guido@lorenzutti.com.ar
2009-Mar-06 01:26 UTC
[Samba] pdbedit doesn't send the sambaSID to the ldap

Hi people: I have a Debian etch stable with the latest updates.
When I try to join a computer to the domain I create the machine on the ldap and it's created with the following attributes:

dn:cn=test$,ou=Machines,dc=domain,dc=org
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uidNumber: 3123
uid: test$
cn: test$
sn: test$
gidNumber: 604
homeDirectory: /dev/null
loginShell: /bin/false
gecos: Machine Account
description: Machine Account

Then, in the samba I run:

pdbedit -am test

And this is the output...

ldapsam_add_sam_account: User exists without samba attributes: adding them
init_ldap_from_sam: Setting entry for user: test$
smbldap_modify: dn => [cn=test$,ou=Machines,dc=domain,dc=org]
ldapsam_modify_entry: Failed to modify user dncn=test$,ou=Machines,dc=domain,dc=org with: Object class violation
object class 'sambaSamAccount' requires attribute 'sambaSID'
ldapsam_add_sam_account: failed to modify/add user with uid = test$ (dn = cn=zigo$,ou=Systems,dc=domain,dc=int)
Unable to add machine! (does it already exist?)

I set the debug level in the ldap and I can't see the pdbedit sending any sambaSID attribute. So I can't think this is a schema problem...

Any ideas? Why is this happening?? I have found nothing on the net to help me...

Tnxs in advance.

guido@lorenzutti.com.ar
2009-Mar-07 21:16 UTC
[Samba] Re: pdbedit doesn't send the sambaSID to the ldap

> Hi people: I have a Debian etch stable with the latest updates.
> When I try to join a computer to the domain I create the
> machine on the ldap and it's created with the following attributes:
>
> dn:cn=test$,ou=Machines,dc=domain,dc=org
> objectClass: top
> objectClass: inetOrgPerson
> objectClass: posixAccount
> uidNumber: 3123
> uid: test$
> cn: test$
> sn: test$
> gidNumber: 604
> homeDirectory: /dev/null
> loginShell: /bin/false
> gecos: Machine Account
> description: Machine Account
>
> Then, in the samba I run:
>
> pdbedit -am test
>
> And this is the output...
>
> ldapsam_add_sam_account: User exists without samba attributes: adding them
> init_ldap_from_sam: Setting entry for user: test$
> smbldap_modify: dn => [cn=test$,ou=Machines,dc=domain,dc=org]
> ldapsam_modify_entry: Failed to modify user dn
> cn=test$,ou=Machines,dc=domain,dc=org with: Object class violation
> object class 'sambaSamAccount' requires attribute 'sambaSID'
> ldapsam_add_sam_account: failed to modify/add user with uid = test$ (dn
> = cn=zigo$,ou=Systems,dc=domain,dc=int)
> Unable to add machine! (does it already exist?)
>
> I set the debug level in the ldap and I can't see the pdbedit sending any
> sambaSID attribute. So I can't think this is a schema problem...
>
> Any ideas? Why is this happening?? I have found nothing on the net to help
> me...
>
> Tnxs in advance.
>

Does anyone know something? I found some PDCs NOT with the latest updates from Debian Etch, but with the same Samba version, and they work!

This is the output of the working version:

account_policy_get: name: maximum password age, val: -1
account_policy_get: name: minimum password age, val: 0
pdb_set_username: setting username test$, was test$
smbldap_search_ext: base => [dc=jusbaires,dc=gov,dc=ar], filter => [(&(uid=test$)(objectclass=sambaSamAccount))], scope => [2]
smbldap_search_ext: base => [dc=jusbaires,dc=gov,dc=ar], filter => [(&(sambaSID=S-1-5-21-2281447165-45835457-3575675572-31254)(objectclass=sambaSamAccount))], scope => [2]
smbldap_search_ext: base => [dc=jusbaires,dc=gov,dc=ar], filter => [(uid=test$)], scope => [2]
ldapsam_add_sam_account: User exists without samba attributes: adding them
smbldap_make_mod: attribute |uid| not changed.
init_ldap_from_sam: Setting entry for user: test$
smbldap_get_single_attribute: [sambaSID] = [<does not exist>]
smbldap_make_mod: adding attribute |sambaSID| value |S-1-5-21-2281447165-45835457-3575675572-31254|
smbldap_get_single_attribute: [displayName] = [<does not exist>]
smbldap_make_mod: adding attribute |displayName| value |Computer|
smbldap_get_single_attribute: [sambaPwdCanChange] = [<does not exist>]
smbldap_make_mod: adding attribute |sambaPwdCanChange| value |1236459494|
smbldap_get_single_attribute: [sambaPwdMustChange] = [<does not exist>]
smbldap_make_mod: adding attribute |sambaPwdMustChange| value |2147483647|
smbldap_get_single_attribute: [sambaLMPassword] = [<does not exist>]
smbldap_get_single_attribute: [sambaNTPassword] = [<does not exist>]
smbldap_make_mod: adding attribute |sambaNTPassword| value |0CB6948805F797BF2A82807973B89537|
smbldap_get_single_attribute: [sambaPwdLastSet] = [<does not exist>]
smbldap_make_mod: adding attribute |sambaPwdLastSet| value |1236459494|
smbldap_get_single_attribute: [sambaAcctFlags] = [<does not exist>]
smbldap_make_mod: adding attribute |sambaAcctFlags| value |[W ]|
smbldap_modify: dn => [uid=test$,ou=sarmiento,ou=Computers,dc=jusbaires,dc=gov,dc=ar]
rebindproc_connect_with_state: Rebinding to ldaps://10.8.2.100/uid=test$,ou=sarmiento,ou=Computers,dc=jusbaires,dc=gov,dc=ar as "uid=sarmiento-proxy,ou=security,dc=jusbaires,dc=gov,dc=ar"
rebindproc_connect_with_state: setting last_rebind timestamp (req: 0x66)
ldapsam_add_sam_account: added: uid == test$ in the LDAP database
smbldap_search_ext: base => [dc=jusbaires,dc=gov,dc=ar], filter => [(&(uid=test$)(objectclass=sambaSamAccount))], scope => [2]
smbldap_search_ext: waiting 866 milliseconds for LDAP replication.
smbldap_search_ext: go on!
init_sam_from_ldap: Entry found for user: test$
pdb_set_username: setting username test$, was
pdb_set_domain: setting domain JUSBAIRES, was
pdb_set_nt_username: setting nt username test$, was
pdb_set_user_sid_from_string: setting user sid S-1-5-21-2281447165-45835457-3575675572-31254
pdb_set_user_sid: setting user sid S-1-5-21-2281447165-45835457-3575675572-31254
smbldap_get_single_attribute: [sambaLogonTime] = [<does not exist>]
smbldap_get_single_attribute: [sambaLogoffTime] = [<does not exist>]
smbldap_get_single_attribute: [sambaKickoffTime] = [<does not exist>]
pdb_set_full_name: setting full name Computer, was
smbldap_get_single_attribute: [sambaHomeDrive] = [<does not exist>]
pdb_set_dir_drive: setting dir drive C:, was NULL
smbldap_get_single_attribute: [sambaHomePath] = [<does not exist>]
pdb_set_homedir: setting home dir \\pdc\profiles\test_, was
smbldap_get_single_attribute: [sambaLogonScript] = [<does not exist>]
pdb_set_logon_script: setting logon script netlogon.test_.bat, was
smbldap_get_single_attribute: [sambaProfilePath] = [<does not exist>]
pdb_set_profile_path: setting profile path \\pdc\profiles\test_, was
smbldap_get_single_attribute: [sambaUserWorkstations] = [<does not exist>]
smbldap_get_single_attribute: [sambaMungedDial] = [<does not exist>]
smbldap_get_single_attribute: [sambaLMPassword] = [<does not exist>]
account_policy_get: name: password history, val: 0
smbldap_get_single_attribute: [sambaBadPasswordCount] = [<does not exist>]
smbldap_get_single_attribute: [sambaBadPasswordTime] = [<does not exist>]
smbldap_get_single_attribute: [sambaLogonHours] = [<does not exist>]
Opening cache file at /var/cache/samba/login_cache.tdb
Looking up login cache for user test$
No cache entry found
No cache entry, bad count = 0, bad time = 0
Unix username: test$
NT username: test$
Account Flags: [W ]
User SID: S-1-5-21-2281447165-45835457-3575675572-31254
Finding user test$
Trying _Get_Pwnam(), username as lowercase is test$
Got test$ from pwnam_cache
Get_Pwnam_internals did find user [test$]!
smbldap_search_ext: base => [ou=Group,dc=jusbaires,dc=gov,dc=ar], filter => [(&(objectClass=sambaGroupMapping)(gidNumber=515))], scope => [2]
init_group_from_ldap: Entry found for group: 515
Accepting SID S-1-5-21-2281447165-45835457-3575675572 in level 1
lookup_global_sam_rid: looking up RID 515.
smbldap_search_ext: base => [dc=jusbaires,dc=gov,dc=ar], filter => [(&(sambaSID=S-1-5-21-2281447165-45835457-3575675572-515)(objectclass=sambaSamAccount))], scope => [2]
ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-2281447165-45835457-3575675572-515] count=0
smbldap_search_ext: base => [ou=Group,dc=jusbaires,dc=gov,dc=ar], filter => [(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-2281447165-45835457-3575675572-515))], scope => [2]
init_group_from_ldap: Entry found for group: 515
lookup_rids: Domain Computers:2
Sid S-1-5-21-2281447165-45835457-3575675572-515 -> JUSBAIRES\Domain Computers(2)
Primary Group SID: S-1-5-21-2281447165-45835457-3575675572-515
Full Name: Computer
Home Directory: \\pdc\profiles\test_
HomeDir Drive: C:
Logon Script: netlogon.test_.bat

This is the output of the NOT working version:

account_policy_get: name: maximum password age, val: -1
account_policy_get: name: minimum password age, val: 0
account_policy_get: name: password history, val: 0
pdb_set_username: setting username beruti-proxy$, was
smbldap_search_ext: base => [dc=jusbaires,dc=gov,dc=ar], filter => [(&(uid=beruti-proxy$)(objectclass=sambaSamAccount))], scope => [2]
smbldap_search_ext: base => [dc=jusbaires,dc=gov,dc=ar], filter => [(uid=beruti-proxy$)], scope => [2]
ldapsam_add_sam_account: User exists without samba attributes: adding them
smbldap_make_mod: attribute |uid| not changed.
init_ldap_from_sam: Setting entry for user: beruti-proxy$
smbldap_get_single_attribute: [sambaPwdCanChange] = [<does not exist>]
smbldap_make_mod: adding attribute |sambaPwdCanChange| value |1236459262|
smbldap_get_single_attribute: [sambaPwdMustChange] = [<does not exist>]
smbldap_make_mod: adding attribute |sambaPwdMustChange| value |9223372036854775807|
smbldap_get_single_attribute: [sambaLMPassword] = [<does not exist>]
smbldap_get_single_attribute: [sambaNTPassword] = [<does not exist>]
smbldap_make_mod: adding attribute |sambaNTPassword| value |A506EB2FCE65B16CF8EF7E05D2971B16|
account_policy_get: name: password history, val: 0
smbldap_get_single_attribute: [sambaPasswordHistory] = [<does not exist>]
smbldap_make_mod: adding attribute |sambaPasswordHistory| value |0000000000000000000000000000000000000000000000000000000000000000|
smbldap_get_single_attribute: [sambaPwdLastSet] = [<does not exist>]
smbldap_make_mod: adding attribute |sambaPwdLastSet| value |1236459262|
smbldap_get_single_attribute: [sambaAcctFlags] = [<does not exist>]
smbldap_make_mod: adding attribute |sambaAcctFlags| value |[W ]|
smbldap_modify: dn => [uid=beruti-proxy$,ou=beruti,ou=Computers,dc=jusbaires,dc=gov,dc=ar]
rebindproc_connect_with_state: Rebinding to ldaps://10.8.2.100/uid=beruti-proxy$,ou=beruti,ou=Computers,dc=jusbaires,dc=gov,dc=ar as "uid=beruti-dns1,ou=security,dc=jusbaires,dc=gov,dc=ar"
rebindproc_connect_with_state: setting last_rebind timestamp (req: 0x66)
Failed to modify dn: uid=beruti-proxy$,ou=beruti,ou=Computers,dc=jusbaires,dc=gov,dc=ar, error: Object class violation (object class 'sambaSamAccount' requires attribute 'sambaSID')
ldapsam_add_sam_account: failed to modify/add user with uid beruti-proxy$ (dn uid=beruti-proxy$,ou=beruti,ou=Computers,dc=jusbaires,dc=gov,dc=ar)
Unable to add machine! (does it already exist?)

By the way, the version of the Debian package is: 3.0.24-6etch10.

Regards.

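Added example, not part of the original posts and not Samba code: a small Python triage script that reads pdbedit debug output, lists the attributes smbldap_make_mod queued for the LDAP modify, and reports which attribute demanded by the directory was never queued. The function and variable names are hypothetical, and the two sample logs are abridged from the ones posted above.

```python
import re

# Required by the sambaSamAccount object class, per the LDAP error quoted above.
REQUIRED = {"sambaSID"}

ADD_RE = re.compile(r"smbldap_make_mod: adding attribute \|([^|]+)\| value \|([^|]*)\|")
KEPT_RE = re.compile(r"smbldap_make_mod: attribute \|([^|]+)\| not changed")

# Sample input: abridged from the working and NOT working logs in this thread.
WORKING_LOG = """\
smbldap_make_mod: attribute |uid| not changed.
smbldap_make_mod: adding attribute |sambaSID| value |S-1-5-21-2281447165-45835457-3575675572-31254|
smbldap_make_mod: adding attribute |displayName| value |Computer|
smbldap_make_mod: adding attribute |sambaPwdCanChange| value |1236459494|
smbldap_make_mod: adding attribute |sambaAcctFlags| value |[W ]|
"""
FAILING_LOG = """\
smbldap_make_mod: attribute |uid| not changed.
smbldap_make_mod: adding attribute |sambaPwdCanChange| value |1236459262|
smbldap_make_mod: adding attribute |sambaPasswordHistory| value |0000000000000000000000000000000000000000000000000000000000000000|
smbldap_make_mod: adding attribute |sambaAcctFlags| value |[W ]|
"""


def queued_attributes(log_text):
    """Return {attribute: value} for every attribute queued for the modify."""
    return {m.group(1): m.group(2) for m in ADD_RE.finditer(log_text)}


def missing_required(log_text):
    """Required attributes that are neither queued nor already on the entry."""
    have = set(queued_attributes(log_text)) | set(KEPT_RE.findall(log_text))
    return sorted(REQUIRED - have)


def compare_runs(good_log, bad_log):
    """Attributes queued only in the good run, and only in the bad run."""
    good, bad = set(queued_attributes(good_log)), set(queued_attributes(bad_log))
    return sorted(good - bad), sorted(bad - good)


if __name__ == "__main__":
    print("missing in failing run:", missing_required(FAILING_LOG))
    only_good, only_bad = compare_runs(WORKING_LOG, FAILING_LOG)
    print("only in working run:", only_good)
    print("only in failing run:", only_bad)
```
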
Hi people, did you find a solution for this problem? I'm having it too.

root@patata:/var/log/samba# pdbedit -am merlin
Cannot locate Unix account for merlin$

But the unix account is in ldap and it is created automatically with smbldap. If I add it manually or add the attributes by hand it works fine.

http://www.mail-archive.com/samba@lists.samba.org/msg99530.html