Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-07-11 Thread John Drescher

On 7/11/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:


Yes, but I had to install nss which I thought was not necessary. After that
samba got perfectly integrated (the getent group and getent passwd
showed the samba users in the ldap apart from the system users). The
packages are libnss-ldap for debian/ubuntu and nss_ldap for gentoo.
After that, the users could join the domain perfectly and the samba
attributes were added by samba itself (as it should be).

If you need any further information or config files just let me know. Hope
it helps.


Thanks for the info. I will have to try to track this down when I get
time as I know this is not my problem as I have been using nss_ldap
under gentoo for 3 years and both getent commands work correctly.

John
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-07-10 Thread John Drescher

Did you find a working solution other than using an external tool as I
suggested?

Thanks,
John


Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-29 Thread mikelOn

Hi,

I have been trying different approaches to get it working and apparently I
do need nss installed to get it working (which I have not found as mandatory
in many tutorials). Once I installed nss-ldap and configured it still
failed, but then I removed the line ldapsam:trusted = yes and the machines
started to join the domain correctly.

Summing up, I needed nss-ldap and I did not need ldapsam:trusted = yes.
Now I am trying to get the whole thing working with ldapsam:trusted = yes
uncommented.

Thank you all very much for your help. I expect to be able to help others
solve the problems I have had.


Edmundo Valle Neto wrote:
 
 mikelOn escreveu:
 The last few lines of the pdbedit -v root command show the following:


 pm_process() returned Yes
 smbldap_search_domain_info: Searching
 for:[((objectClass=sambaDomain)(sambaDomainName=EREMU))]
 smbldap_open_connection: connection opened
 ldap_connect_system: succesful connection to the LDAP server
 The LDAP server is succesfully connected
 smbldap_search_domain_info: Searching
 for:[((objectClass=sambaDomain)(sambaDomainName=EREMU))]
 smbldap_open_connection: connection opened
 ldap_connect_system: succesful connection to the LDAP server
 The LDAP server is succesfully connected
 init_sam_from_ldap: Entry found for user: root
 Unix username:root
 NT username:  root
 Account Flags:[U  ]
 User SID: S-1-5-21-325600022-3777026502-3741709481-500
 ldapsam_getgroup: Did not find group
 Primary Group SID:S-1-5-21-325600022-3777026502-3741709481-513
 Full Name:root
 Home Directory:   \\SAMBA\root
 HomeDir Drive:H:
 Logon Script: LOGON.BAT
 Profile Path: \\SAMBA\profiles\root
 Domain:   EREMU
 Account desc:
 Workstations:
 Munged dial:
 Logon time:   0
 Logoff time:  mar, 19 ene 2038 04:14:07 CET
 Kickoff time: mar, 19 ene 2038 04:14:07 CET
 Password last set:mié, 27 jun 2007 20:35:52 CEST
 Password can change:  0
 Password must change: sáb, 11 ago 2007 20:35:52 CEST
 Last bad password   : 0
 Bad password count  : 0
 Logon hours : FF


 As you can see, the same error shows up: GROUP NOT FOUND

 Do you know why?

 Thanks


 Edmundo Valle Neto wrote:
   
 mikelOn escreveu:
 
 I have added the parameter ldapsam:trusted = yes and now the samba
 error
 has changed to NT_STATUS_UNSUCCESSFUL. The logs say the following:


 [2007/06/27 22:41:11, 4] auth/auth_sam.c:sam_account_ok(138)
   sam_account_ok: Checking SMB password for user root
 [2007/06/27 22:41:11, 3] smbd/sec_ctx.c:push_sec_ctx(208)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
 [2007/06/27 22:41:11, 3] smbd/uid.c:push_conn_ctx(353)
   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
 [2007/06/27 22:41:11, 3] smbd/sec_ctx.c:set_sec_ctx(241)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
 [2007/06/27 22:41:11, 3]
 passdb/pdb_ldap.c:ldapsam_enum_group_memberships(2663)
   primary group of [root] not found
 [2007/06/27 22:41:11, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
 [2007/06/27 22:41:11, 0] auth/auth_sam.c:check_sam_security(352)
   check_sam_security: make_server_info_sam() failed with
 'NT_STATUS_UNSUCCESSFUL'
 [2007/06/27 22:41:11, 3] auth/auth_winbind.c:check_winbind_security(80)
   check_winbind_security: Not using winbind, requested domain [eremu]
 was
 for this SAM.
 [2007/06/27 22:41:11, 2] auth/auth.c:check_ntlm_password(319)
   check_ntlm_password:  Authentication for user [root] - [root] FAILED
 with
 error NT_STATUS_UNSUCCESSFUL
 [2007/06/27 22:41:11, 3] smbd/error.c:error_packet(146)
   error packet at smbd/sesssetup.c(99) cmd=115 (SMBsesssetupX)
 NT_STATUS_UNSUCCESSFUL
 [2007/06/27 22:41:11, 3] smbd/process.c:timeout_processing(1359)
   timeout_processing: End of file from client (client has
 disconnected).
 [2007/06/27 22:41:11, 3] smbd/sec_ctx.c:set_sec_ctx(241)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
 [2007/06/27 22:41:11, 3] smbd/connection.c:yield_connection(69)
   Yielding connection to
 [2007/06/27 22:41:11, 3] smbd/server.c:exit_server_common(675)
   Server exit (normal exit)


 Do you see anything familiar here?
 Thanks
   
   
 What does pdbedit -v root show?

 Regards.

 Edmundo Valle Neto
 
 What's the output of:
 
 net groupmap list
 smbldap-usershow root
 smbldap-groupshow Domain Admins
 
 ?
 
 ps: I'm not interested in your password hashes :)
 
 You said that root belongs to Domain Admins group, but the RID 513 is 
 the known RID of the Domain Users group.
 
 
 Regards.
 
 Edmundo Valle Neto

Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-29 Thread Edmundo Valle Neto

mikelOn escreveu:

Hi,

I have been trying different approaches to get it working and apparently I
do need nss installed to get it working (which I have not found as mandatory
in many tutorials). Once I installed nss-ldap and configured it still
failed, but then I removed the line ldapsam:trusted = yes and the machines
started to join the domain correctly.

Summing up, I needed nss-ldap and I did not need ldapsam:trusted = yes.
Now I am trying to get the whole thing working with ldapsam:trusted = yes
uncommented.

Thank you all very much for your help. I expect to be able to help others
solve the problems I have had.



NSS is mandatory in the samba documentation; as for the other cake 
recipes that you have read, they are probably incomplete.
You can read the smb.conf man page to see what is expected from 
ldapsam:trusted = yes. You don't need it for samba to work, but it speeds 
up name resolution, resolving names directly in LDAP without consulting 
NSS. You must have all samba accounts in LDAP and with samba and posix 
attributes together in each object. So, yes, it can be problematic.


Regards.

Edmundo Valle Neto




Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-28 Thread mikelOn


The last few lines of the pdbedit -v root command show the following:


pm_process() returned Yes
smbldap_search_domain_info: Searching
for:[((objectClass=sambaDomain)(sambaDomainName=EREMU))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
The LDAP server is succesfully connected
smbldap_search_domain_info: Searching
for:[((objectClass=sambaDomain)(sambaDomainName=EREMU))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
The LDAP server is succesfully connected
init_sam_from_ldap: Entry found for user: root
Unix username:root
NT username:  root
Account Flags:[U  ]
User SID: S-1-5-21-325600022-3777026502-3741709481-500
ldapsam_getgroup: Did not find group
Primary Group SID:S-1-5-21-325600022-3777026502-3741709481-513
Full Name:root
Home Directory:   \\SAMBA\root
HomeDir Drive:H:
Logon Script: LOGON.BAT
Profile Path: \\SAMBA\profiles\root
Domain:   EREMU
Account desc:
Workstations:
Munged dial:
Logon time:   0
Logoff time:  mar, 19 ene 2038 04:14:07 CET
Kickoff time: mar, 19 ene 2038 04:14:07 CET
Password last set:mié, 27 jun 2007 20:35:52 CEST
Password can change:  0
Password must change: sáb, 11 ago 2007 20:35:52 CEST
Last bad password   : 0
Bad password count  : 0
Logon hours : FF


As you can see, the same error shows up: GROUP NOT FOUND

Do you know why?

Thanks


Edmundo Valle Neto wrote:
 
 mikelOn escreveu:
 I have added the parameter ldapsam:trusted = yes and now the samba
 error
 has changed to NT_STATUS_UNSUCCESSFUL. The logs say the following:


 [2007/06/27 22:41:11, 4] auth/auth_sam.c:sam_account_ok(138)
   sam_account_ok: Checking SMB password for user root
 [2007/06/27 22:41:11, 3] smbd/sec_ctx.c:push_sec_ctx(208)
   push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
 [2007/06/27 22:41:11, 3] smbd/uid.c:push_conn_ctx(353)
   push_conn_ctx(0) : conn_ctx_stack_ndx = 0
 [2007/06/27 22:41:11, 3] smbd/sec_ctx.c:set_sec_ctx(241)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
 [2007/06/27 22:41:11, 3]
 passdb/pdb_ldap.c:ldapsam_enum_group_memberships(2663)
   primary group of [root] not found
 [2007/06/27 22:41:11, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
 [2007/06/27 22:41:11, 0] auth/auth_sam.c:check_sam_security(352)
   check_sam_security: make_server_info_sam() failed with
 'NT_STATUS_UNSUCCESSFUL'
 [2007/06/27 22:41:11, 3] auth/auth_winbind.c:check_winbind_security(80)
   check_winbind_security: Not using winbind, requested domain [eremu] was
 for this SAM.
 [2007/06/27 22:41:11, 2] auth/auth.c:check_ntlm_password(319)
   check_ntlm_password:  Authentication for user [root] - [root] FAILED
 with
 error NT_STATUS_UNSUCCESSFUL
 [2007/06/27 22:41:11, 3] smbd/error.c:error_packet(146)
   error packet at smbd/sesssetup.c(99) cmd=115 (SMBsesssetupX)
 NT_STATUS_UNSUCCESSFUL
 [2007/06/27 22:41:11, 3] smbd/process.c:timeout_processing(1359)
   timeout_processing: End of file from client (client has disconnected).
 [2007/06/27 22:41:11, 3] smbd/sec_ctx.c:set_sec_ctx(241)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
 [2007/06/27 22:41:11, 3] smbd/connection.c:yield_connection(69)
   Yielding connection to
 [2007/06/27 22:41:11, 3] smbd/server.c:exit_server_common(675)
   Server exit (normal exit)


 Do you see anything familiar here?
 Thanks
   
 
 What does pdbedit -v root show?
 
 Regards.
 
 Edmundo Valle Neto


Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-28 Thread Edmundo Valle Neto

mikelOn escreveu:

The last few lines of the pdbedit -v root command show the following:


pm_process() returned Yes
smbldap_search_domain_info: Searching
for:[((objectClass=sambaDomain)(sambaDomainName=EREMU))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
The LDAP server is succesfully connected
smbldap_search_domain_info: Searching
for:[((objectClass=sambaDomain)(sambaDomainName=EREMU))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
The LDAP server is succesfully connected
init_sam_from_ldap: Entry found for user: root
Unix username:root
NT username:  root
Account Flags:[U  ]
User SID: S-1-5-21-325600022-3777026502-3741709481-500
ldapsam_getgroup: Did not find group
Primary Group SID:S-1-5-21-325600022-3777026502-3741709481-513
Full Name:root
Home Directory:   \\SAMBA\root
HomeDir Drive:H:
Logon Script: LOGON.BAT
Profile Path: \\SAMBA\profiles\root
Domain:   EREMU
Account desc:
Workstations:
Munged dial:
Logon time:   0
Logoff time:  mar, 19 ene 2038 04:14:07 CET
Kickoff time: mar, 19 ene 2038 04:14:07 CET
Password last set:mié, 27 jun 2007 20:35:52 CEST
Password can change:  0
Password must change: sáb, 11 ago 2007 20:35:52 CEST
Last bad password   : 0
Bad password count  : 0
Logon hours : FF


As you can see, the same error shows up: GROUP NOT FOUND

Do you know why?

Thanks


Edmundo Valle Neto wrote:
  

mikelOn escreveu:


I have added the parameter ldapsam:trusted = yes and now the samba
error
has changed to NT_STATUS_UNSUCCESSFUL. The logs say the following:


[2007/06/27 22:41:11, 4] auth/auth_sam.c:sam_account_ok(138)
  sam_account_ok: Checking SMB password for user root
[2007/06/27 22:41:11, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/06/27 22:41:11, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/06/27 22:41:11, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/06/27 22:41:11, 3]
passdb/pdb_ldap.c:ldapsam_enum_group_memberships(2663)
  primary group of [root] not found
[2007/06/27 22:41:11, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/06/27 22:41:11, 0] auth/auth_sam.c:check_sam_security(352)
  check_sam_security: make_server_info_sam() failed with
'NT_STATUS_UNSUCCESSFUL'
[2007/06/27 22:41:11, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [eremu] was
for this SAM.
[2007/06/27 22:41:11, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [root] - [root] FAILED
with
error NT_STATUS_UNSUCCESSFUL
[2007/06/27 22:41:11, 3] smbd/error.c:error_packet(146)
  error packet at smbd/sesssetup.c(99) cmd=115 (SMBsesssetupX)
NT_STATUS_UNSUCCESSFUL
[2007/06/27 22:41:11, 3] smbd/process.c:timeout_processing(1359)
  timeout_processing: End of file from client (client has disconnected).
[2007/06/27 22:41:11, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/06/27 22:41:11, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2007/06/27 22:41:11, 3] smbd/server.c:exit_server_common(675)
  Server exit (normal exit)


Do you see anything familiar here?
Thanks
  
  

What does pdbedit -v root show?

Regards.

Edmundo Valle Neto


What's the output of:

net groupmap list
smbldap-usershow root
smbldap-groupshow Domain Admins

?

ps: I'm not interested in your password hashes :)

You said that root belongs to Domain Admins group, but the RID 513 is 
the known RID of the Domain Users group.



Regards.

Edmundo Valle Neto
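
The check behind the questions above, as an added example that is not part of the original message: it reads the "Primary Group SID" from pdbedit -v output and looks it up in net groupmap list output. The two SID values in the pdbedit sample and the SID= value are copied from the thread; the groupmap lines are constructed (the thread never shows that output) and the function and finding names are made up for this sketch.

```python
import re

# Well-known domain RIDs; 513 is Domain Users, as the reply above points out.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest",
    512: "Domain Admins", 513: "Domain Users",
    514: "Domain Guests", 515: "Domain Computers",
}

GROUPMAP_RE = re.compile(r"^(?P<nt>.+?) \((?P<sid>S-[0-9-]+)\) -> (?P<unix>.+)$")


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, integer RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def parse_pdbedit(text):
    """Turn 'Key: value' lines of pdbedit -v output into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def parse_groupmap(text):
    """Map group SID -> (NT group name, unix group) from net groupmap list."""
    mapping = {}
    for line in text.splitlines():
        match = GROUPMAP_RE.match(line.strip())
        if match:
            mapping[match["sid"]] = (match["nt"], match["unix"])
    return mapping


def check_primary_group(pdbedit_text, groupmap_text, configured_sid=None):
    """Return (code, detail) findings for one account's primary group."""
    account = parse_pdbedit(pdbedit_text)
    groups = parse_groupmap(groupmap_text)
    user_domain, _ = split_sid(account["User SID"])
    group_sid = account["Primary Group SID"]
    _, group_rid = split_sid(group_sid)
    findings = []
    if group_sid not in groups:
        name = WELL_KNOWN_RIDS.get(group_rid, "no well-known name")
        findings.append(("PRIMARY_GROUP_UNMAPPED",
                         f"{group_sid} (RID {group_rid}: {name}) has no mapping"))
        # Same RID mapped under a different domain SID: the group exists,
        # but not where this account's sambaPrimaryGroupSID points.
        for other in groups:
            if split_sid(other)[1] == group_rid:
                findings.append(("RID_MAPPED_UNDER_OTHER_DOMAIN_SID", other))
    if configured_sid and configured_sid != user_domain:
        findings.append(("DOMAIN_SID_MISMATCH",
                         f"account uses {user_domain}, tools use {configured_sid}"))
    return findings


# SID lines as posted in the thread's pdbedit -v root output.
PDBEDIT_SAMPLE = """\
Unix username:        root
User SID:             S-1-5-21-325600022-3777026502-3741709481-500
Primary Group SID:    S-1-5-21-325600022-3777026502-3741709481-513
Domain:               EREMU
"""

# SID= line from the smbldap.conf quoted in the thread.
CONFIGURED_SID = "S-1-5-21-3696253194-4255541209-1824430252"

# Constructed net groupmap list output; not taken from the thread.
GROUPMAP_SAMPLE = f"""\
Domain Admins ({CONFIGURED_SID}-512) -> Domain Admins
Domain Users ({CONFIGURED_SID}-513) -> Domain Users
Domain Computers ({CONFIGURED_SID}-515) -> Domain Computers
"""

if __name__ == "__main__":
    for code, detail in check_primary_group(PDBEDIT_SAMPLE, GROUPMAP_SAMPLE,
                                            CONFIGURED_SID):
        print(code, detail)
```
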


Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread Asier Baranguán

Edmundo Valle Neto escribió:

If your users are Windows users you should add an '-a' here, and add 
the users with the '-a' flag. Like this:


add user script = /usr/sbin/smbldap-useradd -m -a %u
  


Not really, there's nothing wrong with that. If you use the User 
Manager windows application, the posix account is created and samba 
creates the rest. If you are using the shell, then yes, -a is needed 
(but typing it IN THE SHELL not inside smb.conf). You can consult the 
samba documentation or idealx documentation about setting those options.


I don't use the User Manager app: I create the users from the shell with some home-made 
scripts.



delete user script = /usr/sbin/smbldap-userdel -r %u
add group script = /usr/sbin/smbldap-groupadd %g



You should add '-a -p' here:

 add group script = /usr/sbin/smbldap-groupadd -m -a %g
  



Same thing. And I don't know what -m means to smbldap-groupadd script.


Ooops, Fat fingers! It should be '-p'

Then... which'd be the problem? If these settings are not related to the errors, perhaps 
it's a DNS-related question.


Thanks for the explanation.

Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread mikelOn

Hi Edmundo,

I do agree with you. The first thing I wanted was to be able to add a
machine to the domain and once I have been able to do so, I have been
debugging to get to know why LAM was succeeding and the console scripts not. 
Yesterday, I found out that when the windows machine is added through the
console script, the uidNumber assigned is superior to 1000 (1001, 1002 and
so on...) but when added through the LAM it requested a number superior to
5. I do not exactly know why, but if I create the machines via the
console script (smbldap-useradd -w) the username not found message appears
and the machine is assigned a number superior to 1000. If I then change such
uidNumber to 5000x, the machine can then join the domain.

This morning I wanted to review the smbldap-useradd perl script to see if
there is any place (config file or so) where I can indicate the base number
I want for the machines.

Do I need to set that base uidNumber somewhere? Why must it be set to
above 5?
Did you ever experience anything similar?

Thanks for your help.


Edmundo Valle Neto wrote:
 
 Just to make it clear that it's not normal for a system to really need to have 
 accounts created that way. I don't think it is a good idea to call a 
 workaround used on a system that someone didn't get working properly 
 (who knows why) a solution; samba works very fine creating 
 workstation accounts automatically when joining the clients and can even 
 use accounts other than root through privileges to join the client.
 
 The list has several posts about that and the samba documentation shows 
 how to do that automatically and manually.
 
 But anyway if the user that asked simply said that it's fine for him that 
 way, and dropped the thread ...
 
 Regards.
 
 Edmundo Valle Neto
 
 
 
 mikelOn escreveu:
 Great!!!

 I have created a couple of machine accounts through the LAM utility and I
 have eventually been able to join the domain.

 Thank you very much for your help.


 John Drescher-2 wrote:
   
 I have had the same problem with a similar setup for at least 3 years.
 My solution is to create the account for the windows workstation
 either via the smbldap-useradd and the linux useradd commands or a gui
 wizard that does this for me. I currently use ldap-account-manager
 http://lam.sourceforge.net/ for as well as user management. And then
 after the account is created the windows add to domain boxes work.

 John


Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread Asier Baranguán

mikelOn escribió:



This morning I wanted to review the smbldap-useradd perl script to see if
there is any place (config file or so) where I can indicate the base number
I want for the machines.

Do I need to set that base uidNumber somewhere? Why must it be set to
above 5?
Did you ever experience anything similar?


(I suppose you have executed the smbldap-populate script)

When you execute the smbldap-populate you can pass some parameters to set the first 
uid/gid number that will be assigned to the users/groups. These scripts read the value from 
the sambaDomainName LDAP entry and update it when adding groups/users. I think these 
values are the uidNumber and gidNumber attributes, but I'm not sure.


As LAM doesn't use the smbldap scripts it has different starting numbers (see the lam.conf 
file, usually at /usr/share/ldap-account-manager/config) AFAIK this is used to separate 
regular unix accounts from LDAP accounts to prevent overlapping.


Look at your /etc/passwd file and slapcat output for id collision. Perhaps that was your 
problem.
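
The comparison suggested above, as an added example that is not part of the original message: it parses /etc/passwd content and slapcat LDIF, reports uidNumbers that a local account and an LDAP account share under different names, and also lists LDAP posixAccount entries that carry no sambaSamAccount objectClass (the condition discussed elsewhere in this thread). Both samples are constructed; only the dc=eremu,dc=org suffix and the ou names come from the thread, and the function names are made up for this sketch.

```python
import base64
from collections import defaultdict


def parse_ldif(text):
    """Return a list of entries; each maps a lower-cased attribute to its values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]            # LDIF continuation line: unfold
        else:
            lines.append(raw)
    entries, current = [], defaultdict(list)
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(dict(current))
                current = defaultdict(list)
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current[attr.lower()].append(value.strip())
    return entries


def parse_passwd(text):
    """Map numeric uid -> list of local login names from /etc/passwd content."""
    by_uid = defaultdict(list)
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) >= 7 and parts[2].isdigit():
            by_uid[int(parts[2])].append(parts[0])
    return by_uid


def find_uid_collisions(passwd_text, ldif_text):
    """Return sorted (uidNumber, local name, LDAP uid) where the names differ."""
    local = parse_passwd(passwd_text)
    hits = []
    for entry in parse_ldif(ldif_text):
        ldap_name = entry.get("uid", ["?"])[0]
        for uid_number in entry.get("uidnumber", []):
            if not uid_number.isdigit():
                continue
            for local_name in local.get(int(uid_number), []):
                if local_name != ldap_name:
                    hits.append((int(uid_number), local_name, ldap_name))
    return sorted(hits)


def posix_only_accounts(ldif_text):
    """Return uids of posixAccount entries that lack sambaSamAccount."""
    found = []
    for entry in parse_ldif(ldif_text):
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "posixaccount" in classes and "sambasamaccount" not in classes:
            found.append(entry.get("uid", ["?"])[0])
    return sorted(found)


# Constructed /etc/passwd content.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
ldap:x:439:439::/var/lib/openldap-data:/sbin/nologin
mikel:x:1000:100::/home/mikel:/bin/bash
"""

# Constructed slapcat output; the last dn is folded the way slapcat wraps lines.
SLAPCAT_SAMPLE = """\
dn: uid=root,ou=Users,dc=eremu,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: root
uidNumber: 0
gidNumber: 0

dn: uid=testuser,ou=Users,dc=eremu,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: testuser
uidNumber: 1000
gidNumber: 513

dn: uid=winxp01$,ou=Computers,dc=ere
 mu,dc=org
objectClass: account
objectClass: posixAccount
uid: winxp01$
uidNumber: 1001
gidNumber: 515
"""

if __name__ == "__main__":
    for uid_number, local_name, ldap_name in find_uid_collisions(
            PASSWD_SAMPLE, SLAPCAT_SAMPLE):
        print(f"uidNumber {uid_number}: local '{local_name}' vs LDAP '{ldap_name}'")
    print("posix-only LDAP accounts:", posix_only_accounts(SLAPCAT_SAMPLE))
```
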

Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread mikelOn

Sorry, I was wrong. After changing such value the machines are added with a
number above 5 but still cannot join the domain.

I will keep comparing the records created by the script and the LAM and give
some feedback.

Thanks for your help.


Asier Baranguán wrote:
 
 mikelOn escribió:
 
 
 This morning I wanted to review the smbldap-useradd perl script to see if
 there is any place (config file or so) where I can indicate the base
 number
 I want for the machines.
 
 ¿Do I need to set that base uidNumber somewhere? ¿Why must it be set to
 above than 5?
 ¿Did you ever experience anything similar?
 
 (I suppose you have executed the smbldap-populate script)
 
 When you execute the smbldap-populate you can pass some parameters to set
 the first 
 uid/gid number that will be assigned to the users/groups. This scripts
 read the value from 
 the sambaDomainName LDAP entry and updates it when adding groups/users. I
 think this 
 values are the uidNumber and gidNumber attributes, but I'm not sure.
 
 As LAM doesn't use the smbldap scripts it has different starting numbers
 (see the lam.conf 
 file, usually at /usr/share/ldap-account-manager/config) AFAIK this is
 used to separate 
 regular unix accounts from LDAP accounts to prevent overlapping.
 
 Look at your /etc/passwd file and slapcat output for id collision. Perhaps
 that was your 
 problem.
 


Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread mikelOn
 browsable = no
 create mode = 0644
 directory mode = 0755
 guest ok = yes
 [homes]
 path = /home/%U
 browseable = no
 valid users = %S
 read only = no
 create mask = 0664
 directory mask = 0775
 8
 
 The slapd.conf is the following:
 
 8
 
 include /etc/openldap/schema/core.schema
 include /etc/openldap/schema/cosine.schema
 include /etc/openldap/schema/inetorgperson.schema
 include /etc/openldap/schema/nis.schema
 include /etc/openldap/schema/samba.schema
 
 password-hash {md5}
 
 pidfile     /var/run/openldap/slapd.pid
 argsfile    /var/run/openldap/slapd.args
 loglevel    1024
 
 database    bdb
 suffix      dc=eremu,dc=org
 checkpoint  32  30 # kbyte min
 rootdn      cn=root,dc=eremu,dc=org
 rootpw      {MD5}HEREGOESTHEHASH
 directory   /var/lib/openldap-data
 
 index   sambaSID                                        eq
 index   sambaPrimaryGroupSID                            eq
 index   sambaDomainName                                 eq
 index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
 index   cn,mail,surname,givenname                       eq,subinitial
 index   default                                         eq
 index   phpgwContactOwner                               pres,eq,sub
 
 access  to attrs=userPassword
   by self   write
   by anonymous  auth
   by *  none
 
 access to attrs=userPassword,sambaLMPassword,sambaNTPassword
 by self write
 by anonymous auth
 by * none
 
 access to *
 by self write
 by * read
 
 8
 
 The smbldap.conf is the following:
 
 8
 
 # Put your own SID. To obtain this number do: net getlocalsid.
 # If not defined, parameter is taking from net getlocalsid return
 SID=S-1-5-21-3696253194-4255541209-1824430252
 
 sambaDomain=eremu
 
 slaveLDAP=localhost
 slavePort=389
 masterLDAP=localhost
 masterPort=389
 
 ldapTLS=0
 verify=none
 hash_encrypt=MD5
 
 suffix=dc=eremu,dc=org
 usersdn=ou=Users,${suffix}
 computersdn=ou=Computers,${suffix}
 groupsdn=ou=Groups,${suffix}
 idmapdn=ou=Idmap,${suffix}
 sambaUnixIdPooldn=sambaDomainName=eremu,${suffix}
 scope=sub
 
 crypt_salt_format=%s
 
 userLoginShell=/bin/bash
 userHome=/home/%U
 userHomeDirectoryMode=700
 userGecos=System User
 defaultUserGid=513
 defaultComputerGid=515
 skeletonDir=/etc/skel
 defaultMaxPasswordAge=45
 
 userSmbHome=\\SAMBA\%U
 userProfile=\\SAMBA\profiles\%U
 
 userHomeDrive=Z:
 
 mailDomain=eremu.org
 
 with_smbpasswd=0
 smbpasswd=/usr/bin/smbpasswd
 
 with_slappasswd=0
 slappasswd=/usr/sbin/slappasswd
 
 8
 
 
 Should you need further details, please just let me know.
 Any help would be appreciated. Thanks a lot.
 
 P.S.: ¿Can it have anything to do with other stuff such as the DNS server?
 



Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread Alex Crow
On Wed, 2007-06-27 at 01:42 -0700, mikelOn wrote:
 
 Hi all,
 
 I finally found where the problem is. The samba attributes are not being
 added when the workstation entry is created. The sambaSamAccount
 objectclass is missing. 
 
 Why is it not being added if it is supposed to be a windows workstation? Is
 there a bug in the smbldap-useradd script when invoked with the -w
 parameter?
 

You need both -a and -m passwd to smbldap-useradd for the samba
attributes to be added, IMHO.

Alex



Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread mikelOn


Hi Alex,

I don't think those modifiers would change anything but I have tried them
anyway and the objectclass is still not being added.

Thanks for the suggestion.


Alex Crow wrote:
 
 On Wed, 2007-06-27 at 01:42 -0700, mikelOn wrote:
 
 Hi all,
 
 I finally found where the problem is. The samba attributes are not being
 added when the workstation entry is created. The sambaSamAccount
 objectclass is missing. 
 
 Why is it not being added if it is supposed to be a windows workstation?
 Is
 there a bug in the smbldap-useradd script when invoked with the -w
 parameter?
 
 
 You need both -a and -m passwd to smbldap-useradd for the samba
 attributes to be added, IMHO.
 
 Alex
 


Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread Edmundo Valle Neto

mikelOn escreveu:

Hi Alex,

I don't think those modifiers would change anything but I have tried them
anyway and the objectclass is still not being added.

Thanks for the suggestion.


Alex Crow wrote:
  

On Wed, 2007-06-27 at 01:42 -0700, mikelOn wrote:


Hi all,

I finally found where the problem is. The samba attributes are not being
added when the workstation entry is created. The sambaSamAccount
objectclass is missing. 


Why is it not being added if it is supposed to be a windows workstation?
Is
there a bug in the smbldap-useradd script when invoked with the -w
parameter?

  

You need both -a and -m passwd to smbldap-useradd for the samba
attributes to be added, IMHO.

Alex




Again, those scripts are used only by tools that create accounts through 
samba, like net or usrmgr; if you don't use it those lines will not be used.


About the samba attributes, when you add a machine account the script 
add machine must NOT ADD SAMBA ATTRIBUTES, only posix, samba does that 
alone. Refer to the idealx documentation (if you really want that things 
work properly, reading the documentation is not an option), it was 
already discussed here and the documentation explains how to configure 
that and how it should work.


http://sourceforge.net/docman/display_doc.php?docid=33543&group_id=166108

About knowing what is happening, put a log level 2 or 3 and try to join 
a machine. Look at the logs, it should say what exit the script gave and 
what samba tried to do.


Regards.

Edmundo Valle Neto




Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread Edmundo Valle Neto
The RID portion doesn't really matter as it doesn't clash with known 
RIDs (below 1000), and other created RIDs (you cannot have two accounts 
with the same RID, composing the same SID).


Regards.

Edmundo Valle Neto


mikelOn escreveu:

Sorry, I was wrong. After changing such value the machines are added with a
number above 5 but still cannot join the domain.

I will keep comparing the records created by the script and the LAM and give
some feedback.

Thanks for your help.


Asier Baranguán wrote:
  

mikelOn escribió:




This morning I wanted to review the smbldap-useradd perl script to see if
there is any place (config file or so) where I can indicate the base
number
I want for the machines.

¿Do I need to set that base uidNumber somewhere? ¿Why must it be set to
above than 5?
¿Did you ever experience anything similar?
  

(I suppose you have executed the smbldap-populate script)

When you execute the smbldap-populate you can pass some parameters to set
the first 
uid/gid number that will be assigned to the users/groups. This scripts
read the value from 
the sambaDomainName LDAP entry and updates it when adding groups/users. I
think this 
values are the uidNumber and gidNumber attributes, but I'm not sure.


As LAM doesn't use the smbldap scripts it has different starting numbers
(see the lam.conf 
file, usually at /usr/share/ldap-account-manager/config) AFAIK this is
used to separate 
regular unix accounts from LDAP accounts to prevent overlapping.


Look at your /etc/passwd file and slapcat output for id collision. Perhaps
that was your 
problem.




Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread John Drescher

About the samba attributes, when you add a machine account the script
add machine must NOT ADD SAMBA ATTRIBUTES, only posix, samba does that
alone. Refer to the idealx documentation (if you really want that things
work properly, reading the documentation is not an option), it was
already discussed here and the documentation explains how to configure
that and how it should work.

http://sourceforge.net/docman/display_doc.php?docid=33543group_id=166108



Very strange as it appears that it will only work for me if the
sambaSAMAccount is there before having windows join to the domain via
the windows XP dialogs. This is what LAM is doing that the idealx
scripts are not doing.

John


Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread mikelOn


About the samba attributes, when you add a machine account the script 
add machine must NOT ADD SAMBA ATTRIBUTES, only posix, samba does that 
alone. Refer to the idealx documentation (if you really want that things 
work properly, reading the documentation is not an option), it was 
already discussed here and the documentation explains how to configure 
that and how it should work.

I did set a debug level of 4 and what I saw was a NT_STATUS_NO_SUCH_USER (or
something alike) but no more specific details. The machine account (posix)
gets created automatically but the samba attributes are not added by samba.

Again, those scripts are used only by tools that create accounts trough 
samba, like net or usrmgr, if you dont use it those lines will not be used.

I think you are wrong, because the add machine script DOES get executed
when adding a machine to a domain.

http://sourceforge.net/docman/display_doc.php?docid=33543group_id=166108

About knowing what is happening, put a log level 2 or 3 and try to join 
a machine. Look at the logs, it should say what exit the script gave and 
what samba tried to do.

I have read the documentation you point out and many other tutorials and
howtos but I find myself in the same situation I was some days ago. I have
even tried to install everything in three different linux distros and in one
of them I have reinstalled everything from scratch three or four times. This
is why I am trying alternate methods.

So, samba is not doing its job and it may be because I am missing something
but I still do not know what it is. Anyway, I can post the samba log if you
think it is helpful to find out the source of the error.

Thanks for the advice,

Mikel


Edmundo Valle Neto wrote:
 
 mikelOn escreveu:
 Hi Alex,

 I don´t think those modifiers would change anything but I have tried them
 anyway and the objectclass is still not being added.

 Thanks for the suggestion.


 Alex Crow wrote:
   
 On Wed, 2007-06-27 at 01:42 -0700, mikelOn wrote:
 
 Hi all,

 I finally found where the problem is. The samba attributes are not
 being
 added when the workstation entry is created. The sambaSamAccount
 objectclass is missing. 

 Why is it not being added if it is suppossed to be a windows
 workstation?
 Is
 there a bug in the smbldap-useradd script when invoked with the -w
 parameter?

   
 You need both -a and -m passwd to smbldap-useradd for the samba
 attributes to be added, IMHO.

 Alex

 
 
 Again, those scripts are used only by tools that create accounts trough 
 samba, like net or usrmgr, if you dont use it those lines will not be
 used.
 
 About the samba attributes, when you add a machine account the script 
 add machine must NOT ADD SAMBA ATTRIBUTES, only posix, samba does that 
 alone. Refer to the idealx documentation (if you really want that things 
 work properly, reading the documentation is not an option), it was 
 already discussed here and the documentation explains how to configure 
 that and how it should work.
 
 http://sourceforge.net/docman/display_doc.php?docid=33543group_id=166108
 
 About knowing what is happening, put a log level 2 or 3 and try to join 
 a machine. Look at the logs, it should say what exit the script gave and 
 what samba tried to do.
 
 Regards.
 
 Edmundo Valle Neto
 
 
 
 



Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread mikelOn


I have tried to add a new machine right now and this is the log of the
operation:

[2007/06/27 18:53:42, 3] passdb/pdb_interface.c:pdb_default_create_user(368)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w
mikelvm$' gave 0
[2007/06/27 18:53:42, 3] passdb/pdb_interface.c:pdb_default_create_user(384)
  pdb_default_create_user: failed to create a new user structure:
NT_STATUS_NO_SUCH_USER

As you can see it is not of much help (at least for me). I even debugged the
domain addition process in windows which failed in the NetUserAdd api with
the same error (NT_STATUS_NO_SUCH_USER).

The only thing I can guess is that samba is not doing its job...

Thanks for your time,

Mikel


Edmundo Valle Neto wrote:
 
 mikelOn escreveu:
 Hi Alex,

 I don´t think those modifiers would change anything but I have tried them
 anyway and the objectclass is still not being added.

 Thanks for the suggestion.


 Alex Crow wrote:
   
 On Wed, 2007-06-27 at 01:42 -0700, mikelOn wrote:
 
 Hi all,

 I finally found where the problem is. The samba attributes are not
 being
 added when the workstation entry is created. The sambaSamAccount
 objectclass is missing. 

 Why is it not being added if it is suppossed to be a windows
 workstation?
 Is
 there a bug in the smbldap-useradd script when invoked with the -w
 parameter?

   
 You need both -a and -m passwd to smbldap-useradd for the samba
 attributes to be added, IMHO.

 Alex

 
 
 Again, those scripts are used only by tools that create accounts trough 
 samba, like net or usrmgr, if you dont use it those lines will not be
 used.
 
 About the samba attributes, when you add a machine account the script 
 add machine must NOT ADD SAMBA ATTRIBUTES, only posix, samba does that 
 alone. Refer to the idealx documentation (if you really want that things 
 work properly, reading the documentation is not an option), it was 
 already discussed here and the documentation explains how to configure 
 that and how it should work.
 
 http://sourceforge.net/docman/display_doc.php?docid=33543group_id=166108
 
 About knowing what is happening, put a log level 2 or 3 and try to join 
 a machine. Look at the logs, it should say what exit the script gave and 
 what samba tried to do.
 
 Regards.
 
 Edmundo Valle Neto
 
 
 
 



Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread simo
On Wed, 2007-06-27 at 09:45 -0700, mikelOn wrote:
 
 About the samba attributes, when you add a machine account the script 
 add machine must NOT ADD SAMBA ATTRIBUTES, only posix, samba does that 
 alone. Refer to the idealx documentation (if you really want that things 
 work properly, reading the documentation is not an option), it was 
 already discussed here and the documentation explains how to configure 
 that and how it should work.
 
 I did set a debug level of 4 and what I saw was a NT_STATUS_NO_SUCH_USER (or
 something alike) but no more specific details. The machine account (posix)
 gets created automatically but the samba attributes are not added by samba.

look for nscd running, it may cache a negative response and samba never
sees the created posix attributes in time to add samba stuff.

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread mikelOn



I am not running nscd :(

Thanks for your response


simo-7 wrote:
 
 On Wed, 2007-06-27 at 09:45 -0700, mikelOn wrote:
 
 About the samba attributes, when you add a machine account the script 
 add machine must NOT ADD SAMBA ATTRIBUTES, only posix, samba does that 
 alone. Refer to the idealx documentation (if you really want that things 
 work properly, reading the documentation is not an option), it was 
 already discussed here and the documentation explains how to configure 
 that and how it should work.
 
 I did set a debug level of 4 and what I saw was a NT_STATUS_NO_SUCH_USER
 (or
 something alike) but no more specific details. The machine account
 (posix)
 gets created automatically but the samba attributes are not added by
 samba.
 
 look for nscd running, it may cache a negative response and samba never
 see the created posix attributes in time to add samba stuff.
 
 Simo.
 
 -- 
 Simo Sorce
 Samba Team GPL Compliance Officer
 email: [EMAIL PROTECTED]
 http://samba.org
 
 
 



Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread Edmundo Valle Neto

mikelOn escreveu:
About the samba attributes, when you add a machine account the script 
add machine must NOT ADD SAMBA ATTRIBUTES, only posix, samba does that 
alone. Refer to the idealx documentation (if you really want that things 
work properly, reading the documentation is not an option), it was 
already discussed here and the documentation explains how to configure 
that and how it should work.



I did set a debug level of 4 and what I saw was a NT_STATUS_NO_SUCH_USER (or
something alike) but no more specific details. The machine account (posix)
gets created automatically but the samba attributes are not added by samba.
  


A snip from an old post in the history of the list, you should expect 
something like that when adding a machine with a loglevel of 3 (look, 
only -w used, and samba saying that it will create the rest):


A samba log with a level 3 output:

...
[2006/06/26 14:47:28, 3] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
_samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w 
testmachine$' gave 0

...
[2006/06/26 14:47:28, 3] passdb/pdb_ldap.c:ldapsam_add_sam_account(1832)
ldapsam_add_sam_account: User exists without samba attributes: adding them
[2006/06/26 14:47:28, 2] passdb/pdb_ldap.c:init_ldap_from_sam(912)
init_ldap_from_sam: Setting entry for user: testmachine$
[2006/06/26 14:47:28, 2] passdb/pdb_ldap.c:ldapsam_add_sam_account(1942)
ldapsam_add_sam_account: added: uid == testmachine$ in the LDAP database
...

Again, those scripts are used only by tools that create accounts trough 
samba, like net or usrmgr, if you dont use it those lines will not be used.



I think you are wrong, because the add machine script DOES get executed
when adding a machine to a domain.
  


OK, yes it is. I answered this without context. (I already said this 
earlier, in a previous post)



http://sourceforge.net/docman/display_doc.php?docid=33543group_id=166108



  
About knowing what is happening, put a log level 2 or 3 and try to join 
a machine. Look at the logs, it should say what exit the script gave and 
what samba tried to do.



I have read the documentation you point out and many other tutorials and
howtos but I find myself in the same situation I was some days ago. I have
even tried to install everything in three different linux distros and in one
of them I have reinstalled everything from scratch three or four times. This
is why I am trying alternate methods.

So, samba is not doing its job and it may be because I am missing something
but I still do not know what it is. Anyway, I can post the samba log if you
think it is helpful to find out the source of the error.
  


There's a LOT of things that can go wrong when using LDAP as you can 
populate and use it the way YOU want, but samba expects it in a proper way.


It's recommended that you populate it using smbldap-populate.
You need to have the tools configured properly.
You need to have a user that has rights to join machines, a root 
account WITH samba attributes, or another user with proper privileges 
assigned by hand.
Samba must know the password of the ldap administrator to be able to 
change it.



Regards.

Edmundo Valle Neto


Thanks for the advice,

Mikel


Edmundo Valle Neto wrote:
  

mikelOn escreveu:


Hi Alex,

I don´t think those modifiers would change anything but I have tried them
anyway and the objectclass is still not being added.

Thanks for the suggestion.


Alex Crow wrote:
  
  

On Wed, 2007-06-27 at 01:42 -0700, mikelOn wrote:



Hi all,

I finally found where the problem is. The samba attributes are not
being
added when the workstation entry is created. The sambaSamAccount
objectclass is missing. 


Why is it not being added if it is suppossed to be a windows
workstation?
Is
there a bug in the smbldap-useradd script when invoked with the -w
parameter?

  
  

You need both -a and -m passwd to smbldap-useradd for the samba
attributes to be added, IMHO.

Alex



Again, those scripts are used only by tools that create accounts trough 
samba, like net or usrmgr, if you dont use it those lines will not be

used.

About the samba attributes, when you add a machine account the script 
add machine must NOT ADD SAMBA ATTRIBUTES, only posix, samba does that 
alone. Refer to the idealx documentation (if you really want that things 
work properly, reading the documentation is not an option), it was 
already discussed here and the documentation explains how to configure 
that and how it should work.


http://sourceforge.net/docman/display_doc.php?docid=33543group_id=166108

About knowing what is happening, put a log level 2 or 3 and try to join 
a machine. Look at the logs, it should say what exit the script gave and 
what samba tried to do.


Regards.

Edmundo Valle Neto



Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread John Drescher

Sorry if it is a bit of a pain that I am also answering this thread
but I do experience the same  problem...


Theres a LOT of things that can got wrong when using LDAP as you can
populate and use it the way YOU want, but samba expects it in a proper way.

Its recommended that you populate it using smbldap-populate.

Did not do that.


You need to have the tools configured properly.

Yes, according to the docs I have this correct.


You need to have an user that have rights to join machines, a root
account WITH samba attributes, or another user with proper privileges
assigned by hand.

Yes. It does not matter whether I use root or a user with the correct
privileges.


Samba must know the password of the ldap administrator to be able to
change it.


Samba has that for me.

John


Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread Edmundo Valle Neto

What distro are you using?
How did you populate it?
I use Debian (it's a little different), but how did you configure NSS? 
(getent passwd shows your machine accounts?)
What user are you using to join? (if root, smbclient -L localhost 
-Uroot works on the shell to list the shares?)


Regards.

Edmundo Valle Neto

mikelOn escreveu:


I am not running nscd :(

Thanks for your response


simo-7 wrote:
  

On Wed, 2007-06-27 at 09:45 -0700, mikelOn wrote:

About the samba attributes, when you add a machine account the script 
add machine must NOT ADD SAMBA ATTRIBUTES, only posix, samba does that 
alone. Refer to the idealx documentation (if you really want that things 
work properly, reading the documentation is not an option), it was 
already discussed here and the documentation explains how to configure 
that and how it should work.


I did set a debug level of 4 and what I saw was a NT_STATUS_NO_SUCH_USER
(or
something alike) but no more specific details. The machine account
(posix)
gets created automatically but the samba attributes are not added by
samba.
  

look for nscd running, it may cache a negative response and samba never
see the created posix attributes in time to add samba stuff.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org






  




Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread mikelOn

I am using debian etch for the testing but I have had the same problem with
gentoo 2007.0. I used smbldap-populate (the admin user is root so no
parameters at all) and I also tried with -u 5 and -g 5 so that
user ids do not overlap.

Do I need anything else (nss) if I am not authenticating *nix clients?

getent passwd does not show the machine accounts, should they also be
there and not only in the ldap? I thought that was not necessary.

I use the root user to join the machines and the smb query you suggest
works properly. I can even list the samba shares from the windows machines.

Thanks again


Edmundo Valle Neto wrote:
 
 What distro are you using?
 How did you populate it?
 I use Debian (its a little different), but how did you configured NSS? 
 (getent passwd shows your machine accounts?)
 What user are you using to join? (if root, smbclient -L localhost 
 -Uroot works on the shell to list the shares?)
 
 Regards.
 
 Edmundo Valle Neto
 
 mikelOn escreveu:

 I am not running nscd :(

 Thanks for your response


 simo-7 wrote:
   
 On Wed, 2007-06-27 at 09:45 -0700, mikelOn wrote:
 
 About the samba attributes, when you add a machine account the script 
 add machine must NOT ADD SAMBA ATTRIBUTES, only posix, samba does
 that 
 alone. Refer to the idealx documentation (if you really want that
 things 
 work properly, reading the documentation is not an option), it was 
 already discussed here and the documentation explains how to configure 
 that and how it should work.
 
 I did set a debug level of 4 and what I saw was a
 NT_STATUS_NO_SUCH_USER
 (or
 something alike) but no more specific details. The machine account
 (posix)
 gets created automatically but the samba attributes are not added by
 samba.
   
 look for nscd running, it may cache a negative response and samba never
 see the created posix attributes in time to add samba stuff.

 Simo.

 -- 
 Simo Sorce
 Samba Team GPL Compliance Officer
 email: [EMAIL PROTECTED]
 http://samba.org



 

   
 
 
 



Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread Edmundo Valle Neto

mikelOn escreveu:

I am using debian etch for the testing but I have had the same problem with
gentoo 2007.0. I used smbldap-populate (the admin user is root so no
parameters at all) and I also tried with -u 5 and -g 5 so that
user ids do not overlap.
  


Probably you didn't configure something in all the distros.
High ids are used principally in migrations when you don't want them to 
clash with old ids (made who knows how).



Do I need anything else (nss) if I am not authenticating *nix clients?

getent passwd does not show the machine accounts, should they be also be
there and not only in the ldap? I thought that was not necessary.
  


Yes, you do need NSS working. I don't know where exactly it breaks when 
you don't have it. If you don't want to use posix accounts with samba 
simply give them a null shell (set the loginShell attribute to 
/bin/false) and they will not be able to be used (if you don't have 
PAM configured, I doubt that you can use them too). (If I remember right 
smbldap-tools in debian already creates accounts with a null shell)


Samba has an option called ldap:trusted = yes, but I don't know if NSS 
is really NOT USED even if you do that in recent versions of samba. 
Maybe the developers can answer that.


Anyway the system uses NSS to resolve posix account names. And samba 
needs posix accounts to map samba accounts.


In debian you install and configure the package libnss-ldap and set it 
to be used in /etc/nsswitch.conf.


You can test NSS with getent passwd and getent group, your accounts 
in ldap must be visible then.



Regards.

Edmundo Valle Neto


I user the root user to join the machines and the smb query you suggest
works properly. I can even list the samba shares from the windows machines.

Thanks again


Edmundo Valle Neto wrote:
  

What distro are you using?
How did you populate it?
I use Debian (its a little different), but how did you configured NSS? 
(getent passwd shows your machine accounts?)
What user are you using to join? (if root, smbclient -L localhost 
-Uroot works on the shell to list the shares?)


Regards.

Edmundo Valle Neto

mikelOn escreveu:


I am not running nscd :(

Thanks for your response


simo-7 wrote:
  
  

On Wed, 2007-06-27 at 09:45 -0700, mikelOn wrote:


About the samba attributes, when you add a machine account the script 
add machine must NOT ADD SAMBA ATTRIBUTES, only posix, samba does
that 
alone. Refer to the idealx documentation (if you really want that
things 
work properly, reading the documentation is not an option), it was 
already discussed here and the documentation explains how to configure 
that and how it should work.



I did set a debug level of 4 and what I saw was a
NT_STATUS_NO_SUCH_USER
(or
something alike) but no more specific details. The machine account
(posix)
gets created automatically but the samba attributes are not added by
samba.
  
  

look for nscd running, it may cache a negative response and samba never
see the created posix attributes in time to add samba stuff.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org





  
  






  


--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
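
The two log excerpts posted in this thread, run through a small triage script that pairs each add machine script run with what Samba did next. This is an added example, not part of any poster's message and not Samba code; the function names, result codes and advice strings are this example's own, and the sample logs are the excerpts quoted in the messages above with their mail line-wrapping left in.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Log excerpts as posted in the thread (mail line-wrapping left in place).
FAILING_JOIN_LOG = """\
[2007/06/27 18:53:42, 3] passdb/pdb_interface.c:pdb_default_create_user(368)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w
mikelvm$' gave 0
[2007/06/27 18:53:42, 3] passdb/pdb_interface.c:pdb_default_create_user(384)
  pdb_default_create_user: failed to create a new user structure:
NT_STATUS_NO_SUCH_USER
"""

WORKING_JOIN_LOG = """\
...
[2006/06/26 14:47:28, 3] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
_samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w
testmachine$' gave 0
...
[2006/06/26 14:47:28, 3] passdb/pdb_ldap.c:ldapsam_add_sam_account(1832)
ldapsam_add_sam_account: User exists without samba attributes: adding them
[2006/06/26 14:47:28, 2] passdb/pdb_ldap.c:init_ldap_from_sam(912)
init_ldap_from_sam: Setting entry for user: testmachine$
[2006/06/26 14:47:28, 2] passdb/pdb_ldap.c:ldapsam_add_sam_account(1942)
ldapsam_add_sam_account: added: uid == testmachine$ in the LDAP database
...
"""

HEADER = re.compile(r"^\[(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*\d+\]\s+(?P<where>\S+)$")
SCRIPT = re.compile(r"Running the command `(?P<cmd>.+?)' gave (?P<rc>-?\d+)")
ADDED = re.compile(r"ldapsam_add_sam_account: added: uid == (?P<uid>\S+) in the LDAP database")
FAILED = re.compile(r"failed to create a new user structure: (?P<status>NT_STATUS_\w+)")


@dataclass
class JoinAttempt:
    timestamp: str
    account: str            # last word of the script command, e.g. "mikelvm$"
    script_rc: int          # exit status Samba logged for the add machine script
    outcome: str = "unknown"  # "added", an NT_STATUS_* name, or "unknown"


def parse_records(text: str) -> List[Tuple[str, str, str]]:
    """Group a log into (timestamp, source location, message) records.

    Every line that is not a "[date, level] file:function(line)" header is
    treated as a continuation of the previous record, which also undoes the
    wrapping a mail client applied to long message lines.
    """
    records: List[list] = []
    for raw in text.splitlines():
        line = raw.strip()
        header = HEADER.match(line)
        if header:
            records.append([header["ts"], header["where"], ""])
        elif line and line != "..." and records:
            records[-1][2] = (records[-1][2] + " " + line).strip()
    return [tuple(r) for r in records]


def join_attempts(text: str) -> List[JoinAttempt]:
    """Pair each script run with the next result Samba logged for it."""
    attempts: List[JoinAttempt] = []
    for ts, _where, msg in parse_records(text):
        ran = SCRIPT.search(msg)
        if ran:
            attempts.append(JoinAttempt(ts, ran["cmd"].split()[-1], int(ran["rc"])))
            continue
        pending = [a for a in attempts if a.outcome == "unknown"]
        added, failed = ADDED.search(msg), FAILED.search(msg)
        if added:
            for attempt in pending:
                if attempt.account == added["uid"]:
                    attempt.outcome = "added"
        elif failed and pending:
            # The failure line carries no account name: blame the latest run.
            pending[-1].outcome = failed["status"]
    return attempts


def diagnose(attempt: JoinAttempt) -> Tuple[str, str]:
    """Return (code, advice); the advice restates checks suggested in the thread."""
    if attempt.script_rc != 0:
        return ("script-failed",
                f"add machine script exited {attempt.script_rc}; fix it first")
    if attempt.outcome == "added":
        return ("ok", "Samba found the posix entry and added the samba attributes")
    if attempt.outcome == "NT_STATUS_NO_SUCH_USER":
        return ("posix-account-not-resolvable",
                f"script exited 0 but Samba could not look up {attempt.account}; "
                "check that getent passwd lists it (NSS) and that nscd is not "
                "serving a cached negative answer")
    return ("unresolved", f"outcome {attempt.outcome}; raise the log level and retry")


if __name__ == "__main__":
    for name, log in (("failing", FAILING_JOIN_LOG), ("working", WORKING_JOIN_LOG)):
        for attempt in join_attempts(log):
            print(name, attempt.account, *diagnose(attempt))
```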


Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread Edmundo Valle Neto

John Drescher escreveu:

Sorry if it is a bit of a pain that I am also answering this thread
but I do experience the same  problem...


Theres a LOT of things that can got wrong when using LDAP as you can
populate and use it the way YOU want, but samba expects it in a 
proper way.


Its recommended that you populate it using smbldap-populate.

Did not do that.


It's just recommended, not necessary. I think it's more error prone to that 
using ldif files (idealx scripts already do the initial population for 
you, without problems).  Of course, in a clean install.



You need to have the tools configured properly.

Yes, according to the docs I have this correct.


You need to have an user that have rights to join machines, a root
account WITH samba attributes, or another user with proper privileges
assigned by hand.

Yes. It does not matter whether I use root or a user with the correct
privileges.


Would be easier just looking at the log errors.




Samba must know the password of the ldap administrator to be able to
change it.


Samba has that for me.

John



Regards.

Edmundo Valle Neto



Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread mikelOn


I will install nss tomorrow as soon as I get to work and I will give feedback
of the experience. I hope the problem is there!

Thank you very much


Edmundo Valle Neto wrote:
 
 mikelOn escreveu:
 I am using debian etch for the testing but I have had the same problem
 with
 gentoo 2007.0. I used smbldap-populate (the admin user is root so no
 parameters at all) and I also tried with -u 5 and -g 5 so that
 user ids do not overlap.
   
 
 Probably you didnt configured something in all the distros.
 High ids are used principally in migrations when you dont want them to 
 clash with old ids (made who knows how).
 
 Do I need anything else (nss) if I am not authenticating *nix clients?

 getent passwd does not show the machine accounts, should they be also be
 there and not only in the ldap? I thought that was not necessary.
   
 
 Yes, do you need NSS working. I dont know where exactly it breaks when 
 you dont have it. If you dont want to use posix accounts with samba 
 simply give them a null shell (set the loginShell attribute with 
 /bin/false) and they will not be able to be used (if you dont have 
 configured PAM, I doubt that you can use them too). (If I remember right 
 smbldap-tools in debian already creates accounts with a null shell)
 
 Samba has an option called ldap:trusted = yes, but I dont know if NSS 
 is really NOT USED even if you do that in recent versions of samba. 
 Maybe the developers can answer that.
 
 Anyway the system uses NSS to resolve posix account names. And samba 
 need posix accounts to map samba accounts.
 
 In debian you install and configure the package libnss-ldap and set it 
 to be used in /etc/nsswitch.conf.
 
 You can test NSS with getent passwd and getent group, your accounts 
 in ldap must be visible then.
 
 
 Regards.
 
 Edmundo Valle Neto
 
 I user the root user to join the machines and the smb query you suggest
 works properly. I can even list the samba shares from the windows
 machines.

 Thanks again


 Edmundo Valle Neto wrote:
   
 What distro are you using?
 How did you populate it?
 I use Debian (its a little different), but how did you configured NSS? 
 (getent passwd shows your machine accounts?)
 What user are you using to join? (if root, smbclient -L localhost 
 -Uroot works on the shell to list the shares?)

 Regards.

 Edmundo Valle Neto

 mikelOn escreveu:
 
 I am not running nscd :(

 Thanks for your response


 simo-7 wrote:
   
   
 On Wed, 2007-06-27 at 09:45 -0700, mikelOn wrote:
 
 
 About the samba attributes, when you add a machine account the
 script 
 add machine must NOT ADD SAMBA ATTRIBUTES, only posix, samba does
 that 
 alone. Refer to the idealx documentation (if you really want that
 things 
 work properly, reading the documentation is not an option), it was 
 already discussed here and the documentation explains how to
 configure 
 that and how it should work.
 
 
 I did set a debug level of 4 and what I saw was a
 NT_STATUS_NO_SUCH_USER
 (or
 something alike) but no more specific details. The machine account
 (posix)
 gets created automatically but the samba attributes are not added by
 samba.
   
   
 look for nscd running, it may cache a negative response and samba
 never
 see the created posix attributes in time to add samba stuff.

 Simo.

 -- 
 Simo Sorce
 Samba Team GPL Compliance Officer
 email: [EMAIL PROTECTED]
 http://samba.org



 
 
   
   


 

   
 
 
 



Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread Ray Klassen

mikelOn wrote:


I have tried to add a new machine right now and this is the log of the
operation:

[2007/06/27 18:53:42, 3] passdb/pdb_interface.c:pdb_default_create_user(368)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w
mikelvm$' gave 0
[2007/06/27 18:53:42, 3] passdb/pdb_interface.c:pdb_default_create_user(384)
  pdb_default_create_user: failed to create a new user structure:
NT_STATUS_NO_SUCH_USER

As you can see is not of much help (at least for me). I even debugged the
domain addition process in windows which failed in the NetUserAdd api with
the same error (NT_STATUS_NO_SUCH_USER).

The only think I can guess is that samba is not doing its job...

Thanks for your time,

Mikel


Edmundo Valle Neto wrote:

mikelOn escreveu:

Hi Alex,

I don´t think those modifiers would change anything but I have tried them
anyway and the objectclass is still not being added.

Thanks for the suggestion.


Alex Crow wrote:
  

On Wed, 2007-06-27 at 01:42 -0700, mikelOn wrote:


Hi all,

I finally found where the problem is. The samba attributes are not
being
added when the workstation entry is created. The sambaSamAccount
objectclass is missing. 


Why is it not being added if it is suppossed to be a windows
workstation?
Is
there a bug in the smbldap-useradd script when invoked with the -w
parameter?

  

You need both -a and -m passwd to smbldap-useradd for the samba
attributes to be added, IMHO.

Alex


Again, those scripts are used only by tools that create accounts through
samba, like net or usrmgr, if you don't use it those lines will not be
used.

About the samba attributes, when you add a machine account the script
add machine must NOT ADD SAMBA ATTRIBUTES, only posix, samba does that
alone. Refer to the idealx documentation (if you really want things to
work properly, reading the documentation is not an option), it was
already discussed here and the documentation explains how to configure
that and how it should work.


http://sourceforge.net/docman/display_doc.php?docid=33543group_id=166108

About knowing what is happening, put a log level 2 or 3 and try to join 
a machine. Look at the logs, it should say what exit the script gave and 
what samba tried to do.


Regards.

Edmundo Valle Neto








What does your /etc/libnss-ldap.conf or /etc/ldap.conf look like?



--
Ray Klassen
Computer SysAdmin
MCC Supportive Care Services


Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread mikelOn


I have added the parameter ldapsam:trusted = yes and now the samba error
has changed to NT_STATUS_UNSUCCESSFUL. The logs say the following:


[2007/06/27 22:41:11, 4] auth/auth_sam.c:sam_account_ok(138)
  sam_account_ok: Checking SMB password for user root
[2007/06/27 22:41:11, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/06/27 22:41:11, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/06/27 22:41:11, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/06/27 22:41:11, 3]
passdb/pdb_ldap.c:ldapsam_enum_group_memberships(2663)
  primary group of [root] not found
[2007/06/27 22:41:11, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/06/27 22:41:11, 0] auth/auth_sam.c:check_sam_security(352)
  check_sam_security: make_server_info_sam() failed with
'NT_STATUS_UNSUCCESSFUL'
[2007/06/27 22:41:11, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [eremu] was
for this SAM.
[2007/06/27 22:41:11, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [root] - [root] FAILED with
error NT_STATUS_UNSUCCESSFUL
[2007/06/27 22:41:11, 3] smbd/error.c:error_packet(146)
  error packet at smbd/sesssetup.c(99) cmd=115 (SMBsesssetupX)
NT_STATUS_UNSUCCESSFUL
[2007/06/27 22:41:11, 3] smbd/process.c:timeout_processing(1359)
  timeout_processing: End of file from client (client has disconnected).
[2007/06/27 22:41:11, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/06/27 22:41:11, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2007/06/27 22:41:11, 3] smbd/server.c:exit_server_common(675)
  Server exit (normal exit)


Do you see anything familiar here?
Thanks


Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread mikelOn


Regarding the primary group of [root] not found message, the sambaSID of
Domain Admins is the same as the sambaPrimaryGroupSID in root. The user
root is inside the group Users.

http://www.nabble.com/file/p11330386/ldap_view.gif 

Hope it helps. Thanks.


Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-27 Thread Edmundo Valle Neto

mikelOn wrote:

I have added the parameter ldapsam:trusted = yes and now the samba error
has changed to NT_STATUS_UNSUCCESSFUL. The logs say the following:


[2007/06/27 22:41:11, 4] auth/auth_sam.c:sam_account_ok(138)
  sam_account_ok: Checking SMB password for user root
[2007/06/27 22:41:11, 3] smbd/sec_ctx.c:push_sec_ctx(208)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/06/27 22:41:11, 3] smbd/uid.c:push_conn_ctx(353)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/06/27 22:41:11, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/06/27 22:41:11, 3]
passdb/pdb_ldap.c:ldapsam_enum_group_memberships(2663)
  primary group of [root] not found
[2007/06/27 22:41:11, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/06/27 22:41:11, 0] auth/auth_sam.c:check_sam_security(352)
  check_sam_security: make_server_info_sam() failed with
'NT_STATUS_UNSUCCESSFUL'
[2007/06/27 22:41:11, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [eremu] was
for this SAM.
[2007/06/27 22:41:11, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password:  Authentication for user [root] - [root] FAILED with
error NT_STATUS_UNSUCCESSFUL
[2007/06/27 22:41:11, 3] smbd/error.c:error_packet(146)
  error packet at smbd/sesssetup.c(99) cmd=115 (SMBsesssetupX)
NT_STATUS_UNSUCCESSFUL
[2007/06/27 22:41:11, 3] smbd/process.c:timeout_processing(1359)
  timeout_processing: End of file from client (client has disconnected).
[2007/06/27 22:41:11, 3] smbd/sec_ctx.c:set_sec_ctx(241)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/06/27 22:41:11, 3] smbd/connection.c:yield_connection(69)
  Yielding connection to
[2007/06/27 22:41:11, 3] smbd/server.c:exit_server_common(675)
  Server exit (normal exit)


Do you see anything familiar here?
Thanks
  


What does pdbedit -v root show?

Regards.

Edmundo Valle Neto
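
A small triage helper for the two log excerpts quoted in this thread (the NT_STATUS_NO_SUCH_USER one and the NT_STATUS_UNSUCCESSFUL one), added here as an example and not code from any poster or from the Samba project. It rejoins headers and messages that e-mail wrapping split, then pairs a cause line with the failure logged shortly after it; the rule labels, the window size and the sample text (copied from the excerpts) are assumptions of the example.

```python
import re

# Constructed sample: lines copied from the thread's excerpts, wrapped header kept.
SAMPLE_LOG = """\
[2007/06/27 18:53:42, 3] passdb/pdb_interface.c:pdb_default_create_user(368)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w
mikelvm$' gave 0
[2007/06/27 18:53:42, 3] passdb/pdb_interface.c:pdb_default_create_user(384)
  pdb_default_create_user: failed to create a new user structure:
NT_STATUS_NO_SUCH_USER
[2007/06/27 22:41:11, 3]
passdb/pdb_ldap.c:ldapsam_enum_group_memberships(2663)
  primary group of [root] not found
[2007/06/27 22:41:11, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/06/27 22:41:11, 0] auth/auth_sam.c:check_sam_security(352)
  check_sam_security: make_server_info_sam() failed with
'NT_STATUS_UNSUCCESSFUL'
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), +\d+\]\s*(\S+\(\d+\))?\s*$")
LOCATION = re.compile(r"^\S+:\w+\(\d+\)$")

# Hypothetical rule labels: (label, pattern on the earlier record, text in a later one)
RULES = [
    ("script-ok-account-unresolved",
     re.compile(r"Running the command `(.+?)' gave 0\b"), "NT_STATUS_NO_SUCH_USER"),
    ("primary-group-unresolved-auth-failed",
     re.compile(r"primary group of \[(.+?)\] not found"), "make_server_info_sam() failed"),
]

def parse_records(text):
    """Rebuild one record per log header, rejoining wrapped headers and messages."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        head = HEADER.match(line)
        if head:
            records.append({"time": head.group(1), "where": head.group(2), "msg": ""})
        elif records and records[-1]["where"] is None and LOCATION.match(line):
            records[-1]["where"] = line          # location wrapped onto its own line
        elif records and line:
            records[-1]["msg"] = (records[-1]["msg"] + " " + line).strip()
    return records

def triage(records, window=3):
    """Report a cause line when its paired failure appears within `window` records."""
    findings = []
    for i, rec in enumerate(records):
        for label, cause, effect in RULES:
            hit = cause.search(rec["msg"])
            later = records[i + 1:i + 1 + window]
            if hit and any(effect in r["msg"] for r in later):
                findings.append((label, hit.group(1), rec["where"]))
    return findings

if __name__ == "__main__":
    for finding in triage(parse_records(SAMPLE_LOG)):
        print(finding)
```

The first finding is the pattern the original poster later traced to a missing nss-ldap: the add machine script exits 0, yet Samba still reports NT_STATUS_NO_SUCH_USER for the account.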


[Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-26 Thread mikelOn

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

password-hash {md5}

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 1024

database bdb
suffix  dc=eremu,dc=org
checkpoint  32  30 # kbyte min
rootdn  cn=root,dc=eremu,dc=org
rootpw  {MD5}HEREGOESTHEHASH
directory   /var/lib/openldap-data

index   sambaSID eq
index   sambaPrimaryGroupSID eq
index   sambaDomainName eq
index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
index   cn,mail,surname,givenname   eq,subinitial
index   default eq
index   phpgwContactOwner   pres,eq,sub

access  to attrs=userPassword
  by self   write
  by anonymous  auth
  by *  none

access to attrs=userPassword,sambaLMPassword,sambaNTPassword
  by self write
  by anonymous auth
  by * none

access to *
  by self write
  by * read

The smbldap.conf is the following:

# Put your own SID. To obtain this number do: net getlocalsid.
# If not defined, parameter is taking from net getlocalsid return
SID=S-1-5-21-3696253194-4255541209-1824430252

sambaDomain=eremu

slaveLDAP=localhost
slavePort=389
masterLDAP=localhost
masterPort=389

ldapTLS=0
verify=none
hash_encrypt=MD5

suffix=dc=eremu,dc=org
usersdn=ou=Users,${suffix}
computersdn=ou=Computers,${suffix}
groupsdn=ou=Groups,${suffix}
idmapdn=ou=Idmap,${suffix}
sambaUnixIdPooldn=sambaDomainName=eremu,${suffix}
scope=sub

crypt_salt_format=%s

userLoginShell=/bin/bash
userHome=/home/%U
userHomeDirectoryMode=700
userGecos=System User
defaultUserGid=513
defaultComputerGid=515
skeletonDir=/etc/skel
defaultMaxPasswordAge=45

userSmbHome=\\SAMBA\%U
userProfile=\\SAMBA\profiles\%U

userHomeDrive=Z:

mailDomain=eremu.org

with_smbpasswd=0
smbpasswd=/usr/bin/smbpasswd

with_slappasswd=0
slappasswd=/usr/sbin/slappasswd



Should you need further details, please just let me know.
Any help would be appreciated. Thanks a lot.

P.S.: Can it have anything to do with other stuff such as the DNS server?


Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-26 Thread John Drescher

I have had the same problem with a similar setup for at least 3 years.
My solution is to create the account for the windows workstation
either via the smbldap-useradd and the linux useradd commands or a gui
wizard that does this for me. I currently use ldap-account-manager
http://lam.sourceforge.net/ for as well as user management. And then
after the account is created the windows add to domain boxes work.

John


Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-26 Thread mikelOn

Great!!!

I have created a couple of machine accounts through the LAM utility and I
have eventually been able to join the domain.

Thank you very much for your help.


John Drescher-2 wrote:
 
 I have had the same problem with a similar setup for at least 3 years.
 My solution is to create the account for the windows workstation
 either via the smbldap-useradd and the linux useradd commands or a gui
 wizard that does this for me. I currently use ldap-account-manager
 http://lam.sourceforge.net/ for as well as user management. And then
 after the account is created the windows add to domain boxes work.
 
 John


Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-26 Thread Asier Baranguán
On Tuesday, 26 June 2007 10:23, mikelOn wrote:
 add user script = /usr/sbin/smbldap-useradd -m %u

If your users are Windows users you should add an '-a' here, and add the users 
with the '-a' flag. Like this:

add user script = /usr/sbin/smbldap-useradd -m -a %u

 delete user script = /usr/sbin/smbldap-userdel -r %u
 add group script = /usr/sbin/smbldap-groupadd %g

You should add '-a -p' here:

 add group script = /usr/sbin/smbldap-groupadd -m -a %g

 P.S.: Can it have anything to do with other stuff such as the DNS server?

Perhaps yes... I have a Samba server with OpenLDAP acting as a PDC and we use 
dnsmasq as our DNS server. It's small, fast and deals very well with Samba 
and Windows clients. We use it also as DHCP server so all the machines have 
the correct IP, DNS server, WINS Server and so on.

One question... the user mikelvm is a regular UNIX user or one added with 
the smbldap-useradd tool?
-- 
Asier.


Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-26 Thread John Drescher

On 6/26/07, Asier Baranguán [EMAIL PROTECTED] wrote:

On Tuesday, 26 June 2007 10:23, mikelOn wrote:
 add user script = /usr/sbin/smbldap-useradd -m %u

If your users are Windows users you should add an '-a' here, and add the users
with the '-a' flag. Like this:

add user script = /usr/sbin/smbldap-useradd -m -a %u

 delete user script = /usr/sbin/smbldap-userdel -r %u
 add group script = /usr/sbin/smbldap-groupadd %g

You should add '-a -p' here:

 add group script = /usr/sbin/smbldap-groupadd -m -a %g


Thanks for the info. Perhaps I have that wrong too and that is the
reason it fails causing me to have to do this manually on the linux
side before the windows side.

John


Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-26 Thread Edmundo Valle Neto
Just to make it clear that it's not normal that a system really needs to have
accounts created that way. I don't think it is a good idea to call a
workaround used on a system that someone didn't get working properly
(who knows why) a solution, samba works very fine creating
workstation accounts automatically when joining the clients and can even
use accounts other than root through privileges to join the client.


The list has several posts about that and the samba documentation shows
how to do that automatically and manually.


But anyway if the user that asked simply said that it's fine for him that
way, and dropped the thread ...


Regards.

Edmundo Valle Neto



mikelOn wrote:

Great!!!

I have created a couple of machine accounts through the LAM utility and I
have eventually been able to join the domain.

Thank you very much for your help.


John Drescher-2 wrote:
  

I have had the same problem with a similar setup for at least 3 years.
My solution is to create the account for the windows workstation
either via the smbldap-useradd and the linux useradd commands or a gui
wizard that does this for me. I currently use ldap-account-manager
http://lam.sourceforge.net/ for as well as user management. And then
after the account is created the windows add to domain boxes work.

John


Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-26 Thread Edmundo Valle Neto

Asier Baranguán wrote:

On Tuesday, 26 June 2007 10:23, mikelOn wrote:
  

add user script = /usr/sbin/smbldap-useradd -m %u



If your users are Windows users you should add an '-a' here, and add the users 
with the '-a' flag. Like this:


add user script = /usr/sbin/smbldap-useradd -m -a %u
  


Not really, there's nothing wrong with that. If you use the User
Manager windows application, the posix account is created and samba
creates the rest. If you are using the shell, then yes, -a is needed
(but typing it IN THE SHELL not inside smb.conf). You can consult the
samba documentation or idealx documentation about setting those options.


The difference is that with -a you will receive an error, but the user 
will be created anyway.



delete user script = /usr/sbin/smbldap-userdel -r %u
add group script = /usr/sbin/smbldap-groupadd %g



You should add '-a -p' here:

 add group script = /usr/sbin/smbldap-groupadd -m -a %g
  


Same thing. And I don't know what -m means to smbldap-groupadd script.


P.S.: Can it have anything to do with other stuff such as the DNS server?



Perhaps yes... I have a Samba server with OpenLDAP acting as a PDC and we use 
dnsmasq as our DNS server. It's small, fast and deals very well with Samba 
and Windows clients. We use it also as DHCP server so all the machines have 
the correct IP, DNS server, WINS Server and so on.


One question... the user mikelvm is a regular UNIX user or one added with 
the smbldap-useradd tool?
  



Regards.

Edmundo Valle Neto


Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-26 Thread Edmundo Valle Neto

John Drescher wrote:

On 6/26/07, Asier Baranguán [EMAIL PROTECTED] wrote:

On Tuesday, 26 June 2007 10:23, mikelOn wrote:
 add user script = /usr/sbin/smbldap-useradd -m %u

If your users are Windows users you should add an '-a' here, and add
the users with the '-a' flag. Like this:

add user script = /usr/sbin/smbldap-useradd -m -a %u

 delete user script = /usr/sbin/smbldap-userdel -r %u
 add group script = /usr/sbin/smbldap-groupadd %g

You should add '-a -p' here:

 add group script = /usr/sbin/smbldap-groupadd -m -a %g


Thanks for the info. Perhaps I have that wrong too and that is the
reason it fails causing me to have to do this manually on the linux
side before the windows side.

John


If you are talking about your problem creating machine accounts, 
absolutely not. Machine accounts are created using the add machine 
script, not cited above.


Regards.

Edmundo Valle Neto


Re: [Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

2007-06-26 Thread John Drescher

If you are talking about your problem creating machine accounts,
absolutely not. Machine accounts are created using the add machine
script, not cited above.


Thanks. It looks like I did not read that clearly.

John