Bug 1531 - joining to own domain fails
Summary: joining to own domain fails
Status: RESOLVED INVALID
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control
Version: 3.0.4
Hardware: x86 Linux
Importance: P3 major
Target Milestone: none
Assignee: Samba Bugzilla Account
QA Contact: Samba QA Contact
Reported: 2004-07-14 12:45 UTC by Andreas Schlager
Modified: 2004-07-29 22:50 UTC

Attachments
Sorry, WRONG smb.conf (1.50 KB, text/plain)
2004-07-14 12:46 UTC, Andreas Schlager
This is smb.conf (2.18 KB, text/plain)
2004-07-14 12:54 UTC, Andreas Schlager

Description Andreas Schlager 2004-07-14 12:45:28 UTC
I try to set up a Samba3-PDC w/ OpenLDAP as backend. I set up the ldap with the
smbldap-populate script, and it seems to be OK. Testing the installation as
described in the very good Howtos was successful.

I try to make a Samba PDC with the following command: "net rpc join -U Administrator".
It fails with the error:
  User specified does not have administrator privileges
  Unable to join domain SAMBA-TEST.

I found the following in the logs:
[2004/07/14 20:31:54, 5] lib/smbldap.c:smbldap_search(932)
  smbldap_search: base => [dc=kaindl,dc=com], filter => [(&(&(uid=sbg1dhcpc13$)(objectclass=sambaSamAccount))(objectclass=sambaSamAccount))], scope => [2]
[2004/07/14 20:31:54, 4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1157)
  ldapsam_getsampwnam: Unable to locate user [sbg1dhcpc13$] count=0
[2004/07/14 20:31:54, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 512) - sec_ctx_stack_ndx = 0
[2004/07/14 20:31:54, 10] rpc_server/srv_samr_nt.c:_samr_create_user(2203)
  checking account sbg1dhcpc13$ at pos 11 for $ termination
[2004/07/14 20:31:54, 5] lib/username.c:Get_Pwnam(293)
  Finding user sbg1dhcpc13$
[2004/07/14 20:31:54, 5] lib/username.c:Get_Pwnam_internals(223)
  Trying _Get_Pwnam(), username as lowercase is sbg1dhcpc13$
[2004/07/14 20:31:54, 5] lib/username.c:Get_Pwnam_internals(239)
  Trying _Get_Pwnam(), username as uppercase is SBG1DHCPC13$
[2004/07/14 20:31:54, 5] lib/username.c:Get_Pwnam_internals(247)
  Checking combinations of 0 uppercase letters in sbg1dhcpc13$
[2004/07/14 20:31:54, 5] lib/username.c:Get_Pwnam_internals(251)
  Get_Pwnam_internals didn't find user [sbg1dhcpc13$]!
[2004/07/14 20:31:54, 3] rpc_server/srv_samr_nt.c:_samr_create_user(2245)
  _samr_create_user: Running the command `/usr/local/sbin/smbldap-useradd -w sbg1dhcpc13' gave 0
[2004/07/14 20:31:54, 5] lib/username.c:Get_Pwnam(293)
  Finding user sbg1dhcpc13$
[2004/07/14 20:31:54, 5] lib/username.c:Get_Pwnam_internals(223)
  Trying _Get_Pwnam(), username as lowercase is sbg1dhcpc13$
[2004/07/14 20:31:54, 5] lib/username.c:Get_Pwnam_internals(251)
  Get_Pwnam_internals did find user [sbg1dhcpc13$]!
[2004/07/14 20:31:54, 10] passdb/pdb_get_set.c:pdb_set_username(612)
  pdb_set_username: setting username sbg1dhcpc13$, was
[2004/07/14 20:31:54, 10] passdb/pdb_get_set.c:pdb_set_init_flags(512)
  element 12 -> now SET

This seems to be OK to me. The machine name (sbg1dhcpc13$) was not found in the
directory, so it is being created.
Later on in this log:
[2004/07/14 20:31:54, 5] lib/smbldap.c:smbldap_search(932)
  smbldap_search: base => [dc=kaindl,dc=com], filter => [(&(&(uid=sbg1dhcpc13$)(objectclass=sambaSamAccount))(objectclass=sambaSamAccount))], scope => [2]
[2004/07/14 20:31:54, 5] lib/smbldap.c:smbldap_search(932)
  smbldap_search: base => [dc=kaindl,dc=com], filter => [(&(sambaSID=S-1-5-21-1425597653-641218338-4259131718-3002)(objectclass=sambaSamAccount))], scope => [2]
[2004/07/14 20:31:54, 5] lib/smbldap.c:smbldap_search(932)
  smbldap_search: base => [dc=kaindl,dc=com], filter => [(&(uid=sbg1dhcpc13$)(objectclass=sambaSamAccount))], scope => [2]
[2004/07/14 20:31:54, 5] lib/smbldap.c:smbldap_search(932)
  smbldap_search: base => [dc=kaindl,dc=com], filter => [(&(sambaSID=S-1-5-21-1425597653-641218338-4259131718-3002)(|(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))], scope => [2]
[2004/07/14 20:31:54, 3] passdb/pdb_ldap.c:ldapsam_add_sam_account(1690)
  ldapsam_add_sam_account: Adding new user
[2004/07/14 20:31:54, 2] passdb/pdb_ldap.c:init_ldap_from_sam(812)
  init_ldap_from_sam: Setting entry for user: sbg1dhcpc13$
[2004/07/14 20:31:54, 5] lib/smbldap.c:smbldap_add(1022)
  smbldap_add: dn => [uid=sbg1dhcpc13$,ou=Users,dc=kaindl,dc=com]
[2004/07/14 20:31:54, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1312)
  ldapsam_modify_entry: Failed to add user dn= uid=sbg1dhcpc13$,ou=Users,dc=kaindl,dc=com with: Already exists

[2004/07/14 20:31:54, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1729)
  ldapsam_add_sam_account: failed to modify/add user with uid = sbg1dhcpc13$ (dn = uid=sbg1dhcpc13$,ou=Users,dc=kaindl,dc=com)

It seems that Samba tries to create the machine account a second time.

I've gotten stuck here, and I hope someone can pull me out...

Many thanks in advance!

Kind Regards,

-Andreas.
Comment 1 Andreas Schlager 2004-07-14 12:46:35 UTC
Created attachment 570
Sorry, WRONG smb.conf

Added my smb.conf here.
Comment 2 Andreas Schlager 2004-07-14 12:50:14 UTC
Comment on attachment 570
Sorry, WRONG smb.conf

# Samba config file created using SWAT
# from 172.16.0.91 (172.16.0.91)
# Date: 2004/07/08 15:36:42

# Global parameters
[global]
	workgroup = SAMBA-TEST
	netbios name = SBG1DHCPC13
	server string = %h server (Samba %v)
	passdb backend = ldapsam:ldap://127.0.0.1/
	passwd program = /usr/local/sbin/smbldap-tools/smbldap-passwd %u
	passwd chat = *new*password* %n\n *new*password* %n\n *all*authentication*tokens*updated*
	log level = 10 passdb:10 auth:10 winbind:10
	syslog = 0
	log file = /var/log/samba/log.%m
	max log size = 1000
	name resolve order = wins bcast hosts
	add user script = /usr/local/sbin/smbldap-useradd %U
	delete user script = /usr/local/sbin/smbldap-userdel %U
	add group script = /usr/local/sbin/smbldap-groupadd %G
	delete group script = /usr/local/sbin/smbldap-groupdel %G
	add user to group script = /usr/local/sbin/smbldap-useradd -G %G %U./
	add machine script = /usr/local/sbin/smbldap-useradd -w %m
	domain logons = Yes
	domain master = Yes
	preferred master = Yes
	security = user
	dns proxy = No
	wins support = Yes
	ldap suffix = dc=kaindl,dc=com
	ldap machine suffix = ou=Users
	ldap user suffix = ou=Users
	ldap group suffix = ou=Groups
	ldap idmap suffix = ou=Idmap
	ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
	ldap admin dn = cn=admin,dc=kaindl,dc=com
	ldap ssl = no
	utmp = Yes
	panic action = /usr/share/samba/panic-action %d
	idmap uid = 10000-19999
	idmap gid = 10000-19999
	winbind separator = +
	winbind enum users = Yes
	winbind enum groups = Yes
	map acl inherit = Yes
	veto files = /*.eml/*.nws/*.{*}/
	veto oplock files = /*doc/*.xls/*.mdb/

[homes]
	comment = Home Directories
	create mask = 0700
	directory mask = 0700
	browseable = No

[printers]
	comment = All Printers
	path = /tmp
	create mask = 0700
	printable = Yes
	browseable = No

[print$]
	comment = Printer Drivers
	path = /var/lib/samba/printers
Comment 3 Andreas Schlager 2004-07-14 12:54:20 UTC
Created attachment 571
This is smb.conf

This now is the smb.conf from the correct server...
Comment 4 Andreas Schlager 2004-07-29 22:46:42 UTC
Hi Samba-Team,

Finally I could resolve this problem. It was a configuration mistake.
First, in /etc/ldap/ldap.conf I modified the entries
#nss_base_passwd   ou=Users,dc=kaindl,dc=com?one
#nss_base_shadow   ou=Users,dc=kaindl,dc=com?one
#nss_base_group    ou=Groups,dc=kaindl,dc=com?one

to 

nss_base_passwd   dc=kaindl,dc=com
nss_base_shadow   dc=kaindl,dc=com
nss_base_group    dc=kaindl,dc=com

Second, the ldap filter in smb.conf was set incorrectly. I set it as described
in the Samba3 Howto to the value "ldap filter =
(&(uid=%u)(objectclass=sambaSamAccount))". This doesn't work.
I found a note from Jerry that says that the filter should be empty. This is a
little bit confusing. The filter at the default value "(uid=%u)" solved my problems.

Hope that helps anyone with similar problems.

-Andreas.
Comment 5 Andreas Schlager 2004-07-29 22:50:08 UTC
Sorry, missed a line while cut&pasting /etc/ldap/ldap.conf. Correct entries are:

scope sub
nss_base_passwd   dc=kaindl,dc=com
nss_base_shadow   dc=kaindl,dc=com
nss_base_group    dc=kaindl,dc=com

-Andreas.
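
The two patterns visible in the log excerpts quoted in the description (a search filter carrying the sambaSamAccount clause twice, and an LDAP add failing with "Already exists" after the add machine script returned 0) can be picked out of a Samba debug log mechanically. The following is an added example, not code from the report or from Samba; the sample log is constructed from the quoted lines (abridged and unwrapped), and the names `parse_records` and `triage` are hypothetical.

```python
import re

# Constructed sample: log lines quoted in the description, abridged and unwrapped.
SAMPLE_LOG = """\
[2004/07/14 20:31:54, 5] lib/smbldap.c:smbldap_search(932)
  smbldap_search: base => [dc=kaindl,dc=com], filter => [(&(&(uid=sbg1dhcpc13$)(objectclass=sambaSamAccount))(objectclass=sambaSamAccount))], scope => [2]
[2004/07/14 20:31:54, 3] rpc_server/srv_samr_nt.c:_samr_create_user(2245)
  _samr_create_user: Running the command `/usr/local/sbin/smbldap-useradd -w sbg1dhcpc13' gave 0
[2004/07/14 20:31:54, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1312)
  ldapsam_modify_entry: Failed to add user dn= uid=sbg1dhcpc13$,ou=Users,dc=kaindl,dc=com with: Already exists
"""

HEADER = re.compile(r"^\[(\S+ \S+), +(\d+)\] (\S+):(\w+)\((\d+)\)$")
SAM_CLAUSE = "(objectclass=sambasamaccount)"

def parse_records(text):
    """Pair each '[time, level] file:function(line)' header with its message lines."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"time": m[1], "level": int(m[2]), "func": m[4], "msg": ""})
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def triage(records):
    """Flag doubled sambaSamAccount clauses and adds that fail after the script ran."""
    findings, scripted = [], set()
    for r in records:
        msg = r["msg"]
        if r["func"] == "smbldap_search":
            flt = re.search(r"filter => \[(.*)\], scope", msg)
            if flt and flt[1].lower().count(SAM_CLAUSE) > 1:
                findings.append(("duplicate-objectclass", flt[1]))
        elif r["func"] == "_samr_create_user":
            # Assumes the add machine script is called with "-w <name>", as on this page.
            ran = re.search(r"-w (\S+)' gave 0", msg)
            if ran:
                scripted.add(ran[1].lower() + "$")
        elif r["func"] == "ldapsam_modify_entry" and "Already exists" in msg:
            dn = re.search(r"dn= uid=([^,]+),", msg)
            if dn and dn[1].lower() in scripted:
                findings.append(("add-after-script", dn[1]))
    return findings

if __name__ == "__main__":
    for kind, detail in triage(parse_records(SAMPLE_LOG)):
        print(kind, detail)
```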