[Samba] problem with samba and ldap
hi,

I have a problem with samba and ldap. When I add a machine to a domain, samba is not searching in *ou=machine* but in *ou=users*. But if I change *computersdn=ou=machine,${suffix}* in smbldap.conf to *computersdn=ou=users,${suffix}*, it works. Below is my smb.conf:

[global]
        workgroup = TEST
        netbios name = PDC
        server string = Samba Server
        passdb backend = ldapsam:ldap://127.0.0.1
        log file = /var/log/samba/log.%m
        max log size = 500
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        add user script = /opt/IDEALX/sbin/smbldap-useradd -m %u
        delete user script = /opt/IDEALX/sbin/smbldap-userdel %u
        add group script = /opt/IDEALX/sbin/smbldap-groupadd -p %g
        delete group script = /opt/IDEALX/sbin/smbldap-groupdel %g
        add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m %u %g
        delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x %u %g
        set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g %g %u
        add machine script = /opt/IDEALX/sbin/smbldap-useradd -w %u
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        wins proxy = Yes
        wins support = Yes
        ldap admin dn = cn=Manager,dc=test,dc=com,dc=br
        ldap delete dn = Yes
        ldap group suffix = ou=group
        ldap idmap suffix = ou=users
        ldap machine suffix = ou=machine
        ldap passwd sync = yes
        ldap suffix = dc=test,dc=com,dc=br
        ldap ssl = no
        idmap backend = ldap:ldap://127.0.0.1
        idmap uid = 1-2
        idmap gid = 1-2
        admin users = root

Does anybody know what might be happening?

--
Daniel Theodoro
(LPIC-1) Junior Level Linux Professional
(LPIC-2) Advanced Level Linux Professional

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
Re: [Samba] problem with samba and ldap
On Wed, Aug 5, 2009 at 4:28 PM, Theodoro <daniel.theod...@gmail.com> wrote:
> Does anybody know what might be happening?

In /etc/ldap.conf, I bet your nss_base_passwd is ou=users,dc=test,dc=com,dc=br. It should be dc=test,dc=com,dc=br.
Re: [Samba] problem with samba and ldap
hi,

On Wed, Aug 5, 2009 at 4:42 PM, Miguel Medalha <miguelmeda...@sapo.pt> wrote:
> In order to help you, I must know the following:
>
> Are you using nss with ldap?

yes

> What is your samba version?

I tried with 3.0.33 on RHEL5.3 and now with 3.3.7

> Your version of the smbldap scripts is too old. Version 0.9.5 resides here.

I'm using 0.9.5
http://download.gna.org/smbldap-tools/0.9.2-1packages/http://download.gna.org/smbldap-tools/packages/

> The project page can be found here:
> https://gna.org/projects/smbldap-tools/

--
Daniel Theodoro
9399-3364
(LPIC-1) Junior Level Linux Professional
(LPIC-2) Advanced Level Linux Professional
[Samba] Problem using samba with ldap
Hello,

I've just installed samba with ldap on a debian etch. I have a problem when I attempt to create a user with the command

  smbldap-useradd -a -P -c toto DUPONT -u 1001 toto

and to log in with it afterwards. I obtain this error:

[2008/10/29 17:35:26, 0] passdb/pdb_get_set.c:pdb_get_group_sid(164)
  pdb_get_group_sid: Failed to find Unix account for toto
[2008/10/29 17:35:26, 1] auth/auth_util.c:make_server_info_sam(572)
  User toto in passdb, but getpwnam() fails!
[2008/10/29 17:35:26, 0] auth/auth_sam.c:check_sam_security(352)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'

The user is created in the ldap but not in /etc/passwd. Could someone help me?

Thanks
Mick
Re: [Samba] Problem using samba with ldap
do you have nss_ldap installed and working?

Michael JOLY wrote:
> Hello,
>
> I've just installed samba with ldap on a debian etch. I have a problem when I attempt to create a user with the command
>
>   smbldap-useradd -a -P -c toto DUPONT -u 1001 toto
>
> and to log in with it afterwards. I obtain this error:
>
> [2008/10/29 17:35:26, 0] passdb/pdb_get_set.c:pdb_get_group_sid(164)
>   pdb_get_group_sid: Failed to find Unix account for toto
> [2008/10/29 17:35:26, 1] auth/auth_util.c:make_server_info_sam(572)
>   User toto in passdb, but getpwnam() fails!
> [2008/10/29 17:35:26, 0] auth/auth_sam.c:check_sam_security(352)
>   check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
>
> The user is created in the ldap but not in /etc/passwd. Could someone help me?
>
> Thanks
> Mick
Re: [Samba] Problem using samba with ldap
Try adding this user without the -P attribute and check if it has been created. After that, try

  # smbldap-usershow toto

If this command returns the user config, try:

  # smbldap-passwd toto

--
Regards,
--
Iarly Selbir ( Ski0s )

On Wed, Oct 29, 2008 at 4:03 PM, Michael JOLY <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I've just installed samba with ldap on a debian etch. I have a problem when I attempt to create a user with the command
>
>   smbldap-useradd -a -P -c toto DUPONT -u 1001 toto
>
> and to log in with it afterwards. I obtain this error:
>
> [2008/10/29 17:35:26, 0] passdb/pdb_get_set.c:pdb_get_group_sid(164)
>   pdb_get_group_sid: Failed to find Unix account for toto
> [2008/10/29 17:35:26, 1] auth/auth_util.c:make_server_info_sam(572)
>   User toto in passdb, but getpwnam() fails!
> [2008/10/29 17:35:26, 0] auth/auth_sam.c:check_sam_security(352)
>   check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
>
> The user is created in the ldap but not in /etc/passwd. Could someone help me?
>
> Thanks
> Mick
Re: [Samba] Problem using samba with ldap
The user is created in the ldap, but when I try to connect to smb, I have the error. nss_ldap isn't installed.

Sincerely yours
Mick

2008/10/29 Adam Williams <[EMAIL PROTECTED]>
> do you have nss_ldap installed and working?
>
> Michael JOLY wrote:
>> [...]
Re: [Samba] Problem using samba with ldap
I have solved my problem by installing nss_ldap. Thanks for your help Adam.

Best regards
Mick

2008/10/29 Michael JOLY <[EMAIL PROTECTED]>
> The user is created in the ldap, but when I try to connect to smb, I have the error. nss_ldap isn't installed.
>
> Sincerely yours
> Mick
>
> 2008/10/29 Adam Williams <[EMAIL PROTECTED]>
>> do you have nss_ldap installed and working?
>>
>> Michael JOLY wrote:
>>> [...]
Re: [Samba] Problem using samba with ldap
you should install nss_ldap, this is needed for integration between ldap and unix accounts. After installing and configuring it you can check it with the getent passwd command.

--
Regards,
--
Iarly Selbir ( Ski0s )

On Wed, Oct 29, 2008 at 4:48 PM, Michael JOLY <[EMAIL PROTECTED]> wrote:
> The user is created in the ldap, but when I try to connect to smb, I have the error. nss_ldap isn't installed.
>
> Sincerely yours
> Mick
>
> 2008/10/29 Adam Williams <[EMAIL PROTECTED]>
>> do you have nss_ldap installed and working?
>>
>> Michael JOLY wrote:
>>> [...]
Re: [Samba] Problem with samba and ldap
Hello and sorry for the late answer,

I tried to change the add machine script line but I don't think this is the solution: smbldap-useradd returns 0 when the computer does not exist in the ldap directory. Even if I change the line, it always returns 9 when the computer account already exists.

getent passwd machine_account$ returns nothing because I don't use nss nor pam for the moment. I'll try later, but last time I tried ldap/samba, nss worked like a charm :)

Joining the domain (for windows clients) didn't work. I tried to search in phpldapadmin for the difference between a computer account and a user account. My computer account does not have any sambaSamAccount, just posixAccount! I think it cannot work like this because windows clients need a sambaSamAccount. I tried to add the sambaSamAccount property to my computer account. PhpLdapAdmin prompted me to put a sambaSID (SID + group number). I tried again to join the domain (with net join and a windows client) and it worked!

Now I am looking for ways to modify the machine adding method in order to put sambaSamAccount automatically. I don't know if this is normal or if it's a bug, but it works :)

Thanks

Regards,
Michaël Todorovic

Quinn Fissler <[EMAIL PROTECTED]> wrote:
> Hello,
>
> I have seen this behaviour myself on more than one occasion and for different reasons. It took some time to diagnose at first but it was an education :-)
>
> The first thing to remember is that samba uses two methods to talk to ldap. As far as I remember, when you first issue the join, the client tries to log in to the domain - this fails so it tries to create an account - this is done by samba using the method configured in smb.conf viz:
>
>   add machine script = /usr/sbin/smbldap-useradd -w %u
>
> which itself uses a perl module to make the connection and which is configured by smbldap_bind.conf and smbldap.conf.
>
> Once the script has been called, samba checks that it worked using the nss_ldap libraries. Here, samba does the equivalent of:
>
>   getent passwd MyMachineName
>
> Try running this - there are so many reasons it could fail - does it work from the command line? As you haven't included this in your description, I presume that it's the bit you overlooked.
>
> It is configured using ldap.conf - I found that these are in /etc and /etc/openldap so I hard linked to make one file.
>
> I am going to work now - let us know if you need more help with that file.
>
> Happy New Year!
>
> Regards,
> Quinn
>
> On 01/01/2008, Michaël Todorovic <[EMAIL PROTECTED]> wrote:
>> [...]
Re: [Samba] Problem with samba and ldap
Hello,

I have seen this behaviour myself on more than one occasion and for different reasons. It took some time to diagnose at first but it was an education :-)

The first thing to remember is that samba uses two methods to talk to ldap. As far as I remember, when you first issue the join, the client tries to log in to the domain - this fails so it tries to create an account - this is done by samba using the method configured in smb.conf viz:

  add machine script = /usr/sbin/smbldap-useradd -w %u

which itself uses a perl module to make the connection and which is configured by smbldap_bind.conf and smbldap.conf.

Once the script has been called, samba checks that it worked using the nss_ldap libraries. Here, samba does the equivalent of:

  getent passwd MyMachineName

Try running this - there are so many reasons it could fail - does it work from the command line? As you haven't included this in your description, I presume that it's the bit you overlooked.

It is configured using ldap.conf - I found that these are in /etc and /etc/openldap so I hard linked to make one file.

I am going to work now - let us know if you need more help with that file.

Happy New Year!

Regards,
Quinn

On 01/01/2008, Michaël Todorovic <[EMAIL PROTECTED]> wrote:
> [...]
[Samba] Problem with samba and ldap
Hello and happy new year :)

I have to set up a samba server as a PDC with an openldap backend. My openldap server is fully functional and it is not secured yet (so no problems with tls). I must use debian etch or lenny. My server's IP is 192.168.9.10/24.

I have set up a dns server (bind9) for my domain named mik. It's a local domain for testing only. Here is a piece of the bind configuration file:

pdc                     A       192.168.9.10
_ldap._tcp.dc._msdcs    IN      CNAME   pdc

This permits windows clients to find the pdc.

When I try to join the domain under linux, it fails. I try with net join mik -U root on the pdc (no other pc than the pdc to test) and it returns:

Creation of workstation account failed
Unable to join domain MIK.

Here are the logs:

/var/log/samba/log.pdc :
[2008/01/01 11:44:47, 2] lib/smbldap.c:smbldap_open_connection(786)
  smbldap_open_connection: connection opened
[2008/01/01 11:44:47, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
  init_sam_from_ldap: Entry found for user: root
[2008/01/01 11:44:47, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
[2008/01/01 11:44:49, 0] passdb/pdb_interface.c:pdb_default_create_user(329)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w pdc$' gave 9

smbldap-useradd returns 9 when the user already exists in the directory, but it does not change anything if I delete it. It then returns 0 (no problems) but joining the domain fails again. root authentication is ok: the log is produced with the correct password; I tried with a wrong password and it told me that the password is bad, so the authentication is ok.

/var/log/samba/log.192.168.9.10 :
[2008/01/01 11:44:46, 2] lib/smbldap.c:smbldap_open_connection(786)
  smbldap_open_connection: connection opened
[2008/01/01 11:44:46, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
  get_md4pw: Workstation PDC$: no account in domain
[2008/01/01 11:44:46, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
  _net_auth2: failed to get machine password for account PDC$: NT_STATUS_ACCESS_DENIED

I don't know why it tries to find a password for a workstation. It does not make sense to me. It seems to be a known problem but still no answers.

You can find my configuration files attached ;) Here are the versions of samba, openldap and smbldap-tools used:

samba:
  Installé : 3.0.28-1~lenny1
  Candidat : 3.0.28-1~lenny1
  Table de version :
 *** 3.0.28-1~lenny1 0
        500 http://security.debian.org lenny/updates/main Packages
        100 /var/lib/dpkg/status
     3.0.27a-1 0
        500 http://ftp.fr.debian.org lenny/main Packages
slapd:
  Installé : 2.3.38-1+lenny1
  Candidat : 2.3.38-1+lenny1
  Table de version :
 *** 2.3.38-1+lenny1 0
        500 http://security.debian.org lenny/updates/main Packages
        100 /var/lib/dpkg/status
     2.3.38-1 0
        500 http://ftp.fr.debian.org lenny/main Packages
smbldap-tools:
  Installé : 0.9.4-1
  Candidat : 0.9.4-1
  Table de version :
 *** 0.9.4-1 0
        500 http://ftp.fr.debian.org lenny/main Packages
        100 /var/lib/dpkg/status

Maybe one clue: the slapd log tells me that some keys are not indexed. I don't think that it hurts (this is just for performance?)

Do you have some tip to make the pdc functional? If you need more information, please do not hesitate to ask.

Best regards,
Michaël Todorovic

# Global parameters
[global]
        workgroup = mik
        netbios name = PDC
        security = user
        enable privileges = yes
        server string = Samba Server %v
        encrypt passwords = Yes
        min passwd length = 3
        unix password sync = yes
        ldap passwd sync = yes
        passwd program = /usr/sbin/smbldap-passwd -u %u
        passwd chat = Changing *\nNew password* %n\n *Retype new password* %n\n
        log level = 2
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 10
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        mangling method = hash2
        Dos charset = 850
        Unix charset = ISO8859-1
        logon script = logon.bat
        logon drive = H:
        logon home =
        logon path =
        domain logons = Yes
        domain master = Yes
        os level = 65
        preferred master = Yes
        wins support = yes
        passdb backend = ldapsam:ldap://127.0.0.1/
        ldap admin dn = cn=admin,dc=mik
        ldap suffix = dc=mik
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        add user script = /usr/sbin/smbldap-useradd -m %u
        delete user script = /usr/sbin/smbldap-userdel %u
        add machine script = /usr/sbin/smbldap-useradd -w %u
        add group script = /usr/sbin/smbldap-groupadd -p %g
        add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
        delete user from group script = /usr/sbin/smbldap-groupmod -x %u
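As an added example (not from any post in these threads), a small Python triage script for the Samba 3 log records quoted above: the "in passdb, but getpwnam() fails" record from the Debian etch thread, and the "_samr_create_user ... gave 9" and "no account in domain" records from this join attempt. The sample records are copied from the messages; the exit-status meanings and the suggested checks are the ones the replies themselves give (nss_ldap / nss_base_passwd, getent passwd, smbldap.conf, sambaSamAccount).

```python
"""Triage Samba 3 passdb/LDAP log records for the failure patterns quoted in these threads.
Added example, not part of any list post; it knows only the messages the threads discuss."""
import re
from dataclasses import dataclass
from typing import List

# Samba 3 writes a header line, then the message indented on the following line(s):
#   [2008/10/29 17:35:26, 1] auth/auth_util.c:make_server_info_sam(572)
#     User toto in passdb, but getpwnam() fails!
HEADER_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+)$")

GETPWNAM_RE = re.compile(r"User (\S+) in passdb, but getpwnam\(\) fails!")
ADDSCRIPT_RE = re.compile(r"Running the command `([^']*)' gave (\d+)")
NOACCOUNT_RE = re.compile(r"Workstation (\S+\$): no account in domain")

# smbldap-useradd exit statuses as reported in the thread (only these two are mapped).
SMBLDAP_USERADD_RC = {0: "account created", 9: "account already exists in the directory"}


@dataclass
class Record:
    timestamp: str
    level: int
    source: str   # file.c:function(line)
    message: str


@dataclass
class Finding:
    account: str
    symptom: str
    check: str


def parse_records(lines: List[str]) -> List[Record]:
    """Pair each header line with the message text on the line(s) after it."""
    records: List[Record] = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            records.append(Record(m.group(1), int(m.group(2)), m.group(3), ""))
        elif records:  # continuation of the current record's message
            records[-1].message = (records[-1].message + " " + line).strip()
    return records


def triage(lines: List[str]) -> List[Finding]:
    """Map the known messages to the misconfiguration each thread traced them to."""
    findings: List[Finding] = []
    for rec in parse_records(lines):
        m = GETPWNAM_RE.search(rec.message)
        if m:
            findings.append(Finding(m.group(1),
                "account is in the Samba passdb (LDAP) but the Unix NSS lookup fails",
                "install/configure nss_ldap and make sure nss_base_passwd covers the OU the "
                "account lives in; 'getent passwd %s' must return it" % m.group(1)))
            continue
        m = ADDSCRIPT_RE.search(rec.message)
        if m:
            cmd, rc = m.group(1), int(m.group(2))
            meaning = SMBLDAP_USERADD_RC.get(rc, "status %d is not one the thread explains" % rc)
            findings.append(Finding(cmd.split()[-1],
                "add machine script `%s' exited %d: %s" % (cmd, rc, meaning),
                "non-zero means Samba could not create the machine account itself; check "
                "smbldap.conf / smbldap_bind.conf and the OU (computersdn) the script writes to"))
            continue
        m = NOACCOUNT_RE.search(rec.message)
        if m:
            findings.append(Finding(m.group(1),
                "netlogon found no machine account for the workstation",
                "the entry needs objectClass sambaSamAccount with a sambaSID; a bare "
                "posixAccount is not a domain machine account"))
    return findings


# Sample records copied from the two threads above (constructed test input for this script).
SAMPLE_LOG_NSS = """
[2008/10/29 17:35:26, 0] passdb/pdb_get_set.c:pdb_get_group_sid(164)
  pdb_get_group_sid: Failed to find Unix account for toto
[2008/10/29 17:35:26, 1] auth/auth_util.c:make_server_info_sam(572)
  User toto in passdb, but getpwnam() fails!
[2008/10/29 17:35:26, 0] auth/auth_sam.c:check_sam_security(352)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
""".splitlines()

SAMPLE_LOG_JOIN = """
[2008/01/01 11:44:49, 0] passdb/pdb_interface.c:pdb_default_create_user(329)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w pdc$' gave 9
[2008/01/01 11:44:46, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
  get_md4pw: Workstation PDC$: no account in domain
""".splitlines()

if __name__ == "__main__":
    for name, sample in (("nss_ldap thread", SAMPLE_LOG_NSS), ("join thread", SAMPLE_LOG_JOIN)):
        print("== " + name)
        for f in triage(sample):
            print("%-6s %s\n       -> %s" % (f.account, f.symptom, f.check))
```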
[Samba] Problem with Samba PDC LDAP backend and groups
I have configured a Samba PDC with an OpenLDAP backend. I recently upgraded Samba from 3.0.10-1.4E.9 to 3.0.23c and have run into a problem with groups. Specifically, the machines I have joined to the domain are not able to retrieve group information. Please note that net rpc user works as expected on both smbd versions.

Version Information:
OpenLDAP 2.3.27
Samba version 3.0.10-1.4E.9
OS: CentOS release 4.4

I join the domain from a FreeBSD box, and then run a net rpc groups; it is able to pull group information and display it. I then switch to the new binaries and restart slapd and smbd. I run a net rpc group and no information is returned. Again, net rpc user works as expected. I also make sure to flush the system and add users so that it is not just retrieving cached information.

Please also note this is a test Samba PDC, and is meant to be a proof of concept / testing machine.

Thanks
Alex

Below is my smb.conf file:

[global]
        workgroup = ESCPDC
        netbios name = ESC-17
        server string = SambaPDC
        printcap name = /etc/printcap
        load printers = yes
        log level = 10
        log file = /var/log/samba/%m.log
        max log size = 50
        security = user
        #include = /etc/samba/smb.conf.%m
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        local master = yes
        os level = 65
        domain master = yes
        preferred master = yes
        domain logons = yes
        logon script = %U.bat
        logon path = \\%L\profiles\%U
        logon drive = Z:
        #hlogon path =
        name resolve order = wins lmhosts host bcast
        wins support = yes
        dns proxy = no
        passdb backend = ldapsam:ldap://localhost
        ldap suffix = dc=escldap,dc=com
        ldap suffix = dc=escldap,dc=com
        ldap admin dn = cn=root,dc=escldap,dc=com
        ldap user suffix = ou=People
        ldap group suffix = ou=Groups
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=People
        ldap passwd sync = yes
        admin users = root Administrator
        null passwords = yes
        add user script = /usr/local/sbin/smbldap-useradd.pl -m %u
        add machine script = /usr/local/sbin/smbldap-useradd -w %u
        idmap uid = 10-20
        idmap gid = 10-20
        template shell = /bin/false
        winbind use default domain = no
        time server = yes

[homes]
        comment = Home Directories
        browseable = no
        writable = yes

[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes
Re: [Samba] Problem with Samba PDC LDAP backend and groups
On Thu, Oct 12, 2006 at 01:04:51PM -0700, Alex Long wrote:
> I join the domain from a FreeBSD box, and then run a net rpc groups, it is able to pull group information, and display. I then switch to the new binaries. Restart slapd and smbd. I run a net rpc group and no information is returned. Again net rpc user works as expected. I also make sure to flush the system and add users so that it is not just retrieving cached information.

Do you have group mappings for all the groups?

Volker
Re: [Samba] Problem w/ Samba 3 LDAP
On Friday 02 April 2004 12:16 am, Craig White wrote:
> On Thu, 2004-04-01 at 16:40, Ted Wisniewski wrote:
>> Ldapsearch was being a pain, so I just grabbed the info from a slapcat instead, which was simpler.
> ---
> crutches - life with LDAP is infinitely easier when you can get command of the ldap queries from the command line. That sharpens your understanding and skills of using LDAP.
> ---

Well, sometimes the best way is the simple way. Ldapsearch has a lot of arguments to type to get a simple result. Besides, it asks for a password. ;-)

>> So, now that I know what my problem is/was I am able to move forward. The only issue I have now is that I have 9000 users that I want to be able to log onto multiple domains. By having to have the SID match the domain it presents a problem... I only want one password database to maintain... I guess I could get clever with LDAP replication and have multiple LDAPs... This is a less than ideal solution. At this time I have large smbpasswd files that I would like to not use.
>>
>> I guess my ideal solution would look like:
>>
>>              /--- Domain A
>>             /
>>   LDAP ----+
>>             \
>>              \--- Domain B
>>
>> Since we use a web based password changer, I could have a separate LDAP per Domain. I guess, in my ideal world I would have an LDAP with multiple sambaSIDs; each samba server would just pick the one out of the LDAP that was appropriate to that Domain. I realize that the current schema does not allow for this and that samba is not set up to handle it either. Any ideas on how to accomplish something similar without that ability?
>
> ahh - the million dollar question. Don't you want users to be able to change their password using the typical Windows change password tool instead of requiring them to change it via http? What about UserMgr.exe?

No. We are forcing all users to do password changes inside the campus portal. This was a decision made to simplify support and drive people into using the portal. Good or bad, it was the decision made.

> Anyway, if your LDAP skills are strong enough (I suspect not), you can use replication to have each PDC run the master of the primary Domain it is serving up and become a slave on the domains that it is not. Together with winbindd, this should prove to be the most flexible - of course you must set up 'trusts' between the various domains.

LDAP itself is a cake walk. The hard part is finding the best way to support what we have, with all the limitations that come along with what we have. I'll admit this is the first time integrating it with Samba. I want to seamlessly change everything from using smbpasswd files (historical, we used them before there was anything else) to LDAP and to simplify our backend. If it is not seamless, I have unhappy users.

> LDAP is the tiger that you apparently don't want to ride but I have found it to be quite predictable.

Actually I am pushing LDAP, I have been using it in some form for about 4 years. Thanks for the advice, though you could lose the condescending tone.

Ted

--
| Ted Wisniewski                   E-Mail: [EMAIL PROTECTED]          |
| Manager, Systems Group           WEB:    http://oz.plymouth.edu/~ted/ |
| Information Technology Services                                       |
| Plymouth State University        Phone:  (603) 535-2661              |
| Plymouth NH, 03264               Fax:    (603) 535-2263              |
Re: [Samba] Problem w/ Samba 3 LDAP
Thanks for the response, but the odd thing is that both had the same set of parameters in the LDAP. I took your advice and added some other parameters to the LDAP for a non-working entry... Same result.

Example LDIF (Working):

dn: uid=newuser, ou=People, dc=plymouth,dc=edu
sambaPwdLastSet: 1080739453
sambaAcctFlags: [U ]
displayName: New User
sambaPwdMustChange: 2147483647
objectClass: sambaSamAccount
objectClass: account
uid: newuser
sambaSID: S-1-5-21-204843054-3526713080-3458795326-37000
sambaPwdCanChange: 1080739453
sambaNTPassword: 5A6A0AFE9618570BF8B167BC1B9E4B1D
sambaPrimaryGroupSID: S-1-5-21-204843054-3526713080-3458795326-1063
sambaLMPassword: 54E8D1FD3821A0A8AAD3B435B51404EE

Example LDIF (NOT WORKING):

dn: uid=notworking, ou=People, dc=plymouth,dc=edu
sambaPwdLastSet: 1080739453
sambaAcctFlags: [U ]
displayName: Not Working
sambaPwdMustChange: 2147483647
objectClass: sambaSamAccount
objectClass: account
uid: notworking
sambaSID: S-1-5-21-204843054-3526713080-3458795326-3472
sambapwdCanChange: 1080739453
sambaNTPassword: 8F851644E0A37D3FB3476910A6A93303
sambaPrimaryGroupSID: S-1-5-21-204843054-3526713080-3458795326-1399
sambaLMPassword: F12E9CF522B3C3FBAAD3B435B51404EE

Any ideas? I can map to the home share without difficulty... It is only a problem when doing a domain logon. If I delete the LDAP entry and do the (smbpasswd -a) from the command line, the entries look identical. The only difference is one works and the other does not. Is there another place where info is recorded? In the LDAP? In a TDB file?

Ted

> On Wed, 2004-03-31 at 12:47, Ted Wisniewski wrote:
>> Here is a description of what I am trying to do (with Samba 3.0.2a, openldap 2.1.27):
>>
>> I have all my users populated into the LDAP with all the applicable attributes; users can map drives to a server using LDAP as the authentication backend without issue. Where I am running into problems is bringing up a PDC using Samba w/LDAP.
>>
>> * I added the appropriate machine accounts (using smbpasswd -a -m) and was able to join the domain.
>> * Any user in the pre-populated LDAP cannot log in, however, any user I add to the LDAP from the machine with Samba running on it CAN log in properly. If I delete the original entry from the LDAP, add a new one via (smbpasswd -a), then the user can log in. This works, but is ultimately not scalable... I can then place the original LDAP entry back in place and they can log in... Just as long as the password for the account is not changed.
>>
>> I am sure there is something I am missing, but I cannot see it for the life of me. The odd thing is that in the log.smbd I get odd errors about reading a socket, but only for the users that have not been added by the local smbpasswd command. They are both in the same LDAP.
>>
>> Any help would be greatly appreciated.
>>
>> Ted
>>
>> -- SNIP -- Global section of smb.conf --
>
> it appears that the 'non-functional' user doesn't have the domain attribute set (or at least set properly).
>
>   ldapsearch -x -h whateverhost -D 'rootbinddn' -W '(uid=non-functional)'
>
> and then
>
>   ldapsearch -x -h whateverhost -D 'rootbinddn' -W '(uid=functional)'
>
> and the functional users will have attributes such as sambaDomainName properly set that the non-functional's do not.
>
> Craig

--
| Ted Wisniewski                   E-Mail: [EMAIL PROTECTED]          |
| Manager, Systems Group           WEB:    http://oz.plymouth.edu/~ted/ |
| Information Technology Services                                       |
| Plymouth State University        Phone:  (603) 535-2661              |
| Plymouth NH, 03264               Fax:    (603) 535-2263              |
Re: [Samba] Problem w/ Samba 3 LDAP
On Thu, 2004-04-01 at 07:30, Ted Wisniewski wrote:
> Sorry, I found a clue. In these below, I made the SID the same and it worked. In my case, I will have multiple domains all pulling from the same LDAP. How can I make this work without having to have the SIDs for each domain be the same? (Which I am pretty sure would be a bad idea, right?)
>
> Ted
>
> On Thursday 01 April 2004 09:19 am, Ted Wisniewski wrote:
> > Thanks for the response, but the odd thing is that both had the same set of parameters in the LDAP. I took your advice and added some other parameters to the LDAP for a non-working entry... Same result.
> >
> > Example LDIF (Working):
> >
> > dn: uid=newuser, ou=People, dc=plymouth,dc=edu
> > sambaPwdLastSet: 1080739453
> > sambaAcctFlags: [U ]
> > displayName: New User
> > sambaPwdMustChange: 2147483647
> > objectClass: sambaSamAccount
> > objectClass: account
> > uid: newuser
> > sambaSID: S-1-5-21-204843054-3526713080-3458795326-37000
> > sambaPwdCanChange: 1080739453
> > sambaNTPassword: 5A6A0AFE9618570BF8B167BC1B9E4B1D
> > sambaPrimaryGroupSID: S-1-5-21-204843054-3526713080-3458795326-1063
> > sambaLMPassword: 54E8D1FD3821A0A8AAD3B435B51404EE
> >
> > Example LDIF (NOT WORKING):
> >
> > dn: uid=notworking, ou=People, dc=plymouth,dc=edu
> > sambaPwdLastSet: 1080739453
> > sambaAcctFlags: [U ]
> > displayName: Not Working
> > sambaPwdMustChange: 2147483647
> > objectClass: sambaSamAccount
> > objectClass: account
> > uid: notworking
> > sambaSID: S-1-5-21-204843054-3526713080-3458795326-3472
> > sambapwdCanChange: 1080739453
> > sambaNTPassword: 8F851644E0A37D3FB3476910A6A93303
> > sambaPrimaryGroupSID: S-1-5-21-204843054-3526713080-3458795326-1399
> > sambaLMPassword: F12E9CF522B3C3FBAAD3B435B51404EE
> >
> > Any ideas? I can map to the home share without difficulty... It is only a problem when doing a domain logon. If I delete the LDAP entry and do the (smbpasswd -a) from the command line, the entries look identical. The only difference is one works and the other does not. Is there another place where info is recorded? In the LDAP? In a TDB file?

It appeared that you edited the info to the point of making it difficult to trust what is actually being reported from the ldapsearch command.

It seems as though your smbuser in one case matches up to a unix user and in the other case (where it doesn't work) doesn't match up, but if it works when you delete and then create the samba user, then both parts are certainly done.

I have both posix and sambaSamAccount objectclass for all my users... a typical user looks like:

# testuser, People, Domain US
dn: uid=testuser, ou=People,o=Domain,c=US
sambaPwdCanChange: 1075657455
sambaPwdMustChange: 2147483647
sambaPwdLastSet: 1075657455
shadowLastChange: 12449
sambaProfilePath: \\linserv1\profiles\testuser
sambaLogonScript: users-pr.bat
cn: testuser
uidNumber: 1054
sambaAcctFlags: [U ]
gecos: testuser
mail: [EMAIL PROTECTED]
sambaLMPassword: **removed**
uid: testuser
sambaHomePath: \\linserv2\homes\testuser
homeDirectory: /home/users/testuser
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgperson
objectClass: sambaSamAccount
sambaDomainName: DOMAIN
gidNumber: 1000
sambaSID: S-1-5-21-1292501092-333717336-619646970-3108
sambaNTPassword: **removed**
sn: User
givenName: Test
loginShell: /bin/sh
userPassword:: **removed**
sambaPrimaryGroupSID: S-1-5-21-1292501092-333717336-619646970-513

NOTE:
sambaPrimaryGroupSID: ends in -513 (Domain Users)
posix attributes not necessary with samba: loginShell, givenName, sn, cn, gecos, homeDirectory, and objectclasses posixAccount-inetOrgPerson-shadowAccount

LDAP for samba should have 1 and only 1 domain (windows variety) and 1 SID (obtainable with net getlocalSID command).

Craig
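As an added example (not code from Samba or from anyone in this thread), here is a small Python audit of the check Craig describes here and in his first reply: every sambaSamAccount's sambaSID and sambaPrimaryGroupSID must sit under the single domain SID the PDC reports (net getlocalsid, or the "Returning domain sid" line in Ted's log.smbd), and sambaDomainName should be present; entries created under a different SID are the ones that fail domain logon. The domain SID value, the attribute names checked and the LDIF input are assumptions and constructed sample data.

```python
# Added example (not Samba's or the thread's own code): audit sambaSamAccount LDIF
# entries for the SID/domain mismatch discussed above.  The domain SID is assumed
# to be what `net getlocalsid` reports; the LDIF below is constructed sample data.
import base64, re
DOMAIN_SID = "S-1-5-21-204843054-3526713080-3458795326"  # as logged for TEST_DOM
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-\d+$")

# Constructed sample: one entry under the PDC's SID (with a folded line and a '::'
# base64 value), one created under another domain SID and lacking sambaDomainName.
SAMPLE_LDIF = """\
dn: uid=newuser,ou=People,dc=plymouth,dc=edu
objectClass: sambaSamAccount
uid: newuser
displayName:: TmV3IFVzZXI=
sambaDomainName: TEST_DOM
sambaSID: S-1-5-21-204843054-3526713080-3458795326-37000
sambaPrimaryGroupSID: S-1-5-21-204843054-3526713080-345879
 5326-513

dn: uid=notworking,ou=People,dc=plymouth,dc=edu
objectClass: sambaSamAccount
uid: notworking
sambaSID: S-1-5-21-111111111-222222222-333333333-3472
sambaPrimaryGroupSID: S-1-5-21-111111111-222222222-333333333-1399
"""

def parse_ldif(text):
    """Per entry, lower-cased attribute -> value list; unfolds ' ' lines, decodes '::'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # folded continuation line (RFC 2849)
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode()
        current.setdefault(attr.lower(), []).append(value.strip())  # LDAP names are case-insensitive
    return entries

def sid_domain(sid):
    return m.group(1) if (m := SID_RE.match(sid)) else None  # domain part of S-1-5-21-x-y-z-rid

def check_entry(entry, domain_sid=DOMAIN_SID):
    """Problems that stop this sambaSamAccount from logging on to the domain."""
    problems = []
    for attr in ("sambasid", "sambaprimarygroupsid"):
        sid = entry.get(attr, [""])[0]
        if sid_domain(sid) != domain_sid:
            problems.append(f"{attr} {sid!r} is not under domain SID {domain_sid}")
    if "sambadomainname" not in entry:
        problems.append("missing sambaDomainName")
    return problems

def audit(ldif_text, domain_sid=DOMAIN_SID):
    """uid -> problems per entry (empty list means it should log on)."""
    return {e["uid"][0]: check_entry(e, domain_sid) for e in parse_ldif(ldif_text)}
```

Feed it the output of slapcat or an ldapsearch over the People OU with the SID from your own PDC, and the entries it flags are the accounts that need their SIDs regenerated under that domain.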
Re: [Samba] Problem w/ Samba 3 LDAP
> Example LDIF (NOT WORKING):
>
> dn: uid=notworking, ou=People, dc=plymouth,dc=edu
> sambaPwdLastSet: 1080739453
> sambaAcctFlags: [U ]
> displayName: Not Working
> sambaPwdMustChange: 2147483647
> objectClass: sambaSamAccount
> objectClass: account
> uid: notworking
> sambaSID: S-1-5-21-204843054-3526713080-3458795326-3472
> sambapwdCanChange: 1080739453
> sambaNTPassword: 8F851644E0A37D3FB3476910A6A93303
> sambaPrimaryGroupSID: S-1-5-21-204843054-3526713080-3458795326-1399
> sambaLMPassword: F12E9CF522B3C3FBAAD3B435B51404EE

Ldapsearch was being a pain, so I just grabbed the info from a slapcat instead, which was simpler. Anyway, I did paste the SID into the non-working entry from the first (working) entry. I was then able to log on as the non-working user.

> It appeared that you edited the info to the point of making it difficult to trust what is actually being reported from the ldapsearch command.
>
> It seems as though your smbuser in one case matches up to a unix user and in the other case (where it doesn't work) doesn't match up, but if it works when you delete and then create the samba user, then both parts are certainly done.
>
> I have both posix and sambaSamAccount objectclass for all my users... a typical user looks like:

What I have is very similar. Many of the attributes are not required.

> NOTE:
> sambaPrimaryGroupSID: ends in -513 (Domain Users)
> posix attributes not necessary with samba: loginShell, givenName, sn, cn, gecos, homeDirectory, and objectclasses posixAccount-inetOrgPerson-shadowAccount
>
> LDAP for samba should have 1 and only 1 domain (windows variety) and 1 SID (obtainable with net getlocalSID command).

So, now that I know what my problem is/was, I am able to move forward. The only issue I have now is that I have 9000 users that I want to be able to log onto multiple domains. By having to have the SID match the domain, it presents a problem...

I only want one password database to maintain... I guess I could get clever with LDAP replication and have multiple LDAPs... This is a less than ideal solution. At this time I have large smbpasswd files that I would like to not use.

I guess my ideal solution would look like:

          /--- Domain A
         /
LDAP ---+
         \
          \--- Domain B

Since we use a web based password changer, I could have a separate LDAP per Domain. I guess, in my ideal world, I would have an LDAP with multiple sambaSIDs; each samba server would just pick the one out of the LDAP that was appropriate to that Domain. I realize that the current schema does not allow for this and that samba is not set up to handle it either. Any ideas on how to accomplish something similar without that ability?

Ted

--
| Ted Wisniewski                  E-Mail: [EMAIL PROTECTED]
| Manager, Systems Group          WEB:    http://oz.plymouth.edu/~ted/
| Information Technology Services
| Plymouth State University       Phone:  (603) 535-2661
| Plymouth NH, 03264              Fax:    (603) 535-2263
Re: [Samba] Problem w/ Samba 3 LDAP
On Thu, 2004-04-01 at 16:40, Ted Wisniewski wrote:
> Ldapsearch was being a pain, so I just grabbed the info from a slapcat instead, which was simpler.

---
crutches - life with LDAP is infinitely easier when you can get command of the ldap queries from the command line. That sharpens your understanding and skills of using LDAP.
---

> So, now that I know what my problem is/was, I am able to move forward. The only issue I have now is that I have 9000 users that I want to be able to log onto multiple domains. By having to have the SID match the domain, it presents a problem...
>
> I only want one password database to maintain... I guess I could get clever with LDAP replication and have multiple LDAPs... This is a less than ideal solution. At this time I have large smbpasswd files that I would like to not use.
>
> I guess my ideal solution would look like:
>
>           /--- Domain A
>          /
> LDAP ---+
>          \
>           \--- Domain B
>
> Since we use a web based password changer, I could have a separate LDAP per Domain. I guess, in my ideal world, I would have an LDAP with multiple sambaSIDs; each samba server would just pick the one out of the LDAP that was appropriate to that Domain. I realize that the current schema does not allow for this and that samba is not set up to handle it either. Any ideas on how to accomplish something similar without that ability?

ahh - the million dollar question.

Don't you want users to be able to change their password using the typical Windows change password tool instead of requiring them to change it via http? What about UserMgr.exe?

Anyway, if your LDAP skills are strong enough (I suspect not), you can use replication to have each PDC run the master of the primary Domain it is serving up and become a slave on the domains that it is not. Together with winbindd, this should prove to be the most flexible - of course you must set up 'trusts' between the various domains.

LDAP is the tiger that you apparently don't want to ride but I have found it to be quite predictable.

Craig
[Samba] Problem w/ Samba 3 LDAP
Here is a description of what I am trying to do (with Samba 3.0.2a, OpenLDAP 2.1.27):

I have all my users populated into the LDAP with all the applicable attributes; users can map drives to a server using LDAP as the authentication backend without issue. Where I am running into problems is bringing up a PDC using Samba w/LDAP.

* I added the appropriate machine accounts (using smbpasswd -a -m) and was able to join the domain.
* Any user in the pre-populated LDAP cannot log in; however, any user I add to the LDAP from the machine with Samba running on it CAN log in properly.

If I delete the original entry from the LDAP, add a new one via (smbpasswd -a), then the user can log in. This works, but is ultimately not scalable... I can then place the original LDAP entry back in place and they can log in... Just as long as the password for the account is not changed.

I am sure there is something I am missing, but I cannot see it for the life of me. The odd thing is that in the log.smbd I get odd errors about reading a socket, but only for the users that have not been added by the local smbpasswd command. They are both in the same LDAP.

Any help would be greatly appreciated.

Ted

Excerpt from log.smbd (non-functional user):
---
[2004/03/31 10:24:11, 0] rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
  process_request_pdu: failed to do schannel processing.
[2004/03/31 10:24:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
  init_sam_from_ldap: Entry found for user: pubtest$
[2004/03/31 10:24:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
  init_sam_from_ldap: Entry found for user: testuser
[2004/03/31 10:24:11, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [testuser] -> [testuser] -> [testuser] succeeded
[2004/03/31 10:24:12, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
  init_sam_from_ldap: Entry found for user: testuser
[2004/03/31 10:24:24, 2] lib/smbldap.c:smbldap_search_domain_info(1331)
  Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=TEST_DOM))]
[2004/03/31 10:24:24, 2] lib/smbldap.c:smbldap_open_connection(626)
  smbldap_open_connection: connection opened
[2004/03/31 10:24:24, 0] lib/util_sock.c:read_socket_data(342)
  read_socket_data: recv failure for 4. Error = Connection reset by peer
[2004/03/31 10:24:24, 2] smbd/server.c:exit_server(558)

Excerpt from log.smbd (functional user):
---
[2004/03/31 10:26:04, 0] rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
  process_request_pdu: failed to do schannel processing.
[2004/03/31 10:26:04, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
  init_sam_from_ldap: Entry found for user: pubtest$
[2004/03/31 10:26:04, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
  init_sam_from_ldap: Entry found for user: newuser
[2004/03/31 10:26:04, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [newuser] -> [newuser] -> [newuser] succeeded
[2004/03/31 10:26:05, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
  init_sam_from_ldap: Entry found for user: newuser
[2004/03/31 10:26:05, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [newuser] -> [newuser] -> [newuser] succeeded
[2004/03/31 10:26:05, 1] smbd/service.c:make_connection_snum(705)
  pubtest (158.136.115.89) connect to service profiles initially as user newuser (uid=18000, gid=31) (pid 85352)
[2004/03/31 10:26:05, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2461)
  Returning domain sid for domain TEST_DOM -> S-1-5-21-204843054-3526713080-3458795326
[2004/03/31 10:26:05, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
  init_sam_from_ldap: Entry found for user: newuser

--- Global section of smb.conf ---
[global]
   print command = lpr -r -P%p %s
   printer name = lp
   printcap name = /etc/printcap
   guest account = nobody
   dont descend = /dev,/proc
   lock directory = /usr/local/server/samba/var/locks
   load printers = yes
   server string = EMERALD - Samba Server %v
   socket options = TCP_NODELAY
   os level = 65
   max disk size = 2000
   printer admin = @winprint
   netbios name = EMERALD
   workgroup = TEST_DOM
   preferred master = yes
   domain master = yes
   local master = yes
   max log size = 35000
   wins support = yes
   domain logons = yes
   logon script = logon.bat
   security = user
   encrypt passwords = yes
   debug level = 2
   logon drive = m:
   logon home = \\emerald\%u
   logon path = \\emerald\profiles\%U
   ldap admin dn = cn=Manager,dc=plymouth,dc=edu
   passdb backend = ldapsam:ldap://localhost:389
   ldap delete dn =
Re: [Samba] Problem w/ Samba 3 LDAP
On Wed, 2004-03-31 at 12:47, Ted Wisniewski wrote:
> Here is a description of what I am trying to do (with Samba 3.0.2a, OpenLDAP 2.1.27):
>
> I have all my users populated into the LDAP with all the applicable attributes; users can map drives to a server using LDAP as the authentication backend without issue. Where I am running into problems is bringing up a PDC using Samba w/LDAP.
>
> * I added the appropriate machine accounts (using smbpasswd -a -m) and was able to join the domain.
> * Any user in the pre-populated LDAP cannot log in; however, any user I add to the LDAP from the machine with Samba running on it CAN log in properly.
>
> If I delete the original entry from the LDAP, add a new one via (smbpasswd -a), then the user can log in. This works, but is ultimately not scalable... I can then place the original LDAP entry back in place and they can log in... Just as long as the password for the account is not changed.
>
> I am sure there is something I am missing, but I cannot see it for the life of me. The odd thing is that in the log.smbd I get odd errors about reading a socket, but only for the users that have not been added by the local smbpasswd command. They are both in the same LDAP.
>
> Any help would be greatly appreciated.
>
> Ted
>
> Excerpt from log.smbd (non-functional user):
> ---
> [2004/03/31 10:24:11, 0] rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
>   process_request_pdu: failed to do schannel processing.
> [2004/03/31 10:24:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
>   init_sam_from_ldap: Entry found for user: pubtest$
> [2004/03/31 10:24:11, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
>   init_sam_from_ldap: Entry found for user: testuser
> [2004/03/31 10:24:11, 2] auth/auth.c:check_ntlm_password(305)
>   check_ntlm_password: authentication for user [testuser] -> [testuser] -> [testuser] succeeded
> [2004/03/31 10:24:12, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
>   init_sam_from_ldap: Entry found for user: testuser
> [2004/03/31 10:24:24, 2] lib/smbldap.c:smbldap_search_domain_info(1331)
>   Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=TEST_DOM))]
> [2004/03/31 10:24:24, 2] lib/smbldap.c:smbldap_open_connection(626)
>   smbldap_open_connection: connection opened
> [2004/03/31 10:24:24, 0] lib/util_sock.c:read_socket_data(342)
>   read_socket_data: recv failure for 4. Error = Connection reset by peer
> [2004/03/31 10:24:24, 2] smbd/server.c:exit_server(558)
>
> Excerpt from log.smbd (functional user):
> ---
> [2004/03/31 10:26:04, 0] rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
>   process_request_pdu: failed to do schannel processing.
> [2004/03/31 10:26:04, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
>   init_sam_from_ldap: Entry found for user: pubtest$
> [2004/03/31 10:26:04, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
>   init_sam_from_ldap: Entry found for user: newuser
> [2004/03/31 10:26:04, 2] auth/auth.c:check_ntlm_password(305)
>   check_ntlm_password: authentication for user [newuser] -> [newuser] -> [newuser] succeeded
> [2004/03/31 10:26:05, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
>   init_sam_from_ldap: Entry found for user: newuser
> [2004/03/31 10:26:05, 2] auth/auth.c:check_ntlm_password(305)
>   check_ntlm_password: authentication for user [newuser] -> [newuser] -> [newuser] succeeded
> [2004/03/31 10:26:05, 1] smbd/service.c:make_connection_snum(705)
>   pubtest (158.136.115.89) connect to service profiles initially as user newuser (uid=18000, gid=31) (pid 85352)
> [2004/03/31 10:26:05, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2461)
>   Returning domain sid for domain TEST_DOM -> S-1-5-21-204843054-3526713080-3458795326
> [2004/03/31 10:26:05, 2] passdb/pdb_ldap.c:init_sam_from_ldap(462)
>   init_sam_from_ldap: Entry found for user: newuser
>
> --- Global section of smb.conf ---

it appears that the 'non-functional' user doesn't have the domain attribute set (or at least set properly).

ldapsearch -x -h whateverhost -D 'rootbinddn' -W '(uid=non-functional)'

and then

ldapsearch -x -h whateverhost -D 'rootbinddn' -W '(uid=functional)'

and the functional users will have attributes such as sambaDomainName properly set that the non-functional's do not.

Craig