thedd n00b
Joined: 01 Jul 2003 Posts: 20 Location: sweden
|
Posted: Fri Jan 27, 2006 3:44 pm Post subject: LDAP+Samba Authentication problem |
|
|
Hi all!
I have followed the guide on http://gentoo-wiki.com/HOWTO_LDAP_SAMBA_PDC
I did and it worked fine
I did Code: | smbldap-useradd -a -m -P testuser | and that also worked out fine.
but!
when I try to login on my PDC using Code: | net join MYDOMAIN -U testuser | I get this
Code: | Creation of workstation account failed
Unable to join domain FEST. |
and my samba log says:
Code: | [2006/01/27 16:41:34, 0] rpc_server/srv_netlog_nt.c:get_md4pw(244)
get_md4pw: Workstation ECHELON$: no account in domain
[2006/01/27 16:41:36, 1] auth/auth_util.c:make_server_info_sam(840)
User testuser in passdb, but getpwnam() fails!
[2006/01/27 16:41:36, 0] auth/auth_sam.c:check_sam_security(324)
check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
Error: modifications require authentication at /usr/sbin//smbldap_tools.pm line 1005.
[2006/01/27 16:41:37, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
_samr_create_user: Running the command `smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false 'echelon$'' gave 1 |
Please help me with this as I have googled for hours to no avail... _________________ ted. |
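An added example, not part of the original post: a shell script that pulls the account names out of the two failure lines in the log above and checks whether each one resolves through NSS, which is the lookup getpwnam() performs. The function names and the embedded sample log are constructed for illustration; it assumes `getent` is available on the server.

```shell
#!/bin/sh
# Constructed sample: the two account-related failure entries from the log above.
SAMPLE_LOG='[2006/01/27 16:41:34, 0] rpc_server/srv_netlog_nt.c:get_md4pw(244)
  get_md4pw: Workstation ECHELON$: no account in domain
[2006/01/27 16:41:36, 1] auth/auth_util.c:make_server_info_sam(840)
  User testuser in passdb, but getpwnam() fails!'

# Read a Samba log on stdin and print each account name mentioned in
# the two failure messages, one per line (hypothetical helper name).
extract_failed_accounts() {
    sed -n \
        -e 's/^.*Workstation \([^ ]*\): no account in domain.*$/\1/p' \
        -e 's/^.*User \([^ ]*\) in passdb, but getpwnam() fails.*$/\1/p'
}

# Succeed if the name resolves through NSS (files, LDAP, ... as configured
# in nsswitch.conf); this is the same lookup getpwnam() does.
resolves_in_nss() {
    getent passwd "$1" >/dev/null 2>&1
}

# Read a log on stdin and report, per account, whether NSS can resolve it.
report_accounts() {
    extract_failed_accounts | sort -u | while IFS= read -r name; do
        # Also try the lower-case form: the add machine script in this
        # thread is invoked with 'echelon$' while the log prints ECHELON$.
        lower=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]')
        if resolves_in_nss "$name" || resolves_in_nss "$lower"; then
            printf '%s: resolves via NSS\n' "$name"
        else
            printf '%s: NOT resolvable via NSS\n' "$name"
        fi
    done
}

# Demo on the constructed sample; on a real server, feed the smbd log instead.
printf '%s\n' "$SAMPLE_LOG" | report_accounts
```

An account that exists in the LDAP passdb but is reported as not resolvable here is the condition the "in passdb, but getpwnam() fails!" line describes.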
steveb Advocate
Joined: 18 Sep 2002 Posts: 4564
|
Posted: Sat Jan 28, 2006 12:43 am Post subject: |
|
|
This looks strange to me: Code: | _samr_create_user: Running the command `smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false 'echelon$'' gave 1 |
Could you post your smb.conf? It looks like you have a typo there (see the '' at the end of your machine name?).
cheers
SteveB |
thedd n00b
Joined: 01 Jul 2003 Posts: 20 Location: sweden
|
Posted: Sat Jan 28, 2006 11:23 am Post subject: |
|
|
steveb wrote: | This looks strange to me: Code: | _samr_create_user: Running the command `smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false 'echelon$'' gave 1 |
Could you post your smb.conf? It looks like you have a typo there (see the '' at the end of your machine name?).
cheers
SteveB |
you mean the $ sign?
that is meant to be there. I have tried to run this command manually with success, so the command should work.
anyhow, I could paste my testparm output...
Code: |
Load smb config files from /etc/samba/smb.conf
Processing section "[ftp]"
Processing section "[incoming]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
# Global parameters
[global]
dos charset = 850
unix charset = ISO8859-15
workgroup = FEST
server string = echelon PDC server [on Gentoo :: Samba server %v]
interfaces = lo, eth0
bind interfaces only = Yes
map to guest = Bad User
passdb backend = ldapsam:ldaps://127.0.0.1/
enable privileges = Yes
name resolve order = wins lmhosts host bcast
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/share/samba/scripts/smbldap-useradd.pl '%u'
add group script = /usr/share/samba/scripts/smbldap-groupadd.pl '%g' && /usr/share/samba/scripts/smbldap-groupshow.pl %g|awk '/^gidNumber:/ {print $2}'
add user to group script = /usr/share/samba/scripts/smbldap-groupmod.pl -m '%u' '%g'
set primary group script = /usr/share/samba/scripts/smbldap-usermod.pl - g '%g' '%u'
add machine script = smbldap-useradd -w -d /dev/null -c 'Machine Account ' -s /bin/false '%u'
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap admin dn = cn=manager,dc=ted,dc=keso,dc=net
ldap group suffix = ou=Group
ldap machine suffix = ou=Hosts
ldap suffix = dc=ted,dc=keso,dc=net
ldap user suffix = ou=Users
admin users = root
case sensitive = Yes
hide unreadable = Yes
[ftp]
comment = the ftp
path = /mnt/ted.keso.net
valid users = ted, pingu, emil
write list = @users
read only = No
create mask = 0664
[incoming]
comment = incoming
path = /mnt/ted.keso.net/incoming
guest ok = Yes
|
the
Code: | net join MYDOMAIN -U testuser |
line in my previous message should be
Code: | net join FEST -U testuser |
thanks /ted _________________ ted. |
steveb Advocate
Joined: 18 Sep 2002 Posts: 4564
|
Posted: Sat Jan 28, 2006 12:50 pm Post subject: |
|
|
No. The $ is okay. But the double ' at the end of the command is not okay.
This is not okay: Code: | smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false 'echelon$'' |
This is okay: Code: | smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false 'echelon$' |
Why is the '' after the $ there? It should not be there.
cheers
SteveB |
thedd n00b
Joined: 01 Jul 2003 Posts: 20 Location: sweden
|
Posted: Sat Jan 28, 2006 9:46 pm Post subject: |
|
|
steveb wrote: | No. The $ is okay. But the double ' at the end of the command is not okay.
This is not okay: Code: | smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false 'echelon$'' |
This is okay: Code: | smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false 'echelon$' |
Why is the '' after the $ there? It should not be there.
cheers
SteveB |
that is part of the log message.
`smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false 'echelon$''
starts with ` and ends with '
Is there anyone out there who could give me a hint on what is wrong here? _________________ ted. |
thedd n00b
Joined: 01 Jul 2003 Posts: 20 Location: sweden
|
Posted: Sun Jan 29, 2006 9:39 pm Post subject: |
|
|
bump... _________________ ted. |
Po0ky Tux's lil' helper
Joined: 21 Apr 2005 Posts: 142 Location: Belgium
|
Posted: Mon Jan 30, 2006 7:37 am Post subject: |
|
|
I noticed you run the /usr/share/samba/scripts/smbldap... scripts on most of the commands except the machine add one. Is this for a special reason?
What happens if you run the command manually? _________________ -- I'll eat it-- |
thedd n00b
Joined: 01 Jul 2003 Posts: 20 Location: sweden
|
Posted: Mon Jan 30, 2006 9:25 am Post subject: |
|
|
Po0ky wrote: | I noticed you run the /usr/share/samba/scripts/smbldap... scripts on most of the commands except the machine add one. Is this for a special reason?
What happens if you run the command manually? |
all the scripts are on the PATH, so it works either way.
yes, I have tried to run it manually, and it works fine... _________________ ted. |
Po0ky Tux's lil' helper
Joined: 21 Apr 2005 Posts: 142 Location: Belgium
|
Posted: Mon Jan 30, 2006 10:16 am Post subject: |
|
|
I personally never got the add machine script to work. Development on the smbldap tools is quite low.
I started using lam (ldap account manager, http://lam.sf.net) and add machines manually before I try to let them join the domain.
Maybe this ain't an option for you. In that case, maybe you should consider writing your own script that adds machines to the ldap. _________________ -- I'll eat it-- |
thedd n00b
Joined: 01 Jul 2003 Posts: 20 Location: sweden
|
Posted: Wed Feb 01, 2006 11:06 pm Post subject: |
|
|
why can't samba add users/machines/etc on its own?
why does it need to rely on external scripts?
the authentication is done "natively" by samba, so why not the adding of users, machines etc??
do people normally use the IDEALX scripts? or am I going in the wrong direction here?
the HowTo tells me to do it, and it seems quite up to date..
I need some guidance here. _________________ ted. |
steveb Advocate
Joined: 18 Sep 2002 Posts: 4564
|
Posted: Thu Feb 02, 2006 1:01 am Post subject: |
|
|
I have done several setups with Red Hat Enterprise Linux 4.x and the Idealx LDAP tools and all of them do automatically add the machine when the user tries to connect to Samba.
I don't know why your setup does not add the user automatically.
cheers
SteveB |
thedd n00b
Joined: 01 Jul 2003 Posts: 20 Location: sweden
|
Posted: Thu Feb 02, 2006 1:02 am Post subject: |
|
|
ok, I have solved one problem now..
I found out that I need to login with the root user in order for samba to be able to add a new machine..
so now when I login with root I don't get the error message "gave 1" in my samba log.
BUT... I still get the "Creation of workstation account failed" from the net command.
like this:
Code: |
#net join FEST -U root
Password:
Creation of workstation account failed
Unable to join domain FEST.
|
so now the remaining part of my question is..
why do I get "Creation of workstation account failed" when I try to join my domain?
when I look in my ldap the workstation DID get created, but for some reason samba thinks something went wrong.. _________________ ted. |
Po0ky Tux's lil' helper
Joined: 21 Apr 2005 Posts: 142 Location: Belgium
|
Posted: Thu Feb 02, 2006 11:01 am Post subject: |
|
|
Check your ldap server for the machine records... You should have some that are hostname$ with the dollar sign behind them. I had the same problem and solved it by changing some values to hostname without the $ sign. I don't know by heart which ones, but will check tomorrow at work.
You might wanna try removing the dollar sign in the cn directive. _________________ -- I'll eat it-- |
eyexer0 Tux's lil' helper
Joined: 13 Dec 2003 Posts: 75 Location: Fort Smith, Arkansas
|
kahler n00b
Joined: 01 Nov 2003 Posts: 62
|
Posted: Mon Apr 30, 2007 9:34 pm Post subject: |
|
|
I had the same problem when my sambaUnixIdPooldn entry was set to the wrong value. |