I have spent days now trying to debug why I cannot add machines to the domain. I am using samba 3.0.23c with an openldap backend. I can authenticate fine using smbclient with the administrator account but when I go to add a machine it fails. I have checked the debug logs and know what is happening, I am just not sure why or how to fix it.

I am using the idealx scripts to add machines. It adds the machine to ldap but does not add any of the necessary samba attributes. I thought the machine was supposed to do this now and not the scripts. Is this correct? If so I am seeing one thing in the log for the machine that I think may have something to do with it. It says "secrets_fetch failed!" just before the check for the machine and failing. What does this mean and is this a problem?

As you can see the administrator authenticates fine. When it fails the check for the machine account with NT_STATUS_NO_SUCH_USER it is searching the ldap for "(&(uid=xplaptop$)(objectClass=sambaSamAccount))" but the entry created does not contain any "samba*" entries like it should. I am curious to know if the secrets check failing is the machine trying to add that stuff to ldap? I have read the how-to a few times and don't see anything I missed, but obviously I have something amiss here. Any help would be GREATLY appreciated as I have spent many, many hours trying to find out why this is happening.

[2006/09/26 10:35:53, 10] passdb/pdb_get_set.c:pdb_set_username(534)
  pdb_set_username: setting username Administrator, was
[2006/09/26 10:35:53, 10] passdb/pdb_get_set.c:pdb_set_domain(557)
  pdb_set_domain: setting domain DOMAIN_UK, was
[2006/09/26 10:35:53, 10] passdb/pdb_get_set.c:pdb_set_nt_username(580)
  pdb_set_nt_username: setting nt username Administrator, was
[2006/09/26 10:35:53, 10] passdb/pdb_get_set.c:pdb_set_fullname(603)
  pdb_set_full_name: setting full name System User, was
[2006/09/26 10:35:53, 10] passdb/pdb_get_set.c:pdb_set_homedir(696)
  pdb_set_homedir: setting home dir \UK_PDC\Administrator, was
[2006/09/26 10:35:53, 10] passdb/pdb_get_set.c:pdb_set_dir_drive(672)
  pdb_set_dir_drive: setting dir drive c:, was NULL
[2006/09/26 10:35:53, 10] passdb/pdb_get_set.c:pdb_set_logon_script(626)
  pdb_set_logon_script: setting logon script logon.bat, was
[2006/09/26 10:35:53, 10] passdb/pdb_get_set.c:pdb_set_profile_path(649)
  pdb_set_profile_path: setting profile path c:\Documents and Settings\Administrator, was
[2006/09/26 10:35:53, 10] passdb/pdb_get_set.c:pdb_set_workstations(739)
  pdb_set_workstations: setting workstations , was
[2006/09/26 10:35:53, 10] passdb/pdb_get_set.c:pdb_set_user_sid(463)
  pdb_set_user_sid: setting user sid S-1-5-21-334771251-3296030561-843139161-500
[2006/09/26 10:35:53, 10] passdb/pdb_compat.c:pdb_set_user_sid_from_rid(73)
  pdb_set_user_sid_from_rid: setting user sid S-1-5-21-334771251-3296030561-843139161-500 from rid 500
[2006/09/26 10:35:53, 10] passdb/pdb_get_set.c:pdb_set_group_sid(521)
  pdb_set_group_sid: setting group sid S-1-5-21-334771251-3296030561-843139161-512
[2006/09/26 10:35:53, 10] passdb/pdb_compat.c:pdb_set_group_sid_from_rid(100)
  pdb_set_group_sid_from_rid: setting group sid S-1-5-21-334771251-3296030561-843139161-512 from rid 512
[2006/09/26 10:35:53, 5] passdb/secrets.c:secrets_fetch_trusted_domain_password(340)
  secrets_fetch failed!
[2006/09/26 10:35:53, 4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1396)
  ldapsam_getsampwnam: Unable to locate user [XPLAPTOP$] count=0
[2006/09/26 10:35:53, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2213)
  ldapsam_getgroup: Did not find group
[2006/09/26 10:36:00, 3] passdb/pdb_interface.c:pdb_default_create_user(368)
  _samr_create_user: Running the command `/usr/local/sbin/smbldap-useradd -t 5 -w 'xplaptop$'' gave 0
[2006/09/26 10:36:00, 3] passdb/pdb_interface.c:pdb_default_create_user(381)
  pdb_default_create_user: failed to create a new user structure: NT_STATUS_NO_SUCH_USER
[2006/09/26 10:36:00, 5] lib/gencache.c:gencache_shutdown(90)
  Closing cache file

I figured out what my problem was. It was with nss_ldap not authenticating off of ldap. I didn't notice it before because I had all the same users etc in the local file as I did in ldap. After adding some more users to ldap and running "getent passwd", I realized they weren't showing up. I looked around and tried to turn on debugging but it didn't work. I then realized it obviously wasn't reading the ldap.conf under my /etc/openldap directory. I linked that conf to /etc and voila everything works! Something to keep in mind for people seeing what I was seeing.

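The failure mode described in this follow-up (local files holding the same accounts as LDAP, so "getent passwd" looked healthy) can be caught with a lookup that separates the two sources. This is an added example, not part of the original posts; the function names nss_source and explain_source are hypothetical, and the lookup command is a parameter so the check can be exercised without a live directory.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies where an account name
# resolves from, so a local /etc/passwd copy cannot hide a dead LDAP lookup.

# nss_source NAME [PASSWD_FILE] [LOOKUP_CMD]
# Prints one of:
#   files     NAME is in the local passwd file (proves nothing about LDAP)
#   nss-only  NAME resolves through NSS but is not in the local file
#   missing   NAME does not resolve at all
nss_source() {
    name=$1
    passwd_file=${2:-/etc/passwd}
    lookup=${3:-getent passwd}   # left unquoted below: command plus argument

    # Exact match on the first field; machine names end in a literal '$'.
    if awk -F: -v n="$name" '$1 == n { found = 1 } END { exit !found }' "$passwd_file"; then
        echo files
    elif $lookup "$name" >/dev/null 2>&1; then
        echo nss-only
    else
        echo missing
    fi
}

# explain_source NAME [PASSWD_FILE] [LOOKUP_CMD]
# Returns 0 only when the name is proven to come from a non-local NSS source.
explain_source() {
    case $(nss_source "$@") in
        nss-only) echo "$1: resolved via NSS, not local files"; return 0 ;;
        files)    echo "$1: found in local files; test with an LDAP-only name"; return 1 ;;
        *)        echo "$1: not resolvable; check which ldap.conf nss_ldap reads"; return 1 ;;
    esac
}

# Typical use right after the add machine script has run:
#   explain_source 'xplaptop$'
```

A "missing" result for an account that the add machine script has just written to LDAP matches the log above: the script returns 0, yet Samba still reports NT_STATUS_NO_SUCH_USER.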
Hi, I see this sort of behavior about half the time I add a machine to the domain. The workstation comes back with a message expressing NT_STATUS_NO_SUCH_USER. A second attempt generally succeeds. It looks like your "add machine script" in smb.conf is correct. I would try running the smbldap-useradd command from the command-line, then checking the output and your LDAP database. I have discovered stderr messages that do not make it back to the workstation level. I think that the idealx scripts are wholly responsible for what goes into the LDAP database, the workstation does not have direct contact with your LDAP database.

Good luck,
Chuck

--
Chuck Theobald
System Administrator
The Robert and Beverly Lewis Center for Neuroimaging
University of Oregon
P: 541-346-0343
F: 541-346-0345