I have followed your suggestion: changed the ldap.conf so the nsswitch will do a sub search and changed the nss_passwd/group/shadow to search at the root of the database. Still no luck.
When I look at the ldap logs, I can't seem to find entries for searching machine names. Even though I've seen them once before, now every time I try to log on to my domain I can't find any entries for machine names. Here are the logs from ldap:
-------
Jan 16 11:42:56 whale slapd[1183]: conn=170 fd=24 ACCEPT from IP=192.168.77.7:41475 (IP=0.0.0.0:389)
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=0 BIND dn="cn=root,dc=arhont,dc=com" method=128
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=0 BIND dn="cn=root,dc=arhont,dc=com" mech=simple ssf=0
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=0 RESULT tag=97 err=0 text=
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=1 SRCH base="dc=arhont,dc=com" scope=2 filter="(&(objectClass=sambaDomain)(sambaDomainName=ARHONT))"
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=1 SRCH attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=2 SRCH base="dc=arhont,dc=com" scope=2 filter="(&(sambaSID=S-1-5-21-3830420305-2497394645-3910713721-501)(objectClass=sambaSamAccount))"
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jan 16 11:42:56 whale slapd[1183]: conn=171 fd=25 ACCEPT from IP=127.0.0.1:41476 (IP=0.0.0.0:389)
Jan 16 11:42:56 whale slapd[1183]: conn=171 op=0 BIND dn="cn=root,dc=arhont,dc=com" method=128
Jan 16 11:42:56 whale slapd[1183]: conn=171 op=0 BIND dn="cn=root,dc=arhont,dc=com" mech=simple ssf=0
Jan 16 11:42:56 whale slapd[1183]: conn=171 op=0 RESULT tag=97 err=0 text=
Jan 16 11:42:56 whale slapd[1183]: conn=171 op=1 SRCH base="dc=arhont,dc=com" scope=2 filter="(uid=nobody)"
Jan 16 11:42:56 whale slapd[1183]: conn=171 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 16 11:42:56 whale slapd[1183]: conn=171 op=2 SRCH base="dc=arhont,dc=com" scope=2 filter="(&(objectClass=posixGroup)(|(memberUid=nobody)(uniqueMember=uid=nobody,ou=users,dc=arhont,dc=com)))"
Jan 16 11:42:56 whale slapd[1183]: conn=171 op=2 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
Jan 16 11:42:56 whale slapd[1183]: <= bdb_equality_candidates: (uniqueMember) index_param failed (18)
Jan 16 11:42:56 whale slapd[1183]: conn=171 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=3 SRCH base="dc=arhont,dc=com" scope=2 filter="(&(objectClass=sambaGroupMapping)(gidNumber=65534))"
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=3 SRCH attr=gidNumber sambaSID sambaGroupType description displayName cn objectClass
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=4 SRCH base="dc=arhont,dc=com" scope=2 filter="(&(objectClass=sambaGroupMapping)(gidNumber=501))"
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=4 SRCH attr=gidNumber sambaSID sambaGroupType description displayName cn objectClass
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=4 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 16 11:42:57 whale slapd[1183]: conn=170 fd=24 closed
Jan 16 11:42:57 whale slapd[1183]: conn=171 fd=25 closed
--------
Is it normal that I can't see the search entries for the machine name that I try to connect to the domain?
Thanks
Vegeta Saiyajin wrote:
On Thursday 15 January 2004 10:32, you wrote:
Hello Vegeta,
I've looked at your post at samba mailing list.
Same as you, I am having a nightmare making a Windows 2000 Pro machine log on to my domain.
But unlike you, smbldap-tools worked fine-ish for me. They have populated the database with initial users, groups and created the computer entry. The setup works fine for shares/workgroup, but I can't make it connect to my PDC. By the way, I am running Debian unstable with samba 3.0.1 and ldap 2.1.23.
By following your experience, I've managed to resolve some of the issues while I was trying to log on to my domain.
Initially, looking at the ldap logs, Windows was trying to search for entries that were not found in the ldap, like pid 501, which is meant to be a guest account, and a few other things.
But after correcting these issues, ldap finds all the entries but still gives me Logon Failure: unknown username or bad password.
There are two solutions.
One is to use
ldap machine suffix = ou=People
instead of ldap machine suffix= ou=Computers
This will probably work.
A better solution that allows storing computer accounts in ou=Computers requires changing the ldap.conf file.
This is not a Samba file, but an OpenLdap file (I assume you are using OpenLDAP).
In the ldap.conf file of the LDAP server use:
scope sub
nss_base_passwd dc=arhont,dc=com
nss_base_shadow dc=arhont,dc=com
instead of the more traditional
scope one
nss_base_passwd ou=People,dc=arhont,dc=com
nss_base_shadow ou=People,dc=arhont,dc=com
The reason for the "unknown username or bad password"
message is that Samba tries to find the machine as a "user" listed by NSS (as when you use "getent passwd").
When you have nss configured with "scope one" and "nss_base_passwd ou=People,dc=arhont,dc=com" the only users samba sees are the accounts in ou=People (without looking any subtrees).
When you use "scope sub" and "nss_base_passwd dc=arhont,dc=com" samba can see all users in all subtrees of "dc=arhont,dc=com".
Regarding changes in the registry, they are not necessary in Samba 3.0.x. Some documentation I read talks about this, but only applies to Samba 2.2.x. I could join W2K machines to the domain without making any registry modifications.
But looking at the samba logs, I don't see any errors. This is the output of slapd when I attempt to log on to the domain:
--------
Jan 15 14:07:23 whale slapd[24434]: conn=5 fd=19 ACCEPT from IP=192.168.77.7:38423 (IP=0.0.0.0:389)
Jan 15 14:07:23 whale slapd[24434]: conn=5 op=0 BIND dn="cn=root,dc=arhont,dc=com" method=128
Jan 15 14:07:23 whale slapd[24434]: conn=5 op=0 BIND dn="cn=root,dc=arhont,dc=com" mech=simple ssf=0
Jan 15 14:07:23 whale slapd[24434]: conn=5 op=0 RESULT tag=97 err=0 text=
Jan 15 14:07:23 whale slapd[24434]: conn=5 op=1 SRCH base="dc=arhont,dc=com" scope=2 filter="(&(objectClass=sambaDomain)(sambaDomainName=ARHONT))"
Jan 15 14:07:23 whale slapd[24434]: conn=5 op=1 SRCH attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
Jan 15 14:07:23 whale slapd[24434]: conn=5 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 15 14:07:23 whale slapd[24434]: conn=5 op=2 SRCH base="dc=arhont,dc=com" scope=2 filter="(&(uid=root)(objectClass=sambaSamAccount))"
Jan 15 14:07:23 whale slapd[24434]: conn=5 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial
Jan 15 14:07:23 whale slapd[24434]: conn=5 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 15 14:07:23 whale slapd[24434]: conn=5 fd=19 closed
-------
and this is the example of my smb.conf:
#LDAP Support for samba 3+
passdb backend = ldapsam:ldap://whale.core.arhont.com
ldap admin dn = "cn=root,dc=arhont,dc=com"
idmap backend = ldap:ldap://whale.core.arhont.com
ldap suffix = dc=arhont,dc=com
ldap machine suffix = ou=computers
ldap user suffix = ou=users
#ldap ssl = off
#ldap user suffix = "ou=users,dc=arhont,dc=com"
##Default LDAP FILTER
#ldap filter = "(&(uid=%u)(objectClass=SambaSamAccount))"
ldap filter = "(uid=%u)"
ldap delete dn = no
#ldap password sync = yes
In addition, you have mentioned that the win2k registry has to be changed. I've looked at the registry key on my workstation, and it was already 0 from the default install. Is it normal? I've read in a few places that it has to be changed, but mine was already 0 from the initial installation.
Do you have any suggestions as to what might be going wrong? I am already on my third day trying to integrate samba/ldap. What a nightmare!
Thanks in advance for any help.
-- Andrei Mikhailovsky Financial Director Arhont Ltd
Web: http://www.arhont.com Tel: +44 (0)870 4431337 Fax: +44 (0)1454 201200 PGP: Key ID - 0xFF67A4F4 PGP: Server - gpg.arhont.com
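A small log-side check, added here as an example and not part of the thread or of Samba's own tooling: it parses slapd lines in the format quoted above, pairs each SRCH with its SEARCH RESULT, and lists the searches that returned nentries=0 (such as the sambaSamAccount lookup by SID above), and separately reports whether any search filter referenced the workstation's trust account (NAME$). The NetBIOS name passed in is an assumed placeholder; the sample log lines are constructed from the ones quoted in the thread.

```python
import re

# Constructed sample: slapd lines in the format quoted in the thread
# (one sambaSamAccount lookup that finds nothing, two that find an entry).
SAMPLE_LOG = """\
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=1 SRCH base="dc=arhont,dc=com" scope=2 filter="(&(objectClass=sambaDomain)(sambaDomainName=ARHONT))"
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=2 SRCH base="dc=arhont,dc=com" scope=2 filter="(&(sambaSID=S-1-5-21-3830420305-2497394645-3910713721-501)(objectClass=sambaSamAccount))"
Jan 16 11:42:56 whale slapd[1183]: conn=170 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jan 16 11:42:56 whale slapd[1183]: conn=171 op=1 SRCH base="dc=arhont,dc=com" scope=2 filter="(uid=nobody)"
Jan 16 11:42:56 whale slapd[1183]: conn=171 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

# "SRCH attr=" lines carry no base=, so only the filter line of each search matches.
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT .*?nentries=(\d+)')
SCOPE_NAMES = {"0": "base", "1": "one", "2": "sub"}


def empty_searches(log_text):
    """Return [(base, scope, filter)] for every search whose result had nentries=0."""
    pending = {}  # (conn, op) -> (base, scope, filter), until its RESULT line arrives
    misses = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, base, scope, flt = m.groups()
            pending[(conn, op)] = (base, SCOPE_NAMES.get(scope, scope), flt)
            continue
        m = RESULT_RE.search(line)
        if m:
            key = (m.group(1), m.group(2))
            if key in pending and m.group(3) == "0":
                misses.append(pending[key])
            pending.pop(key, None)
    return misses


def mentions_machine_account(log_text, netbios_name):
    """True if any search filter names the workstation's trust account (NAME$)."""
    needle = netbios_name.upper() + "$"
    hits = (SRCH_RE.search(line) for line in log_text.splitlines())
    return any(needle in m.group(5).upper() for m in hits if m)


if __name__ == "__main__":
    for base, scope, flt in empty_searches(SAMPLE_LOG):
        print(f"no entries: base={base} scope={scope} filter={flt}")
    print("machine account looked up:", mentions_machine_account(SAMPLE_LOG, "WORKSTATION"))
```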
