Hello everyone,

I am having a problem adding a machine account with pdbedit. My setup is the latest samba (3.0.21b) compiled from source on Solaris 10, SUN's latest JES' Directory Server. I am in a beginning stage of setting up this environment, so I may not have done something right. I was following the Samba PDC LDAP howto by Ignacio Coupeau (http://www.unav.es/cti/ldap-smb/ldap-smb-3-howto.html), a link to which is being provided on the official Samba howto page.

I've attached the output of the following command:

# date;pdbedit -a -m -u baltika -d10

The DS error log shows this:

[19/Feb/2006:11:20:21 -0600] - ERROR<5896> - Schema - conn=-1 op=-1 msgId=-1 - User error: Entry "uid=baltika$,ou=Computers,dc=dcvast,dc=com", attribute "sambaSID" required by object class "sambaSamAccount" is missing

I saw an earlier posting with the same type of error but no resolution yet. Is this a problem with my setup? Is this a general bug with pdbedit/LDAP server/something else?

Thanks,
Arc C.
achapkis@dls.net

-------------- next part --------------
Sun Feb 19 11:20:21 CST 2006
INFO: Current debug levels:
  all: True/10
  tdb: False/0
  printdrivers: False/0
  lanman: False/0
  smb: False/0
  rpc_parse: False/0
  rpc_srv: False/0
  rpc_cli: False/0
  passdb: False/0
  sam: False/0
  auth: False/0
  winbind: False/0
  vfs: False/0
  idmap: False/0
  quota: False/0
  acls: False/0
  locking: False/0
  msdfs: False/0
lp_load: refreshing parameters
Initialising global parameters
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = DCVAST_NT
doing parameter netbios name = STROHS
handle_netbios_name: set global_myname to: STROHS
doing parameter local master = yes
doing parameter passdb backend = ldapsam:ldap://localhost
doing parameter security = user
doing parameter os level = 33
doing parameter preferred master = auto
doing parameter enable privileges = Yes
doing parameter hosts allow = 10.10.
doing parameter username map = /etc/samba/smbusers
doing parameter log level = 5
doing parameter syslog = 0
doing parameter log file = /var/adm/samba/%m
doing parameter max log size = 50
doing parameter name resolve order = wins bcast hosts
doing parameter time server = Yes
doing parameter show add printer wizard = No
doing parameter logon path = \\%L\profiles\%U
doing parameter logon drive = H:
doing parameter logon home = \\baltika\%U\winprofile
doing parameter domain logons = Yes
doing parameter domain master = Yes
doing parameter wins support = Yes
doing parameter ldap suffix = dc=dcvast,dc=com
doing parameter ldap machine suffix = ou=Computers
doing parameter ldap user suffix = ou=People
doing parameter ldap group suffix = ou=Group
doing parameter ldap idmap suffix = ou=Idmap
doing parameter ldap admin dn = cn=Directory Manager
doing parameter ldap passwd sync = yes
doing parameter ldap delete dn = no
doing parameter idmap backend = ldap:ldap://localhost
doing parameter idmap uid = 10000-20000
doing parameter idmap gid = 10000-20000
doing parameter winbind enum users = yes
doing parameter winbind enum groups = yes
doing parameter winbind use default domain = yes
doing parameter map acl inherit = Yes
doing parameter printing = lpd
pm_process() returned Yes
lp_servicenumber: couldn't find homes
set_server_role: role = ROLE_DOMAIN_PDC
Attempting to register new charset UCS-2LE
Registered charset UCS-2LE
Attempting to register new charset UTF-16LE
Registered charset UTF-16LE
Attempting to register new charset UCS-2BE
Registered charset UCS-2BE
Attempting to register new charset UTF-16BE
Registered charset UTF-16BE
Attempting to register new charset UTF8
Registered charset UTF8
Attempting to register new charset UTF-8
Registered charset UTF-8
Attempting to register new charset ASCII
Registered charset ASCII
Attempting to register new charset 646
Registered charset 646
Attempting to register new charset ISO-8859-1
Registered charset ISO-8859-1
Attempting to register new charset UCS2-HEX
Registered charset UCS2-HEX
Substituting charset '646' for LOCALE
Substituting charset '646' for LOCALE
Substituting charset '646' for LOCALE
Substituting charset '646' for LOCALE
Substituting charset '646' for LOCALE
Substituting charset '646' for LOCALE
Substituting charset '646' for LOCALE
Substituting charset '646' for LOCALE
Substituting charset '646' for LOCALE
Substituting charset '646' for LOCALE
Substituting charset '646' for LOCALE
Substituting charset '646' for LOCALE
Substituting charset '646' for LOCALE
Substituting charset '646' for LOCALE
Substituting charset '646' for LOCALE
Substituting charset '646' for LOCALE
Substituting charset '646' for LOCALE
Substituting charset '646' for LOCALE
Substituting charset '646' for LOCALE
Substituting charset '646' for LOCALE
Trying to load: ldapsam:ldap://localhost
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend ldapsam_compat
Successfully added passdb backend 'ldapsam_compat'
Attempting to register passdb backend NDS_ldapsam
Successfully added passdb backend 'NDS_ldapsam'
Attempting to register passdb backend NDS_ldapsam_compat
Successfully added passdb backend 'NDS_ldapsam_compat'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend guest
Successfully added passdb backend 'guest'
Attempting to find an passdb backend to match ldapsam:ldap://localhost (ldapsam)
Found pdb backend ldapsam
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DCVAST_NT))]
smbldap_search_ext: base => [dc=dcvast,dc=com], filter => [(&(objectClass=sambaDomain)(sambaDomainName=DCVAST_NT))], scope => [2]
The connection to the LDAP server was closed
smb_ldap_setup_connection: ldap://localhost
smbldap_open_connection: connection opened
ldap_connect_system: Binding to ldap server ldap://localhost as "cn=Directory Manager"
ldap_connect_system: succesful connection to the LDAP server
ldap_connect_system: LDAP server does not support paged results
The LDAP server is succesfully connected
pdb backend ldapsam:ldap://localhost has a valid init
Attempting to find an passdb backend to match guest (guest)
Found pdb backend guest
pdb backend guest has a valid init
Netbios name list:-
my_netbios_names[0]="STROHS"
Trying to load: ldapsam:ldap://localhost
Attempting to find an passdb backend to match ldapsam:ldap://localhost (ldapsam)
Found pdb backend ldapsam
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DCVAST_NT))]
smbldap_search_ext: base => [dc=dcvast,dc=com], filter => [(&(objectClass=sambaDomain)(sambaDomainName=DCVAST_NT))], scope => [2]
The connection to the LDAP server was closed
smb_ldap_setup_connection: ldap://localhost
smbldap_open_connection: connection opened
ldap_connect_system: Binding to ldap server ldap://localhost as "cn=Directory Manager"
ldap_connect_system: succesful connection to the LDAP server
ldap_connect_system: LDAP server does not support paged results
The LDAP server is succesfully connected
pdb backend ldapsam:ldap://localhost has a valid init
Attempting to find an passdb backend to match guest (guest)
Found pdb backend guest
pdb backend guest has a valid init
grant_privilege: S-1-1-0
original privilege mask: SE_PRIV 0x0 0x0 0x0 0x0
new privilege mask: SE_PRIV 0x0 0x0 0x0 0x0
grant_privilege: S-1-5-32-544
original privilege mask: SE_PRIV 0x0 0x0 0x0 0x0
new privilege mask: SE_PRIV 0x0 0x0 0x0 0x0
grant_privilege: S-1-5-32-548
original privilege mask: SE_PRIV 0x0 0x0 0x0 0x0
new privilege mask: SE_PRIV 0x0 0x0 0x0 0x0
grant_privilege: S-1-5-32-549
original privilege mask: SE_PRIV 0x0 0x0 0x0 0x0
new privilege mask: SE_PRIV 0x0 0x0 0x0 0x0
grant_privilege: S-1-5-32-550
original privilege mask: SE_PRIV 0x0 0x0 0x0 0x0
new privilege mask: SE_PRIV 0x0 0x0 0x0 0x0
grant_privilege: S-1-5-32-551
original privilege mask: SE_PRIV 0x0 0x0 0x0 0x0
new privilege mask: SE_PRIV 0x0 0x0 0x0 0x0
account_policy_get: name: maximum password age, val: -1
account_policy_get: name: minimum password age, val: 0
account_policy_get: name: password history, val: 0
pdb_set_username: setting username baltika$, was
pdb_set_group_sid: setting group sid S-1-5-21-1396024627-659649020-1213447526-515
pdb_set_group_sid_from_rid: setting group sid S-1-5-21-1396024627-659649020-1213447526-515 from rid 515
smbldap_search_ext: base => [dc=dcvast,dc=com], filter => [(&(uid=baltika$)(objectclass=sambaSamAccount))], scope => [2]
smbldap_search_ext: base => [dc=dcvast,dc=com], filter => [(uid=baltika$)], scope => [2]
smbldap_search_ext: base => [dc=dcvast,dc=com], filter => [(&(sambaSID=S-0-0)(|(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))], scope => [2]
ldapsam_add_sam_account: Adding new user
smbldap_make_mod: adding attribute |uid| value |baltika$|
init_ldap_from_sam: Setting entry for user: baltika$
smbldap_make_mod: adding attribute |sambaPrimaryGroupSID| value |S-1-5-21-1396024627-659649020-1213447526-515|
smbldap_make_mod: adding attribute |sambaPwdCanChange| value |1140369621|
smbldap_make_mod: adding attribute |sambaPwdMustChange| value |2147483647|
smbldap_make_mod: adding attribute |sambaLMPassword| value |77D4B81312FC26E7AAD3B435B51404EE|
smbldap_make_mod: adding attribute |sambaNTPassword| value |8A5AE4B7198BDF08D005F4BD32DD0B04|
account_policy_get: name: password history, val: 0
smbldap_make_mod: adding attribute |sambaPasswordHistory| value |0000000000000000000000000000000000000000000000000000000000000000|
smbldap_make_mod: adding attribute |sambaPwdLastSet| value |1140369621|
smbldap_make_mod: adding attribute |sambaAcctFlags| value |[W ]|
smbldap_add: dn => [uid=baltika$,ou=Computers,dc=dcvast,dc=com]
ldapsam_modify_entry: Failed to add user dn= uid=baltika$,ou=Computers,dc=dcvast,dc=com with: Object class violation
ldapsam_add_sam_account: failed to modify/add user with uid = baltika$ (dn = uid=baltika$,ou=Computers,dc=dcvast,dc=com)
Unable to add machine! (does it already exist?)

Peter Olsson
2006-Feb-19 19:56 UTC
[Samba] Something special needed for win2003 client to samba 3 server?
Hello!

I had a samba 2.2.12 server working fine with mount_smbfs clients and a windows 2000 client. Not working with windows 2003 client. I upgraded to samba 3.0.21a, same result. Windows 2003 not working, other clients working.

I just need to be able to connect to my home share in the samba server, with read/write permission.

This is the error I get in the samba log when trying to connect from windows 2003 to my home share, with valid user/password combination:

auth/auth.c:check_ntlm_password(271) check_ntlm_password: sam authentication for user [xxx] FAILED with error NT_STATUS_WRONG_PASSWORD
auth/auth.c:check_ntlm_password(317) check_ntlm_password: Authentication for user [xxx] -> [xxx] FAILED with error NT_STATUS_WRONG_PASSWORD

smb.conf is default, except for changing workgroup and hosts allow. Also load printers = no, and tried with passdb backend = tdbsam instead of default. I have secrets.tdb and smbpasswd in /usr/local/private. OS on samba server is FreeBSD 5.4.

Anything special needed to get the windows 2003 client working? I have googled different search strings, and searched Samba-Guide.pdf and Samba-HOWTO-Collection.pdf for 2003. Found nothing that seems interesting. I know close to nothing about windows 2003.

Thanks!

--
Peter Olsson
pol@leissner.se

Gordon Messmer
2006-Feb-20 20:03 UTC
[Samba] Adding machine account to LDAP with pdbedit fails
Arc C. wrote:
>
> I am having a problem adding a machine account with pdbedit. My setup is the
> latest samba (3.0.21b) compiled from
> source on Solaris 10, SUN's latest JES' Directory Server.
...
> The DS error log show this
> [19/Feb/2006:11:20:21 -0600] - ERROR<5896> - Schema - conn=-1 op=-1 msgId=-1
> - User error: Entry
> "uid=baltika$,ou=Computers,dc=dcvast,dc=com", attribute "sambaSID" required by
> object class "sambaSamAccount" is missing

I'd venture to guess that this is a bug in pdbedit. The samba schema definitely requires sambaSid for sambaSamAccount objects, and pdbedit clearly isn't specifying that attribute when it adds a machine account.

I know that the smbldap-tools scripts add the posix account without the sambaSamAccount objectclass and values, which smbd adds when the machine joins the domain. I'm not familiar enough with pdbedit to know whether it should behave like those scripts, or add the sambaSid attribute. I guess the latter seems more likely.

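Added example (not part of the original thread and not Samba code): a Python check that correlates the Directory Server schema error with the pdbedit -d10 output quoted in this thread and reports whether the attribute the server calls missing was ever queued by the client. The sample text is an excerpt of the logs above; the function names are made up for illustration.

```python
import re

# Constructed sample: excerpts of the two logs quoted in this thread.
PDBEDIT_LOG = """\
ldapsam_add_sam_account: Adding new user
smbldap_make_mod: adding attribute |uid| value |baltika$|
smbldap_make_mod: adding attribute |sambaPrimaryGroupSID| value |S-1-5-21-1396024627-659649020-1213447526-515|
smbldap_make_mod: adding attribute |sambaAcctFlags| value |[W ]|
smbldap_add: dn => [uid=baltika$,ou=Computers,dc=dcvast,dc=com]
ldapsam_modify_entry: Failed to add user dn= uid=baltika$,ou=Computers,dc=dcvast,dc=com with: Object class violation
"""
DS_ERROR = ('User error: Entry "uid=baltika$,ou=Computers,dc=dcvast,dc=com", attribute '
            '"sambaSID" required by object class "sambaSamAccount" is missing')

MOD_RE = re.compile(r"smbldap_make_mod: adding attribute \|([^|]+)\| value \|")
ADD_RE = re.compile(r"smbldap_add: dn => \[(.+)\]")
DS_RE = re.compile(r'Entry "([^"]+)", attribute "([^"]+)" required by '
                   r'object class "([^"]+)" is missing')

def attrs_sent(log):
    """Map each DN given to smbldap_add (lower-cased) to the attributes queued before it."""
    sent, pending = {}, []
    for line in log.splitlines():
        mod, add = MOD_RE.search(line), ADD_RE.search(line)
        if mod:
            pending.append(mod.group(1))
        elif add:
            sent[add.group(1).lower()] = pending
            pending = []
    return sent

def diagnose(pdbedit_log, ds_error):
    """Say whether the attribute the server reports missing was ever sent."""
    m = DS_RE.search(ds_error)
    if not m:
        return None
    dn, attr, objectclass = m.groups()
    sent = attrs_sent(pdbedit_log).get(dn.lower())
    if sent is None:
        verdict = "no smbldap_add for this DN in the client log"
    elif attr.lower() in {a.lower() for a in sent}:  # LDAP names ignore case
        verdict = "client sent it; compare the server's schema definition"
    else:
        verdict = "client never sent it"
    return {"dn": dn, "objectclass": objectclass, "missing": attr,
            "sent": sent, "verdict": verdict}

if __name__ == "__main__":
    print(diagnose(PDBEDIT_LOG, DS_ERROR))
```
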
Arkadiy Chapkis - Arc
2006-Feb-20 20:40 UTC
[Samba] Re: Adding machine account to LDAP with pdbedit fails
That is what I thought. Should I submit a bug report for pdbedit?

Another thing I am looking for is help (or a suggestion). The problem is that I already have a userbase in LDAP with passwords in CRYPT format for logging into UNIX workstations. Is there a way to synchronize these passwords with Samba hashes? Is there a way to make Samba password hashes from a cleartext password?

The reason for the questions is I am using a custom script to add a user to LDAP and in there it asks for a password to generate the CRYPT string. I would rather use the entered-once password than have pdbedit ask for it again (in case I use pdbedit in my script).

Thanks for all the help,

>> I am having a problem adding a machine account with pdbedit. My setup is the
>> latest samba (3.0.21b) compiled from
>> source on Solaris 10, SUN's latest JES' Directory Server.
>...
>> The DS error log show this
>> [19/Feb/2006:11:20:21 -0600] - ERROR<5896> - Schema - conn=-1 op=-1 msgId=-1
>> - User error: Entry
>> "uid=baltika$,ou=Computers,dc=dcvast,dc=com", attribute "sambaSID" required by
>> object class "sambaSamAccount" is missing
>
>I'd venture to guess that this is a bug in pdbedit. The samba schema
>definitely requires sambaSid for sambaSamAccount objects, and pdbedit
>clearly isn't specifying that attribute when it adds a machine account.
>
>I know that the smbldap-tools scripts add the posix account without the
>sambaSamAccount objectclass and values, which smbd adds when the machine
>joins the domain. I'm not familiar enough with pdbedit to know whether
>it should behave like those scripts, or add the sambaSid attribute. I
>guess the latter seems more likely.
>

Arc C.
achapkis@dls.net