Hi everyone,

I'm having a slight problem getting Samba and OpenLDAP to play together.

First off, sorry for the long mail.


I'm struggling to understand the whole machine account business, and to
get them working correctly.

I'm using the smbldap-tools package to create my ldap directory and also
the various users and machine accounts. Creating users works fine, but machine
accounts seem to be the problem.

The problem seems to come when Samba tries to look up the machine account from the
ldap directory. The first problem is displayed here:


<slapd.log>
conn=185 op=7 SRCH base="dc=example,dc=org" scope=2 deref=0 filter="(&(uid=machine$)(objectClass=sambaSamAccount))"
</slapd.log>

The problem here is that Samba thinks that the machine account is also part of the sambaSamAccount objectClass. smbldap-tools doesn't add machine accounts like that (no sambaSamAccount objectClass), so I presume that this is a problem with the smbldap-tools package.

OK, so I add the sambaSamAccount objectClass to the machine account and, hey presto, it works.

So this is what the machine$ directory entry now looks like:

<machine$>

dn: uid=machine$,ou=Users,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: machine$
sn: machine$
givenName: machine$
uid: machine$
uidNumber: 1003
gidNumber: 513
homeDirectory: /home/machine$
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
displayName: System User
sambaSID: S-1-5-21-4149842143-3922995212-3442003976-3006
sambaPrimaryGroupSID: S-1-5-21-4149842143-3922995212-3442003976-513
sambaLogonScript: logon.bat
sambaProfilePath: \\SERVER\profiles\machine$
sambaHomePath: \\SERVER\machine$
sambaHomeDrive: H:
userPassword:: e1NTSEF9M29FWklLL3c0czhYR3I3Y3MwUXhYejQ3Wm1vMGVUUnI=
sambaAcctFlags: [UW         ]
sambaPwdCanChange: 1152185055
sambaPwdMustChange: 2147483647
sambaNTPassword: D5DFE3EB70379E4BE015A6B51CC90B7B
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaPwdLastSet: 1152185055


</machine$>




Alrighty, so, if I copy this directory entry to another one, and just
change the relevant SIDs and stuff, it should work fine, right?


<box2$>

dn: uid=box2$,ou=Users,dc=example,dc=org
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: box2$
sn: box2$
givenName: box2$
uid: box2$
uidNumber: 1009
gidNumber: 513
homeDirectory: /home/box2$
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaSID: S-1-5-21-4149842143-3922995212-3442003976-3018
sambaPrimaryGroupSID: S-1-5-21-4149842143-3922995212-3442003976-513
sambaLogonScript: logon.bat
sambaProfilePath: \\IOLSERVER\profiles\box2$
sambaHomePath: \\IOLSERVER\box2$
sambaHomeDrive: H:
userPassword:: e1NTSEF9M29FWklLL3c0czhYR3I3Y3MwUXhYejQ3Wm1vMGVUUnI=
sambaAcctFlags: [UW         ]
sambaPwdCanChange: 1152185055
sambaPwdMustChange: 2147483647
sambaNTPassword: D5DFE3EB70379E4BE015A6B51CC90B7B
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaPwdLastSet: 1152185055
displayName: box2$

</box2$>


Great, but:

<smb.log>

[2006/07/07 15:59:03, 3] lib/smbldap.c:smbldap_connect_system(905)
 ldap_connect_system: succesful connection to the LDAP server
[2006/07/07 15:59:03, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
 init_sam_from_ldap: Entry found for user: box2$
[2006/07/07 15:59:03, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
 pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
[2006/07/07 15:59:03, 2] libsmb/credentials.c:creds_server_check(159)
 creds_server_check: credentials check failed.
[2006/07/07 15:59:03, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(424)
_net_auth2: creds_server_check failed. Rejecting auth request from client BOX2 machine account BOX2$


</smb.log>


Now, I tried adding a machine account via the smbldap-useradd script again and
just adding the objectClass sambaSamAccount, but I couldn't get it working
this time. It still fails with the above error message in the log file.

The client machine is a WinXP SP2 Box.

So now it successfully gets everything from ldap, but then it fails for some reason.

So, this is what I would like to know, please:

Anyone know why it fails here?

and secondly,


Where can I find some kind of reference as to what fields Samba looks for
in the ldap directory and what it does with them? (Well, apart from the
source, if possible :) )

I have attached the smb.cfg file below.



Thanks for your help,

cillier




<versions>
   Samba - 3.0.22 : Built from source
         --with-ldap
         --with-ads
         --with-winbind
         --with-acl-support


   OpenLDAP  - 2.2.26 : Ubuntu-6.06 package
   OS   : Ubuntu 6.06
</versions>


<smb.cfg>

   netbios name = SERVER
   workgroup = WORKGROUP
   server string = PDC [on Ubuntu :: Samba server %v]

   enable privileges = yes
   passdb backend = ldapsam:ldap://localhost/
   unix passwd sync = Yes

   ldap suffix = dc=example,dc=com
   ldap admin dn = cn=admin,dc=example,dc=com
   ldap group suffix = ou=Groups
   ldap user suffix = ou=Users
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Users
   add user script = /usr/local/sbin/smbldap-useradd -m "%u"
   ldap delete dn = Yes
   add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
   add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
   add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
   delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
   set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"

   hosts allow = 172.20.80.0/24 127.0.0.0/8
   security = user
   encrypt passwords = yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   interfaces = lo eth0
   bind interfaces only = yes

   local master = yes
   os level = 65
   domain master = yes
   preferred master = yes

   null passwords = no
   hide unreadable = yes
   hide dot files = yes


   domain logons = yes
   logon script = login.bat  OR %U.bat
   logon path = \\%L\profiles\%U
   logon drive = H:
   logon home = \\%L\%U\.9xprofile

   wins support = yes
   name resolve order = wins lmhosts host bcast
   dns proxy = no

   time server = yes
   log level = 3
   log file = /usr/local/samba/var/log.%m
   max log size = 50
   passwd program = /usr/local/sbin/smbldap-passwd -u %u
   passwd chat = "*New password:*" %n\r "*New password (again):*" %n\r "*Password changed*"
   unix charset = ISO8859-1

[netlogon]
path = /usr/local/samba/netlogon
guest ok = no
read only = yes
browseable = yes


[profiles]
path = /usr/local/samba/profiles
browseable = yes
writeable = yes
default case = lower
preserve case = no
short preserve case = no
case sensitive = no
hide files = /desktop.ini/ntuser.ini/NTUSER.*/
write list = @smbusers @root
create mask = 0600
directory mask = 0700


[homes]
path = /home/%U
browseable = no
valid users = %S
read only = no
guest ok = no
inherit permissions = yes

[public]
comment = Public Stuff
path = /usr/local/samba/public
public = yes
read only = yes
browseable = yes
write list = @users

</smb.cfg>



--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

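The entries and the slapd search quoted in the post can be checked mechanically. The script below is an added example, not code from the post, from Samba or from smbldap-tools. It parses the two posted entries (re-embedded here as constructed input, trimmed to the attributes that matter) plus a constructed third entry, box3$, that shows an account without sambaSamAccount; it then emulates the `(&(uid=...)(objectClass=sambaSamAccount))` filter seen in the slapd log, checks the attributes smbd's ldapsam backend needs on a workstation trust account, and reports entries that share one sambaNTPassword. The domain SID is taken from the posted sambaSID values; the check list, the box3$ entry and all function names are assumptions of this example. The flag on shared hashes rests on a protocol fact rather than on anything the post states: the NETLOGON credential that smbd validates in creds_server_check is derived on both sides from the machine account's password, so the sambaNTPassword stored for BOX2$ has to be the one the workstation BOX2 itself holds; copying another machine's hash into the entry does not give that workstation the password.

```python
"""Sanity-check Samba 3 ldapsam machine-account (workstation trust) entries.

Added example; not code from the post, Samba or smbldap-tools.  The LDIF
below is constructed input: the two entries quoted in the post (trimmed)
plus an assumed box3$ entry as smbldap-tools would create it, i.e. without
the sambaSamAccount objectClass.
"""
import base64
import re

DOMAIN_SID = "S-1-5-21-4149842143-3922995212-3442003976"  # from the posted sambaSID values

LDIF_SAMPLE = """\
dn: uid=machine$,ou=Users,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: machine$
sambaSID: S-1-5-21-4149842143-3922995212-3442003976-3006
userPassword:: e1NTSEF9M29FWklLL3c0czhYR3I3Y3MwUXhYejQ3Wm1vMGVUUnI=
sambaAcctFlags: [UW         ]
sambaNTPassword: D5DFE3EB70379E4BE015A6B51CC90B7B
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
 00000000

dn: uid=box2$,ou=Users,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: box2$
sambaSID: S-1-5-21-4149842143-3922995212-3442003976-3018
sambaAcctFlags: [UW         ]
sambaNTPassword: D5DFE3EB70379E4BE015A6B51CC90B7B

dn: uid=box3$,ou=Users,dc=example,dc=org
objectClass: posixAccount
uid: box3$
sambaAcctFlags: [UW         ]
"""


def _fold(text):
    """Join LDIF continuation lines (a line starting with one space continues the previous one)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Return a list of entries; each is {attribute_name_lowercased: [values]}.  '::' values are base64."""
    entries, current = [], {}
    for line in _fold(text):
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)  # LDAP attribute names are case-insensitive
    if current:
        entries.append(current)
    return entries


def matches_samba_filter(entry, account):
    """Emulate the lookup smbd sends: (&(uid=<account>)(objectClass=sambaSamAccount))."""
    uids = [u.lower() for u in entry.get("uid", [])]
    classes = [c.lower() for c in entry.get("objectclass", [])]
    return account.lower() in uids and "sambasamaccount" in classes


def check_machine_account(entry, domain_sid):
    """Return a list of problems; empty means the entry has what ldapsam needs for a trust account."""
    problems = []
    uid = entry.get("uid", [""])[0]
    if not uid.endswith("$"):
        problems.append("uid must end with '$' for a machine account")
    if "sambasamaccount" not in (c.lower() for c in entry.get("objectclass", [])):
        problems.append("missing objectClass sambaSamAccount: smbd's search filter will not match")
    if "W" not in entry.get("sambaacctflags", [""])[0]:
        problems.append("sambaAcctFlags lacks 'W' (workstation trust account)")
    sid = entry.get("sambasid", [""])[0]
    if not (re.fullmatch(r"S-1-5-21-\d+-\d+-\d+-\d+", sid) and sid.startswith(domain_sid + "-")):
        problems.append("sambaSID %r is missing or not under domain SID %s" % (sid, domain_sid))
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", entry.get("sambantpassword", [""])[0]):
        problems.append("sambaNTPassword must be 32 hex digits (16-byte NT hash)")
    return problems


def shared_nt_hashes(entries):
    """Map NT hash -> uids that share it.  Each workstation sets its own machine password when it
    joins, so a hash shared by two trust accounts is a sign one entry was cloned from another."""
    by_hash = {}
    for e in entries:
        h = e.get("sambantpassword", [""])[0].upper()
        if h:
            by_hash.setdefault(h, []).append(e["uid"][0])
    return {h: uids for h, uids in by_hash.items() if len(uids) > 1}


if __name__ == "__main__":
    entries = parse_ldif(LDIF_SAMPLE)
    for e in entries:
        uid = e["uid"][0]
        print("%-10s filter match: %-5s problems: %s" % (
            uid, matches_samba_filter(e, uid), check_machine_account(e, DOMAIN_SID) or "none"))
    for h, uids in shared_nt_hashes(entries).items():
        print("NT hash %s shared by %s" % (h, ", ".join(uids)))
```

Run against a live directory by replacing LDIF_SAMPLE with the output of `ldapsearch -x -LLL -b ou=Users,dc=example,dc=org '(uid=*$)'` (the `-LLL` output is plain LDIF, which the parser above handles, including folded lines and base64 values).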