Re: [Samba] Re: Cross-subnet browsing...AGAIN!!!
On Fri, 2005-08-12 at 09:27 +0100, Robin Bowes wrote:
> Doug VanLeuven wrote:
> > Robin Bowes wrote:
> > All the XP machines are pointing to 192.168.1.5 for wins?
>
> Yes. It's assigned by DHCP. dhcpd on the 192.168.1.x network:
>
> option netbios-name-servers 192.168.1.5;

What's your netbios-node-type set to in your dhcpd.conf file? My server is set up on another subnet, and I don't have problems. My value is set to 4, but you may want to try 8.

Regards,
dk

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba

Re: [Samba] Re: SuSE 9.3 + Samba 3 + LDAP
On Wed, 2005-08-10 at 22:48 -0500, David Krider wrote:
> As someone replied to me, the latest version of Samba no longer needs
> the "ldap filter" configuration setting. I think this is too bad,
> because it looks like the relevant line in the IDEALX Howto -- which is
> commented out in the docs -- does *EXACTLY* what I think needs to be
> done. Like I'm implying here, I think this is a bug in the Samba code. I
> guess this means I ought to enter a bug in Samba's bugzilla?

Holy crap! On a lark, I added "ldap filter = (&(objectClass=sambaSamAccount)(uid=%u))" to my smb.conf file -- like the IDEALX script _used_ to say (but was commented out), and which the LDAP logs suggested I needed -- and, lo and behold, IT WORKED!!! I got a machine added to the domain.

Notes:

* I changed the gid of the "root" LDAP user to 512. It seemed to choke on the fact that there was no group with an id of 0.
* I had to re-add all the "%u"'s to the various script lines in my smb.conf file. Apparently, SWAT wiped them off.
* There's still some problem with the "ldap filter" parameter in logging into the domain. Samba still wants to only search on 'objectClass=sambaSamAccount'. The filter parameter causes this to be redundant (which doesn't hurt anything), but it's the (uid=%u) that's saving the day. Now that I think about it, the filter ought to have just been (uid=%u) -- or maybe (&(uid=&u)), depending -- I'll have to test this further on the next machine join.
* The IDEALX smbldap-useradd script example in their smb.conf file is a little misleading. You'll need a `-a' to get it to add a sambaSamAccount object-classed account.
* phpldapadmin is fantastic. I highly recommend it.

It looks to me like the Samba people need to revoke the ldap-filter-isn't-needed-any-more line, and the IDEALX people need to address the fact that you don't need a uid 0 account to add machines to the domain any more. (Or is this also not NOT true now?)

The bottom line here, Horst, is that I think you need this in your smb.conf file:

ldap filter = (uid=%u)

Please let us know how you get on.

Regards,
dk

Re: [Samba] Re: SuSE 9.3 + Samba 3 + LDAP
On Thu, 2005-08-11 at 11:37 +1000, Horst B. Simon wrote:
> I am not near the box now, I think you are on the right track. I will
> post tonight the relevant parts of my ldap.conf and smb.conf. Yes my
> binddn is uid=Manager,dc=hsimon,dc=com,dc=au and the user are in
> ou=Users,ou=OxObjects,dc=hsimon,dc=com,dc=au. I tried to use the root
> user and I set up a administrator according
> to the information in the IDEALX document.

I've posted a couple of messages recently about this issue. I'm getting the exact same error message upon trying to join the domain as you are. If you could, please check your /var/log/messages for slapd errors that say something about "Duplicate entries."

You can check my recent post "Bug in LDAP Stuff?" for the details, but it seems to me that Samba is "pre-filtering" the LDAP search for the user you're (we're) trying to use to join the domain. It's finding all the users instead of just the one. (It's not limiting to the one user.)

As someone replied to me, the latest version of Samba no longer needs the "ldap filter" configuration setting. I think this is too bad, because it looks like the relevant line in the IDEALX Howto -- which is commented out in the docs -- does *EXACTLY* what I think needs to be done. Like I'm implying here, I think this is a bug in the Samba code. I guess this means I ought to enter a bug in Samba's bugzilla?

Regards,
dk

Re: RE [Samba] Bug in LDAP stuff?
On Wed, 2005-08-10 at 17:29 +0200, [EMAIL PROTECTED] wrote:
> since samba-3.0.20rc1 the ldap filter parameter is removed.
>
> you can resolve your problem by comment the ldap-filter parameter.

I had seen this note before, so my "ldap filter" was equal to nothing. I commented it completely out, but nothing changed. I still get the same sorts of "filters" in my logs when I try to join the domain.

Thanks,
dk

[Samba] Bug in LDAP stuff?
I think I've found a bug in the LDAP stuff. I've got an LDAP backend set up based on the idealx scripts. When I try to join a machine to my domain, I get the following. The important bit I want to point out is that the LDAP search is looking for (a lot of) properties, but it seems to be looking for _ALL_ objectClass=sambaSamAccount's. At this point in the trace, it should be trying to validate the login *as root* in order to join the machine. The query it's making does indeed return two entries: root and nobody, as it should, but two entries screws up the process now.

Shouldn't the filter here be more like '(&(objectClass=sambaSamAccount)(uid=root))'? (Or whatever uid you're using to try to join the machine with. I know that the idealx stuff is out of date now post 3.0.11 with the "root" requirement. Here's hoping they update their stuff soon.) The filter is being supplied by Samba itself; hence, I'm thinking it's a bug. The question is: where do I go from here?

Regards,
dk

Aug 10 09:38:50 excelsior smbd[32235]: [2005/08/10 09:38:50, 3] lib/smbldap.c:smbldap_connect_system(866)
Aug 10 09:38:50 excelsior smbd[32235]: ldap_connect_system: succesful connection to the LDAP server
Aug 10 09:38:50 excelsior smbd[32235]: ldap_connect_system: LDAP server does support paged results
Aug 10 09:38:50 excelsior smbd[32235]: [2005/08/10 09:38:50, 4] lib/smbldap.c:smbldap_open(929)
Aug 10 09:38:50 excelsior smbd[32235]: The LDAP server is succesfully connected
Aug 10 09:38:50 excelsior slapd[31471]: conn=64 op=2 SRCH base="dc=starfleet,dc=mil" scope=2 deref=0 filter="(&(objectClass=sambaSamAccount))"
Aug 10 09:38:50 excelsior slapd[31471]: conn=64 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
Aug 10 09:38:50 excelsior smbd[32235]: [2005/08/10 09:38:50, 1] passdb/pdb_ldap.c:ldapsam_getsampwnam(1338)
Aug 10 09:38:50 excelsior smbd[32235]: ldapsam_getsampwnam: Duplicate entries for this user [root] Failing. count=2
Aug 10 09:38:50 excelsior smbd[32235]: [2005/08/10 09:38:50, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
Aug 10 09:38:50 excelsior smbd[32235]: pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
Aug 10 09:38:50 excelsior smbd[32235]: [2005/08/10 09:38:50, 3] auth/auth_sam.c:check_sam_security(257)
Aug 10 09:38:50 excelsior smbd[32235]: check_sam_security: Couldn't find user 'root' in passdb.
Aug 10 09:38:50 excelsior smbd[32235]: [2005/08/10 09:38:50, 3] auth/auth_winbind.c:check_winbind_security(80)
Aug 10 09:38:50 excelsior smbd[32235]: check_winbind_security: Not using winbind, requested domain [STARFLEET] was for this SAM.
Aug 10 09:38:50 excelsior smbd[32235]: [2005/08/10 09:38:50, 2] auth/auth.c:check_ntlm_password(312)
Aug 10 09:38:50 excelsior smbd[32235]: check_ntlm_password: Authentication for user [root] -> [root] FAILED with error NT_STATUS_NO_SUCH_USER
Aug 10 09:38:50 excelsior smbd[32235]: [2005/08/10 09:38:50, 3] smbd/sesssetup.c:do_map_to_guest(41)
Aug 10 09:38:50 excelsior smbd[32235]: No such user root [STARFLEET] - using guest account

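The duplicate-entry failure discussed in this thread, as an added example that is not part of the original posts and is not Samba's code: a minimal filter evaluator over a constructed directory, showing that the bare objectClass filter from the slapd log matches both root and nobody, while a filter containing (uid=%u) matches exactly one entry. The function names, the sample entries and the RFC 4515 escaping of the substituted user name are assumptions of this example.

```python
import re

# Constructed sample directory: the two sambaSamAccount entries the post says
# the search returned (root and nobody), plus one plain POSIX account.
ENTRIES = [
    {"uid": ["root"], "objectClass": ["posixAccount", "sambaSamAccount"]},
    {"uid": ["nobody"], "objectClass": ["posixAccount", "sambaSamAccount"]},
    {"uid": ["dk"], "objectClass": ["posixAccount"]},
]

def escape_value(value):
    """Escape the RFC 4515 special characters before a value enters a filter."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)

def expand_filter(template, username):
    """Substitute %u in a template written like the smb.conf 'ldap filter' line."""
    return template.replace("%u", escape_value(username))

def unescape_value(value):
    """Turn \\XX hex escapes back into the characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def search(filter_text, entries=ENTRIES):
    """Evaluate an AND of equality clauses, e.g. (&(a=b)(c=d)) or (a=b).

    Simplification: matching is case-sensitive and only equality is supported.
    """
    clauses = re.findall(
        r"\(([A-Za-z]+)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)", filter_text)
    if not clauses:
        raise ValueError("unsupported filter: " + filter_text)
    wanted = [(attr, unescape_value(val)) for attr, val in clauses]
    return [e for e in entries
            if all(val in e.get(attr, []) for attr, val in wanted)]

def lookup_user(template, username):
    """Return (entry, count); anything other than exactly one hit is a failure,
    mirroring 'Duplicate entries for this user [root] Failing. count=2'."""
    hits = search(expand_filter(template, username))
    return (hits[0], 1) if len(hits) == 1 else (None, len(hits))

if __name__ == "__main__":
    print(lookup_user("(&(objectClass=sambaSamAccount))", "root"))
    print(lookup_user("(&(objectClass=sambaSamAccount)(uid=%u))", "root"))
    print(lookup_user("(uid=%u)", "root)(uid=*"))
```
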
[Samba] Can't join machines to a Samba PDC using LDAP
I've been trying to do this for days, and I think I'm really close. It's become one of those so-close-yet-so-far sorts of things. I'm running Gentoo -- all sync'ed up and current as of a week ago -- with the following package versions:

openldap-2.1.30-r5
pam_ldap-178-r1
nss_ldap-239-r1
smbldap-tools-0.9.1-r1
phpldapadmin-0.9.5 (very cool, I must say!)
samba-3.0.14a-r2

I've been following the ideal.org howto as closely as I can, but from what I've google'd since having my problem, I guess it's a little out of date. Apparently, you do NOT have to join machines to the domain using a uid 0 account. However, I don't really care about that; I just want to get it joined. Specifically, I'm trying to join a Win2K (fully patched) client to the domain.

The error I'm getting seems like it ought to be solvable, but I haven't seen it anywhere on the net, though I've seen one pretty close (full log below):

smbd[20039]: _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w "defiant$"' gave 1

It's clear from "slapd[13182]: conn=999 op=2 RESULT tag=103 err=8 text=modifications require authentication" that I'm not getting logged into the ldap server. Unfortunately, I don't know how or what to get more logging on to be able to get any more information. I can use phpldapadmin to triple check that the password I'm using for root is what's in openldap (and is different from the root account in /etc/passwd).

There's always another error message in my logs with each attempt, but I have no idea where it's coming from, and I don't know if it has anything to do with anything:

rc-scripts: /sbin/runscript.sh: must be root to run init scripts

If I create the machine account with `smbldap-useradd -w' (to try to join the machine in two steps like can be done in a Windows-only environment), I get errors in the log about not being able to access the ldap directory unless root. The stupid part is that I *am* trying to join the machine as root. (From what I've read, this is a bug. Since I don't have to have this functionality, I'm not worrying about it.)

Thanks for whatever help anyone can give. It's not like I'm a noob here. I've run a smbpasswd-backend'ed domain at another site for many years now. It's just that I'm trying to get everything tied together on my development machines now, and I'm having no luck. I've already put about 20 hours of research into this, and I just don't know what else to try (except to wait for the next version of Samba to hit the portage tree).

Regards,
dk

Here's slapd.conf:

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database bdb
checkpoint 32 30 #
suffix "dc=starfleet,dc=mil"
rootdn "cn=Manager,dc=starfleet,dc=mil"
rootpw secret
directory /var/lib/openldap-data
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by anonymous auth
    by * none
access to *
    by * read

Here's (the main section of) smb.conf:

[global]
workgroup = STARFLEET
server string = Excelsior
map to guest = Bad User
passdb backend = ldapsam:ldap://127.0.0.1/
log level = 9
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
logon script = startup.bat
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=Manager,dc=starfleet,dc=mil
ldap delete dn = Yes
ldap filter =
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap suffix = dc=starfleet,dc=mil
ldap user suffix = ou=Users
ldap idmap suffix = ou=Users
#enable privileges = Yes

Full log:

Aug 8 07:32:08 excelsior slapd[13181]: conn=998 fd=29 ACCEPT from IP=127.0.0.1:53428 (IP=0.0.0.0:389)
Aug 8 07:32:08 excelsior slapd