Re: [Samba] Domain authentification problem with LDAP

2006-03-20 Thread Craig White
On Mon, 2006-03-20 at 12:55 -0500, Daniel Tousignant wrote:
 Craig White [EMAIL PROTECTED] a écrit:
 On Fri, 2006-03-17 at 16:14 -0500, Daniel Tousignant wrote:
  Craig White [EMAIL PROTECTED] a écrit:
  On Fri, 2006-03-17 at 15:08 -0500, Daniel Tousignant wrote:
   The objectclass sambaSAMAccount and subsequent fields have been
   created. We are using the standard perl script tools that are
 installed
   with
   the mandriva 2006 distro (samba 3.0.13 and openldap 2.3.6).
   What I really do not understand is that if I put a user in the
 standard
   ldap
   group Domain Admins (gid=512), the user is able to logon to the
  domain,
   but not 
   when it is in the Domain Users group (gid=513). What is the big
   difference for Samba
   between the two? Can it be an ACL problem?
  
  not very likely to be an ACL problem.
  
  net groupmap list|grep Domain
  
  Domain Users (S-1-5-21-3194588850-3670737847-3710085093-513) - Domain
  Users
  Domain Guests (S-1-5-21-3194588850-3670737847-3710085093-514) - Domain
  Guests
  Domain Admins (S-1-5-21-3194588850-3670737847-3710085093-512) - Domain
  Admins
  Domain Machines (S-1-5-21-3194588850-3670737847-3710085093-515) -
 Domain
  Machines
  
  
  net getlocalsid
  
  [2006/03/17 16:09:20, 0] utils/net.c:net_getlocalsid(494)
Can't fetch domain SID for name: HIPPOLYTE
 
 this is a MAJOR problem...it should look like
 
 dn: sambaDomainName=EXAMPLE,dc=example,dc=net
 sambaAlgorithmicRidBase: 1000
 structuralObjectClass: sambaDomain
 objectClass: sambaDomain
 objectClass: sambaUnixIdPool
 sambaSID: S-1-5-21-89274850-471284788-6498272
 sambaDomainName: EXAMPLE
 gidNumber: 1021
 uidNumber: 1095
 
 and should have been created either by hand or by idealx 'populate'
 script if you followed someone's directions somewhere.
 
 Craig
 
 Here is what I have now :
 
 [EMAIL PROTECTED] openldap]# net groupmap list | grep Domain
 Domain Users (S-1-5-21-3194588850-3670737847-3710085093-513) - Domain
 Users
 Domain Guests (S-1-5-21-3194588850-3670737847-3710085093-514) - Domain
 Guests
 Domain Admins (S-1-5-21-3194588850-3670737847-3710085093-512) - Domain
 Admins
 Domain Machines (S-1-5-21-3194588850-3670737847-3710085093-515) - Domain
 Machines
 [EMAIL PROTECTED] openldap]# net getlocalsid
 SID for domain HIPPOLYTE is: S-1-5-21-3194588850-3670737847-3710085093
 
  ... but I still cannot join an xp workstation to the domain, and a domain
 user on
 windows 98 cannot logon to the domain, although a domain admin can.
 By the way, HIPPOLYTE is the name of the server; the domain name is INTAIR.
 Why is the command net getlocalsid returning SID for domain HIPPOLYTE

can you edit it with some type of GUI editor like phpldapadmin or gq?

can you fetch it with ldapsearch, modify it with ldapmodify?

can you delete it and then fix it by running smbldap-populate again?
(assuming that you have smbldap-tools configuration file fixed)

Craig

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Domain authentification problem with LDAP

2006-03-20 Thread Daniel Tousignant
Craig White [EMAIL PROTECTED] a écrit:
On Mon, 2006-03-20 at 12:55 -0500, Daniel Tousignant wrote:
 Craig White [EMAIL PROTECTED] a écrit:
 On Fri, 2006-03-17 at 16:14 -0500, Daniel Tousignant wrote:
  Craig White [EMAIL PROTECTED] a écrit:
  On Fri, 2006-03-17 at 15:08 -0500, Daniel Tousignant wrote:
   The objectclass sambaSAMAccount and subsequent fields have been
   created. We are using the standard perl script tools that are
 installed
   with
   the mandriva 2006 distro (samba 3.0.13 and openldap 2.3.6).
   What I really do not understand is that if I put a user in the
 standard
   ldap
   group Domain Admins (gid=512), the user is able to logon to the
  domain,
   but not 
   when it is in the Domain Users group (gid=513). What is the big
   difference for Samba
   between the two? Can it be an ACL problem?
  
  not very likely to be an ACL problem.
  
  net groupmap list|grep Domain
  
  Domain Users (S-1-5-21-3194588850-3670737847-3710085093-513) -
Domain
  Users
  Domain Guests (S-1-5-21-3194588850-3670737847-3710085093-514) -
Domain
  Guests
  Domain Admins (S-1-5-21-3194588850-3670737847-3710085093-512) -
Domain
  Admins
  Domain Machines (S-1-5-21-3194588850-3670737847-3710085093-515) -
 Domain
  Machines
  
  
  net getlocalsid
  
  [2006/03/17 16:09:20, 0] utils/net.c:net_getlocalsid(494)
Can't fetch domain SID for name: HIPPOLYTE
 
 this is a MAJOR problem...it should look like
 
 dn: sambaDomainName=EXAMPLE,dc=example,dc=net
 sambaAlgorithmicRidBase: 1000
 structuralObjectClass: sambaDomain
 objectClass: sambaDomain
 objectClass: sambaUnixIdPool
 sambaSID: S-1-5-21-89274850-471284788-6498272
 sambaDomainName: EXAMPLE
 gidNumber: 1021
 uidNumber: 1095
 
 and should have been created either by hand or by idealx 'populate'
 script if you followed someone's directions somewhere.
 
 Craig
 
 Here is what I have now :
 
 [EMAIL PROTECTED] openldap]# net groupmap list | grep Domain
 Domain Users (S-1-5-21-3194588850-3670737847-3710085093-513) - Domain
 Users
 Domain Guests (S-1-5-21-3194588850-3670737847-3710085093-514) - Domain
 Guests
 Domain Admins (S-1-5-21-3194588850-3670737847-3710085093-512) - Domain
 Admins
 Domain Machines (S-1-5-21-3194588850-3670737847-3710085093-515) -
Domain
 Machines
 [EMAIL PROTECTED] openldap]# net getlocalsid
 SID for domain HIPPOLYTE is: S-1-5-21-3194588850-3670737847-3710085093
 
  ... but I still cannot join an xp workstation to the domain, and a
domain
 user on
 windows 98 cannot logon to the domain, although a domain admin can.
 By the way, HIPPOLYTE is the name of the server; the domain name is
INTAIR.
 Why is the command net getlocalsid returning SID for domain
HIPPOLYTE

can you edit it with some type of GUI editor like phpldapadmin or gq?

yes, we use gq


can you fetch it with ldapsearch, modify it with ldapmodify?

well, I guess not, because this is what I get when I try to execute
the command :

[EMAIL PROTECTED] openldap]# ldapsearch -LLL (dc=intair)
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
additional info: SASL(-13): user not found: no secret in database


can you delete it and then fix it by running smbldap-populate again?
(assuming that you have smbldap-tools configuration file fixed)

The server is a slave ldap server, so we use slapcat on the master, then
slapadd
on the slave to populate it.

 ... do you have an idea why a member of the group Domain Admins is able
to
access the shares, but not a member of the Domain Users group ? What
is the difference for samba between the two?

Daniel Tousignant
Support informatique
Intair Transit
Courriel : [EMAIL PROTECTED]
Telephone : (514) 286-8515 poste 3326



Re: [Samba] Domain authentification problem with LDAP

2006-03-20 Thread Craig White
On Mon, 2006-03-20 at 14:36 -0500, Daniel Tousignant wrote:
 Craig White [EMAIL PROTECTED] a écrit:
 On Mon, 2006-03-20 at 12:55 -0500, Daniel Tousignant wrote:
  Craig White [EMAIL PROTECTED] a écrit:
  On Fri, 2006-03-17 at 16:14 -0500, Daniel Tousignant wrote:
   Craig White [EMAIL PROTECTED] a écrit:
   On Fri, 2006-03-17 at 15:08 -0500, Daniel Tousignant wrote:
The objectclass sambaSAMAccount and subsequent fields have been
created. We are using the standard perl script tools that are
  installed
with
the mandriva 2006 distro (samba 3.0.13 and openldap 2.3.6).
What I really do not understand is that if I put a user in the
  standard
ldap
group Domain Admins (gid=512), the user is able to logon to the
   domain,
but not 
when it is in the Domain Users group (gid=513). What is the big
difference for Samba
between the two? Can it be an ACL problem?
   
   not very likely to be an ACL problem.
   
   net groupmap list|grep Domain
   
   Domain Users (S-1-5-21-3194588850-3670737847-3710085093-513) -
 Domain
   Users
   Domain Guests (S-1-5-21-3194588850-3670737847-3710085093-514) -
 Domain
   Guests
   Domain Admins (S-1-5-21-3194588850-3670737847-3710085093-512) -
 Domain
   Admins
   Domain Machines (S-1-5-21-3194588850-3670737847-3710085093-515) -
  Domain
   Machines
   
   
   net getlocalsid
   
   [2006/03/17 16:09:20, 0] utils/net.c:net_getlocalsid(494)
 Can't fetch domain SID for name: HIPPOLYTE
  
  this is a MAJOR problem...it should look like
  
  dn: sambaDomainName=EXAMPLE,dc=example,dc=net
  sambaAlgorithmicRidBase: 1000
  structuralObjectClass: sambaDomain
  objectClass: sambaDomain
  objectClass: sambaUnixIdPool
  sambaSID: S-1-5-21-89274850-471284788-6498272
  sambaDomainName: EXAMPLE
  gidNumber: 1021
  uidNumber: 1095
  
  and should have been created either by hand or by idealx 'populate'
  script if you followed someone's directions somewhere.
  
  Craig
  
  Here is what I have now :
  
  [EMAIL PROTECTED] openldap]# net groupmap list | grep Domain
  Domain Users (S-1-5-21-3194588850-3670737847-3710085093-513) - Domain
  Users
  Domain Guests (S-1-5-21-3194588850-3670737847-3710085093-514) - Domain
  Guests
  Domain Admins (S-1-5-21-3194588850-3670737847-3710085093-512) - Domain
  Admins
  Domain Machines (S-1-5-21-3194588850-3670737847-3710085093-515) -
 Domain
  Machines
  [EMAIL PROTECTED] openldap]# net getlocalsid
  SID for domain HIPPOLYTE is: S-1-5-21-3194588850-3670737847-3710085093
  
   ... but I still cannot join an xp workstation to the domain, and a
 domain
  user on
  windows 98 cannot logon to the domain, although a domain admin can.
  By the way, HIPPOLYTE is the name of the server; the domain name is
 INTAIR.
  Why is the command net getlocalsid returning SID for domain
 HIPPOLYTE
 
 can you edit it with some type of GUI editor like phpldapadmin or gq?
 
 yes, we use gq
 
 
 can you fetch it with ldapsearch, modify it with ldapmodify?
 
 well, I guess not, because this is what I get when I try to execute
 the command :
 
 [EMAIL PROTECTED] openldap]# ldapsearch -LLL (dc=intair)
 SASL/DIGEST-MD5 authentication started
 Please enter your password:
 ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
 additional info: SASL(-13): user not found: no secret in database
 
 
 can you delete it and then fix it by running smbldap-populate again?
 (assuming that you have smbldap-tools configuration file fixed)
 
 The server is a slave ldap server, so we use slapcat on the master, then
 slapadd
 on the slave to populate it.

you do recognize that this is really a one time proposition and from
that point forward, slurpd replicates changes on the master to the
slave, right?

Therefore, the changes must be made to the master and replicated to the
slave. You should probably verify...

- the objectclass sambaDomain on the master
- the objectclass sambaDomain on the slave
that they are correct and the same, and then finally,
- that replication is working properly from master to slave

 
  ... do you have an idea why a member of the group Domain Admins is able
 to
 access the shares, but not a member of the Domain Users group ? What
 is the difference for samba between the two?

I wouldn't know that but perhaps it's in the permissions of the share or
in the general section itself.

Craig

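The check Craig lists above (the sambaDomain entry on the master, the same entry on the slave, and the two being identical), as an added example that is not part of the original thread. The function names and both LDIF samples are constructed for illustration; in practice the two strings would be the `slapcat` output of each server.

```python
import base64

# Constructed sample: a master dump built around the sambaDomain entry quoted in the thread.
MASTER_LDIF = """\
dn: sambaDomainName=EXAMPLE,dc=example,dc=net
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: EXAMPLE
sambaSID: S-1-5-21-89274850-471284788-6498272
sambaAlgorithmicRidBase: 1000
gidNumber: 1021
uidNumber: 1095

dn: cn=Domain Users,ou=Groups,
 dc=example,dc=net
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 513
sambaSID: S-1-5-21-89274850-471284788-6498272-513
"""

# Constructed sample: a slave whose sambaDomain entry carries a different SID.
SLAVE_LDIF = MASTER_LDIF.replace(
    "sambaSID: S-1-5-21-89274850-471284788-6498272\n",
    "sambaSID: S-1-5-21-1111111111-2222222222-3333333333\n",
)

BUILTIN_PREFIX = "S-1-5-32-"  # BUILTIN SIDs never carry the domain SID
COMPARED = ("sambasid", "sambaalgorithmicridbase", "uidnumber", "gidnumber")


def parse_ldif(text):
    """Parse slapcat-style LDIF into a list of {attr_lowercase: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines and lines[-1]:
            lines[-1] += raw[1:]          # unfold a continuation line
        elif not raw.startswith("#"):     # drop comments
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):         # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def has_class(entry, name):
    return name.lower() in [c.lower() for c in entry.get("objectclass", [])]


def samba_domains(entries):
    """Return {SAMBADOMAINNAME: entry} for every sambaDomain entry."""
    return {e.get("sambadomainname", ["?"])[0].upper(): e
            for e in entries if has_class(e, "sambaDomain")}


def compare_domains(master_entries, slave_entries, domain):
    """List the problems found for `domain`; an empty list means both copies agree."""
    m = samba_domains(master_entries).get(domain.upper())
    s = samba_domains(slave_entries).get(domain.upper())
    problems = []
    if m is None:
        problems.append("master: no sambaDomain entry for %s" % domain)
    if s is None:
        problems.append("slave: no sambaDomain entry for %s" % domain)
    if m is None or s is None:
        return problems
    for attr in COMPARED:
        if m.get(attr) != s.get(attr):
            problems.append("%s differs: master=%s slave=%s"
                            % (attr, m.get(attr), s.get(attr)))
    return problems


def foreign_group_sids(entries, domain_sid):
    """Return (dn, sid) for group mappings whose SID is not <domain_sid>-<RID>."""
    bad = []
    for e in entries:
        if not has_class(e, "sambaGroupMapping"):
            continue
        sid = e.get("sambasid", [""])[0]
        if sid.startswith(BUILTIN_PREFIX):
            continue
        prefix, _, rid = sid.rpartition("-")
        if prefix != domain_sid or not rid.isdigit():
            bad.append((e["dn"][0], sid))
    return bad


if __name__ == "__main__":
    master, slave = parse_ldif(MASTER_LDIF), parse_ldif(SLAVE_LDIF)
    for problem in compare_domains(master, slave, "EXAMPLE"):
        print(problem)
    slave_sid = samba_domains(slave)["EXAMPLE"]["sambasid"][0]
    for dn, sid in foreign_group_sids(slave, slave_sid):
        print("group SID outside the slave's domain SID:", dn, sid)
```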


Re: [Samba] Domain authentification problem with LDAP

2006-03-20 Thread Daniel Tousignant
Craig White [EMAIL PROTECTED] a écrit:
On Fri, 2006-03-17 at 16:14 -0500, Daniel Tousignant wrote:
 Craig White [EMAIL PROTECTED] a écrit:
 On Fri, 2006-03-17 at 15:08 -0500, Daniel Tousignant wrote:
  The objectclass sambaSAMAccount and subsequent fields have been
  created. We are using the standard perl script tools that are
installed
  with
  the mandriva 2006 distro (samba 3.0.13 and openldap 2.3.6).
  What I really do not understand is that if I put a user in the
standard
  ldap
  group Domain Admins (gid=512), the user is able to logon to the
 domain,
  but not 
  when it is in the Domain Users group (gid=513). What is the big
  difference for Samba
  between the two? Can it be an ACL problem?
 
 not very likely to be an ACL problem.
 
 net groupmap list|grep Domain
 
 Domain Users (S-1-5-21-3194588850-3670737847-3710085093-513) - Domain
 Users
 Domain Guests (S-1-5-21-3194588850-3670737847-3710085093-514) - Domain
 Guests
 Domain Admins (S-1-5-21-3194588850-3670737847-3710085093-512) - Domain
 Admins
 Domain Machines (S-1-5-21-3194588850-3670737847-3710085093-515) -
Domain
 Machines
 
 
 net getlocalsid
 
 [2006/03/17 16:09:20, 0] utils/net.c:net_getlocalsid(494)
   Can't fetch domain SID for name: HIPPOLYTE

this is a MAJOR problem...it should look like

dn: sambaDomainName=EXAMPLE,dc=example,dc=net
sambaAlgorithmicRidBase: 1000
structuralObjectClass: sambaDomain
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaSID: S-1-5-21-89274850-471284788-6498272
sambaDomainName: EXAMPLE
gidNumber: 1021
uidNumber: 1095

and should have been created either by hand or by idealx 'populate'
script if you followed someone's directions somewhere.

Craig

Here is what I have now :

[EMAIL PROTECTED] openldap]# net groupmap list | grep Domain
Domain Users (S-1-5-21-3194588850-3670737847-3710085093-513) - Domain
Users
Domain Guests (S-1-5-21-3194588850-3670737847-3710085093-514) - Domain
Guests
Domain Admins (S-1-5-21-3194588850-3670737847-3710085093-512) - Domain
Admins
Domain Machines (S-1-5-21-3194588850-3670737847-3710085093-515) - Domain
Machines
[EMAIL PROTECTED] openldap]# net getlocalsid
SID for domain HIPPOLYTE is: S-1-5-21-3194588850-3670737847-3710085093

 ... but I still cannot join an xp workstation to the domain, and a domain
user on
windows 98 cannot logon to the domain, although a domain admin can.
By the way, HIPPOLYTE is the name of the server; the domain name is INTAIR.
Why is the command net getlocalsid returning SID for domain HIPPOLYTE

Daniel Tousignant
Support informatique
Intair Transit
Courriel : [EMAIL PROTECTED]
Telephone : (514) 286-8515 poste 3326



RE: [Samba] Domain authentification problem with LDAP

2006-03-17 Thread James Taylor
The LDAP users you have created (including the machines) need to have the
objectclass: sambaSAMAccount and the subsequent fields.  What are your user
add scripts and machine add scripts you are using.  Also, I have found that
the IDEALX tools have an error in the smbldap-useradd script which includes
that when you use the add machine switch the sambaSAMAccount information is
not added to the LDAP database.  I do have a copy of this modified file if
you need it.  Otherwise if you can edit the script yourself.

James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Daniel Tousignant
Sent: Friday, March 17, 2006 9:11 AM
To: samba@lists.samba.org
Subject: [Samba] Domain authentification problem with LDAP

We use samba 3.0.13 and openldap 2.3.6
Members of the ldap group Domain Admins are working fine, but
members of the group Domain Users can not login to the domain,
and do not have access to the shares. Also, we are unable to join
a windows xp workstation to the domain.
Can anyone give me a hint where to start looking ... 

Thank you




RE: [Samba] Domain authentification problem with LDAP

2006-03-17 Thread Craig White
James - this is the second time you have made that reference to the
smbldap-useradd script.

There have been a lot and lot of versions of the smbldap-tools and
perhaps the version that you are looking at is missing something like
that but I assure you that most versions aren't.

Craig

On Fri, 2006-03-17 at 10:03 -0800, James Taylor wrote:
 The LDAP users you have created (including the machines) need to have the
 objectclass: sambaSAMAccount and the subsequent fields.  What are your user
 add scripts and machine add scripts you are using.  Also, I have found that
 the IDEALX tools have an error in the smbldap-useradd script which includes
 that when you use the add machine switch the sambaSAMAccount information is
 not added to the LDAP database.  I do have a copy of this modified file if
 you need it.  Otherwise if you can edit the script yourself.
 
 James
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf
 Of Daniel Tousignant
 Sent: Friday, March 17, 2006 9:11 AM
 To: samba@lists.samba.org
 Subject: [Samba] Domain authentification problem with LDAP
 
 We use samba 3.0.13 and openldap 2.3.6
 Members of the ldap group Domain Admins are working fine, but
 members of the group Domain Users can not login to the domain,
 and do not have access to the shares. Also, we are unable to join
 a windows xp workstation to the domain.
 Can anyone give me a hint where to start looking ... 
 
 Thank you
 
 


Re: [Samba] Domain authentification problem with LDAP

2006-03-17 Thread Anthony Messina

James Taylor wrote:

The LDAP users you have created (including the machines) need to have the
objectclass: sambaSAMAccount and the subsequent fields.  What are your user
add scripts and machine add scripts you are using.  Also, I have found that
the IDEALX tools have an error in the smbldap-useradd script which includes
that when you use the add machine switch the sambaSAMAccount information is
not added to the LDAP database.  I do have a copy of this modified file if
you need it.  Otherwise if you can edit the script yourself.

James


james, i've been paging through this thread, and i would like to see 
your change to the idealx scripts as i have had the same issue: 
smbldap-useradd does not properly add a machine account to ldap.


i am using smbldap-tools-0.9.1-1.2.fc4.rf.rpm from the rpmforge.net repo.

thank you.
--
My Website: http://messinet.com
My Online Gallery: 
http://messinet.com/modules.php?name=Web_Linksl_op=visitlid=3



RE: [Samba] Domain authentification problem with LDAP

2006-03-17 Thread James Taylor
I know that the last 2 versions of the script I am working with are missing
this function when using the -w switch (as documented) it will NOT add the
sambaSAMAccount information.  I have had several users also request a copy
of this script from me solving their problems with a similar issue.  It
seems very odd that there are so many similar issues lately on the posts
concerning the (I can't connect to the Domain).  Had it not been for the
fact I decided to look at the script itself I would not have found this
problem.  Going to the IDEALX site I would love to send them comments but as
my French is very minimal not too sure where to go.

Thanks

James

-Original Message-
From: Craig White [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 17, 2006 10:09 AM
To: James Taylor
Cc: 'Daniel Tousignant'; samba@lists.samba.org
Subject: RE: [Samba] Domain authentification problem with LDAP

James - this is the second time you have made that reference to the
smbldap-useradd script.

There have been a lot and lot of versions of the smbldap-tools and
perhaps the version that you are looking at is missing something like
that but I assure you that most versions aren't.

Craig

On Fri, 2006-03-17 at 10:03 -0800, James Taylor wrote:
 The LDAP users you have created (including the machines) need to have the
 objectclass: sambaSAMAccount and the subsequent fields.  What are your
user
 add scripts and machine add scripts you are using.  Also, I have found
that
 the IDEALX tools have an error in the smbldap-useradd script which
includes
 that when you use the add machine switch the sambaSAMAccount information
is
 not added to the LDAP database.  I do have a copy of this modified file if
 you need it.  Otherwise if you can edit the script yourself.
 
 James
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf
 Of Daniel Tousignant
 Sent: Friday, March 17, 2006 9:11 AM
 To: samba@lists.samba.org
 Subject: [Samba] Domain authentification problem with LDAP
 
 We use samba 3.0.13 and openldap 2.3.6
 Members of the ldap group Domain Admins are working fine, but
 members of the group Domain Users can not login to the domain,
 and do not have access to the shares. Also, we are unable to join
 a windows xp workstation to the domain.
 Can anyone give me a hint where to start looking ... 
 
 Thank you
 
 


RE: [Samba] Domain authentification problem with LDAP

2006-03-17 Thread Craig White
#1 - click on the 'English flag' button - et voila, English

#2 - you should at least state which smbldap-tools you are speaking of
that you have fixed so others have a chance to compare and where you got
it from, idealx.com or from your distribution, and report the issue to
the place where it came from.

#3 - people are likely to ask you for if they are struggling and they
don't know why and you authoritatively suggest that your solution will
fix things for them. I think we had a very recent issue where that
wasn't the problem but the problem lay in his pam/ldap.conf.

#4 - suggesting that people do a complete replace the file that came
packaged with their system by one that you have modified doesn't seem
like the best solution at all...you could offer a 'patch' which should
throw up an alert if the file looks different or just the suggestions
about where you have modified the code and why...in fact, we have a wiki
for that kind of stuff now... http://wiki.samba.org

Craig

On Fri, 2006-03-17 at 10:22 -0800, James Taylor wrote:
 I know that the last 2 versions of the script I am working with are missing
 this function when using the -w switch (as documented) it will NOT add the
 sambaSAMAccount information.  I have had several users also request a copy
 of this script from me solving their problems with a similar issue.  It
 seems very odd that there are so many similar issues lately on the posts
 concerning the (I can't connect to the Domain).  Had it not been for the
 fact I decided to look at the script itself I would not have found this
 problem.  Going to the IDEALX site I would love to send them comments but as
 my French is very minimal not too sure where to go.
 
 Thanks
 
 James
 
 -Original Message-
 From: Craig White [mailto:[EMAIL PROTECTED] 
 Sent: Friday, March 17, 2006 10:09 AM
 To: James Taylor
 Cc: 'Daniel Tousignant'; samba@lists.samba.org
 Subject: RE: [Samba] Domain authentification problem with LDAP
 
 James - this is the second time you have made that reference to the
 smbldap-useradd script.
 
 There have been a lot and lot of versions of the smbldap-tools and
 perhaps the version that you are looking at is missing something like
 that but I assure you that most versions aren't.
 
 Craig
 
 On Fri, 2006-03-17 at 10:03 -0800, James Taylor wrote:
  The LDAP users you have created (including the machines) need to have the
  objectclass: sambaSAMAccount and the subsequent fields.  What are your
 user
  add scripts and machine add scripts you are using.  Also, I have found
 that
  the IDEALX tools have an error in the smbldap-useradd script which
 includes
  that when you use the add machine switch the sambaSAMAccount information
 is
  not added to the LDAP database.  I do have a copy of this modified file if
  you need it.  Otherwise if you can edit the script yourself.
  
  James
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf
  Of Daniel Tousignant
  Sent: Friday, March 17, 2006 9:11 AM
  To: samba@lists.samba.org
  Subject: [Samba] Domain authentification problem with LDAP
  
  We use samba 3.0.13 and openldap 2.3.6
  Members of the ldap group Domain Admins are working fine, but
  members of the group Domain Users can not login to the domain,
  and do not have access to the shares. Also, we are unable to join
  a windows xp workstation to the domain.
  Can anyone give me a hint where to start looking ... 
  
  Thank you
  
  


RE: [Samba] Domain authentification problem with LDAP

2006-03-17 Thread James Taylor
Cool, will post on your wiki...

-Original Message-
From: Craig White [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 17, 2006 10:58 AM
To: James Taylor
Cc: 'Daniel Tousignant'; samba@lists.samba.org
Subject: RE: [Samba] Domain authentification problem with LDAP

#1 - click on the 'English flag' button - et voila, English

#2 - you should at least state which smbldap-tools you are speaking of
that you have fixed so others have a chance to compare and where you got
it from, idealx.com or from your distribution, and report the issue to
the place where it came from.

#3 - people are likely to ask you for if they are struggling and they
don't know why and you authoritatively suggest that your solution will
fix things for them. I think we had a very recent issue where that
wasn't the problem but the problem lay in his pam/ldap.conf.

#4 - suggesting that people do a complete replace the file that came
packaged with their system by one that you have modified doesn't seem
like the best solution at all...you could offer a 'patch' which should
throw up an alert if the file looks different or just the suggestions
about where you have modified the code and why...in fact, we have a wiki
for that kind of stuff now... http://wiki.samba.org

Craig

On Fri, 2006-03-17 at 10:22 -0800, James Taylor wrote:
 I know that the last 2 versions of the script I am working with are
missing
 this function when using the -w switch (as documented) it will NOT add the
 sambaSAMAccount information.  I have had several users also request a copy
 of this script from me solving their problems with a similar issue.  It
 seems very odd that there are so many similar issues lately on the posts
 concerning the (I can't connect to the Domain).  Had it not been for the
 fact I decided to look at the script itself I would not have found this
 problem.  Going to the IDEALX site I would love to send them comments but
as
 my French is very minimal not too sure where to go.
 
 Thanks
 
 James
 
 -Original Message-
 From: Craig White [mailto:[EMAIL PROTECTED] 
 Sent: Friday, March 17, 2006 10:09 AM
 To: James Taylor
 Cc: 'Daniel Tousignant'; samba@lists.samba.org
 Subject: RE: [Samba] Domain authentification problem with LDAP
 
 James - this is the second time you have made that reference to the
 smbldap-useradd script.
 
 There have been a lot and lot of versions of the smbldap-tools and
 perhaps the version that you are looking at is missing something like
 that but I assure you that most versions aren't.
 
 Craig
 
 On Fri, 2006-03-17 at 10:03 -0800, James Taylor wrote:
  The LDAP users you have created (including the machines) need to have
the
  objectclass: sambaSAMAccount and the subsequent fields.  What are your
 user
  add scripts and machine add scripts you are using.  Also, I have found
 that
  the IDEALX tools have an error in the smbldap-useradd script which
 includes
  that when you use the add machine switch the sambaSAMAccount information
 is
  not added to the LDAP database.  I do have a copy of this modified file
if
  you need it.  Otherwise if you can edit the script yourself.
  
  James
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On
Behalf
  Of Daniel Tousignant
  Sent: Friday, March 17, 2006 9:11 AM
  To: samba@lists.samba.org
  Subject: [Samba] Domain authentification problem with LDAP
  
  We use samba 3.0.13 and openldap 2.3.6
  Members of the ldap group Domain Admins are working fine, but
  members of the group Domain Users can not login to the domain,
  and do not have access to the shares. Also, we are unable to join
  a windows xp workstation to the domain.
  Can anyone give me a hint where to start looking ... 
  
  Thank you
  
  


RE: [Samba] Domain authentification problem with LDAP

2006-03-17 Thread Craig White
You still should report the problem and your 'fix' to wherever you got
the smbldap-tools package from, be it your distribution or idealx.com

FWIW, I have never seen this issue myself and while I generally use
tools other than idealx to manage users/groups, I do add machines on the
fly which does use the idealx script to accomplish and is the discussion
item...adding machine accounts and getting the proper attributes. This
of course does require a properly configured smbldap-tools configuration
for both 'binding' to LDAP and for attributes, the configuration of
which has been split into 2 files for some time now.

Idealx.com - as I said, the 'English flag' button at the top right takes
you to their English language site.

As for the wiki - that belongs to you - the users - we just try to
maintain some semblance of order.

Craig

On Fri, 2006-03-17 at 11:03 -0800, James Taylor wrote:
 Cool, will post on your wiki...
 
 -Original Message-
 From: Craig White [mailto:[EMAIL PROTECTED] 
 Sent: Friday, March 17, 2006 10:58 AM
 To: James Taylor
 Cc: 'Daniel Tousignant'; samba@lists.samba.org
 Subject: RE: [Samba] Domain authentification problem with LDAP
 
 #1 - click on the 'English flag' button - et voila, English
 
 #2 - you should at least state which smbldap-tools you are speaking of
 that you have fixed so others have a chance to compare and where you got
 it from, idealx.com or from your distribution, and report the issue to
 the place where it came from.
 
 #3 - people are likely to ask you for if they are struggling and they
 don't know why and you authoritatively suggest that your solution will
 fix things for them. I think we had a very recent issue where that
 wasn't the problem but the problem lay in his pam/ldap.conf.
 
 #4 - suggesting that people do a complete replace the file that came
 packaged with their system by one that you have modified doesn't seem
 like the best solution at all...you could offer a 'patch' which should
 throw up an alert if the file looks different or just the suggestions
 about where you have modified the code and why...in fact, we have a wiki
 for that kind of stuff now... http://wiki.samba.org
 
 Craig
 
 On Fri, 2006-03-17 at 10:22 -0800, James Taylor wrote:
  I know that the last 2 versions of the script I am working with are
  missing this function when using the -w switch (as documented) it will NOT
  add the sambaSAMAccount information.  I have had several users also request
  a copy of this script from me solving their problems with a similar issue.
  It seems very odd that there are so many similar issues lately on the posts
  concerning the (I can't connect to the Domain).  Had it not been for the
  fact I decided to look at the script itself I would not have found this
  problem.  Going to the IDEALX site I would love to send them comments but
  as my French is very minimal not too sure where to go.
  
  Thanks
  
  James
  
  -Original Message-
  From: Craig White [mailto:[EMAIL PROTECTED] 
  Sent: Friday, March 17, 2006 10:09 AM
  To: James Taylor
  Cc: 'Daniel Tousignant'; samba@lists.samba.org
  Subject: RE: [Samba] Domain authentification problem with LDAP
  
  James - this is the second time you have made that reference to the
  smbldap-useradd script.
  
  There have been a lot and lot of versions of the smbldap-tools and
  perhaps the version that you are looking at is missing something like
  that but I assure you that most versions aren't.
  
  Craig
  
  On Fri, 2006-03-17 at 10:03 -0800, James Taylor wrote:
   The LDAP users you have created (including the machines) need to have
   the objectclass: sambaSAMAccount and the subsequent fields.  What are your
   user add scripts and machine add scripts you are using.  Also, I have found
   that the IDEALX tools have an error in the smbldap-useradd script which
   includes that when you use the add machine switch the sambaSAMAccount
   information is not added to the LDAP database.  I do have a copy of this
   modified file if you need it.  Otherwise if you can edit the script yourself.
   
   James
   
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On
 Behalf
   Of Daniel Tousignant
   Sent: Friday, March 17, 2006 9:11 AM
   To: samba@lists.samba.org
   Subject: [Samba] Domain authentification problem with LDAP
   
   We use samba 3.0.13 and openldap 2.3.6
   Members of the ldap group Domain Admins are working fine, but
   members of the group Domain Users can not login to the domain,
   and do not have access to the shares. Also, we are unable to join
   a windows xp workstation to the domain.
   Can anyone give me a hint where to start looking ... 
   
   Thank you
   
   
   -- 
   To unsubscribe from this list go to the following URL and read the
   instructions:  https://lists.samba.org/mailman/listinfo/samba
   
  
  
 
 


RE: [Samba] Domain authentification problem with LDAP

2006-03-17 Thread James Taylor
Just reported it to IDEALX.  My IE Client did not show the convert to
English function but when you made the comment I swiped my mouse over the
screen and it showed me the link.  I should load Mozilla on this box.

Thanks

James

-Original Message-
From: Craig White [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 17, 2006 11:27 AM
To: James Taylor
Cc: 'Daniel Tousignant'; samba@lists.samba.org
Subject: RE: [Samba] Domain authentification problem with LDAP

You still should report the problem and your 'fix' to wherever you got
the smbldap-tools package from, be it your distribution or idealx.com

FWIW, I have never seen this issue myself and while I generally use
tools other than idealx to manage users/groups, I do add machines on the
fly which does use the idealx script to accomplish and is the discussion
item...adding machine accounts and getting the proper attributes. This
of course does require a properly configured smbldap-tools configuration
for both 'binding' to LDAP and for attributes, the configuration of
which has been split into 2 files for some time now.

Idealx.com - as I said, the 'English flag' button at the top right takes
you to their English language site.

As for the wiki - that belongs to you - the users - we just try to
maintain some semblance of order.

Craig

On Fri, 2006-03-17 at 11:03 -0800, James Taylor wrote:
 Cool, will post on your wiki...
 
 -Original Message-
 From: Craig White [mailto:[EMAIL PROTECTED] 
 Sent: Friday, March 17, 2006 10:58 AM
 To: James Taylor
 Cc: 'Daniel Tousignant'; samba@lists.samba.org
 Subject: RE: [Samba] Domain authentification problem with LDAP
 
 #1 - click on the 'English flag' button - et voila, English
 
 #2 - you should at least state which smbldap-tools you are speaking of
 that you have fixed so others have a chance to compare and where you got
 it from, idealx.com or from your distribution, and report the issue to
 the place where it came from.
 
 #3 - people are likely to ask you for if they are struggling and they
 don't know why and you authoritatively suggest that your solution will
 fix things for them. I think we had a very recent issue where that
 wasn't the problem but the problem lied in his pam/ldap.conf.
 
 #4 - suggesting that people do a complete replace the file that came
 packaged with their system by one that you have modified doesn't seem
 like the best solution at all...you could offer a 'patch' which should
 throw up an alert if the file looks different or just the suggestions
 about where you have modified the code and why...in fact, we have a wiki
 for that kind of stuff now... http://wiki.samba.org
 
 Craig
 
 On Fri, 2006-03-17 at 10:22 -0800, James Taylor wrote:
  I know that the last 2 versions of the script I am working with are
  missing this function when using the -w switch (as documented) it will NOT
  add the sambaSAMAccount information.  I have had several users also request
  a copy of this script from me solving their problems with a similar issue.
  It seems very odd that there are so many similar issues lately on the posts
  concerning the (I can't connect to the Domain).  Had it not been for the
  fact I decided to look at the script itself I would not have found this
  problem.  Going to the IDEALX site I would love to send them comments but
  as my French is very minimal not too sure where to go.
  
  Thanks
  
  James
  
  -Original Message-
  From: Craig White [mailto:[EMAIL PROTECTED] 
  Sent: Friday, March 17, 2006 10:09 AM
  To: James Taylor
  Cc: 'Daniel Tousignant'; samba@lists.samba.org
  Subject: RE: [Samba] Domain authentification problem with LDAP
  
  James - this is the second time you have made that reference to the
  smbldap-useradd script.
  
  There have been a lot and lot of versions of the smbldap-tools and
  perhaps the version that you are looking at is missing something like
  that but I assure you that most versions aren't.
  
  Craig
  
  On Fri, 2006-03-17 at 10:03 -0800, James Taylor wrote:
   The LDAP users you have created (including the machines) need to have
   the objectclass: sambaSAMAccount and the subsequent fields.  What are your
   user add scripts and machine add scripts you are using.  Also, I have found
   that the IDEALX tools have an error in the smbldap-useradd script which
   includes that when you use the add machine switch the sambaSAMAccount
   information is not added to the LDAP database.  I do have a copy of this
   modified file if you need it.  Otherwise if you can edit the script yourself.
   
   James
   
   -Original Message-
   From: [EMAIL PROTECTED]
   [mailto:[EMAIL PROTECTED] On
 Behalf
   Of Daniel Tousignant
   Sent: Friday, March 17, 2006 9:11 AM
   To: samba@lists.samba.org
   Subject: [Samba] Domain authentification problem with LDAP
   
   We use samba 3.0.13 and openldap 2.3.6
   Members of the ldap group Domain Admins are working fine, but
   members of the group Domain Users can not login

Re: [Samba] Domain authentification problem with LDAP

2006-03-17 Thread Daniel Tousignant
The objectclass sambaSAMAccount and subsequent fields have been
created. We are using the standard perl script tools that are installed
with the mandriva 2006 distro (samba 3.0.13 and openldap 2.3.6).
What I really do not understand is that if I put a user in the standard
ldap group Domain Admins (gid=512), the user is able to logon to the domain,
but not when it is in the Domain Users group (gid=513). What is the big
difference for Samba between the two? Can it be an ACL problem?

James Taylor [EMAIL PROTECTED] a écrit:
The LDAP users you have created (including the machines) need to have the
objectclass: sambaSAMAccount and the subsequent fields.  What are your
user add scripts and machine add scripts you are using.  Also, I have found
that the IDEALX tools have an error in the smbldap-useradd script which
includes that when you use the add machine switch the sambaSAMAccount
information is not added to the LDAP database.  I do have a copy of this
modified file if you need it.  Otherwise if you can edit the script yourself.

James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Daniel Tousignant
Sent: Friday, March 17, 2006 9:11 AM
To: samba@lists.samba.org
Subject: [Samba] Domain authentification problem with LDAP

We use samba 3.0.13 and openldap 2.3.6
Members of the ldap group Domain Admins are working fine, but
members of the group Domain Users can not login to the domain,
and do not have access to the shares. Also, we are unable to join
a windows xp workstation to the domain.
Can anyone give me a hint where to start looking ... 

Thank you




Daniel Tousignant
Support informatique
Intair Transit
Courriel : [EMAIL PROTECTED]
Telephone : (514) 286-8515 poste 3326



RE: [Samba] Domain authentification problem with LDAP

2006-03-17 Thread James Taylor
It could be ACLs but I am wondering how your /etc/ldap.conf file looks.
Also, does the Domain Users group have the sambaGroupMapping objectClass?
Also is it associated with the right samba Domain under the sambaSID?
Otherwise the domain won't refer to that group.

James

-Original Message-
From: Daniel Tousignant [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 17, 2006 12:08 PM
To: James Taylor
Cc: samba@lists.samba.org
Subject: Re: [Samba] Domain authentification problem with LDAP

The objectclass sambaSAMAccount and subsequent fields have been
created. We are using the standard perl script tools that are installed
with the mandriva 2006 distro (samba 3.0.13 and openldap 2.3.6).
What I really do not understand is that if I put a user in the standard
ldap group Domain Admins (gid=512), the user is able to logon to the domain,
but not when it is in the Domain Users group (gid=513). What is the big
difference for Samba between the two? Can it be an ACL problem?

James Taylor [EMAIL PROTECTED] a écrit:
The LDAP users you have created (including the machines) need to have the
objectclass: sambaSAMAccount and the subsequent fields.  What are your
user add scripts and machine add scripts you are using.  Also, I have found
that the IDEALX tools have an error in the smbldap-useradd script which
includes that when you use the add machine switch the sambaSAMAccount
information is not added to the LDAP database.  I do have a copy of this
modified file if you need it.  Otherwise if you can edit the script yourself.

James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Daniel Tousignant
Sent: Friday, March 17, 2006 9:11 AM
To: samba@lists.samba.org
Subject: [Samba] Domain authentification problem with LDAP

We use samba 3.0.13 and openldap 2.3.6
Members of the ldap group Domain Admins are working fine, but
members of the group Domain Users can not login to the domain,
and do not have access to the shares. Also, we are unable to join
a windows xp workstation to the domain.
Can anyone give me a hint where to start looking ... 

Thank you




Daniel Tousignant
Support informatique
Intair Transit
Courriel : [EMAIL PROTECTED]
Telephone : (514) 286-8515 poste 3326




Re: [Samba] Domain authentification problem with LDAP

2006-03-17 Thread Craig White
On Fri, 2006-03-17 at 15:08 -0500, Daniel Tousignant wrote:
 The objectclass sambaSAMAccount and subsequent fields have been
 created. We are using the standard perl script tools that are installed
 with the mandriva 2006 distro (samba 3.0.13 and openldap 2.3.6).
 What I really do not understand is that if I put a user in the standard
 ldap group Domain Admins (gid=512), the user is able to logon to the domain,
 but not when it is in the Domain Users group (gid=513). What is the big
 difference for Samba between the two? Can it be an ACL problem?

not very likely to be an ACL problem.

net groupmap list|grep Domain

net getlocalsid

why don't you post up what comes from those commands...

Craig



Re: [Samba] Domain authentification problem with LDAP

2006-03-17 Thread Daniel Tousignant
The only thing that is configured in the ldap.conf file is the 
Base(dc=INTAIR, dc=transit) and Host (localhost) (with no SSL support).
And yes, the objectclass is there with the right sambaSID.
By the way the tools are the IDEALX 0.9.1

James Taylor [EMAIL PROTECTED] a écrit:
It could be ACLs but I am wondering how your /etc/ldap.conf file looks.
Also, does the Domain Users group have the sambaGroupMapping objectClass?
Also is it associated with the right samba Domain under the sambaSID?
Otherwise the domain won't refer to that group.

James

-Original Message-
From: Daniel Tousignant [mailto:[EMAIL PROTECTED] 
Sent: Friday, March 17, 2006 12:08 PM
To: James Taylor
Cc: samba@lists.samba.org
Subject: Re: [Samba] Domain authentification problem with LDAP

The objectclass sambaSAMAccount and subsequent fields have been
created. We are using the standard perl script tools that are installed
with the mandriva 2006 distro (samba 3.0.13 and openldap 2.3.6).
What I really do not understand is that if I put a user in the standard
ldap group Domain Admins (gid=512), the user is able to logon to the domain,
but not when it is in the Domain Users group (gid=513). What is the big
difference for Samba between the two? Can it be an ACL problem?

James Taylor [EMAIL PROTECTED] a écrit:
The LDAP users you have created (including the machines) need to have the
objectclass: sambaSAMAccount and the subsequent fields.  What are your
user add scripts and machine add scripts you are using.  Also, I have found
that the IDEALX tools have an error in the smbldap-useradd script which
includes that when you use the add machine switch the sambaSAMAccount
information is not added to the LDAP database.  I do have a copy of this
modified file if you need it.  Otherwise if you can edit the script yourself.

James

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf
Of Daniel Tousignant
Sent: Friday, March 17, 2006 9:11 AM
To: samba@lists.samba.org
Subject: [Samba] Domain authentification problem with LDAP

We use samba 3.0.13 and openldap 2.3.6
Members of the ldap group Domain Admins are working fine, but
members of the group Domain Users can not login to the domain,
and do not have access to the shares. Also, we are unable to join
a windows xp workstation to the domain.
Can anyone give me a hint where to start looking ... 

Thank you




Daniel Tousignant
Support informatique
Intair Transit
Courriel : [EMAIL PROTECTED]
Telephone : (514) 286-8515 poste 3326



Daniel Tousignant
Support informatique
Intair Transit
Courriel : [EMAIL PROTECTED]
Telephone : (514) 286-8515 poste 3326



Re: [Samba] Domain authentification problem with LDAP

2006-03-17 Thread Daniel Tousignant
Craig White [EMAIL PROTECTED] a écrit:
On Fri, 2006-03-17 at 15:08 -0500, Daniel Tousignant wrote:
 The objectclass sambaSAMAccount and subsequent fields have been
 created. We are using the standard perl script tools that are installed
 with the mandriva 2006 distro (samba 3.0.13 and openldap 2.3.6).
 What I really do not understand is that if I put a user in the standard
 ldap group Domain Admins (gid=512), the user is able to logon to the domain,
 but not when it is in the Domain Users group (gid=513). What is the big
 difference for Samba between the two? Can it be an ACL problem?

not very likely to be an ACL problem.

net groupmap list|grep Domain

Domain Users (S-1-5-21-3194588850-3670737847-3710085093-513) - Domain Users
Domain Guests (S-1-5-21-3194588850-3670737847-3710085093-514) - Domain Guests
Domain Admins (S-1-5-21-3194588850-3670737847-3710085093-512) - Domain Admins
Domain Machines (S-1-5-21-3194588850-3670737847-3710085093-515) - Domain Machines


net getlocalsid

[2006/03/17 16:09:20, 0] utils/net.c:net_getlocalsid(494)
  Can't fetch domain SID for name: HIPPOLYTE



why don't you post up what comes from those commands...

Craig



Daniel Tousignant
Support informatique
Intair Transit
Courriel : [EMAIL PROTECTED]
Telephone : (514) 286-8515 poste 3326



Re: [Samba] Domain authentification problem with LDAP

2006-03-17 Thread Craig White
On Fri, 2006-03-17 at 16:14 -0500, Daniel Tousignant wrote:
 Craig White [EMAIL PROTECTED] a écrit:
 On Fri, 2006-03-17 at 15:08 -0500, Daniel Tousignant wrote:
  The objectclass sambaSAMAccount and subsequent fields have been
  created. We are using the standard perl script tools that are installed
  with the mandriva 2006 distro (samba 3.0.13 and openldap 2.3.6).
  What I really do not understand is that if I put a user in the standard
  ldap group Domain Admins (gid=512), the user is able to logon to the domain,
  but not when it is in the Domain Users group (gid=513). What is the big
  difference for Samba between the two? Can it be an ACL problem?
 
 not very likely to be an ACL problem.
 
 net groupmap list|grep Domain
 
 Domain Users (S-1-5-21-3194588850-3670737847-3710085093-513) - Domain Users
 Domain Guests (S-1-5-21-3194588850-3670737847-3710085093-514) - Domain Guests
 Domain Admins (S-1-5-21-3194588850-3670737847-3710085093-512) - Domain Admins
 Domain Machines (S-1-5-21-3194588850-3670737847-3710085093-515) - Domain Machines
 
 
 net getlocalsid
 
 [2006/03/17 16:09:20, 0] utils/net.c:net_getlocalsid(494)
   Can't fetch domain SID for name: HIPPOLYTE

this is a MAJOR problem...it should look like

dn: sambaDomainName=EXAMPLE,dc=example,dc=net
sambaAlgorithmicRidBase: 1000
structuralObjectClass: sambaDomain
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaSID: S-1-5-21-89274850-471284788-6498272
sambaDomainName: EXAMPLE
gidNumber: 1021
uidNumber: 1095

and should have been created either by hand or by idealx 'populate'
script if you followed someone's directions somewhere.

Craig

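The checks raised in this thread (a sambaDomain entry so that 'net getlocalsid' can fetch the domain SID, sambaGroupMapping on the groups with a sambaSID under that domain, sambaSAMAccount on user and machine entries) can be run offline over an LDIF dump of the directory. The following is an added example, not code from any poster or from smbldap-tools; the function names, finding codes and the sample LDIF are constructed for illustration.

```python
import re

# Constructed sample dump (not taken from the server discussed in the thread).
SAMPLE_LDIF = """\
dn: sambaDomainName=EXAMPLE,dc=example,dc=net
objectClass: sambaDomain
sambaDomainName: EXAMPLE
sambaSID: S-1-5-21-89274850-471284788-6498272

dn: cn=Domain Admins,ou=Groups,dc=example,dc=net
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
sambaSID: S-1-5-21-89274850-471284788-6498272-512

dn: cn=Domain Users,ou=Groups,dc=example,dc=net
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
sambaSID: S-1-5-21-11111111-22222222-33333333-513

dn: uid=ws01$,ou=Computers,dc=example,dc=net
objectClass: posixAccount
uid: ws01$
"""

def parse_ldif(text):
    """Parse plain LDIF into dicts of lower-cased attribute -> list of values."""
    text = re.sub(r"\r?\n ", "", text)  # unfold continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if line.startswith("#") or not sep or value.startswith(":"):
                continue  # skip comments, junk and base64 ("attr:: ...") values
            entry.setdefault(key.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def audit(entries, domain_name):
    """Return (code, subject) findings; Unix-only accounts are flagged too."""
    def classes(e):
        return {c.lower() for c in e.get("objectclass", [])}

    findings, domain_sid = [], None
    for e in entries:
        names = [n.lower() for n in e.get("sambadomainname", [])]
        if "sambadomain" in classes(e) and domain_name.lower() in names:
            domain_sid = e.get("sambasid", [None])[0]
    if domain_sid is None:  # entry absent, or present without a sambaSID
        findings.append(("NO_DOMAIN_ENTRY", domain_name))
    for e in entries:
        oc, dn = classes(e), e["dn"][0]
        if oc & {"sambagroupmapping", "sambasamaccount"}:
            prefix = e.get("sambasid", [""])[0].rpartition("-")[0]
            if domain_sid and prefix != domain_sid:
                findings.append(("SID_MISMATCH", dn))  # SID is not under this domain
        elif "posixgroup" in oc:
            findings.append(("NO_GROUP_MAPPING", dn))
        elif "posixaccount" in oc:
            findings.append(("NO_SAMBA_ACCOUNT", dn))
    return findings
```

Calling audit(parse_ldif(SAMPLE_LDIF), "EXAMPLE") flags the Domain Users group whose SID belongs to another domain and the machine account that lacks sambaSAMAccount; asking for a domain name with no sambaDomain entry reports NO_DOMAIN_ENTRY first.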