Yes please for the notes.

I re-ran the tests without the smbldap-tools. I installed phpldapadmin and am able to log in to the Apache page using the cn=admin, dn=mydomain and create entries. This kind of tells me that LDAP is working.

Then I run the pdbedit -Lv and it lists all the users.

The following happens when I add the LDAP bits to smb.conf and restart samba. The issue seems to be with samba and ldap integration. Just to reiterate, we have samba 3.6. The following errors keep coming up.

pdbedit -Lv
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MYDOMAIN))]
smbldap_open_connection: connection opened
add_new_domain_info: failed to add domain dn
sambaDomainName=MYDOMAIN,dc=mydomain with: Invalid DN syntax
invalid DN
smbldap_search_domain_info: Adding domain info for MYDOMAIN failed with NT_STATUS_UNSUCCESSFUL
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain
pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, and will risk BDCs having inconsistent SIDs

obey pam restrictions = no
dns forwarder = 8.8.8.8
passdb backend = ldapsam:ldap://sam3dc.mydomain/
ldap admin dn = cn=admin,dc=mydomain
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Users
ldap machine suffix = ou=Computers
ldap passwd sync = yes
ldap suffix = dc=mydomain
ldap user suffix = ou=Users
ldap ssl = off
ldap passwd sync = yes

/etc/ldap/ldap.conf
BASE dc=mydomain
URI ldap://sam3dc.mydomain ldap://sam3dc.mydomain:666

On Thu, Mar 1, 2018 at 10:51 AM, Rob Thoman <emailthomasrob at gmail.com> wrote:
> Yes please
>
> On Wed, Feb 28, 2018 at 9:34 PM, Rowland Penny via samba <samba at lists.samba.org> wrote:
>> On Wed, 28 Feb 2018 20:41:43 +1000
>> Rob Thoman via samba <samba at lists.samba.org> wrote:
>>
>>> root at sam3dc # smbldap-populate
>>> Use of qw(...) as parentheses is deprecated at /usr/share/perl5/smbldap_tools.pm line 1423, <DATA> line 522.
>>> Unable to open /etc/smbldap-tools/smbldap.conf for reading !
>>> Compilation failed in require at /usr/sbin/smbldap-populate line 30.
>>> BEGIN failed--compilation aborted at /usr/sbin/smbldap-populate line 30.
>>
>> The problem is that smbldap-tools appears to be a dead project, last time I looked, it had disappeared from the internet.
>> That's the bad news, the good news is, you do not need it ;-)
>>
>> You have (in your smb.conf):
>>
>> ldapsam:trusted = yes
>> ldapsam:editposix = yes
>>
>> With these lines, Samba itself can admin ldap, I can provide you with some notes I made last year when testing this very subject, interested ?
>>
>>> The file in question doesn't even exist. Any ideas?
>>>
>>> Also, in one of the samba list articles, I read that we'll need to run pdbedit -i tdbsam -e ldapsam to import the info from tdb to ldap. When do we do this one?
>>
>> Presumably, once you get your PDC up and running, the how is a question I cannot answer ;-)
>>
>> Rowland
On Thursday, 1 March 2018, 16:05:36 CET, Rob Thoman via samba wrote:
> /etc/ldap/ldap.conf
> BASE dc=mydomain
> URI ldap://sam3dc.mydomain ldap://sam3dc.mydomain:666

This line is wrong, I assume, but let us verify how your ldap server is started:

$ cat /proc/$(pidof slapd)/cmdline|xargs -0 ;echo
/usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d

I do not have a server on port 666 and you may also not.

If you have a listener on ldapi, show us the base:

$ ldapsearch -xLLL -s base -b dc=kronprinz,dc=xx +
dn: dc=kronprinz,dc=xx
structuralObjectClass: organization
entryUUID: 4f120bb2-1ec1-1033-881e-8177fc263f99
creatorsName: cn=admin,dc=kronprinz,dc=xx
createTimestamp: 20140131124529Z
entryCSN: 20140131124529.134733Z#000000#000#000000
modifiersName: cn=admin,dc=kronprinz,dc=xx
modifyTimestamp: 20140131124529Z
entryDN: dc=kronprinz,dc=xx
subschemaSubentry: cn=Subschema
hasSubordinates: TRUE

Your cmd should look like:
$ ldapsearch -xLLL -s base -b dc=mydomain +

As root user, let us check if you have loaded the samba schema:

# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config 'olcAttributeTypes=*' dn
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=schema,cn=config

dn: cn={0}core,cn=schema,cn=config

dn: cn={1}cosine,cn=schema,cn=config

dn: cn={2}nis,cn=schema,cn=config

dn: cn={3}inetorgperson,cn=schema,cn=config

On this machine the samba schema is *not loaded*.

Here it is, and some other useful schemas:

# ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config 'olcAttributeTypes=*' dn
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=schema,cn=config

dn: cn={0}core,cn=schema,cn=config

dn: cn={1}cosine,cn=schema,cn=config

dn: cn={2}nis,cn=schema,cn=config

dn: cn={3}inetorgperson,cn=schema,cn=config

dn: cn={4}corba,cn=schema,cn=config

dn: cn={6}samba,cn=schema,cn=config

dn: cn={7}dhcp,cn=schema,cn=config

dn: cn={8}quota,cn=schema,cn=config

Check your secrets.tdb in /var/lib/samba:

# tdbdump secrets.tdb |egrep 'SID|LDAP'
key(16) = "SECRETS/SID/ALIX"
key(18) = "SECRETS/SID/SCHULE"
key(45) = "SECRETS/LDAP_BIND_PW/cn=admin,dc=afrika,dc=xx"

key16 is the hostname, key18 is the netbios domain name, both in upper case.
key45 is the admin DN of your ldap server and should contain the admin password, like:
data(8) = "secrets\00"

And check that this ldap server is authoritative for your samba domain:

# ldapsearch -xLLL -b dc=afrika,dc=xx -s sub -D cn=admin,dc=afrika,dc=xx -W 'sambadomainname=*'
dn: sambaDomainName=SCHULE,dc=afrika,dc=xx
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: SCHULE
sambaSID: S-1-5-21-1507708399-2130971284-2230424465
sambaAlgorithmicRidBase: 1000
sambaNextRid: 100000
sambaNextUserRid: 2000
sambaNextGroupRid: 100000
uidNumber: 10001
gidNumber: 2000
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0

Important are "objectClass, sambaDomainName and sambaSID".

And please, show us the important sections of your smb.conf. Perhaps in a private mail:

# cat /etc/samba/smb.conf| egrep -v '^[[:space:]]*#|^;|^$'
[global]
server string = Schulserver %h
workgroup = SCHULE
netbios name = alix
interfaces = lo 10.100.0.1/255.255.0.0
bind interfaces only = Yes
hosts allow = 127. 10.100.
unix extensions = yes
time server = yes
case sensitive = no
preserve case = yes
short preserve case = yes
logon script = logon.bat %u %U %a %g %G %m
logon path = \\%L\profile\%G\%U\%a
logon drive = L:
logon home = \\%L\profile\%G\%U\%a
domain logons = yes
domain master = yes
local master = yes
os level = 99
preferred master = yes
passdb backend = ldapsam
ldap passwd sync = yes
pam password change = yes
security = user
ldap suffix = dc=afrika,dc=xx
ldap admin dn = cn=admin,dc=afrika,dc=xx
ldap group suffix = ou=groups
ldap user suffix = ou=people,ou=accounts
ldap machine suffix = ou=machines,ou=accounts
passwd program = /usr/sbin/smbldap-passwd %u
add machine script = /usr/local/sbin/delixs-smb-useradd "%u"
ldap delete dn = yes
ldap ssl = no
ldap passwd sync = yes
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully*
encrypt passwords = true
dns proxy = no
wins support = yes
admin users = adm, root, Administrator
enable privileges = yes
guest account = nobody
mangled names = no
log level = 1
veto files = /*.eml/*.nws/riched20.dll/autorun.inf/

[netlogon]
comment = Anmeldeverzeichnis
browsable = yes
path = /etc/samba/scripts
public = yes
write list = adm, root
guest ok = yes
locking = no
root preexec = /etc/samba/exec/prelogon %u %U %a %g %G %m

[homes]
comment = Stammverzeichnis
browseable = no
read only = no
inherit permissions = yes
create mask = 0755
map hidden = yes
map system = yes
hide dot files = yes
wide links = no

This is *not* the best smb.conf you should have, but it is a working one with smbldap tools.

Today samba is much faster with these settings and w/o smbldap:
ldapsam:trusted = yes
ldapsam:editposix = yes

--
Regards
Harry Jede
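Harry's check above comes down to a handful of attributes on a single entry. The following is an added example, not code from the thread or from the Samba project: it parses the LDIF that ldapsearch -LLL prints and reports what is missing or inconsistent relative to the workgroup and ldap suffix in smb.conf (objectClass, sambaDomainName, a well-formed sambaSID, the entry sitting directly under the suffix, and, for ldapsam:editposix, a sambaUnixIdPool with uidNumber/gidNumber). The LDIF inside it is constructed: the first entry is modelled on a sambaDomain entry with a space after the comma in its DN and no sambaUnixIdPool, the second is a made-up EXAMPLE domain that passes every check.

```python
"""Check a sambaDomain entry (as printed by ldapsearch -LLL) against smb.conf.

Added example for this thread; not code from Samba or from the posters.
SAMPLE_LDIF is constructed input (the EXAMPLE domain and its SID are made up).
"""
import base64
import re

# Domain SIDs look like S-1-5-21-<a>-<b>-<c>; anything else is not a domain SID.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")

SAMPLE_LDIF = """\
dn: sambaDomainName=MYDOMAIN, dc=mydomain
sambaDomainName: MYDOMAIN
sambaSID: S-1-5-21-3936576374-1604338294-181246221
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 1000
sambaNextRid: 1002

dn: sambaDomainName=EXAMPLE,dc=example,dc=test
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: EXAMPLE
sambaSID: S-1-5-21-1111111111-2222222222-3333333333
sambaAlgorithmicRidBase: 1000
uidNumber: 10000
gidNumber: 10000
"""

# smb.conf values to check each sample entry against (constructed).
CONFIGS = [("MYDOMAIN", "dc=mydomain"), ("EXAMPLE", "dc=example,dc=test")]


def parse_ldif(text):
    """Parse LDIF into [{'dn': str, 'attrs': {lowercase name: [values]}}].

    Folded lines (leading space) are joined, '#' comments skipped,
    'attr:: base64' values decoded, entries separated by blank lines.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines + [""]:
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(name, []).append(value)
    return entries


def normalize_dn(dn):
    """Canonical DN for comparison: no whitespace around ',' or '=', lower-cased.
    Enough for the DNs in this thread; escaped commas in values are not handled."""
    rdns = []
    for rdn in dn.split(","):
        typ, _, val = rdn.partition("=")
        rdns.append(f"{typ.strip().lower()}={val.strip().lower()}")
    return ",".join(rdns)


def check_samba_domain(entry, workgroup, ldap_suffix):
    """Return a list of findings; an empty list means the entry looks usable."""
    findings = []
    attrs = entry["attrs"]
    ndn = normalize_dn(entry["dn"])
    if ndn != entry["dn"].lower():
        findings.append(f"DN has whitespace around separators; canonical form is {ndn}")
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    if "sambadomain" not in classes:
        findings.append("objectClass sambaDomain missing")
    if "sambaunixidpool" not in classes:
        findings.append("auxiliary objectClass sambaUnixIdPool missing; "
                        "ldapsam:editposix cannot allocate uid/gid without it")
    else:
        for attr in ("uidnumber", "gidnumber"):
            if not attrs.get(attr, [""])[0].isdigit():
                findings.append(f"{attr} missing or not numeric on the id pool")
    name = attrs.get("sambadomainname", [""])[0]
    if not name:
        findings.append("sambaDomainName missing")
    elif name.upper() != workgroup.upper():
        findings.append(f"sambaDomainName {name!r} does not match workgroup {workgroup!r}")
    sid = attrs.get("sambasid", [""])[0]
    if not DOMAIN_SID_RE.match(sid):
        findings.append(f"sambaSID {sid!r} is not a domain SID (S-1-5-21-a-b-c)")
    parent = ndn.partition(",")[2]
    if parent != normalize_dn(ldap_suffix):
        findings.append(f"entry is under {parent!r}, not under ldap suffix {ldap_suffix!r}")
    return findings


if __name__ == "__main__":
    for entry, (workgroup, suffix) in zip(parse_ldif(SAMPLE_LDIF), CONFIGS):
        print(entry["dn"])
        for finding in check_samba_domain(entry, workgroup, suffix) or ["ok"]:
            print("  -", finding)
```

On a real server, feed it the output of ldapsearch -xLLL -b "$suffix" '(objectClass=sambaDomain)' and the workgroup from testparm -s; the whitespace finding reports the canonical DN so the entry can be re-added cleanly.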
Hi Rob,

please stay on list. Otherwise I will charge you :-)

By the way, I have no problem getting paid.

> Hi Harry,
>
> The one very obvious difference is the result of this command:
> # ldapsearch -xLLL -b dc=afrika,dc=xx -s sub -D cn=admin,dc=afrika,dc=xx -W 'sambadomainname=*'
> dn: sambaDomainName=SCHULE,dc=afrika,dc=xx
>
> I get dn: sambaDomainName=MYDOMAIN, dc=mydomain which is different, should it be MYDOMAIN dc=sam3dc?

I hope you have got the first line, the second will never work:
dn: sambaDomainName=MYDOMAIN,dc=mydomain
dn: sambaDomainName=MYDOMAIN, dc=mydomain

The difference is just one space. Remember ldap is white space sensitive!!!

You may get trouble with some dns resolver libs, because you use only one "domain component". Search for ndots...
You may also get trouble with certificate name validation for SSL/TLS hosts.

> sambaDomainName: MYDOMAIN
> sambaSID: S-1-5-21-3936576374-1604338294-181246221
> sambaAlgorithmicRidBase: 1000
> objectClass: sambaDomain

I prefer to add here an auxiliary objectclass: sambaUnixIdPool
More later on.

> sambaNextUserRid: 1000
> sambaMinPwdLength: 5
> sambaPwdHistoryLength: 0
> sambaLogonToChgPwd: 0
> sambaMaxPwdAge: -1
> sambaMinPwdAge: 0
> sambaLockoutDuration: 30
> sambaLockoutObservationWindow: 30
> sambaLockoutThreshold: 0
> sambaForceLogoff: -1
> sambaRefuseMachinePwdChange: 0
> sambaNextRid: 1002
>
> ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config 'olcAttributeTypes=*' dn
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> dn: cn=schema,cn=config
>
> dn: cn={0}core,cn=schema,cn=config
>
> dn: cn={1}cosine,cn=schema,cn=config
>
> dn: cn={2}nis,cn=schema,cn=config
>
> dn: cn={3}inetorgperson,cn=schema,cn=config
>
> dn: cn={4}samba,cn=schema,cn=config

That is the minimum you need. So it is OK.

> ldapsearch -xLLL -s base -b dc=mydomain
> dn: dc=mydomain
> objectClass: top
> objectClass: dcObject
> objectClass: organization
> o: mydomain
> dc: mydomain

OK

> The one thing I found is that when I tried to add a new Win10 machine to the domain, I got wrong password. The login details I entered are for an admin account. I then changed the password using smbpasswd and then I got the "machine was joined with another account" error message.

OK. But what error message? What command?
Please post the resulting machine account.

You should first try a win 7 machine. From win 7 to current win 10 the default settings for the smb protocol have changed. Thanks to wanna cry.
Maybe "max protocol = NT1" will help. But read man smb.conf section: client max protocol. Depending on the used clients you should go with the highest protocol level!!!

> The other bits are similar to yours. Here is the smb.conf
>
> [global]
> workgroup = MYDOMAIN
> bind interfaces only = Yes
> netbios name = sam3DC
> security = USER
> dns forwarder = 8.8.8.8

"dns forwarder" is not required, *but* if you set this entry, it should point to a local DNS server. Google is not always the best choice.

> passdb backend = ldapsam:ldap://127.0.0.1/
> obey pam restrictions = no

That I would change to yes. If yes, pam can create the home directories if you add users from windows tools or samba tools. The user dir is created at first logon. The template directory is /etc/skel.

> ldap admin dn = cn=admin,dc=mydomain
> ldap suffix = dc=mydomain
> ldap group suffix = ou=Group
> ldap user suffix = ou=People
> ldap machine suffix = ou=Computers
> ldap idmap suffix = ou=People
> ldap passwd sync = No
> unix password sync = Yes
> passwd program = /usr/sbin/smbldap-passwd -u %u
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n
> ldap ssl= no
>
> encrypt passwords = true
> password server = sam3dc

What should be the benefit ??? At first you set up this host as a PDC and then you delegate to another password server?

> check password script = /usr/local/sbin/crackcheck -d /var/cache/cracklib/cracklib_dict
>
> unix password sync = No

You should add:
ldap passwd sync = yes
pam password change = yes
to sync windows and unix passwords.

> log level = 10 auth:5

tooooooooooooo high
log level = 1 auth:5
makes more sense

> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 1000
>
> socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE SO_SNDBUF=8192 SO_RCVBUF=8192

Please remove this line. Do not ask me or any other. Just do it. It is mystic.

> local master = No
> domain master = No
> preferred master = No

If this host should be a domain controller (primary or secondary), change all to yes.

Test it with nmblookup, i.e.
# nmblookup SCHULE
querying SCHULE on 127.255.255.255
10.100.0.1 SCHULE<00>

# nmblookup -M SCHULE
querying SCHULE on 127.255.255.255
10.100.0.1 SCHULE<1d>

# nmblookup ALIX
querying ALIX on 127.255.255.255
10.100.0.1 ALIX<00>

# nmblookup -M ALIX
querying ALIX on 127.255.255.255
querying ALIX on 10.100.255.255
name_query failed to find name ALIX#1d

Where SCHULE is the netbios domain name and ALIX is the PDC name.

> invalid users
> hosts deny = ALL

Fine, you deny all hosts on your network. What are you doing here?

> load printers = Yes
> printcap name = cups
> printing = cups
> add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false %u

This will *not* add windows hosts to the ldap backend. So do not expect working windows machines.

A common script is:
add machine script = /usr/sbin/smbldap-useradd -w "%u"

> # Logon Options
> logon script = %U.bat
> logon drive = n:
> domain logons = Yes
>
> logon home = \\%L\%u\%a\.profiles
> logon home = \\%L\%U\profile

Overwriting entries in this way seems bad practice; surely it works.

> logon path
>
> # Browse Options
> os level = 65
> preferred master = Yes
> local master = Yes
> domain master = Yes

Fine, you will set up the Netbios stuff. Please remove the other lines. These win, because they come later in this file.

> # WINS Options
> dns proxy = No
> wins proxy = No
> wins support = Yes
>
> # Getting symlinks working for the OCEs
> unix extensions = no
>
> # Audit settings
> full_audit:prefix = %u|%I|%S
> full_audit:failure = none
> full_audit:success = mkdir rmdir read pread write pwrite rename unlink
> full_audit:facility = local5
> full_audit:priority = notice
>
> [homes]
> comment = Home Directories
> create mask = 0700
> directory mask = 0700
> browseable = No
> read only = No
> path = %H/samba

unusual, but if it works for you

> vfs objects = full_audit

you have silently disabled acl handling!
vfs objects = acl_xattr full_audit

> follow symlinks = yes

risky. Remove it if possible. Otherwise change symlinks to real dirs and remove them.

Check if you have a machine account for your server:
# ldapsearch -xLLL 'uid=hostname$'
I assume you have none.

Now, the unixidpool:

Add the attached ldif with:
ldapmodify -x -D cn=admin,dc=mydomain -W -f unixidpool.ldif

check if it is OK
# ldapsearch -xLLL objectclass=sambaunixidpool

Restart samba and reapply the admin password. This should add the machine account:
smbpasswd -w <ldap admin password>

If the machine account is not there, restart both samba and winbind and wait some seconds.

The next usable uidNumber in sambaDomainName should change from 10000 to 10001.

# ldapsearch -xLLL uidnumber=10001
dn: sambaDomainName=SCHULE,dc=afrika,dc=xx
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: SCHULE
sambaSID: S-1-5-21-1507708399-2130971284-2230424465
sambaAlgorithmicRidBase: 1000
sambaNextRid: 100000
sambaNextUserRid: 2000
sambaNextGroupRid: 100000
uidNumber: 10001
gidNumber: 2000
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1

have fun

# cat unixidpool.ldif
dn: sambaDomainName=MYDOMAIN,dc=mydomain
changetype: modify
add: objectclass
objectclass: sambaUnixIdPool
-
add: uidnumber
uidnumber: 10000
-
add: gidnumber
gidnumber: 10000
-

--
Regards
Harry Jede
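The review above is mostly a list of smb.conf parameters to remove or change, and several of the problems come from the same parameter being set twice. As an added example (not from the thread or from the Samba project), here is a small linter that applies those points mechanically. It assumes Samba's loadparm rules that parameter names are case-insensitive and ignore internal whitespace, and that when a parameter is assigned twice the later assignment wins. The config inside it is a constructed, cut-down version of the one Rob posted; the finding texts are my wording, and where a finding repeats the reviewer's advice it says so.

```python
"""Lint an smb.conf for the issues raised in the review above.

Added example; not from Samba and not from the thread's authors.
SAMPLE_SMB_CONF is constructed input modelled on Rob's posting.
"""
import re

SAMPLE_SMB_CONF = r"""
[global]
   workgroup = MYDOMAIN
   passdb backend = ldapsam:ldap://127.0.0.1/
   ldap suffix = dc=mydomain
   ldap passwd sync = yes
   ldap passwd sync = yes
   unix password sync = Yes
   password server = sam3dc
   unix password sync = No
   log level = 10 auth:5
   socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
   local master = No
   domain master = No
   hosts deny = ALL
   add machine script = /usr/sbin/useradd -d /dev/null -g machines -s /bin/false %u
   logon home = \\%L\%u\%a\.profiles
   logon home = \\%L\%U\profile
   domain logons = Yes
   preferred master = Yes
   local master = Yes
   domain master = Yes

[homes]
   path = %H/samba
   vfs objects = full_audit
   follow symlinks = yes
"""


def parse_smb_conf(text):
    """Return {section: [(normalised key, value, line number), ...]} in file order.
    Keys are lower-cased with whitespace removed, as Samba matches them."""
    sections, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current].append((re.sub(r"\s+", "", key).lower(), value.strip(), lineno))
    return sections


def effective(params):
    """Collapse a section to {key: value}; the last assignment wins, as in Samba."""
    return {key: value for key, value, _ in params}


def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def lint_smb_conf(sections):
    """Return a list of human-readable findings."""
    findings, seen = [], {}
    for key, value, lineno in sections.get("global", []):
        if key in seen:
            note = "" if seen[key][0] == value else " with a different value"
            findings.append(f"global: '{key}' set again on line {lineno}{note} "
                            f"(first on line {seen[key][1]}); the later one wins")
        seen[key] = (value, lineno)
    g = effective(sections.get("global", []))
    if g.get("hostsdeny", "").upper() == "ALL" and "hostsallow" not in g:
        findings.append("global: hosts deny = ALL with no hosts allow refuses every client")
    if "socketoptions" in g:
        findings.append("global: socket options is set; drop it and let the kernel tune the socket")
    level = (g.get("loglevel", "0").split() or ["0"])[0]
    if level.isdigit() and int(level) >= 10:
        findings.append(f"global: log level {level} is full debug; use 1 plus a class level such as auth:5")
    dc = _yes(g.get("domainlogons", "no"))
    if dc and "passwordserver" in g:
        findings.append("global: password server is set on the host that serves domain logons itself")
    for key in ("localmaster", "domainmaster", "preferredmaster"):
        if dc and key in g and not _yes(g[key]):
            findings.append(f"global: {key} = {g[key]} on a domain logon server")
    script = g.get("addmachinescript", "")
    if g.get("passdbbackend", "").startswith("ldapsam") and "useradd" in script and "smbldap" not in script:
        findings.append("global: add machine script calls useradd, so the machine's Unix account is "
                        "created outside the ldapsam backend (review above: use smbldap-useradd -w)")
    for name, params in sections.items():
        s = effective(params)
        vfs = s.get("vfsobjects", "").split()
        if "full_audit" in vfs and "acl_xattr" not in vfs:
            findings.append(f"[{name}]: vfs objects lists full_audit without acl_xattr "
                            "(review above suggests 'acl_xattr full_audit')")
        if _yes(s.get("followsymlinks", "no")):
            findings.append(f"[{name}]: follow symlinks = yes; with wide links = yes clients can leave the share")
    return findings


if __name__ == "__main__":
    for finding in lint_smb_conf(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(finding)
```

Run it against the real file (or against testparm -s output, which already has duplicates collapsed, so the "set again" findings only appear on the raw file).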
Hi Harry,

When I install slapd, I didn't get the option to use MDB, so I used hdb.

I went through your suggestions and cleaned up the smb.conf. Also added the unixidpool ldif:

dn: sambaDomainName=mydomain,dc=mydomain
sambaDomainName: mydomain
sambaSID: S-1-5-21-3936576374-1604348213-1812434911
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaNextUserRid: 1000
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0
sambaNextRid: 1001
uidNumber: 10000
gidNumber: 10000

When I tried to add a Windows 7 machine to the domain I get "Unknown user or wrong password". I was using the "sadmin" login who is in the "sudo". I dumped the user's details into a ldif file and imported it into ldap. I see the following in /var/log/samba/log.win7ldap:

check_ntlm_password: Checking password for unmapped user [mydomain]\[sadmin]@[WIN7LDAP] with the new password interface
[2018/03/04 11:04:05.007209, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: mapped user is: [mydomain]\[sadmin]@[WIN7-LDAP]
[2018/03/04 11:04:05.007372, 2] lib/smbldap.c:1018(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2018/03/04 11:04:05.008805, 3] auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'sadmin' in passdb.
[2018/03/04 11:04:05.008857, 5] auth/auth.c:271(check_ntlm_password)
  check_ntlm_password: sam authentication for user [sadmin] FAILED with error NT_STATUS_NO_SUCH_USER
[2018/03/04 11:04:05.008898, 3] auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [mydomain] was for this SAM.
[2018/03/04 11:04:05.008932, 2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password: Authentication for user [sadmin] -> [sadmin] FAILED with error NT_STATUS_NO_SUCH_USER
[2018/03/04 11:04:19.544336, 1] smbd/process.c:457(receive_smb_talloc)
  receive_smb_raw_talloc failed for client 192.168.17.199 read error NT_STATUS_CONNECTION_RESET.

After a few retries it comes up with "The security database is corrupted" message in Windows 7.

The following in /var/log/syslog:

sam3dom slapd[2600]: <= bdb_equality_candidates: (gidNumber) not indexed
sam3dom slapd[2600]: <= bdb_equality_candidates: (gidNumber) not indexed
sam3dom slapd[2600]: <= bdb_equality_candidates: (uid) not indexed
sam3dom slapd[2600]: <= bdb_equality_candidates: (gidNumber) not indexed

[2018/03/04 11:12:23.780636, 0] auth/check_samsec.c:492(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_INTERNAL_DB_CORRUPTION'
[2018/03/04 11:12:23.780675, 5] auth/auth.c:271(check_ntlm_password)
  check_ntlm_password: sam authentication for user [sadmin] FAILED with error NT_STATUS_INTERNAL_DB_CORRUPTION
[2018/03/04 11:12:23.780713, 3] auth/auth_winbind.c:60(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [mydomain] was for this SAM.
[2018/03/04 11:12:23.780746, 2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password: Authentication for user [sadmin] -> [sadmin] FAILED with error NT_STATUS_INTERNAL_DB_CORRUPTION
[2018/03/04 11:12:37.544463, 1] smbd/process.c:457(receive_smb_talloc)
  receive_smb_raw_talloc failed for client 192.168.17.199 read error NT_STATUS_CONNECTION_RESET.

Any thoughts?

On Sat, Mar 3, 2018 at 4:58 AM, Harry Jede <walk2sun at arcor.de> wrote:
> Hi Rob,
>
> please stay on list. Otherwise I will charge you :-)
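The log excerpt above carries two separate signals: the NT_STATUS codes on the "Authentication for user ... FAILED" lines, and slapd complaining that it had to scan the database because gidNumber and uid have no equality index. As an added example, not from the thread, from Samba or from OpenLDAP, the script below parses Samba 3 log records (a "[timestamp, level] file:line(function)" header followed by indented message lines) and the syslog lines, prints a per-user/status summary, and emits the LDIF that would add the missing eq indexes in cn=config. The log text is constructed from the lines Rob posted (trimmed); the hint strings are my own next-step suggestions, and the olcDatabase={1}hdb,cn=config DN is an assumption (Rob said he used hdb; the {1} ordinal has to be checked on the real server).

```python
"""Triage Samba auth failures and slapd 'not indexed' warnings.

Added example; not from Samba, OpenLDAP or the thread's authors.
SAMBA_LOG and SYSLOG are constructed from the lines in the post; HINTS and the
default db_dn in index_ldif() are assumptions, not something the thread states.
"""
import re
from collections import Counter

SAMBA_LOG = r"""
[2018/03/04 11:04:05.007209, 3] auth/auth.c:222(check_ntlm_password)
  check_ntlm_password: mapped user is: [mydomain]\[sadmin]@[WIN7-LDAP]
[2018/03/04 11:04:05.008805, 3] auth/check_samsec.c:399(check_sam_security)
  check_sam_security: Couldn't find user 'sadmin' in passdb.
[2018/03/04 11:04:05.008932, 2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password: Authentication for user [sadmin] -> [sadmin] FAILED with error NT_STATUS_NO_SUCH_USER
[2018/03/04 11:12:23.780636, 0] auth/check_samsec.c:492(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_INTERNAL_DB_CORRUPTION'
[2018/03/04 11:12:23.780746, 2] auth/auth.c:319(check_ntlm_password)
  check_ntlm_password: Authentication for user [sadmin] -> [sadmin] FAILED with error NT_STATUS_INTERNAL_DB_CORRUPTION
"""

SYSLOG = """\
Mar  4 11:12:23 sam3dom slapd[2600]: <= bdb_equality_candidates: (gidNumber) not indexed
Mar  4 11:12:23 sam3dom slapd[2600]: <= bdb_equality_candidates: (uid) not indexed
Mar  4 11:12:23 sam3dom slapd[2600]: <= bdb_equality_candidates: (gidNumber) not indexed
"""

HEADER_RE = re.compile(r"^\[([\d/]+ [\d:.]+), +(\d+)\] +([^\s(]+)\((\w+)\)")
AUTH_FAIL_RE = re.compile(r"Authentication for user \[([^\]]*)\] -> \[([^\]]*)\] "
                          r"FAILED with error (NT_STATUS_\w+)")
NOT_INDEXED_RE = re.compile(r"<= \w+_equality_candidates: \((\w+)\) not indexed")

# Suggested next check per status (assumption based on experience, not from the thread).
HINTS = {
    "NT_STATUS_NO_SUCH_USER":
        "no sambaSamAccount for this uid under ldap suffix; check with "
        "ldapsearch -xLLL '(&(uid=USER)(objectClass=sambaSamAccount))'",
    "NT_STATUS_INTERNAL_DB_CORRUPTION":
        "the account was found but could not be turned into a token; compare its "
        "sambaSID and sambaPrimaryGroupSID prefix with the domain sambaSID and "
        "check that its gidNumber resolves to a group",
}


def parse_samba_log(text):
    """Group each header line with the indented message lines that follow it."""
    records = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            records.append({"ts": m.group(1), "level": int(m.group(2)),
                            "where": m.group(3), "func": m.group(4), "msg": ""})
        elif records and line.startswith(" "):
            records[-1]["msg"] += line.strip() + "\n"
    return records


def auth_failures(records):
    """Return [(timestamp, requested user, mapped user, NT_STATUS)]."""
    out = []
    for r in records:
        m = AUTH_FAIL_RE.search(r["msg"])
        if m:
            out.append((r["ts"], m.group(1), m.group(2), m.group(3)))
    return out


def summarize(failures):
    """Count failures per (mapped user, status) and attach the next-check hint."""
    counts = Counter((user, status) for _, _, user, status in failures)
    fallback = "no hint; raise the auth debug class (log level = 1 auth:10) and retry"
    return [(user, status, n, HINTS.get(status, fallback))
            for (user, status), n in sorted(counts.items())]


def unindexed_attributes(syslog_text):
    """Attributes slapd had to scan for because they have no equality index."""
    return sorted({m.group(1) for m in NOT_INDEXED_RE.finditer(syslog_text)})


def index_ldif(attributes, db_dn="olcDatabase={1}hdb,cn=config"):
    """LDIF adding an eq index per attribute. db_dn is an assumption: confirm it
    with ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcSuffix first."""
    lines = [f"dn: {db_dn}", "changetype: modify", "add: olcDbIndex"]
    lines += [f"olcDbIndex: {a} eq" for a in attributes]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for user, status, n, hint in summarize(auth_failures(parse_samba_log(SAMBA_LOG))):
        print(f"{user}: {status} x{n} -> {hint}")
    print(index_ldif(unindexed_attributes(SYSLOG)))
```

The generated LDIF is applied with ldapmodify -Y EXTERNAL -H ldapi:/// -f index.ldif; the auth summary is meant to be run over the whole log.%m file so repeated failures from one client stand out from one-off typos.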