[Samba] LDAP issue, access denied adding machine to domain, and LDAP user can't make unix-login on the box.

2004-03-11 Thread Torben Thomsen
Hi,
I have a LDAP backend for my Samba 3.0.2, and everything seems to work 
except adding XP machines to the domain, and unix logins with a ldap client.

Since this mail is very long, I have created a small index, so you don't 
get exhausted in the middle of all the logs... ;)

1. LDAP user-creation
2. Group info
3. pam/nss info
4. smb.conf [global]
5. Log from trying to add machine to domain
6. Log for trying to unix-login the user
7. Conclusion


1)
I create new users through a web interface where I have created test3 as 
a domain admin, and an LDAP search returns the following attributes on test3:

uidnumber:  10009
sambasid:  S-1-5-21-2409322033-11024189-1315579533-21018
cn:  test3
displayname:  test3
sn:  test3
uid:  test3
loginshell:  /bin/bash
homedirectory:  /samba/home/test3
gidnumber:  512
objectclass:  inetOrgPerson
objectclass:  sambaSAMAccount
objectclass:  posixAccount
sambahomepath:  \\LOGIN\homes
sambahomedrive:  H:
sambaacctflags:  [U ]
sambadomainname:  SKOLE1
sambalogonscript:  \\LOGIN\logonScript\test3.bat
sambaprofilepath:  \\LOGIN\test3\.profile
sambaprimarygroupsid:  S-1-5-21-2409322033-11024189-1315579533-512
sambalmpassword:  07E9BB454DCA7EBCAAD3B435B51404EE
sambantpassword:  C3F7CE8E37AB104169F3313FF2C6AC6A
userpassword:  {MD5}WnsFSpsqzAhNDorh9YhDpA==
I can validate the user with smbclient -L localhost -U test3 but NOT 
login the user in linux!

2)
A net groupmap list returns the interesting parts like:
Domain Admins (S-1-5-21-2409322033-11024189-1315579533-512) - admin
Domain Computers (S-1-5-21-2409322033-11024189-1315579533-553) - Domain Computers

And all the admin tools seem to work as well; smbpasswd and the 
smbldap tools in /usr/local/sbin seem to work (I can create new users 
with smbldap-useradd.pl)!

and ls -l /usr/local/sbin returns:

-rwxr-xr-x 1 root staff      2 Feb 12 16:22 mkntpwd
-rwxr-xr-x 1 root staff   4367 Feb 10 21:05 smbldap-groupadd.pl
-rwxr-xr-x 1 root staff   2324 Feb 10 21:05 smbldap-groupdel.pl
-rwxr-xr-x 1 root staff   7869 Feb 10 21:05 smbldap-groupmod.pl
-rwxr-xr-x 1 root staff   1884 Feb 10 21:05 smbldap-groupshow.pl
-rwxr-xr-x 1 root staff   7158 Feb 10 21:05 smbldap-migrate-accounts.pl
-rwxr-xr-x 1 root staff   4974 Feb 10 21:05 smbldap-migrate-groups.pl
-rwxr-xr-x 1 root staff   5599 Feb 10 21:05 smbldap-passwd.pl
-rwxr-xr-x 1 root staff   8995 Feb 10 21:05 smbldap-populate.pl
-rw-r--r-- 1 root staff   5521 Feb 10 21:05 smbldap-tools.spec
-rwxr-x--x 1 root admin  16100 Mar  2 18:45 smbldap-useradd.pl
-rwxr-x--x 1 root staff  16162 Mar  2 18:37 smbldap-useradd.pl~
-rwxr-xr-x 1 root staff   2950 Feb 10 21:05 smbldap-userdel.pl
-rwxr-xr-x 1 root staff  15085 Feb 10 21:05 smbldap-usermod.pl
-rwxr-xr-x 1 root staff   1826 Feb 10 21:05 smbldap-usershow.pl
-rwxr-x-wx 1 root admin   3842 Mar  4 20:21 smbldap_conf.pm
-rwxr-x-wx 1 root admin   3844 Mar  4 20:17 smbldap_conf.pm~
-rw-r--r-- 1 root staff  18882 Feb 10 21:05 smbldap_tools.pm

3)
I suspect nss/pam as the problem, but I don't know how to solve it...
My /etc/nsswitch.conf :

passwd: files ldap
group:  files ldap
shadow: files ldap
hosts:  files dns
networks:   files
protocols:  db files
services:   db files
ethers: db files
rpc:db files
netgroup:   nis

4)
- SMB.CONF -
[global]
   workgroup = SKOLE1
   passdb backend = ldapsam:ldap://127.0.0.1/
   ldap suffix = dc=login
   ldap machine suffix = ou=machines
   ldap user suffix = ou=people
   ldap group suffix = ou=groups
   ldap admin dn = cn=admin,dc=login
   ldap passwd sync = yes
   ldap delete dn = yes
   ldap filter = ((uid=%u)(objectclass=sambaSamAccount))
   ldap ssl = no
   passwd chat debug = Yes
   passwd program =/usr/local/bin/smbldap-passwd.pl -o %u
   passwd chat = *new*password* %n\n *new*password:* %n\ *successfully*
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   add machine script = /usr/local/sbin/smbldap-useradd.pl -a -w %m
   add user script = /usr/local/sbin/smbldap-useradd.pl -a %u
   delete user script = /usr/local/sbin/smbldap-useradd.pl -d %u
   add group script = /usr/local/sbin/smbldap-useradd.pl -a -g %g
   delete group script = /usr/local/sbin/smbldap-useradd.pl -d -g %g
   add user to group script = /usr/local/sbin/smbldap-useradd.pl -j -u %u -g %g
   delete user from group script = /usr/local/sbin/smbldap-useradd.pl -j -u %u -g %g
   set primary group script = /usr/local/sbin/smbldap-useradd.pl -m -u %u -gid %g
   server string = thePri Samba Server
   netbios name = THEPRI
   #printcap name = cups
   load printers = no
   #printing = cups
   log file = /var/log/samba/%m.log
   log level = 3
   max log size = 5000
   security = user
   encrypt passwords = true
   socket options = TCP_NODELAY 

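The listing in section 2 shows smbldap_conf.pm (the module the smbldap tools read their LDAP bind DN and password from) and its editor backup copy with mode -rwxr-x-wx, i.e. writable by every local user, and the `add machine script` that smbd runs as root lives in the same directory. The script below is an added example (not part of the post or of the smbldap-tools package) that parses an `ls -l` listing, flags world- or group-writable files, leftover `~` backups and non-root ownership, and prints the chmod/rm commands that would close them. The listing it audits is a constructed copy of the one in the post; the directory path and the list of credential-bearing files are assumptions.

```python
"""Audit an `ls -l` listing of an admin-tools directory for permission problems.

Added example, hypothetical script. Input is a constructed copy of the
/usr/local/sbin listing from the post with the columns re-separated.
"""
import re
from collections import namedtuple

LISTING = """\
-rwxr-xr-x 1 root staff      2 Feb 12 16:22 mkntpwd
-rwxr-xr-x 1 root staff   4367 Feb 10 21:05 smbldap-groupadd.pl
-rwxr-xr-x 1 root staff   2324 Feb 10 21:05 smbldap-groupdel.pl
-rwxr-xr-x 1 root staff   7869 Feb 10 21:05 smbldap-groupmod.pl
-rwxr-xr-x 1 root staff   1884 Feb 10 21:05 smbldap-groupshow.pl
-rwxr-xr-x 1 root staff   7158 Feb 10 21:05 smbldap-migrate-accounts.pl
-rwxr-xr-x 1 root staff   4974 Feb 10 21:05 smbldap-migrate-groups.pl
-rwxr-xr-x 1 root staff   5599 Feb 10 21:05 smbldap-passwd.pl
-rwxr-xr-x 1 root staff   8995 Feb 10 21:05 smbldap-populate.pl
-rw-r--r-- 1 root staff   5521 Feb 10 21:05 smbldap-tools.spec
-rwxr-x--x 1 root admin  16100 Mar  2 18:45 smbldap-useradd.pl
-rwxr-x--x 1 root staff  16162 Mar  2 18:37 smbldap-useradd.pl~
-rwxr-xr-x 1 root staff   2950 Feb 10 21:05 smbldap-userdel.pl
-rwxr-xr-x 1 root staff  15085 Feb 10 21:05 smbldap-usermod.pl
-rwxr-xr-x 1 root staff   1826 Feb 10 21:05 smbldap-usershow.pl
-rwxr-x-wx 1 root admin   3842 Mar  4 20:21 smbldap_conf.pm
-rwxr-x-wx 1 root admin   3844 Mar  4 20:17 smbldap_conf.pm~
-rw-r--r-- 1 root staff  18882 Feb 10 21:05 smbldap_tools.pm
"""

# Assumption: smbldap_conf.pm carries the LDAP bind credentials, so nobody
# but root should be able to read, write or execute it.
SENSITIVE = ("smbldap_conf.pm",)
TOOLS_DIR = "/usr/local/sbin"  # assumed location, matches the post

Entry = namedtuple("Entry", "perms owner group name")
Finding = namedtuple("Finding", "name problem")

# type char, 9 permission chars, links, owner, group, size, month, day, time, name
LS_LINE = re.compile(
    r"^[-dlcbps]([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+"
    r"\S+\s+\d+\s+[\d:]+\s+(.+)$"
)


def parse_listing(text):
    """Turn `ls -l` lines into Entry tuples; lines that do not parse are skipped."""
    entries = []
    for line in text.splitlines():
        m = LS_LINE.match(line.strip())
        if m:
            entries.append(Entry(*m.groups()))
    return entries


def audit(entries, sensitive=SENSITIVE):
    """Return one Finding per problem. perms[0:3] owner, [3:6] group, [6:9] other."""
    findings = []
    for e in entries:
        if e.perms[7] == "w":
            findings.append(Finding(e.name, "world-writable"))
        if e.perms[4] == "w":
            findings.append(Finding(e.name, "group-writable"))
        if e.name.endswith("~"):
            findings.append(Finding(e.name, "editor backup copy left in place"))
        if e.owner != "root":
            findings.append(Finding(e.name, f"owned by {e.owner}, not root"))
        # Backup copies of a credential file are just as sensitive as the original.
        if e.name.rstrip("~") in sensitive and e.perms[6:9] != "---":
            findings.append(Finding(e.name, "credential file accessible by others"))
    return findings


def suggest_fixes(findings, directory=TOOLS_DIR):
    """Map findings to shell commands; duplicates collapse, output is sorted."""
    cmds = set()
    for f in findings:
        path = f"{directory}/{f.name}"
        if f.problem == "world-writable":
            cmds.add(f"chmod o-w {path}")
        elif f.problem == "group-writable":
            cmds.add(f"chmod g-w {path}")
        elif f.problem.startswith("editor backup"):
            cmds.add(f"rm {path}")
        elif f.problem.startswith("credential file"):
            cmds.add(f"chmod o-rwx {path}")
        elif f.problem.startswith("owned by"):
            cmds.add(f"chown root {path}")
    return sorted(cmds)


if __name__ == "__main__":
    found = audit(parse_listing(LISTING))
    for f in found:
        print(f"{f.name}: {f.problem}")
    print("\n".join(suggest_fixes(found)))
```

Run against a live box with `ls -l /usr/local/sbin | python3 audit.py` after swapping `LISTING` for `sys.stdin.read()`; the point of keeping the listing inline here is that the two world-writable hits and the two stale `~` copies are visible in the post itself.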
Re:[Samba] LDAP issue, access denied adding machine to domain, and LDAP user can't make unix-login on the box.

2004-03-11 Thread zergio
I think you need to delete the string:
ldap filter = ((uid=%u)(objectclass=sambaSamAccount))
I got a similar problem with adding a machine account. The above helped, thanks to 
@[EMAIL PROTECTED]
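Dropping the line is the right call, and there is a concrete reason the value as posted can never work: `((uid=%u)(objectclass=sambaSamAccount))` is not a well-formed LDAP search filter. RFC 2254/4515 syntax allows two sub-filters side by side only inside an `&` or `|` expression, so the intended form is `(&(uid=%u)(objectclass=sambaSamAccount))`. The checker below is an added example (not Samba's or OpenLDAP's own filter parser) that validates a filter with a small recursive-descent parser, reports the offset at which the posted value breaks, and accepts the corrected one both as a template and after the `%u` substitution that smb.conf performs. The sample user and machine names are constructed.

```python
"""Validate LDAP search filters (RFC 4515 subset) and show why the posted one fails.

Added example, hypothetical checker. POSTED_FILTER is copied from the smb.conf
in the thread; CORRECTED_FILTER is the constructed well-formed version.
"""
import re

POSTED_FILTER = "((uid=%u)(objectclass=sambaSamAccount))"
CORRECTED_FILTER = "(&(uid=%u)(objectclass=sambaSamAccount))"


class FilterSyntaxError(ValueError):
    """Carries the offset at which the filter stops being well-formed."""


# attribute description, comparison operator, then a value running up to the
# next parenthesis. RFC 4515 escapes parens inside values as \28 / \29, so raw
# parens never belong to a value.
_ITEM = re.compile(r"[A-Za-z][A-Za-z0-9.;:-]*(?:~=|>=|<=|:=|=)[^()]*")


def _parse_filter(s, i):
    """Parse one '(' ... ')' filter starting at offset i; return the offset after ')'."""
    if i >= len(s) or s[i] != "(":
        raise FilterSyntaxError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise FilterSyntaxError(f"unexpected end of filter at offset {i}")
    if s[i] in "&|":
        # and/or: one or more complete sub-filters must follow
        op, i = s[i], i + 1
        if i >= len(s) or s[i] != "(":
            raise FilterSyntaxError(f"'{op}' needs at least one sub-filter at offset {i}")
        while i < len(s) and s[i] == "(":
            i = _parse_filter(s, i)
    elif s[i] == "!":
        i = _parse_filter(s, i + 1)
    else:
        m = _ITEM.match(s, i)
        if not m:
            raise FilterSyntaxError(
                f"expected an attribute comparison at offset {i}, found {s[i:i + 12]!r}"
            )
        i = m.end()
    if i >= len(s) or s[i] != ")":
        raise FilterSyntaxError(f"expected ')' at offset {i}")
    return i + 1


def validate_filter(s):
    """Return None when s is well-formed, otherwise the error message."""
    try:
        end = _parse_filter(s, 0)
    except FilterSyntaxError as exc:
        return str(exc)
    if end != len(s):
        return f"trailing data after filter at offset {end}: {s[end:]!r}"
    return None


def is_valid_filter(s):
    return validate_filter(s) is None


def expand_samba_filter(template, user):
    """Apply the smb.conf %u substitution so the value looks as the LDAP server receives it."""
    return template.replace("%u", user)


if __name__ == "__main__":
    for label, f in (("posted", POSTED_FILTER), ("corrected", CORRECTED_FILTER)):
        print(f"{label:9} {f}: {validate_filter(f) or 'ok'}")
    # a machine account name ends in '$'; it is an ordinary value character here
    print(expand_samba_filter(CORRECTED_FILTER, "ws01$"))
```

The error for the posted value lands at offset 1, right after the opening parenthesis, because the parser expects either a combinator (`&`, `|`, `!`) or an `attr=value` item there and finds a second `(` instead. Any LDAP server will reject the same string before it ever evaluates the `%u` part, which is why the symptom shows up for every lookup, machine accounts included.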


--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba