Hi everyone, I'm having a slight problem getting Samba and OpenLDAP to play together. First off, sorry for the long mail.

I'm struggling to understand the whole machine account business, and to get them working correctly. I'm using the smbldap-tools package to create my LDAP directory and also the various users and machine accounts. Creating users works fine, but machine accounts seem to be the problem. The problem seems to come when Samba tries to look up the machine account from the LDAP directory. The first problem is displayed here:

<slapd.log>
conn=185 op=7 SRCH base="dc=example,dc=org" scope=2 deref=0 filter="(&(uid=machine$)(objectClass=sambaSamAccount))"
</slapd.log>

The problem here is that Samba thinks that the machine account is also part of the sambaSamAccount objectClass. smbldap-tools doesn't add machine accounts like that (no sambaSamAccount objectClass), so I presume that this is a problem with the smbldap-tools package. OK, so I add the sambaSamAccount objectClass to the machine account and, hey presto, it works.
So this is what the machine$ directory entry now looks like:

<machine$>
dn: uid=machine$,ou=Users,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: machine$
sn: machine$
givenName: machine$
uid: machine$
uidNumber: 1003
gidNumber: 513
homeDirectory: /home/machine$
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
displayName: System User
sambaSID: S-1-5-21-4149842143-3922995212-3442003976-3006
sambaPrimaryGroupSID: S-1-5-21-4149842143-3922995212-3442003976-513
sambaLogonScript: logon.bat
sambaProfilePath: \\SERVER\profiles\machine$
sambaHomePath: \\SERVER\machine$
sambaHomeDrive: H:
userPassword:: e1NTSEF9M29FWklLL3c0czhYR3I3Y3MwUXhYejQ3Wm1vMGVUUnI
sambaAcctFlags: [UW ]
sambaPwdCanChange: 1152185055
sambaPwdMustChange: 2147483647
sambaNTPassword: D5DFE3EB70379E4BE015A6B51CC90B7B
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaPwdLastSet: 1152185055
</machine$>

Alrighty, so, if I copy this directory entry to another one, and just change the relevant SIDs and stuff, it should work fine, right?
<box2$>
dn: uid=box2$,ou=Users,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: box2$
sn: box2$
givenName: box2$
uid: box2$
uidNumber: 1009
gidNumber: 513
homeDirectory: /home/box2$
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaSID: S-1-5-21-4149842143-3922995212-3442003976-3018
sambaPrimaryGroupSID: S-1-5-21-4149842143-3922995212-3442003976-513
sambaLogonScript: logon.bat
sambaProfilePath: \\IOLSERVER\profiles\box2$
sambaHomePath: \\IOLSERVER\box2$
sambaHomeDrive: H:
userPassword:: e1NTSEF9M29FWklLL3c0czhYR3I3Y3MwUXhYejQ3Wm1vMGVUUnI
sambaAcctFlags: [UW ]
sambaPwdCanChange: 1152185055
sambaPwdMustChange: 2147483647
sambaNTPassword: D5DFE3EB70379E4BE015A6B51CC90B7B
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000
sambaPwdLastSet: 1152185055
displayName: box2$
</box2$>

Great, but:

<smb.log>
[2006/07/07 15:59:03, 3] lib/smbldap.c:smbldap_connect_system(905)
  ldap_connect_system: succesful connection to the LDAP server
[2006/07/07 15:59:03, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: box2$
[2006/07/07 15:59:03, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
[2006/07/07 15:59:03, 2] libsmb/credentials.c:creds_server_check(159)
  creds_server_check: credentials check failed.
[2006/07/07 15:59:03, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(424)
  _net_auth2: creds_server_check failed. Rejecting auth request from client BOX2 machine account BOX2$
</smb.log>

Now, I tried adding a machine account via the smbldap-useradd script again and just adding the objectClass sambaSambAccount, but I couldn't get it working this time. It still fails with the above error message in the log file. The client machine is a WinXP SP2 box.
So now it successfully gets everything from LDAP, but then it fails for some reason. So, this is what I would like to know, please: does anyone know why it fails here? And secondly, where can I find some kind of reference as to what fields Samba looks for in the LDAP directory and what it does with them? (Well, apart from the source, if possible :) )

I have attached the smb.cfg file below.

Thanks for your help,
cillier

<versions>
Samba - 3.0.22 : Built from source --with-ldap --with-ads --with-winbind --with-acl-support
OpenLdap - 2.2.26 : Ubuntu-6.06 package
OS : Ubuntu 6.06
</versions>

<smb.cfg>
netbios name = SERVER
workgroup = WORKGROUP
server string = PDC [on Ubuntu :: Samba server %v]
enable privileges = yes
passdb backend = ldapsam:ldap://localhost/
unix passwd sync = Yes
ldap suffix = dc=example,dc=com
ldap admin dn = cn=admin,dc=example,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
hosts allow = 172.20.80.0/24 127.0.0.0/8
security = user
encrypt passwords = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
interfaces = lo eth0
bind interfaces only = yes
local master = yes
os level = 65
domain master = yes
preferred master = yes
null passwords = no
hide unreadable = yes
hide dot files = yes
domain logons = yes
logon script = login.bat OR %U.bat
logon path = \\%L\profiles\%U
logon drive = H:
logon home = \\%L\%U\.9xprofile
wins support = yes
name resolve order = wins lmhosts host bcast
dns proxy = no
time server = yes
log level = 3
log file = /usr/local/samba/var/log.%m
max log size = 50
passwd program = /usr/local/sbin/smbldap-passwd -u %u
passwd chat = "*New password:*" %n\r "*New password (again):*" %n\r \
  "*Password changed*"
unix charset = ISO8859-1

[netlogon]
path = /usr/local/samba/netlogon
guest ok = no
read only = yes
browseable = yes

[profiles]
path = /usr/local/samba/profiles
browseable = yes
writeable = yes
default case = lower
preserve case = no
short preserve case = no
case sensitive = no
hide files = /desktop.ini/ntuser.ini/NTUSER.*/
write list = @smbusers @root
create mask = 0600
directory mask = 0700

[homes]
path = /home/%U
browseable = no
valid users = %S
read only = no
guest ok = no
inherit permissions = yes

[public]
comment = Public Stuff
path = /usr/local/samba/public
public = yes
read only = yes
browseable = yes
write list = @users
</smb.cfg>
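An added example, not from the post or from Samba/smbldap-tools: a small Python lint that parses LDIF entries like the two above (folded continuation lines and base64 `::` values included) and flags what the post's logs show Samba depends on: the sambaSamAccount objectClass its search filter requires, and values that must be unique per host, in particular the sambaNTPassword trust secret, which each workstation sets for itself when it joins, so a hash copied from another machine account cannot pass creds_server_check. The sample entries are constructed, trimmed versions of the post's two accounts.

```python
import base64
from collections import defaultdict
# Constructed sample modelled on the post's two entries (attributes trimmed).
LDIF = f"""\
dn: uid=machine$,ou=Users,dc=example,dc=org
objectClass: sambaSamAccount
uid: machine$
sambaSID: S-1-5-21-4149842143-3922995212-3442003976-3006
sambaNTPassword: D5DFE3EB70379E4BE015A6B51CC90B7B
userPassword:: e1NTSEF9ZHVtbXk=

dn: uid=box2$,ou=Users,dc=example,dc=org
objectClass: sambaSamAccount
uid: box2$
sambaSID: S-1-5-21-4149842143-3922995212-3442003976-3018
sambaNTPassword: D5DFE3EB70379E4BE015A6B51CC90B7B
sambaPasswordHistory: {'0' * 56}
 00000000
"""

def parse_ldif(text):
    """Parse LDIF into [{attr: [values]}]: unfold continuation lines, decode '::'."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = defaultdict(list)
        for line in block.replace("\n ", "").splitlines():  # LDIF folding: "\n "
            attr, sep, val = line.partition(":: " if ":: " in line else ": ")
            if sep == ":: ":  # base64 value, as in the post's userPassword line
                val = base64.b64decode(val).decode("utf-8", "replace")
            entry[attr].append(val.strip())
        entries.append(dict(entry))
    return entries

def check_machine_accounts(entries):
    """Lint uid=...$ entries: the objectClass Samba's logged filter requires, plus
    per-host values (sambaSID, the sambaNTPassword trust secret) shared by >1 host."""
    problems, seen = [], defaultdict(list)
    for e in entries:
        uid = e.get("uid", [""])[0]
        if not uid.endswith("$"):  # machine accounts only
            continue
        if "sambaSamAccount" not in e.get("objectClass", []):
            problems.append((uid, "missing objectClass sambaSamAccount"))
        for attr in ("sambaSID", "sambaNTPassword"):
            for v in e.get(attr, []):
                seen[(attr, v.upper())].append(uid)
    for (attr, v), uids in seen.items():
        if len(uids) > 1:
            problems.append((",".join(uids), f"shared {attr} {v}"))
    return problems
```

Running `check_machine_accounts(parse_ldif(LDIF))` reports the shared NT hash and nothing else; the same function over a real export of ou=Users/ou=Computers shows which machine entries the logged filter would miss.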