02-15-2011, 10:09 AM
[SOLVED] Samba Integration - unable to join machines to domain

Hopefully someone out there can help me out. I'm at a loss, and after a few days of trying just about everything I can think of, reading all of the LDAP/SAMBA/Zimbra/Domain Admins/Machine Account posts I can find, I'm still not able to add a computer to my domain.
We're using ZCS NE Version 5.0.16 and samba version 3.0.33-3.14.el5.
I followed the wiki instructions: UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI - Zimbra :: Wiki
Everything looks good up until trying to add a machine to the domain. On XP I get a "The username could not be found".
The user is in LDAP and Samba, and is able to log in via samba (domain shares work fine).
In my group entry the memberUid looks really odd, 1 line per digit. See below:
Here are the excerpted logs from the samba side during the join request (full logs attached):
Code:
[2011/02/15 13:03:39, 5] auth/auth_util.c:debug_nt_user_token(448)
NT user token: (NULL)
[2011/02/15 13:03:39, 5] auth/auth_util.c:debug_unix_user_token(474)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2011/02/15 13:03:39, 5] lib/smbldap.c:smbldap_search_ext(1182)
smbldap_search_ext: base => [ou=groups,dc=stratacache,dc=com], filter => [(&(objectClass=sambaGroupMapping)(|(displayName=ALLYN-97D805B86$)(cn=ALLYN-97D805B86$)))], scope => [2]
[2011/02/15 13:03:39, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2244)
ldapsam_getgroup: Did not find group
[2011/02/15 13:03:39, 5] rpc_server/srv_samr_nt.c:_samr_create_user(2623)
_samr_create_user: -1 can add this account : False
[2011/02/15 13:03:39, 5] lib/username.c:Get_Pwnam_alloc(131)
Finding user ALLYN-97D805B86$
[2011/02/15 13:03:39, 5] lib/username.c:Get_Pwnam_internals(75)
Trying _Get_Pwnam(), username as lowercase is allyn-97d805b86$
[2011/02/15 13:03:39, 5] lib/username.c:Get_Pwnam_internals(83)
Trying _Get_Pwnam(), username as given is ALLYN-97D805B86$
[2011/02/15 13:03:39, 5] lib/username.c:Get_Pwnam_internals(102)
Checking combinations of 0 uppercase letters in allyn-97d805b86$
[2011/02/15 13:03:39, 5] lib/username.c:Get_Pwnam_internals(108)
Get_Pwnam_internals didn't find user [ALLYN-97D805B86$]!
sh: /usr/sbin/useradd: Permission denied
[2011/02/15 13:03:39, 0] passdb/pdb_interface.c:pdb_default_create_user(329)
_samr_create_user: Running the command `/usr/sbin/useradd -n -c "Workstation (allyn-97d805b86$)" -M -d /nohome -s /bin/false "allyn-97d805b86$"' gave 126
[2011/02/15 13:03:39, 5] lib/username.c:Get_Pwnam_alloc(131)
Finding user ALLYN-97D805B86$
[2011/02/15 13:03:39, 5] lib/username.c:Get_Pwnam_internals(75)
Trying _Get_Pwnam(), username as lowercase is allyn-97d805b86$
[2011/02/15 13:03:39, 5] lib/username.c:Get_Pwnam_internals(83)
Trying _Get_Pwnam(), username as given is ALLYN-97D805B86$
[2011/02/15 13:03:39, 5] lib/username.c:Get_Pwnam_internals(102)
Checking combinations of 0 uppercase letters in allyn-97d805b86$
[2011/02/15 13:03:39, 5] lib/username.c:Get_Pwnam_internals(108)
Get_Pwnam_internals didn't find user [ALLYN-97D805B86$]!
[2011/02/15 13:03:39, 3] passdb/pdb_interface.c:pdb_default_create_user(354)
pdb_default_create_user: failed to create a new user structure: NT_STATUS_NO_SUCH_USER

From what I can see samba isn't able to run the useradd command.
I am using the smb.conf for CentOS/RHEL from this post: Zimbra & Samba -- error joining machine to Domain
smbd and nmbd are both running as root:
Code:
root 316 0.0 0.1 15172 2848 ? Ss 12:53 0:00 smbd -D
root 319 0.1 0.0 9416 1460 ? Ss 12:53 0:00 nmbd -D
root 320 0.0 0.0 9608 780 ? S 12:53 0:00 nmbd -D
root 323 0.0 0.0 15172 1264 ? S 12:53 0:00 smbd -D

Can anyone point me in the right direction?
Thanks!
02-15-2011, 10:23 AM
I manually added the workstation account using the string and got an "Access is denied" message this time.
Here are the lines I think are why, with full logs attached (down around line 10525):
Code:
[2011/02/15 13:16:34, 5] lib/username.c:Get_Pwnam_internals(108)
Get_Pwnam_internals did find user [ALLYN-97D805B86$]!
[2011/02/15 13:16:34, 2] lib/smbldap_util.c:smbldap_search_domain_info(256)
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=STRATACACHE))]
[2011/02/15 13:16:34, 5] lib/smbldap.c:smbldap_search_ext(1182)
smbldap_search_ext: base => [dc=stratacache,dc=com], filter => [(&(objectClass=sambaDomain)(sambaDomainName=STRATACACHE))], scope => [2]
[2011/02/15 13:16:34, 0] lib/smbldap.c:smbldap_open(1014)
smbldap_open: cannot access LDAP when not root..
[2011/02/15 13:16:34, 2] lib/smbldap_util.c:smbldap_search_domain_info(263)
smbldap_search_domain_info: Problem during LDAPsearch: Insufficient access
[2011/02/15 13:16:34, 2] lib/smbldap_util.c:smbldap_search_domain_info(264)
smbldap_search_domain_info: Query was: dc=stratacache,dc=com, (&(objectClass=sambaDomain)(sambaDomainName=STRATACACHE))
[2011/02/15 13:16:34, 3] passdb/pdb_ldap.c:ldapsam_get_new_rid(4471)
Could not get domain info: NT_STATUS_UNSUCCESSFUL
[2011/02/15 13:16:34, 3] passdb/passdb.c:samu_set_unix_internal(217)
Could not allocate a new RID
[2011/02/15 13:16:34, 3] passdb/pdb_interface.c:pdb_default_create_user(354)
pdb_default_create_user: failed to create a new user structure: NT_STATUS_ACCESS_DENIED
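The two log excerpts above can be triaged mechanically, which is worth doing on a join failure because the interesting lines (the spawned script's exit status, the LDAP admin-connection error, the final NT_STATUS) are scattered through thousands of level-5 lines. The Python script below is an added example, not code from this thread or from Samba/Zimbra. It groups Samba 3 debug output into header-plus-message records, attaches stray child-process stderr such as the `sh: /usr/sbin/useradd: Permission denied` line to the record that precedes it, and extracts the facts a responder wants first. The sample log is constructed from lines quoted in the two posts (with Samba's usual two-space message indentation restored); the finding codes and the EXIT_MEANING table are my own naming, and the exit-status meanings are the POSIX shell conventions (126 found but not executable, 127 not found).

```python
import re

# Samba 3 debug header: "[YYYY/MM/DD HH:MM:SS, level] source.c:function(line)"
HEADER_RE = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (\d+)\] (\S+)$")
CMD_RE = re.compile(r"Running the command `(.+)' gave (\d+)")
STATUS_RE = re.compile(r"failed to create a new user structure: (NT_STATUS_\w+)")
FILTER_RE = re.compile(r"filter => \[(.+)\], scope")

# POSIX shell exit-status conventions for the command spawned by "add machine script".
EXIT_MEANING = {
    126: "command found but not executable by smbd (permission denied)",
    127: "command not found",
}

# Constructed sample: lines excerpted from the two posts above.
SAMPLE_LOG = """\
[2011/02/15 13:03:39, 5] lib/smbldap.c:smbldap_search_ext(1182)
  smbldap_search_ext: base => [ou=groups,dc=stratacache,dc=com], filter => [(&(objectClass=sambaGroupMapping)(|(displayName=ALLYN-97D805B86$)(cn=ALLYN-97D805B86$)))], scope => [2]
[2011/02/15 13:03:39, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2244)
  ldapsam_getgroup: Did not find group
[2011/02/15 13:03:39, 5] lib/username.c:Get_Pwnam_internals(108)
  Get_Pwnam_internals didn't find user [ALLYN-97D805B86$]!
sh: /usr/sbin/useradd: Permission denied
[2011/02/15 13:03:39, 0] passdb/pdb_interface.c:pdb_default_create_user(329)
  _samr_create_user: Running the command `/usr/sbin/useradd -n -c "Workstation (allyn-97d805b86$)" -M -d /nohome -s /bin/false "allyn-97d805b86$"' gave 126
[2011/02/15 13:03:39, 3] passdb/pdb_interface.c:pdb_default_create_user(354)
  pdb_default_create_user: failed to create a new user structure: NT_STATUS_NO_SUCH_USER
[2011/02/15 13:16:34, 0] lib/smbldap.c:smbldap_open(1014)
  smbldap_open: cannot access LDAP when not root..
[2011/02/15 13:16:34, 2] lib/smbldap_util.c:smbldap_search_domain_info(263)
  smbldap_search_domain_info: Problem during LDAPsearch: Insufficient access
[2011/02/15 13:16:34, 3] passdb/pdb_interface.c:pdb_default_create_user(354)
  pdb_default_create_user: failed to create a new user structure: NT_STATUS_ACCESS_DENIED
"""


def parse_records(text):
    """Group Samba debug output into records: one header line plus its message lines."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            ts, level, location = m.groups()
            records.append({"ts": ts, "level": int(level), "location": location, "lines": []})
        elif records:
            # Message lines, and stray stderr from a child process ("sh: ..."),
            # belong to the most recent header.
            records[-1]["lines"].append(line)
        else:
            records.append({"ts": None, "level": None, "location": None, "lines": [line]})
    return records


def triage(text):
    """Return the findings (dicts with a 'code') that explain a failed machine join."""
    findings, last_filter = [], None
    for rec in parse_records(text):
        msg = " ".join(rec["lines"])
        m = FILTER_RE.search(msg)
        if m:
            last_filter = m.group(1)          # remember the LDAP filter for the next miss
        if "Did not find group" in msg:
            findings.append({"code": "GROUP_LOOKUP_MISS", "ts": rec["ts"], "filter": last_filter})
        m = CMD_RE.search(msg)
        if m:
            status = int(m.group(2))
            findings.append({"code": "ADD_MACHINE_SCRIPT_FAILED", "ts": rec["ts"],
                             "command": m.group(1), "exit_status": status,
                             "meaning": EXIT_MEANING.get(status, "script ran but returned an error")})
        if "cannot access LDAP when not root" in msg:
            findings.append({"code": "LDAP_NOT_ROOT", "ts": rec["ts"], "location": rec["location"]})
        if "Insufficient access" in msg:
            findings.append({"code": "LDAP_INSUFFICIENT_ACCESS", "ts": rec["ts"], "location": rec["location"]})
        m = STATUS_RE.search(msg)
        if m:
            findings.append({"code": "CREATE_USER_FAILED", "ts": rec["ts"], "status": m.group(1)})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ts"], f["code"], {k: v for k, v in f.items() if k not in ("ts", "code")})
```

Run against the full attached log (`python3 triage.py < /var/log/samba/allyn-97d805b86.log` after swapping SAMPLE_LOG for stdin) the sequence of findings reads as a timeline: the group lookup miss is expected for a not-yet-created machine account, the exit status 126 says smbd could not execute /usr/sbin/useradd even though it runs as root, and the later LDAP_NOT_ROOT finding points at the LDAP admin bind rather than at useradd.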
02-15-2011, 06:47 PM
What Linux do you use? And show me your configs:
smb.conf
nsswitch.conf
ldap.conf
02-18-2011, 08:13 AM
Quote:
Originally Posted by mavlenko
What Linux do you use? And show me your configs:
smb.conf
nsswitch.conf
ldap.conf

We're using RHEL5 on both our new samba PDC and our ZCS server.
Here is the smb.conf:
Code:
[root@net1 ~]# cat /etc/samba/smb.conf
[global]
workgroup = STRATACACHE
server string = Samba Server Version %v
netbios name = NET1
# --------------------------- Logging Options -----------------------------
#
# Log File let you specify where to put logs and how to split them up.
#
# Max Log Size let you specify the max size log files should reach
# logs split per machine
log file = /var/log/samba/%m.log
log level = 5
# max 50KB per log file, then rotate
max log size = 1000
# ----------------------- Standalone Server Options ------------------------
#
# Security can be set to user, share(deprecated) or server(deprecated)
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.
security = user
passdb backend = ldapsam:ldap://XXX.XXX.XXX/
ldap admin dn = "cn=config"
ldap suffix = dc=XXX,dc=com
ldap group suffix = ou=groups
ldap user suffix = ou=people
ldap machine suffix = ou=machines
ldap passwd sync = yes
socket options = TCP_NODELAY
security = domain
obey pam restrictions = no
domain master = yes
domain logons = yes
local master = yes
wins support =yes
# the login script name depends on the machine name
logon script =
# disables profiles support by specifing an empty path
logon path =
add user script = /usr/sbin/useradd "%u" -n -g users
add group script = /usr/sbin/groupadd "%g"
add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
delete user script = /usr/sbin/userdel "%u"
delete user from group script = /usr/sbin/userdel "%u" "%g"
delete group script = /usr/sbin/groupdel "%g"
local master = yes
os level = 33
preferred master = yes
load printers = yes
cups options = raw
; printcap name = /etc/printcap
#obtain list of printers automatically on SystemV
; printcap name = lpstat
; printing = cups
# --------------------------- Filesystem Options ---------------------------
#
# The following options can be uncommented if the filesystem supports
# Extended Attributes and they are enabled (usually by the mount option
# user_xattr). Thess options will let the admin store the DOS attributes
# in an EA and make samba not mess with the permission bits.
#
# Note: these options can also be set just per share, setting them in global
# makes them the default for all shares
; map archive = no
; map hidden = no
; map read only = no
; map system = no
; store dos attributes = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes
# Un-comment the following and create the netlogon directory for Domain Logons
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
writable = no
share modes = no

nsswitch.conf:
Code:
[root@net1 ~]# cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# nisplus or nis+ Use NIS+ (NIS version 3)
# nis or yp Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the local database (.db) files
# compat Use NIS on compat mode
# hesiod Use Hesiod for user lookups
# [NOTFOUND=return] Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd: db files nisplus nis
#shadow: db files nisplus nis
#group: db files nisplus nis
passwd: files ldap
shadow: files ldap
group: files ldap
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus

ldap.conf:
Code:
[root@net1 ~]# cat /etc/ldap.conf
host XXX.XXX.XXX
base dc=XXXXX,dc=com
binddn cn=config
bindpw XXXXX
rootbinddn uid=zimbra,cn=admins,cn=zimbra
port 389
bind_policy soft
nss_reconnect_tries 2
uri ldap://XXX.XXX.XXX/
tls_cacertdir /etc/openldap/cacerts
pam_password md5i
nss_base_passwd ou=people,dc=XXX,dc=com?one
nss_base_shadow ou=people,dc=XXX,dc=com?one
# Replace the lines above with
# nss_base_passwd dc=gregzimbra1,dc=zimbra,dc=com?sub
# nss_base_shadow dc=gregzimbra1,dc=zimbra,dc=com?sub
# if you want to store windows computers account in LDAP
nss_base_group ou=groups,dc=XXX,dc=com?one
nss_base_hosts ou=machines,dc=XXX,dc=com?one
02-19-2011, 11:50 PM
I think you need to look this way:
1. For RHEL it's enough:
add machine script = /usr/sbin/useradd -M -s /sbin/nologin %u
2. "ldap admin dn = " in the smb.conf must be the same as "binddn =" and "rootbinddn =" in the ldap.conf.
Look at my ldap.conf:
Quote:
timelimit 120
bind_timelimit 120
idle_timelimit 3600
bind_policy soft
host server.local
uri ldap://192.168.100.100
base dc=domain,dc=local
binddn uid=zimbra,cn=admins,cn=zimbra
rootbinddn uid=zimbra,cn=admins,cn=zimbra
bindpw ****
nss_base_passwd ou=people,dc=domain,dc=local?one
nss_base_passwd ou=machines,dc=domain,dc=local?one
nss_base_shadow ou=people,dc=domain,dc=local?one
nss_base_group ou=groups,dc=domain,dc=local?one
nss_base_hosts ou=machines,dc=domain,dc=local?one
ssl no
pam_password md5

and smb.conf:
Quote:
passdb backend = ldapsam:ldap://192.168.100.100
ldap ssl = off
ldap suffix = dc=domain,dc=local
ldap admin dn = uid=zimbra,cn=admins,cn=zimbra
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap machine suffix = ou=machines
ldap passwd sync = Yes
add machine script = /usr/sbin/useradd -M -s /sbin/nologin %u

3. Did you run the command "smbpasswd -w LdapAdminPasswd" after configuring Samba? LdapAdminPasswd is the password for the user pointed to by "ldap admin dn = ".
Last edited by mavlenko; 02-21-2011 at 08:18 PM..
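Point 2 above (the three bind DNs must agree) and the two conflicting `security =` lines visible in the posted smb.conf are both things a small config linter can catch before anyone retries the join. The script below is an added example, not part of this thread or of Samba/Zimbra. It parses the two files with hand-written parsers (smb.conf is INI-like with `#` and `;` comments; nss_ldap's ldap.conf is `key value` per line and allows repeated keys such as nss_base_passwd) and reports: a [global] key set more than once with different values (Samba keeps the last), `ldap admin dn` differing from `binddn` or `rootbinddn`, `ldap suffix` differing from `base`, a passdb backend host differing from the ldap.conf `uri`/`host`, `security` other than `user` on a server with `domain logons = yes` (a Samba 3 PDC requirement), and an add machine script that is missing or does not pass `%u`. The sample files are constructed from the two configs quoted in the thread with a placeholder host (192.0.2.10), suffix (dc=example,dc=com) and password; the FIXED_* variants apply mavlenko's recommendations. The one thing it cannot check offline is whether `smbpasswd -w` has stored the current LDAP admin password in secrets.tdb.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed samples modelled on the configs quoted in the thread (placeholder
# host, suffix and password; not real values).
SMB_CONF = """\
[global]
workgroup = STRATACACHE
security = user
passdb backend = ldapsam:ldap://192.0.2.10/
ldap admin dn = "cn=config"
ldap suffix = dc=example,dc=com
ldap machine suffix = ou=machines
ldap passwd sync = yes
security = domain
domain logons = yes
add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"

[netlogon]
path = /var/lib/samba/netlogon
"""
LDAP_CONF = """\
host 192.0.2.10
base dc=example,dc=com
binddn cn=config
bindpw PLACEHOLDER
rootbinddn uid=zimbra,cn=admins,cn=zimbra
uri ldap://192.0.2.10/
nss_base_passwd ou=people,dc=example,dc=com?one
nss_base_passwd ou=machines,dc=example,dc=com?one
nss_base_group ou=groups,dc=example,dc=com?one
"""
# The same files with mavlenko's recommendations applied: one bind identity in all
# three places, a single "security = user" for the PDC, the simpler RHEL script.
FIXED_SMB_CONF = re.sub(
    r"(?m)^add machine script = .*$",
    "add machine script = /usr/sbin/useradd -M -s /sbin/nologin %u",
    SMB_CONF.replace('ldap admin dn = "cn=config"', "ldap admin dn = uid=zimbra,cn=admins,cn=zimbra")
            .replace("security = domain\n", ""))
FIXED_LDAP_CONF = LDAP_CONF.replace("binddn cn=config", "binddn uid=zimbra,cn=admins,cn=zimbra")


def parse_smb_conf(text):
    """{section: {key: [every value seen]}}; keeps duplicates so they can be reported."""
    sections = defaultdict(lambda: defaultdict(list))
    section = None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].strip().lower()
        elif "=" in line and section:
            key, value = line.split("=", 1)
            sections[section][" ".join(key.lower().split())].append(value.strip())
    return sections


def parse_ldap_conf(text):
    """{key: [every value seen]}; nss_ldap allows repeats such as nss_base_passwd."""
    entries = defaultdict(list)
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#"):
            parts = line.split(None, 1)
            entries[parts[0].lower()].append(parts[1].strip() if len(parts) > 1 else "")
    return entries


def norm_dn(value):
    """Normalise a DN for comparison only: drop surrounding quotes, case and spacing."""
    return ",".join(p.strip().lower() for p in value.strip().strip('"').split(","))


def ldap_host(value):
    """Host part of 'ldapsam:ldap://host/' (smb.conf) or 'ldap://host/' (ldap.conf)."""
    url = value.split(":", 1)[1] if value.lower().startswith("ldapsam:") else value
    return (urlparse(url).hostname or "").lower()


def check_consistency(smb_text, ldap_text):
    """Return [(code, message)] for every inconsistency found between the two files."""
    smb, ldap = parse_smb_conf(smb_text)["global"], parse_ldap_conf(ldap_text)
    last = lambda d, k: d[k][-1] if d.get(k) else ""   # Samba/nss_ldap: last value wins
    findings = []
    for key, values in smb.items():
        if len(set(values)) > 1:
            findings.append(("DUPLICATE_KEY", f"'{key}' set {len(values)} times; Samba keeps the last: {values[-1]!r}"))
    admin_dn = norm_dn(last(smb, "ldap admin dn"))
    for k in ("binddn", "rootbinddn"):
        if norm_dn(last(ldap, k)) != admin_dn:
            findings.append(("ADMIN_DN_MISMATCH", f"ldap.conf {k} {last(ldap, k)!r} != smb.conf ldap admin dn {admin_dn!r}"))
    if norm_dn(last(smb, "ldap suffix")) != norm_dn(last(ldap, "base")):
        findings.append(("SUFFIX_MISMATCH", "smb.conf 'ldap suffix' != ldap.conf 'base'"))
    conf_host = ldap_host(last(ldap, "uri")) or last(ldap, "host").lower()
    if ldap_host(last(smb, "passdb backend")) != conf_host:
        findings.append(("HOST_MISMATCH", "passdb backend points at a different LDAP host than ldap.conf"))
    if last(smb, "domain logons").lower() == "yes" and last(smb, "security").lower() != "user":
        findings.append(("PDC_SECURITY", f"domain logons = yes needs security = user; effective value is {last(smb, 'security')!r}"))
    if "%u" not in last(smb, "add machine script"):
        findings.append(("ADD_MACHINE_SCRIPT", "add machine script missing or does not pass %u"))
    return findings


if __name__ == "__main__":
    for code, msg in check_consistency(SMB_CONF, LDAP_CONF):
        print(code, "-", msg)
    print("fixed:", check_consistency(FIXED_SMB_CONF, FIXED_LDAP_CONF))
```

On the thread's configuration the script reports the duplicated `security`, the rootbinddn that differs from `ldap admin dn`, and the PDC running with `security = domain`; with the fixed pair it reports nothing. To lint a live host, read `/etc/samba/smb.conf` and `/etc/ldap.conf` instead of the embedded samples, then re-run `smbpasswd -w` whenever `ldap admin dn` changes, since the stored secret is keyed to that DN.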
02-21-2011, 10:17 AM
OK, looks like we've got it!
I changed the machine script to the one you suggest.
In ldap.conf I changed the binddn to the same as the rootbinddn.
However, when I tried to change the admin dn in smb.conf to the same, smb couldn't connect to the ldap server.
But leaving it as config is OK, machines can join the domain and domain auth still works as expected.
So it looks like it was the binddn in ldap that was the problem.
Thanks for the Help!!
02-21-2011, 06:47 PM
Quote:
However, when I tried to change the admin dn in smb.conf to the same, smb couldn't connect to the ldap server.

Did you run the command "smbpasswd -w zimbra_ldap_password" after reconfiguring Samba??
To find zimbra_ldap_password, run this command as user zimbra:
zmlocalconfig -s zimbra_ldap_password
It shows:
zimbra_ldap_password = secret
Then do as root:
smbpasswd -w secret
and go to the store for a bottle of beer for me