Arvid Requate
2010-Jan-07 19:00 UTC
[Samba] LDAP_NO_SUCH_OBJECT upon new user creation in s4/OpenLDAP
Hello,

on Mon, 07 Dec 2009 01:13:19 -0800 Eric Woltermann posted:

> for some weeks now I am trying to set up Samba4 (alpha9) with an OpenLDAP 2.4.17 backend as an AD PDC for my XP/7 clients. It was working for some time with Samba's integrated LDAP facility, however I could not figure out how to use this database e.g. to authenticate my IMAP users against (bind-dn, port etc.). OpenLDAP was compiled from source using --enable-modules=yes and --enable-overlays=yes. Provisioning samba using the command line
>
> setup/provision --ldap-backend-type=openldap --slapd-path="/usr/sbin/slapd" --username=samba-admin --realm=localdomain --domain=Heimnetz --server-role='domain controller' --adminpass=somepass
>
> ran through, although there were errors about slapd (id2entry.bdb not found, NT_STATUS_UNEXPECTED_NETWORK_ERROR, slapd unable to start). Afterwards, slapd and samba start fine, I can join machines to the domain "Heimnetz" (DNS is also working properly), login using the "administrator" account and have a look at the AD via dsa.msc. What is NOT working is the creation of new users. Doing that in dsa.msc fails with an error message about password policies, but this is probably not yet implemented, right? Going the howto-way, "<source-dir>/setup/newuser blah" prompts for a password, displays messages about skipping the loading of schema, naming context details and domain details, and then fails with the following error message:
>
> _ldb.LdbError: (32, 'objectclass: Cannot add CN=blah,CN=Users,DC=localdomain, parent does not exist!')

Alpha10 showed the same problem. Looking into the code you can see that it accepts options to pass credentials. Providing the 'LDAP Admin User' name and password from the output of the provision command helps, although the AssertionError looks a bit discouraging at first sight:

debiantest:~# newuser --username=samba-admin --password=$ldapadminpass demo1
New Password:
Traceback (most recent call last):
  File "/usr/local/samba/sbin/newuser", line 69, in <module>
    samdb.newuser(username, opts.unixname, password, force_password_change_at_next_login_req=opts.must_change_at_next_login)
  File "/usr/local/samba/lib/python2.5/site-packages/samba/samdb.py", line 133, in newuser
    force_password_change_at_next_login_req)
  File "/usr/local/samba/lib/python2.5/site-packages/samba/samdb.py", line 172, in setpassword
    assert(len(res) == 1)
AssertionError

The user object has been created anyway, but it is still inactive:

debiantest:~# smbclient //localhost/netlogon -Udemo1%S4password
Connection to \\localhost\netlogon failed - NT_STATUS_LOGON_FAILURE

Using Windows dsa.msc to create the user, I got an NT_STATUS_ACCOUNT_DISABLED instead.

You can enable the account by running setup/setpassword (or setup/enableaccount).

Regards,
Arvid

--
Arvid Requate
Open Source Software Engineer

Univention GmbH
Linux for your business
Mary-Somerville-Str.1
28359 Bremen
Tel. : +49 421 22232-0
Fax : +49 421 22232-99

requate at univention.de
http://www.univention.de

Managing Director: Peter H. Ganten
HRB 20755 Amtsgericht Bremen
Tax no.: 71-597-02876
Arvid Requate
2010-Jan-07 21:00 UTC
[Samba] LDAP_NO_SUCH_OBJECT upon new user creation in s4/OpenLDAP
Hello,

sorry for the misquoted post. This one might be easier to read.

on Mon, 07 Dec 2009 01:13:19 -0800 Eric Woltermann posted:

> for some weeks now I am trying to set up Samba4 (alpha9) with an OpenLDAP
> 2.4.17 backend as an AD PDC for my XP/7 clients.
> [...]
> What is NOT working is the creation of new users.
> Doing that in dsa.msc fails with an error message about password policies,
> but this is probably not yet implemented, right? Going the
> howto-way, "<source-dir>/setup/newuser blah" prompts for a password,
> displays messages about skipping the loading of schema, naming context
> details and domain details, and then fails with the following error
> message:
>
> _ldb.LdbError: (32, 'objectclass: Cannot add
> CN=blah,CN=Users,DC=localdomain, parent does not exist!')

Alpha10 showed the same problem. Looking into the code you can see that it accepts options to pass credentials. Providing the 'LDAP Admin User' name and password from the output of the provision command helps, although the AssertionError looks a bit discouraging at first sight:

debiantest:~# newuser --username=samba-admin --password=$ldapadminpass demo1
New Password:
Traceback (most recent call last):
  File "/usr/local/samba/sbin/newuser", line 69, in <module>
    samdb.newuser(username, opts.unixname, password, force_password_change_at_next_login_req=opts.must_change_at_next_login)
  File "/usr/local/samba/lib/python2.5/site-packages/samba/samdb.py", line 133, in newuser
    force_password_change_at_next_login_req)
  File "/usr/local/samba/lib/python2.5/site-packages/samba/samdb.py", line 172, in setpassword
    assert(len(res) == 1)
AssertionError

The user object has been created anyway, but it is still inactive:

debiantest:~# smbclient //localhost/netlogon -Udemo1%S4password
Connection to \\localhost\netlogon failed - NT_STATUS_LOGON_FAILURE

Using Windows dsa.msc to create the user, I got an NT_STATUS_ACCOUNT_DISABLED instead, trying to access netlogon.

You can enable the account by running setup/setpassword (or setup/enableaccount).

Regards,
Arvid

--
Arvid Requate
Open Source Software Engineer

Univention GmbH
Linux for your business
Mary-Somerville-Str.1
28359 Bremen
Tel. : +49 421 22232-0
Fax : +49 421 22232-99

requate at univention.de
http://www.univention.de

Managing Director: Peter H. Ganten
HRB 20755 Amtsgericht Bremen
Tax no.: 71-597-02876