Gaiseric Vandal
2010-Sep-27 16:31 UTC
[Samba] Fwd: Re: Problem with Samba - Openldap and domain authentication of Windows XP
Wait, you are using Samba with an OpenLDAP backend.
Why are you using useradd??? With this backend you need smbldap instead,
like this:
passdb backend = ldapsam:ldap://your ldap server
ldap passwd sync = yes
ldap delete dn = Yes
ldap admin dn = cn=root,dc=domain,dc=com,dc=br
ldap suffix = dc=domain,dc=com,dc=br
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = sambaDomainName=DOMAIN
idmap backend = ldap:ldap://ldap server
idmap alloc backend = ldap:ldap://ldap server
idmap uid = 1000-20000
idmap gid = 1000-20000
idmap alloc config:range = 1000-20000
ldap timeout = 15
ldap connection timeout = 2
ldap page size = 1024
# add/remove users
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
# add/remove Groups
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
# add/remove user in groups
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
# define primary group of user
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
# add machines in domain
add machine script = /usr/sbin/smbldap-useradd -i -w "%u"
regards
On Mon, Sep 27, 2010 at 12:15 PM, Gaiseric Vandal
<gaiseric.vandal at gmail.com> wrote:
> Your user script may be adding a LOCAL unix account (in /etc/passwd.) Do
> you see the accounts in there? You may need a custom script that adds the
> accounts to ldap.
>
> The following may help
>
> https://gna.org/projects/smbldap-tools/
>
> Remember, that being root on your unix system does not automatically make
> you LDAP admin.
>
> If you have a single server then having your unix may be OK- samba will
> match the samba user to the unix user via the user id. I have multiple
> servers so I use LDAP for unix accounts (previously used NIS.) So now an
> LDAP user has both windows and unix account info.
>
> On 09/27/2010 11:08 AM, Claudio Prono wrote:
>>
>> Gaiseric Vandal wrote:
>>
>>>
>>> Do you have an underlying unix account for the pc (eg SOMEMACHINE$)
>>>
>>> It is possible to configure scripts so that the unix account is created
>>> by samba if necessary when samba creates the "Windows" account for the
>>> machine. I don't have it set up this way, so I need to create the
>>> unix account 1st.
>>>
>>>
>>
>> add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
>>
>> This script automatically adds the machine if needed, or am I wrong?
>>
>>>
>>> Also, I found that since the underlying unix OS may need to validate the
>>> machine account, I put my machine accounts in either the same ldap ou
>>> as people (or in a sub ou.) ("getent passwd" command may need to show
>>> your machine accounts as well as people accounts.)
>>>
>>> If you have manually created the unix account for the machine, can you
>>> then manually create the samba account for it
>>>
>>> e.g. smbpasswd -m -a SOMEMACHINE
>>>
>>> (I think you leave the $ off .)
>>>
>>>
>>> I use LDAP for both "unix" and "windows" clients so my config choices
>>> may not be applicable to a windows-only client environment.
>>>
>>>
>>> On 09/27/2010 09:59 AM, Claudio Prono wrote:
>>>
>>>>
>>>> Hello all,
>>>>
>>>> I have some problems making a configuration like Samba and
>>>> OpenLDAP as a domain controller work. My operating system is OpenSuSE 11.3.
>>>>
>>>> Here is my testparm:
>>>>
>>>> [global]
>>>> workgroup = MEDIADC
>>>> netbios name = MEDIADC
>>>> map to guest = Bad User
>>>> passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
>>>> log level = 2
>>>> printcap name = cups
>>>> add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
>>>> logon path = \\%L\profiles\.msprofile
>>>> logon drive = P:
>>>> logon home = \\%L\%U\.9xprofile
>>>> domain logons = Yes
>>>> os level = 65
>>>> preferred master = Yes
>>>> domain master = Yes
>>>> wins support = Yes
>>>> ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
>>>> ldap group suffix = ou=group
>>>> ldap idmap suffix = ou=Idmap
>>>> ldap machine suffix = ou=Machines
>>>> ldap passwd sync = yes
>>>> ldap suffix = dc=mediaservice-test,dc=pri
>>>> ldap ssl = no
>>>> ldap user suffix = ou=people
>>>> usershare allow guests = Yes
>>>> idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
>>>> idmap uid = 1000-60000
>>>> idmap gid = 1000-60000
>>>> cups options = raw
>>>>
>>>> [homes]
>>>> comment = Home Directories
>>>> valid users = %S, %D%w%S
>>>> read only = No
>>>> inherit acls = Yes
>>>> browseable = No
>>>>
>>>> [profiles]
>>>> comment = Network Profiles Service
>>>> path = %H
>>>> read only = No
>>>> create mask = 0600
>>>> directory mask = 0700
>>>> store dos attributes = Yes
>>>>
>>>> [users]
>>>> comment = All users
>>>> path = /home
>>>> read only = No
>>>> inherit acls = Yes
>>>> veto files = /aquota.user/groups/shares/
>>>>
>>>> [groups]
>>>> comment = All groups
>>>> path = /home/groups
>>>> read only = No
>>>> inherit acls = Yes
>>>>
>>>> [printers]
>>>> comment = All Printers
>>>> path = /var/tmp
>>>> create mask = 0600
>>>> printable = Yes
>>>> browseable = No
>>>>
>>>> [print$]
>>>> comment = Printer Drivers
>>>> path = /var/lib/samba/drivers
>>>> write list = @ntadmin, root
>>>> force group = ntadmin
>>>> create mask = 0664
>>>> directory mask = 0775
>>>>
>>>> [netlogon]
>>>> comment = Network Logon Service
>>>> path = /var/lib/samba/netlogon
>>>> write list = root
>>>>
>>>> If I try to join a windows xp into the domain I have these results:
>>>>
>>>> [2010/09/27 14:58:52.229946, 0] lib/util_sock.c:1432(get_peer_addr_internal)
>>>> getpeername failed. Error was Transport endpoint is not connected
>>>> [2010/09/27 14:58:52.233371, 2] smbd/reply.c:536(reply_special)
>>>> netbios connect: name1=MEDIADC 0x20 name2=TESTAFS 0x0
>>>> [2010/09/27 14:58:52.233498, 2] smbd/reply.c:547(reply_special)
>>>> netbios connect: local=mediadc remote=testafs, name type = 0
>>>> [2010/09/27 14:58:52.234068, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
>>>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>>>> [2010/09/27 14:58:52.233647, 0] lib/util_sock.c:675(write_data)
>>>> [2010/09/27 14:58:52.234876, 0] lib/util_sock.c:1432(get_peer_addr_internal)
>>>> getpeername failed. Error was Transport endpoint is not connected
>>>> write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
>>>> [2010/09/27 14:58:52.236855, 0] smbd/process.c:79(srv_send_smb)
>>>> Error writing 4 bytes to client. -1. (Transport endpoint is not connected)
>>>> [2010/09/27 14:58:52.238615, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
>>>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>>>> [2010/09/27 14:58:52.239888, 2] lib/smbldap.c:950(smbldap_open_connection)
>>>> smbldap_open_connection: connection opened
>>>> [2010/09/27 14:58:52.242954, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
>>>> init_sam_from_ldap: Entry found for user: Administrator
>>>> [2010/09/27 14:58:52.295749, 2] auth/auth.c:304(check_ntlm_password)
>>>> check_ntlm_password: authentication for user [Administrator] -> [Administrator] -> [Administrator] succeeded
>>>> [2010/09/27 14:58:52.780610, 0] rpc_server/srv_netlog_nt.c:669(_netr_ServerAuthenticate3)
>>>> _netr_ServerAuthenticate: no challenge sent to client TESTAFS
>>>> [2010/09/27 14:58:53.337111, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
>>>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>>>> [2010/09/27 14:58:53.338938, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
>>>> setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>>>> [2010/09/27 14:58:53.339808, 2] lib/smbldap.c:950(smbldap_open_connection)
>>>> smbldap_open_connection: connection opened
>>>> [2010/09/27 14:58:53.342371, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
>>>> init_sam_from_ldap: Entry found for user: Administrator
>>>> [2010/09/27 14:58:53.347683, 2] auth/auth.c:304(check_ntlm_password)
>>>> check_ntlm_password: authentication for user [Administrator] -> [Administrator] -> [Administrator] succeeded
>>>> [2010/09/27 14:58:53.812728, 2] rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
>>>> Returning domain sid for domain MEDIADC -> S-1-5-21-1949818787-1514111066-129980733
>>>> [2010/09/27 14:58:53.814002, 2] rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
>>>> Returning domain sid for domain MEDIADC -> S-1-5-21-1949818787-1514111066-129980733
>>>>
>>>> As it seems all works fine, but windows gives an error like "Access
>>>> Denied" and the computer is not added to the domain.
>>>>
>>>> What can be the problem? How to debug it?
>>>>
>>>> Any hint is welcome...
>>>>
>>>> Cordially,
>>>>
>>>> Claudio Prono.
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>
Claudio Prono
2010-Sep-28 09:06 UTC
[Samba] Fwd: Re: Problem with Samba - Openldap and domain authentication of Windows XP
Ok, now the join to the domain works, but when I create a new user and
I try to log in to the Windows XP domain, Windows says to me "Unable
to access. A peripheral is not working". (Sorry for the poor translation,
but my Windows is in Italian.) In the Samba logs I read this:
[2010/09/28 10:07:45.795892, 2] smbd/reply.c:536(reply_special)
netbios connect: name1=MEDIADC 0x20 name2=TESTAFS 0x0
[2010/09/28 10:07:45.796139, 2] smbd/reply.c:547(reply_special)
netbios connect: local=mediadc remote=testafs, name type = 0
[2010/09/28 10:07:45.799185, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2010/09/28 10:07:45.801093, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2010/09/28 10:07:45.801767, 2] lib/smbldap.c:950(smbldap_open_connection)
smbldap_open_connection: connection opened
[2010/09/28 10:07:45.865629, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: AFS
[2010/09/28 10:07:45.872442, 2] auth/auth.c:304(check_ntlm_password)
check_ntlm_password: authentication for user [AFS] -> [AFS] -> [AFS]
succeeded
[2010/09/28 10:07:45.872630, 1] rpc_server/srv_pipe_hnd.c:1602(serverinfo_to_SamInfo_base)
_netr_LogonSamLogon: user MEDIADC\AFS has user sid S-1-5-21-3218914170-3340994528-1537192846-3010 but group sid S-1-5-21-1949818787-1514111066-129980733-513.
The conflicting domain portions are not supported for NETLOGON calls
This is my testparm (actually):
[global]
workgroup = MEDIADC
netbios name = MEDIADC
map to guest = Bad User
passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
log level = 2
printcap name = cups
add user script = /usr/sbin/ldapsmb -a -u "%u" -smbacct --makehomedir --homedir /home/%u -f
delete user script = /usr/sbin/ldapsmb -d -u "%u" -f
add group script = /usr/sbin/ldapsmb -a -g "%g" -f
delete group script = /usr/sbin/ldapsmb -d -g "%g" -f
add user to group script = /usr/sbin/ldapsmb -j -u "%u" -g "%g" -f
delete user from group script = /usr/sbin/ldapsmb -r -u "%u" -g "%g" -f
add machine script = "/usr/sbin/ldapsmb -a -wks %u -f"
logon path = \\%L\profiles\.msprofile
logon drive = P:
logon home = \\%L\%U\.9xprofile
domain logons = Yes
os level = 99
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
ldap group suffix = ou=group
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Machines
ldap passwd sync = yes
ldap suffix = dc=mediaservice-test,dc=pri
ldap ssl = no
ldap user suffix = ou=people
usershare allow guests = Yes
idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
cups options = raw
[homes]
comment = Home Directories
valid users = %S, %D%w%S
read only = No
inherit acls = Yes
browseable = No
[profiles]
comment = Network Profiles Service
path = %H
read only = No
create mask = 0600
directory mask = 0700
store dos attributes = Yes
[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/
[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
create mask = 0600
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin, root
force group = ntadmin
create mask = 0664
directory mask = 0775
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
write list = root
How can I debug what is wrong?
Any suggestion?
Cordially,
Claudio Prono.
--
--------------------------------------------------------------------------------
Claudio Prono OPST
System Developer
Gsm: +39-349-54.33.258
@PSS Srl Tel: +39-011-32.72.100
Via San Bernardino, 17 Fax: +39-011-32.46.497
10141 Torino - ITALY http://atpss.net/disclaimer
--------------------------------------------------------------------------------
PGP Key - http://keys.atpss.net/c_prono.asc
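The NETLOGON error Claudio quotes says that the user's sambaSID and its sambaPrimaryGroupSID were issued under two different domain SIDs, and only the group one matches the SID smbd returned for MEDIADC during the join. The script below is an added example, not code from the thread or from Samba: it reproduces that comparison over an LDIF export so every account with a foreign domain portion can be found before a user hits the error. The LDIF sample is constructed around the two SIDs from the log; LOCAL_DOMAIN_SID is copied from the _samr_LookupDomain log line and would normally come from `net getlocalsid`.

```python
import re

# Domain SID = S-1-5-21 plus three sub-authorities; users and groups append a RID.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")
# Domain SID smbd reported for MEDIADC in the join log (_samr_LookupDomain above).
LOCAL_DOMAIN_SID = "S-1-5-21-1949818787-1514111066-129980733"

# Constructed LDIF sample: the two SIDs are the ones from the NETLOGON error above.
SAMPLE_LDIF = """\
dn: uid=AFS,ou=people,dc=mediaservice-test,dc=pri
uid: AFS
sambaSID: S-1-5-21-3218914170-3340994528-1537192846-3010
sambaPrimaryGroupSID: S-1-5-21-1949818787-1514111066-129980733-513
"""

def split_sid(sid):
    """Return (domain_part, rid) for a domain-relative SID; raise on anything else."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not a domain-relative SID: {sid!r}")
    return m.group(1), int(m.group(2))

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, single-valued attributes."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        key, _, val = line.partition(":")
        cur[key.strip()] = val.strip()
    return entries + ([cur] if cur else [])

def find_sid_mismatches(entries, local_domain_sid=LOCAL_DOMAIN_SID):
    """Return (uid, attribute, sid) for every SID not issued under the server's domain SID."""
    bad = []
    for e in entries:
        uid = e.get("uid", e.get("dn"))
        for attr in ("sambaSID", "sambaPrimaryGroupSID"):
            sid = e.get(attr)
            if sid is None or split_sid(sid)[0] != local_domain_sid:
                bad.append((uid, attr, sid))  # missing or foreign-domain SID
    return bad

def parse_netlogon_error(line):
    """Extract (user_sid, group_sid) from the _netr_LogonSamLogon 'conflicting domain' line."""
    m = re.search(r"user sid (S-1-5-21-[\d-]+) but group sid (S-1-5-21-[\d-]+)", line)
    return (m.group(1), m.group(2)) if m else None
```

Run it against `ldapsearch -LLL ... objectClass=sambaSamAccount` output; any hit on sambaSID means the tool that created the account used a domain SID other than the one smbd serves.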