Yes object is (import http://www.arzurproduction.com/temp/openldap/smbldap-dsa.ldif)

I'm trying with cn=Manager ....

smbpasswd -w
storing blabla bla

trying WORKING


Now I must find why that's not working in DSA !

Thank you very much :)

Bruno Guerreiro wrote:

Hi again.
You did create that object (cn=samba,ou=DSA,dc=arzur,dc=local), right?
Could you please try binding with the cn=Manager,dc=arzur,dc=local instead?

Bruno Guerreiro

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Sent: Tuesday, 22 March 2005 10:49
To: Bruno Guerreiro
Subject: Re: [Samba] SAMBA3 + LDAP = Round 5 :(((


Bruno Guerreiro wrote:

Yes, that's normal.
And I see that you've edited your slapd.conf.
Does your setup work now?


Best regards,
Bruno Guerreiro

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
Sent: Tuesday, 22 March 2005 10:31
To: [EMAIL PROTECTED]
Cc: Bruno Guerreiro; 'Poil'; [email protected]
Subject: Re: [Samba] SAMBA3 + LDAP = Round 5 :(((


When checking my samba log I have :

[2005/03/22 11:25:39, 0] lib/util_sock.c:get_peer_addr(1136)
getpeername failed. Error was Transport endpoint is not connected
[2005/03/22 11:25:39, 0] lib/util_sock.c:write_socket_data(430)
write_socket_data: write failure. Error = Connection reset by peer
[2005/03/22 11:25:39, 0] lib/util_sock.c:write_socket(455)
write_socket: Error writing 4 bytes to socket 5: ERRNO = Connection reset by peer
[2005/03/22 11:25:39, 0] lib/util_sock.c:send_smb(647)
Error writing 4 bytes to client. -1. (Connection reset by peer)
[2005/03/22 11:25:39, 2] smbd/server.c:exit_server(575)



Is it normal ? I think no ... :/

[EMAIL PROTECTED] wrote:

I've got :

# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
      by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
      by dn="cn=nssldap,ou=DSA,dc=arzur,dc=local" write
      by self write
      by anonymous auth

# the objectClass needed for everyone
access to attrs=objectClass,entry
      by dn="cn=samba,ou=DSA,dc=arzur,dc=local" read
      by dn="cn=nssldap,ou=DSA,dc=arzur,dc=local" read
      by dn="cn=postfix-auth,ou=DSA,dc=arzur,dc=local" read
      by self read

# some attributes need to be readable by everyone
access to attrs=uidNumber,gidNumber
      by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
      by dn="cn=nssldap,ou=DSA,dc=arzur,dc=local" read
      by self read

# some attributes can be writable by users themselves
access to attrs=description,telephoneNumber
      by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
      by self write
      by users read

# some attributes need to be readable so that 'id user' can answer correctly
access to [EMAIL PROTECTED],@posixGroup,@inetOrgPerson
      by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
      by dn="cn=nssldap,ou=DSA,dc=arzur,dc=local" read
      by self read

# some attributes need to be writable for samba
access to [EMAIL PROTECTED],@sambaGroupMapping,@sambaTrustPassword,@sambaDomain,@sambaShare,@sambaConfigOption,@sambaPrivilege
      by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
      by self read

# samba need to be able to create the sambaDomain account and NextFreeUnixId
access to dn="dc=arzur,dc=local" attrs=children
      by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
access to dn="cn=NextFreeUnixId,dc=arzur,dc=local"
      by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write
access to dn.one="dc=arzur,dc=local" filter="(objectClass=sambaDomain)"
      by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write


# samba need to be able to create new users account
access to dn="ou=People,dc=arzur,dc=local"
      by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write

# samba need to be able to create new groups account
access to dn="ou=Groups,dc=arzur,dc=local"
      by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write

# samba need to be able to create new computers account
access to dn="ou=Computers,dc=arzur,dc=local"
      by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write

# samba need to be able to create new idmap entries
access to dn="ou=Idmap,dc=arzur,dc=local"
      by dn="cn=samba,ou=DSA,dc=arzur,dc=local" write

# Default access rights
access to *
     by self read

Bruno Guerreiro wrote:

Hi, I think I've found your problem.
You've set rootbinddn cn=nssldap,ou=DSA,dc=ARZUR,dc=LOCAL but you didn't
give that user Admin LDAP rights.
Have you done this? http://samba.idealx.org/smbldap-howto.en.html#htoc116
And this? http://samba.idealx.org/smbldap-howto.en.html#htoc111
Note that since you're using a root bind different from Manager, you
must give it admin access. Something like
access to * by dn="cn=nssldap,ou=DSA,dc=ARZUR,dc=LOCAL" write


This is a very WIDE configuration; you may restrict which objects your admin
user can access, in order for it to have write permissions only to samba
objects.
Something like
access to attrs=sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,

Best Regards,
Bruno Guerreiro

-----Original Message-----
From: Poil [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 22 March 2005 8:55
To: [email protected]
Subject: [Samba] SAMBA3 + LDAP = Round 5 :(((


Okay, if anyone can help me, I put all my config and log on http://www.arzurproduction.com/temp/


I cannot join the domain on my Windows XP (Access Deny)

So I try :
1- An Administrator user created by smbldap-populate, I have root = Administrator in my /etc/samba/smbusers
Error :
[2005/03/21 10:09:03, 2] auth/auth.c:check_ntlm_password(312)
check_ntlm_password: Authentication for user [administrator] -> [root] FAILED with error NT_STATUS_NO_SUCH_USER



2- The same Administrator but I comment root = Administrator
Error :
[2005/03/22 09:47:04, 2] lib/smbldap.c:smbldap_open_connection(692)
smbldap_open_connection: connection opened
[2005/03/22 09:47:04, 2] passdb/pdb_ldap.c:init_sam_from_ldap(518)
init_sam_from_ldap: Entry found for user: Administrator
[2005/03/22 09:47:04, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
init_group_from_ldap: Entry found for group: 512
[2005/03/22 09:47:04, 2] auth/auth.c:check_ntlm_password(305)
check_ntlm_password: authentication for user [administrator] -> [administrator] -> [Administrator] succeeded
[2005/03/22 09:47:05, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
Returning domain sid for domain ARZUR-NT -> S-1-5-21-1874299889-3982645529-2160850509
[2005/03/22 09:47:05, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
_samr_open_domain: ACCESS DENIED (requested: 0x00000211)
[2005/03/22 09:47:05, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
Returning domain sid for domain ARZUR-NT -> S-1-5-21-1874299889-3982645529-2160850509
[2005/03/22 09:47:05, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
_samr_create_user: ACCESS DENIED (granted: 0x00000201; required: 0x00000010)
[2005/03/22 09:47:05, 2] smbd/server.c:exit_server(575)
Closing connections



3- The same Administrator, I create a root ldap user (same as the old smbldap-tools)
[2005/03/22 09:49:42, 2] lib/smbldap.c:smbldap_open_connection(692)
smbldap_open_connection: connection opened
[2005/03/22 09:49:42, 2] passdb/pdb_ldap.c:init_sam_from_ldap(518)
init_sam_from_ldap: Entry found for user: root
[2005/03/22 09:49:42, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
init_group_from_ldap: Entry found for group: 513
[2005/03/22 09:49:42, 2] auth/auth.c:check_ntlm_password(305)
check_ntlm_password: authentication for user [administrator] -> [root] -> [root] succeeded
[2005/03/22 09:49:43, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
Returning domain sid for domain ARZUR-NT -> S-1-5-21-1874299889-3982645529-2160850509
[2005/03/22 09:49:43, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
init_group_from_ldap: Entry found for group: 515
[2005/03/22 09:49:43, 2] passdb/pdb_ldap.c:init_ldap_from_sam(929)
init_ldap_from_sam: Setting entry for user: poil-barebone$
[2005/03/22 09:49:43, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1552)
ldapsam_modify_entry: Failed to modify user dn= uid=poil-barebone$,ou=Computers,dc=arzur,dc=local with: Insufficient access


[2005/03/22 09:49:43, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1994)
ldapsam_add_sam_account: failed to modify/add user with uid = poil-barebone$ (dn = uid=poil-barebone$,ou=Computers,dc=arzur,dc=local)
[2005/03/22 09:49:43, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2272)
could not add user/computer poil-barebone$ to passdb. Check permissions?
[2005/03/22 09:49:43, 2] smbd/server.c:exit_server(575)
Closing connections



4- In root (ldap root)
[2005/03/22 09:50:21, 2] lib/smbldap.c:smbldap_open_connection(692)
smbldap_open_connection: connection opened
[2005/03/22 09:50:21, 2] passdb/pdb_ldap.c:init_sam_from_ldap(518)
init_sam_from_ldap: Entry found for user: root
[2005/03/22 09:50:21, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
init_group_from_ldap: Entry found for group: 513
[2005/03/22 09:50:21, 2] auth/auth.c:check_ntlm_password(305)
check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
[2005/03/22 09:50:22, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
Returning domain sid for domain ARZUR-NT -> S-1-5-21-1874299889-3982645529-2160850509
[2005/03/22 09:50:22, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
init_group_from_ldap: Entry found for group: 515
[2005/03/22 09:50:22, 2] passdb/pdb_ldap.c:init_ldap_from_sam(929)
init_ldap_from_sam: Setting entry for user: poil-barebone$
[2005/03/22 09:50:22, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1552)
ldapsam_modify_entry: Failed to modify user dn= uid=poil-barebone$,ou=Computers,dc=arzur,dc=local with: Insufficient access


[2005/03/22 09:50:22, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1994)
ldapsam_add_sam_account: failed to modify/add user with uid = poil-barebone$ (dn = uid=poil-barebone$,ou=Computers,dc=arzur,dc=local)
[2005/03/22 09:50:22, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2272)
could not add user/computer poil-barebone$ to passdb. Check permissions?
[2005/03/22 09:50:22, 2] smbd/server.c:exit_server(575)
Closing connections



Thanks all for helping me!




No same error :-(
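
An added example, not part of the original thread: a small triage script for the two-line smbd log format quoted above. It separates refusals made by Samba's own SAMR access check from refusals returned by the LDAP server, and ties each to the account that had just authenticated. The layer labels `samba-samr` and `ldap-server` and the function names are assumptions made for this example; the sample lines are excerpted from attempts 2 and 3 above.

```python
import re

# Excerpt of the smbd log lines quoted in this thread (attempts 2 and 3).
SAMPLE_LOG = """\
[2005/03/22 09:47:04, 2] auth/auth.c:check_ntlm_password(305)
check_ntlm_password: authentication for user [administrator] -> [administrator] -> [Administrator] succeeded
[2005/03/22 09:47:05, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
_samr_create_user: ACCESS DENIED (granted: 0x00000201; required: 0x00000010)
[2005/03/22 09:49:42, 2] auth/auth.c:check_ntlm_password(305)
check_ntlm_password: authentication for user [administrator] -> [root] -> [root] succeeded
[2005/03/22 09:49:43, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1552)
ldapsam_modify_entry: Failed to modify user dn= uid=poil-barebone$,ou=Computers,dc=arzur,dc=local with: Insufficient access
"""

HEADER = re.compile(r"^\[(\S+ \S+), +(\d+)\] (\S+):(\w+)\((\d+)\)$")
AUTH = re.compile(r"for user \[(.*?)\].*-> \[(.*?)\] (succeeded|FAILED)")
SAMR = re.compile(r"^(\w+): ACCESS DENIED \(granted: (0x[0-9a-f]+); required: (0x[0-9a-f]+)\)")
LDAP = re.compile(r"Failed to modify user dn= (\S+) with: (.+)$")

def parse_entries(text):
    """Yield (timestamp, function, message); smbd writes the message after the header line."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1), m.group(4), ""]
        elif current and line.strip():
            current[2] = (current[2] + " " + line.strip()).strip()
    if current:
        yield tuple(current)

def triage(text):
    """Return (time, mapped user, layer, object, detail) for each refused operation."""
    findings, user = [], None
    for ts, _func, msg in parse_entries(text):
        if (m := AUTH.search(msg)):
            # Remember the final mapped account from the most recent auth line.
            user = m.group(2) if m.group(3) == "succeeded" else None
        elif (m := SAMR.match(msg)):
            detail = f"granted {m.group(2)}, required {m.group(3)}"
            findings.append((ts, user, "samba-samr", m.group(1), detail))
        elif (m := LDAP.search(msg)):
            findings.append((ts, user, "ldap-server", m.group(1), m.group(2)))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
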


