Re: [Samba] Samba 3.0.10 join domain
On 02/27/2007 03:57 PM, Daniel Davidson wrote:
> I have found and fixed my previous problems (two typos that were hard to
> find) and now the smbldap-tools all work as expected if I run them as
> root. However when I try to join a domain from a windows machine, the
> scripts never run and get an Access is denied message. Since I am using
> 0.10 I do not think I can use net rpc rights, so do I need to add that
> into ldap manually?

Add what into LDAP?

> Or do I have to use a specific user other than just someone in domain
> admins?

AFAIK, privileges came with 3.0.11, so you need to use root account, or an account with uid:gid equivalent (0:0). And Domain Admins would not work as expected on versions previous to 3.0.11.

> thanks,
> Dan

Kind regards,
-- 
Felipe Augusto van de Wiel [EMAIL PROTECTED]
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/ Phone: (+55 41 3350 3300)

-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Samba 3.0.10 join domain
This is really getting frustrating. The exact message when joining the domain is user name could not be found, however I have the Administrator account set up with the proper data. And I have tried administrator with and without the A in caps. I can take this username, log into the server, and the files I create show up as owned by root.

# Administrator, People, igb.uiuc.edu
dn: uid=Administrator,ou=People,dc=igb,dc=uiuc,dc=edu
uid: Administrator
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: Administrator
sn: Administrator
mail: [EMAIL PROTECTED]
loginShell: /bin/bash
homeDirectory: /home/a-m/Administrator
gecos: Administrator
sambaSID: S-1-5-21-3679620730-2824407525-958489067-500
sambaPrimaryGroupSID: S-1-5-21-3679620730-2824407525-958489067-512
sambaAcctFlags: UX
gidNumber: 0
uidNumber: 0
sambaLMPassword: somethingremoved
sambaNTPassword: somethingremoved

My Sid matches up:

[EMAIL PROTECTED] samba]# net getlocalsid
SID for domain IGB-FILE-SERVER is: S-1-5-21-3679620730-2824407525-958489067

The server should be the master browser:

*
[2007/02/28 10:20:43, 0] nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(282)
  become_domain_master_browser_bcast: Attempting to become domain master browser on workgroup IGB on subnet 128.174.124.12
[2007/02/28 10:20:43, 0] nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(295)
  become_domain_master_browser_bcast: querying subnet 128.174.124.12 for domain master browser on workgroup IGB
[2007/02/28 10:20:47, 0] nmbd/nmbd_logonnames.c:become_logon_server_success(124)
  become_logon_server_success: Samba is now a logon server for workgroup IGB on subnet 128.174.124.12
[2007/02/28 10:20:51, 0] nmbd/nmbd_become_dmb.c:become_domain_master_stage2(113)
  *
  Samba server IGB-FILE-SERVER is now a domain master browser for workgroup IGB on subnet 128.174.124.12
  *

If I look at the log for doing the add, it appears as if this might be where the error is if I look at the tail end of the smb log for the client trying to add with a loglevel of 5:

[2007/02/28 10:31:12, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2007/02/28 10:31:12, 5] smbd/uid.c:change_to_root_user(296)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2007/02/28 10:31:12, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
  wct=12 flg2=0xc807
[2007/02/28 10:31:12, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2007/02/28 10:31:12, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
  Doing spnego session setup
[2007/02/28 10:31:12, 3] smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
  NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002 5.1] PrimaryDomain=[]
[2007/02/28 10:31:12, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
  Got user=[administrator] domain=[igb] workstation=[SAMMY] len1=24 len2=24
[2007/02/28 10:31:12, 5] auth/auth_ntlmssp.c:auth_ntlmssp_set_challenge(66)
  auth_context challenge set by NTLMSSP callback (NTLM2)
[2007/02/28 10:31:12, 5] auth/auth_ntlmssp.c:auth_ntlmssp_set_challenge(67)
  challenge is:
[2007/02/28 10:31:12, 5] lib/util.c:dump_data(1999)
  [000] 81 8F 46 13 26 F9 07 3E ..F...

For info, my globals from smb.conf are

[global]
workgroup = igb
netbios name = IGB-FILE-SERVER
server string = Samba Server
passdb backend = ldapsam:ldap://auth.igb.uiuc.edu
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain logons = Yes
dns proxy = No
wins support = Yes
ldap admin dn = cn=someonespecial,dc=igb,dc=uiuc,dc=edu
ldap group suffix = ou=group
ldap suffix = dc=igb,dc=uiuc,dc=edu
ldap ssl = on
ldap user suffix = ou=People
ldap machine suffix = ou=computer
cups options = raw
log level = 10
add machine script = /usr/share/doc/samba-3.0.10/LDAP/smbldap-tools/smbldap-useradd.pl -w
preferred master = Yes
domain master = Yes
os level = 65
password server = None
idmap uid = 1000-33554431
idmap gid = 1000-33554431
template shell = /bin/false
username map = /etc/samba/smbusers
winbind use default domain = no

Any help still very much appreciated,
Dan

On Tue, 2007-02-27 at 12:57 -0600, Daniel Davidson wrote:
> I have found and fixed my previous problems (two typos that were hard to
> find) and now the smbldap-tools all work as expected if I run them as
> root. However when I try to join a domain from a windows machine, the
> scripts never run and get an Access is denied message. Since I am using
> 0.10 I do not think I can use net rpc rights, so do I need to add that
> into ldap manually? Or do I
Re: [Samba] Samba 3.0.10 join domain
Daniel,

Try adding

ldap idmap suffix = ou=People

Since I noticed that ldap user suffix and ldap group suffix do not seem to be used. Also, check your LDAP log files to see if you can spot the samba search string!

Andrew

> This is really getting frustrating. The exact message when joining the
> domain is user name could not be found, however I have the Administrator
> account set up with the proper data. And I have tried administrator with
> and without the A in caps. I can take this username, log into the
> server, and the files I create show up as owned by root.
Re: [Samba] Samba 3.0.10 join domain
Daniel,

> This is really getting frustrating. The exact message when joining the
> domain is user name could not be found,

When joining a Samba domain usually this means that the machine account could not be found, but I haven't followed this entire thread.

cheers, jerry
Re: [Samba] Samba 3.0.10 join domain
Apologies for the nast of the accompanied text, but I thought it best to include everything from the ldap log in relation to a request to join a domain. It all looks fine to me, except for the text= string never being populated, but please let me know if you can find anything or if that is a problem.

The idmap suffix did not resolve the issue. I do not need to set this account up locally, right?

thanks,
Dan

Feb 28 12:20:53 auth slapd[6527]: conn=636 fd=40 ACCEPT from IP=128.174.124.12:54545 (IP=0.0.0.0:389)
Feb 28 12:20:53 auth slapd[6527]: conn=636 op=0 BIND dn=cn=ldapadmin,dc=igb,dc=uiuc,dc=edu method=128
Feb 28 12:20:53 auth slapd[6527]: conn=636 op=0 BIND dn=cn=ldapadmin,dc=igb,dc=uiuc,dc=edu mech=SIMPLE ssf=0
Feb 28 12:20:53 auth slapd[6527]: conn=636 op=0 RESULT tag=97 err=0 text=
Feb 28 12:20:53 auth slapd[6527]: conn=636 op=1 SRCH base=dc=igb,dc=uiuc,dc=edu scope=2 filter=((uid=administrator)(objectClass=sambaSamAccount))
Feb 28 12:20:53 auth slapd[6527]: conn=636 op=1 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
Feb 28 12:20:53 auth slapd[6527]: conn=636 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 28 12:20:53 auth slapd[6527]: conn=637 fd=41 ACCEPT from IP=128.174.124.12:54546 (IP=0.0.0.0:389)
Feb 28 12:20:53 auth slapd[6527]: conn=637 op=0 BIND dn= method=128
Feb 28 12:20:53 auth slapd[6527]: conn=637 op=0 RESULT tag=97 err=0 text=
Feb 28 12:20:53 auth slapd[6527]: conn=637 op=1 SRCH base=dc=igb,dc=uiuc,dc=edu scope=2 filter=((objectClass=posixAccount)(uid=Administrator))
Feb 28 12:20:53 auth slapd[6527]: conn=637 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 28 12:20:53 auth slapd[6527]: conn=637 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 28 12:20:54 auth slapd[6527]: conn=637 op=2 SRCH base=dc=igb,dc=uiuc,dc=edu scope=2 filter=((objectClass=posixAccount)(uid=Administrator))
Feb 28 12:20:54 auth slapd[6527]: conn=637 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 28 12:20:54 auth slapd[6527]: conn=637 op=3 SRCH base=dc=igb,dc=uiuc,dc=edu scope=2 filter=((objectClass=posixGroup)(|(memberUid=Administrator)(uniqueMember=uid=administrator,ou=people,dc=igb,dc=uiuc,dc=edu)))
Feb 28 12:20:54 auth slapd[6527]: conn=637 op=3 SRCH attr=gidNumber
Feb 28 12:20:54 auth slapd[6527]: = bdb_equality_candidates: (memberUid) index_param failed (18)
Feb 28 12:20:54 auth slapd[6527]: = bdb_equality_candidates: (uniqueMember) index_param failed (18)
Feb 28 12:20:54 auth slapd[6527]: conn=637 op=3 SEARCH RESULT tag=101 err=0 nentries=2 text=
Feb 28 12:20:54 auth slapd[6527]: conn=637 op=4 SRCH base=dc=igb,dc=uiuc,dc=edu scope=2 filter=((objectClass=posixGroup)(uniqueMember=cn=domain admins,ou=group,dc=igb,dc=uiuc,dc=edu))
Feb 28 12:20:54 auth slapd[6527]: conn=637 op=4 SRCH attr=gidNumber
Feb 28 12:20:54 auth slapd[6527]: = bdb_equality_candidates: (uniqueMember) index_param failed (18)
Feb 28 12:20:54 auth slapd[6527]: conn=637 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb 28 12:20:54 auth slapd[6527]: conn=636 op=2 SRCH base=ou=group,dc=igb,dc=uiuc,dc=edu scope=2 filter=((objectClass=sambaGroupMapping)(gidNumber=0))
Feb 28 12:20:54 auth slapd[6527]: conn=636 op=2 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Feb 28 12:20:54 auth slapd[6527]: conn=636 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb 28 12:20:54 auth slapd[6527]: conn=636 op=3 SRCH base=ou=group,dc=igb,dc=uiuc,dc=edu scope=2 filter=((objectClass=sambaGroupMapping)(gidNumber=512))
Feb 28 12:20:54 auth slapd[6527]: conn=636 op=3 SRCH attr=gidNumber sambaSID sambaGroupType sambaSIDList description displayName cn objectClass
Feb 28 12:20:54 auth slapd[6527]: conn=636 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 28 12:20:54 auth slapd[6527]: conn=637 op=5 SRCH base=dc=igb,dc=uiuc,dc=edu scope=2 filter=((objectClass=posixAccount)(uid=Administrator))
Feb 28 12:20:54 auth slapd[6527]: conn=637 op=5 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 28 12:20:54 auth slapd[6527]: conn=637 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 28 12:20:54 auth slapd[6527]: conn=637 op=6 SRCH base=dc=igb,dc=uiuc,dc=edu scope=2 filter=((objectClass=posixAccount)(uid=administrator))
Feb 28 12:20:54 auth slapd[6527]: conn=637 op=6 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Feb 28 12:20:54 auth
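Added example, not part of any poster's message and not Samba or OpenLDAP code: a small Python parser for slapd log lines of the kind posted above. It pairs each SRCH with its SEARCH RESULT, lists the searches that returned no entries, and reports whether a machine account (a uid ending in "$") was ever looked up, which is the case Jerry's reply points at. The sample log, example.org and ws01$ are constructed; quotes around base= and filter= are accepted but not required.

```python
import re

# Constructed sample in slapd stats-log format; hosts, DNs and ws01$ are made up.
SAMPLE_LOG = '''\
Feb 28 12:20:53 auth slapd[6527]: conn=636 op=1 SRCH base="dc=example,dc=org" scope=2 filter="(&(uid=administrator)(objectClass=sambaSamAccount))"
Feb 28 12:20:53 auth slapd[6527]: conn=636 op=1 SRCH attr=uid uidNumber gidNumber sambaSID
Feb 28 12:20:53 auth slapd[6527]: conn=636 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 28 12:20:54 auth slapd[6527]: conn=636 op=2 SRCH base="ou=group,dc=example,dc=org" scope=2 filter="(&(objectClass=sambaGroupMapping)(gidNumber=0))"
Feb 28 12:20:54 auth slapd[6527]: conn=636 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb 28 12:20:55 auth slapd[6527]: conn=636 op=3 SRCH base="dc=example,dc=org" scope=2 filter="(&(uid=ws01$)(objectClass=sambaSamAccount))"
Feb 28 12:20:55 auth slapd[6527]: conn=636 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
'''

# "SRCH attr=..." lines carry no base= and are skipped by this pattern.
SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="?(.*?)"? scope=\d+ .*?filter="?(.*?)"?\s*$')
RESULT = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT .*?err=(\d+) nentries=(\d+)')
# Samba machine accounts are stored with a trailing "$" on the uid.
MACHINE_UID = re.compile(r'\(uid=([^()]*\$)\)')


def parse_searches(log_text):
    """Pair every SRCH with its SEARCH RESULT using the (conn, op) key."""
    pending, done = {}, []
    for line in log_text.splitlines():
        m = SRCH.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = {"base": m.group(3), "filter": m.group(4)}
            continue
        m = RESULT.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            rec = pending.pop((m.group(1), m.group(2)))
            rec.update(err=int(m.group(3)), nentries=int(m.group(4)))
            done.append(rec)
    return done


def join_report(log_text):
    """Summarise what the directory was asked during a join attempt."""
    searches = parse_searches(log_text)
    machine = [(MACHINE_UID.search(s["filter"]).group(1), s["nentries"])
               for s in searches if MACHINE_UID.search(s["filter"])]
    return {
        "empty": [s["filter"] for s in searches if s["nentries"] == 0],
        "machine_lookups": machine,
        "machine_lookup_seen": bool(machine),
    }


if __name__ == "__main__":
    for key, value in join_report(SAMPLE_LOG).items():
        print(key, "=", value)
```

A `machine_lookup_seen` of False means no logged search filter contained a uid ending in "$" in the portion of the log that was parsed.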
Re: [Samba] Samba 3.0.10 join domain
I was looking around for more help on my problem and found this info on a gentoo page even though I am using RHEL4 regarding the configuration of ldap. Anyone know what they are talking about by "Field names here must be all caps"?

Dan

> for database you can either use bdb or ldbm. bdb is generally favoured
> by the openldap project as it is faster and more stable, it is somewhat
> difficult to setup when your server is under high load. Hint: create a
> DB_CONFIG file in your data directory (/var/lib/openldap-data/) and read
> the berkeley db documentation at sleepycat.com.
>
> suffix is the suffix for the root of our LDAP tree. The field names here
> must be all caps, or Windows will turn up its nose when asked to join
> your domain, with an error stating User account not found. It will be
> very frustrating.
>
> directory designates the data directory for our LDAP database.
[Samba] Samba 3.0.10 join domain
I have found and fixed my previous problems (two typos that were hard to find) and now the smbldap-tools all work as expected if I run them as root. However when I try to join a domain from a windows machine, the scripts never run and get an Access is denied message. Since I am using 0.10 I do not think I can use net rpc rights, so do I need to add that into ldap manually? Or do I have to use a specific user other than just someone in domain admins?

thanks,
Dan