Hi Erik: You might want to double check the following. This might not be
the cause of your issue, but it might be worth checking:

Allow Access to Account Attributes


Likewise Enterprise is compatible with Small Business Server 2003.
However, because the server locks down several user account values by
default, you must create a group in Active Directory for your Unix
computers, add each Likewise client computer to it, and configure the
group to read all user information.

On other versions of Windows Server, the user account values are
available by default. If, however, you use an AD security setting to
lock them down, they will be unavailable to the Likewise agent.

To determine Unix account information, the Likewise agent requires that
the AD computer account for the machine running Likewise can read the
attributes in the following table.

Attribute           Requirement
------------------  ------------------------------------------------------------------
uid                 Required when you use Likewise Enterprise in schema mode.
uidNumber           Required when you use Likewise Enterprise in schema mode.
gidNumber           Required when you use Likewise Enterprise in schema mode.
userAccountControl  Required for schema mode, non-schema mode, and unprovisioned mode.


Allow Access to Account Attributes


1. In Active Directory Users and Computers, create a group named
   Unix Computers.

2. Add each Likewise client computer to the group.

3. In the console tree, right-click the domain, choose Delegate
   Control, click Next, click Add, and then enter the group named Unix
   Computers.

4. Click Next, select Delegate the following common tasks, and then
   in the list select Read all user information.

5. Click Next, and then click Finish.

6. On the target Unix, Linux, or Mac computer, restart the Likewise
   agent to reinitialize the computer account's logon to Active Directory
   and to get the new information about group membership.

7. Run /opt/likewise/lw-enum-users to verify that you can read user
   information.

See Also
Restart the Authentication Daemon
About Schema Mode and Non-Schema Mode

________________________________

(c) 2009 Likewise Software. All rights reserved. For more information,
contact i...@likewise.com or visit http://www.likewise.com/

 

 

Steve Hoenisch
Likewise Software Inc.
shoeni...@likewise.com
15395 SE 30th Place, Suite 140
Bellevue, WA 98007
www.likewise.com

From: likewise-open-discuss-boun...@lists.likewiseopen.org
[mailto:likewise-open-discuss-boun...@lists.likewiseopen.org] On Behalf
Of Erik Peeters
Sent: Thursday, May 07, 2009 3:00 AM
To: likewise-open-discuss@lists.likewiseopen.org
Subject: [Likewise-open-discuss] Successfully joined AD; I can list groups
but I can't list users!

Hello all, 

I successfully joined a CentOS v5.3 to our AD-server using LikewiseOpen
v5.1.5249.

However I am not able to log in using users from AD.  I performed some of
the tests as described in the Manual (see below).

What is very strange is that I am able to see the AD-groups using
'lw-enum-groups', but I am not able to see the users using 'lw-enum-users'.

If I check /var/log/messages (see below) I get as error message:

  May  7 11:14:47 pv03 lsassd[3073]: 0x46dd8940:User S-1-5-21-2709511636-3220455279-3717729453-1117 has an invalid value for the userAccountControl attribute. Please check that it is set and that the machine account has permission to read it.

I checked the 'userAccountControl' attribute and I am pretty sure that
this is not the problem. So then I must conclude that the problem must be
related to the last message:
... and that the machine account has permission to read it.

Does anyone know what this 'machine account' is and how I can check its
permissions? Does anyone have an idea what the problem might be?

Thanks,

Erik Peeters






Operating system:  CentOS 5.3

Installation of LikewiseOpen (v5.1.5249) was successful.
Joining a domain was successful using the command line tool.
(The GUI gave an error)


Logon problem with AD-accounts: 
------------------------------- 
[r...@pv03 bin]# /opt/likewise/bin/domainjoin-cli query 
Name = pv03 
Domain = ANSEM-INTERN.LOCAL 
Distinguished Name = CN=pv03,CN=Computers,DC=ansem-intern,DC=local 

[r...@pv03 bin]# /opt/likewise/bin/kdestroy 
kdestroy: No credentials cache found while destroying cache 

[r...@pv03 bin]# /sbin/service lsassd status 
lsassd (pid 3073) is running... 

 

[r...@pv03 bin]# /opt/likewise/bin/lw-get-dc-name ansem-intern.local 
   Printing LWNET_DC_INFO fields: 
   =============================== 
   dwDomainControllerAddressType = 23 
   dwFlags = 1021 
   dwVersion = 5 
   wLMToken = 65535 
   wNTToken = 65535 
   pszDomainControllerName = dc01.ansem-intern.local 
   pszDomainControllerAddress = 192.168.2.1 
   pucDomainGUID(hex) = 4B B7 89 58 B9 B5 78 49 88 B3 C8 61 17 F7 C5 9A 
   pszNetBIOSDomainName = ANSEM-INTERN 
   pszFullyQualifiedDomainName = ansem-intern.local 
   pszDnsForestName = ansem-intern.local 
   pszDCSiteName = Default-First-Site-Name 
   pszClientSiteName = Default-First-Site-Name 
   pszNetBIOSHostName = DC01 
   pszUserName = <EMPTY> 

[r...@pv03 bin]# /opt/likewise/bin/lw-get-status 
   LSA Server Status: 

   Agent version: 5.1.5249 
   Uptime:        8 days 0 hours 9 minutes 12 seconds 

   [Authentication provider: lsa-activedirectory-provider] 

        Status:        Online 
        Mode:          Un-provisioned 
        Domain:        ANSEM-INTERN.LOCAL 
        Forest:        ansem-intern.local 
        Site:          Default-First-Site-Name 
        Online check interval:  300 seconds 
        [Trusted Domains: 1] 

 

        [Domain: ANSEM-INTERN] 

                DNS Domain:       ansem-intern.local 
                Netbios name:     ANSEM-INTERN 
                Forest name:      ansem-intern.local 
                Trustee DNS name: 
                Client site name: Default-First-Site-Name 
                Domain SID:
S-1-5-21-2709511636-3220455279-3717729453 
                Domain GUID:      4bb78958-b9b5-7849-88b3-c86117f7c59a 
                Trust Flags:      [0x001d] 
                                  [0x0001 - In forest] 
                                  [0x0004 - Tree root] 
                                  [0x0008 - Primary] 
                                  [0x0010 - Native] 
                Trust type:       Up Level 
                Trust Attributes: [0x0000] 
                Trust Direction:  Primary Domain 
                Trust Mode:       In my forest Trust (MFT) 
                Domain flags:     [0x0001] 
                                  [0x0001 - Primary] 

                [Domain Controller (DC) Information] 

                        DC Name:              dc01.ansem-intern.local 
                        DC Address:           192.168.2.1 
                        DC Site:              Default-First-Site-Name 
                        DC Flags:             [0x000003fd] 
                        DC Is PDC:            yes 
                        DC is time server:    yes 
                        DC has writeable DS:  yes 
                        DC is Global Catalog: yes 
                        DC is running KDC:    yes 

   [Authentication provider: lsa-local-provider] 

        Status:        Online 
        Mode:          Local system 

 

[r...@pv03 bin]# su ANSEM-INTERN\\peeters 
   su: user ANSEM-INTERN\peeters does not exist 

 

[r...@pv03 bin]# ./lw-enum-groups 
   Group info (Level-0): 
   ==================== 
   Name:     ANSEM-INTERN\aankopen_users-distrubution-group 
   Gid:      27788776 
   SID:     S-1-5-21-2709511636-3220455279-3717729453-1512 
   
   . 
   .  197 similar entries deleted 
   . 
   
   Group info (Level-0): 
   ==================== 
   Name:     ANSEM-INTERN\witness-security 
   Gid:      27788599 
   SID:     S-1-5-21-2709511636-3220455279-3717729453-1335 
   TotalNumGroupsFound:      199 

 

[r...@pv03 bin]# ./lw-enum-users 
   Failed to enumerate users.  The LDAP attribute value is NULL or
invalid 

 

[r...@pv03 bin]# tail /var/log/messages 
   May  7 11:12:58 pv03 lsassd[3073]: 0x445d4940:User
S-1-5-21-2709511636-3220455279-3717729453-1195 has an invalid value for
the userAccountControl attribute. Please check that it is set and that
the machine account has permission to read it.

 

[r...@pv03 bin]# su ANSEM-INTERN\\peeters 
   su: user ANSEM-INTERN\peeters does not exist 

[r...@pv03 bin]# tail /var/log/messages 
   May  7 11:14:47 pv03 lsassd[3073]: 0x46dd8940:User
S-1-5-21-2709511636-3220455279-3717729453-1117 has an invalid value for
the userAccountControl attribute. Please check that it is set and that
the machine account has permission to read it.

   

_________________________________________________ 

Erik Peeters
IT Manager
IC Operations Manager
Direct: +32 16 386 510
erik.peet...@ansem.com 

AnSem NV - www.ansem.com
Esperantolaan 9 - 3001 Heverlee - BELGIUM
Phone: +32 16 38 65 00 - Fax: +32 16 38 65 65   
BTW BE 0462.614.279 - RPR Leuven 

Information in this mail is strictly confidential
_________________________________________________ 
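The lsassd messages Erik quotes name the failing user by SID, and the thread's answer turns on whether the problem is one object's userAccountControl value or the machine account's permission to read the attribute at all. The script below is an added example (not Likewise code and not from either poster): it scans syslog lines for the lsassd error, groups the hits by user and domain so you can see whether one or many users fail, and decodes a userAccountControl integer into its published flag bits (Microsoft's ADS_USER_FLAG_ENUM values) once you have read the value from the directory. The log lines are constructed to match the format quoted in the thread; the sshd line is unrelated noise the parser must skip.

```python
"""Triage lsassd userAccountControl errors from syslog and decode UAC bit values."""
import re
from collections import Counter

# Constructed sample syslog excerpt modelled on the lsassd lines quoted in the
# thread; the sshd line is unrelated noise that the parser must skip.
SAMPLE_LOG = """\
May  7 11:12:58 pv03 lsassd[3073]: 0x445d4940:User S-1-5-21-2709511636-3220455279-3717729453-1195 has an invalid value for the userAccountControl attribute. Please check that it is set and that the machine account has permission to read it.
May  7 11:13:10 pv03 sshd[3101]: Accepted publickey for root from 192.168.2.50 port 50122 ssh2
May  7 11:14:47 pv03 lsassd[3073]: 0x46dd8940:User S-1-5-21-2709511636-3220455279-3717729453-1117 has an invalid value for the userAccountControl attribute. Please check that it is set and that the machine account has permission to read it.
May  7 11:15:02 pv03 lsassd[3073]: 0x46dd8940:User S-1-5-21-2709511636-3220455279-3717729453-1117 has an invalid value for the userAccountControl attribute. Please check that it is set and that the machine account has permission to read it.
"""

# The last dash-number of a domain SID is the RID; the rest identifies the domain.
UAC_ERROR = re.compile(
    r"lsassd\[(?P<pid>\d+)\]: 0x[0-9a-fA-F]+:User (?P<sid>S-1-5-21(?:-\d+){3}-(?P<rid>\d+))"
    r" has an invalid value for the userAccountControl attribute"
)

def parse_uac_errors(log_text):
    """Return one dict per matching syslog line (non-matching lines are skipped)."""
    errors = []
    for line in log_text.splitlines():
        m = UAC_ERROR.search(line)
        if m:
            sid = m.group("sid")
            errors.append({"timestamp": line[:15], "pid": int(m.group("pid")),
                           "sid": sid, "domain_sid": sid.rsplit("-", 1)[0],
                           "rid": int(m.group("rid"))})
    return errors

def summarize(log_text):
    """Aggregate errors per user and domain and state the more likely cause.

    Several distinct users of one domain failing on the same attribute points at
    the agent's machine account lacking read permission on userAccountControl
    (the delegation fix in the thread); a single failing RID is more likely one
    object with a bad or empty value.
    """
    errors = parse_uac_errors(log_text)
    per_user = Counter(e["sid"] for e in errors)
    if not per_user:
        cause = "no lsassd userAccountControl errors found"
    elif len(per_user) == 1:
        cause = "single user affected: check that object's userAccountControl value"
    else:
        cause = "multiple users affected: check the machine account's read permission on userAccountControl"
    return {"total_errors": len(errors), "distinct_users": len(per_user),
            "per_user": dict(per_user),
            "domains": sorted({e["domain_sid"] for e in errors}),
            "likely_cause": cause}

# Published userAccountControl flag bits (ADS_USER_FLAG_ENUM), lowest bit first.
UAC_FLAGS = [
    (0x00000001, "SCRIPT"),
    (0x00000002, "ACCOUNTDISABLE"),
    (0x00000008, "HOMEDIR_REQUIRED"),
    (0x00000010, "LOCKOUT"),
    (0x00000020, "PASSWD_NOTREQD"),
    (0x00000040, "PASSWD_CANT_CHANGE"),
    (0x00000080, "ENCRYPTED_TEXT_PWD_ALLOWED"),
    (0x00000100, "TEMP_DUPLICATE_ACCOUNT"),
    (0x00000200, "NORMAL_ACCOUNT"),
    (0x00000800, "INTERDOMAIN_TRUST_ACCOUNT"),
    (0x00001000, "WORKSTATION_TRUST_ACCOUNT"),
    (0x00002000, "SERVER_TRUST_ACCOUNT"),
    (0x00010000, "DONT_EXPIRE_PASSWORD"),
    (0x00020000, "MNS_LOGON_ACCOUNT"),
    (0x00040000, "SMARTCARD_REQUIRED"),
    (0x00080000, "TRUSTED_FOR_DELEGATION"),
    (0x00100000, "NOT_DELEGATED"),
    (0x00200000, "USE_DES_KEY_ONLY"),
    (0x00400000, "DONT_REQ_PREAUTH"),
    (0x00800000, "PASSWORD_EXPIRED"),
    (0x01000000, "TRUSTED_TO_AUTH_FOR_DELEGATION"),
    (0x04000000, "PARTIAL_SECRETS_ACCOUNT"),
]

def decode_uac(value):
    """Return the flag names set in a userAccountControl integer, lowest bit first.

    Unknown bits are reported as UNKNOWN_0x... rather than dropped; a missing or
    non-integer value (what the agent calls "NULL or invalid") raises instead.
    """
    if isinstance(value, bool) or not isinstance(value, int) or value < 0:
        raise ValueError("userAccountControl is NULL or not a non-negative integer")
    names = [name for bit, name in UAC_FLAGS if value & bit]
    unknown = value & ~sum(bit for bit, _ in UAC_FLAGS)
    if unknown:
        names.append("UNKNOWN_0x%08x" % unknown)
    return names

if __name__ == "__main__":
    for key, val in summarize(SAMPLE_LOG).items():
        print("%-15s %s" % (key, val))
    print(decode_uac(0x10200))  # NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD: a typical enabled user
```

Run it against a real file with `summarize(open("/var/log/messages").read())`; if the report names several distinct users, the delegation of Read all user information to the computer-account group described in Steve's excerpt is the first thing to verify, and only a single repeated RID justifies inspecting that one object's value with the decoder.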

 


_____________________________________________________________________
Likewise-open-discuss mailing list
Likewise-open-discuss@lists.likewiseopen.org
Found a bug?  Please file a report:
http://lobugs.likewise.com/
Looking for other discussion options?  Try our forums:
http://www.likewise.com/community/index.php/forums/
