Hey all,

I have the following problem: I set up a PDC with Samba with an LDAP backend. Everything works fine except the machine account lookup. If I try to log on to the domain I have to create the machine account in ou=People,dc=testing,dc=de. Everything works fine with this. But if I create the machine account in ou=Computers,dc=testing,dc=de and change all suffixes accordingly, the search performed looks like this in the slapd log file:

Oct 1 15:42:59 [slapd] conn=908 op=4 SRCH base="ou=People,dc=testing,dc=de" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=farbwahl06$))"

So where is the mistake? I found some forum posts but all with no answers. Is it a configuration issue or a software problem?

Thanks
Stefan
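Added example (not code from this thread or from the Samba project): the Python script below derives the DNs that the ldap * suffix keys in smb.conf produce (Samba prepends ldap machine suffix to ldap suffix, so ou=Computers becomes ou=Computers,dc=testing,dc=de) and checks slapd SRCH lines against them, reporting any account lookup whose search base does not contain the subtree the account is expected in. The smb.conf keys and the first log line are the ones posted in this thread; the second log line is constructed, and the filter-shape heuristic (a bare objectClass=posixAccount filter is the form an NSS/PAM LDAP lookup of the Unix account sends, whereas Samba's passdb asks for sambaSamAccount) and all function names are my own assumptions.

```python
"""Added example (not from the thread or from Samba): derive the LDAP
suffixes Samba uses from smb.conf and check slapd SRCH lines against them.
The smb.conf keys and first log line are copied from the thread; the second
log line, the function names and the filter heuristic are my assumptions."""
import re

# [global] keys copied from the smb.conf posted in the thread.
SMB_CONF = """
[global]
  ldap suffix = dc=testing,dc=de
  ldap user suffix = ou=People
  ldap group suffix = ou=Groups
  ldap machine suffix = ou=Computers
"""

SLAPD_LOG = [
    # Copied from the thread: the search that missed the machine account.
    'Oct 1 15:42:59 [slapd] conn=908 op=4 SRCH base="ou=People,dc=testing,dc=de" '
    'scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=farbwahl06$))"',
    # Constructed: a subtree search from the ldap suffix for the same account.
    'Oct 1 15:43:00 [slapd] conn=909 op=2 SRCH base="dc=testing,dc=de" '
    'scope=2 deref=0 filter="(&(uid=farbwahl06$)(objectclass=sambaSamAccount))"',
]

SRCH_RE = re.compile(r'SRCH base="(?P<base>[^"]*)" scope=(?P<scope>\d) '
                     r'deref=\d+ filter="(?P<filter>[^"]*)"')
UID_RE = re.compile(r"\(uid=([^)]+)\)", re.IGNORECASE)


def parse_global(conf):
    """Return the [global] parameters of an smb.conf fragment, keys lower-cased."""
    params, section = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[key.strip().lower()] = value.strip()
    return params


def normalize_dn(dn):
    """Lower-case a DN and strip whitespace around RDN separators."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def effective_suffix(params, kind):
    """DN Samba uses for 'user', 'group' or 'machine' entries: the partial
    'ldap <kind> suffix' prepended to 'ldap suffix' ('ldap suffix' alone if
    unset). Passing an already absolute DN through unchanged is assumed here."""
    base = params.get("ldap suffix", "")
    partial = params.get(f"ldap {kind} suffix", "")
    if not partial:
        return base
    if normalize_dn(partial).endswith(normalize_dn(base)):
        return partial
    return f"{partial},{base}"


def dn_in_subtree(dn, base):
    """True if dn equals base or lies beneath it (what a scope=2 search covers)."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


def classify_search(line, params):
    """Explain one slapd SRCH line; None if it is not an account lookup by uid."""
    m = SRCH_RE.search(line)
    uid_m = UID_RE.search(m["filter"]) if m else None
    if not uid_m:
        return None
    uid = uid_m.group(1)
    is_machine = uid.endswith("$")
    expected = effective_suffix(params, "machine" if is_machine else "user")
    # Heuristic (assumption): Samba's passdb filters on sambaSamAccount; a bare
    # posixAccount filter is the shape of a Unix NSS/PAM lookup, whose search
    # base is set in the NSS LDAP configuration, not in smb.conf.
    kind = "sambaSamAccount" if "sambasamaccount" in m["filter"].lower() else "posix-only"
    return {"uid": uid, "is_machine": is_machine, "search_base": m["base"],
            "expected_suffix": expected, "filter_kind": kind,
            "covers_expected": m["scope"] == "2" and dn_in_subtree(expected, m["base"])}


def audit(log_lines, params):
    """Account lookups whose search base does not cover the expected subtree."""
    results = [classify_search(line, params) for line in log_lines]
    return [r for r in results if r and not r["covers_expected"]]


if __name__ == "__main__":
    cfg = parse_global(SMB_CONF)
    print("machine suffix:", effective_suffix(cfg, "machine"))
    for miss in audit(SLAPD_LOG, cfg):
        print(f"{miss['uid']}: searched {miss['search_base']} ({miss['filter_kind']}),"
              f" expected {miss['expected_suffix']}")
```

Run as-is, it reports the thread's log line as a miss: the search base ou=People,dc=testing,dc=de does not contain ou=Computers,dc=testing,dc=de, and the filter carries only objectClass=posixAccount, the shape of a system-side LDAP lookup whose base is configured outside smb.conf, so that configuration is worth checking next to the smb.conf suffixes.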
Hey Bruno,

it seems that the problem is something else. I tested on one computer (farbwahl06, a WinXP Pro client) most of the time. But I have another machine to test with (farbwahl04, a WinVista client). I moved the machine account for farbwahl04 from People to Computers and everything works fine. So I tried all variants for farbwahl06 (account in People and Computers, changed suffixes and so on), and the machine account for farbwahl06 seems to be broken. I tried to create a new one, but this doesn't help either.

So how do you create machine accounts? Perhaps I am missing something. Adding machine accounts automatically doesn't work either, by the way.

The Samba server is a Gentoo box (Linux version 2.6.23-hardened-r12).

Please find attached my smb.conf (farbwahl04 is working with this):

>>>
[global]
  dos charset = 850
  unix charset = ISO8859-1
  workgroup = TEST-DOMAIN
  interfaces = eth0
  map to guest = Bad User
  passdb backend = ldapsam:ldap://localhost
  username map = /etc/samba/smbusers
  log level = 10
  log file = /var/log/samba/log.%m
  max log size = 50000
  add user script = /usr/sbin/smbldap-useradd -a -d '/home/%u' -m -g 'Domain Users' '%u'
  delete user script = /usr/sbin/smbldap-userdel '%u'
  add group script = /usr/sbin/smbldap-groupadd '%g' && /usr/sbin/smbldap-groupshow %g|awk '/^gidNumber:/ {print $2}'
  delete group script = /usr/sbin/smbldap-userdel '%g'
  add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
  delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
  set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
  add machine script = /usr/sbin/smbldap-useradd -w -d /dev/null -g 'Domain Computers' -c 'Machine Account' -s /bin/false '%u'
  logon path = \\%L\Profiles\%U
  logon drive = w:
  logon home = \\%L\%U
  logon script = logonscripts\%U
  domain logons = Yes
  os level = 65
  preferred master = Yes
  domain master = Yes
  dns proxy = No
  wins support = Yes
  ldap admin dn = cn=smbadmin,ou=People,dc=testing,dc=de
  ldap group suffix = ou=Groups
  ldap idmap suffix = cn=Idmap
  ldap machine suffix = ou=Computers
  ldap suffix = dc=testing,dc=de
  ldap user suffix = ou=People
  winbind separator = #
  winbind use default domain = Yes
  hosts allow = 192.168.2.

[homes]
  comment = Home Directories
  valid users = %S
  read only = No
  browseable = No

[netlogon]
  comment = Network Logon Service
  path = /home/__netlogon__
  admin users = root
  read only = No
  browseable = No
  preexec = /home/__netlogon__/genlogon.pl %U %m

[Profiles]
  comment = For Windows Profile
  path = /var/lib/samba/profiles/%U
  read only = No
  profile acls = Yes
  browseable = No
  create mask = 0600
  directory mask = 0700

[public]
  path = /home/__public__
  force user = public
  force group = public
  read only = No

[sharehome]
  path = /home/share
  read only = No

[sharesrc]
  path = /usr/src
  read only = No

[backup]
  comment = The folder for backups
  path = /home/backup
  force user = backupexternal
  force group = backup
  read only = No
  guest ok = Yes

[Projekt_A]
  comment = For the Project A
  path = /home/projekt_a
  directory mask = 0770
  force group = Projekt A
  force create mode = 0770
  force directory mode = 0770
  read only = No
  guest ok = No
  browsable = No
  hide unreadable = Yes
  read list = @projekt_a_read
<<<

Kind regards,
Stefan

-----Original Message-----
From: Bruno MACADRE [mailto:bruno.macadre at univ-rouen.fr]
Sent: Thursday, 1 October 2009 17:51
To: Stefan Michalsky
Subject: Re: [Samba] PDC with LDAP and machine account lookup

Hi,

Are you sure that your "ldap machine suffix" is changed to "ldap machine suffix = ou=Computers"?

Can you show your smb.conf when you want to have machine accounts in ou=Computers?

Regards,
Bruno

--
Bruno MACADRE
-------------------------------------------------------------------
Ingénieur Systèmes et Réseau | Systems and Network Engineer
Département Informatique | Department of computer science
Responsable Réseau et Téléphonie | Telecom and Network Manager
Université de Rouen | University of Rouen
-------------------------------------------------------------------
Coordonnées / Contact :
Université de Rouen
Faculté des Sciences et Techniques - Madrillet
Avenue de l'Université - BP12
76801 St Etienne du Rouvray CEDEX
Tél : +33 (0)2-32-95-51-86
Fax : +33 (0)2-32-95-51-87
-------------------------------------------------------------------
Hi again,

so it looks like adding machine accounts manually does not work for me. After reconfiguring the smbldap-tools and removing the computer (farbwahl06) from the domain, I added it again. The automatically created machine account works fine and I am able to log on to the domain. The differences between the pdbedit outputs have not been that big, but big enough to make trouble, I guess.

Thanks for your help, Bruno.

Regards
Stefan

-----Original Message-----
From: Bruno MACADRE [mailto:bruno.macadre at univ-rouen.fr]
Sent: Thursday, 1 October 2009 22:10
To: Stefan Michalsky
Subject: Re: [Samba] PDC with LDAP and machine account lookup

Hi,

It looks strange... Have you tried to increase your log level (especially on tdb and passdb)? Something like:

log level = 2 tdb:5 passdb:5

And look for any strange behavior when you try to log onto farbwahl06 or when you try to join it to the domain.

I don't use smbldap-tools, so I can't help you with this; for me, adding a machine to the LDAP is like adding a user, the only difference being that the username (uid for LDAP) finishes with a $.

If you try:

# pdbedit -v farbwahl06$

and

# pdbedit -v farbwahl04$

look for any difference between the 2 results!

Regards,
Bruno