On 22/12/14 17:47, Elias Pereira wrote:
> And now, I run the command "samba-tool user list" and the result is as
> follows:
>
> # samba-tool user list
> ldb_wrap open of secrets.ldb
> Could not find machine account in secrets database: Failed to fetch
> machine account password from secrets.ldb: Could not find entry to match
> filter: '(&(flatname=POA)(objectclass=primaryDomain))' base: 'cn=Primary
> Domains': No such object: (null) and failed to fetch
> SECRETS/MACHINE_PASSWORD/POA from /var/lib/samba/private/secrets.tdb:
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> ERROR(ldb): uncaught exception - ldb_search: invalid basedn '(null)'
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/__init__.py", line 175, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib/python2.7/dist-packages/samba/netcmd/user.py", line 271, in run
>     attrs=["samaccountname"])
>
> On Mon, Dec 22, 2014 at 12:05 PM, Elias Pereira <empbilly at gmail.com> wrote:
>
>> Guys,
>>
>> In my lab test when I run the command "net groupmap list" the result is as
>> follows:
>>
>> # net groupmap list
>> Domain Admins (S-1-5-21-187220369-3628530160-3539241734-512) -> 512
>> Domain Users (S-1-5-21-187220369-3628530160-3539241734-513) -> 513
>> Domain Guests (S-1-5-21-187220369-3628530160-3539241734-514) -> 514
>> Domain Computers (S-1-5-21-187220369-3628530160-3539241734-515) -> 515
>>
>> I believe that it would have to be like this:
>>
>> # net groupmap list
>> Domain Admins (S-1-5-21-187220369-3628530160-3539241734-512) -> Domain Admins
>> Domain Users (S-1-5-21-187220369-3628530160-3539241734-513) -> Domain Users
>> Domain Guests (S-1-5-21-187220369-3628530160-3539241734-514) -> Domain Guests
>> Domain Computers (S-1-5-21-187220369-3628530160-3539241734-515) -> Domain Computers
>>
>> Any idea what could have happened?
>>
>> Att.
>> --
>> Elias Pereira

Hi, could you provide a bit more info: how are you running samba, what version, and what is in your smb.conf?

Rowland
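An added diagnostic for the "net groupmap list" output quoted above; it is not code from the thread or from the Samba project. The right-hand side of each mapping is the Unix group name, and Samba prints the bare gid instead when it cannot look that gid up through NSS, so a line ending in "-> 512" means the host has no resolvable group with that gid. The script parses the lines and, for each numeric mapping, asks getent whether the gid exists at all; it assumes only POSIX sh, sed, wc and getent, and the sample lines are Elias's output embedded as a constructed input.

```shell
#!/bin/sh
# Added diagnostic for "net groupmap list" output; not part of Samba or of
# the thread. Assumes only POSIX sh, sed, wc and getent.

# Constructed sample input: the four mapping lines Elias posted.
SAMPLE='Domain Admins (S-1-5-21-187220369-3628530160-3539241734-512) -> 512
Domain Users (S-1-5-21-187220369-3628530160-3539241734-513) -> 513
Domain Guests (S-1-5-21-187220369-3628530160-3539241734-514) -> 514
Domain Computers (S-1-5-21-187220369-3628530160-3539241734-515) -> 515'

# Read "net groupmap list" lines on stdin and print "<rid> <gid> <NT name>"
# for every mapping whose Unix side is a bare number instead of a group name
# (Samba prints the numeric gid when it cannot look the gid up through NSS).
unresolved_mappings() {
    sed -n 's/^\(.*\) (S-[0-9-]*-\([0-9][0-9]*\)) -> \([0-9][0-9]*\)$/\2 \3 \1/p'
}

# Number of unresolved mappings in the input on stdin.
count_unresolved() {
    unresolved_mappings | wc -l | tr -d ' '
}

# Report each unresolved mapping and say whether the gid exists at all on
# this host; if it does not, the groups are simply not visible through
# nsswitch on the Samba box, which is the first thing to fix.
# Returns 0 only when every mapping resolves to a named Unix group.
check_groupmap() {
    input=$(cat)
    printf '%s\n' "$input" | unresolved_mappings |
    while read -r rid gid ntname; do
        if getent group "$gid" >/dev/null 2>&1; then
            printf 'RID %s (%s): gid %s exists but is shown numerically\n' \
                "$rid" "$ntname" "$gid"
        else
            printf 'RID %s (%s): gid %s is not resolvable via NSS\n' \
                "$rid" "$ntname" "$gid"
        fi
    done
    [ "$(printf '%s\n' "$input" | count_unresolved)" -eq 0 ]
}

# Stand-alone use with the constructed sample (or pipe real output in):
#   printf '%s\n' "$SAMPLE" | check_groupmap
#   net groupmap list | check_groupmap
```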
Hi, I'm running Samba as a "classic primary domain controller" in my lab test.

In my lab tests, at first everything seems to be working properly.

1. I set up Samba4 as "classic primary domain controller" (smb.conf in the pastebin link).
2. I set up an external LDAP, with the same ldif base that we have in production here on campus.
3. I set up bind9 as DNS server.

I tried to join a machine with Windows XP to the domain. When the login and password window was shown, I entered the login and password of a user who is in the LDAP base, and there was the error "Error while trying to domain join "poa": Logon failure: unknown user name or bad password".

So, I tried a few things, but without success.

When I tried to run the commands mentioned above, as seen, more mistakes happen. :(

http://pastebin.com/raw.php?i=3mUJB9fA

On Mon, Dec 22, 2014 at 4:41 PM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
> Hi, could you provide a bit more info: how are you running samba, what
> version, and what is in your smb.conf?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba

--
Elias Pereira
On 22/12/14 19:02, Elias Pereira wrote:
> Hi, I'm running Samba as a "classic primary domain controller" in my
> lab test.
>
> In my lab tests, at first everything seems to be working properly.
>
> 1. I set up Samba4 as "classic primary domain controller" (smb.conf
> in the pastebin link).
> 2. I set up an external LDAP, with the same ldif base that we have in
> production here on campus.
> 3. I set up bind9 as DNS server.
>
> I tried to join a machine with Windows XP to the domain. When the
> login and password window was shown, I entered the login and password of a
> user who is in the LDAP base, and there was the error "Error
> while trying to domain join "poa": Logon failure: unknown user name or
> bad password".
>
> So, I tried a few things, but without success.
>
> When I tried to run the commands mentioned above, as seen, more
> mistakes happen. :(

OK, stupid question first: have you run 'smbpasswd -w' and supplied the ldap admin passwd?

Also, you cannot use samba-tool with a classic domain controller; it is for the Active Directory domain controller.

Rowland

> http://pastebin.com/raw.php?i=3mUJB9fA
>
> --
> Elias Pereira
No stupid question. For me there is not. Better to ask than to stay with the doubt.

I believe that I had not used this command, but now I have.

But I am still getting the error:
"Error while trying to join domain "poa": Logon failure: unknown user name or bad password."

About the results of the command "net groupmap list", would you have any tips on how I can solve this problem?

And one more question. :D
Did you take a look at my smb.conf?

On Mon, Dec 22, 2014 at 6:11 PM, Elias Pereira <empbilly at gmail.com> wrote:
> No stupid question. For me there is not. Better to ask than to stay with
> the doubt.
>
> I believe that I had not used this command, but now I have.
>
> But I am still getting the error:
> "Error while trying to join domain "poa": Logon failure: unknown user name
> or bad password."
>
> Did you take a look at my smb.conf? Would it have a problem?
>
> On Mon, Dec 22, 2014 at 5:12 PM, Rowland Penny <rowlandpenny at googlemail.com> wrote:
>
>> OK, stupid question first: have you run 'smbpasswd -w' and supplied the
>> ldap admin passwd?
>>
>> Also, you cannot use samba-tool with a classic domain controller; it is for
>> the Active Directory domain controller.
>>
>> Rowland
>
> --
> Elias Pereira

--
Elias Pereira
On 22/12/14 21:24, Elias Pereira wrote:
>> 1. No you haven't, you have set up a 'backup domain controller'.
>
> Ok. Now I'm totally lost. Where have I set this up as a "backup domain
> controller"?
>
>> 2. This is why you haven't got a PDC
>
> I set up an "external ldap" because we have one in operation, and that
> is why I am making tests with Samba4: after testing, and if it
> works, we will opt for Samba4 - PDC (debian) + "external ldap" (debian).
>
>> 3. Why? you do not need a dns server with a PDC/BDC setup
>
> I asked here on the list if with the Samba4 PDC I need a DNS server,
> and the answer was yes.
>
>> Can you please explain just what you are hoping to achieve?
>
> Here on campus where I am working we have the following scenario:
>
> [picture not included]
>
> In my lab tests I set up what I mentioned in steps 1, 2 and 3.
> I have three virtual machines with an internal network for these tests.
>
> Machine 1: 192.168.77.200 > Samba4 pdc
> Machine 2: 192.168.77.220 > openldap
> Machine 3: 192.168.77.150 > bind9 the dns server
>
> I want, at the end of everything, to leave running what is in the
> "scenario after migration" in the picture above.
>
> I'm sorry if my explanations are not helping. :(
>
> Elias Pereira

What you need to do is set up your samba4 machine as the PDC; in my opinion this entails storing the primary domain records on the PDC. You would then join the other machine (the one you call external OpenLDAP) to it, not the other way round.

Get the domain working first, then add the other parts to it; you may then find that it is better to transfer the 'external OpenLDAP' role to your PDC.

Rowland
On 23/12/14 13:59, Elias Pereira wrote:
>> What you need to do is set up your samba4 machine as the PDC
>
> I thought I had done it, but from what you said, I did not. :(
>
>> in my opinion this entails storing the primary domain records on
>> the PDC. You would then join the other machine (the one you call
>> external OpenLDAP) to it, not the other way round.
>
> And how would I do that? If it is not too much to ask, could you give me
> some tips on how to do this, because I think I'm a little lost right now.
>
> On Mon, Dec 22, 2014 at 7:35 PM, Rowland Penny
> <rowlandpenny at googlemail.com> wrote:
>
>> Get the domain working first, then add the other parts to it; you
>> may then find that it is better to transfer the 'external
>> OpenLDAP' role to your PDC.
>>
>> Rowland
>
> --
> Elias Pereira

OK, here are a few howtos:

http://www.unixmen.com/setup-samba-domain-controller-with-openldap-backend-in-ubuntu-13-04/
http://www.howtoforge.com/centos-5.x-samba-domain-controller-with-ldap-backend
http://www.fatofthelan.com/technical/using-ldap-for-single-authentication/
http://www.ibm.com/developerworks/linux/tutorials/l-ldapsamba/

After reading them I think you might realise what you are missing PDC-wise.

I suppose that you could upgrade the external OpenLDAP server to be the PDC and then auth to that, but I think that you would be better going the other way; but this is just my opinion.

Rowland