LDAP+Samba Authentication problem

Message

thedd · Post by **thedd** » Fri Jan 27, 2006 3:44 pm

Hi all!

I have followed the guide on http://gentoo-wiki.com/HOWTO_LDAP_SAMBA_PDC

I did

smbldap-populate

and it worked fine
I did

Code: Select all

smbldap-useradd -a -m -P testuser

and that also worked out fine.

but!

when I try to login on my PDC using

Code: Select all

net join MYDOMAIN -U testuser

i get this

Code: Select all

Creation of workstation account failed
Unable to join domain FEST.

and my samba log says:

Code: Select all

[2006/01/27 16:41:34, 0] rpc_server/srv_netlog_nt.c:get_md4pw(244)
  get_md4pw: Workstation ECHELON$: no account in domain
[2006/01/27 16:41:36, 1] auth/auth_util.c:make_server_info_sam(840)
  User testuser in passdb, but getpwnam() fails!
[2006/01/27 16:41:36, 0] auth/auth_sam.c:check_sam_security(324)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
Error: modifications require authentication at /usr/sbin//smbldap_tools.pm line 1005.
[2006/01/27 16:41:37, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
  _samr_create_user: Running the command `smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false 'echelon$'' gave 1

Please help me with this as I have googled for hours to no avail...

steveb · Post by **steveb** » Sat Jan 28, 2006 12:43 am

This looks strange to me:

Code: Select all

  _samr_create_user: Running the command `smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false 'echelon$'' gave 1

Could you post your smb.conf? It looks like you have a typo there (see the '' at the end of your machine name?).

cheers

SteveB

thedd · Post by **thedd** » Sat Jan 28, 2006 11:23 am

steveb wrote:This looks strange to me:
Code: Select all
  _samr_create_user: Running the command `smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false 'echelon$'' gave 1
Could you post your smb.conf? It looks like you have a typo there (see the '' at the end of your machine name?).

cheers

SteveB

you mean the $ sign?
that is meant to be there. I have tried to run this command manually with success, so the command should work.
anyhow, I could paste my testparm output...

Code: Select all

Load smb config files from /etc/samba/smb.conf
Processing section "[ftp]"
Processing section "[incoming]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

# Global parameters
[global]
        dos charset = 850
        unix charset = ISO8859-15
        workgroup = FEST
        server string = echelon PDC server [on Gentoo :: Samba server %v]
        interfaces = lo, eth0
        bind interfaces only = Yes
        map to guest = Bad User
        passdb backend = ldapsam:ldaps://127.0.0.1/
        enable privileges = Yes
        name resolve order = wins lmhosts host bcast
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        add user script = /usr/share/samba/scripts/smbldap-useradd.pl '%u'
        add group script = /usr/share/samba/scripts/smbldap-groupadd.pl '%g' &&               /usr/share/samba/scripts/smbldap-groupshow.pl %g|awk '/^gidNumber:/ {print $2}'
        add user to group script = /usr/share/samba/scripts/smbldap-groupmod.pl               -m '%u' '%g'
        set primary group script = /usr/share/samba/scripts/smbldap-usermod.pl -              g '%g' '%u'
        add machine script = smbldap-useradd -w -d /dev/null -c 'Machine Account              ' -s /bin/false '%u'
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
        ldap admin dn = cn=manager,dc=ted,dc=keso,dc=net
        ldap group suffix = ou=Group
        ldap machine suffix = ou=Hosts
        ldap suffix = dc=ted,dc=keso,dc=net
        ldap user suffix = ou=Users
        admin users = root
        case sensitive = Yes
        hide unreadable = Yes

[ftp]
        comment = the ftp
        path = /mnt/ted.keso.net
        valid users = ted, pingu, emil
        write list = @users
        read only = No
        create mask = 0664

[incoming]
        comment = incoming
        path = /mnt/ted.keso.net/incoming
        guest ok = Yes

the

Code: Select all

net join MYDOMAIN -U testuser

line in my previous message should be

Code: Select all

net join FEST -U testuser

thanks /ted

steveb · Post by **steveb** » Sat Jan 28, 2006 12:50 pm

No. The $ is okay. But the double ' at the end of the command is not okay.

This is not okay:

Code: Select all

smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false 'echelon$''

This is okay:

Code: Select all

smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false 'echelon$'

Why is the '' after the $ there? It should not be there.

cheers

SteveB

thedd · Post by **thedd** » Sat Jan 28, 2006 9:46 pm

steveb wrote:No. The $ is okay. But the double ' at the end of the command is not okay.

This is not okay:
Code: Select all
smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false 'echelon$''
This is okay:
Code: Select all
smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false 'echelon$'
Why is the '' after the $ there? It should not be there.

cheers

SteveB

that is part of the log message.
`smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false 'echelon$''
starts with ` and ends with '

Is there anyone out there who could give me a hint on what is wrong here?

thedd · Post by **thedd** » Sun Jan 29, 2006 9:39 pm

bump...

Po0ky · Post by **Po0ky** » Mon Jan 30, 2006 7:37 am

I noticed you run the /usr/share/samba/scripts/smbldap... scripts on most of the commands except the machine add one. Is this for a special reason?
What happens if you run the command manually?

thedd · Post by **thedd** » Mon Jan 30, 2006 9:25 am

Po0ky wrote:I noticed you run the /usr/share/samba/scripts/smbldap... scripts on most of the commands except the machine add one. Is this for a special reason?
What happens if you run the command manually?

all the scripts are on the PATH, so it works either way.
yes, I have tried to run it manually, and it works fine...

Po0ky · Post by **Po0ky** » Mon Jan 30, 2006 10:16 am

I personally never got the add machine script to work. Development on the smbldap tools is quit low.
I started using lam (ldap account manager, http://lam.sf.net) and add machines manually before I try to let them join the domain.

Maybe this aint an option for you. In that case, maybe you should consider writing your own script that adds machines to the ldap.

thedd · Post by **thedd** » Wed Feb 01, 2006 11:06 pm

why can't samba add users/machines/etc on its own?
why do it need to rely on external scripts?

the authentication is done "natively" by samba, so why not the adding of users, machines etc??

do people normally use the IDEALX scripts? or am I going in the wrong direction here?
the HowTo tells me to do it, and it seems quite up to date..

I need some guideance here.

steveb · Post by **steveb** » Thu Feb 02, 2006 1:01 am

I have done serval setups with Red Hat Enterprise Linux 4.x and the Idealx LDAP tools and all of them do automaticly add the machine when the user tries to connect to Samba.

I don't know why your setup does not add the user automaticly.

cheers

SteveB

thedd · Post by **thedd** » Thu Feb 02, 2006 1:02 am

ok, I have solved one problem now..
I found out that I need to login with the root user in order for samba to be able to add a new machine..
so now when I login with root I don't get the error message "gave 1" in my samba log.
BUT... I still get the "Creation of workstation account failed" from the net command.
like this:

Code: Select all

#net join FEST -U root
Password:
Creation of workstation account failed
Unable to join domain FEST.

so now the remaining part of my question is..
why do I get "Creation of workstation account failed" when I try to join my domain?
when I look in my ldap the workstation DID get created, but for some reason samba thinks something went wrong..

Po0ky · Post by **Po0ky** » Thu Feb 02, 2006 11:01 am

Check your ldap server for the machine records... You should have some that are hostname$ with the dollar sign behind them. I had the same problem and solved it by changing some values to hostname without the $ sign. I don't know by heart which ones, but will check tomorrow at work.

You might wanna try removing the dollar sign in the cn directive.

eyexer0 · Post by **eyexer0** » Fri Aug 18, 2006 1:40 am

do you guys have any ideas on my problem? I can't even get openldap to compile I get an error I made a post about it but no one seems to have a clue..

http://forums.gentoo.org/viewtopic-p-35 ... ml#3514586

kahler · Post by **kahler** » Mon Apr 30, 2007 9:34 pm

I had the same problem when my sambaUnixIdPooldn entry was set to the wrong value.