Wait, you are using samba with an openldap backend.

Why are you using useradd? With this backend you need smbldap instead,
like this:

        passdb backend = ldapsam:ldap://your-ldap-server
        ldap passwd sync = yes
        ldap delete dn = Yes
        ldap admin dn = cn=root,dc=domain,dc=com,dc=br
        ldap suffix = dc=domain,dc=com,dc=br
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=Users
        ldap group suffix = ou=Groups
        ldap idmap suffix = sambaDomainName=DOMAIN
        idmap backend = ldap:ldap://your-ldap-server
        idmap alloc backend = ldap:ldap://your-ldap-server
        idmap uid = 1000-20000
        idmap gid = 1000-20000
        idmap alloc config:range = 1000-20000
        ldap timeout = 15
        ldap connection timeout = 2
        ldap page size = 1024

   # add/remove users
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        delete user script = /usr/sbin/smbldap-userdel "%u"
   # add/remove Groups
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        delete group script = /usr/sbin/smbldap-groupdel "%g"
   # add/remove user in groups
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
   # define primary group of user
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
   # add machines in domain
        add machine script = /usr/sbin/smbldap-useradd -i -w "%u"

regards
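The point of the reply above, and of the testparm output further down in the thread, is a single mismatch: `passdb backend = ldapsam` with an `add machine script` that still calls `/usr/sbin/useradd`, so the posix half of the machine account is written to /etc/passwd while Samba looks for it in LDAP. The linter below is an added example, not code from this thread, from smbldap-tools or from Samba. It parses an smb.conf, and when the backend is ldapsam it flags any account script that calls the local useradd/groupadd family, checks that `ldap admin dn` sits under `ldap suffix`, and warns when a remote `ldap://` URL is combined with `ldap ssl = no` (the admin dn bind password then crosses the wire unencrypted; Samba's default is `start tls`). The two sample configs are constructed: one is the poster's [global] section trimmed to the keys the linter reads, the other is the same backend with the smbldap-tools scripts from the reply.

```python
"""Lint an smb.conf for the ldapsam-plus-useradd mismatch discussed in the
thread.  Added example; not code from the thread, smbldap-tools or Samba."""
import os
import re
import shlex

# Constructed sample: the poster's [global] section, trimmed to the keys the
# linter reads (values as quoted in the thread).
SMB_CONF_USERADD = """
[global]
        passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
        add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
        ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
        ldap suffix = dc=mediaservice-test,dc=pri
        ldap machine suffix = ou=Machines
        ldap user suffix = ou=people
        ldap ssl = no
"""

# Constructed sample: same backend, scripts swapped for the smbldap-tools
# commands from the reply, TLS left at Samba's default ("start tls").
SMB_CONF_SMBLDAP = """
[global]
        passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
        ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
        ldap suffix = dc=mediaservice-test,dc=pri
        ldap ssl = start tls
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        delete user script = /usr/sbin/smbldap-userdel "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        add machine script = /usr/sbin/smbldap-useradd -i -w "%u"
"""

# Local-account tools and the smbldap-tools command that replaces each.
LOCAL_TO_SMBLDAP = {
    "useradd": "smbldap-useradd", "userdel": "smbldap-userdel",
    "usermod": "smbldap-usermod", "groupadd": "smbldap-groupadd",
    "groupdel": "smbldap-groupdel", "groupmod": "smbldap-groupmod",
}
SCRIPT_KEYS = (
    "add user script", "delete user script", "add group script",
    "delete group script", "add user to group script",
    "delete user from group script", "set primary group script",
    "add machine script",
)


def parse_smb_conf(text):
    """Minimal smb.conf reader -> {section: {key: value}}; keys lower-cased
    with whitespace collapsed, '#'/';' comments skipped, no continuations."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        head = re.match(r"\[(.+)\]$", line)
        if head:
            current = head.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def lint_ldapsam(sections):
    """Return a list of findings for an ldapsam-backed [global]; [] is clean."""
    g = sections.get("global", {})
    backend = g.get("passdb backend", "tdbsam")
    if not backend.lower().startswith("ldapsam"):
        return []  # the checks below only make sense for an LDAP passdb
    findings = []
    # 1. every account script must create its posix entry in LDAP
    for key in SCRIPT_KEYS:
        cmd = g.get(key)
        if not cmd:
            continue
        prog = os.path.basename(shlex.split(cmd)[0])
        if prog in LOCAL_TO_SMBLDAP:
            findings.append(f"{key}: {prog} writes /etc/passwd or /etc/group, "
                            f"not LDAP; use {LOCAL_TO_SMBLDAP[prog]} instead")
    # 2. the bind DN has to live under the suffix it will be searching
    suffix = g.get("ldap suffix", "").lower()
    admin = g.get("ldap admin dn", "").lower()
    if suffix and admin and not admin.endswith(suffix):
        findings.append("ldap admin dn is not under ldap suffix")
    # 3. ldap:// to a remote host with 'ldap ssl = no' binds as the admin DN
    #    in clear text (Samba's default is 'start tls')
    uri = backend.partition(":")[2]
    if uri.startswith("ldap://") and g.get("ldap ssl", "start tls").lower() == "no":
        host = uri[len("ldap://"):].split("/")[0].split(":")[0]
        if host not in ("localhost", "127.0.0.1"):
            findings.append(f"ldap ssl = no with ldap://{host}: admin dn bind "
                            "password crosses the network unencrypted")
    return findings


if __name__ == "__main__":
    for label, text in (("useradd", SMB_CONF_USERADD), ("smbldap", SMB_CONF_SMBLDAP)):
        found = lint_ldapsam(parse_smb_conf(text))
        print(f"{label}: {'OK' if not found else 'FAIL'}")
        for f in found:
            print("  -", f)
```

Run it against the real file with `testparm -s /etc/samba/smb.conf > /tmp/smb.conf` first, so that the linter sees the same defaults-resolved configuration smbd uses; the script-name check is deliberately an exact match on the basename, so a wrapper script of your own that calls smbldap-useradd internally is not flagged.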

On Mon, Sep 27, 2010 at 12:15 PM, Gaiseric Vandal
<[email protected]>  wrote:
 Your user script may be adding a LOCAL unix account (in /etc/passwd).   Do
 you see the accounts in there?   You may need a custom script that adds the
 accounts to ldap.

 The following may help

 https://gna.org/projects/smbldap-tools/


 Remember, that being root on your unix system does not automatically make
 you LDAP admin.

 If you have a single server then having your unix may be OK-  samba will
 match the samba user to the unix user via the user id.    I have multiple
 servers so I use LDAP for unix accounts (previously used NIS).   So now an
 LDAP user has both windows and unix account info.

 On 09/27/2010 11:08 AM, Claudio Prono wrote:

 Gaiseric Vandal wrote:


 Do you have an underlying unix account for the pc (eg SOMEMACHINE$)?

 It is possible to configure scripts so that the unix account is created
 by samba if necessary when samba creates the "Windows" account for the
 machine.  I don't have it set up this way, so I need to create the
 unix account 1st.



 add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$

 This script automatically adds the machine if needed, or am I wrong?


 Also, I found that since the underlying unix OS may need validate the
 machine account,  I put my machine accounts in either the same ldap ou
 as people (or in a sub ou.)  ("getent passwd" command may need to show
 your machine accounts as well as people accounts.)

 If you have manually created the unix account for the machine, can you
 then manually create the samba account for it

          e.g. smbpasswd -m -a SOMEMACHINE

      (I think you leave the $ off.)


 I use LDAP for both "unix" and "windows" clients so my config choices
 may not be applicable to a windows-only client environment.


 On 09/27/2010 09:59 AM, Claudio Prono wrote:


 Hello all,

 I have some problems making a configuration with Samba and
 OpenLDAP as domain controller work. My operating system is OpenSuSE 11.3.

 Here is my testparm:

 [global]
           workgroup = MEDIADC
           netbios name = MEDIADC
           map to guest = Bad User
           passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
           log level = 2
           printcap name = cups
           add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
           logon path = \\%L\profiles\.msprofile
           logon drive = P:
           logon home = \\%L\%U\.9xprofile
           domain logons = Yes
           os level = 65
           preferred master = Yes
           domain master = Yes
           wins support = Yes
           ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
           ldap group suffix = ou=group
           ldap idmap suffix = ou=Idmap
           ldap machine suffix = ou=Machines
           ldap passwd sync = yes
           ldap suffix = dc=mediaservice-test,dc=pri
           ldap ssl = no
           ldap user suffix = ou=people
           usershare allow guests = Yes
           idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
           idmap uid = 1000-60000
           idmap gid = 1000-60000
           cups options = raw

 [homes]
           comment = Home Directories
           valid users = %S, %D%w%S
           read only = No
           inherit acls = Yes
           browseable = No

 [profiles]
           comment = Network Profiles Service
           path = %H
           read only = No
           create mask = 0600
           directory mask = 0700
           store dos attributes = Yes

 [users]
           comment = All users
           path = /home
           read only = No
           inherit acls = Yes
           veto files = /aquota.user/groups/shares/

 [groups]
           comment = All groups
           path = /home/groups
           read only = No
           inherit acls = Yes

 [printers]
           comment = All Printers
           path = /var/tmp
           create mask = 0600
           printable = Yes
           browseable = No

 [print$]
           comment = Printer Drivers
           path = /var/lib/samba/drivers
           write list = @ntadmin, root
           force group = ntadmin
           create mask = 0664
           directory mask = 0775

 [netlogon]
           comment = Network Logon Service
           path = /var/lib/samba/netlogon
           write list = root

 If I try to join a Windows XP machine to the domain I get these results:

 [2010/09/27 14:58:52.229946,  0]
 lib/util_sock.c:1432(get_peer_addr_internal)
     getpeername failed. Error was Transport endpoint is not connected
 [2010/09/27 14:58:52.233371,  2] smbd/reply.c:536(reply_special)
     netbios connect: name1=MEDIADC        0x20 name2=TESTAFS        0x0
 [2010/09/27 14:58:52.233498,  2] smbd/reply.c:547(reply_special)
     netbios connect: local=mediadc remote=testafs, name type = 0
 [2010/09/27 14:58:52.234068,  2]
 smbd/sesssetup.c:1390(setup_new_vc_session)
     setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
 all old resources.
 [2010/09/27 14:58:52.233647,  0] lib/util_sock.c:675(write_data)
 [2010/09/27 14:58:52.234876,  0]
 lib/util_sock.c:1432(get_peer_addr_internal)
     getpeername failed. Error was Transport endpoint is not connected
     write_data: write failure in writing to client 0.0.0.0. Error
 Connection reset by peer
 [2010/09/27 14:58:52.236855,  0] smbd/process.c:79(srv_send_smb)
     Error writing 4 bytes to client. -1. (Transport endpoint is not
 connected)
 [2010/09/27 14:58:52.238615,  2]
 smbd/sesssetup.c:1390(setup_new_vc_session)
     setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
 all old resources.
 [2010/09/27 14:58:52.239888,  2]
 lib/smbldap.c:950(smbldap_open_connection)
     smbldap_open_connection: connection opened
 [2010/09/27 14:58:52.242954,  2]
 passdb/pdb_ldap.c:572(init_sam_from_ldap)
     init_sam_from_ldap: Entry found for user: Administrator
 [2010/09/27 14:58:52.295749,  2] auth/auth.c:304(check_ntlm_password)
     check_ntlm_password:  authentication for user [Administrator] ->
 [Administrator] ->     [Administrator] succeeded
 [2010/09/27 14:58:52.780610,  0]
 rpc_server/srv_netlog_nt.c:669(_netr_ServerAuthenticate3)
     _netr_ServerAuthenticate: no challenge sent to client TESTAFS
 [2010/09/27 14:58:53.337111,  2]
 smbd/sesssetup.c:1390(setup_new_vc_session)
     setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
 all old resources.
 [2010/09/27 14:58:53.338938,  2]
 smbd/sesssetup.c:1390(setup_new_vc_session)
     setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
 all old resources.
 [2010/09/27 14:58:53.339808,  2]
 lib/smbldap.c:950(smbldap_open_connection)
     smbldap_open_connection: connection opened
 [2010/09/27 14:58:53.342371,  2]
 passdb/pdb_ldap.c:572(init_sam_from_ldap)
     init_sam_from_ldap: Entry found for user: Administrator
 [2010/09/27 14:58:53.347683,  2] auth/auth.c:304(check_ntlm_password)
     check_ntlm_password:  authentication for user [Administrator] ->
 [Administrator] ->     [Administrator] succeeded
 [2010/09/27 14:58:53.812728,  2]
 rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
     Returning domain sid for domain MEDIADC ->
 S-1-5-21-1949818787-1514111066-129980733
 [2010/09/27 14:58:53.814002,  2]
 rpc_server/srv_samr_nt.c:4124(_samr_LookupDomain)
     Returning domain sid for domain MEDIADC ->
 S-1-5-21-1949818787-1514111066-129980733

 It seems all works fine, but Windows gives an error like "Access
 Denied" and the computer is not added to the domain.

 What can be the problem? How to debug it?

 Any hint is welcome...

 Cordially,

 Claudio Prono.


 --
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/options/samba
