Re: [Samba] Domain Logins across VPN
- Original Message -
From: "Duncan Brannen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc:
Sent: Tuesday, May 30, 2006 12:23 PM
Subject: Re: [Samba] Domain Logins across VPN

> [EMAIL PROTECTED] wrote:
>
> > - Original Message -
> > From: "Duncan Brannen" <[EMAIL PROTECTED]>
> > Cc:
> > Sent: Friday, May 26, 2006 4:12 AM
> > Subject: Re: [Samba] Domain Logins across VPN
> >
> > > > This configuration works. If I change passdb to 127.0.0.1 instead of the Master LDAP's IP, this pops up in samba.smbd:
> > > >
> > > >   [2006/05/24 14:53:30, 1] lib/smbldap_util.c:add_new_domain_info(198)
> > > >     failed to add domain dn= sambaDomainName=ATWORK,dc=atworkpersonnel,dc=com with: Server is unwilling to perform
> > > >     shadow context; no update referral
> > > >   [2006/05/24 14:53:30, 0] lib/smbldap_util.c:smbldap_search_domain_info(258)
> > > >     Adding domain info for ATWORK failed with NT_STATUS_UNSUCCESSFUL
> > > >
> > > > That's the only error I see popping up. Ideas?
> > >
> > > Has the entry dn= sambaDomainName=ATWORK,dc=atworkpersonnel,dc=com replicated across to your slave ldap server successfully? Check your ldap logs on the slave. I think samba does a lookup for the domain and adds it if it doesn't exist; otherwise, is the updateref set in your slave's slapd.conf file? If the slave ldap server is telling samba it doesn't accept changes but not telling it where to send changes (no update referral) you might get this problem.
> > >
> > > Hope this helps
> > > Duncan
> >
> > Hi Duncan,
> >
> > I'm not using slurpd for replication; I'm using syncrepl. The database exists and is updated fine (if I add a user on the master, it exists on the slave, etc). I'm using the smbldap tools for samba, and on the slave machines, they generate an error any time I try to use them (unless I point them at the Master LDAP). For example, if I try this:
> >
> >   smbldap-useradd -a testuser
> >
> > it returns:
> >
> >   Error: shadow context; no update referral at /usr/local/sbin//smbldap_tools.pm line 1005.
> >
> > I believe this has something to do with the issue.
> >
> > -- Rob
>
> Hi Rob,
>
> The replication method shouldn't matter. updateref is used for both slurpd and syncrepl and tells the slave where to send clients who try to make changes, e.g.
>
>   Samba -> ldap slave: "Add/Update this entry"
>   ldap slave -> samba: "I don't accept changes, please write to the master at "
>
> If you don't have updateref set, the slave will refuse the change but not tell the client where to make the change.
>
> If you do have updateref set and it still doesn't work, I'd try to add an entry using the (I assume openldap) client tools to the slave, check the slave logs (turning up logging if necessary) and the master logs. You should see the client connect to the slave, get an error and an updateref, then the change should show up in the logs of the master. If the slave returns the updateref but the client does not then contact the master, the client doesn't understand update references and you'll need to update your clients or make changes to the master directly.
>
> If it works using the openldap tools, try it again with the samba ldap tools; you should see the same thing: client connects to slave, slave provides update ref, client connects to and updates master.
>
> I'm fairly sure my BDC's didn't try to write to the ldap servers after the PDC had written the domain info in. (Though I wouldn't swear I checked.) Can the samba user pull out the complete domain info using ldapsearch?
>
> Any joy?
> Duncan

Well, I added the updateref directive to the slave's slapd.conf file - now the error msg has changed to:

  Error: Referral received at /usr/local/sbin//smbldap_tools.pm line 1005.

ldapsearch works fine - I'm assuming that's because the database is sync'd and it's searching locally.

/var/log/debug shows this upon an attempt to run smbldap-useradd:

  May 30 16:19:28 bgserver slapd[9602]: conn=1 fd=13 ACCEPT from IP=127.0.0.1:54940 (IP=0.0.0.0:389)
  May 30 16:19:28 bgserver slapd[9602]: conn=1 op=0 EXT oid=1.3.6.1.4.1.1466.20037
  May 30 16:19:28 bgserver slapd[9602]: do_extended: unsupported operation "1.3.6.1.4.1.1466.20037"
  May 30 16:19:28 bgserver slapd[9602]: conn=1 op=0 RESULT tag=120 err=2 text=unsupported extended operation
  May 30 16:19:28 bgserver slapd[9602]: conn=1 op=1 BIND dn="cn=Manager,dc=atworkpersonnel,dc=com" method=128
  May 30 16:19:28 bgserver slapd[9602]: conn=1 op=1 BIND dn="cn=Manager,dc=atworkpersonnel,dc=com" mech=SIMPLE ssf=0
  May 30 16:19:28 bgserver slapd[9602]: conn=1 op=1 RESULT tag=97 err=0 text=
  May 30 16:19:28 bgserver slapd[9602]: conn=1 op=2 SRCH base="dc=atworkpersonnel,dc=com" scope=2 deref=2 filter="(&(objectClass=posixAccount)(uid=testuser))"
  May 30 16:19:28 bgserver slapd[9602]: conn=1 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
  May 30 16:19:28 bgserver slapd[9602]: conn=1 op=3 SRCH base="sambaDomainName=ATWORK,dc=atworkpersonnel,dc=com" scope=0 deref=2 filter="(objectClass=sambaUnixIdPool)"
  May 30 16:19:28 bgserver slapd[9602]: conn=1 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
  May 30 16:19:28 bgserver sl
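The exchange Duncan describes (client writes to the replica, replica answers with a referral, client re-issues the write to the master) together with the two errors Rob saw, as an added example that is not part of the thread and is not smbldap-tools, OpenLDAP or Samba code. The two `Server` objects are stand-ins for a syncrepl consumer and its provider, and the host names are made up. The client here follows the referral only to a host it was configured to treat as the master and only over ldaps://, because chasing a referral means re-sending the bind DN and password to whatever host the replica named; the slapd log above shows the cn=Manager bind arriving as SIMPLE with ssf=0 after the StartTLS extended operation (OID 1.3.6.1.4.1.1466.20037) was rejected as unsupported, so across a VPN that password would travel in clear. Whether Net::LDAP, which smbldap-tools is built on, chases referrals by itself is not something the thread settles; the `chase=False` path simply reproduces the "Referral received" outcome.

```python
"""Added example: model of an LDAP write against a read-only replica
("shadow context") and of how a client should treat the result.
Nothing here is OpenLDAP, Samba or smbldap-tools code."""
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

# LDAP result codes (RFC 4511)
LDAP_SUCCESS = 0
LDAP_REFERRAL = 10
LDAP_UNWILLING_TO_PERFORM = 53
LDAP_ALREADY_EXISTS = 68


@dataclass
class Result:
    code: int
    text: str = ""
    referrals: tuple = ()


@dataclass
class Server:
    """Stand-in for one slapd instance (constructed for this example)."""
    name: str
    shadow: bool = False                 # True for a syncrepl consumer / slurpd slave
    updateref: Optional[str] = None      # value of the slapd.conf 'updateref' directive
    entries: dict = field(default_factory=dict)

    def add(self, dn, attrs):
        if self.shadow:
            # A replica never accepts writes.  Without updateref it can only
            # refuse; with updateref it refuses and says where to write instead.
            if self.updateref is None:
                return Result(LDAP_UNWILLING_TO_PERFORM, "shadow context; no update referral")
            return Result(LDAP_REFERRAL, "", (self.updateref,))
        if dn in self.entries:
            return Result(LDAP_ALREADY_EXISTS, "entryAlreadyExists")
        self.entries[dn] = dict(attrs)
        return Result(LDAP_SUCCESS)


class Client:
    """Write client that follows a referral only to a configured master host
    and only over ldaps://, since following it re-sends the bind credentials."""

    def __init__(self, servers, trusted_masters):
        self.servers = servers                    # hostname -> Server (fake transport)
        self.trusted_masters = set(trusted_masters)

    def add(self, host, dn, attrs, chase=True):
        res = self.servers[host].add(dn, attrs)
        if res.code != LDAP_REFERRAL:
            return res
        if not chase:
            # What a client that does not follow referrals reports back.
            return Result(LDAP_REFERRAL, "Referral received", res.referrals)
        url = res.referrals[0]
        target = urlparse(url)
        if target.scheme != "ldaps" or target.hostname not in self.trusted_masters:
            return Result(LDAP_REFERRAL, f"refusing to follow untrusted referral {url}", res.referrals)
        # Re-bind to the master with the same credentials and redo the write.
        return self.servers[target.hostname].add(dn, attrs)


DOMAIN_DN = "sambaDomainName=ATWORK,dc=atworkpersonnel,dc=com"


def scenarios():
    """The situations from the thread plus the hardened client, keyed by name.
    Each value is (Result, whether the entry ended up on the master)."""
    master = "ldap-master.example"      # hypothetical host names
    slave = "ldap-slave.example"

    def run(updateref, chase, trusted=(master,)):
        servers = {master: Server(master),
                   slave: Server(slave, shadow=True, updateref=updateref)}
        res = Client(servers, trusted).add(slave, DOMAIN_DN, {"objectClass": "sambaDomain"}, chase=chase)
        return res, DOMAIN_DN in servers[master].entries

    return {
        "no_updateref": run(None, chase=True),                      # Rob's first error
        "updateref_not_chased": run(f"ldaps://{master}/", chase=False),  # "Referral received"
        "updateref_plaintext": run(f"ldap://{master}/", chase=True),     # refused: not ldaps
        "updateref_untrusted": run("ldaps://evil.example/", chase=True), # refused: unknown host
        "updateref_chased": run(f"ldaps://{master}/", chase=True),       # write lands on master
    }


if __name__ == "__main__":
    for name, (res, on_master) in scenarios().items():
        print(f"{name:22s} code={res.code:2d} on_master={on_master} {res.text}")
```

Run stand-alone it prints one line per scenario: `no_updateref` returns 53 with the same text slapd gave Rob, `updateref_not_chased` returns 10, the two refused referrals also return 10 without touching the master, and only `updateref_chased` ends with the domain entry on the master.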
Re: [Samba] Domain Logins across VPN
- Original Message -

> [EMAIL PROTECTED] wrote:
>
> > [EMAIL PROTECTED] wrote:
> >
> > > I've been trying to get this to work for a few days now. I read that domain requests are sent via broadcast, and to use WINS to get around it. Well, I've enabled the WINS server on my Samba PDC, and told the BDC's on each VPN segment that the PDC is a WINS server. WINS resolution works apparently, I can sit on a VPN'd network segment and ping machines across the VPN via their NETBIOS name, but I can't log into the domain. Windows tells me it can't find the domain. Is there something I'm missing?
> >
> > sorry rob, i forgot to reply-to-all the first time. do you have
> >
> >   domain master = no
> >   domain logons = yes
> >
> > that set up works for me. and i also use local master = yes though i don't think the local master is required for bdc functionality.
> >
> > -- Anthony
> >
> > Yeah, I have that in my conf. Actually, I got it working earlier, but I had to tell samba to use my master LDAP server to do it - I was hoping I could make samba read off of the local slave server so if the connection to the master was severed, domain logins would still be functional. I'll tool around with it some more tomorrow and see if I can make it work the way I intend.
>
> hmmm... i also use a replicated ldap server on the bdc localhost. could you post your smb.conf and any errors you see in your samba log?
>
> -- Anthony

sure, here's my smb.conf:

  [global]
  netbios name =
  workgroup = WORKGROUP
  server string = Server String
  security = user
  hosts allow = 192.168.0. 127.
  load printers = no
  log file = var/log/samba.%m
  max log size = 50
  log level = 1
  passdb backend = ldapsam:ldap://
  socket options = TCP_NODELAY
  interfaces =
  os level = 64
  domain master = no
  preferred master = auto
  domain logons = yes
  #LDAP stuff:
  ldap admin dn = cn=,dc=,dc=com
  ldap group suffix = ou=Groups
  ldap idmap suffix = ou=Idmap
  ldap machine suffix = ou=People
  ldap passwd sync = yes
  ldap suffix = dc=,dc=com
  ldap user suffix = ou=Users
  idmap backend = ldap:ldap://127.0.01
  idmap uid = 1-2
  idmap gid = 1-2
  logon script = logon.bat
  logon path =
  logon drive = H:
  wins server =
  wins proxy = yes
  dns proxy = no
  # domain user stuff:
  add user script = /usr/local/sbin/smbldap-useradd -a '%u'
  add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
  add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'
  delete user script = /usr/local/sbin/smbldap-userdel '%u'
  delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u' '%g'
  set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
  add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
  delete group script = /usr/local/sbin/smbldap-groupdel '%g'
  ---

This configuration works. If I change passdb to 127.0.0.1 instead of the Master LDAP's IP, this pops up in samba.smbd:

  [2006/05/24 14:53:30, 1] lib/smbldap_util.c:add_new_domain_info(198)
    failed to add domain dn= sambaDomainName=ATWORK,dc=atworkpersonnel,dc=com with: Server is unwilling to perform
    shadow context; no update referral
  [2006/05/24 14:53:30, 0] lib/smbldap_util.c:smbldap_search_domain_info(258)
    Adding domain info for ATWORK failed with NT_STATUS_UNSUCCESSFUL

That's the only error I see popping up. Ideas?

-- Rob

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Domain logins: 2 small issues
- Original Message -
From: "Rob Hall" <[EMAIL PROTECTED]>
To:
Sent: Wednesday, May 17, 2006 8:50 AM
Subject: [Samba] Domain logins: 2 small issues

Nobody has any suggestions?

-- Rob
[Samba] Domain logins: 2 small issues
Hey gang,

I've managed to get samba servers working as PDCs/BDCs with LDAP backend for replication. Working fine. Here's my problems:

1) A new machine will not join the domain on the first attempt. Apparently samba creates the machine account but can't authenticate it. I have to attempt to join a second time for it to authenticate and succeed. This isn't that big of a deal, and if I don't figure it out, I'm not in a major bind.

2) After a machine joins a domain, EVERYTHING in msconfig is gibberish. Looking in the registry, every entry now has either a "C" or just "" for its entry. Also, the machines now pop up the system32 folder on login. This is the one I *REALLY* need help with.

My smb.conf is as follows:

--
[global]
netbios name =
workgroup =
server string =
security = user
hosts allow =
log file = /var/log/samba.%m
max log size = 50
log level = 1
passdb = ldapsam:ldap://127.0.0.1
socket options = TCP_NODELAY
interfaces =
local master = yes
os level = 64
domain master = yes
preferred master = auto
domain logins = yes
# LDAP authentication stuff:
ldap admin dn = cn=Manager,dc=,dc=com
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap suffix = dc=,dc=com
ldap user suffix = ou=Users
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 1-2
idmap gid = 1-2
logon script = logon.bat
logon path =
logon drive = H:
wins support = yes
wins proxy = no
dns proxy = no
# domain scripts
add user script = /usr/local/sbin/smbldap-useradd -a '%u'
add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'
delete user script = /usr/local/sbin/smbldap-userdel '%u'
delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
delete group script = /usr/local/sbin/smbldap-groupdel '%g'
# Share Definitions ==
[homes]
comment = Home Directories
browseable = no
writable = yes
# Un-comment the following and create the netlogon directory for Domain Logons
[netlogon]
comment = Network Logon Service
path = /usr/local/samba/lib/netlogon
guest ok = yes
writable = no
share modes = no
[shared]
comment = Shared Space
path = /usr/local/share/common
public = yes
writable = yes
printable = no
create mask = 777
-- end smb.conf

Any help/suggestions are greatly appreciated. Thanks!

-- Rob
Re: [Samba] Samba 3.0.22 PDC - "The parameter is incorrect"
Nevermind gang, I fixed it. I had to uncomment the interfaces field and set it, even though I only have 1 nic configured in this box.

Rob Hall <[EMAIL PROTECTED]> wrote:

> I just set my samba log level to 10, and noticed that I'm getting:
>
>   [2006/04/30 10:54:09, 0] lib/access.c:check_access(328)
>     Denied connection from (192.168.0.102)
>   [2006/04/30 10:54:09, 1] smbd/process.c:process_smb(1107)
>     Connection denied from 192.168.0.102
>
> each time my test client tries to connect, even though in smb.conf I have the hosts allow option set to allow 192.168.0. Ideas?
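An added example, not Samba's code and not something the thread contains: a re-implementation of the `hosts allow` / `hosts deny` decision for IPv4 client addresses as I understand Samba's lib/access.c (which descends from tcp_wrappers), covering trailing-dot prefixes, network/mask pairs in both `/24` and `/255.255.255.0` form, `ALL`, `EXCEPT`, and the precedence between the two lists. Hostname and netgroup tokens and the loopback special case are left out, and the order of the checks is my reading of the code, not a fact the thread establishes. Run over the denied line Rob posted, it shows that `hosts allow = 192.168.0. 127.` does admit 192.168.0.102, so the denial had to come from somewhere else (his follow-up points at the `interfaces` line); it also shows the common slip of writing `192.168.0` without the trailing dot, which is an exact-address token and matches nothing. The sample log text is constructed from the lines in the message above.

```python
"""Added example: Samba-style 'hosts allow' / 'hosts deny' evaluation for
IPv4 addresses, plus a check of logged denials against the lists.
This is an illustrative re-implementation, not Samba's lib/access.c."""
import ipaddress
import re

# Matches the lib/access.c line Rob saw at log level 10.
DENIED_RE = re.compile(r"Denied connection from \((\d+\.\d+\.\d+\.\d+)\)")


def _token_matches(token, addr):
    """Match one list token against a dotted-quad client address."""
    tok = token.strip()
    if tok.upper() == "ALL":
        return True
    if "/" in tok:
        net, mask = tok.split("/", 1)
        # Both 192.168.0.0/24 and 192.168.0.0/255.255.255.0 are accepted.
        network = ipaddress.IPv4Network((net, mask), strict=False)
        return ipaddress.IPv4Address(addr) in network
    if tok.endswith("."):
        # Trailing dot: network prefix, so "192.168.0." covers 192.168.0.0-255.
        return addr.startswith(tok)
    # Anything else is an exact address; "192.168.0" (dot forgotten) matches nothing.
    return addr == tok


def _split_tokens(value):
    """smb.conf lists may be separated by spaces or commas."""
    return [t for t in value.replace(",", " ").split() if t]


def _list_matches(tokens, addr):
    """'A B EXCEPT C D' matches when A or B matches and neither C nor D does."""
    upper = [t.upper() for t in tokens]
    if "EXCEPT" in upper:
        i = upper.index("EXCEPT")
        return _list_matches(tokens[:i], addr) and not _list_matches(tokens[i + 1:], addr)
    return any(_token_matches(t, addr) for t in tokens)


def allow_access(hosts_allow, hosts_deny, addr):
    """Decide whether a client address may connect, given both list strings.
    Ordering follows my reading of Samba's allow_access(): allow list first,
    then deny list, and a host on neither list is admitted."""
    allow = _split_tokens(hosts_allow)
    deny = _split_tokens(hosts_deny)
    if not allow and not deny:
        return True                           # no lists: everyone may connect
    if not deny:
        return _list_matches(allow, addr)     # allow list only: must match it
    if not allow:
        return not _list_matches(deny, addr)  # deny list only: must not match it
    if _list_matches(allow, addr):
        return True                           # both lists: allow wins ...
    if _list_matches(deny, addr):
        return False                          # ... then deny applies ...
    return True                               # ... and unlisted hosts get in


def denied_clients(log_text):
    """Client addresses from lib/access.c 'Denied connection' lines."""
    return DENIED_RE.findall(log_text)


def audit(log_text, hosts_allow, hosts_deny=""):
    """For each denied client, whether the lists as written would allow it.
    True means the lists are not what rejected that client."""
    return {ip: allow_access(hosts_allow, hosts_deny, ip) for ip in denied_clients(log_text)}


# Constructed from the two log lines quoted in the message above.
SAMPLE_LOG = """\
[2006/04/30 10:54:09, 0] lib/access.c:check_access(328)
  Denied connection from (192.168.0.102)
[2006/04/30 10:54:09, 1] smbd/process.c:process_smb(1107)
  Connection denied from 192.168.0.102
"""

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, "192.168.0. 127."))   # lists admit the client
    print(audit(SAMPLE_LOG, "192.168.0 127."))    # missing dot: lists reject it
    print(allow_access("192.168.0.0/24 EXCEPT 192.168.0.50", "", "192.168.0.50"))
```

The `audit` result is the check worth running before touching anything else: when it reports True for an address the log shows denied, the lists are not the problem, and when it reports False the token that was meant to match is usually malformed (a missing trailing dot, a mask typed against the wrong base address).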
Re: [Samba] Samba 3.0.22 PDC - "The parameter is incorrect"
I just set my samba log level to 10, and noticed that I'm getting:

  [2006/04/30 10:54:09, 0] lib/access.c:check_access(328)
    Denied connection from (192.168.0.102)
  [2006/04/30 10:54:09, 1] smbd/process.c:process_smb(1107)
    Connection denied from 192.168.0.102

each time my test client tries to connect, even though in smb.conf I have the hosts allow option set to allow 192.168.0. Ideas?

Rob Hall <[EMAIL PROTECTED]> wrote:

> If I try that, I get "The specified network name is no longer available."
Re: [Samba] Samba 3.0.22 PDC - "The parameter is incorrect"
If I try that, I get "The specified network name is no longer available."

Wolfgang Ratzka <[EMAIL PROTECTED]> wrote:

> > I supply it with \\DOMAINNAME\root and the password I set.
>
> This should be DOMAINNAME\root (w/o the leading double backslashes).
>
> --
> Wolfgang Ratzka
[Samba] Samba 3.0.22 PDC - "The parameter is incorrect"
Hi everyone;

I have searched the internet up & down for an answer to this problem. I'm stumped. Here's what I've got:

Samba 3.0.22 configured as a PDC using tdbsam as the passdb backend (switching to LDAP when I get everything working). testparm says everything is fine. I've added the root user and a normal user to the database (using smbpasswd). I even went so far as to manually create a machine trust account.

The problem is, when I try to join a machine to the domain, it asks for the domain credentials. I supply it with \\DOMAINNAME\root and the password I set. I get a message back saying:

  "The following error occurred attempting to join the domain: The parameter is incorrect."

Any suggestions?