Claudio Prono
2010-Sep-27 13:59 UTC
[Samba] Problem with Samba - Openldap and domain autentication of Windows XP
Hello all,
I have some problems to make work a configuration like Samba and
OpenLDAP as domain controller. My operative system is OpenSuSE 11.3.
Here is my testparm:
[global]
workgroup = MEDIADC
netbios name = MEDIADC
map to guest = Bad User
passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
log level = 2
printcap name = cups
add machine script = /usr/sbin/useradd -c Machine -d
/var/lib/nobody -s /bin/false %m$
logon path = \\%L\profiles\.msprofile
logon drive = P:
logon home = \\%L\%U\.9xprofile
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
ldap group suffix = ou=group
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Machines
ldap passwd sync = yes
ldap suffix = dc=mediaservice-test,dc=pri
ldap ssl = no
ldap user suffix = ou=people
usershare allow guests = Yes
idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
idmap uid = 1000-60000
idmap gid = 1000-60000
cups options = raw
[homes]
comment = Home Directories
valid users = %S, %D%w%S
read only = No
inherit acls = Yes
browseable = No
[profiles]
comment = Network Profiles Service
path = %H
read only = No
create mask = 0600
directory mask = 0700
store dos attributes = Yes
[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/
[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
create mask = 0600
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin, root
force group = ntadmin
create mask = 0664
directory mask = 0775
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
write list = root
If i try to join a windows xp into the domain i have this results:
[2010/09/27 14:58:52.229946, 0]
lib/util_sock.c:1432(get_peer_addr_internal)
getpeername failed. Error was Transport endpoint is not connected
[2010/09/27 14:58:52.233371, 2] smbd/reply.c:536(reply_special)
netbios connect: name1=MEDIADC 0x20 name2=TESTAFS 0x0
[2010/09/27 14:58:52.233498, 2] smbd/reply.c:547(reply_special)
netbios connect: local=mediadc remote=testafs, name type = 0
[2010/09/27 14:58:52.234068, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2010/09/27 14:58:52.233647, 0] lib/util_sock.c:675(write_data)
[2010/09/27 14:58:52.234876, 0]
lib/util_sock.c:1432(get_peer_addr_internal)
getpeername failed. Error was Transport endpoint is not connected
write_data: write failure in writing to client 0.0.0.0. Error
Connection reset by peer
[2010/09/27 14:58:52.236855, 0] smbd/process.c:79(srv_send_smb)
Error writing 4 bytes to client. -1. (Transport endpoint is not connected)
[2010/09/27 14:58:52.238615, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2010/09/27 14:58:52.239888, 2] lib/smbldap.c:950(smbldap_open_connection)
smbldap_open_connection: connection opened
[2010/09/27 14:58:52.242954, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: Administrator
[2010/09/27 14:58:52.295749, 2] auth/auth.c:304(check_ntlm_password)
check_ntlm_password: authentication for user [Administrator] ->
[Administrator] -> [Administrator] succeeded
[2010/09/27 14:58:52.780610, 0]
rpc_server/srv_netlog_nt.c:669(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate: no challenge sent to client TESTAFS
[2010/09/27 14:58:53.337111, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2010/09/27 14:58:53.338938, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2010/09/27 14:58:53.339808, 2] lib/smbldap.c:950(smbldap_open_connection)
smbldap_open_connection: connection opened
[2010/09/27 14:58:53.342371, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: Administrator
[2010/09/27 14:58:53.347683, 2] auth/auth.c:304(check_ntlm_password)
check_ntlm_password: authentication for user [Administrator] ->
[Administrator] -> [Administrator] succeeded
[2010/09/27 14:58:53.812728, 2]
rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
Returning domain sid for domain MEDIADC ->
S-1-5-21-1949818787-1514111066-129980733
[2010/09/27 14:58:53.814002, 2]
rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
Returning domain sid for domain MEDIADC ->
S-1-5-21-1949818787-1514111066-129980733
As it seems all works fine, but windows give an error like "Access
Denied" and the computer is not added to the domain.
What can be the problem? How to debug it?
Any hint is welcome...
Cordially,
Claudio Prono.
--
--------------------------------------------------------------------------------
Claudio Prono OPST
System Developer
Gsm: +39-349-54.33.258
@PSS Srl Tel: +39-011-32.72.100
Via San Bernardino, 17 Fax: +39-011-32.46.497
10141 Torino - ITALY http://atpss.net/disclaimer
--------------------------------------------------------------------------------
PGP Key - http://keys.atpss.net/c_prono.asc
Gaiseric Vandal
2010-Sep-27 14:41 UTC
[Samba] Problem with Samba - Openldap and domain autentication of Windows XP
Do you have an underlying unix account for the pc (eg SOMEMACHINE$)
It is possible to configure scripts that the unix account is created by
samba if necessary when samba creates the "Windows" account for the
machine. I don't have it set up this way, so I need to create the unix
account 1st.
Also, I found that since the underlying unix OS may need validate the
machine account, I put my machine accounts in either the same ldap ou
as people (or in a sub ou.) ("getent passwd" command may need to show
your machine accounts as well as people accounts.)
If you have manually created the unix account for the machine, can you
them manually create the samba account for it
e.g. smbpasswd -m -a SOMEMACHINE
(I think you leave the $ off .)
I use LDAP for both "unix" and "windows" clients so my
config choices
may not be applicable to a windows-only client environment.
On 09/27/2010 09:59 AM, Claudio Prono wrote:> Hello all,
>
> I have some problems to make work a configuration like Samba and
> OpenLDAP as domain controller. My operative system is OpenSuSE 11.3.
>
> Here is my testparm:
>
> [global]
> workgroup = MEDIADC
> netbios name = MEDIADC
> map to guest = Bad User
> passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
> log level = 2
> printcap name = cups
> add machine script = /usr/sbin/useradd -c Machine -d
> /var/lib/nobody -s /bin/false %m$
> logon path = \\%L\profiles\.msprofile
> logon drive = P:
> logon home = \\%L\%U\.9xprofile
> domain logons = Yes
> os level = 65
> preferred master = Yes
> domain master = Yes
> wins support = Yes
> ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
> ldap group suffix = ou=group
> ldap idmap suffix = ou=Idmap
> ldap machine suffix = ou=Machines
> ldap passwd sync = yes
> ldap suffix = dc=mediaservice-test,dc=pri
> ldap ssl = no
> ldap user suffix = ou=people
> usershare allow guests = Yes
> idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
> idmap uid = 1000-60000
> idmap gid = 1000-60000
> cups options = raw
>
> [homes]
> comment = Home Directories
> valid users = %S, %D%w%S
> read only = No
> inherit acls = Yes
> browseable = No
>
> [profiles]
> comment = Network Profiles Service
> path = %H
> read only = No
> create mask = 0600
> directory mask = 0700
> store dos attributes = Yes
>
> [users]
> comment = All users
> path = /home
> read only = No
> inherit acls = Yes
> veto files = /aquota.user/groups/shares/
>
> [groups]
> comment = All groups
> path = /home/groups
> read only = No
> inherit acls = Yes
>
> [printers]
> comment = All Printers
> path = /var/tmp
> create mask = 0600
> printable = Yes
> browseable = No
>
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/drivers
> write list = @ntadmin, root
> force group = ntadmin
> create mask = 0664
> directory mask = 0775
>
> [netlogon]
> comment = Network Logon Service
> path = /var/lib/samba/netlogon
> write list = root
>
> If i try to join a windows xp into the domain i have this results:
>
> [2010/09/27 14:58:52.229946, 0]
> lib/util_sock.c:1432(get_peer_addr_internal)
> getpeername failed. Error was Transport endpoint is not connected
> [2010/09/27 14:58:52.233371, 2] smbd/reply.c:536(reply_special)
> netbios connect: name1=MEDIADC 0x20 name2=TESTAFS 0x0
> [2010/09/27 14:58:52.233498, 2] smbd/reply.c:547(reply_special)
> netbios connect: local=mediadc remote=testafs, name type = 0
> [2010/09/27 14:58:52.234068, 2]
smbd/sesssetup.c:1390(setup_new_vc_session)
> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> all old resources.
> [2010/09/27 14:58:52.233647, 0] lib/util_sock.c:675(write_data)
> [2010/09/27 14:58:52.234876, 0]
> lib/util_sock.c:1432(get_peer_addr_internal)
> getpeername failed. Error was Transport endpoint is not connected
> write_data: write failure in writing to client 0.0.0.0. Error
> Connection reset by peer
> [2010/09/27 14:58:52.236855, 0] smbd/process.c:79(srv_send_smb)
> Error writing 4 bytes to client. -1. (Transport endpoint is not
connected)
> [2010/09/27 14:58:52.238615, 2]
smbd/sesssetup.c:1390(setup_new_vc_session)
> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> all old resources.
> [2010/09/27 14:58:52.239888, 2] lib/smbldap.c:950(smbldap_open_connection)
> smbldap_open_connection: connection opened
> [2010/09/27 14:58:52.242954, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
> init_sam_from_ldap: Entry found for user: Administrator
> [2010/09/27 14:58:52.295749, 2] auth/auth.c:304(check_ntlm_password)
> check_ntlm_password: authentication for user [Administrator] ->
> [Administrator] -> [Administrator] succeeded
> [2010/09/27 14:58:52.780610, 0]
> rpc_server/srv_netlog_nt.c:669(_netr_ServerAuthenticate3)
> _netr_ServerAuthenticate: no challenge sent to client TESTAFS
> [2010/09/27 14:58:53.337111, 2]
smbd/sesssetup.c:1390(setup_new_vc_session)
> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> all old resources.
> [2010/09/27 14:58:53.338938, 2]
smbd/sesssetup.c:1390(setup_new_vc_session)
> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> all old resources.
> [2010/09/27 14:58:53.339808, 2] lib/smbldap.c:950(smbldap_open_connection)
> smbldap_open_connection: connection opened
> [2010/09/27 14:58:53.342371, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
> init_sam_from_ldap: Entry found for user: Administrator
> [2010/09/27 14:58:53.347683, 2] auth/auth.c:304(check_ntlm_password)
> check_ntlm_password: authentication for user [Administrator] ->
> [Administrator] -> [Administrator] succeeded
> [2010/09/27 14:58:53.812728, 2]
> rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
> Returning domain sid for domain MEDIADC ->
> S-1-5-21-1949818787-1514111066-129980733
> [2010/09/27 14:58:53.814002, 2]
> rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
> Returning domain sid for domain MEDIADC ->
> S-1-5-21-1949818787-1514111066-129980733
>
> As it seems all works fine, but windows give an error like "Access
> Denied" and the computer is not added to the domain.
>
> What can be the problem? How to debug it?
>
> Any hint is welcome...
>
> Cordially,
>
> Claudio Prono.
>
>
>