On Thursday 15 January 2004 10:32, you wrote:
> Hello Vegeta,
>
> I've looked at your post at samba mailing list.
>
> Same as you are, I am having a nightmare making a windows 2000
> pro to logon to my domain.
>
> But unlike you, smbldap-tools worked fine-ish for me. They
> have populated the database with initial users,groups and
> created computer entry. The setup works fine for
> shares/workgroup. But I can't make it connect to my pdc. By
> the way, I am running Debian unstable with samba 3.0.1 and
> ldap 2.1.23.
>
> By following your experience, I've managed to resolve some of
> the issues while I was trying to logon to my domain.
>
> Initially, looking at the ldap logs, windows was trying to
> search for entries that were not found in the ldap. Like pid
> 501, which is meant to be a guest account, and few other
> things.
>
> But after correcting these issues, ldap finds all the entries,
> but still gives me Logon Failure: unknown username or bad
> password.

There are two solutions. One is to use

    ldap machine suffix = ou=People

instead of

    ldap machine suffix = ou=Computers

This will probably work.

A better solution that allows storing computer accounts in ou=Computers requires changing the ldap.conf file. This is not a Samba file, but an OpenLDAP file (I assume you are using OpenLDAP). In the ldap.conf file of the LDAP server use:

    scope sub
    nss_base_passwd dc=arhont,dc=com
    nss_base_shadow dc=arhont,dc=com

instead of the more traditional

    scope one
    nss_base_passwd ou=People,dc=arhont,dc=com
    nss_base_shadow ou=People,dc=arhont,dc=com

The reason for the "unknown username or bad password" message is that Samba tries to find the machine as a "user" listed by NSS (as when you use "getent passwd"). When you have nss configured with "scope one" and "nss_base_passwd ou=People,dc=arhont,dc=com" the only users samba sees are the accounts in ou=People (without looking in any subtrees). When you use "scope sub" and "nss_base_passwd dc=arhont,dc=com" samba can see all users in all subtrees of "dc=arhont,dc=com".

Regarding changes in the registry, they are not necessary in Samba 3.0.x. Some documentation I read talks about this, but it only applies to Samba 2.2.x. I could join W2K machines to the domain without making any registry modifications.

> But looking at samba logs, I don't see any errors. This is the
> output of the slapd when I attempt to logon to domain:
>
> --------
> Jan 15 14:07:23 whale slapd[24434]: conn=5 fd=19 ACCEPT from IP=192.168.77.7:38423 (IP=0.0.0.0:389)
> Jan 15 14:07:23 whale slapd[24434]: conn=5 op=0 BIND dn="cn=root,dc=arhont,dc=com" method=128
> Jan 15 14:07:23 whale slapd[24434]: conn=5 op=0 BIND dn="cn=root,dc=arhont,dc=com" mech=simple ssf=0
> Jan 15 14:07:23 whale slapd[24434]: conn=5 op=0 RESULT tag=97 err=0 text=
> Jan 15 14:07:23 whale slapd[24434]: conn=5 op=1 SRCH base="dc=arhont,dc=com" scope=2 filter="(&(objectClass=sambaDomain)(sambaDomainName=ARHONT))"
> Jan 15 14:07:23 whale slapd[24434]: conn=5 op=1 SRCH attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
> Jan 15 14:07:23 whale slapd[24434]: conn=5 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Jan 15 14:07:23 whale slapd[24434]: conn=5 op=2 SRCH base="dc=arhont,dc=com" scope=2 filter="(&(uid=root)(objectClass=sambaSamAccount))"
> Jan 15 14:07:23 whale slapd[24434]: conn=5 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial
> Jan 15 14:07:23 whale slapd[24434]: conn=5 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Jan 15 14:07:23 whale slapd[24434]: conn=5 fd=19 closed
> -------
>
> and this is the example of my smb.conf
>
> #LDAP Support for samba 3+
> passdb backend = ldapsam:ldap://whale.core.arhont.com
> ldap admin dn = "cn=root,dc=arhont,dc=com"
> idmap backend = ldap:ldap://whale.core.arhont.com
> ldap suffix = dc=arhont,dc=com
> ldap machine suffix = ou=computers
> ldap user suffix = ou=users
>
> #ldap ssl = off
> #ldap user suffix = "ou=users,dc=arhont,dc=com"
>
> ##Default LDAP FILTER
> #ldap filter = "(&(uid=%u)(objectClass=SambaSamAccount))"
> ldap filter = "(uid=%u)"
>
> ldap delete dn = no
> #ldap password sync = yes
>
> In addition, you have mentioned that the win2k registry has to
> be changed. I've looked at the registry key on my workstation,
> and it was already 0, from the default install. Is it normal,
> as I've read in few places that it has to be changed. but my
> one was already 0 from the initial installation.
>
> Do you have any suggestions, what might be going wrong? I am
> already at my third day trying to integrate samba/ldap. What a
> nightmare!
>
> Thanks in advance for any help )
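Added example, not part of the original message or of Samba/nss_ldap: a Python check that reads the two configurations discussed above and reports whether the NSS passwd search (base plus scope) can reach an account stored under Samba's machine suffix. The function names and the machine account pc1$ are assumptions, the sample configs are constructed from the values in the thread, and DNs are assumed to contain no escaped commas.

```python
# Added example: helper names and the machine account "pc1$" are hypothetical.

def parse(text, sep=None):
    """Parse 'key value' lines (ldap.conf, sep=None) or 'key = value' (smb.conf, sep='=')."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":          # skip blanks and comments
            continue
        parts = line.split(sep, 1)
        if len(parts) == 2:
            conf[parts[0].strip().lower()] = parts[1].strip().strip('"')
    return conf

def rdns(dn):
    """Split a DN into lower-cased RDNs (assumes no escaped commas)."""
    return [p.strip().lower() for p in dn.split(",") if p.strip()]

def in_scope(entry_dn, base_dn, scope):
    """LDAP search scope semantics: base = the entry itself, one = direct children, sub = subtree."""
    e, b = rdns(entry_dn), rdns(base_dn)
    if len(e) < len(b) or e[len(e) - len(b):] != b:
        return False                              # entry is not under the search base
    depth = len(e) - len(b)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def nss_sees_machines(ldap_conf, smb_conf, machine="pc1$"):
    """True if the nss_base_passwd search would return a machine account."""
    nss, smb = parse(ldap_conf), parse(smb_conf, "=")
    # nss_ldap allows a per-map override: nss_base_passwd <base>?<scope>
    base, _, override = nss["nss_base_passwd"].partition("?")
    scope = (override.split("?")[0] or nss.get("scope", "sub")).lower()
    # Samba 3 appends "ldap machine suffix" to "ldap suffix"
    machine_dn = "uid=%s,%s,%s" % (machine, smb["ldap machine suffix"], smb["ldap suffix"])
    return in_scope(machine_dn, base, scope)

# Constructed samples using the values quoted in the thread.
SMB_CONF = """
ldap suffix = dc=arhont,dc=com
ldap machine suffix = ou=computers
ldap user suffix = ou=users
"""
LDAP_CONF_ONE = "scope one\nnss_base_passwd ou=People,dc=arhont,dc=com\n"
LDAP_CONF_SUB = "scope sub\nnss_base_passwd dc=arhont,dc=com\n"

if __name__ == "__main__":
    print("scope one:", nss_sees_machines(LDAP_CONF_ONE, SMB_CONF))
    print("scope sub:", nss_sees_machines(LDAP_CONF_SUB, SMB_CONF))
```

Calling in_scope() on other containers under dc=arhont,dc=com shows which additional entries the wider base makes visible to NSS as system accounts.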