Hi there. I've a problem with using Samba as Primary Domain Controller with an LDAP backend. Version release (Samba 3.2.5, OpenLDAP 2.4.11) on Debian Lenny.
When I try to join the domain with a Windows XP Pro client, all works fine... profiles updating, logon, etc., but when I try to join the domain with a Linux client (Slackware 12.1) I get different errors:

client:~# net rpc join -U root%password
Joined Domain DOMINIO.

and in the Samba log (log.__ffff_10.1.4.85):

[2009/04/30 13:45:42, 0] rpc_server/srv_netlog_nt.c:get_md4pw(306)
  get_md4pw: Workstation PARIS$: no account in domain
[2009/04/30 13:45:42, 0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(502)
  _netr_ServerAuthenticate2: failed to get machine password for account PARIS$: NT_STATUS_ACCESS_DENIED

and Samba adds a Computer account entry for paris$:

# paris$, Computers, DOMINIO
dn: uid=paris$,ou=Computers,dc=DOMINIO
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
cn: paris$
uid: paris$
uidNumber: 2008
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
sambaSID: S-1-5-21-1849485170-1217343015-651458238-1008
displayName: Computer
sambaAcctFlags: [W ]

Then I log out from the client and try to log in with a user in LDAP (I've tried with a PosixAccount and a SambaAccount), but it doesn't work.
If I try again to rejoin the domain, the client side gives me "Joined Domain DOMINIO.", but the Samba log (log.__ffff_10.1.4.85) gives me:

[2009/04/30 13:48:07, 0] rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(520)
  _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client PARIS machine account PARIS$

and I can't log in on the client side. These problems occur only when I try to join the domain from a simple Linux client.
I've also removed the entire LDAP db and repopulated it, but the problem persists.

Is this a client configuration problem or a PDC server configuration problem? Samba? Or OpenLDAP?
thanks in advance for help.
paris$ should not have a SID until it creates it upon joining the domain. You should not have done smbpasswd -a -m paris, so if you did, do smbpasswd -x paris\$ and try rejoining.

Alessandro Baggi wrote:
> Hi there. I've a problem with using Samba as Primary Domain Controller
> with an LDAP backend. Version release (Samba 3.2.5, OpenLDAP 2.4.11) on
> Debian Lenny.
> When I try to join the domain with a Windows XP Pro client, all works
> fine... profiles updating, logon, etc., but when I try to join the
> domain with a Linux client (Slackware 12.1) I get different errors:
>
>
> client:~# net rpc join -U root%password
> Joined Domain DOMINIO.
>
> and in the Samba log (log.__ffff_10.1.4.85):
>
> [2009/04/30 13:45:42, 0] rpc_server/srv_netlog_nt.c:get_md4pw(306)
>   get_md4pw: Workstation PARIS$: no account in domain
> [2009/04/30 13:45:42, 0]
> rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(502)
>   _netr_ServerAuthenticate2: failed to get machine password for account
> PARIS$: NT_STATUS_ACCESS_DENIED
>
> and Samba adds a Computer account entry for paris$:
>
> # paris$, Computers, DOMINIO
> dn: uid=paris$,ou=Computers,dc=DOMINIO
> objectClass: top
> objectClass: account
> objectClass: posixAccount
> objectClass: sambaSamAccount
> cn: paris$
> uid: paris$
> uidNumber: 2008
> gidNumber: 515
> homeDirectory: /dev/null
> loginShell: /bin/false
> description: Computer
> gecos: Computer
> sambaSID: S-1-5-21-1849485170-1217343015-651458238-1008
> displayName: Computer
> sambaAcctFlags: [W ]
>
> Then I log out from the client and try to log in with a user in
> LDAP (I've tried with a PosixAccount and a SambaAccount), but it doesn't
> work.
> If I try again to rejoin the domain, the client side gives me "Joined
> Domain DOMINIO.", but the Samba log (log.__ffff_10.1.4.85) gives me:
>
> [2009/04/30 13:48:07, 0]
> rpc_server/srv_netlog_nt.c:_netr_ServerAuthenticate2(520)
>   _netr_ServerAuthenticate2: netlogon_creds_server_check failed.
> Rejecting auth request from client PARIS machine account PARIS$
>
> and I can't log in on the client side. These problems occur only when I try to
> join the domain from a simple Linux client.
> I've also removed the entire LDAP db and repopulated it, but the problem
> persists.
>
> Is this a client configuration problem or a PDC server configuration
> problem? Samba? Or OpenLDAP?
>
>
> thanks in advance for help.
>
Hi Adam. I'm sorry for the late answer.
OK, I've added the machine account manually with a .ldif. Then, when the client joins the domain, Samba modifies the entry, with sambaSID and other attributes. On the client I receive:

Joined Domain DOMINIO

but in the log I still receive:

_netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client DEBIAN machine account DEBIAN$

Then with a high log level on Samba I get this:

[2009/05/14 15:15:57, 10] libsmb/credentials.c:creds_server_init(186)
  creds_server_init: client chal : A047C2F85202142F
[2009/05/14 15:15:57, 10] libsmb/credentials.c:creds_server_init(187)
  creds_server_init: server chal : 0012364D7628C4B5
[2009/05/14 15:15:57, 5] libsmb/credentials.c:creds_init_128(70)
  creds_init_128
[2009/05/14 15:15:57, 5] libsmb/credentials.c:creds_init_128(71)
  clnt_chal_in: A047C2F85202142F
[2009/05/14 15:15:57, 5] libsmb/credentials.c:creds_init_128(72)
  srv_chal_in : 0012364D7628C4B5
[2009/05/14 15:15:57, 10] libsmb/credentials.c:creds_server_init(205)
  creds_server_init: clnt : 9E53396C4265DCC1
[2009/05/14 15:15:57, 10] libsmb/credentials.c:creds_server_init(206)
  creds_server_init: server : DE8F791907CC3E7A
[2009/05/14 15:15:57, 10] libsmb/credentials.c:creds_server_init(207)
  creds_server_init: seed : 9E53396C4265DCC1
[2009/05/14 15:15:57, 5] libsmb/credentials.c:netlogon_creds_server_check(221)
  netlogon_creds_server_check: challenge : ADBFFA3C1575AA41
[2009/05/14 15:15:57, 5] libsmb/credentials.c:netlogon_creds_server_check(222)
  calculated: 9E53396C4265DCC1
[2009/05/14 15:15:57, 2] libsmb/credentials.c:netlogon_creds_server_check(223)
  netlogon_creds_server_check: credentials check failed.

Another thing: after joining the domain, can I see domain users with getent passwd? Or must I add LDAP support on the client computer?
Thanks in advance

Adam Williams wrote:
> I would delete uid=debian$,ou=Computers,dc=DOMINIO and load this ldif:
>
> dn: uid=debian$,ou=Computers,dc=DOMINIO
> objectClass: person
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> cn: debian$
> uid: debian$
> sn: debian$
> uidNumber: 1001
> gidNumber: 515
> homeDirectory: /dev/null
> loginShell: /bin/false
> description: Computer
> gecos: Computer
> displayName: DEBIAN$
> userPassword: {crypt}!!
> shadowLastChange: 13916
> shadowMax: 99999
> shadowWarning: 7
>
> then on DEBIAN do net join -D DOMINIO -S PDC_SERVER_NAME -U root%password
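The debug log above shows both halves of the Netlogon credential check: the PDC derives a session key from the two challenges and its copy of the machine password, then compares the credential the client sent ("challenge") with the one it computed itself ("calculated"). The Go program below is an added illustration, not code from this thread or from Samba: it reimplements the Samba 3 creds_init_128 session-key derivation and the DES-based credential step, uses the two challenge values from the log, and substitutes constructed NT hashes because the real machine password is not on the page. It shows that the check passes only when both sides hold the same machine password, which is why a machine account whose password was set on one side but not the other fails exactly this way.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/hmac"
	"crypto/md5"
)

// Challenges copied from the log in the thread; the two NT hashes are constructed sample values.
var (
	clntChal = []byte{0xA0, 0x47, 0xC2, 0xF8, 0x52, 0x02, 0x14, 0x2F}
	srvChal  = []byte{0x00, 0x12, 0x36, 0x4D, 0x76, 0x28, 0xC4, 0xB5}
	clientNT = bytes.Repeat([]byte{0x11}, 16) // hash the client stored when it joined
	staleNT  = bytes.Repeat([]byte{0x22}, 16) // a different hash held in the PDC's LDAP entry
)
// strToKey spreads 7 key bytes over 8 (parity bit unused), as Samba's str_to_key does.
func strToKey(s []byte) []byte {
	k := []byte{s[0] >> 1, (s[0]&1)<<6 | s[1]>>2, (s[1]&3)<<5 | s[2]>>3, (s[2]&7)<<4 | s[3]>>4,
		(s[3]&0xF)<<3 | s[4]>>5, (s[4]&0x1F)<<2 | s[5]>>6, (s[5]&0x3F)<<1 | s[6]>>7, s[6] & 0x7F}
	for i := range k {
		k[i] <<= 1
	}
	return k
}

// desCrypt112 runs DES twice over one 8-byte block, keyed by session-key bytes 0..6 and then 7..13.
func desCrypt112(in, sessKey []byte) []byte {
	out := append([]byte(nil), in...)
	for _, k := range [][]byte{sessKey[:7], sessKey[7:14]} {
		c, _ := des.NewCipher(strToKey(k))
		c.Encrypt(out, out)
	}
	return out
}

// sessionKey128 is the creds_init_128 derivation seen in the log: HMAC-MD5 keyed by the
// machine account's NT hash over MD5(4 zero bytes || client challenge || server challenge).
func sessionKey128(ntHash, cc, sc []byte) []byte {
	h := md5.New()
	h.Write(append(append([]byte{0, 0, 0, 0}, cc...), sc...))
	mac := hmac.New(md5.New, ntHash)
	mac.Write(h.Sum(nil))
	return mac.Sum(nil)
}
// clientCred is the credential the client sends (the "challenge" line in the log);
// serverCheck mirrors netlogon_creds_server_check: recompute from the PDC's password and compare.
func clientCred(ntHash []byte) []byte { return desCrypt112(clntChal, sessionKey128(ntHash, clntChal, srvChal)) }
func serverCheck(pdcHash, received []byte) bool { return bytes.Equal(clientCred(pdcHash), received) }
```

serverCheck(clientNT, clientCred(clientNT)) is true, while serverCheck(staleNT, clientCred(clientNT)) is false: with the same challenges, a mismatch between "challenge" and "calculated" means the two sides derived different session keys, i.e. they do not share the machine password.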