Re: [Samba] samba ldap domain join
I still haven't found any resolution for this problem. I tried using a "-t" parameter with smbldap-passwd, but that didn't make any difference. The debug output still shows that it simply can't find the created computer account, even though it creates it in the right ou. I wish there was a way to not have to deal with computer accounts at all.

Here's the relevant part of the debug output. The machine name is cia.

  Finding user cia$
  Trying _Get_Pwnam(), username as lowercase is cia$
  Checking combinations of 0 uppercase letters in cia$
  Get_Pwnam_internals didn't find user [cia$]!
  _samr_create_user: Running the command `/usr/local/samba/sbin/smbldap-useradd -t 5 -n -d /dev/null -s /bin/false -w "cia"' gave 0
  Finding user cia$
  Trying _Get_Pwnam(), username as lowercase is cia$
  Checking combinations of 0 uppercase letters in cia$
  Get_Pwnam_internals didn't find user [cia$]!
  cia (192.168.1.94) closed connection to service IPC$

Some other relevant config parts (the actual config files have the correct DNs):

  Domain Admins (S-1-5-21-572523613-314456280-397268875-512) -> sambaadmins
  Domain Users (S-1-5-21-572523613-314456280-397268875-513) -> admins
  Domain Guests (S-1-5-21-572523613-314456280-397268875-514) -> users
  Domain Computers (S-1-5-21-572523613-314456280-397268875-515) -> guests

  init_sam_from_ldap: Entry found for user: administrator
  Home server: brutus
  Home server: brutus
  ---
  Unix username:        administrator
  NT username:          administrator
  Account Flags:        [U          ]
  User SID:             S-1-5-21-572523613-314456280-397268875-500
  Primary Group SID:    S-1-5-21-572523613-314456280-397268875-1041
  Full Name:            administrator
  Home Directory:       \\brutus\administrator
  HomeDir Drive:
  Logon Script:
  Profile Path:         \\brutus\administrator\profile
  Domain:               LDAPAUTH
  Account desc:
  Workstations:
  Munged dial:
  Logon time:           0
  Logoff time:          Mon, 18 Jan 2038 22:14:07 EST
  Kickoff time:         Mon, 18 Jan 2038 22:14:07 EST
  Password last set:    Mon, 15 May 2006 10:00:52 EDT
  Password can change:  Mon, 08 May 2006 14:39:02 EDT
  Password must change: Mon, 18 Jan 2038 22:14:07 EST
  Last bad password   : 0
  Bad password count  : 0
  Logon hours         : FF

> smb.conf
>
> add user script = /usr/local/samba/sbin/smbldap-useradd -n "%u"
> add machine script = /usr/local/samba/sbin/smbldap-useradd -n -d /dev/null -s /bin/false -w "%m"
> ldap suffix = dc=mydomain,dc=com
> ldap admin dn = "cn=Directory Manager"
> ldap group suffix = ou=groups,dc=mydomain,dc=com
> ldap idmap suffix = ou=idmap,dc=mydomain,dc=com
> ldap machine suffix = ou=computers,dc=mydomain,dc=com
> ldap ssl = no
> ldap user suffix = ou=people
> idmap backend = ldapsam:ldap://myldapserver
> idmap uid = 1-3
> idmap gid = 1-3
>
> smb-ldap.conf
>
> suffix="dc=mydomain,dc=com"
> usersdn="ou=People,${suffix}"
> computersdn="ou=computers,${suffix}"
> groupsdn="ou=Groups,${suffix}"
> idmapdn="ou=idmap,${suffix}"
> sambaUnixIdPooldn="sambaDomainName=LDAPAUTH,${suffix}"

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
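Editor's added example; this is not code from the thread, from Samba or from smbldap-tools. The debug output above shows the order Samba 3 follows: right after the add machine script returns, it calls getpwnam() on cia$ (the "Finding user cia$ ... Get_Pwnam_internals didn't find user [cia$]!" lines), so that failure means NSS (nss_ldap here) cannot see the new entry, whatever the reason (a search base that does not cover ou=computers, a read ACI, or caching). Only once getpwnam() succeeds does ldapsam run the search quoted lower in the thread, (&(uid=name$)(objectclass=sambaSamAccount)), from ldap suffix with subtree scope, which is why its base is dc=mydomain,dc=com and not ou=computers. The script replays both lookups, in that order, against a constructed LDIF snapshot (one account with only its posixAccount part, which is what the poster reports: no sambaSamAccount, no sambaSID; one fully populated account) and reports the first failing precondition. The nss_ldap base and scope values it tries are assumptions; the sambaSamAccount MUST list (uid, sambaSID) is the one in samba.schema.

```python
"""Added example, not code from the thread or from Samba: replay offline the
two lookups a Samba 3 PDC makes on a freshly created machine account and say
which one fails. SAMPLE_LDIF is constructed; nss_ldap settings are assumed."""
import re

# Constructed sample: cia$ as the poster describes it (posixAccount only) next to a finished account, joined$.
SAMPLE_LDIF = """\
dn: uid=cia$,ou=computers,dc=mydomain,dc=com
objectClass: account
objectClass: posixAccount
uid: cia$
cn: cia$
uidNumber: 1005
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false

dn: uid=joined$,ou=computers,dc=mydomain,dc=com
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uid: joined$
cn: joined$
uidNumber: 1006
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
sambaSID: S-1-5-21-572523613-314456280-397268875-3012
"""

SAMBA_SAM_MUST = ("uid", "sambaSID")   # MUST attributes of sambaSamAccount in samba.schema


def parse_ldif(text):
    """Minimal LDIF parser (no base64, no continuation lines) -> [(dn, {attr_lower: [values]})]."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            if key.strip().lower() == "dn":
                dn = value.strip()
            elif key.strip():
                attrs.setdefault(key.strip().lower(), []).append(value.strip())
        if dn:
            entries.append((dn, attrs))
    return entries


def in_scope(dn, base, scope):
    """LDAP scope check: 'sub' is the base and everything below it, 'one' only its direct children."""
    dn_n, base_n = dn.lower().replace(", ", ","), base.lower().replace(", ", ",")
    if dn_n == base_n:
        return scope == "sub"
    if not dn_n.endswith("," + base_n):
        return False
    return scope == "sub" or "," not in dn_n[: -len(base_n) - 1]


def has_value(attrs, name, value):
    return any(v.lower() == value.lower() for v in attrs.get(name.lower(), []))


def nss_lookup(entries, name, nss_base, nss_scope):
    """What nss_ldap's getpwnam() sees: a posixAccount with uid=<name> under its configured base."""
    return [dn for dn, a in entries if in_scope(dn, nss_base, nss_scope)
            and has_value(a, "objectClass", "posixAccount") and has_value(a, "uid", name)]


def ldapsam_lookup(entries, name, suffix):
    """What ldapsam searches: (&(uid=<name>)(objectclass=sambaSamAccount)) from ldap suffix, subtree."""
    return [dn for dn, a in entries if in_scope(dn, suffix, "sub")
            and has_value(a, "objectClass", "sambaSamAccount") and has_value(a, "uid", name)]


def diagnose(entries, machine, nss_base, nss_scope, suffix):
    """getpwnam() first, then the ldapsam search, in Samba's order; explain the first failure."""
    name = machine if machine.endswith("$") else machine + "$"   # machine accounts are named <host>$
    r = {"name": name, "getpwnam": False, "ldapsam": False, "missing_must": [], "problems": []}
    found = nss_lookup(entries, name, nss_base, nss_scope)
    r["getpwnam"] = bool(found)
    if not found:
        elsewhere = [dn for dn, a in entries if has_value(a, "uid", name)]
        r["problems"].append(
            "%s is outside nss_ldap base %s (scope %s): getent passwd %s fails" % (elsewhere[0], nss_base, nss_scope, name)
            if elsewhere else "no entry with uid=%s: the add machine script created nothing" % name)
        return r
    r["ldapsam"] = bool(ldapsam_lookup(entries, name, suffix))
    if not r["ldapsam"]:
        attrs = dict(entries)[found[0]]
        r["missing_must"] = [m for m in SAMBA_SAM_MUST if m.lower() not in attrs]
        r["problems"].append("%s lacks objectClass sambaSamAccount (MUST attributes missing: %s): "
                             "filter (&(uid=%s)(objectclass=sambaSamAccount)) matches nothing"
                             % (found[0], ", ".join(r["missing_must"]) or "none", name))
    return r


if __name__ == "__main__":
    entries, suffix = parse_ldif(SAMPLE_LDIF), "dc=mydomain,dc=com"
    # Assumed nss_ldap settings: ou=People one level (typical when ldap user suffix = ou=people), then the whole suffix.
    for machine, base, scope in [("cia", "ou=People," + suffix, "one"), ("cia", suffix, "sub"), ("joined", suffix, "sub")]:
        r = diagnose(entries, machine, base, scope, suffix)
        print("%-8s nss=%s?%s getpwnam=%s ldapsam=%s" % (r["name"], base, scope, r["getpwnam"], r["ldapsam"]))
        for problem in r["problems"]:
            print("    ", problem)
```

Run as a script it prints three lines: cia$ failing getpwnam() while nss_ldap is confined to ou=People, cia$ passing getpwnam() but failing the ldapsam search once the base is widened (sambaSID is the MUST attribute still missing), and joined$ passing both. Against a real directory the same two checks are "getent passwd cia$" on the Samba host and an ldapsearch with the quoted filter from the suffix, in that order.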
Re: [Samba] samba ldap domain join
> You don't need to give anonymous write access.
> You just need to give the ldap admin you set in smb.conf write access to
> the tree and properly set the ldap password with smbpasswd -w

Thank you, but this isn't really the issue for me right now. The rest of the message described the problem I can't figure out. By the way, I had smbpasswd -w set to Directory Manager's credentials all the time, but I was getting

  Insufficient 'write' privilege to the 'uidNumber' attribute of entry 'sambadomainname

and

  Insufficient add privileges for ou=computers

until I just made both objects writable by anyone. Anyway... this is working right now and I'll deal with the security implications later, but joining the domain still produces the errors that I described below. Maybe it's worth mentioning that I use Sun ONE Directory 5.2, not OpenLDAP?

It seems that even though the machine accounts get created upon successful authentication, it fails to find that same machine account during the same or another operation to actually join the domain. The search string it uses has objectclass=sambaSamAccount. Apparently, the newly created machine account doesn't have that object class. Also there's no sambasid entry for the machine account (not sure if it needs one, but if sambaSamAccount requires that, I guess it does?). In addition to that, the search base it uses to look for the machine accounts only has the parent suffix, without the "ou=computers". Samba user accounts can be added with smbpasswd and all the sids, passwords and other attributes are set correctly. Another issue is that the idmap ou doesn't seem to get populated with any entries at all, but I also don't know if it should be.

  base => [dc=mydomain,dc=com]
  [(&(uid=computer$)(objectclass=sambaSamAccount))]

smb.conf

  add user script = /usr/local/samba/bin/smbldap-useradd -n "%u"
  add machine script = /usr/local/samba/bin/smbldap-useradd -n -d /dev/null -s /bin/false -w "%m"
  ldap admin dn = "cn=Directory Manager"
  ldap group suffix = ou=groups
  ldap idmap suffix = ou=idmap
  ldap machine suffix = ou=computers
  ldap suffix = dc=mydomain,dc=com
  ldap ssl = no
  ldap user suffix = ou=people
  idmap backend = ldapsam:ldap://myldapserver
  idmap uid = 1-3
  idmap gid = 1-3

smb-ldap.conf

  suffix="dc=mydomain,dc=com"
  usersdn="ou=People,${suffix}"
  computersdn="ou=computers,${suffix}"
  groupsdn="ou=Groups,${suffix}"
  idmapdn="ou=idmap,${suffix}"
  sambaUnixIdPooldn="sambaDomainName=LDAPAUTH,${suffix}"
Re: [Samba] samba ldap domain join
On Thu, 2006-05-11 at 10:52 -0400, [EMAIL PROTECTED] wrote:
> I got past this by permitting anonymous writes to sambadomain
> and ou=computers in LDAP (not ideal, but I really want this to work
> already). Now I'm running into another problem.

You don't need to give anonymous write access.
You just need to give the ldap admin you set in smb.conf write access to
the tree and properly set the ldap password with smbpasswd -w

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org
Re: [Samba] samba ldap domain join
I got past this by permitting anonymous writes to sambadomain and ou=computers in LDAP (not ideal, but I really want this to work already). Now I'm running into another problem.

It seems that even though the machine accounts get created upon successful authentication, it fails to find that same machine account during the same or another operation to actually join the domain. The search string it uses has objectclass=sambaSamAccount. Apparently, the newly created machine account doesn't have that object class. Also there's no sambasid entry for the machine account (not sure if it needs one, but if sambaSamAccount requires that, I guess it does?). In addition to that, the search base it uses to look for the machine accounts only has the parent suffix, without the "ou=computers". Samba user accounts can be added with smbpasswd and all the sids, passwords and other attributes are set correctly. Another issue is that the idmap ou doesn't seem to get populated with any entries at all, but I also don't know if it should be.

  base => [dc=mydomain,dc=com]
  [(&(uid=computer$)(objectclass=sambaSamAccount))]

smb.conf

  add user script = /usr/local/samba/bin/smbldap-useradd -n "%u"
  add machine script = /usr/local/samba/bin/smbldap-useradd -n -d /dev/null -s /bin/false -w "%m"
  ldap admin dn = "cn=Directory Manager"
  ldap group suffix = ou=groups
  ldap idmap suffix = ou=idmap
  ldap machine suffix = ou=computers
  ldap suffix = dc=mydomain,dc=com
  ldap ssl = no
  ldap user suffix = ou=people
  idmap backend = ldapsam:ldap://myldapserver
  idmap uid = 1-3
  idmap gid = 1-3

smb-ldap.conf

  suffix="dc=mydomain,dc=com"
  usersdn="ou=People,${suffix}"
  computersdn="ou=computers,${suffix}"
  groupsdn="ou=Groups,${suffix}"
  idmapdn="ou=idmap,${suffix}"
  sambaUnixIdPooldn="sambaDomainName=LDAPAUTH,${suffix}"

thank you.

> Still can't figure this one out.
>
> I get
>
> Error: Insufficient 'write' privilege to the 'uidNumber' attribute of
> entry 'sambadomainname=ldapauth,dc=mydomain,dc=com'.[2006/05/09 10:29:16,
> 0] rpc_server/srv_samr_nt.c:(2415)
> _samr_create_user: Running the command
> `/usr/local/samba/bin/smbldap-useradd -n -g machines -c Machine -d
> /dev/null -s /bin/false computer$' gave 1
>
> when trying to join the domain from a WinXP workstation.
>
> But if I run this manually
>
> /usr/local/samba/bin/smbldap-useradd -w machine$
>
> the machine$ computer account gets created exactly where it's expected, under
> ou=computers. Why isn't the default action creating machine
> accounts with the -w switch? Do I misunderstand something?
>
> If simply browsing shares, all windows auth. works fine via ldap.
>
> thank you all.
Re: [Samba] samba ldap domain join
Still can't figure this one out.

I get

  Error: Insufficient 'write' privilege to the 'uidNumber' attribute of entry 'sambadomainname=ldapauth,dc=mydomain,dc=com'.[2006/05/09 10:29:16, 0] rpc_server/srv_samr_nt.c:(2415)
  _samr_create_user: Running the command `/usr/local/samba/bin/smbldap-useradd -n -g machines -c Machine -d /dev/null -s /bin/false computer$' gave 1

when trying to join the domain from a WinXP workstation.

But if I run this manually

  /usr/local/samba/bin/smbldap-useradd -w machine$

the machine$ computer account gets created exactly where it's expected, under ou=computers. Why isn't the default action creating machine accounts with the -w switch? Do I misunderstand something?

If simply browsing shares, all windows auth. works fine via ldap.

thank you all.

> All LDAP authentication works just fine,
> windows passwords can be set for LDAP users. Windows workstations can connect
> to the machine's shares using windows passwords stored in LDAP.
>
> LDAP tools are configured with the right LDAP credentials and DN settings,
> for people and computers. The logs show authenticated connections with
> Directory Manager's credentials, but the computer accounts don't get
> created.
>
> Any advice?
>
> This seems to be the last issue I need to get fixed.
>
> Error: Insufficient 'write' privilege to the 'uidNumber' attribute of
> entry 'sambadomainname=ldapauth,dc=mydomain,dc=com'.[2006/05/04 10:15:17,
> 0] rpc_server/srv_samr_nt.c:(2415)
> _samr_create_user: Running the command
> `/usr/local/samba/bin/smbldap-useradd -n -g machines -c Machine -d
> /dev/null -s /bin/false computer$' gave 1
[Samba] samba ldap domain join
All LDAP authentication works just fine, windows passwords can be set for LDAP users. Windows workstations can connect to the machine's shares using windows passwords stored in LDAP.

LDAP tools are configured with the right LDAP credentials and DN settings, for people and computers. The logs show authenticated connections with Directory Manager's credentials, but the computer accounts don't get created.

Any advice?

This seems to be the last issue I need to get fixed.

  Error: Insufficient 'write' privilege to the 'uidNumber' attribute of entry 'sambadomainname=ldapauth,dc=mydomain,dc=com'.[2006/05/04 10:15:17, 0] rpc_server/srv_samr_nt.c:(2415)
  _samr_create_user: Running the command `/usr/local/samba/bin/smbldap-useradd -n -g machines -c Machine -d /dev/null -s /bin/false computer$' gave 1