I try to set up a Samba3-PDC w/ OpenLDAP as backend. I set up the ldap with the smbldap-populate script, and it seems to be OK. Testing the installation as described in the very good Howtos was successful.

I try to make a samba PDC with the following command: "net rpc join -U Administrator". It fails with the error:

  User specified does not have administrator privileges
  Unable to join domain SAMBA-TEST.

I found the following in the logs:

[2004/07/14 20:31:54, 5] lib/smbldap.c:smbldap_search(932)
  smbldap_search: base => [dc=kaindl,dc=com], filter => [(&(&(uid=sbg1dhcpc13$)(objectclass=sambaSamAccount))(objectclass=sambaSamAccount))], scope => [2]
[2004/07/14 20:31:54, 4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1157)
  ldapsam_getsampwnam: Unable to locate user [sbg1dhcpc13$] count=0
[2004/07/14 20:31:54, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 512) - sec_ctx_stack_ndx = 0
[2004/07/14 20:31:54, 10] rpc_server/srv_samr_nt.c:_samr_create_user(2203)
  checking account sbg1dhcpc13$ at pos 11 for $ termination
[2004/07/14 20:31:54, 5] lib/username.c:Get_Pwnam(293)
  Finding user sbg1dhcpc13$
[2004/07/14 20:31:54, 5] lib/username.c:Get_Pwnam_internals(223)
  Trying _Get_Pwnam(), username as lowercase is sbg1dhcpc13$
[2004/07/14 20:31:54, 5] lib/username.c:Get_Pwnam_internals(239)
  Trying _Get_Pwnam(), username as uppercase is SBG1DHCPC13$
[2004/07/14 20:31:54, 5] lib/username.c:Get_Pwnam_internals(247)
  Checking combinations of 0 uppercase letters in sbg1dhcpc13$
[2004/07/14 20:31:54, 5] lib/username.c:Get_Pwnam_internals(251)
  Get_Pwnam_internals didn't find user [sbg1dhcpc13$]!
[2004/07/14 20:31:54, 3] rpc_server/srv_samr_nt.c:_samr_create_user(2245)
  _samr_create_user: Running the command `/usr/local/sbin/smbldap-useradd -w sbg1dhcpc13' gave 0
[2004/07/14 20:31:54, 5] lib/username.c:Get_Pwnam(293)
  Finding user sbg1dhcpc13$
[2004/07/14 20:31:54, 5] lib/username.c:Get_Pwnam_internals(223)
  Trying _Get_Pwnam(), username as lowercase is sbg1dhcpc13$
[2004/07/14 20:31:54, 5] lib/username.c:Get_Pwnam_internals(251)
  Get_Pwnam_internals did find user [sbg1dhcpc13$]!
[2004/07/14 20:31:54, 10] passdb/pdb_get_set.c:pdb_set_username(612)
  pdb_set_username: setting username sbg1dhcpc13$, was
[2004/07/14 20:31:54, 10] passdb/pdb_get_set.c:pdb_set_init_flags(512)
  element 12 -> now SET

This seems to be OK to me. The machine name (sbg1dhcpc13$) was not found in the directory, so it is being created. Later on in this log:

[2004/07/14 20:31:54, 5] lib/smbldap.c:smbldap_search(932)
  smbldap_search: base => [dc=kaindl,dc=com], filter => [(&(&(uid=sbg1dhcpc13$)(objectclass=sambaSamAccount))(objectclass=sambaSamAccount))], scope => [2]
[2004/07/14 20:31:54, 5] lib/smbldap.c:smbldap_search(932)
  smbldap_search: base => [dc=kaindl,dc=com], filter => [(&(sambaSID=S-1-5-21-1425597653-641218338-4259131718-3002)(objectclass=sambaSamAccount))], scope => [2]
[2004/07/14 20:31:54, 5] lib/smbldap.c:smbldap_search(932)
  smbldap_search: base => [dc=kaindl,dc=com], filter => [(&(uid=sbg1dhcpc13$)(objectclass=sambaSamAccount))], scope => [2]
[2004/07/14 20:31:54, 5] lib/smbldap.c:smbldap_search(932)
  smbldap_search: base => [dc=kaindl,dc=com], filter => [(&(sambaSID=S-1-5-21-1425597653-641218338-4259131718-3002)(|(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))], scope => [2]
[2004/07/14 20:31:54, 3] passdb/pdb_ldap.c:ldapsam_add_sam_account(1690)
  ldapsam_add_sam_account: Adding new user
[2004/07/14 20:31:54, 2] passdb/pdb_ldap.c:init_ldap_from_sam(812)
  init_ldap_from_sam: Setting entry for user: sbg1dhcpc13$
[2004/07/14 20:31:54, 5] lib/smbldap.c:smbldap_add(1022)
  smbldap_add: dn => [uid=sbg1dhcpc13$,ou=Users,dc=kaindl,dc=com]
[2004/07/14 20:31:54, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1312)
  ldapsam_modify_entry: Failed to add user dn= uid=sbg1dhcpc13$,ou=Users,dc=kaindl,dc=com with: Already exists
[2004/07/14 20:31:54, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1729)
  ldapsam_add_sam_account: failed to modify/add user with uid = sbg1dhcpc13$ (dn = uid=sbg1dhcpc13$,ou=Users,dc=kaindl,dc=com)

It seems that Samba tries to create the machine account a second time. I've gotten stuck here, and I hope someone can pull me out...

Many thanks in advance!

Kind Regards,
-Andreas.

Created attachment 570
Sorry, WRONG smb.conf

Added my smb.conf here.

Comment on attachment 570
Sorry, WRONG smb.conf

# Samba config file created using SWAT
# from 172.16.0.91 (172.16.0.91)
# Date: 2004/07/08 15:36:42

# Global parameters
[global]
        workgroup = SAMBA-TEST
        netbios name = SBG1DHCPC13
        server string = %h server (Samba %v)
        passdb backend = ldapsam:ldap://127.0.0.1/
        passwd program = /usr/local/sbin/smbldap-tools/smbldap-passwd %u
        passwd chat = *new*password* %n\n *new*password* %n\n *all*authentication*tokens*updated*
        log level = 10 passdb:10 auth:10 winbind:10
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        name resolve order = wins bcast hosts
        add user script = /usr/local/sbin/smbldap-useradd %U
        delete user script = /usr/local/sbin/smbldap-userdel %U
        add group script = /usr/local/sbin/smbldap-groupadd %G
        delete group script = /usr/local/sbin/smbldap-groupdel %G
        add user to group script = /usr/local/sbin/smbldap-useradd -G %G %U./
        add machine script = /usr/local/sbin/smbldap-useradd -w %m
        domain logons = Yes
        domain master = Yes
        preferred master = Yes
        security = user
        dns proxy = No
        wins support = Yes
        ldap suffix = dc=kaindl,dc=com
        ldap machine suffix = ou=Users
        ldap user suffix = ou=Users
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
        ldap admin dn = cn=admin,dc=kaindl,dc=com
        ldap ssl = no
        utmp = Yes
        panic action = /usr/share/samba/panic-action %d
        idmap uid = 10000-19999
        idmap gid = 10000-19999
        winbind separator = +
        winbind enum users = Yes
        winbind enum groups = Yes
        map acl inherit = Yes
        veto files = /*.eml/*.nws/*.{*}/
        veto oplock files = /*doc/*.xls/*.mdb/

[homes]
        comment = Home Directories
        create mask = 0700
        directory mask = 0700
        browseable = No

[printers]
        comment = All Printers
        path = /tmp
        create mask = 0700
        printable = Yes
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printers

Created attachment 571
This is smb.conf

This now is the smb.conf from the correct server...

Hi Samba-Team,

finally I could resolve this problem. It was a configuration mistake.

First, in /etc/ldap/ldap.conf I modified the entries

  #nss_base_passwd ou=Users,dc=kaindl,dc=com?one
  #nss_base_shadow ou=Users,dc=kaindl,dc=com?one
  #nss_base_group ou=Groups,dc=kaindl,dc=com?one

to

  nss_base_passwd dc=kaindl,dc=com
  nss_base_shadow dc=kaindl,dc=com
  nss_base_group dc=kaindl,dc=com

Second, the ldap filter in smb.conf was set incorrectly. I set it as described in the Samba3 Howto to the value "ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))". This doesn't work. I found a note from Jerry that says that the filter should be empty. This is a little bit confusing. The filter at the default value "(uid=%u)" solved my problems.

Hope that helps anyone with similar problems.

-Andreas.

Sorry, missed a line while cut&pasting /etc/ldap/ldap.conf. Correct entries are:

  scope sub
  nss_base_passwd dc=kaindl,dc=com
  nss_base_shadow dc=kaindl,dc=com
  nss_base_group dc=kaindl,dc=com

-Andreas.
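
The failure sequence in the log quoted in this report can be checked mechanically. The following is an added example, not part of the original report and not Samba code: it parses level-10 log records and reports whether the add machine script succeeded, whether every uid lookup required objectclass=sambaSamAccount, and whether the LDAP add then failed with "Already exists". The function names are hypothetical and the sample log is constructed by condensing the lines quoted above.

```python
import re

# Constructed sample: condensed from the log lines quoted in the report.
SAMPLE_LOG = """\
[2004/07/14 20:31:54, 5] lib/smbldap.c:smbldap_search(932)
  smbldap_search: base => [dc=kaindl,dc=com], filter => [(&(&(uid=sbg1dhcpc13$)(objectclass=sambaSamAccount))(objectclass=sambaSamAccount))], scope => [2]
[2004/07/14 20:31:54, 3] rpc_server/srv_samr_nt.c:_samr_create_user(2245)
  _samr_create_user: Running the command `/usr/local/sbin/smbldap-useradd -w sbg1dhcpc13' gave 0
[2004/07/14 20:31:54, 5] lib/smbldap.c:smbldap_search(932)
  smbldap_search: base => [dc=kaindl,dc=com], filter => [(&(uid=sbg1dhcpc13$)(objectclass=sambaSamAccount))], scope => [2]
[2004/07/14 20:31:54, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1312)
  ldapsam_modify_entry: Failed to add user dn= uid=sbg1dhcpc13$,ou=Users,dc=kaindl,dc=com with: Already exists
"""

# Record header as it appears in the report: [timestamp, level] file:function(line)
HEADER = re.compile(r"^\[[^,\]]+,\s*(?P<level>\d+)\]\s+\S+:(?P<func>\w+)\(\d+\)")
FILTER = re.compile(r"filter => \[([^\]]*)\]")

def parse_records(text):
    """Pair each header line with the message line(s) that follow it."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"level": int(m["level"]), "func": m["func"], "msg": ""})
        elif records and line.strip():
            records[-1]["msg"] = (records[-1]["msg"] + " " + line.strip()).strip()
    return records

def diagnose(text):
    """Report the three conditions that together match the failure in this report."""
    recs = parse_records(text)
    script_ok = any(r["func"] == "_samr_create_user" and r["msg"].endswith("gave 0")
                    for r in recs)
    filters = [m.group(1) for r in recs for m in FILTER.finditer(r["msg"])]
    uid_filters = [f for f in filters if "(uid=" in f]
    all_require_samba = bool(uid_filters) and all(
        "objectclass=sambasamaccount" in f.lower() for f in uid_filters)
    already_exists = any(r["func"] == "ldapsam_modify_entry"
                         and "Already exists" in r["msg"] for r in recs)
    return {"script_ok": script_ok, "uid_filters": uid_filters,
            "all_require_samba": all_require_samba,
            "already_exists": already_exists,
            "matches_report": script_ok and all_require_samba and already_exists}

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```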