[Samba] Can't log in, but logs say auth succeeded?

2005-04-10 Thread Ben Davis
I've just gotten my first machine to join the domain, and now I'm trying 
to log in as a normal user.  I get this error in Windows: "The system 
could not log you on. Make sure your username and password are correct 
(bla bla...)".  However, when I check the log for that machine it says 
at the end that authentication succeeded?

/var/log/samba/log.melisa:  (log level=2, debug timestamp=no)
netsec_decode: FAILED: packet sequence number:
[000] 7D AD 7D F4 29 CE 7C D4   }.}.).|.
should be:
[000] 00 00 00 00 80 00 00 00   
smbldap_open_connection: connection opened
init_sam_from_ldap: Entry found for user: melisa$
init_sam_from_ldap: Entry found for user: bdavis
init_group_from_ldap: Entry found for group: 512
init_group_from_ldap: Entry found for group: 0
init_group_from_ldap: Entry found for group: 100
check_ntlm_password:  authentication for user [bdavis] - [bdavis] - 
[bdavis] succeeded

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Can't log in, but logs say auth succeeded?

2005-04-10 Thread Ben Davis
*sigh*  I hate it when I finally answer my own question _right_ after 
posting to the list...   I figured out that the reason I was getting 
this error was because my SIDs for my users did not contain the value 
of  net getlocalsid.. must have been an old SID.  Is there an easy way 
to update the SIDs of all my users? maybe I'll just write a script...   
Anyways, it works now :-)   now onto the more complex stuff :-P

Ben Davis wrote:
I've just gotten my first machine to join the domain, and now I'm 
trying to log in as a normal user.  I get this error in Windows: "The 
system could not log you on. Make sure your username and password are 
correct (bla bla...)".  However, when I check the log for that machine 
it says at the end that authentication succeeded?

/var/log/samba/log.melisa:  (log level=2, debug timestamp=no)
netsec_decode: FAILED: packet sequence number:
[000] 7D AD 7D F4 29 CE 7C D4   }.}.).|.
should be:
[000] 00 00 00 00 80 00 00 00   
smbldap_open_connection: connection opened
init_sam_from_ldap: Entry found for user: melisa$
init_sam_from_ldap: Entry found for user: bdavis
init_group_from_ldap: Entry found for group: 512
init_group_from_ldap: Entry found for group: 0
init_group_from_ldap: Entry found for group: 100
check_ntlm_password:  authentication for user [bdavis] - [bdavis] - 
[bdavis] succeeded

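The fix described in the reply above, worked through as an added example (not code from the thread or from Samba): `check_ntlm_password` only verifies the password, so the PDC can log success while the workstation then rejects the logon because the SIDs returned for the user do not belong to the domain SID it recorded when it joined. The script compares every sambaSID and sambaPrimaryGroupSID in an LDIF dump against the domain SID and writes the LDIF that re-homes them while keeping each RID. The domain SID, DNs, RIDs and the LDIF dump are constructed sample data; `net getlocalsid` and `ldapmodify` are the real tools the input and output correspond to.

```python
"""Find sambaSID values that do not belong to the PDC's current domain SID and
emit the LDIF that re-homes them while keeping each RID.

Added example, not code from the original thread. DOMAIN_SID stands in for the
output of `net getlocalsid` and SAMPLE_LDIF for an `ldapsearch -x -LLL` dump of
the sambaSamAccount entries; both are constructed, as are the RIDs.
"""
import re

# Constructed: what `net getlocalsid` printed on the PDC (hypothetical value).
DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"

# Constructed LDIF dump. The bdavis entry still carries SIDs from an old domain
# SID; the machine account melisa$ was created after the change and is fine.
SAMPLE_LDIF = """\
dn: uid=bdavis,ou=Users,dc=pca-wichita,dc=com
sambaSID: S-1-5-21-999999999-888888888-777777777-3000
sambaPrimaryGroupSID: S-1-5-21-999999999-888888888-777777777-513

dn: uid=melisa$,ou=Computers,dc=pca-wichita,dc=com
sambaSID: S-1-5-21-111111111-222222222-333333333-3002
sambaPrimaryGroupSID: S-1-5-21-111111111-222222222-333333333-515
"""

SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")   # domain part, RID
SID_ATTRS = ("sambaSID", "sambaPrimaryGroupSID")        # also on sambaGroupMapping


def parse_ldif(text):
    """Minimal LDIF reader: list of {attr: [values]} per entry. Handles folded
    continuation lines and comments; does not decode base64 (attr::) values."""
    entries, cur, last = [], {}, None
    for raw in text.splitlines() + [""]:
        if not raw.strip():                      # blank line ends an entry
            if cur:
                entries.append(cur)
            cur, last = {}, None
        elif raw.startswith(" ") and last:       # folded continuation line
            cur[last][-1] += raw[1:]
        elif not raw.startswith("#"):
            attr, _, value = raw.partition(":")
            cur.setdefault(attr, []).append(value.lstrip())
            last = attr
    return entries


def split_sid(sid):
    """(domain_sid, rid) for a domain-relative SID, None for well-known or odd values."""
    m = SID_RE.match(sid)
    return (m.group(1), int(m.group(2))) if m else None


def find_mismatches(entries, domain_sid):
    """(dn, attr, old_sid, new_sid) for every SID whose domain part != domain_sid.
    The RID is kept: only the domain prefix is swapped."""
    out = []
    for e in entries:
        dn = e.get("dn", [""])[0]
        for attr in SID_ATTRS:
            for sid in e.get(attr, []):
                parts = split_sid(sid)
                if parts and parts[0] != domain_sid:
                    out.append((dn, attr, sid, f"{domain_sid}-{parts[1]}"))
    return out


def to_ldif_modify(mismatches):
    """Render fixes as LDIF for `ldapmodify -x -D cn=Manager,... -W -f fix.ldif`."""
    by_dn = {}
    for dn, attr, _old, new in mismatches:
        by_dn.setdefault(dn, []).append((attr, new))
    chunks = []
    for dn, changes in by_dn.items():
        lines = [f"dn: {dn}", "changetype: modify"]
        for i, (attr, new) in enumerate(changes):
            if i:
                lines.append("-")                # separates modifications in one record
            lines += [f"replace: {attr}", f"{attr}: {new}"]
        chunks.append("\n".join(lines) + "\n")
    return "\n".join(chunks)


if __name__ == "__main__":
    fixes = find_mismatches(parse_ldif(SAMPLE_LDIF), DOMAIN_SID)
    for dn, attr, old, new in fixes:
        print(f"{dn}: {attr} {old} -> {new}")
    print(to_ldif_modify(fixes))
```

Review the generated LDIF before feeding it to `ldapmodify -x -D cn=Manager,dc=pca-wichita,dc=com -W -f fix.ldif`, and include the sambaGroupMapping entries in the dump, since their sambaSID values need the same treatment. The other direction, `net setlocalsid <old SID>` on the PDC, restores the SID the accounts already carry and leaves LDAP untouched; whichever way is chosen, the domain SID has to end up the same in secrets.tdb, the sambaDomain entry and every account.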


Re: [Samba] smbldap-tools not playing nice w/ samba ?

2005-04-08 Thread Ben Davis
Tony Earnshaw wrote:
tor, 07.04.2005 kl. 20.10 skrev Ben Davis:
 

I tried this and it still did not work.  The problem as far as I can 
tell is that samba is not even attempting to search for the user after 
it adds it.  The very last operations in my slapd.log after the error 
occured,  were:
   

This is not so:
conn=20539 op=1 SRCH base=dc=pca-wichita,dc=com scope=2 
filter=(&(objectClass=posixAccount)(uid=melisa$))
   

This is a search, scope sub, for
(&(objectClass=posixAccount)(uid=melisa$))
conn=20539 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=20539 op=2 SRCH 
   

This is the log entry that says that no object is found. I.e., there is
either no combination of objectClass=posixAccount and uid=melisa$, or
the LDAP ACL prohibits it being read.
 

Right,  but that is only the FIRST operation for that connection. Read 
that log again. The LAST operation is where it adds the entry.  
Therefore it is my understanding that samba (or the idealx script) is 
searching for the entry which doesn't exist (as expected, because this 
is the first time the machine has joined) and then adding it...   My 
point was that the very LAST thing that happened is the machine user 
gets added, and then nothing else (so searches or anything) happens 
after that.

My question is why isn't samba doing anything _after_ the user gets 
added to LDAP?



Samba binding anonymously (was: Re: [Samba] smbldap-tools not playing nice w/ samba ?)

2005-04-08 Thread Ben Davis
After looking at this further,  I realized I had only grepped the log 
for the last connection that I saw.  What happened was samba opened up a 
connection (conn=20538),  and  after that a new  connection (conn=20539) 
was opened up,  the conn=20539 connection was the one that _added_ the 
machine account...  and it looks like samba did some further operations 
on the 20538 connection,  the last of which is a search for the machine 
user.  So, Tony,  I stand corrected!   

I discovered that the reason this search failed is because samba was 
binding anonymously on the 20538 connection, and my ACLs are set up to 
deny  access for anonymous binds.  My conf file is set up to bind with 
the cn=Manager dn.  Why would Samba ever bind to ldap anonymously?

Tony Earnshaw wrote:
tor, 07.04.2005 kl. 20.10 skrev Ben Davis:
 

I tried this and it still did not work.  The problem as far as I can 
tell is that samba is not even attempting to search for the user after 
it adds it.  The very last operations in my slapd.log after the error 
occured,  were:
   

This is not so:
 

conn=20539 op=1 SRCH base=dc=pca-wichita,dc=com scope=2 
filter=(&(objectClass=posixAccount)(uid=melisa$))
   

This is a search, scope sub, for
(&(objectClass=posixAccount)(uid=melisa$))
 

conn=20539 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=20539 op=2 SRCH 
   

This is the log entry that says that no object is found. I.e., there is
either no combination of objectClass=posixAccount and uid=melisa$, or
the LDAP ACL prohibits it being read.
Do a search with 'ldapsearch -x' and the same filter. If it doesn't
return anything, the object probably doesn't exist. Don't get led astray
by nss, it's not used here.
The samba ldapsam backend and tools (not idealx) are first class and
brilliantly written.
--Tonni
 



Re: [Samba] smbldap-tools not playing nice w/ samba ?

2005-04-07 Thread Ben Davis
Joaquin wrote:
Ben Davis wrote:
Please help!
I'm having a difficult time getting a machine to join my domain.  
Samba successfully adds the machine account using the smbldap-useradd 
-w script,  but I get the error "The user name could not be found."

Here's what it looks like it's doing in the ldap logs:  1. There's a 
login as cn=Manager, which searches for the root account, and then 
for a bunch of gidNumbers.  It then searches for the machine$ with a 
sambaSamAccount objectclass, and exits.

2. It then reconnects anonymously and searches for machine$ and 
MACHINE$ twice (no results).
3. After that it connects again as cn=Manager and searches for 
the machine$ under posixAccount (still no results).  It then finally 
adds the entry for machine$  but without the sambaSamAccount 
objectclass.

After that there are no more LDAP queries.   What could be causing 
the error I'm getting?

If you have a Machines= suffix different from the Users= suffix, the 
problem is in the ldap.conf settings. Nothing to do with the 
smbldap-tools. The smbldap-tools create only a posix entry in the 
Machines tree, leaving to samba the addition of the SambaSamAccount 
class to the machine entry. The problem is that Samba relies on the 
ldap.conf config to search for the machine account. Usually, you have 
only a search here for the users account. The trick is to add a second 
nss_base_passwd line pointing to the machines tree of LDAP. And then 
it works.

Yeah,  I read about that earlier and changed my  nss_base_passwd line 
to read:

nss_base_passwd   dc=pca-wichita,dc=com?sub
(that is my base dn).  The problem is that in the slapd logs,  the LAST 
thing that happens before I get the error is samba ADDS the posix machine 
account.  It does nothing after that. Here's the slapd log of all 
operations of the last connection before the error occurs:

conn=9996 fd=18 ACCEPT from IP=127.0.0.1:52517 (IP=0.0.0.0:389)
conn=9996 op=0 BIND dn=cn=Manager,dc=pca-wichita,dc=com method=128
conn=9996 op=0 BIND dn=cn=Manager,dc=pca-wichita,dc=com mech=SIMPLE ssf=0
conn=9996 op=0 RESULT tag=97 err=0 text=
conn=9996 op=1 SRCH base=dc=pca-wichita,dc=com scope=2 
filter=(&(objectClass=posixAccount)(uid=melisa$))
conn=9996 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=9996 op=2 SRCH 
base=sambaDomainName=PCA-USERS,dc=pca-wichita,dc=com scope=0 
filter=(objectClass=sambaUnixIdPool)
conn=9996 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=9996 op=3 MOD dn=sambaDomainName=PCA-USERS,dc=pca-wichita,dc=com
conn=9996 op=3 MOD attr=uidNumber
conn=9996 op=3 RESULT tag=103 err=0 text=
conn=9996 op=3 RESULT tag=103 err=0 text=
conn=9996 op=4 SRCH base=dc=pca-wichita,dc=com scope=2 
filter=(uidNumber=1108)
conn=9996 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=9996 op=5 ADD dn=uid=melisa$,ou=Computers,dc=pca-wichita,dc=com
conn=9996 op=5 RESULT tag=105 err=0 text=
conn=9996 op=5 RESULT tag=105 err=0 text=
conn=9996 op=6 UNBIND
conn=9996 fd=18 closed

As soon as it ADDs the machine account,  it doesn't try to modify its 
objectClass, or anything like that. What's going on here?



Re: [Samba] smbldap-tools not playing nice w/ samba ?

2005-04-07 Thread Ben Davis
I tried this and it still did not work.  The problem as far as I can 
tell is that samba is not even attempting to search for the user after 
it adds it.  The very last operations in my slapd.log after the error 
occured,  were:

conn=20539 op=1 SRCH base=dc=pca-wichita,dc=com scope=2 
filter=(&(objectClass=posixAccount)(uid=melisa$))
conn=20539 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=20539 op=2 SRCH 
base=sambaDomainName=PCA-USERS,dc=pca-wichita,dc=com scope=0 
filter=(objectClass=sambaUnixIdPool)
conn=20539 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=20539 op=3 MOD dn=sambaDomainName=PCA-USERS,dc=pca-wichita,dc=com
conn=20539 op=3 MOD attr=uidNumber
conn=20539 op=3 RESULT tag=103 err=0 text=
conn=20539 op=3 RESULT tag=103 err=0 text=
conn=20539 op=4 SRCH base=dc=pca-wichita,dc=com scope=2 
filter=(uidNumber=1109)
conn=20539 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=20539 op=5 ADD dn=uid=melisa$,ou=Computers,dc=pca-wichita,dc=com
conn=20539 op=5 RESULT tag=105 err=0 text=
conn=20539 op=5 RESULT tag=105 err=0 text=
conn=20539 op=6 UNBIND
conn=20539 fd=32 closed

So, according to this,  samba searches for the machine,  and when it 
doesn't find it, it adds the machine successfully to the LDAP 
directory,  and that is the last thing that happens.

Any idea what's going on?

Joaquin Villanueva wrote:
I had the same problem here. The change you've made was the same: 
going up to the root level of LDAP and setting a sub search. No way. The 
solution was to put TWO nss_base_passwd lines:

nss_base_passwd ou=Users,dc=liga-acb,dc=es?one
nss_base_passwd ou=Computers,dc=liga-acb,dc=es?one
Try it and let me know...
Ben Davis wrote:
Joaquin wrote:
Ben Davis wrote:
Please help!
I'm having a difficult time getting a machine to join my domain.  
Samba successfully adds the machine account using the 
smbldap-useradd -w script,  but I get the error "The user name 
could not be found."

Here's what it looks like it's doing in the ldap logs:  1. There's 
a login as cn=Manager, which searches for the root account, and 
then for a bunch of gidNumbers.  It then searches for the machine$ 
with a sambaSamAccount objectclass, and exits.

2. It then reconnects anonymously and searches for machine$ and 
MACHINE$ twice (no results).
3. After that it connects again as cn=Manager and searches for 
the machine$ under posixAccount (still no results).  It then 
finally adds the entry for machine$  but without the 
sambaSamAccount objectclass.

After that there are no more LDAP queries.   What could be causing 
the error I'm getting?

If you have a Machines= suffix different from the Users= suffix, the 
problem is in the ldap.conf settings. Nothing to do with the 
smbldap-tools. The smbldap-tools create only a posix entry in the 
Machines tree, leaving to samba the addition of the SambaSamAccount 
class to the machine entry. The problem is that Samba relies on the 
ldap.conf config to search for the machine account. Usually, you 
have only a search here for the users account. The trick is to add a 
second nss_base_passwd line pointing to the machines tree of LDAP. 
And then it works.

Yeah,  I read about that earlier and changed my  nss_base_passwd 
line to read:

nss_base_passwd   dc=pca-wichita,dc=com?sub
(that is my base dn).  The problem is that in the slapd logs,  the 
LAST thing that happens before I get the error is samba ADDS the posix 
machine account.  It does nothing after that. Here's the slapd log of 
all operations of the last connection before the error occurs:

conn=9996 fd=18 ACCEPT from IP=127.0.0.1:52517 (IP=0.0.0.0:389)
conn=9996 op=0 BIND dn=cn=Manager,dc=pca-wichita,dc=com method=128
conn=9996 op=0 BIND dn=cn=Manager,dc=pca-wichita,dc=com mech=SIMPLE 
ssf=0
conn=9996 op=0 RESULT tag=97 err=0 text=
conn=9996 op=1 SRCH base=dc=pca-wichita,dc=com scope=2 
filter=(&(objectClass=posixAccount)(uid=melisa$))
conn=9996 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=9996 op=2 SRCH 
base=sambaDomainName=PCA-USERS,dc=pca-wichita,dc=com scope=0 
filter=(objectClass=sambaUnixIdPool)
conn=9996 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
conn=9996 op=3 MOD dn=sambaDomainName=PCA-USERS,dc=pca-wichita,dc=com
conn=9996 op=3 MOD attr=uidNumber
conn=9996 op=3 RESULT tag=103 err=0 text=
conn=9996 op=3 RESULT tag=103 err=0 text=
conn=9996 op=4 SRCH base=dc=pca-wichita,dc=com scope=2 
filter=(uidNumber=1108)
conn=9996 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=9996 op=5 ADD dn=uid=melisa$,ou=Computers,dc=pca-wichita,dc=com
conn=9996 op=5 RESULT tag=105 err=0 text=
conn=9996 op=5 RESULT tag=105 err=0 text=
conn=9996 op=6 UNBIND
conn=9996 fd=18 closed

As soon as it ADDs the machine account,  it doesn't try to modify 
its objectClass, or anything like that. What's going on here?




[Samba] smbldap-tools not playing nice w/ samba ?

2005-04-06 Thread Ben Davis
Please help!
I'm having a difficult time getting a machine to join my domain.  Samba 
successfully adds the machine account using the smbldap-useradd -w 
script,  but I get the error "The user name could not be found."

Here's what it looks like it's doing in the ldap logs:   

1. There's a login as cn=Manager, which searches for the root account, 
and then for a bunch of gidNumbers.  It then searches for the machine$ 
with a sambaSamAccount objectclass, and exits.

2. It then reconnects anonymously and searches for machine$ and MACHINE$ 
twice (no results). 

3. After that it connects again as cn=Manager and searches for the 
machine$ under posixAccount (still no results).  It then finally adds 
the entry for machine$  but without the sambaSamAccount objectclass.

After that there are no more LDAP queries.   What could be causing the 
error I'm getting?


[Samba] Strange LDAP add machine problem

2005-04-04 Thread Ben Davis
I'm setting up a Samba/LDAP PDC (samba-3.0.13 / openldap-2.1.30) and I'm 
trying to join a machine (called melisa) to the domain.  When I try to 
join the domain, I type in the Administrator (which maps to root) 
credentials.  and after a few seconds I get a windows error that says:

 The following error occurred while attempting to join the domain 
PCA-USERS:
 The user name could not be found.

The machine was successfully added to the ldap dir, in ou=Computers, 
but I can't seem to figure out why I'm getting this error.   I saw the 
following searches in my slapd.log:

SRCH base=dc=pca-wichita,dc=com scope=2 
filter=(&(uid=melisa$)(objectClass=sambaSamAccount))

SRCH base=ou=Users,dc=pca-wichita,dc=com scope=1 
filter=(&(objectClass=posixAccount)(uid=melisa$))

The first search returned 1 entry,  but the second search returned 0.  
I'm not really sure why it's looking in ou=Users and using a scope of 1 
(isn't that the base scope?).  My smb.conf settings have the following:

ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
Does anyone know of anything else I can look at to try and troubleshoot 
this problem?
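Two of the threads above come down to reading the slapd log: the "Samba binding anonymously" post, where searches made on an unbound connection return nothing because the ACLs deny anonymous reads, and this post, where the lookup for melisa$ runs against `ou=Users` with scope=1 (in LDAP, scope 0 is the base object only, scope 1 is one level below the base, scope 2 is the whole subtree), which cannot return an entry under `ou=Computers` whatever the ACLs say. The following is an added example, not code from the thread or from Samba, that parses such a log per connection and flags both conditions. The log lines are constructed to mirror the conn=/op= lines quoted in the thread; real slapd output quotes DNs and filters and may carry a syslog prefix, and the parser accepts either form. MACHINE_SUFFIX combines the thread's `ldap machine suffix = ou=Computers` with its base DN; the connection numbers and client ports are made up.

```python
"""Triage a slapd log: who bound on each connection, what it searched, and whether
a machine-account (uid=...$) lookup could even reach the Computers OU.

Added example, not code from the thread. SAMPLE_LOG is constructed; MACHINE_SUFFIX
is the thread's `ldap machine suffix` joined to its base DN.
"""
import re
from collections import defaultdict

MACHINE_SUFFIX = "ou=Computers,dc=pca-wichita,dc=com"

# Constructed sample. conn=1 binds as cn=Manager like the thread's conn=9996; conn=2
# never binds (implicit anonymous, as nss_ldap does without a binddn) and searches
# ou=Users one level deep, which can never return melisa$.
SAMPLE_LOG = """\
conn=1 fd=18 ACCEPT from IP=127.0.0.1:52517 (IP=0.0.0.0:389)
conn=1 op=0 BIND dn="cn=Manager,dc=pca-wichita,dc=com" method=128
conn=1 op=0 BIND dn="cn=Manager,dc=pca-wichita,dc=com" mech=SIMPLE ssf=0
conn=1 op=0 RESULT tag=97 err=0 text=
conn=1 op=1 SRCH base="dc=pca-wichita,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=melisa$))"
conn=1 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=1 op=2 ADD dn="uid=melisa$,ou=Computers,dc=pca-wichita,dc=com"
conn=1 op=2 RESULT tag=105 err=0 text=
conn=1 op=3 UNBIND
conn=2 fd=19 ACCEPT from IP=127.0.0.1:52518 (IP=0.0.0.0:389)
conn=2 op=0 SRCH base="ou=Users,dc=pca-wichita,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=melisa$))"
conn=2 op=0 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=2 op=1 UNBIND
"""

LINE_RE = re.compile(r"conn=(\d+)\s+(?:op=(\d+)\s+)?(\S+)\s*(.*)$")
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')   # value "quoted" (slapd) or bare (as pasted)


def kv(rest):
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(rest)}


def parse_slapd_log(text):
    """{conn: {"bind": dn, "ops": [search dicts]}}; bind is None if the connection
    never sent a BIND (implicit anonymous) and "" for an explicit anonymous bind."""
    conns = defaultdict(lambda: {"bind": None, "ops": []})
    for line in text.splitlines():
        m = LINE_RE.search(line)            # search, so a syslog prefix is tolerated
        if not m:
            continue
        conn, op, verb, rest = m.groups()
        c, fields = conns[conn], kv(rest)
        if verb == "BIND":
            if "dn" in fields:
                c["bind"] = fields["dn"]
            elif rest.startswith("anonymous"):   # newer slapd: "BIND anonymous mech=implicit"
                c["bind"] = ""
        elif verb == "SRCH":
            c["ops"].append({"op": op, "base": fields.get("base", ""),
                             "scope": int(fields.get("scope", 2)),
                             "filter": fields.get("filter", ""), "nentries": None})
        elif verb == "SEARCH" and rest.startswith("RESULT"):
            for o in c["ops"]:
                if o["op"] == op:
                    o["nentries"] = int(fields.get("nentries", 0))
    return conns


def norm_dn(dn):
    return ",".join(p.strip().lower() for p in dn.split(",") if p.strip())


def can_reach(base, scope, machine_suffix):
    """Could a search with this base/scope return an entry directly under
    machine_suffix? scope 0 = base object only, 1 = one level below base, 2 = subtree."""
    b, s = norm_dn(base), norm_dn(machine_suffix)
    if scope == 2:
        return b == "" or s == b or s.endswith("," + b)   # base is the suffix or above it
    if scope == 1:
        return b == s                                     # base must be the suffix itself
    return "," in b and b.split(",", 1)[1] == s           # base would have to be the entry


def anonymous_searches(conns):
    """Searches on connections that never bound with a DN. An ACL that denies
    anonymous reads turns these into nentries=0 even when the entry exists."""
    return [(conn, o) for conn, c in conns.items() if not c["bind"] for o in c["ops"]]


def unreachable_machine_lookups(conns, machine_suffix=MACHINE_SUFFIX):
    """Machine-account searches (a (uid=...$) term in the filter) whose base/scope
    cannot reach machine_suffix, like the thread's ou=Users scope=1 search."""
    return [(conn, o) for conn, c in conns.items() for o in c["ops"]
            if re.search(r"\(uid=[^)]*\$\)", o["filter"])
            and not can_reach(o["base"], o["scope"], machine_suffix)]


if __name__ == "__main__":
    conns = parse_slapd_log(SAMPLE_LOG)
    for conn, c in conns.items():
        print(f"conn={conn} bound as: {c['bind'] or 'ANONYMOUS'}")
        for o in c["ops"]:
            print(f"  op={o['op']} base={o['base']} scope={o['scope']} nentries={o['nentries']}")
    for conn, o in anonymous_searches(conns):
        print(f"WARNING conn={conn} op={o['op']}: search without a bind DN")
    for conn, o in unreachable_machine_lookups(conns):
        print(f"WARNING conn={conn} op={o['op']}: machine lookup cannot reach {MACHINE_SUFFIX}")
```

Run it over the real log (with `loglevel 256` on slapd) rather than the sample, and read the two warnings separately: an anonymous search that returns nentries=0 says nothing about whether the entry exists until the client (nss_ldap, via binddn/bindpw in its ldap.conf) is given credentials the ACLs accept, while an unreachable base/scope fails regardless of credentials and is fixed in nss_base_passwd.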


[Samba] Samba odd behaviour on double NAT network

2003-11-30 Thread Ben Davis
I'm using a rather strange config, borne out of necessity rather than 
choice at home. My internet 'router' is a Win2000 Pro box running 
Winroute, and my three Linux boxen (running 7.2/8.0/9.0 RH) are networked 
thru to the Win box using SNAT on the box I work on (don't ask why - it's 
just practical, and I can't afford a hub/switch to do this). In any case, 
it's a bit of an experiment to go hand-in-hand with my studies.

Basically it looks like this ('scuse ascii-art)

 INTERNET GATEWAY (ADSL-DHCP)
/
   /eth0 (213.x.x.x)
   |
winbox1 -- eth1 (192.x.x.1) [SNAT for incoming]
   |
  /
 /eth1 (192.x.x.10) [SNAT for incoming from eth0]
 |
lin1-- eth0 (192.x.x.20)
 |
lin2-- eth0 (192.x.x.21)
 |
lin3-- eth0 (192.x.x.22)
I decided to use the same subnet and simply SNAT the connections from lin2 
and lin3 which works a treat, I can access (outgoing) anything I like from 
all the lin boxes, having cleverly set up the routing tables. I've 
configured Samba to act as filesharing for all the boxes, being as how 
memory is a constraint, and since I've got files spread across the hosts I 
don't want to use NFS in combination with SMB as it adds overheads; I did 
it in the past, using a central Samba server to share NFS mounted volumes, 
and it creates an awful lot of network traffic in the NFS setup, not to 
mention the security problems of opening up NFS ports.

I realise this is an arse-up approach to doing things, ideally I'd install 
another linux box in front of the damn thing, but that's more of a 
network/cost/logistics problem on a home network. I'm using Samba 2.2.x 
and 3.x on the Linux boxes and Win2000, no WINS server, no DNS proxy etc., 
just plain old /etc/hosts, /etc/samba/lmhosts and equiv. on the Windows 
box. I can see everything from the Windows box, and I can connect to 
shares on any of the Linux boxes BUT: accessing individual files on 
lin1 which is SNATting (mebbe a prob.) I can't read any files, I can see 
them, but any attempt to copy/read them results in the Win box going 
looking 'out to sea', i.e. using its external connection to go fishing for 
the files. I can see this from a dump (a la tcpdump) - although the 
Win2000 box knows where and what the files are, it just hangs sending out 
packets on eth0 to the internet.

I've tried lots of tests, from lin3 to lin2 from lin2 to lin1 and from 
lin1 to winbox1 everything works hunky-dory - except from winbox1 to lin1. 
I hope this isn't a routing problem, because I spent ages setting it up - 
I even tried downgrading from 3.x to 2.x on lin1, as all the other linux 
hosts are running 2.x -- to no avail. I just don't understand that if the 
Winbox can make a connection to the shared volumes on every other Linux 
box and read/write files, why should it have a problem with lin1; apart 
from the fact that it's SNATting... any ideas?

--
- Ben Davis -
T: 0044-161-285-1338
e: [EMAIL PROTECTED] / [EMAIL PROTECTED]
@ Manchester, UK


[Samba] Samba + MySQL

2003-11-25 Thread Ben Davis
I'm having some trouble setting up the config file for samba + mysql.  
I've got most everything working, but I'm a bit confused about how I'm 
supposed to set up the database.  If anyone knows someone else who can 
better answer this question, please forward this message.

I can't seem to exclude fields from the database that I won't be using.  
For instance, when I don't include the "unknown 6" column,  I get the 
following error when executing `smbpasswd -a user`:

   Error while executing MySQL query "Unknown column 'unknown_str' in 
'field list'"

I get the same error when trying to use `pdbedit -L`.  Are these fields 
actually required by samba in order to work??





Re: [Samba] Samba + MySQL

2003-11-25 Thread Ben Davis

If you don't want to store this field in the database, set the value of
'identifier:unknown string column' to NULL:
 

I forgot to mention that I did that for those fields,  and after a 
little more troubleshooting I found that in order to add a user, the 
columns logon_divs & hours_len are required (it isn't made clear in 
the howto which ones are actually required). 

The INSERT query executes successfully,  however, it seems that 
smbpasswd tried to execute another query (that can't be seen) before it 
does the insert, because I still get the error:  Error while executing 
MySQL query "Unknown column 'unknown_5' in 'field list'", even though 
the insert was successful.   I still  get that same error when trying to 
execute pdbedit -L.  Any ideas?



[Samba] PDC Machine Trust Accounts

2003-11-25 Thread Ben Davis
I read in the Samba HOWTO Collection that every machine in the domain 
needs to have a corresponding UNIX account.  Does this mean whenever I 
add a machine to the network, I must create a UNIX account for each 
one??  Am I supposed to create Unix accounts for my users as well?  
Doesn't this defeat the purpose of using a centralized authentication 
backend such as LDAP or MySQL?



Re: [Samba] PDC Machine Trust Accounts

2003-11-25 Thread Ben Davis
I'm currently using a MySQL backend for samba.. I have it working for 
existing unix users.  What I was thinking about doing is using  the 
pam_mysql module to trick samba into thinking the unix account already 
exists, while it is actually just in the database.  This means, though, 
that I would have to create the account manually because it needs to see 
that the account exists before it creates it.   That means I would have 
to figure out how to generate SSIDs and such,  which I'd rather not do. 

Any suggestions on how I can work around this with pam_mysql?
