samba - Dec 2006 - Samba 3 LDAP backend cannot authenticate

I am trying to setup a samba3 pdc using samba 3.0.21b with openldap 
backend, running freebsd 6.1 release, and openldap server is version 
2.2.30. The short of it is: I cannot get any of my windows boxes to join 
the domain. Also no ldap cn entries can login to the server, but if I 
attempt to login to say #su user1, where user1 is an entry in the LDAP 
directory, but does not have a unix account I can see that LDAP gets the 
search query, but I am still not able to log in. I basically do not know 
where to trouble shoot? Please any suggestions would be greatly 
appreciated. Thanks.

-- 
Brad

On 12/6/06, Brad Askew <Brad.Askew@tsch.biz>
wrote:
> I am trying to setup a samba3 pdc using samba 3.0.21b with openldap
> backend, running freebsd 6.1 release, and openldap server is version
> 2.2.30. The short of it is: I cannot get any of my windows boxes to join
> the domain. Also no ldap cn entries can login to the server, but if I
> attempt to login to say #su user1, where user1 is an entry in the LDAP
> directory, but does not have a unix account I can see that LDAP gets the
> search query, but I am still not able to log in. I basically do not know
> where to trouble shoot? Please any suggestions would be greatly
> appreciated. Thanks.
>
Can you give a brief description on your setup and what you have done
as from the description you have given I can only guess. Are you using
the smbldap_tools from IDEALX? How did you configure your ldap server?
Have you set up users for the machines? ...

John

John Drescher wrote:
> On 12/6/06, Brad Askew <Brad.Askew@tsch.biz> wrote:
>> I am trying to setup a samba3 pdc using samba 3.0.21b with openldap
>> backend, running freebsd 6.1 release, and openldap server is version
>> 2.2.30. The short of it is: I cannot get any of my windows boxes to
join
>> the domain. Also no ldap cn entries can login to the server, but if I
>> attempt to login to say #su user1, where user1 is an entry in the LDAP
>> directory, but does not have a unix account I can see that LDAP gets
the
>> search query, but I am still not able to log in. I basically do not
know
>> where to trouble shoot? Please any suggestions would be greatly
>> appreciated. Thanks.
>>
> Can you give a brief description on your setup and what you have done
> as from the description you have given I can only guess. Are you using
> the smbldap_tools from IDEALX? How did you configure your ldap server?
> Have you set up users for the machines? ...
>
> John
>
Sure thing.

I am using the idealx smbldap_tools. I used smbldap-populate to populate 
the directory. I have the following lines in slapd.conf
<snip>
include  /usr/local/etc/openldap/schema/core.schema
include  /usr/local/etc/openldap/schema/cosine.schema
include  /usr/local/etc/openldap/schema/inetorgperson.schema
include  /usr/local/etc/openldap/schema/nis.schema
include  /usr/local/etc/openldap/schema/samba.schema
<snip>

Aside from using smbldap-populate, the directory is pretty flat, I used 
smbldap-useradd to add one user to the directory. I have set up the 
indices as follows.

<snip>
index   objectClass        eq
 
index cn                pres,sub,eq
index sn                pres,sub,eq
## required to support pdb_getsampwnam
index uid              pres,sub,eq
## required to support pdb_getsambapwrid
index displayName       pres,sub,eq
## uncomment these if you are storing posixAccount
## and posixGroup in the directory as well
index uidNumber  eq
index gidNumber  eq
index memberUID  eq
 
index sambaSID      eq
index sambaPrimaryGroupSID      eq
index sambaDomainName      eq
index default         sub
<snip>

If you need more info on ldap, let me know. I added a machine account 
for the machines using the smbldaptools using the netbios name of the 
client machine followed by a $.

-- 
Brad