Re: [Samba] samba ldap domain join

2006-05-17 Thread lenny
still haven't found any resolution for this problem. I tried using a "-t"
parameter with smbldap-passwd, but that didn't make any difference. The
debug output still shows that it simply can't find the created computer
account, even though it creates it in the right ou.

I wish there was a way to not have to deal with computer accounts at all.

here's the relevant part of debug output. machine name is cia.

 Finding user cia$
  Trying _Get_Pwnam(), username as lowercase is cia$
  Checking combinations of 0 uppercase letters in cia$
  Get_Pwnam_internals didn't find user [cia$]!
  _samr_create_user: Running the command
`/usr/local/samba/sbin/smbldap-useradd -t 5 -n -d /dev/null -s
/bin/false -w "cia"' gave 0
  Finding user cia$
  Trying _Get_Pwnam(), username as lowercase is cia$
  Checking combinations of 0 uppercase letters in cia$
  Get_Pwnam_internals didn't find user [cia$]!
  cia (192.168.1.94) closed connection to service IPC$



some other relevant config parts (the actual config files have correct
DNs).

Domain Admins (S-1-5-21-572523613-314456280-397268875-512) -> sambaadmins
Domain Users (S-1-5-21-572523613-314456280-397268875-513) -> admins
Domain Guests (S-1-5-21-572523613-314456280-397268875-514) -> users
Domain Computers (S-1-5-21-572523613-314456280-397268875-515) -> guests


init_sam_from_ldap: Entry found for user: administrator
Home server: brutus
Home server: brutus
---
Unix username:administrator
NT username:  administrator
Account Flags:[U  ]
User SID: S-1-5-21-572523613-314456280-397268875-500
Primary Group SID:S-1-5-21-572523613-314456280-397268875-1041
Full Name:administrator
Home Directory:   \\brutus\administrator
HomeDir Drive:
Logon Script:
Profile Path: \\brutus\administrator\profile
Domain:   LDAPAUTH
Account desc:
Workstations:
Munged dial:
Logon time:   0
Logoff time:  Mon, 18 Jan 2038 22:14:07 EST
Kickoff time: Mon, 18 Jan 2038 22:14:07 EST
Password last set:Mon, 15 May 2006 10:00:52 EDT
Password can change:  Mon, 08 May 2006 14:39:02 EDT
Password must change: Mon, 18 Jan 2038 22:14:07 EST
Last bad password   : 0
Bad password count  : 0
Logon hours : FF

--

>
> smb.conf
>
>   add user script = /usr/local/samba/sbin/smbldap-useradd -n "%u"
>   add machine script = /usr/local/samba/sbin/smbldap-useradd -n -d
> /dev/null -s /bin/false -w "%m"
>
>   ldap suffix = dc=mydomain,dc=com
> ldap admin dn = "cn=Directory Manager"
> ldap group suffix = ou=groups,dc=mydomain,dc=com
> ldap idmap suffix = ou=idmap,dc=mydomain,dc=com
> ldap machine suffix =ou=computers,dc=mydomain,dc=com
> ldap ssl = no
> ldap user suffix = ou=people
> idmap backend = ldapsam:ldap://myldapserver
> idmap uid = 1-3
> idmap gid = 1-3

> smb-ldap.conf
>
> suffix="dc=mydomain,dc=com"
>
> usersdn="ou=People,${suffix}"
> computersdn="ou=computers,${suffix}"
> groupsdn="ou=Groups,${suffix}"
> idmapdn="ou=idmap,${suffix}"
> sambaUnixIdPooldn="sambaDomainName=LDAPAUTH,${suffix}"





-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba
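The debug output above shows two lookups failing in turn: the NSS getpwnam() of uid=cia$ and, later in the thread, Samba's passdb search (&(uid=computer$)(objectclass=sambaSamAccount)) over the whole suffix. As an added diagnostic (not code from the thread, Samba or smbldap-tools), the script below replays both lookups offline against an LDIF dump so an admin can see which requirement a machine entry fails; the sample entries, names and uid numbers are constructed.

```python
# Added diagnostic for this thread (not Samba or smbldap-tools code): replays offline
# the two lookups the debug output shows, the NSS getpwnam() of uid=NAME$ and the
# passdb search (&(uid=NAME$)(objectclass=sambaSamAccount)) over the whole suffix.
# Constructed sample LDIF: a computer entry of the shape the thread describes
# (no sambaSamAccount, no sambaSID) and one complete entry; values are made up.
SAMPLE_LDIF = """\
dn: uid=cia$,ou=computers,dc=mydomain,dc=com
objectClass: posixAccount
uid: cia$
uidNumber: 1003

dn: uid=good$,ou=Computers,dc=mydomain,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: good$
uidNumber: 1004
sambaSID: S-1-5-21-572523613-314456280-397268875-3009
"""

def parse_ldif(text):
    """Parse minimal LDIF (no base64, no folded lines) into attr->values dicts."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        key, _, val = line.partition(":")
        cur.setdefault(key.strip().lower(), []).append(val.strip())
    return entries

def check_machine_account(entries, name, base="dc=mydomain,dc=com"):
    """Return the problems Samba would hit looking up machine `name`; [] if none."""
    uid = name.lower().rstrip("$") + "$"   # debug shows Samba trying lowercase first
    # DN comparison ignores case of attribute types and of ou values (ou=People == ou=people)
    hits = [e for e in entries
            if uid in [u.lower() for u in e.get("uid", [])]
            and e["dn"][0].lower().endswith(base.lower())]
    if not hits:
        return ["no entry with uid=%s under %s: getpwnam() fails" % (uid, base)]
    e, oc = hits[0], {o.lower() for o in hits[0].get("objectclass", [])}
    problems = []
    if "posixaccount" not in oc or "uidnumber" not in e:
        problems.append("not a posixAccount with uidNumber: getpwnam() fails")
    if "sambasamaccount" not in oc:
        problems.append("no objectClass sambaSamAccount: passdb filter never matches")
    if "sambasid" not in e:
        problems.append("no sambaSID: Samba cannot map the account to a SID")
    return problems
```

Run it against a real export (ldapsearch -LLL output of the suffix) and a machine name to get the same verdict for a live entry.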


Re: [Samba] samba ldap domain join

2006-05-11 Thread lenny

> You don't need to give anonymous write access.
> You just need to give the ldap admin you set in smb.conf write access to
> the tree and properly set the ldap password with smbpasswd -w
>
Thank you, but this isn't really the issue for me right now. The rest of
the message described the problem I can't figure out.
By the way, I had smbpasswd -w set to Directory Manager's credentials
all the time, but I was getting
Insufficient 'write' privilege to the 'uidNumber' attribute of
entry 'sambadomainname
and Insufficient add privileges for ou=computers, until I just made both
objects writable by anyone. Anyway, this is working right now and I'll
deal with security implications later, but joining the domain still
produces errors that I described below. Maybe it's worth mentioning that
I use Sun ONE Directory 5.2, not OpenLDAP?


It seems that even though the machine accounts get created upon successful
authentication, it fails to find that same machine account during the same
or another operation to actually join the domain.
The search string it uses has objectclass=sambaSamAccount. Apparently, the
newly created machine account doesn't have that object class. Also there's
no sambasid entry for the machine account (not sure if it needs one, but
if sambaSamAccount requires that, I guess it does?)

In addition to that, the search base it uses to look for the machine
accounts only has the parent suffix, without the "ou=computers".

Samba user accounts can be added with smbpasswd and all the sids,
passwords and other attributes are set correctly.

Another issue is that the idmap ou doesn't seem to get populated with any
entries at all, but I also don't know if it should be.



base => [dc=mydomain,dc=com]

[(&(uid=computer$)(objectclass=sambaSamAccount))]


smb.conf

  add user script = /usr/local/samba/bin/smbldap-useradd -n "%u"
  add machine script = /usr/local/samba/bin/smbldap-useradd -n -d
/dev/null -s /bin/false -w "%m"

ldap admin dn = "cn=Directory Manager"
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=computers
ldap suffix = dc=mydomain,dc=com
ldap ssl = no
ldap user suffix = ou=people
idmap backend = ldapsam:ldap://myldapserver
idmap uid = 1-3
idmap gid = 1-3



smb-ldap.conf

suffix="dc=mydomain,dc=com"

usersdn="ou=People,${suffix}"
computersdn="ou=computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=LDAPAUTH,${suffix}"







Re: [Samba] samba ldap domain join

2006-05-11 Thread simo
On Thu, 2006-05-11 at 10:52 -0400, [EMAIL PROTECTED] wrote:
> I got passed this by permitting anonymous writes to sambadomain
> and ou=computers in LDAP ( not ideal, but I really want this to work
> already ). Now I'm running into another problem.

You don't need to give anonymous write access.
You just need to give the ldap admin you set in smb.conf write access to
the tree and properly set the ldap password with smbpasswd -w

Simo.

-- 
Simo Sorce
Samba Team GPL Compliance Officer
email: [EMAIL PROTECTED]
http://samba.org



Re: [Samba] samba ldap domain join

2006-05-11 Thread lenny
I got past this by permitting anonymous writes to sambadomain
and ou=computers in LDAP (not ideal, but I really want this to work
already). Now I'm running into another problem.

It seems that even though the machine accounts get created upon successful
authentication, it fails to find that same machine account during the same
or another operation to actually join the domain.
The search string it uses has objectclass=sambaSamAccount. Apparently, the
newly created machine account doesn't have that object class. Also there's
no sambasid entry for the machine account (not sure if it needs one, but
if sambaSamAccount requires that, I guess it does?)

In addition to that, the search base it uses to look for the machine
accounts only has the parent suffix, without the "ou=computers".

Samba user accounts can be added with smbpasswd and all the sids,
passwords and other attributes are set correctly.

Another issue is that the idmap ou doesn't seem to get populated with any
entries at all, but I also don't know if it should be.



base => [dc=mydomain,dc=com]

[(&(uid=computer$)(objectclass=sambaSamAccount))]


smb.conf

  add user script = /usr/local/samba/bin/smbldap-useradd -n "%u"
  add machine script = /usr/local/samba/bin/smbldap-useradd -n -d
/dev/null -s /bin/false -w "%m"

ldap admin dn = "cn=Directory Manager"
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=computers
ldap suffix = dc=mydomain,dc=com
ldap ssl = no
ldap user suffix = ou=people
idmap backend = ldapsam:ldap://myldapserver
idmap uid = 1-3
idmap gid = 1-3



smb-ldap.conf

suffix="dc=mydomain,dc=com"

usersdn="ou=People,${suffix}"
computersdn="ou=computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=LDAPAUTH,${suffix}"

thank you.







> Still can't figure this one out.
>
> I get
>
> Error: Insufficient 'write' privilege to the 'uidNumber' attribute of
> entry 'sambadomainname=ldapauth,dc=mydomain,dc=com'.[2006/05/09 10:29:16,
> 0] rpc_server/srv_samr_nt.c:(2415)
>   _samr_create_user: Running the command
> `/usr/local/samba/bin/smbldap-useradd -n -g machines -c Machine -d
> /dev/null -s /bin/false computer$' gave 1
>
> when trying to join the domain from WinXP workstation.
>
> but if I run this manually
>  /usr/local/samba/bin/smbldap-useradd -w machine$
>
> machine$ computer account gets created exactly where it's expected, under
> ou=computers. Why isn't the default action creating machine
> accounts with the -w switch? Do I misunderstand something?
>
>
> If simply browsing shares all windows auth. works fine via ldap.
>
> thank you all.
>
>
>


Re: [Samba] samba ldap domain join

2006-05-09 Thread lenny
Still can't figure this one out.

I get

Error: Insufficient 'write' privilege to the 'uidNumber' attribute of
entry 'sambadomainname=ldapauth,dc=mydomain,dc=com'.[2006/05/09 10:29:16,
0] rpc_server/srv_samr_nt.c:(2415)
  _samr_create_user: Running the command
`/usr/local/samba/bin/smbldap-useradd -n -g machines -c Machine -d
/dev/null -s /bin/false computer$' gave 1

when trying to join the domain from WinXP workstation.

but if I run this manually
 /usr/local/samba/bin/smbldap-useradd -w machine$

machine$ computer account gets created exactly where it's expected, under
ou=computers. Why isn't the default action creating machine
accounts with the -w switch? Do I misunderstand something?


If simply browsing shares all windows auth. works fine via ldap.

thank you all.



>
> All LDAP authentication works just fine,
> windows passwords can be set for LDAP users. Windows workstations can connect
> to the machine's shares using windows passwords stored in LDAP.
>
> LDAP tools are configured with the right LDAP credentials and DN settings,
> for people and computers. The logs show authenticated connections with
> Directory Manager's credentials, but the computer accounts don't get
> created.
>
> Any advice?
>
> This seems to be the last issue I need to get fixed.
>
> Error: Insufficient 'write' privilege to the 'uidNumber' attribute of
> entry 'sambadomainname=ldapauth,dc=mydomain,dc=com'.[2006/05/04 10:15:17,
> 0] rpc_server/srv_samr_nt.c:(2415)
>   _samr_create_user: Running the command
> `/usr/local/samba/bin/smbldap-useradd -n -g machines -c Machine -d
> /dev/null -s /bin/false computer$' gave 1
>


[Samba] samba ldap domain join

2006-05-04 Thread lenny

All LDAP authentication works just fine,
windows passwords can be set for LDAP users. Windows workstations can connect
to the machine's shares using windows passwords stored in LDAP.

LDAP tools are configured with the right LDAP credentials and DN settings,
for people and computers. The logs show authenticated connections with
Directory Manager's credentials, but the computer accounts don't get
created.

Any advice?

This seems to be the last issue I need to get fixed.

Error: Insufficient 'write' privilege to the 'uidNumber' attribute of
entry 'sambadomainname=ldapauth,dc=mydomain,dc=com'.[2006/05/04 10:15:17,
0] rpc_server/srv_samr_nt.c:(2415)
  _samr_create_user: Running the command
`/usr/local/samba/bin/smbldap-useradd -n -g machines -c Machine -d
/dev/null -s /bin/false computer$' gave 1

