Gentoo Forums :: Networking & Security
LDAP+Samba Authentication problem
thedd (n00b; Joined: 01 Jul 2003; Posts: 20; Location: sweden)
Posted: Fri Jan 27, 2006 3:44 pm    Post subject: LDAP+Samba Authentication problem

Hi all!

I have followed the guide on http://gentoo-wiki.com/HOWTO_LDAP_SAMBA_PDC

I did
Code:
smbldap-populate
and it worked fine
I did
Code:
smbldap-useradd -a -m -P testuser
and that also worked out fine.

but!

when I try to login on my PDC using
Code:
net join MYDOMAIN -U testuser
I get this
Code:
Creation of workstation account failed
Unable to join domain FEST.


and my samba log says:
Code:
[2006/01/27 16:41:34, 0] rpc_server/srv_netlog_nt.c:get_md4pw(244)
  get_md4pw: Workstation ECHELON$: no account in domain
[2006/01/27 16:41:36, 1] auth/auth_util.c:make_server_info_sam(840)
  User testuser in passdb, but getpwnam() fails!
[2006/01/27 16:41:36, 0] auth/auth_sam.c:check_sam_security(324)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
Error: modifications require authentication at /usr/sbin//smbldap_tools.pm line 1005.
[2006/01/27 16:41:37, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
  _samr_create_user: Running the command `smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false 'echelon$'' gave 1


Please help me with this as I have googled for hours to no avail... :(
_________________
ted.
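The log excerpt above carries three separate signatures (NSS cannot resolve the user, the smbldap script could not bind with write access, the add machine script exited 1), and it is easy to chase the wrong one. The following is an added example, not code from the thread, from Samba or from smbldap-tools: it parses smbd's record format (header line plus indented message lines, with script stderr passed through unindented), matches each record against those signatures and reduces them to one likely cause. The sample log is the poster's excerpt reconstructed inline as test input; the hints encode what the thread concludes later (joining as root makes the script succeed) together with the Samba 3 rule that, with `enable privileges = Yes`, smbd runs `add machine script` as root only for users holding SeMachineAccountPrivilege.

```python
"""Classify smbd log records for the domain-join failures seen in this thread.

Added example, not code from the thread or from Samba/smbldap-tools.
"""
import re
from typing import Dict, List

# smbd record header: "[YYYY/MM/DD HH:MM:SS, level] file:function(line)", followed by
# indented message lines. Unindented lines without a header are stderr of a script
# smbd ran (here: smbldap-useradd via 'add machine script').
HEADER = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] "
    r"(?P<file>\S+):(?P<func>\w+)\((?P<line>\d+)\)\s*$"
)

# (key, pattern, hint); patterns run against each record's joined message text.
CHECKS = [
    ("no_machine_account", re.compile(r"Workstation (\S+): no account in domain"),
     "no trust account exists yet for this workstation; the join must create it"),
    ("getpwnam_fails", re.compile(r"User (\S+) in passdb, but getpwnam\(\) fails"),
     "ldapsam found the user but NSS cannot resolve it: check nss_ldap / nsswitch.conf "
     "and that the entry has posixAccount with uidNumber and gidNumber"),
    ("auth_failed", re.compile(r"failed with '(NT_STATUS_\w+)'"),
     "the joining user's logon was rejected with the status above"),
    ("ldap_bind_refused", re.compile(r"modifications require authentication"),
     "smbldap-useradd bound to LDAP without write credentials; it must be able to read "
     "smbldap_bind.conf, which is normally root-only"),
    ("script_exit", re.compile(r"Running the command `(.*)' gave (\d+)"),
     "'add machine script' exited non-zero (command and status captured in detail)"),
]

# The poster's log excerpt, reconstructed inline as constructed test input.
SAMPLE_LOG = """\
[2006/01/27 16:41:34, 0] rpc_server/srv_netlog_nt.c:get_md4pw(244)
  get_md4pw: Workstation ECHELON$: no account in domain
[2006/01/27 16:41:36, 1] auth/auth_util.c:make_server_info_sam(840)
  User testuser in passdb, but getpwnam() fails!
[2006/01/27 16:41:36, 0] auth/auth_sam.c:check_sam_security(324)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
Error: modifications require authentication at /usr/sbin//smbldap_tools.pm line 1005.
[2006/01/27 16:41:37, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
  _samr_create_user: Running the command `smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false 'echelon$'' gave 1
"""


def parse_samba_log(text: str) -> List[Dict[str, str]]:
    """Group smbd log lines into records {ts, level, file, func, line, msg}.
    Script output smbd passed through untouched becomes a record with func='script-output'."""
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = HEADER.match(raw)
        if m:
            rec = m.groupdict()
            rec["msg"] = ""
            records.append(rec)
        elif raw.startswith(" ") and records:
            rec = records[-1]
            rec["msg"] = (rec["msg"] + " " + raw.strip()).strip()
        else:
            records.append({"ts": "", "level": "", "file": "", "line": "",
                            "func": "script-output", "msg": raw.strip()})
    return records


def diagnose(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run every check against every record; findings come back in log order."""
    findings: List[Dict[str, object]] = []
    for rec in records:
        for key, pattern, hint in CHECKS:
            m = pattern.search(rec["msg"])
            if m:
                findings.append({"key": key, "func": rec["func"],
                                 "detail": m.groups(), "hint": hint})
    return findings


def likely_cause(findings: List[Dict[str, object]]) -> str:
    """Reduce findings to the most actionable cause, most specific first."""
    keys = {f["key"] for f in findings}
    if "script_exit" in keys and "ldap_bind_refused" in keys:
        return ("add machine script ran without LDAP write credentials: join as root, "
                "or grant the joining user SeMachineAccountPrivilege so smbd runs the "
                "script as root")
    if "script_exit" in keys:
        status = next(f["detail"][1] for f in findings if f["key"] == "script_exit")
        return f"add machine script failed with exit status {status}; run it by hand as root"
    if "getpwnam_fails" in keys:
        return "NSS cannot see LDAP users; fix nss_ldap before retrying the join"
    if "auth_failed" in keys:
        return "joining user could not log on to the PDC"
    return "no known failure signature found"


if __name__ == "__main__":
    recs = parse_samba_log(SAMPLE_LOG)
    for f in diagnose(recs):
        print(f"{f['func']:>22}  {f['key']:<20} {f['hint']}")
    print("likely cause:", likely_cause(diagnose(recs)))
```

Feed it `tail -n 200 /var/log/samba/log.smbd` (path is an assumption; use whatever `log file` in smb.conf points at) captured around one join attempt. The command in the `script_exit` detail is exactly what smbd ran, so re-running it by hand as root and then as the joining user is the quickest way to confirm the credentials explanation.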
steveb (Advocate; Joined: 18 Sep 2002; Posts: 4564)
Posted: Sat Jan 28, 2006 12:43 am

This looks strange to me:
Code:
  _samr_create_user: Running the command `smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false 'echelon$'' gave 1


Could you post your smb.conf? It looks like you have a typo there (see the '' at the end of your machine name?).


cheers

SteveB
thedd (n00b; Joined: 01 Jul 2003; Posts: 20; Location: sweden)
Posted: Sat Jan 28, 2006 11:23 am

steveb wrote:
This looks strange to me:
Code:
  _samr_create_user: Running the command `smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false 'echelon$'' gave 1


Could you post your smb.conf? It looks like you have a typo there (see the '' at the end of your machine name?).


cheers

SteveB


you mean the $ sign?
that is meant to be there. I have tried to run this command manually with success, so the command should work.
anyhow, I could paste my testparm output...
Code:

Load smb config files from /etc/samba/smb.conf
Processing section "[ftp]"
Processing section "[incoming]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

# Global parameters
[global]
        dos charset = 850
        unix charset = ISO8859-15
        workgroup = FEST
        server string = echelon PDC server [on Gentoo :: Samba server %v]
        interfaces = lo, eth0
        bind interfaces only = Yes
        map to guest = Bad User
        passdb backend = ldapsam:ldaps://127.0.0.1/
        enable privileges = Yes
        name resolve order = wins lmhosts host bcast
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        add user script = /usr/share/samba/scripts/smbldap-useradd.pl '%u'
        add group script = /usr/share/samba/scripts/smbldap-groupadd.pl '%g' && /usr/share/samba/scripts/smbldap-groupshow.pl %g|awk '/^gidNumber:/ {print $2}'
        add user to group script = /usr/share/samba/scripts/smbldap-groupmod.pl -m '%u' '%g'
        set primary group script = /usr/share/samba/scripts/smbldap-usermod.pl -g '%g' '%u'
        add machine script = smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false '%u'
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
        ldap admin dn = cn=manager,dc=ted,dc=keso,dc=net
        ldap group suffix = ou=Group
        ldap machine suffix = ou=Hosts
        ldap suffix = dc=ted,dc=keso,dc=net
        ldap user suffix = ou=Users
        admin users = root
        case sensitive = Yes
        hide unreadable = Yes

[ftp]
        comment = the ftp
        path = /mnt/ted.keso.net
        valid users = ted, pingu, emil
        write list = @users
        read only = No
        create mask = 0664

[incoming]
        comment = incoming
        path = /mnt/ted.keso.net/incoming
        guest ok = Yes



the
Code:
net join MYDOMAIN -U testuser

line in my previous message should be
Code:
net join FEST -U testuser


thanks /ted
_________________
ted.
steveb (Advocate; Joined: 18 Sep 2002; Posts: 4564)
Posted: Sat Jan 28, 2006 12:50 pm

No. The $ is okay. But the double ' at the end of the command is not okay.

This is not okay:
Code:
smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false 'echelon$''


This is okay:
Code:
smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false 'echelon$'



Why is the '' after the $ there? It should not be there.

cheers

SteveB
thedd (n00b; Joined: 01 Jul 2003; Posts: 20; Location: sweden)
Posted: Sat Jan 28, 2006 9:46 pm

steveb wrote:
No. The $ is okay. But the double ' at the end of the command is not okay.

This is not okay:
Code:
smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false 'echelon$''


This is okay:
Code:
smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false 'echelon$'



Why is the '' after the $ there? It should not be there.

cheers

SteveB


that is part of the log message.
`smbldap-useradd -w -d /dev/null -c 'Machine Account' -s /bin/false 'echelon$''
starts with ` and ends with '

Is there anyone out there who could give me a hint on what is wrong here?
_________________
ted.
thedd (n00b; Joined: 01 Jul 2003; Posts: 20; Location: sweden)
Posted: Sun Jan 29, 2006 9:39 pm

bump...
_________________
ted.
Po0ky (Tux's lil' helper; Joined: 21 Apr 2005; Posts: 142; Location: Belgium)
Posted: Mon Jan 30, 2006 7:37 am

I noticed you run the /usr/share/samba/scripts/smbldap... scripts on most of the commands except the machine add one. Is this for a special reason?
What happens if you run the command manually?
_________________
-- I'll eat it--
thedd (n00b; Joined: 01 Jul 2003; Posts: 20; Location: sweden)
Posted: Mon Jan 30, 2006 9:25 am

Po0ky wrote:
I noticed you run the /usr/share/samba/scripts/smbldap... scripts on most of the commands except the machine add one. Is this for a special reason?
What happens if you run the command manually?


all the scripts are on the PATH, so it works either way.
yes, I have tried to run it manually, and it works fine...
_________________
ted.
Po0ky (Tux's lil' helper; Joined: 21 Apr 2005; Posts: 142; Location: Belgium)
Posted: Mon Jan 30, 2006 10:16 am

I personally never got the add machine script to work. Development on the smbldap tools is quite low.
I started using lam (ldap account manager, http://lam.sf.net) and add machines manually before I try to let them join the domain.

Maybe this isn't an option for you. In that case, maybe you should consider writing your own script that adds machines to the ldap.
_________________
-- I'll eat it--
thedd (n00b; Joined: 01 Jul 2003; Posts: 20; Location: sweden)
Posted: Wed Feb 01, 2006 11:06 pm

why can't samba add users/machines/etc on its own?
why does it need to rely on external scripts?

the authentication is done "natively" by samba, so why not the adding of users, machines etc??

do people normally use the IDEALX scripts? or am I going in the wrong direction here?
the HowTo tells me to do it, and it seems quite up to date..

I need some guidance here.
_________________
ted.
steveb (Advocate; Joined: 18 Sep 2002; Posts: 4564)
Posted: Thu Feb 02, 2006 1:01 am

I have done several setups with Red Hat Enterprise Linux 4.x and the Idealx LDAP tools and all of them do automatically add the machine when the user tries to connect to Samba.

I don't know why your setup does not add the user automatically.

cheers

SteveB
thedd (n00b; Joined: 01 Jul 2003; Posts: 20; Location: sweden)
Posted: Thu Feb 02, 2006 1:02 am

ok, I have solved one problem now..
I found out that I need to login with the root user in order for samba to be able to add a new machine..
so now when I login with root I don't get the error message "gave 1" in my samba log.
BUT... I still get the "Creation of workstation account failed" from the net command.
like this:

Code:

#net join FEST -U root
Password:
Creation of workstation account failed
Unable to join domain FEST.


so now the remaining part of my question is..
why do I get "Creation of workstation account failed" when I try to join my domain?
when I look in my ldap the workstation DID get created, but for some reason samba thinks something went wrong..
_________________
ted.
Po0ky (Tux's lil' helper; Joined: 21 Apr 2005; Posts: 142; Location: Belgium)
Posted: Thu Feb 02, 2006 11:01 am

Check your ldap server for the machine records... You should have some that are hostname$ with the dollar sign behind them. I had the same problem and solved it by changing some values to hostname without the $ sign. I don't know by heart which ones, but will check tomorrow at work.

You might wanna try removing the dollar sign in the cn directive.
_________________
-- I'll eat it--
eyexer0 (Tux's lil' helper; Joined: 13 Dec 2003; Posts: 75; Location: Fort Smith, Arkansas)
Posted: Fri Aug 18, 2006 1:40 am

do you guys have any ideas on my problem? I can't even get openldap to compile; I get an error. I made a post about it, but no one seems to have a clue..

https://forums.gentoo.org/viewtopic-p-3514586.html#3514586
kahler (n00b; Joined: 01 Nov 2003; Posts: 62)
Posted: Mon Apr 30, 2007 9:34 pm

I had the same problem when my sambaUnixIdPooldn entry was set to the wrong value.
_________________
-----BEGIN GEEK CODE BLOCK-----
Version: 3.1
GIT d- s:+ a-- C++++ UL++++$ P+>+++ L++ E--- W+++$ N+ o+ K? w O M V- PS+ PE++ Y+ PGP- t--- 5--- X-- R tv b DI++ D+ G e h r y?+
------END GEEK CODE BLOCK------
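Two of the posts above describe a join that fails even though the machine entry exists in LDAP: thedd sees the workstation created but `net join` still reports "Creation of workstation account failed", and kahler traces the same symptom to a wrong sambaUnixIdPooldn (the entry smbldap-tools allocates uidNumber from). The following is an added example, not code from the thread, the Gentoo HOWTO or smbldap-tools: it reads an LDIF dump of `ou=Hosts` and checks each entry for what Samba 3's ldapsam actually needs from a workstation trust account. Samba looks the machine up as `uid=<host>$` (so the `$` belongs in uid; cn is not consulted), and then getpwnam() must succeed on that name, which needs posixAccount with numeric uidNumber and gidNumber. The LDIF below is constructed to match the poster's suffix `ou=Hosts,dc=ted,dc=keso,dc=net`; the SIDs and id numbers are made up.

```python
"""Check LDAP workstation trust-account entries for what Samba 3 ldapsam needs.

Added example, not code from the thread or from smbldap-tools.
"""
import re
from typing import Dict, List

LdifEntry = Dict[str, List[str]]   # attribute name (lower-cased) -> values

REQUIRED_CLASSES = {"posixaccount", "sambasamaccount"}
DOMAIN_SID = re.compile(r"S-1-5-21-\d+-\d+-\d+-\d+")

# Constructed LDIF: one usable entry, and one that was created without a uidNumber
# (what a broken sambaUnixIdPooldn produces) and with a uid lacking the trailing '$'.
SAMPLE_LDIF = """\
dn: uid=echelon$,ou=Hosts,dc=ted,dc=keso,dc=net
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
cn: echelon$
uid: echelon$
uidNumber: 1001
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Machine Account
sambaSID: S-1-5-21-3623811015-3361044348-30300820-3002
sambaPrimaryGroupSID: S-1-5-21-3623811015-3361044348-30300820-515
sambaAcctFlags: [W          ]

dn: uid=laptop,ou=Hosts,dc=ted,dc=keso,dc=net
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
cn: laptop
uid: laptop
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
sambaSID: S-1-5-21-3623811015-3361044348-30300820-3004
sambaAcctFlags: [W          ]
"""


def parse_ldif(text: str) -> Dict[str, LdifEntry]:
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    folded continuation lines starting with a space, '#' comments. Attribute names
    are lower-cased (LDAP treats them case-insensitively); base64 ('::') values are
    kept undecoded, which is enough for the attributes inspected here."""
    entries: Dict[str, LdifEntry] = {}
    pending: List[str] = []
    for raw in text.splitlines() + [""]:          # trailing "" flushes the last entry
        if raw.strip() == "":
            if pending:
                entry: LdifEntry = {}
                for line in pending:
                    if line.startswith("#"):
                        continue
                    attr, _, value = line.partition(":")
                    entry.setdefault(attr.strip().lower(), []).append(value.strip())
                entries[entry["dn"][0]] = entry
                pending = []
        elif raw.startswith(" ") and pending:     # folded continuation line
            pending[-1] += raw[1:]
        else:
            pending.append(raw)
    return entries


def check_machine_account(entry: LdifEntry, hostname: str) -> List[str]:
    """Return the problems that would make the join fail for `hostname`;
    an empty list means the entry looks usable as that workstation's trust account."""
    problems: List[str] = []
    want = hostname.rstrip("$").lower() + "$"     # ldapsam searches uid=<host>$
    uids = [u.lower() for u in entry.get("uid", [])]
    if want not in uids:
        problems.append(f"uid must be '{want}' (Samba searches uid=, not cn=); got {entry.get('uid')}")
    classes = {c.lower() for c in entry.get("objectclass", [])}
    for cls in sorted(REQUIRED_CLASSES - classes):
        problems.append(f"missing objectClass {cls}")
    for attr in ("uidnumber", "gidnumber"):       # needed for getpwnam() on the machine
        vals = entry.get(attr, [])
        if not vals or not vals[0].isdigit():
            problems.append(f"{attr} missing or non-numeric ({vals}): getpwnam() on the "
                            "machine account will fail (check the sambaUnixIdPooldn entry)")
    flags = entry.get("sambaacctflags", [""])[0]
    if "W" not in flags:
        problems.append(f"sambaAcctFlags {flags!r} lacks 'W' (workstation trust account)")
    sid = entry.get("sambasid", [""])[0]
    if not DOMAIN_SID.fullmatch(sid):
        problems.append(f"sambaSID {sid!r} is not a domain SID with a RID")
    return problems


if __name__ == "__main__":
    for dn, entry in parse_ldif(SAMPLE_LDIF).items():
        host = dn.split(",")[0].split("=", 1)[1]
        print(dn, "->", check_machine_account(entry, host) or "OK")
```

To run it against a live directory, dump the branch with `ldapsearch -x -LLL -b ou=Hosts,dc=ted,dc=keso,dc=net` (bind options as your setup requires) and pass the output to `parse_ldif`; any problem it reports on the `<host>$` entry is something `net join` will trip over after the add machine script has already returned.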