Jan Evert van Grootheest
2005-Sep-07 06:53 UTC
[Samba] Samba PDC (3.0.14a) with LDAP cannot add machines
Hi,

I am setting up a Samba PDC which uses LDAP for account information. It is a Debian installation with samba 3.0.14a and slapd 2.2.23 (I'm also using ldap-account-manager, but I don't think that has anything to do with this).

I have checked the release notes to see whether it might have been fixed in a new release, but there's nothing I recognize that seems related to this.

The problem is that when I attempt to join a w2k machine (the first one, actually) to the domain it reports 'Logon failure: unknown user name or password'.
Samba, at the same time, reports in the logfile for that machine:

[2005/09/06 13:12:58, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (1000, 1000) - sec_ctx_stack_ndx = 0
[2005/09/06 13:12:58, 5] rpc_server/srv_samr_nt.c:_samr_set_userinfo(3077)
  _samr_set_userinfo: does not possess sufficient rights
[2005/09/06 13:12:58, 5] rpc_server/srv_samr_nt.c:set_user_info_pw(2961)
  Attempting administrator password change for user krauq$
[2005/09/06 13:12:58, 10] lib/account_pol.c:account_policy_get(210)
  account_policy_get: maximum password age:-1
[2005/09/06 13:12:58, 10] lib/account_pol.c:account_policy_get(210)
  account_policy_get: minimum password age:0
[2005/09/06 13:12:58, 5] rpc_server/srv_samr_nt.c:set_user_info_pw(2981)
  Changing trust account or non-unix-user password, not updating /etc/passwd
[2005/09/06 13:12:58, 5] rpc_server/srv_samr_nt.c:set_user_info_pw(2999)
  set_user_info_pw: pdb_update_pwd()
[2005/09/06 13:12:58, 5] lib/smbldap.c:smbldap_search(1038)
  smbldap_search: base => [dc=XXX,dc=XXX,dc=org], filter => [(&(uid=krauq$)(objectclass=sambaSamAccount))], scope => [2]
[2005/09/06 13:12:58, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2005/09/06 13:12:58, 1] lib/smbldap.c:another_ldap_try(1011)
  Connection to LDAP server failed for the 1 try!

These last two are repeated 15 times and then it gives up.

[2005/09/06 13:13:13, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2005/09/06 13:13:13, 0] lib/smbldap.c:smbldap_search_suffix(1176)
  smbldap_search_suffix: Problem during the LDAP search: (Timed out)
[2005/09/06 13:13:13, 5] rpc_parse/parse_prs.c:prs_debug(82)
  000000 samr_io_r_set_userinfo
[2005/09/06 13:13:13, 5] rpc_parse/parse_prs.c:prs_ntstatus(672)
  0000 status: NT_STATUS_ACCESS_DENIED
[2005/09/06 13:13:13, 5] rpc_server/srv_pipe.c:api_rpcTNP(1578)
  api_rpcTNP: called samr successfully
[2005/09/06 13:13:13, 10] rpc_server/srv_pipe.c:api_rpcTNP(1587)
  api_rpcTNP: rpc input buffer underflow (parse error?)
[2005/09/06 13:13:13, 5] rpc_parse/parse_prs.c:prs_uint8s(729)
  021c : 00

I don't understand this as smbd and nmbd are running as root, so why is it complaining about not being root?

I am sure that there is no problem with the LDAP connection itself. It is already used for unix authentication (using pam_ldap) and also on this w2k machine I can browse (windows explorer) the shares on the PDC using the same username/password used to join the machine to the domain. So I guess that samba is getting information from LDAP just fine (the logfile also shows this in other places).

I have a logfile with loglevel 10. I will not publish it on this list (I think it is too much), but I can share sections with interested developers. If there is other information that is useful, please just ask.

Has this been fixed already and did I miss it in the release notes? Is there a work-around that I can use?

This has been filed as 3064 with the samba bugzilla.

Thanks,
Jan Evert van Grootheest
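An added example, not part of the original message and not Samba code: a small parser that pulls the facts relevant to the failed join out of a log like the one quoted above (the ids printed by pop_sec_ctx, the account being looked up, how often the LDAP open was refused for not being root, and the final NT status). The function names and summary keys are this example's own, and the sample is a constructed subset of the quoted entries.

```python
import re

# Header of one Samba 3 debug entry: [date time, level] file:function(line)
HEADER = re.compile(
    r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s+(\S+?):(\w+)\((\d+)\)")

# Constructed sample: a subset of the entries quoted in the post, in the
# two-line layout smbd writes (header line, then indented message).
SAMPLE = """\
[2005/09/06 13:12:58, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (1000, 1000) - sec_ctx_stack_ndx = 0
[2005/09/06 13:12:58, 5] lib/smbldap.c:smbldap_search(1038)
  smbldap_search: base => [dc=XXX,dc=XXX,dc=org], filter => [(&(uid=krauq$)(objectclass=sambaSamAccount))], scope => [2]
[2005/09/06 13:12:58, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2005/09/06 13:13:13, 0] lib/smbldap.c:smbldap_open(882)
  smbldap_open: cannot access LDAP when not root..
[2005/09/06 13:13:13, 5] rpc_parse/parse_prs.c:prs_ntstatus(672)
  0000 status: NT_STATUS_ACCESS_DENIED
"""

def parse_entries(text):
    """Split a log into entries; works on two-line or flattened text."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entries.append({"time": m.group(1), "level": int(m.group(2)),
                        "function": m.group(4),
                        "message": " ".join(text[m.end():end].split())})
    return entries

def triage(entries):
    """Collect the facts that explain the failed join from parsed entries."""
    out = {"ids": None, "account": None, "ldap_denied": 0, "status": None}
    for e in entries:
        fn, msg = e["function"], e["message"]
        if fn == "pop_sec_ctx" and (m := re.search(r"\((\d+), (\d+)\)", msg)):
            out["ids"] = (int(m.group(1)), int(m.group(2)))  # ids as logged
        elif fn == "smbldap_search" and (m := re.search(r"\(uid=([^)]+)\)", msg)):
            out["account"] = m.group(1)
        elif fn == "smbldap_open" and "when not root" in msg:
            out["ldap_denied"] += 1
        elif fn == "prs_ntstatus" and (m := re.search(r"status: (NT_STATUS_\w+)", msg)):
            out["status"] = m.group(1)
    return out

if __name__ == "__main__":
    print(triage(parse_entries(SAMPLE)))
```

Because entries are delimited by their bracketed headers rather than by newlines, the same functions also handle a log that an archive has flattened onto a single line.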
Tomasz Chmielewski
2005-Sep-07 07:04 UTC
[Samba] Samba PDC (3.0.14a) with LDAP cannot add machines
Jan Evert van Grootheest wrote:
> Hi,
>
> I am setting up a Samba PDC which uses LDAP for account information.
> It is a debian installation with samba 3.0.14a and slapd 2.2.23 (I'm
> also using ldap-account-manager, but I don't think that has anything to
> do with this).
>
> I have checked the release notes whether it might have been fixed in a
> new release, but there's nothing I recognize that seems related to this.
>
> The problem is that when I attempt to join a w2k machine (the first one,
> actually) to the domain it reports 'Logon failure: unknown user name or
> password'.
> Samba, at the same time, reports in the logfile for that machine:

Try to run your machine add command from the command line as root (for some artificial name like testing), and see if the machine was added. Maybe the problem lies there.

--
Tomek
http://wpkg.org
Eduard Witteveen
2005-Sep-07 07:40 UTC
[Samba] Samba PDC (3.0.14a) with LDAP cannot add machines
Jan Evert van Grootheest wrote:
> Hi,
>
> I am setting up a Samba PDC which uses LDAP for account information.
>
> It is a debian installation with samba 3.0.14a and slapd 2.2.23 (I'm
> also using ldap-account-manager, but I don't think that has anything to
> do with this).

Jan,

I also ran into maybe similar problems, which I couldn't solve on Ubuntu (Debian).

The problem for me is that when the script is executed on the command line

'/usr/sbin/smbldap-useradd -w "eduard-laptop$"'

the following environment variables are set:

...
UID=0
USER=root
...

When the script is run by samba, the environment settings are:

...
UID=65534
USER=root
...

Notice that the UID of 65534 should be 0 AFAIK.

I determined this by using the following setting in the smb.conf:

'set > /tmp/user.txt; /usr/sbin/smbldap-useradd -w "%u"'
(http://lists.samba.org/archive/samba/2005-August/109759.html)

I don't know if we have the same problem, but to me it almost looks the same. I don't have a solution for this problem.

--
Eduard Witteveen
+31 (0)6 414 789 23
nl_NL fy_NL en_US
Eduard Witteveen
2005-Sep-28 12:45 UTC
[Samba] Samba PDC (3.0.14a) with LDAP cannot add machines
Hello list,

I'm still trying to get the add machine script working. I have a user which is named "administrator", which is stored in LDAP. I can log in using this user (I attached a login shell) and execute the command:

'/usr/sbin/smbldap-useradd -w "eduard-laptop$"'

successfully (UID=0,USER=root).

However, when this command is executed by samba, it will not run, since LDAP doesn't like the way the command was started: (UID=65534,USER=root)

How can I get this script to be executed the same way as when it is run from the command line?