Re: [Samba] Samba 3.0.10 join domain

2007-02-28 Thread Felipe Augusto van de Wiel

On 02/27/2007 03:57 PM, Daniel Davidson wrote:
> I have found and fixed my previous problems (two typos that were hard to
> find) and now the smbldap-tools all work as expected if I run them as
> root.  However when I try to join a domain from a windows machine, the
> scripts never run and get an "Access is denied" message.  Since I am
> using 0.10 I do not think I can use net rpc rights, so do I need to add
> that into ldap manually?

Add what into LDAP?


> Or do I have to use a specific user other than
> just someone in domain admins?

AFAIK, privileges came with 3.0.11, so you need to use the
root account, or an account with uid:gid equivalent (0:0). And
Domain Admins would not work as expected on versions prior
to 3.0.11.




> thanks,
> Dan

Kind regards,

-- 
Felipe Augusto van de Wiel [EMAIL PROTECTED]
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/   Phone: (+55 41 3350 3300)
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Samba 3.0.10 join domain

2007-02-28 Thread Daniel Davidson
This is really getting frustrating.  The exact message when joining the
domain is "user name could not be found", however I have the
Administrator account set up with the proper data.  And I have tried
administrator with and without the A in caps.  I can take this username,
log into the server, and the files I create show up as owned by root.

# Administrator, People, igb.uiuc.edu
dn: uid=Administrator,ou=People,dc=igb,dc=uiuc,dc=edu
uid: Administrator
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: Administrator
sn: Administrator
mail: [EMAIL PROTECTED]
loginShell: /bin/bash
homeDirectory: /home/a-m/Administrator
gecos: Administrator
sambaSID: S-1-5-21-3679620730-2824407525-958489067-500
sambaPrimaryGroupSID: S-1-5-21-3679620730-2824407525-958489067-512
sambaAcctFlags: UX
gidNumber: 0
uidNumber: 0
sambaLMPassword: somethingremoved
sambaNTPassword: somethingremoved

My Sid matches up:

[EMAIL PROTECTED] samba]# net getlocalsid
SID for domain IGB-FILE-SERVER is:
S-1-5-21-3679620730-2824407525-958489067

The server should be the master browser:

  *
[2007/02/28 10:20:43, 0]
nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(282)
  become_domain_master_browser_bcast:
  Attempting to become domain master browser on workgroup IGB on subnet
128.174.124.12
[2007/02/28 10:20:43, 0]
nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(295)
  become_domain_master_browser_bcast: querying subnet 128.174.124.12 for
domain master browser on workgroup IGB
[2007/02/28 10:20:47, 0]
nmbd/nmbd_logonnames.c:become_logon_server_success(124)
  become_logon_server_success: Samba is now a logon server for workgroup
IGB on subnet 128.174.124.12
[2007/02/28 10:20:51, 0]
nmbd/nmbd_become_dmb.c:become_domain_master_stage2(113)
  *

  Samba server IGB-FILE-SERVER is now a domain master browser for
workgroup IGB on subnet 128.174.124.12

  *


If I look at the log for doing the add, it appears as if this might be
where the error is if I look at the tail end of the smb log for the
client trying to add with a loglevel of 5:


[2007/02/28 10:31:12, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2007/02/28 10:31:12, 5] smbd/uid.c:change_to_root_user(296)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2007/02/28 10:31:12, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
  wct=12 flg2=0xc807
[2007/02/28 10:31:12, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2007/02/28 10:31:12, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
  Doing spnego session setup
[2007/02/28 10:31:12, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
  NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002
5.1] PrimaryDomain=[]
[2007/02/28 10:31:12, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
  Got user=[administrator] domain=[igb] workstation=[SAMMY] len1=24
len2=24
[2007/02/28 10:31:12, 5]
auth/auth_ntlmssp.c:auth_ntlmssp_set_challenge(66)
  auth_context challenge set by NTLMSSP callback (NTLM2)
[2007/02/28 10:31:12, 5]
auth/auth_ntlmssp.c:auth_ntlmssp_set_challenge(67)
  challenge is: 
[2007/02/28 10:31:12, 5] lib/util.c:dump_data(1999)
  [000] 81 8F 46 13 26 F9 07 3E   ..F... 


For info, my globals from smb.conf are


[global]
workgroup = igb
netbios name = IGB-FILE-SERVER
server string = Samba Server
passdb backend = ldapsam:ldap://auth.igb.uiuc.edu
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain logons = Yes
dns proxy = No
wins support = Yes
ldap admin dn = cn=someonespecial,dc=igb,dc=uiuc,dc=edu
ldap group suffix = ou=group
ldap suffix = dc=igb,dc=uiuc,dc=edu
ldap ssl = on
ldap user suffix = ou=People
ldap machine suffix =  ou=computer
cups options = raw
log level = 10

add machine script = /usr/share/doc/samba-3.0.10/LDAP/smbldap-tools/smbldap-useradd.pl -w
preferred master = Yes
domain master = Yes
os level = 65
password server = None
idmap uid = 1000-33554431
idmap gid = 1000-33554431
template shell = /bin/false
username map = /etc/samba/smbusers
winbind use default domain = no


Any help still very much appreciated,

Dan

On Tue, 2007-02-27 at 12:57 -0600, Daniel Davidson wrote:
> I have found and fixed my previous problems (two typos that were hard to
> find) and now the smbldap-tools all work as expected if I run them as
> root.  However when I try to join a domain from a windows machine, the
> scripts never run and get an "Access is denied" message.  Since I am
> using 0.10 I do not think I can use net rpc rights, so do I need to add
> that into ldap manually?  Or do I

Re: [Samba] Samba 3.0.10 join domain

2007-02-28 Thread Andrew Watkins


Daniel,

Try adding ldap idmap suffix = ou=People

Since I noticed that ldap user suffix and ldap group suffix do not 
seem to be used.


Also, check your LDAP log files to see if you can spot the samba search 
string!


Andrew



Re: [Samba] Samba 3.0.10 join domain

2007-02-28 Thread Gerald (Jerry) Carter

Daniel,

> This is really getting frustrating.  The exact message
> when joining the domain is user name could not
> be found,

When joining a Samba domain usually this means that
the machine account could not be found, but I haven't
followed this entire thread.






cheers, jerry


Re: [Samba] Samba 3.0.10 join domain

2007-02-28 Thread Daniel Davidson
Apologies for the nast of the accompanied text, but I thought it best to
include everything from the ldap log in relation to a request to join a
domain.  It all looks fine to me, except for the text= string never
being populated, but please let me know if you can find anything or if
that is a problem.  The idmap suffix did not resolve the issue.  I do
not need to set this account up locally, right?

thanks,

Dan


Feb 28 12:20:53 auth slapd[6527]: conn=636 fd=40 ACCEPT from
IP=128.174.124.12:54545 (IP=0.0.0.0:389) 
Feb 28 12:20:53 auth slapd[6527]: conn=636 op=0 BIND
dn=cn=ldapadmin,dc=igb,dc=uiuc,dc=edu method=128 
Feb 28 12:20:53 auth slapd[6527]: conn=636 op=0 BIND
dn=cn=ldapadmin,dc=igb,dc=uiuc,dc=edu mech=SIMPLE ssf=0 
Feb 28 12:20:53 auth slapd[6527]: conn=636 op=0 RESULT tag=97 err=0
text= 
Feb 28 12:20:53 auth slapd[6527]: conn=636 op=1 SRCH
base=dc=igb,dc=uiuc,dc=edu scope=2
filter=((uid=administrator)(objectClass=sambaSamAccount)) 
Feb 28 12:20:53 auth slapd[6527]: conn=636 op=1 SRCH attr=uid uidNumber
gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
displayName sambaHomeDrive sambaHomePath sambaLogonScript
sambaProfilePath description sambaUserWorkstations sambaSID
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
sambaBadPasswordTime sambaPasswordHistory modifyTimestamp
sambaLogonHours modifyTimestamp 
Feb 28 12:20:53 auth slapd[6527]: conn=636 op=1 SEARCH RESULT tag=101
err=0 nentries=1 text= 
Feb 28 12:20:53 auth slapd[6527]: conn=637 fd=41 ACCEPT from
IP=128.174.124.12:54546 (IP=0.0.0.0:389) 
Feb 28 12:20:53 auth slapd[6527]: conn=637 op=0 BIND dn= method=128 
Feb 28 12:20:53 auth slapd[6527]: conn=637 op=0 RESULT tag=97 err=0
text= 
Feb 28 12:20:53 auth slapd[6527]: conn=637 op=1 SRCH
base=dc=igb,dc=uiuc,dc=edu scope=2
filter=((objectClass=posixAccount)(uid=Administrator)) 
Feb 28 12:20:53 auth slapd[6527]: conn=637 op=1 SRCH attr=uid
userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
description objectClass 
Feb 28 12:20:53 auth slapd[6527]: conn=637 op=1 SEARCH RESULT tag=101
err=0 nentries=1 text= 
Feb 28 12:20:54 auth slapd[6527]: conn=637 op=2 SRCH
base=dc=igb,dc=uiuc,dc=edu scope=2
filter=((objectClass=posixAccount)(uid=Administrator)) 
Feb 28 12:20:54 auth slapd[6527]: conn=637 op=2 SEARCH RESULT tag=101
err=0 nentries=1 text= 
Feb 28 12:20:54 auth slapd[6527]: conn=637 op=3 SRCH
base=dc=igb,dc=uiuc,dc=edu scope=2
filter=((objectClass=posixGroup)(|(memberUid=Administrator)(uniqueMember=uid=administrator,ou=people,dc=igb,dc=uiuc,dc=edu)))
 
Feb 28 12:20:54 auth slapd[6527]: conn=637 op=3 SRCH attr=gidNumber 
Feb 28 12:20:54 auth slapd[6527]: = bdb_equality_candidates:
(memberUid) index_param failed (18) 
Feb 28 12:20:54 auth slapd[6527]: = bdb_equality_candidates:
(uniqueMember) index_param failed (18) 
Feb 28 12:20:54 auth slapd[6527]: conn=637 op=3 SEARCH RESULT tag=101
err=0 nentries=2 text= 
Feb 28 12:20:54 auth slapd[6527]: conn=637 op=4 SRCH
base=dc=igb,dc=uiuc,dc=edu scope=2
filter=((objectClass=posixGroup)(uniqueMember=cn=domain
admins,ou=group,dc=igb,dc=uiuc,dc=edu)) 
Feb 28 12:20:54 auth slapd[6527]: conn=637 op=4 SRCH attr=gidNumber 
Feb 28 12:20:54 auth slapd[6527]: = bdb_equality_candidates:
(uniqueMember) index_param failed (18) 
Feb 28 12:20:54 auth slapd[6527]: conn=637 op=4 SEARCH RESULT tag=101
err=0 nentries=0 text= 
Feb 28 12:20:54 auth slapd[6527]: conn=636 op=2 SRCH
base=ou=group,dc=igb,dc=uiuc,dc=edu scope=2
filter=((objectClass=sambaGroupMapping)(gidNumber=0)) 
Feb 28 12:20:54 auth slapd[6527]: conn=636 op=2 SRCH attr=gidNumber
sambaSID sambaGroupType sambaSIDList description displayName cn
objectClass 
Feb 28 12:20:54 auth slapd[6527]: conn=636 op=2 SEARCH RESULT tag=101
err=0 nentries=0 text= 
Feb 28 12:20:54 auth slapd[6527]: conn=636 op=3 SRCH
base=ou=group,dc=igb,dc=uiuc,dc=edu scope=2
filter=((objectClass=sambaGroupMapping)(gidNumber=512)) 
Feb 28 12:20:54 auth slapd[6527]: conn=636 op=3 SRCH attr=gidNumber
sambaSID sambaGroupType sambaSIDList description displayName cn
objectClass 
Feb 28 12:20:54 auth slapd[6527]: conn=636 op=3 SEARCH RESULT tag=101
err=0 nentries=1 text= 
Feb 28 12:20:54 auth slapd[6527]: conn=637 op=5 SRCH
base=dc=igb,dc=uiuc,dc=edu scope=2
filter=((objectClass=posixAccount)(uid=Administrator)) 
Feb 28 12:20:54 auth slapd[6527]: conn=637 op=5 SRCH attr=uid
userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
description objectClass 
Feb 28 12:20:54 auth slapd[6527]: conn=637 op=5 SEARCH RESULT tag=101
err=0 nentries=1 text= 
Feb 28 12:20:54 auth slapd[6527]: conn=637 op=6 SRCH
base=dc=igb,dc=uiuc,dc=edu scope=2
filter=((objectClass=posixAccount)(uid=administrator)) 
Feb 28 12:20:54 auth slapd[6527]: conn=637 op=6 SRCH attr=uid
userPassword uidNumber gidNumber cn homeDirectory loginShell gecos
description objectClass 
Feb 28 12:20:54 auth 
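
An added example, not part of the original posts: one way to follow the advice earlier in the thread to look for the Samba search strings in the LDAP log. It re-joins the mail-wrapped slapd records, pairs each SRCH with its SEARCH RESULT by conn/op, and lists the searches that returned an error or no entries. The sample lines are copied from the log above, with the filter strings exactly as the archive shows them; the function names are this example's own.

```python
import re

# A syslog record from slapd starts with "Mon DD HH:MM:SS host slapd[pid]:".
RECORD_START = re.compile(r"^[A-Z][a-z]{2} +\d+ \d\d:\d\d:\d\d \S+ slapd\[\d+\]:")
SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="?(.*?)"? scope=(\d+) filter="?(.*?)"?$')
RESULT = re.compile(r"conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)")

# Sample: lines from the slapd log in the post above, wrapped as in the mail.
SAMPLE = """\
Feb 28 12:20:54 auth slapd[6527]: conn=637 op=4 SRCH
base=dc=igb,dc=uiuc,dc=edu scope=2
filter=((objectClass=posixGroup)(uniqueMember=cn=domain
admins,ou=group,dc=igb,dc=uiuc,dc=edu))
Feb 28 12:20:54 auth slapd[6527]: = bdb_equality_candidates:
(uniqueMember) index_param failed (18)
Feb 28 12:20:54 auth slapd[6527]: conn=637 op=4 SEARCH RESULT tag=101
err=0 nentries=0 text=
Feb 28 12:20:54 auth slapd[6527]: conn=636 op=2 SRCH
base=ou=group,dc=igb,dc=uiuc,dc=edu scope=2
filter=((objectClass=sambaGroupMapping)(gidNumber=0))
Feb 28 12:20:54 auth slapd[6527]: conn=636 op=2 SEARCH RESULT tag=101
err=0 nentries=0 text=
Feb 28 12:20:54 auth slapd[6527]: conn=636 op=3 SRCH
base=ou=group,dc=igb,dc=uiuc,dc=edu scope=2
filter=((objectClass=sambaGroupMapping)(gidNumber=512))
Feb 28 12:20:54 auth slapd[6527]: conn=636 op=3 SEARCH RESULT tag=101
err=0 nentries=1 text=
"""


def unwrap(text):
    """Re-join records that the mail client wrapped across several lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if RECORD_START.match(line) or not records:
            records.append(line)
        elif line:
            records[-1] += " " + line
    return records


def empty_searches(text):
    """Return (conn, op, base, filter) for searches that failed or matched nothing."""
    pending, misses = {}, []
    for rec in unwrap(text):
        s, r = SRCH.search(rec), RESULT.search(rec)
        if s:
            pending[s.group(1, 2)] = s.group(3, 5)
        elif r and r.group(1, 2) in pending:
            base, flt = pending.pop(r.group(1, 2))
            if r.group(3) != "0" or r.group(4) == "0":
                misses.append((int(r.group(1)), int(r.group(2)), base, flt))
    return misses
```

Run over a full log, the output is the short list of lookups smbd made that came back empty, which is easier to compare against the directory contents than the raw log.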

Re: [Samba] Samba 3.0.10 join domain

2007-02-28 Thread Daniel Davidson
I was looking around for more help on my problem and found this info on
a Gentoo page even though I am using RHEL4 regarding the configuration
of ldap.  Anyone know what they are talking about by "Field names here
must be all caps"?

Dan


for database you can either use bdb or ldbm. bdb is generally
favoured by the openldap project as it is faster and more stable, it is
somewhat difficult to setup when your server is under high load. Hint:
create a DB_CONFIG file in your data directory (/var/lib/openldap-data/)
and read the berkeley db documentation at sleepycat.com. suffix is the
suffix for the root of our LDAP tree. The field names here must be all
caps, or Windows will turn up its nose when asked to join your domain,
with an error stating User account not found. It will be very
frustrating. directory designates the data directory for our LDAP
database. 



[Samba] Samba 3.0.10 join domain

2007-02-27 Thread Daniel Davidson
I have found and fixed my previous problems (two typos that were hard to
find) and now the smbldap-tools all work as expected if I run them as
root.  However when I try to join a domain from a windows machine, the
scripts never run and get an "Access is denied" message.  Since I am
using 0.10 I do not think I can use net rpc rights, so do I need to add
that into ldap manually?  Or do I have to use a specific user other than
just someone in domain admins?

thanks,

Dan
