Hi Gruss,

At this stage there is only one server, running 3.6.25 on Ubuntu 12.04. The plan is to get LDAP to work on this one, then add the second server (4.x), promote it to BDC and then demote this one. Just a side info, we didn't want to go tdbsam in both as I read it breaks the domain trust.

The domain names are real ones.

I ran the commands you suggested, nothing in reply. I tried ldapi:// and ldap://sam3dc.mydomain .

Let me run through what I did,

/etc/ldap/ldap.conf:
BASE dc=mydomain
URI ldap://sam3dc.mydomain
TLS_CACERT /etc/ldap/ca_certs.pem

Imported the samba.ldif from the 3.6.25 binaries.

Imported the indices

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: ou eq
olcDbIndex: mail eq
olcDbIndex: surname eq
olcDbIndex: givenname eq
olcDbIndex: loginShell eq
olcDbIndex: uniqueMember eq,pres
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sambaDomainName eq
olcDbIndex: default sub
olcDbIndex: nisMapName eq
olcDbIndex: nisMapEntry eq
-
add: olcAccess
olcAccess: to attrs=loginShell by dn="cn=admin,dc=mydomain" write by self write by * read
olcAccess: to attrs=sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange by dn="cn=admin,dc=mydomain" write by self write by * none

Did the certificates, confirmed working

Added the following

dn: ou=users,dc=mydomain
objectClass: top
objectClass: organizationalUnit
ou: users

dn: ou=groups,dc=mydomain
objectClass: top
objectClass: organizationalUnit
ou: groups

dn: ou=idmap,dc=mydomain
objectClass: top
objectClass: organizationalUnit
ou: idmap

dn: ou=computers,dc=mydomain
objectClass: top
objectClass: organizationalUnit
ou: computers

Added the unixidpool as per your email

cat unixidpool.ldif
dn: sambaDomainName=MYDOMAIN,dc=mydomain
changetype: modify
add: objectclass
objectclass: sambaUnixIdPool
-
add: uidnumber
uidnumber: 10000
-
add: gidnumber
gidnumber: 10000

Then the smbpasswd -a '' bit.

Then did the pdbedit -i tdbsam -e ldapsam. This populated ldap with entries from tdb. Then exported the /etc/passwd and /etc/group and imported using the migration tool scripts.

Here is smb.conf

workgroup = MYDOMAIN
netbios name = sam3dc
security = USER
obey pam restrictions = Yes
encrypt passwords = true

preferred master = Yes
local master = Yes
domain master = Yes
domain logons = yes
max protocol = NT1
map untrusted to domain = Yes
os level = 65
time server = yes
passdb backend = ldapsam
ldapsam:editposix = yes
ldapsam:trusted = yes
ldap admin dn = cn=admin,dc=mydomain
ldap suffix = dc=mydomain
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap user suffix = ou=users
idmap config *: backend = ldap
idmap config *: range = 10000-19999
idmap config *: ldap_url = ldap://sam3dc.mydomain/
idmap config *: ldap_base_dn = ou=idmap,dc=example,dc=com
idmap config *: ldap_user_dn = cn=admin,dc=example,dc=com
ldap delete dn = yes
ldap password sync = yes
wins support = yes
ldap ssl = no

add user script = /usr/bin/smbldap-useradd -m '%u'
delete user script = /usr/bin/smbldap-userdel '%u'
add group script = /usr/bin/smbldap-groupadd -p '%g'
delete group script = /usr/bin/smbldap-groupdel '%g'
add user to group script = /usr/bin/smbldap-groupmod -m '%g' '%u'
delete user from group script = /usr/bin/smbldap-groupmod -x '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
set primary group script = /usr/bin/smbldap-usermod -g '%g' '%u'
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n
check password script = /usr/local/sbin/crackcheck -d /var/cache/cracklib/cracklib_dict
add machine script = /usr/sbin/smbldap-useradd -w "%u"

I then did some tests:
- Reverted smb.conf back to use tdbsam
- Was able to join the win7 machine to the domain, of course
- Removed the win7 machine from the domain
- Changed the smb.conf back to ldapsam
- Changed the ldapsam:trusted to no from yes
- I was able to add
Win7 machine back to the domain, possibly because the computer account was already in place
- Then tried to add a new Windows 10 machine, with ldapsam:trusted=yes, same issue with db corruption
- Then changed ldapsam:trusted=no, different error message: "The specified computer account could not be found"
- The following in the samba logs

[2018/03/04 16:37:59.448745, 2] rpc_server/samr/srv_samr_nt.c:3976(_samr_LookupDomain)
  Returning domain sid for domain MYDOMAIN -> S-1-5-21-3936576374-1604348213-1812465911
Use of qw(...) as parentheses is deprecated at /usr/share/perl5/smbldap_tools.pm line 1423, <DATA> line 522.
Unable to open /etc/smbldap-tools/smbldap.conf for reading !
Compilation failed in require at /usr/sbin/smbldap-useradd line 29.
BEGIN failed--compilation aborted at /usr/sbin/smbldap-useradd line 29.
[2018/03/04 16:37:59.579160, 0] passdb/pdb_interface.c:476(pdb_default_create_user)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w "win10-split$"' gave 2
[2018/03/04 16:38:12.723642, 4] auth/pampass.c:483(smb_pam_start)
  smb_pam_start: PAM: Init user: tadmin
[2018/03/04 16:38:12.725997, 4] auth/pampass.c:492(smb_pam_start)
  smb_pam_start: PAM: setting rhost to: 192.168.14.191
[2018/03/04 16:38:12.726044, 4] auth/pampass.c:501(smb_pam_start)
  smb_pam_start: PAM: setting tty
[2018/03/04 16:38:12.726080, 4] auth/pampass.c:509(smb_pam_start)
  smb_pam_start: PAM: Init passed for user: tadmin
[2018/03/04 16:38:12.726114, 4] auth/pampass.c:646(smb_internal_pam_session)
  smb_internal_pam_session: PAM: tty set to: smb/2471/100
[2018/03/04 16:38:12.726451, 4] auth/pampass.c:465(smb_pam_end)
  smb_pam_end: PAM: PAM_END OK.
[2018/03/04 16:38:12.726853, 1] smbd/process.c:457(receive_smb_talloc)
  receive_smb_raw_talloc failed for client 192.168.17.191 read error NT_STATUS_CONNECTION_RESET.

On Mon, Mar 5, 2018 at 9:38 PM, Harry Jede <walk2sun at arcor.de> wrote:
> On Monday, 5 March 2018, 16:51:41 CET, Rob Thoman wrote:
> > Hi Harry,
> >
> > When I install slapd, I didn't get the option to use MDB, so used hdb
> OK,
> I have reread the thread. Some questions:
> Is your old server still running?
> Ubuntu, openldap, samba versions on old and new server
>
> I assume your old server uses tdbsam and your new server ldapsam.
>
> > I went through your suggestions and cleaned up the smb.conf. Also
> > added the unixidpool ldif
> >
> > dn: sambaDomainName=mydomain,dc=mydomain
> > sambaDomainName: mydomain
> > sambaSID: S-1-5-21-3936576374-1604348213-1812434911
> > sambaAlgorithmicRidBase: 1000
> > objectClass: sambaDomain
> > objectClass: sambaUnixIdPool
> > sambaNextUserRid: 1000
> > sambaMinPwdLength: 5
> > sambaPwdHistoryLength: 0
> > sambaLogonToChgPwd: 0
> > sambaMaxPwdAge: -1
> > sambaMinPwdAge: 0
> > sambaLockoutDuration: 30
> > sambaLockoutObservationWindow: 30
> > sambaLockoutThreshold: 0
> > sambaForceLogoff: -1
> > sambaRefuseMachinePwdChange: 0
> > sambaNextRid: 1001
> > uidNumber: 10000
> > gidNumber: 10000
> Fine.
> Are the names mydomain your real and wished names,
> or are they coming from samdb migration?
>
> > When I tried to add a Windows 7 machine to the domain I get "Unknown
> > user or wrong password". I was using the "sadmin" login who is in the
> > "sudo". I dumped the user's details into a ldif file and imported it
> > into ldap. I see the following in the /var/log/samba/log.win7ldap
> >
> > check_ntlm_password: Checking password for unmapped user
> > [mydomain]\[sadmin]@[WIN7LDAP] with the new password interface
> > [2018/03/04 11:04:05.007209, 3] auth/auth.c:222(check_ntlm_password)
> Indicates that you don't have a valid samba provision. Normal state
> after migration. Don't worry, we will fix this.
>
> ...
> > auth/auth_winbind.c:60(check_winbind_security)
> > check_winbind_security: Not using winbind, requested domain
> > [mydomain] was for this SAM.
> > [2018/03/04 11:04:05.008932, 2] auth/auth.c:319(check_ntlm_password)
> > check_ntlm_password: Authentication for user [sadmin] -> [sadmin]
> > FAILED with error NT_STATUS_NO_SUCH_USER
> As you can see, no winbind operation with a valid admin account,
> so no join.
>
> > After a few retries it comes up with "The security database is
> > corrupted" message in Window7
> Same as above
> > The following in /var/log/syslog
> >
> > sam3dom slapd[2600]: <= bdb_equality_candidates: (gidNumber) not indexed
> > sam3dom slapd[2600]: <= bdb_equality_candidates: (gidNumber) not indexed
> > sam3dom slapd[2600]: <= bdb_equality_candidates: (uid) not indexed
> > sam3dom slapd[2600]: <= bdb_equality_candidates: (gidNumber) not indexed
> Your ldap db is not well indexed. This gives you bad response times,
> but ldap should work.
> > [2018/03/04 11:12:23.780636, 0] auth/check_samsec.c:492(check_sam_security)
> > check_sam_security: make_server_info_sam() failed with
> > 'NT_STATUS_INTERNAL_DB_CORRUPTION'
> The DB may be corrupt or not. Until you have a valid admin account,
> any error is possible.
>
> > Any thoughts?
> 1. check your SIDs on both servers
> # net getdomainsid
> SID for local machine ALIX is: S-1-5-21-1507708399-2130971284-2230424465
> SID for domain SCHULE is: S-1-5-21-1507708399-2130971284-2230424465
>
> 2. Check on your new server some entries
> become root!!
> $ sudo su -
> # export SID=S-1-5-21-3936576374-1604348213-1812434911
>
> 2.1 check admin
> # ldapsearch -LLLY EXTERNAL -H ldapi:/// -b dc=mydomain -s sub "sambasid=$SID-500" objectclass cn sn uidnumber gidnumber sambaPrimaryGroupSID sambaSID 2>/dev/null
>
> 2.2 check domain admins, users and computers
> # for s in 512 513 515 ;do ldapsearch -LLLY EXTERNAL -H ldapi:/// -b dc=mydomain -s sub "sambasid=$SID-$s" 2>/dev/null;done
>
> --
>
> Gruss
> Harry Jede
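The smb.conf posted in this message mixes two naming contexts (ldap suffix is dc=mydomain, while the idmap ldap_base_dn and ldap_user_dn sit under dc=example,dc=com), lists "add machine script" twice, and configures both ldapsam:editposix and the smbldap-tools scripts. As an added example that is not part of the thread or of Samba, the Python below parses such a flat [global] section and reports those three kinds of inconsistency; the rules are my own review heuristics, and the embedded config is a constructed excerpt of the one posted above.

```python
"""Added example (not from the thread or from Samba): lint an ldapsam smb.conf.

Checks applied (author's own heuristics):
  * a parameter given twice: the later occurrence overrides the earlier one
  * idmap ldap_base_dn / ldap_user_dn / ldap admin dn not under 'ldap suffix'
  * 'ldapsam:editposix = yes' alongside smbldap-tools add/delete scripts,
    i.e. two account-management mechanisms configured at once
"""
import re

# Constructed sample: relevant lines from the smb.conf posted in the thread.
SAMPLE_SMB_CONF = """
workgroup = MYDOMAIN
netbios name = sam3dc
passdb backend = ldapsam
ldapsam:editposix = yes
ldapsam:trusted = yes
ldap admin dn = cn=admin,dc=mydomain
ldap suffix = dc=mydomain
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
ldap user suffix = ou=users
idmap config *: backend = ldap
idmap config *: range = 10000-19999
idmap config *: ldap_url = ldap://sam3dc.mydomain/
idmap config *: ldap_base_dn = ou=idmap,dc=example,dc=com
idmap config *: ldap_user_dn = cn=admin,dc=example,dc=com
add user script = /usr/bin/smbldap-useradd -m '%u'
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
"""


def parse_smb_conf(text):
    """Return (params, duplicates): params maps lower-cased key -> last value,
    duplicates lists keys that appeared more than once (in first-seen order)."""
    params, duplicates = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#;[' or '=' not in line:
            continue
        key, value = line.split('=', 1)
        key = re.sub(r'\s+', ' ', key.strip().lower())
        if key in params and key not in duplicates:
            duplicates.append(key)
        params[key] = value.strip()
    return params, duplicates


def dn_components(dn):
    """Normalise a DN for suffix comparison: lower-case, trimmed RDNs."""
    return [c.strip().lower() for c in dn.split(',')]


def dn_under_suffix(dn, suffix):
    """True when dn equals suffix or lies below it."""
    d, s = dn_components(dn), dn_components(suffix)
    return len(d) >= len(s) and d[-len(s):] == s


def check_smb_conf(text):
    """Return a list of human-readable findings; empty list means no issue."""
    params, duplicates = parse_smb_conf(text)
    findings = []
    for key in duplicates:
        findings.append(f"duplicate parameter '{key}': the later value overrides the earlier one")
    suffix = params.get('ldap suffix')
    if suffix:
        for key in ('idmap config *: ldap_base_dn',
                    'idmap config *: ldap_user_dn',
                    'ldap admin dn'):
            if key in params and not dn_under_suffix(params[key], suffix):
                findings.append(f"'{key}' = {params[key]} is not under ldap suffix {suffix}")
    if params.get('ldapsam:editposix', 'no').lower() == 'yes':
        scripts = [k for k in params if k.endswith(' script') and 'smbldap-' in params[k]]
        if scripts:
            findings.append("ldapsam:editposix = yes and smbldap-tools scripts are both configured "
                            "(pick one account-management mechanism): " + ', '.join(scripts))
    return findings


if __name__ == '__main__':
    for finding in check_smb_conf(SAMPLE_SMB_CONF):
        print('-', finding)
```

Run against the sample it reports four findings: the repeated add machine script, the two idmap DNs outside dc=mydomain, and the editposix/smbldap-tools overlap. To check a real file, read it and pass its text to check_smb_conf; the parser only understands the flat key = value form shown here, which is all the posted configuration uses.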
On Monday, 5 March 2018, 22:16:36 CET, Rob Thoman wrote:
> Hi Gruss,
>
> At this stage there is only one server, running 3.6.25 on Ubuntu12.04.
> The plan to get LDAP to work on this one. Then add the second server
> 4.x and then promote it to BDC and then demote this one. Just a side
> info, we didn't want to go tdbsam in both as I read it breaks the
> domain trust.
>
> The domain names are real ones.
>
> I ran the commands you suggested, nothing in reply. I tried ldapi://
> and ldap://sam3dc.mydomain .

You are using Ubuntu, which uses the Debian slapd packages, so ldapi must work. The advantage of ldapi: you can access your ldap server as the unix root user via SASL EXTERNAL authentication. So these two switches must be used:

-Y EXTERNAL
-H ldapi:///

3 examples returning only the dn:

very long version (default):
-----
# SID=S-1-5-21-1507708399-2130971284-2230424465 ldapsearch -Y EXTERNAL -H ldapi:/// -b dc=afrika,dc=xx -s sub "sambasid=$SID-500" dn
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <dc=afrika,dc=xx> with scope subtree
# filter: sambasid=S-1-5-21-1507708399-2130971284-2230424465-500
# requesting: dn
#

# Administrator, people, accounts, afrika.xx
dn: uid=Administrator,ou=people,ou=accounts,dc=afrika,dc=xx

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
-----

short version (without ldif messages):
-----
# SID=S-1-5-21-1507708399-2130971284-2230424465 ldapsearch -LLLY EXTERNAL -H ldapi:/// -b dc=afrika,dc=xx -s sub "sambasid=$SID-500" dn
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: uid=Administrator,ou=people,ou=accounts,dc=afrika,dc=xx
-----

very short version (without ldif and sasl messages):
-----
# SID=S-1-5-21-1507708399-2130971284-2230424465 ldapsearch -LLLY EXTERNAL -H ldapi:/// -b dc=afrika,dc=xx -s sub "sambasid=$SID-500" dn 2>/dev/null
dn: uid=Administrator,ou=people,ou=accounts,dc=afrika,dc=xx
-----

The last version is best for scripting. The SASL messages show that the user with uidnumber 0 and gidnumber 0, aka root:root, has been authenticated.

ldap://sam3dc.mydomain must work with -D and -W or -w secret
# SID=S-1-5-21-1507708399-2130971284-2230424465 ldapsearch -xLLL -D uid=Administrator,ou=people,ou=accounts,dc=afrika,dc=xx -W -b dc=afrika,dc=xx -s sub "sambasid=$SID-500" dn
Enter LDAP Password:
dn: uid=Administrator,ou=people,ou=accounts,dc=afrika,dc=xx

> Let me run through what I did,
> /etc/ldap/ldap.conf:
> BASE dc=mydomain
> URI ldap://sam3dc.mydomain
> TLS_CACERT /etc/ldap/ca_certs.pem
>
> Imported the samba.ldif from the 3.6.25 binaries.
>
> Imported the indices
>
> dn: olcDatabase={1}hdb,cn=config
> changetype: modify
> add: olcDbIndex
> olcDbIndex: ou eq
> [...]
> olcDbIndex: nisMapEntry eq
> add: olcAccess
> olcAccess: to attrs=loginShell by dn="cn=admin,dc=mydomain" write by
> self write by * read
> olcAccess: to
> attrs=sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
> by dn="cn=admin,dc=mydomain" write by self write by * none

Here I retrieve the access for openldap as root user. This works even if I don't know the admin password.
# ldapsearch -LLLY External -H ldapi:/// -b cn=config -s sub 'olcaccess=*' olcaccess
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read

dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by anonymous read by * none
olcAccess: {2}to * by self write by dn="cn=admin,dc=afrika,dc=xx" write by * read

> Did the certificates, confirmed working
>
> Added the following
> dn: ou=users,dc=mydomain
> objectClass: top
> objectClass: organizationalUnit
> ou: users
>
> dn: ou=groups,dc=mydomain
> objectClass: top
> objectClass: organizationalUnit
> ou: groups
>
> dn: ou=idmap,dc=mydomain
> objectClass: top
> objectClass: organizationalUnit
> ou: idmap
>
> dn: ou=computers,dc=mydomain
> objectClass: top
> objectClass: organizationalUnit
> ou: computers
>
> Added the unixidpool as per your email
>
> cat unixidpool.ldif
> dn: sambaDomainName=MYDOMAIN,dc=mydomain
> changetype: modify
> add: objectclass
> objectclass: sambaUnixIdPool
> -
> add: uidnumber
> uidnumber: 10000
> -
> add: gidnumber
> gidnumber: 10000
>
> Then smbpasswd -a '' bit.
>
> Then did the pdbedit -i tdbsam -e ldapsam. This populated ldap with
> entries from tdb. Then exported the /etc/passwd and /etc/group and
> imported using the migration tool scripts

OK, even if you cannot go through ldapi you have admin access to your ldap server. So modify the commands I have sent you and run them.

You have had a working PDC with tdbsam and then switched to ldapsam in 2 different ways: "smbldap" and "ldapsam:editposix".

Some possible failures:
- duplicate system accounts, i.e. administrator
- wrong suffixes for user, group and/or machines
- wrong idmap config params

Check your secrets.tdb to verify these 3 entries
# tdbdump secrets.tdb |egrep -v '^data|^}|^{'
key(16) = "SECRETS/SID/ALIX"
key(18) = "SECRETS/SID/SCHULE"
key(45) = "SECRETS/LDAP_BIND_PW/cn=admin,dc=afrika,dc=xx"

The tdbdump utility is in package tdb-tools

--
Gruss
Harry Jede
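Harry's checks (net getdomainsid, then ldapsearch over ldapi with SASL EXTERNAL for sambaSID=$SID-500, -512, -513 and -515) are the test of whether the migrated provision is complete. As an added example that is not part of Harry's mail or of Samba, the Python below builds those ldapsearch commands for a given suffix and SID, parses the LDIF that the -LLL form returns, and reports which of the well-known RIDs are present; a second helper confirms that every line of net getdomainsid output carries the expected SID. The LDIF and getdomainsid output embedded here are constructed samples; dc=mydomain and the SID are the values Harry used in the thread.

```python
"""Added example (not from the thread or from Samba): evaluate the SID checks.

Given the domain SID and the LDIF returned by
  ldapsearch -LLLY EXTERNAL -H ldapi:/// -b <suffix> -s sub "sambasid=<SID>-<rid>"
report which well-known accounts exist, and verify that `net getdomainsid`
reports the same SID for the machine and the domain (as it must on a PDC).
"""
import re

WELL_KNOWN_RIDS = {500: 'Administrator', 512: 'Domain Admins',
                   513: 'Domain Users', 515: 'Domain Computers'}

# Constructed samples: the SID from the thread; LDIF in -LLL form with
# Administrator and Domain Users present but Domain Admins/Computers absent.
SAMPLE_SID = 'S-1-5-21-3936576374-1604348213-1812434911'
SAMPLE_LDIF = """dn: uid=Administrator,ou=users,dc=mydomain
objectClass: sambaSamAccount
objectClass: posixAccount
sambaSID: S-1-5-21-3936576374-1604348213-1812434911-500
sambaPrimaryGroupSID: S-1-5-21-3936576374-1604348213-1812434911-513
uidNumber: 1000
gidNumber: 513

dn: cn=Domain Users,ou=groups,dc=mydomain
objectClass: sambaGroupMapping
objectClass: posixGroup
sambaSID: S-1-5-21-3936576374-1604348213-1812434911-513
gidNumber: 513
"""
SAMPLE_GETDOMAINSID = """SID for local machine SAM3DC is: S-1-5-21-3936576374-1604348213-1812434911
SID for domain MYDOMAIN is: S-1-5-21-3936576374-1604348213-1812434911
"""


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, attributes
    lower-cased and multi-valued, folded lines (leading space) re-joined."""
    entries, current, last_key = [], {}, None
    for raw in text.splitlines() + ['']:
        if raw.startswith(' ') and last_key:          # folded continuation line
            current[last_key][-1] += raw[1:]
            continue
        if not raw.strip():                           # blank line ends an entry
            if current:
                entries.append(current)
            current, last_key = {}, None
            continue
        if raw.startswith('#'):                       # ldapsearch comment
            continue
        key, _, value = raw.partition(':')
        key = key.strip().lower()
        current.setdefault(key, []).append(value.strip())
        last_key = key
    return entries


def ldapsearch_command(suffix, sid, rid):
    """The per-RID search Harry describes, with the filter built in code so an
    unset shell variable cannot silently produce 'sambasid=-500'."""
    return (f'ldapsearch -LLLY EXTERNAL -H ldapi:/// -b {suffix} -s sub '
            f'"sambasid={sid}-{rid}" dn sambaSID 2>/dev/null')


def check_well_known_accounts(sid, ldif_text):
    """Map each well-known RID to the DN carrying it, or None when missing."""
    found = {}
    pattern = re.compile(re.escape(sid) + r'-(\d+)')
    for entry in parse_ldif(ldif_text):
        for value in entry.get('sambasid', []):
            m = pattern.fullmatch(value)
            if m and int(m.group(1)) in WELL_KNOWN_RIDS:
                found[int(m.group(1))] = entry['dn'][0]
    return {rid: found.get(rid) for rid in WELL_KNOWN_RIDS}


def sids_agree(getdomainsid_output, expected_sid):
    """True when every 'SID for ... is:' line reports the expected SID."""
    sids = re.findall(r'SID for .+? is: (S-1-5-21-\d+-\d+-\d+)', getdomainsid_output)
    return bool(sids) and all(s == expected_sid for s in sids)


if __name__ == '__main__':
    for rid in WELL_KNOWN_RIDS:
        print(ldapsearch_command('dc=mydomain', SAMPLE_SID, rid))
    for rid, dn in check_well_known_accounts(SAMPLE_SID, SAMPLE_LDIF).items():
        print(f'RID {rid} ({WELL_KNOWN_RIDS[rid]}): {dn or "MISSING"}')
    print('secrets.tdb SID consistent:', sids_agree(SAMPLE_GETDOMAINSID, SAMPLE_SID))
```

Two details from the thread motivate the design: later on, Rob's run of the same search shows "filter: sambasid=-500", which is what happens when $SID is not set in the shell, so the filter is assembled in code; and the sambaDomainName entry quoted earlier carries ...1812434911 while the _samr_LookupDomain log line reports ...1812465911, the kind of mismatch sids_agree is meant to surface when fed the real net getdomainsid output.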
On Monday, 5 March 2018, 14:22:13 CET, Harry Jede via samba wrote:
> On Monday, 5 March 2018, 22:16:36 CET, Rob Thoman wrote:
> > Hi Gruss,
> > [...]
> > I ran the commands you suggested, nothing in reply. I tried
> > ldapi:// and ldap://sam3dc.mydomain .
>
> You are using Ubuntu, which uses the Debian slapd packages, so ldapi must
> work. The advantage of ldapi: you can access your ldap server as the unix
> root user via SASL EXTERNAL authentication. So these two switches must
> be used:
>
> -Y EXTERNAL
> -H ldapi:///
> [...]
On Mon, 5 Mar 2018 22:16:36 +1000 Rob Thoman via samba <samba at lists.samba.org> wrote:
> Hi Gruss,
>
> At this stage there is only one server, running 3.6.25 on
> Ubuntu12.04. The plan to get LDAP to work on this one. Then add the
> second server 4.x and then promote it to BDC and then demote this
> one. Just a side info, we didn't want to go tdbsam in both as I read
> it breaks the domain trust.
> [...]
> here is smb.conf
>
> workgroup = MYDOMAIN
> netbios name = sam3dc
> security = USER
> [...]
> passdb backend = ldapsam
> ldapsam:editposix = yes
> ldapsam:trusted = yes
> ldap admin dn = cn=admin,dc=mydomain
> ldap suffix = dc=mydomain
> ldap group suffix = ou=groups
> ldap machine suffix = ou=computers
> ldap user suffix = ou=users
> idmap config *: backend = ldap
> idmap config *: range = 10000-19999
> idmap config *: ldap_url = ldap://sam3dc.mydomain/
> idmap config *: ldap_base_dn = ou=idmap,dc=example,dc=com
> idmap config *: ldap_user_dn = cn=admin,dc=example,dc=com
> [...]
> add user script = /usr/bin/smbldap-useradd -m '%u'
> [...]
> check password script = /usr/local/sbin/crackcheck -d

OK, I have been doing some tests with 'ldapsam:editposix' & 'ldapsam:trusted' because smbldap-tools seems to be a dead project.

Whilst I can get a PDC to provision (if that's the right word) and winbind to work with nss, i.e. getent works, it seems to ignore the 'sambaUnixIdPool' and the 'idmap config' lines in smb.conf (well, the ones for the DOMAIN).

What I cannot get to work, in any form, is a winbind client. I tried various smb.conf settings, some do nothing, some lead to winbindd crashing. The main problem seems to be that winbind cannot contact the ldap server.

Has anyone got a Samba PDC (set up with 'ldapsam:editposix' & 'ldapsam:trusted') working correctly and also a Samba winbind client? If they have, can they post the smb.conf files.

Rowland
Hi Gruss,

Had to ditch the VM and start again. Here is the info:

tdbdump secrets.tdb |egrep -v '^data|^}|^{'
key(21) = "SECRETS/SID/mydomain"
key(18) = "SECRETS/SID/sam3dc"
key(42) = "SECRETS/LDAP_BIND_PW/cn=admin,dc=mydomain"
key(25) = "SECRETS/DOMGUID/mydomain"
key(42) = "SECRETS/MACHINE_SEC_CHANNEL_TYPE/mydomain"
key(42) = "SECRETS/MACHINE_LAST_CHANGE_TIME/mydomain"
key(34) = "SECRETS/MACHINE_PASSWORD/mydomain"

ldapsearch -LLLY External -H ldapi:/// -b cn=config -s sub 'olcaccess=*' olcaccess
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read

dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=mydomain" write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=mydomain" write by * read
olcAccess: {3}to attrs=loginShell by dn="cn=admin,dc=mydomain" write by self write by * read
olcAccess: {4}to attrs=sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange by dn="cn=admin,dc=mydomain" write by self write by * none

I don't get the Administrator bit

ldapsearch -Y EXTERNAL -H ldapi:/// -b dc=mydomain -s sub "sambasid=$SID-500" dn
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <dc=mydomain> with scope subtree
# filter: sambasid=-500
# requesting: dn
#

# search result
search: 2
result: 0 Success

# numResponses: 1

When I try to add a new user I get the following

root at sam3dc:/var/lib/samba# smbpasswd -a sadmin
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MYDOMAIN))]
smbldap_open_connection: connection opened
New SMB password:
Retype new SMB password:
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MYDOMAIN))]
init_ldap_from_sam: Setting entry for user: sadmin
ldapsam_create_user: Unable to get the Domain Users gid: bailing out!
Failed to add entry for user sadmin.
-----------------------------------------------

I then created a user (unix) and added it to ldap using the following ldif

dn: uid=sadmin,ou=users,dc=mydomain
uid: sadmin
cn: sadmin
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$mpuXYy2Z$z336h96CJBNJNZifnts1JK9QqcMdXAZLKxRIiDUuZ9nyDXefOgbFjCe0h4gfpx.0Ug13JSt0NHpLtpE6brXrz/
shadowLastChange: 17594
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/sh
uidNumber: 1359
gidNumber: 1359
homeDirectory: /home/sadmin

Then tried to add a machine to the domain.

Mar 5 01:38:59 Dozer5 slapd[5581]: <= bdb_equality_candidates: (uid) not indexed
Mar 5 01:38:59 Dozer5 slapd[5581]: <= bdb_equality_candidates: (gidNumber) not indexed
Mar 5 01:38:59 Dozer5 slapd[5581]: <= bdb_equality_candidates: (gidNumber) not indexed
Mar 5 01:38:59 Dozer5 slapd[5581]: <= bdb_equality_candidates: (uid) not indexed
Mar 5 01:38:59 Dozer5 slapd[5581]: <= bdb_equality_candidates: (gidNumber) not indexed

I have the following in the samba logs for that machine

Failed to get groups from sam account.

So basically it is telling me there are issues with groups, fair enough. What is the best way to get the groups in ldap? I have tried the pdbedit -i tdbsam -e ldapsam, also have tried adding it via the migration tools.

The other question I would like to ask is: what if I remove the following bit from smb.conf just to test and use smbldap tools to do the user/machine management?

ldapsam:editposix = yes
ldapsam:trusted = yes

I assume I would have to set up the smbldap.conf and smbldap_bind.conf? What about the perl script in /usr/share/smbldap.pm?

SID="S-1-5-21-2631908330-1812305667-41686038" (SID of the server)
sambaDomain="mydomain"
ldapTLS="0"
suffix="dc=mydomain"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=mydomain,${suffix}"
scope="sub"
hash_encrypt="SSHA"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
userSmbHome="sam3dc\%U"
userProfile="sam3dc\profiles\%U"
smbpasswd="/usr/bin/smbpasswd"
slappasswd="/usr/sbin/slappasswd"

Sorry, asking too many questions......

On Mon, Mar 5, 2018 at 11:22 PM, Harry Jede <walk2sun at arcor.de> wrote:
> On Monday, 5 March 2018, 22:16:36 CET, Rob Thoman wrote:
> > Hi Gruss,
> > [...]
> > I ran the commands you suggested, nothing in reply. I tried ldapi://
> > and ldap://sam3dc.mydomain .
> You are using Ubuntu, which uses the Debian slapd packages, so ldapi must
> work. The advantage of ldapi: you can access your ldap server as the unix
> root user via SASL EXTERNAL authentication.
So this two switches must > > be used: > > > > -Y EXTERNAL > > -H ldapi:/// > > > > 3 examples returning only the dn: > > > > very long version (default): > > ----- > > # SID=S-1-5-21-1507708399-2130971284-2230424465 ldapsearch -Y EXTERNAL -H > ldapi:/// -b dc=afrika,dc=xx -s sub "sambasid=$SID-500" dn > > SASL/EXTERNAL authentication started > > SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth > > SASL SSF: 0 > > # extended LDIF > > # > > # LDAPv3 > > # base <dc=afrika,dc=xx> with scope subtree > > # filter: sambasid=S-1-5-21-1507708399-2130971284-2230424465-500 > > # requesting: dn > > # > > > > # Administrator, people, accounts, afrika.xx > > dn: uid=Administrator,ou=people,ou=accounts,dc=afrika,dc=xx > > > > # search result > > search: 2 > > result: 0 Success > > > > # numResponses: 2 > > # numEntries: 1 > > ----- > > > > short version (without ldif messages): > > ----- > > # SID=S-1-5-21-1507708399-2130971284-2230424465 ldapsearch -LLLY EXTERNAL > -H ldapi:/// -b dc=afrika,dc=xx -s sub "sambasid=$SID-500" dn > > SASL/EXTERNAL authentication started > > SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth > > SASL SSF: 0 > > dn: uid=Administrator,ou=people,ou=accounts,dc=afrika,dc=xx > > > > ----- > > very short version (without ldif and sasl messages): > > ----- > > # SID=S-1-5-21-1507708399-2130971284-2230424465 ldapsearch -LLLY EXTERNAL > -H ldapi:/// -b dc=afrika,dc=xx -s sub "sambasid=$SID-500" dn 2>/dev/null > > dn: uid=Administrator,ou=people,ou=accounts,dc=afrika,dc=xx > > > > The last version is best for scripting. The SASL messages show > > that the user with uidnumber 0 and gidnumber 0, aka root:root > > has been authenticated. 
>
> ldap://sam3dc.mydomain must work with -D and -W or -w secret
> # SID=S-1-5-21-1507708399-2130971284-2230424465 ldapsearch -xLLL -D uid=Administrator,ou=people,ou=accounts,dc=afrika,dc=xx -W -b dc=afrika,dc=xx -s sub "sambasid=$SID-500" dn
> Enter LDAP Password:
> dn: uid=Administrator,ou=people,ou=accounts,dc=afrika,dc=xx
>
> > Let me run through what I did ,
> > /etc/ldap/ldap.conf:
> > BASE dc=mydomain
> > URI ldap://sam3dc.mydomain
> > TLS_CACERT /etc/ldap/ca_certs.pem
> >
> > Imported the samba.ldif from the 3.6.25 binaries.
> >
> > Imported the indices
> >
> > dn: olcDatabase={1}hdb,cn=config
> > changetype: modify
> > add: olcDbIndex
> > olcDbIndex: ou eq
> > olcDbIndex: mail eq
> > olcDbIndex: surname eq
> > olcDbIndex: givenname eq
> > olcDbIndex: loginShell eq
> > olcDbIndex: uniqueMember eq,pres
> > olcDbIndex: sambaSID eq
> > olcDbIndex: sambaPrimaryGroupSID eq
> > olcDbIndex: sambaGroupType eq
> > olcDbIndex: sambaSIDList eq
> > olcDbIndex: sambaDomainName eq
> > olcDbIndex: default sub
> > olcDbIndex: nisMapName eq
> > olcDbIndex: nisMapEntry eq
> > add: olcAccess
> > olcAccess: to attrs=loginShell by dn="cn=admin,dc=mydomain" write by self write by * read
> > olcAccess: to attrs=sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange by dn="cn=admin,dc=mydomain" write by self write by * none
>
> Here I retrieve the access for openldap as root user.
> This works even if I don't know the admin password.
> # ldapsearch -LLLY External -H ldapi:/// -b cn=config -s sub 'olcaccess=*' olcaccess
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> dn: olcDatabase={-1}frontend,cn=config
> olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
> olcAccess: {1}to dn.exact="" by * read
> olcAccess: {2}to dn.base="cn=Subschema" by * read
>
> dn: olcDatabase={0}config,cn=config
> olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
>
> dn: olcDatabase={1}hdb,cn=config
> olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
> olcAccess: {1}to attrs=shadowLastChange by self write by anonymous read by * none
> olcAccess: {2}to * by self write by dn="cn=admin,dc=afrika,dc=xx" write by * read
>
> > Did the certificates, confirmed working
> >
> > Added the following
> > dn: ou=users,dc=mydomain
> > objectClass: top
> > objectClass: organizationalUnit
> > ou: users
> >
> > dn: ou=groups,dc=mydomain
> > objectClass: top
> > objectClass: organizationalUnit
> > ou: groups
> >
> > dn: ou=idmap,dc=mydomain
> > objectClass: top
> > objectClass: organizationalUnit
> > ou: idmap
> >
> > dn: ou=computers,dc=mydomain
> > objectClass: top
> > objectClass: organizationalUnit
> > ou: computers
> >
> > Added the unixidpool as per your email
> >
> > cat unixidpool.ldif
> >
> > dn: sambaDomainName=MYDOMAIN,dc=mydomain
> > changetype: modify
> > add: objectclass
> > objectclass: sambaUnixIdPool
> > -
> > add: uidnumber
> > uidnumber: 10000
> > -
> > add: gidnumber
> > gidnumber: 10000
> >
> > Then smbpasswd -a '' bit.
> >
> > Then did the pdbedit -i tdbsam -e ldapsam.
> > This populated ldap with
> > entries from tdb. Then exported the /etc/passwd and /etc/group and
> > imported using the migration tool scripts
>
> OK,
>
> even if you can not go through ldapi you have admin access to your
> ldap server. So modify the commands I have sent you and run them.
>
> You have had a working PDC with tdbsam and then switched to ldapsam
> in 2 different ways: "smbldap" and "ldapsam:editposix".
>
> Some possible failures:
> - duplicate system accounts, i.e. administrator
> - wrong suffixes for user, group and/or machines
> - wrong idmap config params
>
> Check your secrets.tdb to verify these 3 entries
> # tdbdump secrets.tdb |egrep -v '^data|^}|^{'
> key(16) = "SECRETS/SID/ALIX"
> key(18) = "SECRETS/SID/SCHULE"
> key(45) = "SECRETS/LDAP_BIND_PW/cn=admin,dc=afrika,dc=xx"
>
> The tdbdump utility is in package tdb-tools
>
> --
>
> Gruss
> Harry Jede
On Monday, 5 March 2018, 22:16:36 CET, Rob Thoman wrote:
> Hi Gruss,
>
> At this stage there is only one server, running 3.6.25 on Ubuntu12.04.
> The plan to get LDAP to work on this one. Then add the second server
> 4.x and then promote it to BDC and then demote this one. Just a side
> info, we didn't want to go tdbsam in both as I read it breaks the
> domain trust.
>
> The domain names are real ones.
>
> I ran the commands you suggested, nothing in reply. I tried ldapi://
> and ldap://sam3dc.mydomain .
>
> Let me run through what I did ,
> /etc/ldap/ldap.conf:
> BASE dc=mydomain
> URI ldap://sam3dc.mydomain
> TLS_CACERT /etc/ldap/ca_certs.pem
>
> Imported the samba.ldif from the 3.6.25 binaries.
>
> Imported the indices
>
> dn: olcDatabase={1}hdb,cn=config
> changetype: modify
> add: olcDbIndex
> olcDbIndex: ou eq
> olcDbIndex: mail eq
> olcDbIndex: surname eq
> olcDbIndex: givenname eq
> olcDbIndex: loginShell eq
> olcDbIndex: uniqueMember eq,pres
> olcDbIndex: sambaSID eq
> olcDbIndex: sambaPrimaryGroupSID eq
> olcDbIndex: sambaGroupType eq
> olcDbIndex: sambaSIDList eq
> olcDbIndex: sambaDomainName eq
> olcDbIndex: default sub
> olcDbIndex: nisMapName eq
> olcDbIndex: nisMapEntry eq
> add: olcAccess
> olcAccess: to attrs=loginShell by dn="cn=admin,dc=mydomain" write by self write by * read
> olcAccess: to attrs=sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange by dn="cn=admin,dc=mydomain" write by self write by * none
>
> Did the certificates, confirmed working
>
> Added the following
> dn: ou=users,dc=mydomain
> objectClass: top
> objectClass: organizationalUnit
> ou: users
>
> dn: ou=groups,dc=mydomain
> objectClass: top
> objectClass: organizationalUnit
> ou: groups
>
> dn: ou=idmap,dc=mydomain
> objectClass: top
> objectClass: organizationalUnit
> ou: idmap
>
> dn: ou=computers,dc=mydomain
> objectClass: top
> objectClass: organizationalUnit
> ou: computers
>
> Added the unixidpool as per your email
>
> cat unixidpool.ldif
>
> dn: sambaDomainName=MYDOMAIN,dc=mydomain
> changetype: modify
> add: objectclass
> objectclass: sambaUnixIdPool
> -
> add: uidnumber
> uidnumber: 10000
> -
> add: gidnumber
> gidnumber: 10000

At this point you should have cleaned /var/lib/samba: stop samba, back up and remove the content of /var/lib/samba, then start samba.

> Then smbpasswd -a '' bit.
>
> Then did the pdbedit -i tdbsam -e ldapsam. This populated ldap with
> entries from tdb.

Are you sure that the generated ldif is working? I am sure not! Why do I say this? Because samba 3.6 tolerates a lot of things which are not allowed in current releases.

> Then exported the /etc/passwd and /etc/group and
> imported using the migration tool scripts

I have never done this. And this could also make problems. i.e. you have the user sadmin in /etc/passwd and in ldap. Remember that nss uses first passwd and then ldap and stops after the first match.

> here is smb.conf
>
> workgroup = MYDOMAIN
> netbios name = sam3dc
> security = USER
> obey pam restrictions = Yes
> encrypt passwords = true
>
> preferred master = Yes
> local master = Yes
> domain master = Yes
> domain logons = yes
> max protocol = NT1
> map untrusted to domain = Yes
> os level = 65
> time server = yes
> passdb backend = ldapsam
> ldapsam:editposix = yes
> ldapsam:trusted = yes
> ldap admin dn = cn=admin,dc=mydomain
> ldap suffix = dc=mydomain
> ldap group suffix = ou=groups
> ldap machine suffix = ou=computers
> ldap user suffix = ou=users
Hi Rob,

> olcDbIndex: ou eq
> olcDbIndex: mail eq
> olcDbIndex: surname eq
> olcDbIndex: givenname eq
> olcDbIndex: loginShell eq
> olcDbIndex: uniqueMember eq,pres
> olcDbIndex: sambaSID eq
> olcDbIndex: sambaPrimaryGroupSID eq
> olcDbIndex: sambaGroupType eq
> olcDbIndex: sambaSIDList eq
> olcDbIndex: sambaDomainName eq
> olcDbIndex: default sub
> olcDbIndex: nisMapName eq
> olcDbIndex: nisMapEntry eq

Doesn't look good.

replace the indices
# ldapmodify -Y external -H ldapi:/// -f olcdbindex.ldif

stop slapd
# /etc/init.d/slapd stop

re-index
# slapindex -v -n 1

start slapd
# /etc/init.d/slapd start

We want to watch the communication between samba and ldap:

First, we set another loglevel
# ldapmodify -Y external -H ldapi:/// -f olcloglevel.ldif

and then run in an extra terminal:

tail -f /var/log/syslog|sed -nre 's/^.*( slapd.*$)/\1/p'

You will see the communication between samba and slapd.
This is the output from: *net getdomainsid*

slapd[18826]: conn=1000 fd=13 ACCEPT from IP=127.0.0.1:33707 (IP=0.0.0.0:389)
slapd[18826]: conn=1000 op=0 BIND dn="cn=admin,dc=afrika,dc=xx" method=128
slapd[18826]: conn=1000 op=0 BIND dn="cn=admin,dc=afrika,dc=xx" mech=SIMPLE ssf=0
slapd[18826]: conn=1000 op=0 RESULT tag=97 err=0 text=
# the bind from smbd

slapd[18826]: conn=1000 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
slapd[18826]: conn=1000 op=1 SRCH attr=supportedControl
slapd[18826]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
# the search from smbd for supportedControls

slapd[18826]: conn=1000 op=2 SRCH base="dc=afrika,dc=xx" scope=2 deref=0 filter="(&(objectClass=sambaDomain)(sambaDomainName=schule))"
slapd[18826]: conn=1000 op=2 SRCH attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
slapd[18826]: conn=1000 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[18826]: conn=1000 fd=13 closed (connection lost)
# and finally the search for "sambaDomainName and sambaSID"
# samba does not search for single attributes,
# instead all attributes from an objectclass

###
$ cat olcloglevel.ldif
dn: cn=config
changetype: modify
replace: olcloglevel
olcloglevel: 256
-

$ cat olcdbindex.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcDbIndex
olcDbIndex: cn eq,sub
olcDbIndex: dc eq
olcDbIndex: default eq
olcDbIndex: dhcpClassData eq
olcDbIndex: dhcpHWAddress eq
olcDbIndex: displayName eq,sub
olcDbIndex: gidNumber eq
olcDbIndex: givenName eq,sub
olcDbIndex: loginShell eq
olcDbIndex: mail eq,sub,approx
olcDbIndex: memberUid eq,sub
olcDbIndex: objectClass eq
olcDbIndex: ou eq
olcDbIndex: sambaDomainName eq
olcDbIndex: sambaGroupType eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaSID eq
olcDbIndex: sambaSIDList eq
olcDbIndex: sn eq,sub
olcDbIndex: uid eq,sub
olcDbIndex: uidNumber eq
olcDbIndex: uniqueMember eq

--
Gruss
Harry Jede
Peter Serbe
2018-Mar-07 12:42 UTC
[Samba] dns_tkey_negotiategss: TKEY is unacceptable - documentation update
Hi list,

I have struggled with one of my DCs, which persistently refused to do DNS updates, even after I carefully went through all the actions listed in the wiki page:

https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable

Finally I found the reason: The resolv.conf on the DC pointed to itself, so that I might have hit the DNS islanding trap. After pointing the primary entry in resolv.conf to the main DC the DNS update immediately was working.

Maybe the wiki should give a hint on checking the name resolver, too.

Best regards
Peter
L.P.H. van Belle
2018-Mar-07 13:11 UTC
[Samba] dns_tkey_negotiategss: TKEY is unacceptable - documentation update
2 small questions here.

Pointing to itself with
nameserver 127.0.0.1
or
nameserver real_ip_of_DC

Samba Internal DNS or Samba+Bind9_DLZ ?

Greetz,

Louis

> -----Original message-----
> From: samba [mailto:samba-bounces at lists.samba.org] On behalf of
> Peter Serbe via samba
> Sent: Wednesday, 7 March 2018 13:42
> To: samba at lists.samba.org
> Subject: [Samba] dns_tkey_negotiategss: TKEY is
> unacceptable - documentation update
>
> Hi list,
>
> I have struggled with one of my DCs, which persistently
> refused to do DNS updates,
> even after I carefully went through all the actions listed in
> the wiki page:
>
> https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
>
> Finally I found the reason: The resolv.conf on the DC pointed
> to itself, so that
> I might have hit the DNS islanding trap. After pointing the
> primary entry in
> resolv.conf to the main DC the DNS update immediately was working.
>
> Maybe the wiki should give a hint on checking the name resolver, too.
>
> Best regards
> Peter
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
Hi Harry,

sadmin and tadmin are both admin logins. I was trying to domain join with both. sadmin is in ldap

The olcdbindex.ldif gave this error

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
        additional info: index attribute "dhcpClassData" undefined

I did the indexing and also the log level

Here is what I got with tail -f /var/log/syslog|sed -nre 's/^.*( slapd.*$)/\1/p'

net getlocalsid

slapd[2332]: <= bdb_equality_candidates: (uid) not indexed
slapd[2332]: conn=1090 op=10 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[2332]: conn=1090 op=11 SRCH base="dc=mydomain" scope=2 deref=0 filter="(&(gidNumber=1005)(objectClass=sambaGroupMapping))"
slapd[2332]: conn=1090 op=11 SRCH attr=sambaSID
slapd[2332]: <= bdb_equality_candidates: (gidNumber) not indexed
slapd[2332]: conn=1090 op=11 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[2332]: conn=1090 op=12 SRCH base="dc=mydomain" scope=2 deref=0 filter="(&(uid=dozer15$)(objectClass=sambaSamAccount))"
slapd[2332]: conn=1090 op=12 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory loginShell gecos
slapd[2332]: <= bdb_equality_candidates: (uid) not indexed
slapd[2332]: conn=1090 op=12 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[2332]: conn=1090 op=13 SRCH base="dc=mydomain" scope=2 deref=0 filter="(&(gidNumber=1005)(objectClass=sambaGroupMapping))"
slapd[2332]: conn=1090 op=13 SRCH attr=sambaSID
slapd[2332]: <= bdb_equality_candidates: (gidNumber) not indexed
slapd[2332]: conn=1090 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[2332]: conn=1090 op=14 SRCH base="dc=mydomain" scope=2 deref=0 filter="(&(uid=dozer15$)(objectClass=sambaSamAccount))"
slapd[2332]: conn=1090 op=14 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory loginShell gecos
slapd[2332]: <= bdb_equality_candidates: (uid) not indexed
slapd[2332]: conn=1090 op=14 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[2332]: conn=1090 op=15 SRCH base="dc=mydomain" scope=2 deref=0 filter="(&(gidNumber=1005)(objectClass=sambaGroupMapping))"
slapd[2332]: conn=1090 op=15 SRCH attr=sambaSID
slapd[2332]: <= bdb_equality_candidates: (gidNumber) not indexed
slapd[2332]: conn=1090 op=15 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[2332]: conn=1090 fd=20 closed (connection lost)
slapd[2332]: conn=1091 fd=20 ACCEPT from IP=[::1]:38914 (IP=[::]:389)
slapd[2332]: conn=1091 op=0 BIND dn="cn=admin,dc=mydomain" method=128
slapd[2332]: conn=1091 op=0 BIND dn="cn=admin,dc=mydomain" mech=SIMPLE ssf=0
slapd[2332]: conn=1091 op=0 RESULT tag=97 err=0 text=
slapd[2332]: conn=1091 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
slapd[2332]: conn=1091 op=1 SRCH attr=supportedControl
slapd[2332]: conn=1091 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[2332]: conn=1091 op=2 SRCH base="dc=mydomain" scope=2 deref=0 filter="(&(objectClass=sambaDomain)(sambaDomainName=mydomain))"
slapd[2332]: conn=1091 op=2 SRCH attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
slapd[2332]: conn=1091 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[2332]: conn=1091 fd=20 closed (connection lost)

Joining the machine to the domain

slapd[2332]: conn=1120 op=9 SRCH base="dc=mydomain" scope=2 deref=0 filter="(&(uid=sadmin)(objectClass=sambaSamAccount))"
slapd[2332]: conn=1120 op=9 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory loginShell gecos
slapd[2332]: <= bdb_equality_candidates: (uid) not indexed
slapd[2332]: conn=1120 op=9 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[2332]: conn=1120 op=10 SRCH base="dc=mydomain" scope=2 deref=0 filter="(&(gidNumber=1359)(objectClass=sambaGroupMapping))"
slapd[2332]: conn=1120 op=10 SRCH attr=sambaSID
slapd[2332]: <= bdb_equality_candidates: (gidNumber) not indexed
slapd[2332]: conn=1120 op=10 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[2332]: conn=1120 op=11 SRCH base="dc=mydomain" scope=2 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=sadmin)(gidNumber=1359)))"
slapd[2332]: conn=1120 op=11 SRCH attr=gidNumber sambaSID
slapd[2332]: <= bdb_equality_candidates: (memberUid) not indexed
slapd[2332]: <= bdb_equality_candidates: (gidNumber) not indexed
slapd[2332]: conn=1120 op=11 SEARCH RESULT tag=101 err=0 nentries=1 text=

The two ways I can join a machine to the domain are
- Change to TDBSAM
- Remove both of these lines from smb.conf
ldapsam:editposix = yes
ldapsam:trusted = yes

The strange thing is that Win7 joins to the domain, reboots then gives the domain trust failed message. Windows10 joins and works. That might be an issue with the machine password

My question is, are we losing anything by not using the editposix and trusted option? I understand that smbldap is not supported but it seems to work in my testing

On Wed, Mar 7, 2018 at 10:10 PM, Harry Jede <walk2sun at arcor.de> wrote:
> Hi Rob,
>
> > olcDbIndex: ou eq
> > olcDbIndex: mail eq
> > olcDbIndex: surname eq
> > olcDbIndex: givenname eq
> > olcDbIndex: loginShell eq
> > olcDbIndex: uniqueMember eq,pres
> > olcDbIndex: sambaSID eq
> > olcDbIndex: sambaPrimaryGroupSID eq
> > olcDbIndex: sambaGroupType eq
> > olcDbIndex: sambaSIDList eq
> > olcDbIndex: sambaDomainName eq
> > olcDbIndex: default sub
> > olcDbIndex: nisMapName eq
> > olcDbIndex: nisMapEntry eq
>
> Doesn't look good.
>
> replace the indices
> # ldapmodify -Y external -H ldapi:/// -f olcdbindex.ldif
>
> stop slapd
> # /etc/init.d/slapd stop
>
> re-index
> # slapindex -v -n 1
>
> start slapd
> # /etc/init.d/slapd start
>
> We want to watch the communication between samba and ldap:
>
> First, we set another loglevel
> # ldapmodify -Y external -H ldapi:/// -f olcloglevel.ldif
>
> and then run in an extra terminal:
>
> tail -f /var/log/syslog|sed -nre 's/^.*( slapd.*$)/\1/p'
>
> You will see the communication between samba and slapd.
> This is the output from: *net getdomainsid*
>
> slapd[18826]: conn=1000 fd=13 ACCEPT from IP=127.0.0.1:33707 (IP=0.0.0.0:389)
> slapd[18826]: conn=1000 op=0 BIND dn="cn=admin,dc=afrika,dc=xx" method=128
> slapd[18826]: conn=1000 op=0 BIND dn="cn=admin,dc=afrika,dc=xx" mech=SIMPLE ssf=0
> slapd[18826]: conn=1000 op=0 RESULT tag=97 err=0 text=
> # the bind from smbd
>
> slapd[18826]: conn=1000 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
> slapd[18826]: conn=1000 op=1 SRCH attr=supportedControl
> slapd[18826]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> # the search from smbd for supportedControls
>
> slapd[18826]: conn=1000 op=2 SRCH base="dc=afrika,dc=xx" scope=2 deref=0 filter="(&(objectClass=sambaDomain)(sambaDomainName=schule))"
> slapd[18826]: conn=1000 op=2 SRCH attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
> slapd[18826]: conn=1000 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
> slapd[18826]: conn=1000 fd=13 closed (connection lost)
> # and finally the search for "sambaDomainName and sambaSID"
> # samba does not search for single attributes,
> # instead all attributes from an objectclass
>
> ###
> $ cat olcloglevel.ldif
> dn: cn=config
> changetype: modify
> replace: olcloglevel
> olcloglevel: 256
> -
>
> $ cat olcdbindex.ldif
> dn: olcDatabase={1}hdb,cn=config
> changetype: modify
> replace: olcDbIndex
> olcDbIndex: cn eq,sub
> olcDbIndex: dc eq
> olcDbIndex: default eq
> olcDbIndex: dhcpClassData eq
> olcDbIndex: dhcpHWAddress eq
> olcDbIndex: displayName eq,sub
> olcDbIndex: gidNumber eq
> olcDbIndex: givenName eq,sub
> olcDbIndex: loginShell eq
> olcDbIndex: mail eq,sub,approx
> olcDbIndex: memberUid eq,sub
> olcDbIndex: objectClass eq
> olcDbIndex: ou eq
> olcDbIndex: sambaDomainName eq
> olcDbIndex: sambaGroupType eq
> olcDbIndex: sambaPrimaryGroupSID eq
> olcDbIndex: sambaSID eq
> olcDbIndex: sambaSIDList eq
> olcDbIndex: sn eq,sub
> olcDbIndex: uid eq,sub
> olcDbIndex: uidNumber eq
> olcDbIndex: uniqueMember eq
>
> --
>
> Gruss
> Harry Jede
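A small checker for the slapd loglevel-256 output discussed in this thread, added here as an example and not code posted by anyone in it: it collects the `bdb_equality_candidates: (...) not indexed` warnings and writes the matching olcDbIndex LDIF from only the attributes the server itself named, which sidesteps the `index attribute "dhcpClassData" undefined` failure a hand-written list ran into. The log lines are constructed in the shape of the posted excerpt, and the database DN olcDatabase={1}hdb,cn=config is the one used in the thread.

```python
"""Turn slapd 'not indexed' warnings (loglevel 256) into an olcDbIndex LDIF."""
import re

# Constructed sample shaped like the syslog excerpt in the thread: three
# searches smbd issues during a domain join, each tripping a warning.
SAMPLE_LOG = """\
slapd[2332]: conn=1090 op=11 SRCH base="dc=mydomain" scope=2 deref=0 filter="(&(gidNumber=1005)(objectClass=sambaGroupMapping))"
slapd[2332]: conn=1090 op=11 SRCH attr=sambaSID
slapd[2332]: <= bdb_equality_candidates: (gidNumber) not indexed
slapd[2332]: conn=1090 op=11 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[2332]: conn=1090 op=12 SRCH base="dc=mydomain" scope=2 deref=0 filter="(&(uid=dozer15$)(objectClass=sambaSamAccount))"
slapd[2332]: <= bdb_equality_candidates: (uid) not indexed
slapd[2332]: conn=1090 op=12 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[2332]: conn=1120 op=11 SRCH base="dc=mydomain" scope=2 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=sadmin)(gidNumber=1359)))"
slapd[2332]: <= bdb_equality_candidates: (memberUid) not indexed
slapd[2332]: <= bdb_equality_candidates: (gidNumber) not indexed
"""

# "bdb_equality_candidates: (uid) not indexed" -> ("equality", "uid")
NOT_INDEXED = re.compile(r"bdb_([a-z]+)_candidates: \(([\w;-]+)\) not indexed")
FILTER = re.compile(r'filter="([^"]*)"')
FILTER_ATTR = re.compile(r"\(([\w;-]+)=")  # attribute of an assertion like (uid=x)

# slapd candidate-set names -> olcDbIndex keywords
INDEX_KIND = {"equality": "eq", "substring": "sub", "presence": "pres", "approx": "approx"}


def unindexed_attributes(log_text):
    """Map each attribute slapd complained about to the index kinds it lacked."""
    found = {}
    for match in NOT_INDEXED.finditer(log_text):
        kind, attr = match.groups()
        found.setdefault(attr, set()).add(INDEX_KIND.get(kind, kind))
    return found


def filter_attributes(log_text):
    """Every attribute that appears in a search filter, indexed or not."""
    attrs = set()
    for match in FILTER.finditer(log_text):
        attrs.update(FILTER_ATTR.findall(match.group(1)))
    return attrs


def index_ldif(log_text, database_dn="olcDatabase={1}hdb,cn=config"):
    """LDIF 'add' for exactly the indexes slapd asked for.

    Only attributes the server itself logged are emitted, so every one of
    them is defined in the loaded schema. Apply with
    ldapmodify -Y EXTERNAL -H ldapi:/// -f <file>, then stop slapd, run
    slapindex and start slapd again, as described in the thread.
    """
    missing = unindexed_attributes(log_text)
    lines = [f"dn: {database_dn}", "changetype: modify", "add: olcDbIndex"]
    for attr in sorted(missing, key=str.lower):
        lines.append(f"olcDbIndex: {attr} {','.join(sorted(missing[attr]))}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(index_ldif(SAMPLE_LOG), end="")
```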