It looks like this is configured as a BDC (domain logons = yes, domain master = no).

How is the underlying unix account created? Do you manually create them, or does a script create them? If you don't actually create a unix account, then you need to make sure winbindd is allocating a uid. Either way "getent passwd" should show you the unix user name or uid.

If you use winbindd to allocate unix uids, then /etc/nsswitch.conf would need an entry like
    passwd: files ldap winbind

On 06/10/2011 12:45 PM, Dermot wrote:
Hi,

I have an ldap provider and consumer that appear to work correctly,
e.g. new users are synced and a search on either server (ldapsearch -x
-b 'dc=example,dc=com' '(cn=djohn)') returns an object. However, when an
XP user attempts to connect to the consumer server the authentication
fails:


[2011/06/10 16:11:21,  0] lib/util_sock.c:write_data(1059)
[2011/06/10 16:11:21,  0] lib/util_sock.c:get_peer_addr_internal(1607)
   getpeername failed. Error was Transport endpoint is not connected
   write_data: write failure in writing to client 0.0.0.0. Error
Connection reset by peer
[2011/06/10 16:11:21,  0] smbd/process.c:srv_send_smb(74)
   Error writing 4 bytes to client. -1. (Transport endpoint is not connected)
[2011/06/10 16:11:21,  0] passdb/pdb_get_set.c:pdb_get_group_sid(210)
   pdb_get_group_sid: Failed to find Unix account for djohn
[2011/06/10 16:11:21,  1] auth/auth_util.c:make_server_info_sam(562)
   User djohn in passdb, but getpwnam() fails!
[2011/06/10 16:11:21,  0] auth/auth_sam.c:check_sam_security(355)
   check_sam_security: make_server_info_sam() failed with
'NT_STATUS_NO_SUCH_USER'
[2011/06/10 16:11:21,  0] passdb/pdb_get_set.c:pdb_get_group_sid(210)
   pdb_get_group_sid: Failed to find Unix account for djohn
[2011/06/10 16:11:21,  1] auth/auth_util.c:make_server_info_sam(562)
   User djohn in passdb, but getpwnam() fails!
[2011/06/10 16:11:21,  0] auth/auth_sam.c:check_sam_security(355)
   check_sam_security: make_server_info_sam() failed with
'NT_STATUS_NO_SUCH_USER'

The XP user is prompted with a login dialogue box.


I can see requests being made from the smb consumer server to the ldap provider

Jun 10 15:54:43 provider slapd[11306]: conn=70 fd=19 ACCEPT from
IP=162.128.168.137:49339 (IP=0.0.0.0:389)
Jun 10 15:54:43 provider slapd[11306]: conn=70 op=0 BIND
dn="cn=admin,dc=example,dc=com" method=128
Jun 10 15:54:43 provider slapd[11306]: conn=70 op=0 BIND
dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
Jun 10 15:54:43 provider slapd[11306]: conn=70 op=0 RESULT tag=97 err=0 text=
Jun 10 15:54:43 provider slapd[11306]: conn=70 op=1 SRCH base=""
scope=0 deref=0 filter="(objectClass=*)"
Jun 10 15:54:43 provider slapd[11306]: conn=70 op=1 SRCH attr=supportedControl
Jun 10 15:54:43 provider slapd[11306]: conn=70 op=1 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Jun 10 15:54:43 provider slapd[11306]: conn=70 op=2 SRCH
base="sambaDomainName=LDNSPL,sambaDomainName=LDNSPL,dc=example,dc=com"
scope=2 deref=0
filter="(&(objectClass=sambaTrustedDomainPassword)(sambaDomainName=LDNSPL))"
Jun 10 15:54:43 provider slapd[11306]: conn=70 op=2 SEARCH RESULT
tag=101 err=32 nentries=0 text=
Jun 10 15:54:43 provider slapd[11306]: conn=70 op=3 SRCH
base="dc=example,dc=com" scope=2 deref=0
filter="(&(uid=djohn)(objectClass=sambaSamAccount))"
Jun 10 15:54:43 provider slapd[11306]: conn=70 op=3 SRCH attr=uid
uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
sn diLDNSPLayName sambaHomeDrive sambaHomePath sambaLogonScript
sambaProfilePath description sambaUserWorkstations sambaSID
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
sambaBadPasswordTime sambaPasswordHistory modifyTimestamp
sambaLogonHours modifyTimestamp uidNumber
Jun 10 15:54:43 provider slapd[11306]: conn=70 op=3 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Jun 10 15:54:43 provider slapd[11306]: conn=70 op=4 SRCH
base="sambaDomainName=LDNSPL,dc=example,dc=com" scope=0 deref=0
filter="(objectClass=*)"
Jun 10 15:54:43 provider slapd[11306]: conn=70 op=4 SRCH
attr=sambaPwdHistoryLength
Jun 10 15:54:43 provider slapd[11306]: conn=70 op=4 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Jun 10 15:54:43 provider slapd[11306]: conn=70 fd=19 closed (connection lost)
Jun 10 15:54:43 provider slapd[11306]: conn=71 fd=19 ACCEPT from
IP=162.128.168.137:49340 (IP=0.0.0.0:389)
Jun 10 15:54:43 provider slapd[11306]: conn=71 op=0 BIND
dn="cn=admin,dc=example,dc=com" method=128
Jun 10 15:54:43 provider slapd[11306]: conn=71 op=0 BIND
dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
Jun 10 15:54:43 provider slapd[11306]: conn=71 op=0 RESULT tag=97 err=0 text=
Jun 10 15:54:43 provider slapd[11306]: conn=71 op=1 SRCH base=""
scope=0 deref=0 filter="(objectClass=*)"
Jun 10 15:54:43 provider slapd[11306]: conn=71 op=1 SRCH attr=supportedControl
Jun 10 15:54:43 provider slapd[11306]: conn=71 op=1 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Jun 10 15:54:43 provider slapd[11306]: conn=71 op=2 SRCH
base="sambaDomainName=LDNSPL,sambaDomainName=LDNSPL,dc=example,dc=com"
scope=2 deref=0
filter="(&(objectClass=sambaTrustedDomainPassword)(sambaDomainName=LDNSPL))"
Jun 10 15:54:43 provider slapd[11306]: conn=71 op=2 SEARCH RESULT
tag=101 err=32 nentries=0 text=
Jun 10 15:54:43 provider slapd[11306]: conn=71 op=3 SRCH
base="dc=example,dc=com" scope=2 deref=0
filter="(&(uid=djohn)(objectClass=sambaSamAccount))"
Jun 10 15:54:43 provider slapd[11306]: conn=71 op=3 SRCH attr=uid
uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
sn diLDNSPLayName sambaHomeDrive sambaHomePath sambaLogonScript
sambaProfilePath description sambaUserWorkstations sambaSID
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
sambaBadPasswordTime sambaPasswordHistory modifyTimestamp
sambaLogonHours modifyTimestamp uidNumber
Jun 10 15:54:43 provider slapd[11306]: conn=71 op=3 SEARCH RESULT
tag=101 err=0 nentries=1 text=
Jun 10 15:54:43 provider slapd[11306]: conn=71 fd=19 closed (connection lost)

I see an error 32 here and I also see some nentries=1 that I'm
guessing are matched responses.

If I do ldapsearch -x -b "sambaDomainName=LDNSPL,dc=example,dc=com", I get

# extended LDIF
#
# LDAPv3
# base<sambaDomainName=LDNSPL,dc=example,dc=com>  with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# LDNSPL, example.com
dn: sambaDomainName=LDNSPL,dc=example,dc=com
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: LDNSPL
sambaSID: S-1-5-21-1979685110-1467996072-351907979
gidNumber: 1000
sambaPwdHistoryLength: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutThreshold: 0
sambaRefuseMachinePwdChange: 0
sambaMinPwdLength: 5
sambaLogonToChgPwd: 0
sambaNextRid: 1001
sambaForceLogoff: -1
uidNumber: 1116


The same query with cn=djohn returns nothing:

...
# filter: cn=djohn
# requesting: ALL
#

# search result
search: 2
result: 0 Success


So some parts of my configuration look to be working, but something is
not right and I can't figure out where the problem is. The smb config
for the consumer is below. Can anyone help track down where the
problem lies?
Thanks in advance,
Dermot.

### SMB.CONF ###

[global]
    unix charset = LOCALE
    workgroup = LDNSPL
    server string = Test Server
    netbios name = docstore
#   security = domain

    load printers = no
;   printcap name = /etc/printcap
;   printcap name = lpstat
;   printing = cups
cups options = raw
;  guest account = pcguest
    log file = /var/log/samba/%m.log
    log level = 1
    syslog = 0
    max log size = 50
    name resolve order = wins bcast hosts
    printcap name = CUPS
    show add printer wizard = no
    passdb backend = ldapsam:"ldap://provider.example.com";
#   passdb backend = ldapsam:"ldap://consumer.example.com
ldap://provider.example.com";
    domain logons = yes
    os level = 63
    domain master = no
    logon script = login.bat
    logon path =
    wins server = provider.example.com
    ldap suffix = dc=example,dc=com
    ldap machine suffix = ou=Computers, ou=Users
    ldap user suffix = ou=People
    ldap group suffix = ou=Group
    ldap idmap suffix = ou=idmap
    ldap admin dn = cn=admin,dc=example,dc=com
    utmp = Yes
    idmap backend = ldap://provider.example.com
    idmap uid = 15000-20000
    idmap gid = 15000-20000
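The reply's advice is to find out which users smbd sees in the LDAP passdb but cannot resolve through getpwnam(), and to check that the passwd line in /etc/nsswitch.conf consults the sources that could supply them. The script below is an added example, not code from the thread or from Samba: it extracts those users from constructed copies of the "User X in passdb, but getpwnam() fails!" lines quoted above, checks the passwd line of a (constructed) nsswitch.conf, and, when run on the consumer host, asks getent whether each user resolves now.

```shell
#!/bin/sh
# Added example (not from the thread). Diagnose "User X in passdb, but
# getpwnam() fails!" by listing the affected users and checking which
# NSS sources the passwd line in nsswitch.conf consults.

# Constructed sample modelled on the smbd log lines quoted in the thread.
SAMPLE_LOG='[2011/06/10 16:11:21,  1] auth/auth_util.c:make_server_info_sam(562)
   User djohn in passdb, but getpwnam() fails!
[2011/06/10 16:11:21,  0] auth/auth_sam.c:check_sam_security(355)
   check_sam_security: make_server_info_sam() failed with
[2011/06/10 16:11:21,  1] auth/auth_util.c:make_server_info_sam(562)
   User djohn in passdb, but getpwnam() fails!
[2011/06/10 16:11:22,  1] auth/auth_util.c:make_server_info_sam(562)
   User asmith in passdb, but getpwnam() fails!'

# Constructed nsswitch.conf passwd lines: local files only, and the line
# suggested in the reply for winbindd-allocated uids.
NSS_BAD='passwd: files'
NSS_OK='passwd: files ldap winbind'

# Print each distinct user named in a "...getpwnam() fails!" line ($1 = log text).
unresolved_users() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*User \([^[:space:]]*\) in passdb, but getpwnam() fails!.*/\1/p' |
        sort -u
}

# Print the NSS sources listed on the first passwd: line ($1 = nsswitch.conf text).
passwd_sources() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*passwd:[[:space:]]*//p' | head -n 1
}

# Exit 0 if the passwd: line names source $2, else 1 ($1 = nsswitch.conf text).
has_passwd_source() {
    for src in $(passwd_sources "$1"); do
        [ "$src" = "$2" ] && return 0
    done
    return 1
}

# For each unresolved user, ask NSS (via getent) whether it resolves on this
# host; only meaningful on the consumer itself, so getent's absence is tolerated.
report_unresolved() {
    for u in $(unresolved_users "$1"); do
        if command -v getent >/dev/null 2>&1 && getent passwd "$u" >/dev/null 2>&1; then
            echo "$u: resolves through NSS now"
        else
            echo "$u: not resolvable through NSS (check nsswitch.conf, winbindd, ldap)"
        fi
    done
}

report_unresolved "$SAMPLE_LOG"
```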
