[Samba] Samba3 ldap password change
Hello to all,

I got samba3 PDC working with ldap. But I'm still wondering how to set important things about the users passwords.

The first thing when a user logs in the first time should be to change his/her password?

Where do I set when the passwords expire and how do I set it to 60 days?

I do not work with Microsoft's usrmgr because of Vista clients. I look at my samba/ldap with LDAP Admin. Does someone manage this point with this tool?

greetings
Daniel

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba3 ldap password change
On 02/27/2007 08:17 AM, Daniel Müller wrote:
> Hello to all,
> I got samba3 PDC working with ldap. But I'm still wondering how to set
> important things about the users passwords.

You can use pdbedit to configure that. Your sambaDomainName object will have the fields to define the size of password, minimum time before change, maximum time to change, date of must change and so on.

You can also export from tdbsam to LDAP using something like this (from the manpage):

    pdbedit -y -i tdbsam: -e ldapsam:ldap://my.ldap.host

> The first thing when a user logs in the first time should be to change
> his/her password?

You need to set the MustChange field to 0. Be aware that samba has a strange behaviour with regards to CanChange and LastSet. If you have a new user, change his password and want that he/she changes it on the first login, you probably will need to adjust the LastSet to $TODAY-MinPwdTime and the CanChange to $TODAY (remember that it uses the number of secs). So, an example would be:

    Field                 Just after mandatory change   Change PWD on next logon
    sambaPwdCanChange     1173192147                    1172587347
    sambaPwdLastSet       1172587347                    1171982547
    sambaPwdMustChange    1175179347                    0

> Where do I set when the passwords expire and how do I set it to 60 days?

Define the number of seconds in the sambaDomainName object, field: sambaMaxPwdAge

> I do not work with Microsoft's usrmgr because of Vista clients.
> I look at my samba/ldap with LDAP Admin. Does someone manage this point
> with this tool?

I use phpLDAPadmin to control our LDAP database and to set samba options.

> greetings
> Daniel

Kind regards,
--
Felipe Augusto van de Wiel [EMAIL PROTECTED]
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/
Phone: (+55 41 3350 3300)
[Samba] SAMBA3 + LDAP + winbind
Dear all,

I have a system with samba PDC with LDAP, samba version being 3.0.21 and openLDAP version 2.2.13. I have another linux system with samba version being 3.0.10 which is a member server to samba pdc. I have configured nss_ldap, and ldap.conf on the member server pointing to my ldap server on samba pdc. The samba PDC LDAP is configured for simple bind.

Please guide me on the following errors:

1) I have been getting the following errors on the member server when I issue the command on the Domain member server:

    root# net rpc info

I get the following error:

    rpc_parse/parse_prs.c prs_mem_get(537)
    prs_mem_get: reading data size 14418130 would overrun buffer

2) On the domain member server I get the error (keeps on occurring):

    nss_wins ldap_simple_bind can't contact LDAP server

3) And often on the samba PDC /var/log/message I get the following error (keeps on occurring):

    init_sam_from_ldap, Failed to get password history for user

In the below samba configuration the winbind use default domain = no. When I type the command 'net rpc info' I get the output, but when I type the command wbinfo -U I get "error getting client list". Should I have to enable winbind and set it to yes? Actually I have already added users with the below configuration, and all my users are working on the present environment. If I make winbind use default domain, will it make any difference, will all the users information still be available?

The idmap in the below configuration is idmap uid 1-2 and idmap gid 1-2, but when the user is created it is created with uid starting from 1000, 2000 etc. Please guide me.

My samba pdc with LDAP, smb.conf file is:

    ##
    [global]
        workgroup = msdpl.com
        netbios name = medhapdc
        passdb backend = ldapsam:ldap://msdpl.com
        server string = Domain Controller
        hosts allow = 192.168.128. 192.168.129. 192.168.130. 127.
        security = user
        encrypt passwords = yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        interfaces = eth0, lo
        printing = cups
        disable spoolss = Yes
        printcap name = cups
        max print jobs = 100
        enable privileges = yes
        password level = 8
        username level = 8
        bind interfaces only = yes
        local master = Yes
        os level = 65
        domain master = yes
        preferred master = yes
        null passwords = no
        hide unreadable = yes
        hide dot files = yes
        domain logons = yes
        logon script = %u.bat
        logon path =
        logon drive = X:
        logon home = \\medhapdc\%U
        wins support = yes
        name resolve order = wins lmhosts host bcast
        dns proxy = no
        time server = yes
        log file = /var/log/samba/%m.log
        max log size = 50
        nt acl support = yes
        ldap passwd sync = yes
        add user script = /usr/local/sbin/smbldap-useradd -m %u
        delete user script = /usr/local/sbin/smbldap-userdel %u
        add machine script = /usr/local/sbin/smbldap-useradd -w %m
        add group script = /usr/local/sbin/smbldap-groupadd -p %g
        add user to group script = /usr/local/sbin/smbldap-groupmod -m %u %g
        delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g
        set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
        ldap delete dn = Yes
        ldap ssl = no
        ldap suffix = dc=msdpl,dc=com
        ldap admin dn = cn=manager,dc=msdpl,dc=com
        ldap group suffix = ou=Groups
        ldap user suffix = ou=People
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Idmap
        idmap backend = ldap:ldap://msdpl.com
        idmap uid = 1-2
        idmap gid = 1-2
        map acl inherit = yes
        winbind use default domain = no
        template shell = /bin/false

    ##[Share Definitions]###
    [homes]
        comment = Home Directories
        valid users = %S
        browseable = no
        read only = no
        nt acl support = Yes

    # Un-comment the following and create the netlogon directory for Domain Logons
    [netlogon]
        comment = Network Logon Service
        path = /usr/local/samba/lib/netlogon/scripts
        guest ok = yes
        browseable = no
        write list = root

    [printers]
        comment = All Printers
        path = /var/spool/samba
        create mask = 0600
        guest ok = Yes
        printable = yes
        use client driver = Yes
        browseable = no
    ##

Regards
Niranjan

On 12/18/05, paul kölle [EMAIL PROTECTED] wrote:
> mallapadi niranjan wrote:
> > Hi all
> > I have samba3 with LDAP. My query is
> > 1. My clients are windows 2000 professional, and the clients are not able
> > to join the domain, but if I add the computer name in /etc/passwd, ie
> > computername$:x:110:200::/bin/false:/dev/null and then do
> > smbpasswd -a -m computername, the computer is able to join the domain.
> > But I have mentioned the add machine script in smb.conf file.
> It seems you missed the nss_ldap part, what is in your /etc/ldap.conf and
> /etc/nsswitch.conf?
> > 2. After Joining the domain, I am unable to login as
[Samba] SAMBA3 + LDAP
Hi all,

I have samba3 with LDAP. My query is:

1. My clients are windows 2000 professional, and the clients are not able to join the domain, but if I add the computer name in /etc/passwd, ie

    computername$:x:110:200::/bin/false:/dev/null

and then do smbpasswd -a -m computername, the computer is able to join the domain. But I have mentioned the add machine script in smb.conf file.

2. After joining the domain, I am unable to login as Administrator, but able to login as root. If I give the command getent passwd | grep Administrator, there is no output.

3. How do I create groups, and add users to the groups? It is not taking system groups. When I do smbldap-populate, it adds people, group, Domain Admins, Domain Users, etc and root, but not system groups. So how to add system groups?

4. I have smbldap-tool 0.9; in that there is no mkntpasswd. Is it ok, or should this be there? When I downloaded from the IDEALX website, it was not there in the TAR.gz file.

My smb.conf file is as follows:

    [global]
        workgroup = testdomain.com
        server string = Samba Server
        interfaces = eth0, lo
        bind interfaces only = yes
        passdb backend = ldapsam:ldap://testdomain.com
        min passwd length = 8
        hosts allow = 192.168.129. 192.168.130. 127.
        printcap name = /etc/printcap
        load printers = yes
        cups options = raw
        log file = /var/log/samba/%m.log
        max log size = 50
        security = user
        encrypt passwords = yes
        unix password sync = Yes
        passwd program = /usr/local/sbin/smbldap-passwd -u %u
        passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
        add user script = /usr/local/sbin/smbldap-useradd -m %u
        delete user script = /usr/local/sbin/smbldap-userdel %u
        add machine script = /usr/local/sbin/smbldap-useradd -w %u
        add group script = /usr/local/sbin/smbldap-groupadd -p %g
        add user to group script = /usr/local/sbin/smbldap-groupmod -m %u %g
        delete user from group script = /usr/local/sbin/smbldap-groupmod -x %u %g
        set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        local master = no
        os level = 65
        domain master = yes
        preferred master = yes
        domain logons = yes
        logon script = %U.bat
        logon path = \\%L\Profiles\%U
        wins support = yes
        dns proxy = no
        ldap suffix = dc=msdpl,dc=com
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=People
        ldap group suffix = ou=Groups
        # Share Definitions ==
        ldap idmap suffix = ou=Idmap
        ldap admin dn = cn=manager,dc=msdpl,dc=com
        idmap backend = ldap:ldap://testdomain.com
        idmap uid = 1-2
        idmap gid = 1-2
        map acl inherit = yes
        template shell = /bin/false
        winbind use default domain = no

    # Share Definitions ==
    [homes]
        comment = Home Directories
        browseable = no
        writable = yes

    # Un-comment the following and create the netlogon directory for Domain Logons
    [netlogon]
        comment = Network Logon Service
        path = /home/netlogon
        guest ok = yes
        writable = no
        share modes = no

    # Un-comment the following to provide a specific roving profile share
    # the default is to use the user's home directory
    [Profiles]
        path = /home/profiles
        browseable = no

    # NOTE: If you have a BSD-style print system there is no need to
    # specifically define each individual printer
    [printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        # Set public = yes to allow user 'guest account' to print
        guest ok = no
        writable = no
        printable = yes

    # This one is useful for people to share files
    ;[tmp]
    ;   comment = Temporary file space
    ;   path = /tmp
    ;   read only = no
    ;   public = yes

    # A publicly accessible directory, but read only, except for people in
    # the staff group
    ;[public]
    ;   comment = Public Stuff
    ;   path = /home/samba
    ;   public = yes
    ;   read only = yes
    ;   write list = @staff

    # Other examples.
    #
    # A private printer, usable only by fred. Spool data will be placed in fred's
    # home directory. Note that fred must have write access to the spool directory,
    # wherever it is.
    ;[fredsprn]
    ;   comment = Fred's Printer
    ;   valid users = fred
    ;   path = /homes/fred
    ;   printer = freds_printer
    ;   public = no
    ;   writable = no
    ;   printable = yes

    # A private directory, usable only by fred. Note that fred requires write
    # access to the directory.
    ;[fredsdir]
    ;   comment = Fred's Service
    ;   path = /usr/somewhere/private
    ;   valid users = fred
    ;   public = no
    ;   writable = yes
    ;   printable = no

    # a service which has a different directory for each machine that connects
    # this allows you to tailor configurations to incoming machines. You could
    # also use the %u option to tailor it by user name.
    # The %m gets replaced with the machine name that is connecting.
    ;[pchome]
    ;   comment = PC Directories
[Samba] Samba3, ldap and password expiry
Hi all!

We are using 1 Samba PDC and 2 bdc (Version 3.0.15pre3-SVN-build-UNKNOWN-PS-SuSE) with openldap2-2.2.6-37.38 on SLES 9. New users setup ok and first logon password change works. Because of HIPAA we need the passwords to change every 30 days, however this isn't happening. I thought that I had this working once upon a time while I was testing and getting ready for production, but somewhere along the line I must've changed something. At any rate we're moving into production (3 departments so far!) and this has come to my attention.

Other relevant data:

    ldapsearch -x -b dc=hrh,dc=org '(ObjectClass=*)' > current_ldapsearch.txt

and looking up my account shows:

    # jslittl, People, hrh.org
    dn: uid=jslittl,ou=People,dc=hrh,dc=org
    objectClass: top
    objectClass: inetOrgPerson
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: sambaSamAccount
    cn: jslittl
    sn: jslittl
    uid: jslittl
    uidNumber: 1004
    homeDirectory: /home/jslittl
    loginShell: /bin/bash
    gecos: System User
    sambaSID: S-1-5-21-1418864132-1159184377-506600700-3008
    description: domain admin
    sambaKickoffTime: 0
    sambaPasswordHistory:
    sambaLogonHours: FF
    sambaAcctFlags: [U          ]
    gidNumber: 512
    sambaPrimaryGroupSID: S-1-5-21-1418864132-1159184377-506600700-512
    sambaPwdMustChange: 2147483647
    sambaPwdCanChange: 1116358396
    sambaPwdLastSet: 1116358396
    displayName: little, john
    sambaProfilePath: \\hrhdc01\profiles\jslittl

from smbldap-tools.conf, under the Unix Accounts Configuration:

    defaultMaxPasswordAge=30

We are using smbldap-tools-0.9.1-1 for this. Please let me know what else to check/change for this to work.

Regards,
John Little
Hendricks Regional Health
[EMAIL PROTECTED]
Re: [Samba] Samba3, ldap and password expiry
> New users setup ok and first logon password change works. Because of HIPAA
> we need the passwords to change every 30 days, however this isn't happening.
> I thought that I had this working once upon a time while I was testing and
> getting ready for production, but somewhere along the line I must've changed
> something. At any rate we're moving into production (3 departments so far!)
> and this has come to my attention.

Have you tried setting a password change policy via pdbedit?

> Other relevant data:
>
>     ldapsearch -x -b dc=hrh,dc=org '(ObjectClass=*)' > current_ldapsearch.txt
>
> and looking up my account shows:
>
>     # jslittl, People, hrh.org
>     dn: uid=jslittl,ou=People,dc=hrh,dc=org
>     objectClass: top
>     objectClass: inetOrgPerson
>     objectClass: posixAccount
>     objectClass: shadowAccount
>     objectClass: sambaSamAccount
>     cn: jslittl
>     sn: jslittl
>     uid: jslittl
>     uidNumber: 1004
>     homeDirectory: /home/jslittl
>     loginShell: /bin/bash
>     gecos: System User
>     sambaSID: S-1-5-21-1418864132-1159184377-506600700-3008
>     description: domain admin
>     sambaKickoffTime: 0
>     sambaPasswordHistory:
>     sambaLogonHours: FF
>     sambaAcctFlags: [U          ]
>     gidNumber: 512
>     sambaPrimaryGroupSID: S-1-5-21-1418864132-1159184377-506600700-512
>     sambaPwdMustChange: 2147483647

This is way more than 30 days into the future.

>     sambaPwdCanChange: 1116358396
>     sambaPwdLastSet: 1116358396
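The two threads above describe the same mechanism from both sides: Felipe's reply explains how to force a change at next logon (MustChange = 0, CanChange = today, LastSet = today minus the minimum password age, all as epoch seconds) and how sambaMaxPwdAge is set in seconds, while John's entry shows the sambaPwdMustChange value 2147483647, which is effectively "never". The script below is an added example, not code from either poster or from the Samba project: it computes those attribute values, renders them as an LDIF modify, and classifies an account against a maximum password age. The DN, the 7-day minimum age and the account values are constructed (the epoch values reuse the ones in Felipe's table so they can be checked against it).

```python
# Added example (not from the list posts): compute the sambaPwd* attribute
# values described in the reply and check an entry against a domain password
# policy. DNs and sample values below are constructed for illustration.

NEVER = 2147483647   # sambaPwdMustChange value that means "never expires"
DAY = 86400


def next_logon_change_values(now, min_pwd_age):
    """Attribute values that force a password change at the next logon.

    Follows the recipe from the reply: MustChange = 0, CanChange = now,
    LastSet = now - minimum password age (all seconds since the epoch).
    """
    return {
        "sambaPwdMustChange": 0,
        "sambaPwdCanChange": now,
        "sambaPwdLastSet": now - min_pwd_age,
    }


def max_pwd_age_seconds(days):
    """sambaMaxPwdAge is stored in seconds, e.g. 60 days -> 5184000."""
    return days * DAY


def password_state(entry, max_pwd_age, now):
    """Classify an account from its sambaPwd* attributes.

    Returns 'must-change' (MustChange == 0), 'never-expires'
    (MustChange == 2147483647, as in John's entry), 'expired' or 'ok'.
    """
    must = int(entry["sambaPwdMustChange"])
    if must == 0:
        return "must-change"
    if must == NEVER:
        return "never-expires"
    last_set = int(entry["sambaPwdLastSet"])
    if now - last_set > max_pwd_age or now > must:
        return "expired"
    return "ok"


def to_ldif(dn, values):
    """Render a 'changetype: modify' LDIF replacing the given attributes."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, value in values.items():
        lines += [f"replace: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    now = 1172587347            # the epoch value used in Felipe's table
    min_age = 7 * DAY           # constructed: 7-day minimum password age
    print(to_ldif("uid=example,ou=People,dc=example,dc=com",
                  next_logon_change_values(now, min_age)))
    sample = {"sambaPwdMustChange": NEVER, "sambaPwdLastSet": 1116358396}
    print(password_state(sample, max_pwd_age_seconds(60), now))
```

The LDIF can be fed to ldapmodify as the LDAP admin DN; the classification function is the check to run over an ldapsearch dump to find accounts whose sambaPwdMustChange is still 2147483647 after a domain policy has been set, since pdbedit policy changes do not rewrite existing per-user values.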
Re: [Samba] Samba3+LDAP: Can't join domain.
Hi Louis,

Sorry I took so long to answer...

On Wednesday, 6 July 2005 08:40, Louis van Belle wrote:
> Hi david, nice that it's working, 1 question, I made some bad changes some
> days ago in my libnss_ldap.conf or pam_ldap.conf. Could you send me a copy
> of these?

No problem. Here they go.

    --libnss-ldap.conf--
    base dc=gicomm,dc=iberica,dc=esp
    uri ldap://127.0.0.1/
    ldap_version 3
    rootbinddn cn=admin,dc=gicomm,dc=iberica,dc=esp
    scope sub
    --end--

    --pam_ldap.conf--
    host 127.0.0.1
    base dc=gicomm,dc=iberica,dc=esp
    ldap_version 3
    rootbinddn cn=admin,dc=gicomm,dc=iberica,dc=es
    pam_filter objectclass=posixAccount
    pam_login_attribute uid
    --end--

> It would help me greatly.

I hope so. :-) It's a very simple configuration. There aren't many changes from the original file.

> thanx.
> Louis

Cheers,
David
Re: Regarding: [Samba] Samba3+LDAP: Can't join domain.
> Please realize that you are posting to a mailinglist. Your last two
> postings did not contain information for people other than Louis.

You're absolutely right. I apologize. And I promise to be more careful from next time on.

Cheers,
David
Re: [Samba] Samba3+LDAP: Can't join domain.
Thanks Louis, I'm checking it out. I'll undo my setting and try again with your recipe. Thanks for the tip.

David

On Tuesday, 5 July 2005 13:33, Louis van Belle wrote:
> I run this setup, my config is posted last week.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of David Szanto
> Sent: Monday, 4 July 2005 18:04
> To: samba@lists.samba.org
> Subject: [Samba] Samba3+LDAP: Can't join domain.
>
> Hi everyone!!
>
> I'm having a bit of trouble joining a Samba 3 PDC with LDAP authentication.
> First some tips on what system I'm using:
> - Debian Sarge
> - Samba 3.0.14a-Debian
> - OpenLDAP 2.2.24 : Protocol v.3
>
> Well, now I'll explain the problem and show you some log output. Whenever I
> try to join the domain I get the following error:
>
> --begin-
> # net rpc join GICOMMNET
> Creation of workstation account failed
> Unable to join domain GICOMMNET.
> --end-
>
> So, I check my logs to see what's wrong and I see this in the Samba log:
>
> --begin-
> [2005/07/04 17:29:36, 0] rpc_server/srv_netlog_nt.c:get_md4pw(244)
>   get_md4pw: Workstation DAVIDSZANTO$: no account in domain
> Error: modifications require authentication at /usr/share/perl5/smbldap_tools.pm line 1005, <DATA> line 283.
> [2005/07/04 17:29:39, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
>   _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w davidszanto$' gave 1
> --end
>
> So I check if everything is alright with my smbldap-useradd command, and I
> try creating the account manually using exactly the same command.
> Everything works fine. The account is created and machine davidszanto$ is
> created.
>
> So then I scratch my head a bit, and while I'm losing most of my hair I try
> something a bit easier. Let's see if I can recover the user list or the
> group list. I use the net user -I 192.168.xxx.xxx and it works fine. I get
> the whole list and same with groups.
>
> So, if everything looks fine, where's the mistake?
>
> I try joining again and this time I check the slapd log as well and I get
> the biggest transaction log record in history!! :
>
> --begin--
> Jul 4 17:38:49 localhost slapd[8515]: connection_get(10): got connid=35
> Jul 4 17:38:49 localhost slapd[8515]: connection_read(10): checking for input on id=35
> Jul 4 17:38:49 localhost slapd[8515]: do_bind
> Jul 4 17:38:49 localhost slapd[8515]: ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
> Jul 4 17:38:49 localhost slapd[8515]: >>> dnPrettyNormal: <cn=admin,dc=gicomm,dc=iberica,dc=esp>
> Jul 4 17:38:49 localhost slapd[8515]: <<< dnPrettyNormal: <cn=admin,dc=gicomm,dc=iberica,dc=esp>, <cn=admin,dc=gicomm,dc=iberica,dc=esp>
> Jul 4 17:38:49 localhost slapd[8515]: do_bind: version=3 dn="cn=admin,dc=gicomm,dc=iberica,dc=esp" method=128
> Jul 4 17:38:49 localhost slapd[8515]: do_bind: v3 bind: "cn=admin,dc=gicomm,dc=iberica,dc=esp" to "cn=admin,dc=gicomm,dc=iberica,dc=esp"
> Jul 4 17:38:49 localhost slapd[8515]: send_ldap_result: conn=35 op=0 p=3
> Jul 4 17:38:49 localhost slapd[8515]: send_ldap_response: msgid=1 tag=97 err=0
> Jul 4 17:38:49 localhost slapd[8515]: connection_get(10): got connid=35
> Jul 4 17:38:49 localhost slapd[8515]: connection_read(10): checking for input on id=35
> Jul 4 17:38:49 localhost slapd[8515]: ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
> Jul 4 17:38:49 localhost slapd[8515]: do_search
> Jul 4 17:38:49 localhost slapd[8515]: >>> dnPrettyNormal: <>
> Jul 4 17:38:49 localhost slapd[8515]: <<< dnPrettyNormal: <>, <>
> Jul 4 17:38:49 localhost slapd[8515]: => send_search_entry: dn=""
> Jul 4 17:38:49 localhost slapd[8515]: <= send_search_entry
> Jul 4 17:38:49 localhost slapd[8515]: send_ldap_result: conn=35 op=1 p=3
> Jul 4 17:38:49 localhost slapd[8515]: send_ldap_response: msgid=2 tag=101 err=0
> Jul 4 17:38:49 localhost slapd[8515]: connection_get(10): got connid=35
> Jul 4 17:38:50 localhost slapd[8515]: connection_read(10): checking for input on id=35
> Jul 4 17:38:50 localhost slapd[8515]: ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
> Jul 4 17:38:50 localhost slapd[8515]: do_search
> Jul 4 17:38:50 localhost slapd[8515]: >>> dnPrettyNormal: <dc=gicomm,dc=iberica,dc=esp>
> Jul 4 17:38:50 localhost slapd[8515]: <<< dnPrettyNormal: <dc=gicomm,dc=iberica,dc=esp>, <dc=gicomm,dc=iberica,dc=esp>
> Jul 4 17:38:50 localhost slapd[8515]: => bdb_search
> Jul 4 17:38:50 localhost slapd[8515]: bdb_dn2entry("dc=gicomm,dc=iberica,dc=esp")
> Jul 4 17:38:50 localhost slapd[8515]: search_candidates: base="dc=gicomm,dc=iberica,dc=esp" (0x0001) scope=2
> Jul 4 17:38:50 localhost slapd[8515]: => bdb_dn2idl( "dc=gicomm,dc=iberica,dc=esp" )
> Jul 4 17:38:50 localhost slapd[8515]: => bdb_equality_candidates (objectClass)
> Jul 4 17:38:50 localhost slapd[8515]: => key_read
> Jul 4 17:38:50 localhost slapd[8515]: <= bdb_index_read: failed (-30990)
> Jul 4
Re: [Samba] Samba3+LDAP: Can't join domain.
Louis, YOU'RE A GENIUS!!! I read your posting and followed your instructions and it worked GREAT!! I'll take another look at some options I saw which I'm not very familiar with in smb.conf to learn a bit more.

THANKS A LOT!!!

David

On Tuesday, 5 July 2005 18:10, David Szanto wrote:
> Thanks Louis, I'm checking it out. I'll undo my setting and try again with
> your recipe. Thanks for the tip.
>
> David
>
> On Tuesday, 5 July 2005 13:33, Louis van Belle wrote:
> > I run this setup, my config is posted last week.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On behalf of David Szanto
> > Sent: Monday, 4 July 2005 18:04
> > To: samba@lists.samba.org
> > Subject: [Samba] Samba3+LDAP: Can't join domain.
> >
> > Hi everyone!!
> >
> > I'm having a bit of trouble joining a Samba 3 PDC with LDAP
> > authentication. First some tips on what system I'm using:
> > - Debian Sarge
> > - Samba 3.0.14a-Debian
> > - OpenLDAP 2.2.24 : Protocol v.3
> >
> > Well, now I'll explain the problem and show you some log output. Whenever
> > I try to join the domain I get the following error:
> >
> > --begin-
> > # net rpc join GICOMMNET
> > Creation of workstation account failed
> > Unable to join domain GICOMMNET.
> > --end-
> >
> > So, I check my logs to see what's wrong and I see this in the Samba log:
> >
> > --begin-
> > [2005/07/04 17:29:36, 0] rpc_server/srv_netlog_nt.c:get_md4pw(244)
> >   get_md4pw: Workstation DAVIDSZANTO$: no account in domain
> > Error: modifications require authentication at /usr/share/perl5/smbldap_tools.pm line 1005, <DATA> line 283.
> > [2005/07/04 17:29:39, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
> >   _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w davidszanto$' gave 1
> > --end
> >
> > So I check if everything is alright with my smbldap-useradd command, and
> > I try creating the account manually using exactly the same command.
> > Everything works fine. The account is created and machine davidszanto$ is
> > created.
> >
> > So then I scratch my head a bit, and while I'm losing most of my hair I
> > try something a bit easier. Let's see if I can recover the user list or
> > the group list. I use the net user -I 192.168.xxx.xxx and it works fine.
> > I get the whole list and same with groups.
> >
> > So, if everything looks fine, where's the mistake?
> >
> > I try joining again and this time I check the slapd log as well and I get
> > the biggest transaction log record in history!! :
> >
> > --begin--
> > Jul 4 17:38:49 localhost slapd[8515]: connection_get(10): got connid=35
> > Jul 4 17:38:49 localhost slapd[8515]: connection_read(10): checking for input on id=35
> > Jul 4 17:38:49 localhost slapd[8515]: do_bind
> > Jul 4 17:38:49 localhost slapd[8515]: ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
> > Jul 4 17:38:49 localhost slapd[8515]: >>> dnPrettyNormal: <cn=admin,dc=gicomm,dc=iberica,dc=esp>
> > Jul 4 17:38:49 localhost slapd[8515]: <<< dnPrettyNormal: <cn=admin,dc=gicomm,dc=iberica,dc=esp>, <cn=admin,dc=gicomm,dc=iberica,dc=esp>
> > Jul 4 17:38:49 localhost slapd[8515]: do_bind: version=3 dn="cn=admin,dc=gicomm,dc=iberica,dc=esp" method=128
> > Jul 4 17:38:49 localhost slapd[8515]: do_bind: v3 bind: "cn=admin,dc=gicomm,dc=iberica,dc=esp" to "cn=admin,dc=gicomm,dc=iberica,dc=esp"
> > Jul 4 17:38:49 localhost slapd[8515]: send_ldap_result: conn=35 op=0 p=3
> > Jul 4 17:38:49 localhost slapd[8515]: send_ldap_response: msgid=1 tag=97 err=0
> > Jul 4 17:38:49 localhost slapd[8515]: connection_get(10): got connid=35
> > Jul 4 17:38:49 localhost slapd[8515]: connection_read(10): checking for input on id=35
> > Jul 4 17:38:49 localhost slapd[8515]: ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
> > Jul 4 17:38:49 localhost slapd[8515]: do_search
> > Jul 4 17:38:49 localhost slapd[8515]: >>> dnPrettyNormal: <>
> > Jul 4 17:38:49 localhost slapd[8515]: <<< dnPrettyNormal: <>, <>
> > Jul 4 17:38:49 localhost slapd[8515]: => send_search_entry: dn=""
> > Jul 4 17:38:49 localhost slapd[8515]: <= send_search_entry
> > Jul 4 17:38:49 localhost slapd[8515]: send_ldap_result: conn=35 op=1 p=3
> > Jul 4 17:38:49 localhost slapd[8515]: send_ldap_response: msgid=2 tag=101 err=0
> > Jul 4 17:38:49 localhost slapd[8515]: connection_get(10): got connid=35
> > Jul 4 17:38:50 localhost slapd[8515]: connection_read(10): checking for input on id=35
> > Jul 4 17:38:50 localhost slapd[8515]: ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
> > Jul 4 17:38:50 localhost slapd[8515]: do_search
> > Jul 4 17:38:50 localhost slapd[8515]: >>> dnPrettyNormal: <dc=gicomm,dc=iberica,dc=esp>
> > Jul 4 17:38:50 localhost slapd[8515]: <<< dnPrettyNormal: <dc=gicomm,dc=iberica,dc=esp>, <dc=gicomm,dc=iberica,dc=esp>
> > Jul 4 17:38:50 localhost slapd[8515]: => bdb_search
> > Jul 4 17:38:50 localhost slapd[8515]: bdb_dn2entry("dc=gicomm,dc=iberica,dc
[Samba] Samba3+LDAP: Can't join domain.
Hi everyone!!

I'm having a bit of trouble joining a Samba 3 PDC with LDAP authentication. First some tips on what system I'm using:
- Debian Sarge
- Samba 3.0.14a-Debian
- OpenLDAP 2.2.24 : Protocol v.3

Well, now I'll explain the problem and show you some log output. Whenever I try to join the domain I get the following error:

--begin-
# net rpc join GICOMMNET
Creation of workstation account failed
Unable to join domain GICOMMNET.
--end-

So, I check my logs to see what's wrong and I see this in the Samba log:

--begin-
[2005/07/04 17:29:36, 0] rpc_server/srv_netlog_nt.c:get_md4pw(244)
  get_md4pw: Workstation DAVIDSZANTO$: no account in domain
Error: modifications require authentication at /usr/share/perl5/smbldap_tools.pm line 1005, <DATA> line 283.
[2005/07/04 17:29:39, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w davidszanto$' gave 1
--end

So I check if everything is alright with my smbldap-useradd command, and I try creating the account manually using exactly the same command. Everything works fine. The account is created and machine davidszanto$ is created.

So then I scratch my head a bit, and while I'm losing most of my hair I try something a bit easier. Let's see if I can recover the user list or the group list. I use the net user -I 192.168.xxx.xxx and it works fine. I get the whole list and same with groups.

So, if everything looks fine, where's the mistake?

I try joining again and this time I check the slapd log as well and I get the biggest transaction log record in history!! :

--begin--
Jul 4 17:38:49 localhost slapd[8515]: connection_get(10): got connid=35
Jul 4 17:38:49 localhost slapd[8515]: connection_read(10): checking for input on id=35
Jul 4 17:38:49 localhost slapd[8515]: do_bind
Jul 4 17:38:49 localhost slapd[8515]: ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
Jul 4 17:38:49 localhost slapd[8515]: >>> dnPrettyNormal: <cn=admin,dc=gicomm,dc=iberica,dc=esp>
Jul 4 17:38:49 localhost slapd[8515]: <<< dnPrettyNormal: <cn=admin,dc=gicomm,dc=iberica,dc=esp>, <cn=admin,dc=gicomm,dc=iberica,dc=esp>
Jul 4 17:38:49 localhost slapd[8515]: do_bind: version=3 dn="cn=admin,dc=gicomm,dc=iberica,dc=esp" method=128
Jul 4 17:38:49 localhost slapd[8515]: do_bind: v3 bind: "cn=admin,dc=gicomm,dc=iberica,dc=esp" to "cn=admin,dc=gicomm,dc=iberica,dc=esp"
Jul 4 17:38:49 localhost slapd[8515]: send_ldap_result: conn=35 op=0 p=3
Jul 4 17:38:49 localhost slapd[8515]: send_ldap_response: msgid=1 tag=97 err=0
Jul 4 17:38:49 localhost slapd[8515]: connection_get(10): got connid=35
Jul 4 17:38:49 localhost slapd[8515]: connection_read(10): checking for input on id=35
Jul 4 17:38:49 localhost slapd[8515]: ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
Jul 4 17:38:49 localhost slapd[8515]: do_search
Jul 4 17:38:49 localhost slapd[8515]: >>> dnPrettyNormal: <>
Jul 4 17:38:49 localhost slapd[8515]: <<< dnPrettyNormal: <>, <>
Jul 4 17:38:49 localhost slapd[8515]: => send_search_entry: dn=""
Jul 4 17:38:49 localhost slapd[8515]: <= send_search_entry
Jul 4 17:38:49 localhost slapd[8515]: send_ldap_result: conn=35 op=1 p=3
Jul 4 17:38:49 localhost slapd[8515]: send_ldap_response: msgid=2 tag=101 err=0
Jul 4 17:38:49 localhost slapd[8515]: connection_get(10): got connid=35
Jul 4 17:38:50 localhost slapd[8515]: connection_read(10): checking for input on id=35
Jul 4 17:38:50 localhost slapd[8515]: ber_get_next on fd 10 failed errno=11 (Resource temporarily unavailable)
Jul 4 17:38:50 localhost slapd[8515]: do_search
Jul 4 17:38:50 localhost slapd[8515]: >>> dnPrettyNormal: <dc=gicomm,dc=iberica,dc=esp>
Jul 4 17:38:50 localhost slapd[8515]: <<< dnPrettyNormal: <dc=gicomm,dc=iberica,dc=esp>, <dc=gicomm,dc=iberica,dc=esp>
Jul 4 17:38:50 localhost slapd[8515]: => bdb_search
Jul 4 17:38:50 localhost slapd[8515]: bdb_dn2entry("dc=gicomm,dc=iberica,dc=esp")
Jul 4 17:38:50 localhost slapd[8515]: search_candidates: base="dc=gicomm,dc=iberica,dc=esp" (0x0001) scope=2
Jul 4 17:38:50 localhost slapd[8515]: => bdb_dn2idl( "dc=gicomm,dc=iberica,dc=esp" )
Jul 4 17:38:50 localhost slapd[8515]: => bdb_equality_candidates (objectClass)
Jul 4 17:38:50 localhost slapd[8515]: => key_read
Jul 4 17:38:50 localhost slapd[8515]: <= bdb_index_read: failed (-30990)
Jul 4 17:38:50 localhost slapd[8515]: <= bdb_equality_candidates: id=0, first=0, last=0
Jul 4 17:38:50 localhost slapd[8515]: => bdb_equality_candidates (uid)
Jul 4 17:38:50 localhost slapd[8515]: => key_read
Jul 4 17:38:50 localhost slapd[8515]: <= bdb_index_read: failed (-30990)
Jul 4 17:38:50 localhost slapd[8515]: <= bdb_equality_candidates: id=0, first=0, last=0
Jul 4 17:38:50 localhost slapd[8515]: bdb_search_candidates: id=0 first=1 last=0
Jul 4 17:38:50 localhost slapd[8515]: bdb_search: no candidates
Jul 4 17:38:50 localhost
Re: [Samba] Samba3+LDAP: Can't join domain.
On Monday, 4 July 2005 18:33, wrote:

Hi Fabio! Thanks for the quick response!!

On Monday, 4 July 2005 17:12, wrote:
Hi! I manage a PDC with the same configuration. I suggest you check the SID in the LDAP directory and the smbldap configuration. Does net groupmap list show errors?

I've tried it again, just to make sure, and it doesn't show any errors... except that the last time I saw such a configuration, samba groups mapped correctly to their posix group name, and now I only get gidNumbers?? I've double-checked my nsswitch.conf and libnss-ldap.conf files and I can't see what's wrong:

-- begin --
# net groupmap list
Gerencia (S-1-5-21-1243414039-471885888-144306045-21015) - 10007
Ventas y Comerciales (S-1-5-21-1243414039-471885888-144306045-21025) - 10012
Contabilidad (S-1-5-21-1243414039-471885888-144306045-5007) - 10005
Recambios (S-1-5-21-1243414039-471885888-144306045-21021) - 10010
Chapa y Pintura (S-1-5-21-1243414039-471885888-144306045-21009) - 10004
Administracion (S-1-5-21-2139989288-483860436-2398042574-21003) - 10001
Imperial de AutomBritFujiyama Motor (S-1-5-21-1243414039-471885888-144306045-21013) - 10006
Vook Rent a Car (S-1-5-21-1243414039-471885888-144306045-21027) - 10013
British Car (S-1-5-21-2139989288-483860436-2398042574-21007) - 10003
Talleres y Mecanicos (S-1-5-21-1243414039-471885888-144306045-21023) - 10011
Todos (S-1-5-21-2139989288-483860436-2398042574-21029) - 10014
London Taxi Company (S-1-5-21-1243414039-471885888-144306045-21019) - 10009
Informatica (S-1-5-21-2139989288-483860436-2398042574-21031) - 10015
Domain Admins (S-1-5-21-2139989288-483860436-2398042574-512) - 512
Domain Users (S-1-5-21-2139989288-483860436-2398042574-513) - 513
Domain Guests (S-1-5-21-2139989288-483860436-2398042574-514) - 514
Domain Computers (S-1-5-21-2139989288-483860436-2398042574-515) - 515
Administrators (S-1-5-32-544) - 544
Account Operators (S-1-5-32-548) - 548
Print Operators (S-1-5-32-550) - 550
Backup Operators (S-1-5-32-551) - 551
Replicators (S-1-5-32-552) - 552
-- end --

-- nsswitch.conf --
passwd: files ldap
group: files ldap
shadow: files ldap
...
-- end --

-- libnss-ldap.conf --
base dc=gicomm,dc=iberica,dc=esp
uri ldap://127.0.0.1/
ldap_version 3
rootbinddn cn=admin,dc=gicomm,dc=iberica,dc=esp
scope sub
-- end --

The SID I get from net getlocalsid is:

SID for domain GICOMM is: S-1-5-21-2139989288-483860436-2398042574

And I've compared it to the entries in my LDAP directory and they seem correct. Examples: User XXX has:

sambaPrimaryGroupSID: S-1-5-21-2139989288-483860436-2398042574-513
sambaSID: S-1-5-21-2139989288-483860436-2398042574-3204

Any ideas? THANX a LOT!!!

David

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
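A consistency check a practitioner would run on the output above, added here as an example and not code from the thread: it parses `net groupmap list` lines, splits each SID into its domain part and RID, and buckets every mapping as local (domain part equals the `net getlocalsid` value), BUILTIN (S-1-5-32), or foreign (any other domain SID). The sample input is a constructed subset of the groupmap output and the local SID quoted in the message above; the function names are the example's own.

```python
import re
from typing import Dict, List, NamedTuple, Tuple

# One line of `net groupmap list` output has the form "<name> (<SID>) - <gid>".
GROUPMAP_RE = re.compile(r"^(?P<name>.+?) \((?P<sid>S-1-5-[\d-]+)\) - (?P<gid>-?\d+)$")
# Well-known BUILTIN aliases (Administrators, Account Operators, ...) live under this prefix.
BUILTIN_PREFIX = "S-1-5-32"


class Mapping(NamedTuple):
    name: str
    sid: str
    gid: int


def parse_groupmap(output: str) -> List[Mapping]:
    """Parse `net groupmap list` output; rejects lines it cannot recognise."""
    mappings: List[Mapping] = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = GROUPMAP_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised groupmap line: {line!r}")
        mappings.append(Mapping(m["name"], m["sid"], int(m["gid"])))
    return mappings


def split_sid(sid: str) -> Tuple[str, int]:
    """Split "S-1-5-21-a-b-c-RID" into ("S-1-5-21-a-b-c", RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def audit_groupmap(mappings: List[Mapping], local_sid: str) -> Dict[str, List[Mapping]]:
    """Bucket each mapping by whether its domain part is the local SID,
    the BUILTIN prefix, or some other (foreign) domain SID."""
    report: Dict[str, List[Mapping]] = {"local": [], "builtin": [], "foreign": []}
    for mp in mappings:
        domain, _ = split_sid(mp.sid)
        if domain == local_sid:
            report["local"].append(mp)
        elif domain == BUILTIN_PREFIX:
            report["builtin"].append(mp)
        else:
            report["foreign"].append(mp)
    return report


def foreign_domains(report: Dict[str, List[Mapping]]) -> List[str]:
    """Distinct domain SIDs carried by the foreign mappings."""
    return sorted({split_sid(mp.sid)[0] for mp in report["foreign"]})


# Constructed sample: a subset of the `net groupmap list` output quoted above,
# plus the SID that `net getlocalsid` reported in the same message.
LOCAL_SID = "S-1-5-21-2139989288-483860436-2398042574"
SAMPLE_GROUPMAP = """\
# net groupmap list
Gerencia (S-1-5-21-1243414039-471885888-144306045-21015) - 10007
Contabilidad (S-1-5-21-1243414039-471885888-144306045-5007) - 10005
Administracion (S-1-5-21-2139989288-483860436-2398042574-21003) - 10001
Domain Admins (S-1-5-21-2139989288-483860436-2398042574-512) - 512
Domain Users (S-1-5-21-2139989288-483860436-2398042574-513) - 513
Administrators (S-1-5-32-544) - 544
Replicators (S-1-5-32-552) - 552
"""


def main() -> None:
    report = audit_groupmap(parse_groupmap(SAMPLE_GROUPMAP), LOCAL_SID)
    for bucket in ("local", "builtin", "foreign"):
        for mp in report[bucket]:
            print(f"{bucket:8} {mp.gid:>6}  {mp.name}  ({mp.sid})")
    for dom in foreign_domains(report):
        print(f"mappings found under non-local domain SID {dom}")


if __name__ == "__main__":
    main()
```

Run it against the full `net groupmap list` output on the PDC; any entry reported as foreign will not resolve against the local domain's SID.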
[Samba] SAMBA3 + LDAP = Round 5 :(((
Okay, if anyone can help me, I put all my config and log on http://www.arzurproduction.com/temp/

I cannot join the domain on my Windows XP (Access Denied). So I try:

1- An Administrator user created by smbldap-populate; I have root = Administrator in my /etc/samba/smbusers
Error :
[2005/03/21 10:09:03, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [administrator] - [root] FAILED with error NT_STATUS_NO_SUCH_USER

2- The same Administrator, but I comment out root = Administrator
Error :
[2005/03/22 09:47:04, 2] lib/smbldap.c:smbldap_open_connection(692)
  smbldap_open_connection: connection opened
[2005/03/22 09:47:04, 2] passdb/pdb_ldap.c:init_sam_from_ldap(518)
  init_sam_from_ldap: Entry found for user: Administrator
[2005/03/22 09:47:04, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
  init_group_from_ldap: Entry found for group: 512
[2005/03/22 09:47:04, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [administrator] - [administrator] - [Administrator] succeeded
[2005/03/22 09:47:05, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
  Returning domain sid for domain ARZUR-NT - S-1-5-21-1874299889-3982645529-2160850509
[2005/03/22 09:47:05, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED (requested: 0x0211)
[2005/03/22 09:47:05, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
  Returning domain sid for domain ARZUR-NT - S-1-5-21-1874299889-3982645529-2160850509
[2005/03/22 09:47:05, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x0201; required: 0x0010)
[2005/03/22 09:47:05, 2] smbd/server.c:exit_server(575)
  Closing connections

3- The same Administrator; I create a root ldap user (same as the old smbldap-tools)
[2005/03/22 09:49:42, 2] lib/smbldap.c:smbldap_open_connection(692)
  smbldap_open_connection: connection opened
[2005/03/22 09:49:42, 2] passdb/pdb_ldap.c:init_sam_from_ldap(518)
  init_sam_from_ldap: Entry found for user: root
[2005/03/22 09:49:42, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
  init_group_from_ldap: Entry found for group: 513
[2005/03/22 09:49:42, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [administrator] - [root] - [root] succeeded
[2005/03/22 09:49:43, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
  Returning domain sid for domain ARZUR-NT - S-1-5-21-1874299889-3982645529-2160850509
[2005/03/22 09:49:43, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
  init_group_from_ldap: Entry found for group: 515
[2005/03/22 09:49:43, 2] passdb/pdb_ldap.c:init_ldap_from_sam(929)
  init_ldap_from_sam: Setting entry for user: poil-barebone$
[2005/03/22 09:49:43, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1552)
  ldapsam_modify_entry: Failed to modify user dn= uid=poil-barebone$,ou=Computers,dc=arzur,dc=local with: Insufficient access
[2005/03/22 09:49:43, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1994)
  ldapsam_add_sam_account: failed to modify/add user with uid = poil-barebone$ (dn = uid=poil-barebone$,ou=Computers,dc=arzur,dc=local)
[2005/03/22 09:49:43, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2272)
  could not add user/computer poil-barebone$ to passdb. Check permissions?
[2005/03/22 09:49:43, 2] smbd/server.c:exit_server(575)
  Closing connections

4- In root (ldap root)
[2005/03/22 09:50:21, 2] lib/smbldap.c:smbldap_open_connection(692)
  smbldap_open_connection: connection opened
[2005/03/22 09:50:21, 2] passdb/pdb_ldap.c:init_sam_from_ldap(518)
  init_sam_from_ldap: Entry found for user: root
[2005/03/22 09:50:21, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
  init_group_from_ldap: Entry found for group: 513
[2005/03/22 09:50:21, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [root] - [root] - [root] succeeded
[2005/03/22 09:50:22, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
  Returning domain sid for domain ARZUR-NT - S-1-5-21-1874299889-3982645529-2160850509
[2005/03/22 09:50:22, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
  init_group_from_ldap: Entry found for group: 515
[2005/03/22 09:50:22, 2] passdb/pdb_ldap.c:init_ldap_from_sam(929)
  init_ldap_from_sam: Setting entry for user: poil-barebone$
[2005/03/22 09:50:22, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1552)
  ldapsam_modify_entry: Failed to modify user dn= uid=poil-barebone$,ou=Computers,dc=arzur,dc=local with: Insufficient access
[2005/03/22 09:50:22, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1994)
  ldapsam_add_sam_account: failed to modify/add user with uid = poil-barebone$ (dn = uid=poil-barebone$,ou=Computers,dc=arzur,dc=local)
[2005/03/22 09:50:22, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2272)
  could not add user/computer poil-barebone$ to passdb. Check permissions?
[2005/03/22 09:50:22, 2] smbd/server.c:exit_server(575)
  Closing connections

Thanks all for helping me!
RE: [Samba] SAMBA3 + LDAP = Round 5 :(((
Hi, I think I've found your problem. You've set

rootbinddn cn=nssldap,ou=DSA,dc=ARZUR,dc=LOCAL

but you didn't give that user admin LDAP rights. Have you done this?
http://samba.idealx.org/smbldap-howto.en.html#htoc116
And this?
http://samba.idealx.org/smbldap-howto.en.html#htoc111

Attention: since you're using a root bind different from Manager, you must give it admin access. Something like

access to *
  by cn=nssldap,ou=DSA,dc=ARZUR,dc=LOCAL write

This is a very WIDE configuration; you may restrict which objects your admin user can access, in order for it to have write permissions only to samba objects. Something like

access to attrs=sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,

Best Regards,
Bruno Guerreiro

-----Original Message-----
From: Poil [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 22 March 2005 8:55
To: samba@lists.samba.org
Subject: [Samba] SAMBA3 + LDAP = Round 5 :(((
Re: [Samba] SAMBA3 + LDAP = Round 5 :(((
I've got :

# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
  by dn=cn=samba,ou=DSA,dc=arzur,dc=local write
  by dn=cn=nssldap,ou=DSA,dc=arzur,dc=local write
  by self write
  by anonymous auth

# the objectClass needed for everyone
access to attrs=objectClass,entry
  by dn=cn=samba,ou=DSA,dc=arzur,dc=local read
  by dn=cn=nssldap,ou=DSA,dc=arzur,dc=local read
  by dn=cn=postfix-auth,ou=DSA,dc=arzur,dc=local read
  by self read

# some attributes need to be readable by everyone
access to attrs=uidNumber,gidNumber
  by dn=cn=samba,ou=DSA,dc=arzur,dc=local write
  by dn=cn=nssldap,ou=DSA,dc=arzur,dc=local read
  by self read

# some attributes can be writable by users themselves
access to attrs=description,telephoneNumber
  by dn=cn=samba,ou=DSA,dc=arzur,dc=local write
  by self write
  by users read

# some attributes need to be readable so that 'id user' can answer correctly
access to [EMAIL PROTECTED],@posixGroup,@inetOrgPerson
  by dn=cn=samba,ou=DSA,dc=arzur,dc=local write
  by dn=cn=nssldap,ou=DSA,dc=arzur,dc=local read
  by self read

# some attributes need to be writable for samba
access to [EMAIL PROTECTED],@sambaGroupMapping,@sambaTrustPassword,@sambaDomain,@sambaShare,@sambaConfigOption,@sambaPrivilege
  by dn=cn=samba,ou=DSA,dc=arzur,dc=local write
  by self read

# samba need to be able to create the sambaDomain account and NextFreeUnixId
access to dn=dc=arzur,dc=local attrs=children
  by dn=cn=samba,ou=DSA,dc=arzur,dc=local write
access to dn=cn=NextFreeUnixId,dc=arzur,dc=local
  by dn=cn=samba,ou=DSA,dc=arzur,dc=local write
access to dn.one=dc=arzur,dc=local filter=(objectClass=sambaDomain)
  by dn=cn=samba,ou=DSA,dc=arzur,dc=local write

# samba need to be able to create new users account
access to dn=ou=People,dc=arzur,dc=local
  by dn=cn=samba,ou=DSA,dc=arzur,dc=local write

# samba need to be able to create new groups account
access to dn=ou=Groups,dc=arzur,dc=local
  by dn=cn=samba,ou=DSA,dc=arzur,dc=local write

# samba need to be able to create new computers account
access to dn=ou=Computers,dc=arzur,dc=local
  by dn=cn=samba,ou=DSA,dc=arzur,dc=local write

# samba need to be able to create new idmap entries
access to dn=ou=Idmap,dc=arzur,dc=local
  by dn=cn=samba,ou=DSA,dc=arzur,dc=local write

# Default access rights
access to *
  by self read
Re: [Samba] SAMBA3 + LDAP = Round 5 :(((
When checking my samba log I have :

[2005/03/22 11:25:39, 0] lib/util_sock.c:get_peer_addr(1136)
  getpeername failed. Error was Transport endpoint is not connected
[2005/03/22 11:25:39, 0] lib/util_sock.c:write_socket_data(430)
  write_socket_data: write failure. Error = Connection reset by peer
[2005/03/22 11:25:39, 0] lib/util_sock.c:write_socket(455)
  write_socket: Error writing 4 bytes to socket 5: ERRNO = Connection reset by peer
[2005/03/22 11:25:39, 0] lib/util_sock.c:send_smb(647)
  Error writing 4 bytes to client. -1. (Connection reset by peer)
[2005/03/22 11:25:39, 2] smbd/server.c:exit_server(575)

Is it normal? I think no ... :/
RE: [Samba] SAMBA3 + LDAP = Round 5 :(((
Yes, that's normal. And I see that you've edited your slapd.conf. Does your setup work now?

Best regards,
Bruno Guerreiro

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 22 March 2005 10:31
To: [EMAIL PROTECTED]
Cc: Bruno Guerreiro; 'Poil'; samba@lists.samba.org
Subject: Re: [Samba] SAMBA3 + LDAP = Round 5 :(((
RE: [Samba] SAMBA3 + LDAP = Round 5 :(((
Hi again. You did create that object (cn=samba,ou=DSA,dc=arzur,dc=local), right? Could you please try binding with cn=Manager,dc=arzur,dc=local instead?

Bruno Guerreiro

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 22 March 2005 10:49
To: Bruno Guerreiro
Subject: Re: [Samba] SAMBA3 + LDAP = Round 5 :(((
Re: [Samba] SAMBA3 + LDAP = Round 5 :(((
Yes, the object is (import http://www.arzurproduction.com/temp/openldap/smbldap-dsa.ldif).

I'm trying with cn=Manager: smbpasswd -w, storing blabla bla, trying: WORKING

Now I must find why that's not working in DSA! Thank you very much :)
:/ [EMAIL PROTECTED] a écrit : I've got : # users can authenticate and change their password access to attrs=userPassword,sambaNTPassword,sambaLMPassword by dn=cn=samba,ou=DSA,dc=arzur,dc=local write by dn=cn=nssldap,ou=DSA,dc=arzur,dc=local write by self write by anonymous auth # the objectClass needed for everyone access to attrs=objectClass,entry by dn=cn=samba,ou=DSA,dc=arzur,dc=local read by dn=cn=nssldap,ou=DSA,dc=arzur,dc=local read by dn=cn=postfix-auth,ou=DSA,dc=arzur,dc=local read by self read # some attributes need to be readable by everyone access to attrs=uidNumber,gidNumber by dn=cn=samba,ou=DSA,dc=arzur,dc=local write by dn=cn=nssldap,ou=DSA,dc=arzur,dc=local read by self read # some attributes can be writable by users themselves access to attrs=description,telephoneNumber by dn=cn=samba,ou=DSA,dc=arzur,dc=local write by self write by users read # some attributes need to be readable so that 'id user' can answer correctly access to [EMAIL PROTECTED],@posixGroup,@inetOrgPerson by dn=cn=samba,ou=DSA,dc=arzur,dc=local write by dn=cn=nssldap,ou=DSA,dc=arzur,dc=local read by self read # some attributes need to be writable for samba access to [EMAIL PROTECTED],@sambaGroupMapping,@sambaTrustPassword,@sambaDomain,@ sambaShare,@sambaConfigOption,@sambaPrivilege by dn=cn=samba,ou=DSA,dc=arzur,dc=local write by self read # samba need to be able to create the sambaDomain account and NextFreeUnixId access to dn=dc=arzur,dc=local attrs=children by dn=cn=samba,ou=DSA,dc=arzur,dc=local write access to dn=cn=NextFreeUnixId,dc=arzur,dc=local by dn=cn=samba,ou=DSA,dc=arzur,dc=local write access to dn.one=dc=arzur,dc=local filter=(objectClass=sambaDomain) by dn=cn=samba,ou=DSA,dc=arzur,dc=local write # samba need to be able to create new users account access to dn=ou=People,dc=arzur,dc=local by dn=cn=samba,ou=DSA,dc=arzur,dc=local write # samba need to be able to create new groups account access to dn=ou=Groups,dc=arzur,dc=local by dn=cn=samba,ou=DSA,dc=arzur,dc=local 
write # samba need to be able to create new computers account access to dn=ou=Computers,dc=arzur,dc=local by dn=cn=samba,ou=DSA,dc=arzur,dc=local write # samba need to be able to create new idmap entries access to dn=ou=Idmap,dc=arzur,dc=local by dn=cn=samba,ou=DSA,dc=arzur,dc=local write # Default access rights access to * by self read Bruno Guerreiro a écrit : Hi, i think i've found your problem. You've set rootbinddncn=nssldap,ou=DSA,dc=ARZUR,dc=LOCAL but you didn't give that user Admin LDAP rights. Have you done this? http://samba.idealx.org/smbldap-howto.en.html#htoc116 And this? http://samba.idealx.org/smbldap-howto.en.html#htoc111 attention that since you're using an root bind different from Manager, you must give it admin acess. Something like access to * by cn=nssldap,ou=DSA,dc=ARZUR,dc=LOCAL write This is a very WIDE configuration, you may restrict which object you admin user can access, in order for it to have write permissions only to samba objects. Something like access to attrs=sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,samb aAcctFlags,displayName,sambaHomePath
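The whole Round 5 exchange turns on one question: does the DN that smbd binds with actually get write access under the slapd ACLs, given that slapd applies the first "access to" clause whose target matches and nothing else? The following is an added example, not code from the thread or from smbldap-tools, that answers that question offline for an ACL excerpt. The ACL text is constructed here to mirror the clauses posted above (same DNs, same containers); the helper names acl_level and check_samba_bind_dn are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): report what access an OpenLDAP
# slapd.conf ACL set grants a given bind DN on a given target, following
# slapd's first-matching-clause rule. ACL_TEXT is constructed to mirror
# the excerpt posted in the thread; the DNs are the thread's own.

ACL_TEXT='
# samba needs to be able to create new computer accounts
access to dn=ou=Computers,dc=arzur,dc=local
    by dn=cn=samba,ou=DSA,dc=arzur,dc=local write

# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
    by dn=cn=samba,ou=DSA,dc=arzur,dc=local write
    by dn=cn=nssldap,ou=DSA,dc=arzur,dc=local write
    by self write
    by anonymous auth

# Default access rights
access to *
    by self read
'

# acl_level <bind-dn> <target>
# Prints the access level that the first clause whose "access to" line
# contains <target> (or is the catch-all "*") grants <bind-dn>. Prints
# "none" when that clause has no "by dn=<bind-dn>" rule: slapd stops at
# the first matching clause, so a DN not listed there gets nothing, even
# if a later clause would have granted it access.
acl_level() {
    printf '%s\n' "$ACL_TEXT" | awk -v dn="$1" -v target="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        /^access to/ {
            if (matched) exit            # left the matching clause
            matched = (index($0, target) > 0 || $3 == "*")
            next
        }
        matched && $1 == "by" {
            pat = $2; sub(/^dn=/, "", pat); gsub(/"/, "", pat)
            if (pat == dn) { print $3; found = 1; exit }
        }
        END { if (!found) print "none" }'
}

# check_samba_bind_dn <bind-dn>
# A machine join through smbd has to create the computer entry and set
# its password hashes, so the bind DN needs "write" on both the computer
# container and the password attributes. Returns 0 when both hold,
# otherwise prints each shortfall and returns 1.
check_samba_bind_dn() {
    rc=0
    for target in "ou=Computers" "sambaNTPassword"; do
        level=$(acl_level "$1" "$target")
        if [ "$level" != "write" ]; then
            printf '%s: %s on %s (needs write)\n' "$1" "$level" "$target"
            rc=1
        fi
    done
    return $rc
}

# Stand-alone run: the DN the ACL was written for passes, the one used
# as rootbinddn in the thread does not.
check_samba_bind_dn cn=samba,ou=DSA,dc=arzur,dc=local && echo "cn=samba: ok"
check_samba_bind_dn cn=nssldap,ou=DSA,dc=arzur,dc=local || echo "cn=nssldap: would get 'Insufficient access'"
```

Run against a real slapd.conf by replacing ACL_TEXT with the file's contents; the point to take from the nssldap case is that granting a DN write on the password attributes does nothing for the container clause, which is exactly the mismatch Bruno points out between rootbinddn and the ACLs.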
[Samba] SAMBA3 + LDAP + WINDOWS XP = Round 1
Okay, now I can join a domain with the administrator account... but not with another account. Here I would like to log in with bdupuis; my computer is registered in the domain:

  [2005/03/22 16:15:06, 2] passdb/pdb_ldap.c:init_sam_from_ldap(518)
    init_sam_from_ldap: Entry found for user: bdupuis
  [2005/03/22 16:15:19, 2] passdb/pdb_ldap.c:init_sam_from_ldap(518)
    init_sam_from_ldap: Entry found for user: bdupuis
  [2005/03/22 16:15:19, 1] auth/auth_util.c:make_server_info_sam(822)
    User bdupuis in passdb, but getpwnam() fails!
  [2005/03/22 16:15:19, 0] auth/auth_sam.c:check_sam_security(312)
    check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
  [2005/03/22 16:15:19, 2] auth/auth.c:check_ntlm_password(312)
    check_ntlm_password: Authentication for user [bdupuis] - [bdupuis] FAILED with error NT_STATUS_NO_SUCH_USER
  [2005/03/22 16:15:42, 2] smbd/server.c:exit_server(575)
    Closing connections

Any idea?
RE: [Samba] SAMBA3 + LDAP + WINDOWS XP = Round 1
Hi (again)
First, you must create that user ;-)
Then there are several ways. You may add that user to the Domain Admins group, or, if using samba-3.0.11 or greater, use the net rpc rights command. Something like:

  net rpc rights grant bdupuis SeMachineAccountPrivilege -U Administrator

Best regards,
Bruno Guerreiro

-----Original Message-----
From: [EMAIL PROTECTED]
Sent: Tuesday, 22 March 2005 15:26
To: 'samba@lists.samba.org'
Subject: [Samba] SAMBA3 + LDAP + WINDOWS XP = Round 1
Re: [Samba] SAMBA3 + LDAP + WINDOWS XP = Round 1
Thanks, but:

  mastok:/home/data1/samba # net rpc user INFO bdupuis
  Password:
  Domain Admins
  Domain Users

  getent passwd
  InfoRD-1$:x:1007:515:Computer:/dev/null:/sbin/nologin
  bdupuis:x:1021:512:Benjamin DUPUIS:/home/data1/samba/bdupuis:/sbin/nologin

So on my Windows XP Pro I join the domain ARZUR-NT, name of the computer InfoRD-1. Rebooting Windows, trying to log in to the domain with bdupuis... FAIL. Trying to log in to the domain with administrator: OK.
It's hard :p

Bruno Guerreiro wrote:
Hi (again)
First, you must create that user ;-)
Then there are several ways. You may add that user to the Domain Admins group, or, if using samba-3.0.11 or greater, use the net rpc rights command. Something like:

  net rpc rights grant bdupuis SeMachineAccountPrivilege -U Administrator

Best regards,
Bruno Guerreiro

-----Original Message-----
From: [EMAIL PROTECTED]
Sent: Tuesday, 22 March 2005 15:26
To: 'samba@lists.samba.org'
Subject: [Samba] SAMBA3 + LDAP + WINDOWS XP = Round 1
[Samba] SAMBA3+LDAP PDC - Cannot join the domain
Okay, so I've reset my ldap database since last week and I've checked all my samba config. Now I have another error :(

When I try to join the domain as Administrator (samba creates the computer but...):

  Administrator:x:998:512:Netbios Domain Administrator:/home/data1/samba/Administrator:/sbin/nologin

Here's the Samba log, log.poil-barebone:

  **
  [2005/03/21 10:51:41, 2] lib/smbldap.c:smbldap_open_connection(692)
    smbldap_open_connection: connection opened
  [2005/03/21 10:51:41, 2] passdb/pdb_ldap.c:init_sam_from_ldap(518)
    init_sam_from_ldap: Entry found for user: root
  [2005/03/21 10:51:41, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
    init_group_from_ldap: Entry found for group: 513
  [2005/03/21 10:51:41, 2] auth/auth.c:check_ntlm_password(305)
    check_ntlm_password: authentication for user [root] - [root] - [root] succeeded
  [2005/03/21 10:51:42, 2] smbd/server.c:exit_server(575)
    Closing connections
  [2005/03/21 10:51:42, 2] lib/smbldap.c:smbldap_open_connection(692)
    smbldap_open_connection: connection opened
  [2005/03/21 10:51:42, 2] passdb/pdb_ldap.c:init_sam_from_ldap(518)
    init_sam_from_ldap: Entry found for user: root
  [2005/03/21 10:51:42, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
    init_group_from_ldap: Entry found for group: 513
  [2005/03/21 10:51:42, 2] auth/auth.c:check_ntlm_password(305)
    check_ntlm_password: authentication for user [root] - [root] - [root] succeeded
  [2005/03/21 10:51:42, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
    Returning domain sid for domain ARZURNT - S-1-5-21-1874299889-3982645529-2160850509
  [2005/03/21 10:51:42, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
    init_group_from_ldap: Entry found for group: 515
  [2005/03/21 10:51:42, 2] passdb/pdb_ldap.c:init_ldap_from_sam(929)
    init_ldap_from_sam: Setting entry for user: poil-barebone$
  [2005/03/21 10:51:42, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1552)
    ldapsam_modify_entry: Failed to modify user dn= uid=poil-barebone$,ou=Computers,dc=arzur,dc=local with: Insufficient access
  [2005/03/21 10:51:42, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1994)
    ldapsam_add_sam_account: failed to modify/add user with uid = poil-barebone$ (dn = uid=poil-barebone$,ou=Computers,dc=arzur,dc=local)
  [2005/03/21 10:51:42, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2272)
    could not add user/computer poil-barebone$ to passdb. Check permissions?
  [2005/03/21 10:51:42, 2] smbd/server.c:exit_server(575)
    Closing connections
  **

So I tried adding a root user:

  root:x:0:0:System User:/home/data1/samba/root:/sbin/nologin

When logging in with it, here's the Samba log, log.poil-barebone:

  **
  [2005/03/21 10:57:36, 2] lib/smbldap.c:smbldap_open_connection(692)
    smbldap_open_connection: connection opened
  [2005/03/21 10:57:36, 2] passdb/pdb_ldap.c:init_sam_from_ldap(518)
    init_sam_from_ldap: Entry found for user: root
  [2005/03/21 10:57:36, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
    init_group_from_ldap: Entry found for group: 513
  [2005/03/21 10:57:36, 2] auth/auth.c:check_ntlm_password(305)
    check_ntlm_password: authentication for user [root] - [root] - [root] succeeded
  [2005/03/21 10:57:37, 2] smbd/server.c:exit_server(575)
    Closing connections
  [2005/03/21 10:57:37, 2] lib/smbldap.c:smbldap_open_connection(692)
    smbldap_open_connection: connection opened
  [2005/03/21 10:57:37, 2] passdb/pdb_ldap.c:init_sam_from_ldap(518)
    init_sam_from_ldap: Entry found for user: root
  [2005/03/21 10:57:37, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
    init_group_from_ldap: Entry found for group: 513
  [2005/03/21 10:57:37, 2] auth/auth.c:check_ntlm_password(305)
    check_ntlm_password: authentication for user [root] - [root] - [root] succeeded
  [2005/03/21 10:57:37, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
    Returning domain sid for domain ARZURNT - S-1-5-21-1874299889-3982645529-2160850509
  [2005/03/21 10:57:37, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
    init_group_from_ldap: Entry found for group: 515
  [2005/03/21 10:57:37, 2] passdb/pdb_ldap.c:init_ldap_from_sam(929)
    init_ldap_from_sam: Setting entry for user: poil-barebone$
  [2005/03/21 10:57:37, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1552)
    ldapsam_modify_entry: Failed to modify user dn= uid=poil-barebone$,ou=Computers,dc=arzur,dc=local with: Insufficient access
  [2005/03/21 10:57:37, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1994)
    ldapsam_add_sam_account: failed to modify/add user with uid = poil-barebone$ (dn = uid=poil-barebone$,ou=Computers,dc=arzur,dc=local)
  [2005/03/21 10:57:37, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2272)
    could not add user/computer poil-barebone$ to passdb. Check permissions?
  [2005/03/21 10:57:38, 2] smbd/server.c:exit_server(575)
    Closing connections
  **

HELP! :-)
Thanks
[Samba] SAMBA3 + LDAP = PDC = ROUND 3!
Okay, I've upgraded samba; now I use the samba3.schema that comes with my SuSE 9.2.
So I deleted everything in /var/lib/ldap and in /var/lib/samba and redid smb-populate blablabla (from the howto http://samba.idealx.org/smbldap-howto.en.html).

So now when I would like to join my Samba domain:

  [2005/03/21 15:45:51, 2] auth/auth.c:check_ntlm_password(312)
    check_ntlm_password: Authentication for user [Administrator] - [root] FAILED with error NT_STATUS_NO_SUCH_USER

When I SSH to my box with login Administrator, it's okay! (no bash, /sbin/nologin)
I'm going to cry!

getent passwd:

  mastok:/etc/samba # getent passwd
  root:x:0:0:root:/root:/bin/bash
  ...
  Administrator:x:998:512:Netbios Domain Administrator:/home/data1/samba/Administrator:/sbin/nologin
  nobody:x:999:514:nobody:/dev/null:/sbin/nologin

vi /etc/samba/smbusers:

  root = administrator
RE: [Samba] SAMBA3 + LDAP = PDC = ROUND 3!
Hi,
Just my 2 cents. You're mapping administrator to root in your smbusers file. Try commenting out the "root = Administrator" admin line.
Best regards,
Bruno Guerreiro

-----Original Message-----
From: [EMAIL PROTECTED]
Sent: Monday, 21 March 2005 14:56
To: samba@lists.samba.org
Subject: [Samba] SAMBA3 + LDAP = PDC = ROUND 3!
Re: [Samba] SAMBA3 + LDAP = PDC = ROUND 3!
Thanks... Done.
Now when my Windows XP tries to join the domain: Accès refusé (Access Denied).

So my log, /var/lib/samba/log.poil-barebone:

  [2005/03/21 16:05:40, 2] lib/smbldap.c:smbldap_open_connection(692)
    smbldap_open_connection: connection opened
  [2005/03/21 16:05:40, 2] passdb/pdb_ldap.c:init_sam_from_ldap(518)
    init_sam_from_ldap: Entry found for user: Administrator
  [2005/03/21 16:05:40, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
    init_group_from_ldap: Entry found for group: 512
  [2005/03/21 16:05:40, 2] auth/auth.c:check_ntlm_password(305)
    check_ntlm_password: authentication for user [Administrator] - [Administrator] - [Administrator] succeeded
  [2005/03/21 16:05:40, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
    Returning domain sid for domain ARZUR-NT - S-1-5-21-1874299889-3982645529-2160850509
  [2005/03/21 16:05:40, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
    _samr_open_domain: ACCESS DENIED (requested: 0x0211)
  [2005/03/21 16:05:40, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
    Returning domain sid for domain ARZUR-NT - S-1-5-21-1874299889-3982645529-2160850509
  [2005/03/21 16:05:40, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
    _samr_create_user: ACCESS DENIED (granted: 0x0201; required: 0x0010)
  [2005/03/21 16:05:41, 2] smbd/server.c:exit_server(575)
    Closing connections

Any idea?

Bruno Guerreiro wrote:
Hi,
Just my 2 cents. You're mapping administrator to root in your smbusers file. Try commenting out the "root = Administrator" admin line.
Best regards,
Bruno Guerreiro

-----Original Message-----
From: [EMAIL PROTECTED]
Sent: Monday, 21 March 2005 14:56
To: samba@lists.samba.org
Subject: [Samba] SAMBA3 + LDAP = PDC = ROUND 3!
Re: [Samba] SAMBA3 + LDAP = PDC = ROUND 3!
Hi,
I think you will have to create the computer account in ldap using the smbldap-useradd.pl -w option before joining the system to the domain. As far as I know, Samba does not allow creating the computer account on the fly, i.e. when you're joining the system to the domain. If you have any idea about this then do let me know.

Thanks
Regards,
Mandar Kulkarni
Systems Administrator
Softcell Technologies Ltd.
[EMAIL PROTECTED]

[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
21/03/2005 08:44 PM
To: Bruno Guerreiro [EMAIL PROTECTED]
cc: samba@lists.samba.org
Subject: Re: [Samba] SAMBA3 + LDAP = PDC = ROUND 3!
RE: [Samba] SAMBA3 + LDAP = PDC = ROUND 3!
Yes, it does allow it... You must have in your smb.conf:

  add machine script = /path/to/smbldap-tools/smbldap-useradd -w %u

Best regards,
Bruno Guerreiro

-----Original Message-----
From: Mandar Kulkarni/PUN/IN/STTL [EMAIL PROTECTED]
Sent: Monday, 21 March 2005 15:40
To: [EMAIL PROTECTED]
Cc: Bruno Guerreiro; samba@lists.samba.org; [EMAIL PROTECTED]
Subject: Re: [Samba] SAMBA3 + LDAP = PDC = ROUND 3!

Hi,
I think you will have to create the computer account in ldap using the smbldap-useradd.pl -w option before joining the system to the domain. As far as I know, Samba does not allow creating the computer account on the fly, i.e. when you're joining the system to the domain. If you have any idea about this then do let me know.

Thanks
Regards,
Mandar Kulkarni
Systems Administrator
Softcell Technologies Ltd.
[EMAIL PROTECTED]

[EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
21/03/2005 08:44 PM
To: Bruno Guerreiro [EMAIL PROTECTED]
Subject: Re: [Samba] SAMBA3 + LDAP = PDC = ROUND 3!
[Samba] SAMBA3 + LDAP = PDC = ROUND 4 ;o)
Okay, I tried this:

  mastok:/etc/samba # smbldap-useradd root
  mastok:/etc/samba # smbldap-usermod -u 0 -g 0 root
  mastok:/etc/samba # smbldap-usermod -a root
  mastok:/etc/samba # smbldap-passwd root

  #
  Administrator:x:998:512:Netbios Domain Administrator:/home/data1/samba/Administrator:/sbin/nologin
  nobody:x:999:514:nobody:/dev/null:/sbin/nologin
  root:x:0:0:System User:/home/data1/samba/root:/sbin/nologin
  #

Connecting to the domain with account root. Computer account created:

  poil-barebone$:x:1005:515:Computer:/dev/null:/sbin/nologin

But Access Denied on my Windows computer :(

    check_ntlm_password: authentication for user [root] - [root] - [root] succeeded
  [2005/03/21 17:38:14, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
    Returning domain sid for domain ARZUR-NT - S-1-5-21-1874299889-3982645529-2160850509
  [2005/03/21 17:38:14, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
    init_group_from_ldap: Entry found for group: 515
  [2005/03/21 17:38:14, 2] passdb/pdb_ldap.c:init_ldap_from_sam(929)
    init_ldap_from_sam: Setting entry for user: poil-barebone$
  [2005/03/21 17:38:14, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1552)
    ldapsam_modify_entry: Failed to modify user dn= uid=poil-barebone$,ou=Computers,dc=arzur,dc=local with: Insufficient access
  [2005/03/21 17:38:14, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1994)
    ldapsam_add_sam_account: failed to modify/add user with uid = poil-barebone$ (dn = uid=poil-barebone$,ou=Computers,dc=arzur,dc=local)
  [2005/03/21 17:38:14, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2272)
    could not add user/computer poil-barebone$ to passdb. Check permissions?
  [2005/03/21 17:38:15, 2] smbd/server.c:exit_server(575)
Re: [Samba] SAMBA3 + LDAP = PDC = ROUND 4 ;o)
On Monday 21 March 2005 09:45, [EMAIL PROTECTED] wrote:
> Okay, I tried this:
>
>   mastok:/etc/samba # smbldap-useradd root
>   mastok:/etc/samba # smbldap-usermod -u 0 -g 0 root
>   mastok:/etc/samba # smbldap-usermod -a root
>   mastok:/etc/samba # smbldap-passwd root
>
>   #
>   Administrator:x:998:512:Netbios Domain Administrator:/home/data1/samba/Administrator:/sbin/nologin
>   nobody:x:999:514:nobody:/dev/null:/sbin/nologin
>   root:x:0:0:System User:/home/data1/samba/root:/sbin/nologin
>   #
>
> Connecting to the domain with account root. Computer account created:
>
>   poil-barebone$:x:1005:515:Computer:/dev/null:/sbin/nologin
>
> But Access Denied on my Windows computer :(
>
>     check_ntlm_password: authentication for user [root] - [root] - [root] succeeded
>   [2005/03/21 17:38:14, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
>     Returning domain sid for domain ARZUR-NT - S-1-5-21-1874299889-3982645529-2160850509
>   [2005/03/21 17:38:14, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
>     init_group_from_ldap: Entry found for group: 515
>   [2005/03/21 17:38:14, 2] passdb/pdb_ldap.c:init_ldap_from_sam(929)
>     init_ldap_from_sam: Setting entry for user: poil-barebone$
>   [2005/03/21 17:38:14, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1552)
>     ldapsam_modify_entry: Failed to modify user dn= uid=poil-barebone$,ou=Computers,dc=arzur,dc=local with: Insufficient access
                                                                                                               ^^^

It would appear that your Samba configuration does not permit write access to the LDAP server. Did you set the LDAP admin password? This is done using:

  smbpasswd -w 'secret'

- John T.

>   [2005/03/21 17:38:14, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1994)
>     ldapsam_add_sam_account: failed to modify/add user with uid = poil-barebone$ (dn = uid=poil-barebone$,ou=Computers,dc=arzur,dc=local)
>   [2005/03/21 17:38:14, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2272)
>     could not add user/computer poil-barebone$ to passdb. Check permissions?
>   [2005/03/21 17:38:15, 2] smbd/server.c:exit_server(575)

--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
RE: [Samba] SAMBA3 + LDAP = PDC = ROUND 4 ;o)
Hi,
Did you execute smbpasswd -w <ldap bind password>?
Another thing: you're trying to add your computer with the user root? This user, by default, doesn't belong to the Domain Admins group, at least not with the scripts provided by smbldap-tools. If so, try adding the machine using the Administrator account.
Best Regards,
Bruno Guerreiro

-----Original Message-----
From: [EMAIL PROTECTED]
Sent: Monday, 21 March 2005 16:46
To: samba@lists.samba.org
Subject: [Samba] SAMBA3 + LDAP = PDC = ROUND 4 ;o)
Re: [Samba] SAMBA3 + LDAP = PDC = ROUND 4 ;o)
smbpasswd -w is set. I tried entering a wrong password to see the error; the error is not the same (Invalid credential). I added a root user to see if it works, but it is the same error as with Administrator.

When joining with Administrator (Access Denied):

###
[2005/03/21 18:14:23, 2] lib/smbldap.c:smbldap_open_connection(692)
  smbldap_open_connection: connection opened
[2005/03/21 18:14:23, 2] passdb/pdb_ldap.c:init_sam_from_ldap(518)
  init_sam_from_ldap: Entry found for user: Administrator
[2005/03/21 18:14:23, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
  init_group_from_ldap: Entry found for group: 512
[2005/03/21 18:14:23, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [administrator] -> [administrator] -> [Administrator] succeeded
[2005/03/21 18:14:24, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
  Returning domain sid for domain ARZUR-NT -> S-1-5-21-1874299889-3982645529-2160850509
[2005/03/21 18:14:24, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED (requested: 0x0211)
[2005/03/21 18:14:24, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
  Returning domain sid for domain ARZUR-NT -> S-1-5-21-1874299889-3982645529-2160850509
[2005/03/21 18:14:24, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x0201; required: 0x0010)
[2005/03/21 18:14:24, 2] smbd/server.c:exit_server(575)
  Closing connections

Bruno Guerreiro wrote:

Hi,
Did you execute smbpasswd -w ldap bind password? Another thing: you're trying to add your computer with the user root? This user, by default, doesn't belong to the Domain Admins group, at least not with the scripts provided by smbldap-tools. If so, try adding the machine using the Administrator account.

Best Regards,
Bruno Guerreiro

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Monday, 21 March 2005 16:46
To: samba@lists.samba.org
Subject: [Samba] SAMBA3 + LDAP = PDC = ROUND 4 ;o)

Okay, I tried this:

  mastok:/etc/samba # smbldap-useradd root
  mastok:/etc/samba # smbldap-usermod -u 0 -g 0 root
  mastok:/etc/samba # smbldap-usermod -a root
  mastok:/etc/samba # smbldap-passwd root
  #
  Administrator:x:998:512:Netbios Domain Administrator:/home/data1/samba/Administrator:/sbin/nologin
  nobody:x:999:514:nobody:/dev/null:/sbin/nologin
  root:x:0:0:System User:/home/data1/samba/root:/sbin/nologin
  #

Connecting to the domain with account root. Computer account created:

  poil-barebone$:x:1005:515:Computer:/dev/null:/sbin/nologin

But Access Denied on my Windows computer :(

  check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
[2005/03/21 17:38:14, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2482)
  Returning domain sid for domain ARZUR-NT -> S-1-5-21-1874299889-3982645529-2160850509
[2005/03/21 17:38:14, 2] passdb/pdb_ldap.c:init_group_from_ldap(2057)
  init_group_from_ldap: Entry found for group: 515
[2005/03/21 17:38:14, 2] passdb/pdb_ldap.c:init_ldap_from_sam(929)
  init_ldap_from_sam: Setting entry for user: poil-barebone$
[2005/03/21 17:38:14, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1552)
  ldapsam_modify_entry: Failed to modify user dn= uid=poil-barebone$,ou=Computers,dc=arzur,dc=local with: Insufficient access
[2005/03/21 17:38:14, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1994)
  ldapsam_add_sam_account: failed to modify/add user with uid = poil-barebone$ (dn = uid=poil-barebone$,ou=Computers,dc=arzur,dc=local)
[2005/03/21 17:38:14, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2272)
  could not add user/computer poil-barebone$ to passdb. Check permissions?
[2005/03/21 17:38:15, 2] smbd/server.c:exit_server(575)

-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
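Added here as a worked example, not part of the thread and not a Samba or smbldap-tools script: a POSIX shell decoder for the ACCESS_MASK values smbd prints in the two ACCESS DENIED lines above. The bit names are the DOMAIN_* access rights of the SAMR domain object as documented in MS-SAMR; the two sample log lines inside the script are constructed copies of the lines in this post, and bits outside the documented domain-right range are reported as unknown rather than guessed.

```sh
#!/bin/sh
# Decode SAMR domain-object ACCESS_MASK values from smbd log lines such as
#   _samr_open_domain: ACCESS DENIED (requested: 0x0211)
#   _samr_create_user: ACCESS DENIED (granted: 0x0201; required: 0x0010)
# Bit names: DOMAIN_* rights from MS-SAMR 2.2.1.4. Higher (standard/generic)
# bits are printed as UNKNOWN_0x... so nothing is invented.

samr_domain_rights() {
  # $1: mask as hex (0x0211) or decimal. Prints one right name per line.
  mask=$(( $1 ))
  for pair in \
      1:DOMAIN_READ_PASSWORD_PARAMETERS 2:DOMAIN_WRITE_PASSWORD_PARAMS \
      4:DOMAIN_READ_OTHER_PARAMETERS 8:DOMAIN_WRITE_OTHER_PARAMETERS \
      16:DOMAIN_CREATE_USER 32:DOMAIN_CREATE_GROUP \
      64:DOMAIN_CREATE_ALIAS 128:DOMAIN_GET_ALIAS_MEMBERSHIP \
      256:DOMAIN_LIST_ACCOUNTS 512:DOMAIN_LOOKUP \
      1024:DOMAIN_ADMINISTER_SERVER; do
    bit=${pair%%:*}
    if [ $(( mask & bit )) -ne 0 ]; then
      printf '%s\n' "${pair#*:}"
      mask=$(( mask & ~bit ))
    fi
  done
  if [ "$mask" -ne 0 ]; then
    printf 'UNKNOWN_0x%08x\n' "$mask"
  fi
}

samr_missing_rights() {
  # $1: granted mask, $2: required mask (as printed by access_check_samr_function).
  # Prints the rights that were required but not granted.
  samr_domain_rights $(( $2 & ~$1 ))
}

explain_samr_denial() {
  # $1: one smbd log line. For the granted/required form prints the rights the
  # caller lacked; for the requested-only form prints what was asked for.
  line=$1
  granted=$(printf '%s\n' "$line" | sed -n 's/.*granted: *\(0x[0-9A-Fa-f]*\).*/\1/p')
  required=$(printf '%s\n' "$line" | sed -n 's/.*required: *\(0x[0-9A-Fa-f]*\).*/\1/p')
  requested=$(printf '%s\n' "$line" | sed -n 's/.*requested: *\(0x[0-9A-Fa-f]*\).*/\1/p')
  if [ -n "$granted" ] && [ -n "$required" ]; then
    echo "missing:"
    samr_missing_rights "$granted" "$required"
  elif [ -n "$requested" ]; then
    echo "requested:"
    samr_domain_rights "$requested"
  else
    echo "no ACCESS_MASK found in: $line" >&2
    return 1
  fi
}

# Constructed sample lines, copied in shape from the log in this post.
SAMPLE_OPEN='[2005/03/21 18:14:24, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93) _samr_open_domain: ACCESS DENIED (requested: 0x0211)'
SAMPLE_CREATE='[2005/03/21 18:14:24, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115) _samr_create_user: ACCESS DENIED (granted: 0x0201; required: 0x0010)'

if [ "${1:-}" = "--demo" ]; then
  explain_samr_denial "$SAMPLE_OPEN"
  explain_samr_denial "$SAMPLE_CREATE"
fi
```

Run it with --demo, or feed it real lines with `grep 'ACCESS DENIED' log.machine` and a loop. For the Administrator join above it reports DOMAIN_CREATE_USER as the missing right: NTLM authentication succeeded, then Samba's own check on the domain object refused the create, which is the group-membership question Bruno's reply raises. The root attempt earlier in the thread fails one layer lower: _samr_create_user got past the SAMR check and it was slapd that answered "Insufficient access" to the modify of uid=poil-barebone$,ou=Computers, so that one is a slapd ACL for the configured ldap admin dn, and no change of Samba group membership will fix it.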
Re: [Samba] Samba3 + LDAP - troubles joining domain (have to do it twice)
Gustavo Lima wrote:

Hi Tomasz,
Can you clarify something in your setup? How do you set up smbldap-tools and smb.conf on the BDC to work with both master and slave LDAP?

I don't have any BDC, I have only a PDC as it's enough for my needs. smb.conf doesn't have anything to do with choosing master or slave. It is done with smbldap-tools (0.85): in /etc/smbldap-tools there should be two config files. You can specify there a master and a slave (the master will be used for writing). In smb.conf the tools used for adding users or machines are configured; these tools are smbldap-useradd etc. They read their settings from /etc/smbldap-tools, and this is the whole mystery :) If you want, I can send these files anyway.

Tomek
[Samba] Samba3 + LDAP - troubles joining domain (have to do it twice)
Hello,

I have the following test setup:
1) Samba3 + slave OpenLDAP on the same PC, win2k in the same LAN
2) OpenLDAP master

OpenLDAP slave and master are divided by a rather slow internet VPN link. Whenever I want to add a PC to the domain, I have to do it twice: the first time I get an error on the client side, the second join is successful. I guess it's because master and slave are divided by a slow link, it takes some time to replicate from the master to the slave, and it all confuses Samba as it can't find the username (machine name) it just added.

I tried setting ldap replication sleep, started with 5000, and tried setting it as high as 10, but it didn't help. The only consequence of setting ldap replication sleep = 10 is that I have to wait a couple of minutes before it joins the domain when I try to do it for the second time (and it succeeds). With ldap replication sleep = 5000, it joins the domain in about 15 secs (when I join the domain for the second time). The first time I try to join the domain I get an error after about 10-12 seconds, no matter what value ldap replication sleep has.

I use smbldap-tools 0.85 for adding users/machines. Any clue?

Tomek
Re: [Samba] Samba3 + LDAP - troubles joining domain (have to do it twice)
The first time I try to join a domain I get an error after about 10-12 seconds, no matter what value ldap replication sleep has.

I have had this happen almost perfectly consistently on my network. To fix it, I've added a sleep line in the smbldap-tools scripts to make it wait. While this isn't foolproof, I get about a 75% success rate on the first try, probably more if I'd increase the wait. In smbldap_tools.pm, around line 380, I added the sleep line in this snippet:

    $add->code && warn "failed to add entry: ", $add->error;
    # take down the session
    $ldap_master->unbind;
    sleep(5);
    }

--
Paul Gienger                    Office: 701-281-1884
Applied Engineering Inc.
Systems Architect               Fax: 701-281-1322
URL: www.ae-solutions.com
mailto: [EMAIL PROTECTED]
Re: [Samba] Samba3 + LDAP - troubles joining domain (have to do it twice)
Paul Gienger wrote:

The first time I try to join a domain I get an error after about 10-12 seconds, no matter what value ldap replication sleep has.

I have had this happen almost perfectly consistently on my network. To fix it, I've added a sleep line in the smbldap-tools scripts to make it wait. While this isn't foolproof, I get about a 75% success rate on the first try, probably more if I'd increase the wait. In smbldap_tools.pm, around line 380, I added the sleep line in this snippet:

    $add->code && warn "failed to add entry: ", $add->error;
    # take down the session
    $ldap_master->unbind;
    sleep(5);
    }

OK, thanks for the hint, it worked :)

In case someone is using smbldap-tools 0.85, this change is around line 390 and looks like below (note there is no $ldap_master->unbind; and there is return 1;). I set it to 15, just in case:

    $add->code && warn "failed to add entry: ", $add->error;
    # take down the session
    sleep(15);
    return 1;
    }

Tomek
Re: [Samba] Samba3 + LDAP - troubles joining domain (have to do it twice)
In case someone is using smbldap-tools 0.85, this change is around line 390 and looks like below (note there is no $ldap_master->unbind; and there is return 1;). I set it to 15, just in case:

Hrm, I could've sworn that I was using 0.85... but I have been wrong before, just once.

It should be noted that you should make sure that LDAP is your issue before doing this, just so that you aren't masking the real issue. In my case you could watch the LDAP query come through while watching the samba logs, and you'd actually see samba asking for the sambaSamAccount entry before it replicated through to the slave. This sounds like your issue as well if your 'high latency link' is slow enough. If you're running a simple non-replicated setup, or if your slave isn't over a high(ish) latency link, I'd keep looking for other issues.

--
Paul Gienger                    Office: 701-281-1884
Applied Engineering Inc.
Systems Architect               Fax: 701-281-1322
URL: www.ae-solutions.com
mailto: [EMAIL PROTECTED]
Re: [Samba] Samba3 + LDAP - troubles joining domain (have to do it twice)
Paul Gienger wrote:

In case someone is using smbldap-tools 0.85, this change is around line 390 and looks like below (note there is no $ldap_master->unbind; and there is return 1;). I set it to 15, just in case:

Hrm, I could've sworn that I was using 0.85... but I have been wrong before, just once.

It should be noted that you should make sure that LDAP is your issue before doing this, just so that you aren't masking the real issue. In my case you could watch the LDAP query come through while watching the samba logs, and you'd actually see samba asking for the sambaSamAccount entry before it replicated through to the slave. This sounds like your issue as well if your 'high latency link' is slow enough. If you're running a simple non-replicated setup, or if your slave isn't over a high(ish) latency link, I'd keep looking for other issues.

I spent all of yesterday thinking about what could be wrong, and today the whole day trying to figure it out by changing different settings, watching logs, etc. I googled for people with a similar problem, but there weren't many; the only solution to the problem I had was this sleep added to smbldap-tools (thanks for that). In the logs I could see that Samba is complaining that it can't find the machine name [it just added] (the write goes to a remote master over a worst-case slow ADSL/VPN link, then it's replicated to the slave over the same link), so I think the approach of adding a sleep is good. But finally it works; sometimes I was thinking that those M$ guys talking about higher Linux TCO might be right :)

Tomek
Re: [Samba] Samba3 + LDAP - troubles joining domain (have to do it twice)
Paul Gienger wrote:

In case someone is using smbldap-tools 0.85, this change is around line 390 and looks like below (note there is no $ldap_master->unbind; and there is return 1;). I set it to 15, just in case:

Hrm, I could've sworn that I was using 0.85... but I have been wrong before, just once.

To be *perfectly* correct, I am using smbldap-tools 0.85-2.

Another approach to solve this problem could be to have some sort of machine-management naming scheme; what I mean is to have all machine names already in the LDAP database (pc001, pc002, pc003, etc.) *before* joining the domain.

Tomek
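An added example, not from this thread and not part of smbldap-tools: rather than a fixed sleep(15) in smbldap_tools.pm, let the add-machine step poll the slave for the new DN with a bounded timeout, so the join waits exactly as long as replication takes and still fails visibly if the entry never arrives. The slave URI, the suffix dc=example,dc=com, the anonymous read on the slave and the wrapper script name are assumptions for the example; smbldap-useradd -w is the real tool the thread uses.

```sh
#!/bin/sh
# Bounded wait for a freshly written LDAP entry to become visible on the slave
# that smbd reads from. Intended as the "add machine script" on the PDC.

wait_for_entry() {
  # $1: probe command (evaluated in this shell, must exit 0 once the entry is visible)
  # $2: timeout in seconds (default 30), $3: poll interval in seconds (default 1)
  probe=$1; timeout=${2:-30}; interval=${3:-1}
  elapsed=0
  while :; do
    if eval "$probe" >/dev/null 2>&1; then
      return 0
    fi
    if [ "$elapsed" -ge "$timeout" ]; then
      return 1            # give up: the join will report an error instead of hanging
    fi
    sleep "$interval"
    elapsed=$(( elapsed + interval ))
  done
}

# Probe: base-scope search for the exact DN on the slave. Succeeds only once the
# replicated entry exists there. Assumed: slave reachable at $SLAVE_URI (default
# the Samba host itself) and readable without a bind.
slave_has_dn() {
  ldapsearch -x -LLL -H "${SLAVE_URI:-ldap://127.0.0.1}" -b "$1" -s base \
      '(objectClass=*)' dn 2>/dev/null | grep -q '^dn:'
}

# Wrapper for smb.conf, e.g.
#   add machine script = /usr/local/sbin/add-machine-wait.sh '%u'
# $1 is the machine account name with or without the trailing '$'.
add_machine_and_wait() {
  name=${1%\$}
  smbldap-useradd -w "$name" || return 1
  # assumed suffix; adjust ou=Computers,dc=example,dc=com to the real tree
  wait_for_entry "slave_has_dn 'uid=${name}\$,ou=Computers,dc=example,dc=com'" 30 1
}

if [ "${1:-}" = "--add" ] && [ -n "${2:-}" ]; then
  add_machine_and_wait "$2"
fi
```

Samba's own ldap replication sleep is capped at 5000 ms, so it cannot cover a link slower than that, while a fixed sleep delays every join by the full period even when replication was quick. Polling costs one base-scope search per second and gives the join a clean failure when the slave never catches up. As Paul says in his reply, confirm first that replication lag really is the cause: in the smbd log you should see the sambaSamAccount search for the new machine before the slave's slapd logs the replicated add.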
[Samba] Samba3 + LDAP - w2k says it couldn't change password (but it did)
Hello,

I have the following test environment:
1) Samba PDC + OpenLDAP slave (192.168.1.2)
2) OpenLDAP master (192.168.1.1)

Whatever is changed/added on the master gets replicated to the slave.

Now, when a user is logged in and tries to change the password, he/she must supply the old password and the new one twice (normal behaviour). After pressing OK the user is told that the password wasn't changed, check BIG/small characters etc. (although the old password and the new one were correctly typed). However, the password was changed in the LDAP master and replicated to the slave, so after a logout the user can log in with the new password (though this user was told that the password wasn't changed).

This is what I have in log.machine with log level = 9:

[2004/11/02 15:24:20, 0] libsmb/smbencrypt.c:decode_pw_buffer(519)
  decode_pw_buffer: incorrect password length (-954408756).
[2004/11/02 15:24:20, 0] libsmb/smbencrypt.c:decode_pw_buffer(520)
  decode_pw_buffer: check that 'encrypt passwords = yes'

The log is the same whether I have encrypt passwords = yes or don't have it at all. Any clue?

Tomek
Re: [Samba] Samba3 + LDAP - w2k says it couldn't change password (but it did)
[EMAIL PROTECTED] wrote:

[2004/11/02 15:24:20, 0] libsmb/smbencrypt.c:decode_pw_buffer(519)
  decode_pw_buffer: incorrect password length (-954408756).
[2004/11/02 15:24:20, 0] libsmb/smbencrypt.c:decode_pw_buffer(520)
  decode_pw_buffer: check that 'encrypt passwords = yes'

I thought maybe it has something to do with the passwd sync program, as the output it gives is different from the examples hanging around. In the examples it is like below:

  passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*

In my case (I use smbldap-tools 0.85) it's like this:

  # /usr/local/sbin/smbpasswd
  Changing password for bella
  New password :
  Retype new password :
  #

So I changed this line to:

  passwd chat = *Changing*password*for*'%u'*\n *New*password* %n\n *Retype*new*password* %n\n*

And now it says I don't have the necessary permissions to change the password. Any clue?

Below is my smb.conf (passwd chat is like above, though; I tried other possibilities too):

[global]
  unix charset = LOCALE
  workgroup = MAGISTA
  netbios name = SERVER
  interfaces = eth0, lo
  bind interfaces only = Yes
  passdb backend = ldapsam:ldap://127.0.0.1
  #ldap filter = (uid=%u)
  username map = /etc/samba/smbusers
  log level = 9
  syslog = 0
  log file = /var/log/samba/log.%m
  max log size = 50
  smb ports = 139 445
  name resolve order = wins bcast hosts
  time server = Yes
  #printcap name = CUPS
  #show add printer wizard = No
  encrypt passwords = yes
  add user script = /usr/local/sbin/smbldap-useradd -a -m '%u'
  delete user script = /usr/local/sbin/smbldap-userdel '%u'
  add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
  delete group script = /usr/local/sbin/smbldap-groupdel '%g'
  add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'
  delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u' '%g'
  set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
  # must be %m, contrary to what HOWTOs say (they say %u)
  add machine script = /usr/local/sbin/smbldap-useradd -w '%m'
  ;password sync
  passwd program = /usr/local/sbin/smbldap-passwd %u
  # passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*
  passwd chat = *New*password* %n\n *Retype*new*password* %n\n
  unix password sync = Yes
  logon script = scripts\logon.bat
  logon path = \\%L\profiles\%U
  logon drive = U:
  domain logons = Yes
  preferred master = Yes
  wins support = Yes
  ldap suffix = dc=magista,dc=de
  ldap machine suffix = ou=Computers
  ldap user suffix = ou=Users
  ldap group suffix = ou=Groups
  ldap idmap suffix = ou=Idmap
  ldap admin dn = cn=replica,dc=magista,dc=de
  ldap replication sleep = 5000
  idmap backend = ldap:ldap://127.0.0.1
  idmap uid = 1000-2
  idmap gid = 500-2
  map acl inherit = Yes
  #printing = cups
  #printer admin = Administrator, chrisr

[Shared]
  path = /home/samba/shared
  comment = Shared folder
  browseable = yes
  writeable = yes
  create mask = 1666
  directory mask = 1777

[profiles]
  path = /home/samba/profiles
  writeable = yes
  browseable = no
  create mask = 0600
  directory mask = 0700

[netlogon]
  comment = Network Logon Service
  path = /home/netlogon
  read only = yes
  browseable = no
  write list = tom

[unattended]
  comment = Installation Sources
  path = /home/unattended
  read only = yes
  browseable = no
  valid users = unattended
[Samba] samba3 / ldap / idealx smbldap-tools / roaming profile
hi list,

i am having problems with the smbldap-populate script from idealx. we are using a samba3 server with openldap. we don't want roaming profiles for our users, so in smb.conf i set:

  logon path =
  logon drive = H   # just for homedirs, not for profiles; we don't want roaming profiles
  logon home =

in the configuration file for the smbldap-tools (smbldap_conf.pm) it says:

  # Just comment this if you want to use the smb.conf 'logon path' directive
  # and/or disabling roaming profiles
  #$_userProfile = q(ARTEMIS\\profiles\\);

if we comment out $_userProfile like above, i get an error message when executing the smbldap-populate.pl script:

  adding new entry: uid=Administrator,ou=People,dc=eu,dc=xxx,dc=com
  failed to add entry: sambaprofilepath: value #0 invalid per syntax at /cluster/etc-o1/samba/bin/smbldap-populate.pl line 323, GEN1 line 6.
  adding new entry: uid=nobody,ou=People,dc=eu,dc=xxx,dc=com
  failed to add entry: sambaprofilepath: value #0 invalid per syntax at /cluster/etc-o1/samba/bin/smbldap-populate.pl line 323, GEN1 line 7.

and neither the administrator nor nobody is added to the ldap db. what is the problem here? any ideas? we use the samba rpms for suse linux enterprise server 8 from ftp.sernet.com

regards, gnjb
Re: [Samba] Samba3 - LDAP - USRMGR.EXE
boka [EMAIL PROTECTED] 27.07.2004 12:50
To: [EMAIL PROTECTED]
cc:
Subject: Re: [Samba] Samba3 - LDAP - USRMGR.EXE

Could you send me the solution if you get one?

Sure, if I have one.

greetz chris
[Samba] Samba3-LDAP PDC and SUSE OpenExchange
Hi all,

I have set up a Samba3 PDC and BDC with an LDAP backend to replace my current NT 4.0 infrastructure. This configuration is working fine. I am also testing integration of SuSE OpenExchange and would like to have it authenticate logons via the domain LDAP database. From my preliminary testing I have found that OpenExchange attempts an LDAP search for some information regarding the cyrus user (PreferredLanguage, to be exact) during loading of the login page via the webmail interface. I do see the search request hit the PDC LDAP server, but because of the differences between the directory structure OpenExchange is looking for and mine, this obviously fails.

Has anyone taken this on or have some input? I know this is probably more of an OpenExchange question, but I wanted to see if the Samba community has spent any time on this. I am assuming at this point it will take source modifications of the OpenExchange code, but I am not sure.

-- this message has been intercepted
[Samba] Samba3 + LDAP
Hi,

Is there any way to make it so that Samba3 with an LDAP backend doesn't need to create local Linux accounts to work?

Thanks.
Re: [Samba] Samba3 + LDAP
Is there any way to make it so that Samba3 with an LDAP backend doesn't need to create local Linux accounts to work? Thanks.

You *NEED* a POSIX account for each CIFS account, no way around that. Just use NSS and store the POSIX accounts in LDAP along with the CIFS accounts.
RE: [Samba] Samba3 + LDAP
You *NEED* a POSIX account for each CIFS account, no way around that. Just use NSS and store the POSIX accounts in LDAP along with the CIFS accounts.

Unless you have winbind configured and a Windows NT/2000/2003 domain with all the accounts in it. If you have that, you could then install Services for Unix on the Windows domain controller and set up each account. Theoretically it should work, although I never actually got it to. Apparently some people on this list have.

Shannon
Re: [Samba] Samba3 + LDAP
- Original Message -
From: Adam Tauno Williams [EMAIL PROTECTED]
To: Gregory Chagnon [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Saturday, May 29, 2004 5:20 PM
Subject: Re: [Samba] Samba3 + LDAP

Is there any way to make it so that Samba3 with an LDAP backend doesn't need to create local Linux accounts to work? Thanks.

You *NEED* a POSIX account for each CIFS account, no way around that. Just use NSS and store the POSIX accounts in LDAP along with the CIFS accounts.

I was thinking this myself. Does this mean that it would be impossible to create a virtual Samba server? I currently use Slackware, which does not use PAM, so LDAP through NSS I don't think is possible for me.

Regards
Lee
Re: [Samba] Samba3 + LDAP
Does this mean that it would be impossible to create a virtual Samba server? I currently use Slackware, which does not use PAM, so LDAP through NSS I don't think is possible for me.

Nah. You don't need PAM. But NSS is part of glibc, so it would be amazing if you couldn't use the posixAccounts/posixGroups in LDAP.
Re: [Samba] Samba3 + LDAP
- Original Message -
From: Adam Tauno Williams [EMAIL PROTECTED]
To: Lee W [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Saturday, May 29, 2004 9:32 PM
Subject: Re: [Samba] Samba3 + LDAP

Does this mean that it would be impossible to create a virtual Samba server? I currently use Slackware, which does not use PAM, so LDAP through NSS I don't think is possible for me.

Nah. You don't need PAM. But NSS is part of glibc, so it would be amazing if you couldn't use the posixAccounts/posixGroups in LDAP.

Apologies if this sounds like I am contradicting you, but I have just looked at padl.com (the people who do nss_ldap) and they do say that Linux with Linux-PAM is a requirement. Are you referring to a different implementation?

Thanks again
Lee
Re: [Samba] Samba3 + LDAP
Does this mean that it would be impossible to create a virtual Samba server? I currently use Slackware, which does not use PAM, so LDAP through NSS I don't think is possible for me.

Nah. You don't need PAM. But NSS is part of glibc, so it would be amazing if you couldn't use the posixAccounts/posixGroups in LDAP.

Apologies if this sounds like I am contradicting you, but I have just looked at padl.com (the people who do nss_ldap) and they do say that Linux with Linux-PAM is a requirement. Are you referring to a different implementation?

Do you have an nsswitch.conf file in /etc (or somewhere)? If not, then they've extracted NSS, and probably your only option is to use something like a NIS/LDAP gateway (beyond the scope of this list) or switch distributions.
Re: [Samba] samba3-ldap cannot add win2k/XP workstations
Hello,

i have samba 3.0.2a, openldap 2.1.27, redhat linux 9. i have a samba PDC; i can add user accounts and log in with these accounts into windows 98, but after i create a machine account i cannot add a windows 2K machine to the domain. the name of the windows 2K workstation is added as a machine account in ldap. this error message appears when trying to add the workstation to the domain:

--- begin ---
The following error occurred attempting to join the domain smb: The user name could not be found
--- end ---

have you added the machine correctly? machinename$

matze
[Samba] samba3-ldap cannot add win2k/XP workstations
hi,

i have samba 3.0.2a, openldap 2.1.27, redhat linux 9. i have a samba PDC; i can add user accounts and log in with these accounts into windows 98, but after i create a machine account i cannot add a windows 2K machine to the domain. the name of the windows 2K workstation is added as a machine account in ldap. this error message appears when trying to add the workstation to the domain:

--- begin ---
The following error occurred attempting to join the domain smb: The user name could not be found
--- end ---

the root account is added into ldap.
[Samba] samba3-ldap and unix password sync
hi,

in the beginning i want to say that i have a working samba-ldap PDC (samba 3.0.2a, openldap 2.1.27, redhat linux 9; why redhat? because slackware doesn't use pam and i didn't find a way to make samba-ldap work without pam).

i want to synchronize the user password from samba (this is the mail password too; i use qmail-ldap) with the user password on a database server (the user is the same). i have been working on this for a week. for this i made a script in perl, and when i change the samba (and mail) password i want to execute this script and change the password in the database. if i don't want this synchronization, all of this works great.

i was thinking that if i use the attributes unix password sync, passwd program and passwd chat i can do this. but when unix password sync is activated and i try changing the samba password from windows (98/2K/XP) it doesn't work; i receive the message "You do not have permission to change your password." in my tests i used even a very simple script (create a file and write user+password), and i came to a conclusion: it doesn't matter what script i use, the unix password sync attribute is my problem :))

i don't want to make and use some cgi (perl) script and change passwords from a web interface. i don't want my users to be confused by having more than one method to change their password.

thanks,
Mihai
[Samba] SAMBA3 - LDAP
Hello!

I have this configuration: 1st server (incl. openldap). On this server I do my user and group management with smbldap-tools. It works great; the users, groups and machine accounts are stored in my ldap db. This server is not a PDC!!

Now I want to set up a 2nd server. I want to connect this Samba server to the ldap db of the 1st server.

Now, the good news: the users work. With smbpasswd from the 2nd server I can change the password of the users in my ldap db on the 1st server. But the group setting (no unix group, only an ldap group) doesn't work.

In my ldap db (1st server) there is one user, smbuser, and one group, normal. On my 1st server it works for a share with valid users = @normal. On my 2nd server there is also a share with valid users = @normal. When I now connect to the share on the 2nd server, the error message is:

  tree connect failed: NT_STATUS_ACCESS_DENIED

If I change the valid users parameter to valid users = smbuser, everything is fine.

Any hint?

Greetings/thanx
Stefan
Re: [Samba] SAMBA3 - LDAP
On the second server, check with getent group whether the group normal is present on the second server; if not, then check your /etc/nsswitch.conf.

regards
odi

On Fri, 27.02.2004 at 14:08, Stefan Bergner wrote:

Hello!

I have this configuration: 1st server (incl. openldap). On this server I do my user and group management with smbldap-tools. It works great; the users, groups and machine accounts are stored in my ldap db. This server is not a PDC!!

Now I want to set up a 2nd server. I want to connect this Samba server to the ldap db of the 1st server.

Now, the good news: the users work. With smbpasswd from the 2nd server I can change the password of the users in my ldap db on the 1st server. But the group setting (no unix group, only an ldap group) doesn't work.

In my ldap db (1st server) there is one user, smbuser, and one group, normal. On my 1st server it works for a share with valid users = @normal. On my 2nd server there is also a share with valid users = @normal. When I now connect to the share on the 2nd server, the error message is:

  tree connect failed: NT_STATUS_ACCESS_DENIED

If I change the valid users parameter to valid users = smbuser, everything is fine.

Any hint?

Greetings/thanx
Stefan
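An added example, not from either thread and not Samba's own code, for the two NSS points made above (Adam's "you need a POSIX account, resolve it through NSS" and odi's "check with getent group"): a small shell script to run on the Samba server that makes the same passwd and group lookups smbd makes through NSS (getpwnam/getgrnam) and states whether a user would get through valid users = @group. getent is the real tool; the flat-file fallback for hosts without it is an assumption added for portability and, as the comment says, does not exercise nsswitch.conf at all.

```sh
#!/bin/sh
# Check, through the same NSS lookups smbd makes, that a user and a group
# resolve on THIS host and whether the user would satisfy "valid users = @group".
# Run on the Samba server (not the LDAP server): that is where nsswitch.conf and
# nss_ldap must be right.

nss_lookup() {
  # $1: passwd|group, $2: name. Prints the resolved entry line or returns 1.
  if command -v getent >/dev/null 2>&1; then
    getent "$1" "$2"
  else
    # assumption: fallback for hosts without getent; reads the flat files only,
    # so it does NOT exercise nsswitch.conf or nss_ldap.
    grep "^$2:" "/etc/$1"
  fi
}

nss_user_exists()  { nss_lookup passwd "$1" >/dev/null 2>&1; }
nss_group_exists() { nss_lookup group  "$1" >/dev/null 2>&1; }

user_in_group() {
  # $1: user, $2: group. True if the group is the user's primary group
  # (gidNumber) or lists the user as a member (memberUid in LDAP terms).
  gline=$(nss_lookup group "$2" 2>/dev/null) || return 1
  uline=$(nss_lookup passwd "$1" 2>/dev/null) || return 1
  gid=$(printf '%s\n' "$gline" | cut -d: -f3)
  members=$(printf '%s\n' "$gline" | cut -d: -f4)
  pgid=$(printf '%s\n' "$uline" | cut -d: -f4)
  [ "$pgid" = "$gid" ] && return 0
  printf ',%s,\n' "$members" | grep -q ",$1,"
}

check_valid_users_group() {
  # $1: user, $2: group as written after the @ in "valid users = @group".
  # Prints a diagnosis; exit status 0 only when the user would be admitted.
  if ! nss_user_exists "$1"; then
    echo "user $1 does not resolve: check the passwd: line in /etc/nsswitch.conf and nss_ldap"
    return 1
  fi
  if ! nss_group_exists "$2"; then
    echo "group $2 does not resolve: check the group: line in /etc/nsswitch.conf (tree connect will fail with NT_STATUS_ACCESS_DENIED)"
    return 2
  fi
  if ! user_in_group "$1" "$2"; then
    echo "user $1 resolves but is not a member of $2 (neither memberUid nor primary gidNumber)"
    return 3
  fi
  echo "ok: $1 would pass valid users = @$2"
}

if [ $# -eq 2 ]; then
  check_valid_users_group "$1" "$2"
fi
```

Usage on Stefan's second server would be `sh check-valid-users.sh smbuser normal`. A user that resolves while the group does not is exactly the split he describes: valid users = smbuser works because only the passwd lookup is needed, while @normal needs the group lookup, which nothing in Samba performs for you if the host's group: line in nsswitch.conf does not include ldap.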
[Samba] Samba3 Ldap on Suse 8.2
Hi,

I can't get a Windows 2000 SP4 client to log in on my PDC (Samba server). Here is some info about the server: Samba version 3.0.2pre1 running on Suse 8.2 with an OpenLDAP server version 2.1.12, nss_ldap and pam_ldap. I constantly get the message "User / Password is wrong" from the client. The root user is created. Here are the debug messages I get, starting with the LDAP and SMBD logs:

###log.ldap###
Jan 16 16:01:05 tiger4 slapd[2813]: conn=37 fd=15 ACCEPT from IP=10.100.1.4:32863 (IP=:: 389)
Jan 16 16:01:05 tiger4 slapd[2894]: conn=37 op=0 BIND dn="cn=Manager,dc=samba,dc=local" method=128
Jan 16 16:01:05 tiger4 slapd[2894]: conn=37 op=0 AUTHZ dn="cn=Manager,dc=samba,dc=local" mech=simple ssf=0
Jan 16 16:01:05 tiger4 slapd[2894]: conn=37 op=0 RESULT tag=97 err=0 text=
Jan 16 16:01:05 tiger4 slapd[2875]: conn=37 op=1 SRCH base="dc=samba,dc=local" scope=2 filter="(&(objectClass=sambaDomain)(sambaDomainName=SAMBA))"
Jan 16 16:01:05 tiger4 slapd[2875]: conn=37 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 16 16:01:05 tiger4 slapd[2851]: conn=37 op=2 SRCH base="dc=samba,dc=local" scope=2 filter="(&(&(uid=root)(objectClass=sambaSamAccount))(objectClass=sambaSamAccount))"
Jan 16 16:01:05 tiger4 slapd[2851]: conn=37 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan 16 16:01:05 tiger4 slapd[2813]: conn=37 fd=15 closed
###log.ldap end###

###log.machine###
[2004/01/16 16:01:05, 6] param/loadparm.c:lp_file_list_changed(2670)
  lp_file_list_changed() file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Fri Jan 16 16:00:33 2004
[2004/01/16 16:01:05, 5] smbd/connection.c:claim_connection(170)
  claiming 0
[2004/01/16 16:01:05, 5] smbd/reply.c:reply_special(154)
  init msg_type=0x81 msg_flags=0x0
[2004/01/16 16:01:05, 6] lib/util_sock.c:write_socket(407)
  write_socket(5,4)
[2004/01/16 16:01:05, 6] lib/util_sock.c:write_socket(410)
  write_socket(5,4) wrote 4
[2004/01/16 16:01:05, 10] lib/util_sock.c:read_smb_length_return_keepalive(463)
  got smb length of 133
[2004/01/16 16:01:05, 6]
smbd/process.c:process_smb(889) got message type 0x0 of len 0x85 [2004/01/16 16:01:05, 3] smbd/process.c:process_smb(890) Transaction 1 of length 137 [2004/01/16 16:01:05, 5] lib/util.c:show_msg(456) [2004/01/16 16:01:05, 5] lib/util.c:show_msg(466) size=133 smb_com=0x72 smb_rcls=0 smb_reh=0 smb_err=0 smb_flg=24 smb_flg2=51283 smb_tid=0 smb_pid=65279 smb_uid=0 smb_mid=0 smt_wct=0 smb_bcc=98 [2004/01/16 16:01:05, 10] lib/util.c:dump_data(1830) [000] 02 50 43 20 4E 45 54 57 4F 52 4B 20 50 52 4F 47 .PC NETW ORK PROG [010] 52 41 4D 20 31 2E 30 00 02 4C 41 4E 4D 41 4E 31 RAM 1.0. .LANMAN1 [020] 2E 30 00 02 57 69 6E 64 6F 77 73 20 66 6F 72 20 .0..Wind ows for [030] 57 6F 72 6B 67 72 6F 75 70 73 20 33 2E 31 61 00 Workgrou ps 3.1a. [040] 02 4C 4D 31 2E 32 58 30 30 32 00 02 4C 41 4E 4D .LM1.2X0 02..LANM [050] 41 4E 32 2E 31 00 02 4E 54 20 4C 4D 20 30 2E 31 AN2.1..N T LM 0.1 [060] 32 00 2. [2004/01/16 16:01:05, 3] smbd/process.c:switch_message(685) switch message SMBnegprot (pid 2980) [2004/01/16 16:01:05, 3] smbd/sec_ctx.c:set_sec_ctx(288) setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0 [2004/01/16 16:01:05, 5] auth/auth_util.c:debug_nt_user_token(486) NT user token: (NULL) [2004/01/16 16:01:05, 5] auth/auth_util.c:debug_unix_user_token(505) UNIX token of user 0 Primary group is 0 and contains 0 supplementary groups [2004/01/16 16:01:05, 5] smbd/uid.c:change_to_root_user(218) change_to_root_user: now uid=(0,0) gid=(0,0) [2004/01/16 16:01:05, 3] smbd/negprot.c:reply_negprot(455) Requested protocol [PC NETWORK PROGRAM 1.0] [2004/01/16 16:01:05, 3] smbd/negprot.c:reply_negprot(455) Requested protocol [LANMAN1.0] [2004/01/16 16:01:05, 3] smbd/negprot.c:reply_negprot(455) Requested protocol [Windows for Workgroups 3.1a] [2004/01/16 16:01:05, 3] smbd/negprot.c:reply_negprot(455) Requested protocol [LM1.2X002] [2004/01/16 16:01:05, 3] smbd/negprot.c:reply_negprot(455) Requested protocol [LANMAN2.1] [2004/01/16 16:01:05, 3] smbd/negprot.c:reply_negprot(455) Requested protocol [NT LM 
0.12] [2004/01/16 16:01:05, 10] lib/util.c:set_remote_arch(1805) set_remote_arch: Client arch is 'Win2K' [2004/01/16 16:01:05, 6] param/loadparm.c:lp_file_list_changed(2670) lp_file_list_changed() file /etc/samba/smb.conf - /etc/samba/smb.conf last mod_time: Fri Jan 16 16:00:33 2004 [2004/01/16 16:01:05, 6] param/loadparm.c:lp_file_list_changed(2670) lp_file_list_changed() file /etc/samba/smb.conf - /etc/samba/smb.conf last mod_time: Fri Jan 16 16:00:33 2004 [2004/01/16 16:01:05, 3] smbd/negprot.c:reply_nt1(329) using SPNEGO [2004/01/16 16:01:05, 3] smbd/negprot.c:reply_negprot(532) Selected protocol NT LM 0.12 [2004/01/16 16:01:05, 5] smbd/negprot.c:reply_negprot(538) negprot index=5 [2004/01/16 16:01:05, 5] lib/util.c:show_msg(456) [2004/01/16 16:01:05, 5] lib/util.c:show_msg(466) size=127 smb_com=0x72 smb_rcls=0
Re: [Samba] Samba3+LDAP configuration... PLEASEEE
Hi,

Go to samba.idealx.org and you'll find a howto and a script to generate what you need.

th

Áncor González Sosa wrote:

I've spent days trying to get a Samba3 PDC configuration. It almost works now, but I have experienced a lot of problems, and my configuration is still FAR from perfect. I have no more time left, so I'm looking for somebody to share his/her configuration files with me.

This is what I'm setting up: a Samba 3.0.0 PDC with LDAP backend. The same LDAP users and groups as valid Unix users/groups (posixAccounts and posixGroups), so I can log in on Linux clients using LDAP as the user database (I have nsswitch and PAM_LDAP properly configured on the PDC). Windows 2000 Pro and Linux clients. I want to manage the users and groups in the domain with usrmgr.exe from M$.

Well, I think that's all. I would like somebody out there with this configuration working to send me his/her: LDAP schema, LDAP tree (slapcat output), smb.conf, scripts used to add users, remove machines, etc., /etc/passwd and /etc/group (though these files should be clean of Samba stuff), and any other thing involved in some way in the server configuration. Of course, I don't need the whole tree (just some users and groups, including root/administrator), but you can send it to me if you don't mind. I don't need real usernames, the domain name or passwords. Please send me EVERYTHING; don't tell me things like "I use the default scripts", just send me your scripts and files. Of course, you don't have to send the files to the list, just to my address.

Well, that's all, I think. I need this working as soon as possible and I can't spend hours fixing a lot of small mistakes in my LDAP/Samba 3 configuration.

Thank you VERY much.

Greetings
[Samba] Samba3+LDAP configuration... PLEASEEE
I've spent days trying to get a Samba3 PDC configuration. It almost works now, but I have experienced a lot of problems and now my configuration is still FAR from perfect. I have no more time left so I'm looking for somebody to share his/her configuration files with me. That is what I'm setting: Samba 3.0.0 PDC with LDAP backend. The same LDAP users and groups as valid Unix users/groups (posixAccounts and posixGroups), so I can login in Linux clients using the LDAP as user database (I have nsswitch and PAM_LDAP properly configured in the PDC). Windows2000 Pro and Linux clients. I want to manage the users and groups in the domain with usrmgr.exe from M$. Well, I think that's all. I would like somebody out there with this configuration working to send me his/her: LDAP schema, LDAP tree (slapcat output), smb.conf, scripts used to add user, remove machine, etc. /etc/passwd and /etc/group (though these files should be clean of Samba stuff), any other thing involved in some way in the server configuration. Of course, I don't need the whole tree (just some users and groups, including root/administrator), but you can send it to me if you don't mind. I don't need real usernames, domain name or passwords. Please, send me EVERYTHING, don't tell me things like I use the default scripts, just send me your scripts and files. Of course, you don't have to send the files to the list, just to my address. Well, that's all, I think. I need this working as soon as possible and I can't spend hours fixing a lot of small mistakes in my LDAP/Samba 3 configuration. Thank you VERY much. Greetings -- Registered user #239475 Áncor González Sosa [EMAIL PROTECTED] Debian GNU/Linux 3.0 (Woody)
Re: [Samba] samba3/ldap/net groupmap fails
Hi On Thu, Dec 11, 2003 at 06:17:30PM -0500, John Campbell wrote: On Thu, 2003-12-11 at 16:18, Fabien Chevalier wrote: I suppose it must work the same way ... Would you mind trying to add passwd backend = tdbsam ldapsam:ldap://server and try a net groupmap list? i just tried it, and now get the list of domain groups i would expect. now the trouble is the profiles don't load properly on the clients. they got logged in with a temp profile. the samba logs for my test system show: . are you suggesting this may be a problem with samba3? because i've been trying to resolve this issue for several days now, thinking there must be a problem with our ldap setup. somehow, it seems strange that this could be a problem with samba. we thought that perhaps samba didn't like something in our ldap. surely others are able to get the ntgroups to show correctly with ldapsam as the first backend, otherwise no one would have a working samba3/ldap setup. We use samba3+openldap 2.1 correctly. net groupmapping also works correctly. Is your samba.schema up to date? What is the ldap version? Did you try omitting the SID value? putting tdbsam as the first backend allows for ntgroups, but since we don't use it, none of our profiles load if we do this. users get stuck with temp profiles. this is driving me bonkers:-) --john
Re: [Samba] samba3/ldap/net groupmap fails
Hi: I have just got this working a little. Mandrake cooker: samba 3.0.1rc1: openldap 2.1.23, just for test. Here is my smb.conf:

log level = 1 passdb:10 auth:10 winbind:0
ldap suffix = o=xxx
ldap admin dn = cn=root,o=xxx
#ldap server = 127.0.0.1
#ldap port = 389
ldap machine suffix = ou=Computer
ldap user suffix = ou=People
ldap group suffix = ou=Group
#ldap idmap suffix = ou=People

You also need to do a little ldap log analysis: SLAPDSYSLOGLEVEL=256 in /etc/sysconfig/ldap. After I looked deep into those ldap logs, I think there MUST exist a nobody (guest) UID/GID. In your DEBUG log, there is a UID of 4G-1, which I think can't map to a real UID. As for me, user nobody: uidNumber=65534 gidNumber=65534, group nobody: gidNumber=65534. http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html is good for reference.
Re: [Samba] samba3/ldap/net groupmap fails
Friday, December 12, 2003, 6:17:30 AM, John wrote: I don't understand why it is like this... Fabien are you suggesting this may be a problem with samba3? because i've been trying to resolve this issue for several days now, thinking there must be a problem with our ldap setup. somehow, it seems strange that this could be a problem with samba. we thought that perhaps samba didn't like something in our ldap. surely others are able to get the ntgroups to show correctly with ldapsam as the first backend, otherwise no one would have a working samba3/ldap setup. putting tdbsam as the first backend allows for ntgroups, but since we don't use it, none of our profiles load if we do this. users get stuck with temp profiles. this is driving me bonkers:-) Hi, 1. you must create group mapping manually. 2. the unix group you're assigning to Domain Admins MUST be in ldap (not in /etc/group). i.e. root# net groupmap modify rid=512 -d1 ntgroup=Domain Admins unixgroup=domadmin the domadmin group must be stored in ldap, not /etc/group. i found a lot of typos or incorrect info in the smb howto collection, i've ordered the printable version on amazon, hopefully it has different content than the online version. --john --beast
Re: [Samba] samba3/ldap/net groupmap fails
We use samba3+openldap 2.1 correctly. net groupmapping also works correctly. Is your samba.schema up to date? What is the ldap version? In my case I use OpenLDAP 2.1.23, with Samba 3.0.0 schemas. 'net groupmapping' works fine except you don't have default mappings when using an ldap backend as first backend, i.e.:

with passwd backend = tdbsam ldapsam_compat://...

dc-sorral-05:~# net groupmap list
System Operators (S-1-5-32-549) - -1
Replicators (S-1-5-32-552) - -1
Guests (S-1-5-32-546) - -1
Domain Users (S-1-5-21-50507076-2264231353-679752913-513) - -1
Power Users (S-1-5-32-547) - -1
Print Operators (S-1-5-32-550) - -1
Administrators (S-1-5-32-544) - -1
Account Operators (S-1-5-32-548) - -1
Domain Guests (S-1-5-21-50507076-2264231353-679752913-514) - -1
Backup Operators (S-1-5-32-551) - -1
Users (S-1-5-32-545) - -1
Domain Admins (S-1-5-21-50507076-2264231353-679752913-512) - -1
dc-sorral-05:~#

with passwd backend = ldapsam_compat:// tdbsam ...

dc-sorral-05:~# net groupmap list
Domain Users (S-1-5-21-50507076-2264231353-679752913-513) - utilisateurs
Domain Admins (S-1-5-21-50507076-2264231353-679752913-512) - sambaadmin
Domain Guests (S-1-5-21-50507076-2264231353-679752913-514) - guests
dc-sorral-05:~#

But you can still create mappings if you want (provided the unix group is stored in ldap and not in /etc/groups) Regards, Fabien Chevalier
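An added example, not code from this thread or from Samba: it parses `net groupmap list` output in the format shown above together with `getent group` lines, and for each domain group still shown as -1 either emits the `net groupmap add sid=... type=domain` command form that appears in this thread or reports why the mapping would fail (the unix group not resolving through NSS, which is what a `gidNumber=4294967295`, i.e. (gid_t)-1, search in the debug log means). The sample output, the `getent group` lines and the RID-to-unix-group choices in `INTENDED_UNIX_GROUP` are constructed assumptions.

```python
import re

# (gid_t)-1 as an unsigned 32-bit number. This is the gidNumber Samba searched for
# in the thread's debug log when the unix group name could not be resolved by NSS.
GID_UNRESOLVED = 4294967295

# Constructed sample in the format `net groupmap list` prints on this page:
# "<NT group> (<SID>) - <unix group or -1>". Prompt lines are ignored by the parser.
SAMPLE_GROUPMAP_LIST = """\
dc-sorral-05:~# net groupmap list
Domain Users (S-1-5-21-50507076-2264231353-679752913-513) - -1
Domain Admins (S-1-5-21-50507076-2264231353-679752913-512) - sambaadmin
Domain Guests (S-1-5-21-50507076-2264231353-679752913-514) - -1
Administrators (S-1-5-32-544) - -1
dc-sorral-05:~#
"""

# Constructed `getent group` lines: the groups NSS (nss_ldap) can actually resolve.
# "guests" is deliberately absent to show the failure case.
SAMPLE_GETENT_GROUP = """\
sambaadmin:x:512:
utilisateurs:x:513:
"""

# Hypothetical choice of unix group per well-known domain RID (512/513/514).
INTENDED_UNIX_GROUP = {512: "sambaadmin", 513: "utilisateurs", 514: "guests"}

MAPPING_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-1-5(?:-\d+)+)\) - (?P<unix>.+)$")


def parse_groupmap_list(text):
    """Parse `net groupmap list` output into (ntgroup, sid, unixgroup-or-None) tuples."""
    rows = []
    for line in text.splitlines():
        m = MAPPING_RE.match(line.strip())
        if m:
            unix = None if m.group("unix") == "-1" else m.group("unix")
            rows.append((m.group("nt"), m.group("sid"), unix))
    return rows


def parse_getent_group(text):
    """Parse `getent group` lines into {group name: gid}."""
    gids = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2].isdigit():
            gids[parts[0]] = int(parts[2])
    return gids


def rid_of(sid):
    """Last sub-authority of a SID, e.g. ...-512 -> 512."""
    return int(sid.rsplit("-", 1)[1])


def is_domain_sid(sid):
    """S-1-5-32-* are builtin aliases; everything else here carries the domain SID."""
    return not sid.startswith("S-1-5-32-")


def plan_mappings(groupmap_text, getent_text, intended=INTENDED_UNIX_GROUP):
    """Return (commands, problems).

    commands: `net groupmap add` lines for every domain group still shown as -1
              whose intended unix group resolves through NSS.
    problems: groups that cannot be mapped yet, and why.
    """
    resolvable = parse_getent_group(getent_text)
    commands, problems = [], []
    for nt, sid, unix in parse_groupmap_list(groupmap_text):
        if unix is not None or not is_domain_sid(sid):
            continue
        want = intended.get(rid_of(sid))
        if want is None:
            problems.append(f"{nt}: no unix group chosen for RID {rid_of(sid)}")
        elif want not in resolvable:
            # This is the state behind a "gidNumber=4294967295" search in the log:
            # the name never resolves, so Samba looks up (gid_t)-1 in LDAP and fails.
            problems.append(
                f"{nt}: unix group '{want}' is not resolvable through NSS "
                f"(check getent group / nss_ldap before mapping)"
            )
        else:
            commands.append(
                f'net groupmap add sid={sid} ntgroup="{nt}" unixgroup={want} type=domain'
            )
    return commands, problems


def explain_gid_in_log(log_line):
    """Classify the gidNumber Samba searched for in a pdb_ldap debug line."""
    m = re.search(r"gidNumber=(\d+)", log_line)
    if not m:
        return None
    gid = int(m.group(1))
    if gid == GID_UNRESOLVED:
        return "unresolved: the unix group name did not resolve through NSS"
    return f"resolved: searched for gidNumber={gid}"


if __name__ == "__main__":
    cmds, probs = plan_mappings(SAMPLE_GROUPMAP_LIST, SAMPLE_GETENT_GROUP)
    print("\n".join(cmds))
    print("\n".join(probs))
    print(explain_gid_in_log("ldapsam_search_one_group: searching for:"
                             "[(&(objectClass=posixGroup)(gidNumber=4294967295))]"))
```

Whether `add` or `modify` is the right verb for a given group depends on whether a mapping entry already exists in the LDAP backend, so check `net groupmap list` again after each command.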
Re: [Samba] samba3/ldap/net groupmap fails
thanks for responding. scroll down for response On Fri, 2003-12-12 at 03:25, Beast wrote: Friday, December 12, 2003, 6:17:30 AM, John wrote: I don't understand why it is like this... Fabien are you suggesting this may be a problem with samba3? because i've been trying to resolve this issue for several days now, thinking there must be a problem with our ldap setup. somehow, it seems strange that this could be a problem with samba. we thought that perhaps samba didn't like something in our ldap. surely others are able to get the ntgroups to show correctly with ldapsam as the first backend, otherwise no one would have a working samba3/ldap setup. putting tdbsam as the first backend allows for ntgroups, but since we don't use it, none of our profiles load if we do this. users get stuck with temp profiles. this is driving me bonkers:-) Hi, 1. you must create group mapping manually. 2. the unix group you're assigning to Domain Admins MUST be in ldap (not in /etc/group). the unix group *does* exist in ldap. i've attempted groupmapping with the correct syntax, and always get something like this:

[2003/12/12 11:22:01, 4] passdb/pdb_ldap.c:ldapsam_getgroup(1769) ldapsam_getgroup: Did not find group
[2003/12/12 11:22:01, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1624) ldapsam_search_one_group: searching for:[(&(objectClass=posixGroup)(gidNumber=600))]
adding entry for group Domain Admins failed!
[2003/12/12 11:22:01, 2] utils/net.c:main(758) return code = -1

unfortunately, i'm no further ahead. your suggestion is much appreciated, though. thank you. --john i.e. root# net groupmap modify rid=512 -d1 ntgroup=Domain Admins unixgroup=domadmin the domadmin group must be stored in ldap, not /etc/group. i found a lot of typos or incorrect info in the smb howto collection, i've ordered the printable version on amazon, hopefully it has different content than the online version.
--john --beast
Re: [Samba] samba3/ldap/net groupmap fails
Friday, December 12, 2003, 11:25:50 PM, John wrote: 1. you must create group mapping manually. 2. the unix group you're assigning to Domain Admins MUST be in ldap (not in /etc/group). the unix group *does* exist in ldap. i've attempted groupmapping with the correct syntax, and always get something like this: what is the output from 'getent group |grep domadm' ? [2003/12/12 11:22:01, 4] passdb/pdb_ldap.c:ldapsam_getgroup(1769) ldapsam_getgroup: Did not find group ^^ paste related smb.conf and ldif entry of domadmin group. samba seems unable to find the group to be modified, check the ldap suffix. set loglevel in ldap to 256 and paste log when you do net groupmap add --beast
Re: [Samba] samba3/ldap/net groupmap fails
I suppose it must work the same way ... Would you mind trying to add passwd backend = tdbsam ldapsam:ldap://server and try a net groupmap list? i just tried it, and now get the list of domain groups i would expect. now the trouble is the profiles don't load properly on the clients. they got logged in with a temp profile. the samba logs for my test system show:

[2003/12/11 15:17:41, 0] passdb/pdb_tdb.c:tdbsam_getsampwrid(255) pdb_getsampwrid: Unable to open TDB rid database!
[2003/12/11 15:17:57, 1] smbd/service.c:close_cnum(885) eric (192.168.1.118) closed connection to service msmith
[2003/12/11 15:18:20, 0] passdb/pdb_tdb.c:tdbsam_getsampwrid(255) pdb_getsampwrid: Unable to open TDB rid database!

i suppose i'm getting this because we're using ldap exclusively and don't use tdbsam. any ideas? It is what I thought... When using ldapsam or ldapsam_compat as first backend, you don't have access to domain default group mappings anymore. You can still create mappings for your 'classic' nt groups, but only if you know the SID of the group you want to map. I don't understand why it is like this... Fabien
Re: [Samba] samba3/ldap/net groupmap fails
On Thu, 2003-12-11 at 16:18, Fabien Chevalier wrote: I suppose it must work the same way ... Would you mind trying to add passwd backend = tdbsam ldapsam:ldap://server and try a net groupmap list? i just tried it, and now get the list of domain groups i would expect. now the trouble is the profiles don't load properly on the clients. they got logged in with a temp profile. the samba logs for my test system show:

[2003/12/11 15:17:41, 0] passdb/pdb_tdb.c:tdbsam_getsampwrid(255) pdb_getsampwrid: Unable to open TDB rid database!
[2003/12/11 15:17:57, 1] smbd/service.c:close_cnum(885) eric (192.168.1.118) closed connection to service msmith
[2003/12/11 15:18:20, 0] passdb/pdb_tdb.c:tdbsam_getsampwrid(255) pdb_getsampwrid: Unable to open TDB rid database!

i suppose i'm getting this because we're using ldap exclusively and don't use tdbsam. any ideas? It is what I thought... When using ldapsam or ldapsam_compat as first backend, you don't have access to domain default group mappings anymore. You can still create mappings for your 'classic' nt groups, but only if you know the SID of the group you want to map. I don't understand why it is like this... Fabien are you suggesting this may be a problem with samba3? because i've been trying to resolve this issue for several days now, thinking there must be a problem with our ldap setup. somehow, it seems strange that this could be a problem with samba. we thought that perhaps samba didn't like something in our ldap. surely others are able to get the ntgroups to show correctly with ldapsam as the first backend, otherwise no one would have a working samba3/ldap setup. putting tdbsam as the first backend allows for ntgroups, but since we don't use it, none of our profiles load if we do this. users get stuck with temp profiles. this is driving me bonkers:-) --john
[Samba] samba3/ldap/net groupmap fails
hi, we recently upgraded from samba 2.2.8a w/ldap to samba3 w/ldap and having troubles with domain group mappings. first symptom is that net groupmap list returns nothing. [EMAIL PROTECTED] root]# net groupmap list [EMAIL PROTECTED] root]# if we try to add a groupmapping, the command fails: net groupmap add sid=sid-gid ntgroup=Domain Admins unixgroup=domadm type=domain --debuglevel=4 gives the following output (please excuse voluminous output): --- [2003/12/11 13:47:26, 4] param/loadparm.c:lp_load(3946) pm_process() returned Yes [2003/12/11 13:47:26, 2] lib/interface.c:add_interface(79) added interface ip=192.168.1.1 bcast=192.168.1.255 nmask=255.255.255.0 [2003/12/11 13:47:26, 2] lib/interface.c:add_interface(79) added interface ip=192.168.4.1 bcast=192.168.4.255 nmask=255.255.255.0 [2003/12/11 13:47:26, 2] lib/interface.c:add_interface(79) added interface ip=192.168.2.1 bcast=192.168.2.255 nmask=255.255.255.0 [2003/12/11 13:47:26, 2] lib/interface.c:add_interface(79) added interface ip=192.168.5.1 bcast=192.168.5.255 nmask=255.255.255.0 [2003/12/11 13:47:26, 2] lib/smbldap.c:smbldap_search_domain_info(1296) Searching for:[((objectClass=sambaDomain)(sambaDomainName=MAXT))] [2003/12/11 13:47:26, 2] lib/smbldap.c:smbldap_search_suffix(1067) smbldap_search_suffix: searching for:[((objectClass=sambaDomain)(sambaDomainName=MAXT))] [2003/12/11 13:47:26, 2] lib/smbldap.c:smbldap_open_connection(624) smbldap_open_connection: connection opened [2003/12/11 13:47:26, 3] lib/smbldap.c:smbldap_connect_system(786) ldap_connect_system: succesful connection to the LDAP server [2003/12/11 13:47:26, 4] lib/smbldap.c:smbldap_open(837) The LDAP server is succesful connected [2003/12/11 13:47:26, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1624) ldapsam_search_one_group: searching for:[((objectClass=sambaGroupMapping)(gidNumber=4294967295))] [2003/12/11 13:47:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(1769) ldapsam_getgroup: Did not find group [2003/12/11 13:47:26, 2] 
passdb/pdb_ldap.c:ldapsam_search_one_group(1624) ldapsam_search_one_group: searching for:[((objectClass=posixGroup)(gidNumber=4294967295))] [2003/12/11 13:47:26, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1624) ldapsam_search_one_group: searching for:[((objectClass=sambaGroupMapping)(gidNumber=4294967295))] [2003/12/11 13:47:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(1769) ldapsam_getgroup: Did not find group [2003/12/11 13:47:26, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1624) ldapsam_search_one_group: searching for:[((objectClass=posixGroup)(gidNumber=4294967295))] [2003/12/11 13:47:26, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1624) ldapsam_search_one_group: searching for:[((objectClass=sambaGroupMapping)(gidNumber=4294967295))] [2003/12/11 13:47:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(1769) ldapsam_getgroup: Did not find group [2003/12/11 13:47:26, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1624) ldapsam_search_one_group: searching for:[((objectClass=posixGroup)(gidNumber=4294967295))] [2003/12/11 13:47:26, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1624) ldapsam_search_one_group: searching for:[((objectClass=sambaGroupMapping)(gidNumber=4294967295))] [2003/12/11 13:47:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(1769) ldapsam_getgroup: Did not find group [2003/12/11 13:47:26, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1624) ldapsam_search_one_group: searching for:[((objectClass=posixGroup)(gidNumber=4294967295))] [2003/12/11 13:47:26, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1624) ldapsam_search_one_group: searching for:[((objectClass=sambaGroupMapping)(gidNumber=4294967295))] [2003/12/11 13:47:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(1769) ldapsam_getgroup: Did not find group [2003/12/11 13:47:26, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1624) ldapsam_search_one_group: searching for:[((objectClass=posixGroup)(gidNumber=4294967295))] [2003/12/11 13:47:26, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1624) ldapsam_search_one_group: 
searching for:[((objectClass=sambaGroupMapping)(gidNumber=4294967295))] [2003/12/11 13:47:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(1769) ldapsam_getgroup: Did not find group [2003/12/11 13:47:26, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1624) ldapsam_search_one_group: searching for:[((objectClass=posixGroup)(gidNumber=4294967295))] [2003/12/11 13:47:26, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1624) ldapsam_search_one_group: searching for:[((objectClass=sambaGroupMapping)(gidNumber=4294967295))] [2003/12/11 13:47:26, 4] passdb/pdb_ldap.c:ldapsam_getgroup(1769) ldapsam_getgroup: Did not find group [2003/12/11 13:47:26, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1624) ldapsam_search_one_group: searching for:[((objectClass=posixGroup)(gidNumber=4294967295))] [2003/12/11 13:47:26, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1624) ldapsam_search_one_group: searching
Re: [Samba] samba3/ldap/net groupmap fails
On Thursday 11 December 2003 19:58, John Campbell wrote: hi, we recently upgraded from samba 2.2.8a w/ldap to samba3 w/ldap and having troubles with domain group mappings. first symptom is that net groupmap list returns nothing. [EMAIL PROTECTED] root]# net groupmap list [EMAIL PROTECTED] root]# hmmm...i'm sorry i cannot help you with this issue, but i can give some more details about this strange effect. I suppose you're using ldapsam_compat as ldap backend? I used to use in my smb.conf the following: passwd backend = tdbsam ldapsam_compat:ldap://127.0.0.1 and had no issue with it. As soon as i inverted sam backends: passwd backend = ldapsam_compat:ldap://127.0.0.1 tdbsam net groupmap list didn't list any default or non default mapping. Anybody has an explanation about this fact? regards, Fabien Chevalier
Re: [Samba] samba3/ldap/net groupmap fails
first symptom is that net groupmap list returns nothing. [EMAIL PROTECTED] root]# net groupmap list [EMAIL PROTECTED] root]# hmmm...i'm sorry i cannot help you with this issue, but i can give some more details about this strange effect. I suppose you're using ldapsam_compat as ldap backend? actually, no. we're using passdb backend = ldapsam:ldap://server thanks. hopefully someone will have an idea. goodbye! --john campbell I used to use in my smb.conf the following: passwd backend = tdbsam ldapsam_compat:ldap://127.0.0.1 and had no issue with it. As soon as i inverted sam backends: passwd backend = ldapsam_compat:ldap://127.0.0.1 tdbsam net groupmap list didn't list any default or non default mapping. Anybody has an explanation about this fact? regards, Fabien Chevalier
Re: [Samba] samba3/ldap/net groupmap fails
On Thursday 11 December 2003 20:41, John Campbell wrote: first symptom is that net groupmap list returns nothing. [EMAIL PROTECTED] root]# net groupmap list [EMAIL PROTECTED] root]# hmmm...i'm sorry i cannot help you with this issue, but i can give some more details about this strange effect. I suppose you're using ldapsam_compat as ldap backend? actually, no. we're using passdb backend = ldapsam:ldap://server I suppose it must work the same way ... Would you mind trying to add passwd backend = tdbsam ldapsam:ldap://server and try a net groupmap list? Regards, Fabien Chevalier
Re: [Samba] samba3/ldap/net groupmap fails
scroll down a bit for response... On Thu, 2003-12-11 at 15:06, Fabien Chevalier wrote: On Thursday 11 December 2003 20:41, John Campbell wrote: first symptom is that net groupmap list returns nothing. [EMAIL PROTECTED] root]# net groupmap list [EMAIL PROTECTED] root]# hmmm...i'm sorry i cannot help you with this issue, but i can give some more details about this strange effect. I suppose you're using ldapsam_compat as ldap backend? actually, no. we're using passdb backend = ldapsam:ldap://server I suppose it must work the same way ... Would you mind trying to add passwd backend = tdbsam ldapsam:ldap://server and try a net groupmap list? i just tried it, and now get the list of domain groups i would expect. now the trouble is the profiles don't load properly on the clients. they got logged in with a temp profile. the samba logs for my test system show:

[2003/12/11 15:17:41, 0] passdb/pdb_tdb.c:tdbsam_getsampwrid(255) pdb_getsampwrid: Unable to open TDB rid database!
[2003/12/11 15:17:57, 1] smbd/service.c:close_cnum(885) eric (192.168.1.118) closed connection to service msmith
[2003/12/11 15:18:20, 0] passdb/pdb_tdb.c:tdbsam_getsampwrid(255) pdb_getsampwrid: Unable to open TDB rid database!

i suppose i'm getting this because we're using ldap exclusively and don't use tdbsam. any ideas? thanks, --john campbell Regards, Fabien Chevalier
[Samba] samba3 + ldap pdbedit machine trust account problem
Please help, I am experiencing a weird error when trying to join a winXP Pro workstation to my samba3 + LDAP Domain. When I specify the account on my system that has uid 0, I receive a user account cannot be found error. Now I know this isn't the case since I can browse the samba server with this account. Note: it is in tdbsam not ldap. When I look for the machine account in the ldap directory, it has created a posix account without the sambaSamAccount entries ??? I then tried to manually create the sambaSamAccount entries using pdbedit which failed. Output further down. I have had this stuff working before, but this time I am running a slightly more complex ldap tree structure. As the output below shows it can find the machine account entry but then can't insert the sambaSAMAccount entries to go with it. Thanks in advance. David --- Output from pdbedit austin scripts # pdbedit -a -m -u cc1 INFO: Current debug levels: all: True/10 tdb: False/0 printdrivers: False/0 lanman: False/0 smb: False/0 rpc_parse: False/0 rpc_srv: False/0 rpc_cli: False/0 passdb: False/0 sam: False/0 auth: False/0 winbind: False/0 vfs: False/0 idmap: False/0 doing parameter workgroup = WA.INTRANET doing parameter netbios name = AUSTIN handle_netbios_name: set global_myname to: AUSTIN doing parameter server string = Samba Server %v doing parameter printcap name = cups doing parameter load printers = yes doing parameter printing = cups doing parameter log file = /var/log/samba3/log.%m doing parameter max log size = 50 doing parameter map to guest = bad user doing parameter security = user doing parameter encrypt passwords = yes doing parameter smb passwd file = /etc/samba/private/smbpasswd doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 doing parameter interfaces = 192.168.1.0/24 doing parameter local master = yes doing parameter os level = 33 doing parameter domain master = yes doing parameter preferred master = yes doing parameter domain logons = yes doing 
parameter logon script = %U.bat doing parameter logon path = \\%L\Profiles\%U doing parameter logon home = \\%L\%U\.profile doing parameter add user script = /usr/share/samba/scripts/smbldap-useradd.pl '%u' doing parameter delete user script = /usr/share/samba/scripts/smbldap-userdel.pl '%u' doing parameter add user to group script = /usr/share/samba/scripts/smbldap-groupmod.pl -m '%u' '%g' doing parameter delete user from group script = /usr/share/samba/scripts/smbldap-groupmod.pl -x '%u' '%g' doing parameter set primary group script = /usr/share/samba/scripts/smbldap-usermod.pl -g '%g' '%u' doing parameter add group script = /usr/share/samba/scripts/smbldap-groupadd.pl '%g' /usr/share/samba/scripts/smbldap-groupshow.pl %g|awk '/^gidNumber:/ {print $2}' doing parameter delete group script = /usr/share/samba/scripts/smbldap-userdel.pl '%g' doing parameter add machine script = /usr/share/samba/scripts/smbldap-useradd.pl -w -d /dev/null -g 'Domain Computers' -c 'Machine Account' -s /bin/false %u doing parameter passdb backend = ldapsam:ldap://austin.intranet tdbsam guest doing parameter ldap admin dn = cn=root,dc=coolorcosy,dc=com,dc=au doing parameter ldap ssl = start_tls doing parameter ldap suffix = dc=coolorcosy,dc=com,dc=au doing parameter ldap user suffix = ou=People,dc=coolorcosy,dc=com,dc=au doing parameter ldap machine suffix = ou=Computers,ou=WA,ou=Locations doing parameter ldap group suffix = ou=Groups,ou=WA,ou=Locations doing parameter ldap passwd sync = Yes doing parameter wins support = yes doing parameter dns proxy = no pm_process() returned Yes lp_servicenumber: couldn't find homes set_server_role: role = ROLE_DOMAIN_PDC Substituting charset 'ANSI_X3.4-1968' for LOCALE Substituting charset 'ANSI_X3.4-1968' for LOCALE Substituting charset 'ANSI_X3.4-1968' for LOCALE Substituting charset 'ANSI_X3.4-1968' for LOCALE Substituting charset 'ANSI_X3.4-1968' for LOCALE Substituting charset 'ANSI_X3.4-1968' for LOCALE Substituting charset 'ANSI_X3.4-1968' for 
LOCALE Substituting charset 'ANSI_X3.4-1968' for LOCALE Substituting charset 'ANSI_X3.4-1968' for LOCALE Substituting charset 'ANSI_X3.4-1968' for LOCALE Trying to load: ldapsam:ldap://austin.intranet Attempting to register passdb backend ldapsam Successfully added passdb backend 'ldapsam' Attempting to register passdb backend ldapsam_compat Successfully added passdb backend 'ldapsam_compat' Attempting to register passdb backend smbpasswd Successfully added passdb backend 'smbpasswd' Attempting to register passdb backend tdbsam Successfully added passdb backend 'tdbsam' Attempting to register passdb backend guest Successfully added passdb backend 'guest' Attempting to find an passdb backend to match ldapsam:ldap://austin.intranet (ldapsam) Found pdb backend ldapsam Searching for:[((objectClass=sambaDomain)(sambaDomainName=WA.INTRANET))] smbldap_search_suffix: searching
RE : [Samba] Samba3 LDAP Can't join domain with Win2k Pro
I tried to add with a pdbedit -a -uAdministrator -U0 -G0 -d99 I get an error message : Unable to find user... the user must be present in the ldap, pdbedit is going to add the samba attributes. I create an Administrator account in my /etc/passwd and tried again with the pdbedit command, it asked me to type password this time (Woot!!!) but at this end : samba found the user as a unix other. Ok [...] smbldap_open: already connected to the LDAP server ldapsam_modify_entry: Failed to add user dn= uid=Administrator,ou=Users with: No such object ldapsam_add_sam_account: failed to modify/add user with uid = Administrator (dn = uid=Administrator,ou=Users) Unable to add user! (does it already exist?) But in your smb.conf you have the ldap backend, so samba tries to find the user in the ldap to add samba attributes. Any idea? Samba needs a unix user (either in /etc/passwd or in the directory with the posixAccount attributes set). Then, if you choose ldap as the backend, samba must find the user in the directory (with or without posixAccount). In summary, there are two distinct levels: 1. at the unix level (uid, gid, shell, group in /etc/passwd or posixAccount, controlled by /etc/nsswitch.conf); 2. at the samba level (in the case of the ldap backend it is pdbedit -a that adds the required samba attributes to the directory). In your case your administrator user exists at the unix level but it must have an entry in the directory with uid=administrator (pdbedit does the work and adds the required samba elements). I hope that's clearer. A way to restart with an empty LDAP maybe? No. thanks all (and especially Jean Marc) You're welcome. Jean-Marc
Re: RE : [Samba] Samba3 LDAP Can't join domain with Win2k Pro
I tried to add with a pdbedit -a -uAdministrator -U0 -G0 -d99 I get an error message : Unable to find user... the user must be present in the ldap, pdbedit is going to add the samba attributes. I create an Administrator account in my /etc/passwd and tried again with the pdbedit command, it asked me to type password this time (Woot!!!) but at this end : Er, *user must be present in the ldap* You need to set up an add user script, see man smb.conf
Re: [Samba] Samba3 LDAP Can't join domain with Win2k Pro
Hi, I removed Administrator / root account from my LDAP (still have ou, groups etc. from idealX populating script) I removed Administrator account from /etc/passwd. I tried to add with a pdbedit -a -uAdministrator -U0 -G0 -d99 I get an error message : Unable to find user... I create an Administrator account in my /etc/passwd and tried again with the pdbedit command, it asked me to type password this time (Woot!!!) but at this end : [...] smbldap_open: already connected to the LDAP server ldapsam_modify_entry: Failed to add user dn= uid=Administrator,ou=Users with: No such object ldapsam_add_sam_account: failed to modify/add user with uid = Administrator (dn = uid=Administrator,ou=Users) Unable to add user! (does it already exist?) My LDAP is the same from last message... Here my smb.conf for ldap :

ldap admin dn = cn=Manager,dc=ERIOS,dc=FR
ldap ssl = off
passdb backend = ldapsam:ldap://127.0.0.1
ldap delete dn = no
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap suffix = dc=ERIOS,dc=FR
ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))

Any idea? A way to restart with an empty LDAP maybe? thanks all (and especially Jean Marc) Nicko
RE : [Samba] Samba3 LDAP Can't join domain with Win2k Pro
Correction :

sn: Administrator
uid: Administrator
uidNumber: 1000
gidNumber: 513

uidnumber: 0 gidnumber: 0 But this is not mandatory. Sambasid = 1000 and Sambagroupsid = 1001 is the important thing for samba. See you, Jean-marc
Re: [Samba] Samba3 LDAP Can't join domain with Win2k Pro
Hello,

> use pdbedit -a username to add samba attribute to the user ( the user must exist in the backend - ldap for me ).

Isn't smbldap-useradd.pl supposed to do that for me?

> Have a look at http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html

I have read it many times, but it's a bit confusing... This how-to doesn't start from nothing (like I do) and I had never used Samba before, so...

> In the [SAMBA_3_0] and [HEAD] only a few basic entries are required:
> [snip]
> The root/administrator (uidNumber=0) SHOULD be present in the NT's Admins group (rid=512).

I removed all normal / test users from LDAP and /etc/passwd.

I created the Administrator account with:
smbldap-useradd.pl -a Administrator

I changed the password for Administrator (different from the root password) with:
smbldap-passwd.pl Administrator

I changed the uid for Administrator with:
smbldap-usermod.pl Administrator -u 0

I put Administrator in the Domain Admins group (Domain Admins has gid = 512):
smbldap-groupmod.pl -m Administrator "Domain Admins"

I can open a session with the Administrator account on my linux box.

I tried to join the Samba Domain with a Windows 2000 Server:
with Administrator: unknown user or bad password
with root: unknown user or bad password

I created the Administrator account in /etc/passwd with WebMin (Users & Groups Module).
I tried again to join the Domain:
with Administrator: unknown user or bad password

I created a root account in LDAP with smbldap-useradd.pl and put it in the Domain Admins group.
I tried again to join the Domain:
with Administrator: unknown user or bad password
with root: unknown user or bad password

Btw I'll try with pdbedit later (but at this time pdbedit -L shows me Administrator and root so...)

Any log that I could check? Any info? Nobody here installed Samba 3 + LDAP on a fresh Linux box?
Thanks
Nicko

My LDAP Schema:

[EMAIL PROTECTED] sbin]# ldapsearch -x -b 'dc=ERIOS,dc=FR' '(objectclass=*)'
version: 2

#
# filter: (objectclass=*)
# requesting: ALL
#

# ERIOS, FR
dn: dc=ERIOS,dc=FR
objectClass: dcObject
objectClass: organization
dc: ERIOS
o: ERIOS

# Users, ERIOS, FR
dn: ou=Users,dc=ERIOS,dc=FR
objectClass: organizationalUnit
ou: Users

# Groups, ERIOS, FR
dn: ou=Groups,dc=ERIOS,dc=FR
objectClass: organizationalUnit
ou: Groups

# Computers, ERIOS, FR
dn: ou=Computers,dc=ERIOS,dc=FR
objectClass: organizationalUnit
ou: Computers

# Domain Admins, Groups, ERIOS, FR
dn: cn=Domain Admins,ou=Groups,dc=ERIOS,dc=FR
objectClass: posixGroup
gidNumber: 512
cn: Domain Admins
memberUid: Administrator
memberUid: root
description: Netbios Domain Administrators (need smb.conf configuration)

# Domain Users, Groups, ERIOS, FR
dn: cn=Domain Users,ou=Groups,dc=ERIOS,dc=FR
objectClass: posixGroup
gidNumber: 513
cn: Domain Users
description: Netbios Domain Users (not implemented yet)
memberUid: Administrator
memberUid: root

# Domain Guests, Groups, ERIOS, FR
dn: cn=Domain Guests,ou=Groups,dc=ERIOS,dc=FR
objectClass: posixGroup
gidNumber: 514
cn: Domain Guests
description: Netbios Domain Guests Users (not implemented yet)

# Administrators, Groups, ERIOS, FR
dn: cn=Administrators,ou=Groups,dc=ERIOS,dc=FR
objectClass: posixGroup
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer/sambaDomainName (not implemented yet)
memberUid: Administrator

# Users, Groups, ERIOS, FR
dn: cn=Users,ou=Groups,dc=ERIOS,dc=FR
objectClass: posixGroup
gidNumber: 545
cn: Users
description: Netbios Domain Ordinary users (not implemented yet)

# Guests, Groups, ERIOS, FR
dn: cn=Guests,ou=Groups,dc=ERIOS,dc=FR
objectClass: posixGroup
gidNumber: 546
cn: Guests
memberUid: nobody
description: Netbios Domain Users granted guest access to the computer/sambaDomainName (not implemented yet)

# Power Users, Groups, ERIOS, FR
dn: cn=Power Users,ou=Groups,dc=ERIOS,dc=FR
objectClass: posixGroup
gidNumber: 547
cn: Power Users
description: Netbios Domain Members can share directories and printers (not implemented yet)

# Account Operators, Groups, ERIOS, FR
dn: cn=Account Operators,ou=Groups,dc=ERIOS,dc=FR
objectClass: posixGroup
gidNumber: 548
cn: Account Operators
description: Netbios Domain Users to manipulate users accounts (not implemented yet)

# Server Operators, Groups, ERIOS, FR
dn: cn=Server Operators,ou=Groups,dc=ERIOS,dc=FR
objectClass: posixGroup
gidNumber: 549
cn: Server Operators
description: Netbios Domain Server Operators (need smb.conf configuration)

# Print Operators, Groups, ERIOS, FR
dn: cn=Print Operators,ou=Groups,dc=ERIOS,dc=FR
objectClass: posixGroup
gidNumber: 550
cn: Print Operators
description: Netbios Domain Print Operators (need smb.conf configuration)

# Backup Operators, Groups, ERIOS, FR
dn: cn=Backup Operators,ou=Groups,dc=ERIOS,dc=FR
objectClass: posixGroup
gidNumber: 551
cn: Backup Operators
description: Netbios Domain Members can bypass file security to back up files (not implemented yet)

# Replicator, Groups, ERIOS, FR
dn:
RE : [Samba] Samba3 LDAP Can't join domain with Win2k Pro
You must have a uid and gid for each user stored in the local /etc/passwd or in ldap. But you must have them somewhere.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] .org] On behalf of Nicko
Sent: Monday 20 October 2003 23:18
To: [EMAIL PROTECTED]
Subject: [Samba] Samba3 LDAP Can't join domain with Win2k Pro

> Hi all,
>
> I have been trying for 2 weeks... Still doesn't work...
>
> With a Win98 client it works perfectly but I can't join with Win2k Pro.
> Same message in the Win2k client: username or password incorrect.
> I tried with root / Administrator / new account / everything...
> I changed the password for root / Administrator.
>
> My config:
> - RedHat 9.0
> - Samba 3.0
> - OpenLDAP 2.0 (RPM from RH9)
> - Populating the OpenLDAP schema with the smbldap-tools from IdealX (0.8.1) and smbldap-useradd to create users.
> - Linux is configured to use LDAP too for user accounts (authconfig)
>
> And it seems that the NT user must exist on the Linux box (useradd), I don't understand why...
>
> Any idea?
>
> Thanks
> Nicko
RE : [Samba] Samba3 LDAP Can't join domain with Win2k Pro
Good evening,

> So when I create a user account with the script from IdealX (smbldap-useradd.pl), I can log in with this user on my Linux box, that's normal, but if I want to use this account on the Samba network do I have to create the same account in /etc/passwd with useradd?

use pdbedit -a username to add the samba attributes to the user (the user must exist in the backend - ldap for me).

> So do I have to create a root account too in my Ldap? And an Administrator account in my /etc/passwd?

Have a look at http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html

In the [SAMBA_3_0] and [HEAD] only a few basic entries are required: nobody and administrator BUT an account with uidNumber=0 (root or administrator) MUST be present if you need to add XP/W2K ws. The reason: an administrative account is demanded on the ws side in the join process, and that account must have a uidNumber=0 in the unix world. Remember that in the ldapsam backend the rid mapping is algorithmic based: rid='2*uidNumber+1000' and primaryGroup='2*uidNumber+100+1', so a root or any administrative account must have a rid of 1000, and a sambaSID like:

sambaSID: S-1-5-21-298858960-1863792627-3661451959-1000
sambaPrimaryGroupSID: S-1-5-21-298858960-1863792627-3661451959-1001

The root/administrator (uidNumber=0) SHOULD be present in the NT's Admins group (rid=512).

Jean-Marc.
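A consistency check for the account layout Jean-Marc describes above (and in his earlier correction: uid 0 / gid 0, sambaSID ending in 1000, group SID ending in 1001), written as an added example that is not from the thread or from smbldap-tools. It parses a small constructed LDIF, verifies each Samba account's sambaSID and sambaPrimaryGroupSID against the algorithmic mapping, and flags a uidNumber=0 account that is not a memberUid of the gid-512 group; the primary-group RID is computed from gidNumber, which is what Samba 3's algorithmic mapping does (identical to the quoted formula for the uid 0 / gid 0 case), and DOMAIN_SID is the value quoted from the HOWTO.

```python
# Constructed sample in the layout the thread shows (not the poster's directory); domain SID from the HOWTO excerpt
DOMAIN_SID = "S-1-5-21-298858960-1863792627-3661451959"
SAMPLE_LDIF = """\
dn: uid=Administrator,ou=Users,dc=ERIOS,dc=FR
uidNumber: 0
gidNumber: 0
sambaSID: S-1-5-21-298858960-1863792627-3661451959-1000
sambaPrimaryGroupSID: S-1-5-21-298858960-1863792627-3661451959-1001

dn: uid=nicko,ou=Users,dc=ERIOS,dc=FR
uidNumber: 1000
gidNumber: 513
sambaSID: S-1-5-21-298858960-1863792627-3661451959-1000
sambaPrimaryGroupSID: S-1-5-21-298858960-1863792627-3661451959-2027

dn: cn=Domain Admins,ou=Groups,dc=ERIOS,dc=FR
gidNumber: 512
memberUid: root
"""

def parse_ldif(text):  # blank-line separated entries, each parsed to attr -> [values]
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key, []).append(value)
        entries.append(entry)
    return entries

def expected_sids(uid_number, gid_number, domain_sid=DOMAIN_SID):
    # Samba 3 algorithmic mapping: user RID = 2*uidNumber+1000, group RID = 2*gidNumber+1001
    return f"{domain_sid}-{2 * uid_number + 1000}", f"{domain_sid}-{2 * gid_number + 1001}"

def audit(ldif_text):
    entries = parse_ldif(ldif_text)
    admins = [e for e in entries if e.get("gidNumber") == ["512"] and "memberUid" in e]
    admin_members = set(admins[0]["memberUid"]) if admins else set()
    findings = []
    for e in entries:
        if "sambaSID" not in e:  # not a Samba account (e.g. the group entry)
            continue
        name = e["dn"][0].split(",")[0].split("=", 1)[1]  # RDN value, e.g. Administrator
        uid_n, gid_n = int(e["uidNumber"][0]), int(e["gidNumber"][0])
        want = dict(zip(("sambaSID", "sambaPrimaryGroupSID"), expected_sids(uid_n, gid_n)))
        for attr, sid in want.items():
            if e.get(attr) != [sid]:
                findings.append(f"{name}: {attr} should be {sid}")
        if uid_n == 0 and name not in admin_members:  # the join needs the uid-0 account in the rid-512 group
            findings.append(f"{name}: uidNumber 0 but not a memberUid of Domain Admins (gid 512)")
    return findings
```

Running audit(SAMPLE_LDIF) reports the Administrator account missing from Domain Admins and the nicko account carrying RID 1000, which collides with the uid-0 account under the algorithmic mapping.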
[Samba] Samba3 LDAP Can't join domain with Win2k Pro
Hi all,

I have been trying for 2 weeks... Still doesn't work...

With a Win98 client it works perfectly but I can't join with Win2k Pro.
Same message in the Win2k client: username or password incorrect.
I tried with root / Administrator / new account / everything...
I changed the password for root / Administrator.

My config:
- RedHat 9.0
- Samba 3.0
- OpenLDAP 2.0 (RPM from RH9)
- Populating the OpenLDAP schema with the smbldap-tools from IdealX (0.8.1) and smbldap-useradd to create users.
- Linux is configured to use LDAP too for user accounts (authconfig)

And it seems that the NT user must exist on the Linux box (useradd), I don't understand why...

Any idea?

Thanks
Nicko
[Samba] Samba3, LDAP and FreeBSD 4.8 : need for NSS ?
Hi all,

another French guy learning, don't bash me too hard... ;-)

In fact, I'm in need of a confirmation: I'm on the way to creating a Samba3+LDAP (new schemas) PDC server (no migration from NT4 nor 2K, only from an old Samba 2.0 with security=user using /etc/passwd, i.e. no encrypted passwords). This Samba3 should be hosted on a FreeBSD 4.8 (i.e. pam_ldap can work, I tested it today, but no NSS available).

I've read many docs, including the HEAD Samba HOWTO collection, the HOWTO from Ignacio Coupeau (worth a read), the old one from IdealX (which disappeared last week, I still have a hard copy), and many others.

The OpenLDAP 2.1 is up, with a few accounts populated (with both sambaSamAccount and posixAccount objectclasses). PAM_LDAP auth works.

Then comes the integration with Samba. I have not yet begun the work of integrating Samba with LDAP (I'm learning LDAP).

Here's my question: does Samba3 need a Unix account (in /etc/passwd) in addition to the one in the LDAP directory?

I believe the answer is yes (since FreeBSD 4.8 doesn't have NSS, and PAM is only for authentication), but may someone confirm, because I'm losing the last few hairs I have ;-?

Or, before the server is migrated to FreeBSD 5.1 (-CURRENT), which should undoubtedly lessen the need for a firm answer.

Best regards, and thanks for the job for so many years (I have lived happily with Samba since 1996, in production since 1998).

Jérôme

** This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the system manager. LogicaCMG **
Re: [Samba] Samba3, LDAP and FreeBSD 4.8 : need for NSS ?
On Tuesday 16 September 2003 22:35, Jérôme Fenal wrote:

> Hi all,
>
> another French guy learning, don't bash me too hard... ;-)

Don't worry, I've been on it for 2 weeks :)

> In fact, I'm in need of a confirmation: I'm on the way to creating a Samba3+LDAP (new schemas) PDC server (no migration from NT4 nor 2K, only from an old Samba 2.0 with security=user using /etc/passwd, i.e. no encrypted passwords). This Samba3 should be hosted on a FreeBSD 4.8 (i.e. pam_ldap can work, I tested it today, but no NSS available).
>
> I've read many docs, including the HEAD Samba HOWTO collection, the HOWTO from Ignacio Coupeau (worth a read), the old one from IdealX (which disappeared last week, I still have a hard copy), and many others.
>
> The OpenLDAP 2.1 is up, with a few accounts populated (with both sambaSamAccount and posixAccount objectclasses). PAM_LDAP auth works.
>
> Then comes the integration with Samba. I have not yet begun the work of integrating Samba with LDAP (I'm learning LDAP).
>
> Here's my question: does Samba3 need a Unix account (in /etc/passwd) in addition to the one in the LDAP directory?
>
> I believe the answer is yes (since FreeBSD 4.8 doesn't have NSS, and PAM is only for authentication), but may someone confirm, because I'm losing the last few hairs I have ;-?
>
> Or, before the server is migrated to FreeBSD 5.1 (-CURRENT), which should undoubtedly lessen the need for a firm answer.
>
> Best regards, and thanks for the job for so many years (I have lived happily with Samba since 1996, in production since 1998).

OK, so basically, you do NOT need nss_ldap to use samba-3.0 with LDAP, but you DO need Unix accounts (if not using nss). So, you do not need any posixAccount object class entries in your LDAP since this is for authenticating Unix users (except if you need it).

I just built a FreeBSD-5.1 + nss_ldap + pam_ldap and samba-3.0 as a PDC. It works great.

If you don't want to use 5.1, which I can understand, what I recommend is to use Unix accounts and pdbedit to add the samba users; you will have almost nothing to populate LDAP with, samba will take care of it. Basically, you just need a base.ldif file with your domain/organisation, some groups (users, computers, admins and guest) and some ou to add your users/computers into.

If you need help, please do not hesitate, I've spent the last 2 weeks on the subject :)

Antoine