I read all the HOWTOs I could find on the net about the LDAP PDC and still, I can't get it to work.
Here is some info about the server:
Samba version 3.0.1pre3 running on Redhat 8.0 with an OpenLDAP server version 2.0.27.
I want to create a new domain named DOMAINB from the users I imported from DOMAINA (NT4 PDC) using net rpc vampire.
It went well and every user is in the DB, including the machine accounts and the groups (group mappings too). I don't know if this is right, but I changed every SID from the original accounts to the new server SID (got it from net getlocalsid); please tell me if this is wrong.
The problem occurs when I try to join the domain using a Windows 2000 SP2 client (signorseal=0). I constantly get the message "User / Password is wrong" from the client.
The root/nobody are also created.
Here are the debug messages I get, starting with the LDAP logs:
daemon: conn=0 fd=9 connection from IP=127.0.0.1:1296 (IP=0.0.0.0:389) accepted.
conn=0 op=0 BIND dn="CN=ROOT,O=GARAGE,DC=QC,DC=CA" method=128
ber_flush: 14 bytes to sd 9
deferring operation
conn=0 op=0 RESULT tag=97 err=0 text=
conn=0 op=1 SRCH base="o=garage,dc=qc,dc=ca" scope=2 filter="(&(objectClass=sambaDomain)(sambaDomainName=DOMAINB))"
ber_flush: 271 bytes to sd 9
ber_flush: 14 bytes to sd 9
conn=0 op=1 SEARCH RESULT tag=101 err=0 text=
conn=0 op=2 SRCH base="o=garage,dc=qc,dc=ca" scope=2 filter="(&(uid=ADMINAM)(objectClass=sambaSamAccount))"
ber_flush: 672 bytes to sd 9
ber_flush: 14 bytes to sd 9
daemon: conn=1 fd=16 connection from IP=127.0.0.1:1297 (IP=0.0.0.0:389) accepted.
conn=0 op=2 SEARCH RESULT tag=101 err=0 text=
conn=1 op=0 BIND dn="" method=128
ber_flush: 14 bytes to sd 16
deferring operation
conn=1 op=0 RESULT tag=97 err=0 text=
conn=1 op=1 SRCH base="o=garage,dc=qc,dc=ca" scope=2 filter="(&(objectClass=posixAccount)(uid=ADMINAM))"
ber_flush: 14 bytes to sd 16
conn=1 op=1 SEARCH RESULT tag=101 err=0 text=
conn=-1 fd=9 closed
conn=-1 fd=16 closed
Now the Samba log:
[2003/12/06 00:37:23, 4] auth/auth_sam.c:sam_password_ok(224)
sam_password_ok: Checking NT MD4 password
[2003/12/06 00:37:23, 4] auth/auth_sam.c:sam_account_ok(325)
sam_account_ok: Checking SMB password for user ADMINAM
[2003/12/06 00:37:23, 1] auth/auth_util.c:make_server_info_sam(821)
User ADMINAM in passdb, but getpwnam() fails!
[2003/12/06 00:37:23, 5] auth/auth_util.c:free_server_info(1251)
attempting to free (and zero) a server_info structure
[2003/12/06 00:37:23, 0] auth/auth_sam.c:check_sam_security(464)
check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
[2003/12/06 00:37:23, 5] auth/auth.c:check_ntlm_password(268)
check_ntlm_password: sam authentication for user [ADMINAM] FAILED with error NT_STATUS_NO_SUCH_USER
[2003/12/06 00:37:23, 3] auth/auth_winbind.c:check_winbind_security(79)
check_winbind_security: Not using winbind, requested domain was for this SAM.
[2003/12/06 00:37:23, 10] auth/auth.c:check_ntlm_password(256)
check_ntlm_password: winbind had nothing to say
[2003/12/06 00:37:23, 2] auth/auth.c:check_ntlm_password(309)
check_ntlm_password: Authentication for user [ADMINAM] -> [ADMINAM] FAILED with error NT_STATUS_NO_SUCH_USER
[2003/12/06 00:37:23, 5] auth/auth_util.c:free_user_info(1226)
attempting to free (and zero) a user_info structure
[2003/12/06 00:37:23, 10] auth/auth_util.c:free_user_info(1229)
structure was created for ADMINAM
Here is the ADMINAM entry in the backend:
dn: uid=ADMINAM,ou=Users,o=garage,dc=qc,dc=ca
uid: ADMINAM
displayName: Admin
sambaLogonTime: 1070401736
sambaLogoffTime: 1025783704
sambaLMPassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sambaPwdLastSet: 1056543798
sambaAcctFlags: [UX ]
objectClass: sambaSamAccount
objectClass: account
sambaDomainName: GARAGE
sambaSID: S-1-5-21-3655003630-1527190663-3647291254-1009
sambaPrimaryGroupSID: S-1-5-21-3655003630-1527190663-3647191254-513
Here is my Samba config file:
# Global parameters
[global]
#### ADD SCRIPTS
add machine script = /usr/local/samba/share/smbldap-useradd.pl -w %ms"
add user script = /usr/local/samba/share/smbldap-useradd.pl -a %u
delete user script = /usr/local/samba/share/smbldap-userdel.pl %u
add group script = /usr/local/samba/share/smbldap-groupadd.pl %g
delete group script = /usr/local/samba/share/smbldap-groupdel.pl %g
add user to group script = /usr/local/samba/share/smbldap-groupmod.pl" -m %u %g
delete user from group script = /usr/local/samba/share/smbldap-groupmod.pl -x %u %g
set primary group script = /usr/local/samba/share/smbldap-usermod.pl -G %g %u
null passwords = yes
unix charset = UTF-8
passdb backend = ldapsam:ldap://localhost/
ldap suffix = o=garage,dc=qc,dc=ca
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap admin dn = cn=root,o=garage,dc=qc,dc=ca
workgroup = GARAGE
netbios name = PDC
comment = Server
security = user
encrypt passwords = yes
logon script = scripts\%U.bat
domain logons = Yes
os level = 255
preferred master = Yes
domain master = Yes
share modes = No
wins support = yes

[homes]
path=/home/domainusers
read only = No
create mask = 0700
directory mask = 0700
locking = No
oplocks = No

[netlogon]
path = /usr/local/samba/netlogon
locking = no
read only = yes
write list = ntadmin

[profiles]
path = /home/domainusers/profiles
read only = no
writeable = yes
create mask = 0600
directory mask = 0700
In nsswitch.conf, passwd/group/shadow are set to: files ldap
I think this is all. Thank you for your help, and thanks to the Samba team for writing such useful software!
Charles Hamel [EMAIL PROTECTED]
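
An added example, not part of the original post: the Samba log above reports that getpwnam() fails, and the LDAP log shows a lookup filtered on objectClass=posixAccount, so this check lists the posixAccount attributes an entry lacks and compares the domain part of its two SIDs. The sample LDIF is constructed from the entry quoted in the post (hashes and timestamps omitted), and the function names are hypothetical.

```python
# Constructed sample: the ADMINAM entry from the post, hashes/timestamps omitted.
SAMPLE_LDIF = """\
dn: uid=ADMINAM,ou=Users,o=garage,dc=qc,dc=ca
uid: ADMINAM
displayName: Admin
sambaAcctFlags: [UX ]
objectClass: sambaSamAccount
objectClass: account
sambaSID: S-1-5-21-3655003630-1527190663-3647291254-1009
sambaPrimaryGroupSID: S-1-5-21-3655003630-1527190663-3647191254-513
"""

# Attributes the posixAccount object class requires (RFC 2307).
POSIX_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")

def parse_entry(ldif):
    """Parse one unfolded, non-base64 LDIF entry into {lowercased attr: [values]}."""
    entry = {}
    for line in ldif.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry

def domain_sid(sid):
    """Strip the trailing RID, leaving the domain part of a SID."""
    return sid.rsplit("-", 1)[0]

def check_entry(entry):
    """Return findings about the entry's Unix-side attributes and its SIDs."""
    findings = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "posixaccount" not in classes:
        findings.append("objectClass posixAccount missing")
    for attr in POSIX_MUST:
        if attr.lower() not in entry:
            findings.append("attribute %s missing" % attr)
    user = entry.get("sambasid", [""])[0]
    group = entry.get("sambaprimarygroupsid", [""])[0]
    if user and group and domain_sid(user) != domain_sid(group):
        findings.append("sambaPrimaryGroupSID is in a different domain SID")
    return findings

if __name__ == "__main__":
    for finding in check_entry(parse_entry(SAMPLE_LDIF)):
        print(finding)
```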