  #1 (permalink)  
Old 07-05-2007, 12:58 AM
Loyal Member
 
Posts: 98
Zimbra + Samba LDAP, cannot add winxp

Hello all,
After successfully struggling with getent passwd/group on openSUSE 10.2 and Zimbra 4.5.6, I now face another problem: I cannot add my Windows XP client to the Zimbra LDAP domain.

The zimbra samba UI is working fine.

This is my /etc/samba/smb.conf:
Code:
[global]
workgroup = vulcan.com
netbios name = fajar102
os level = 33
preferred master = yes
enable privileges = yes
server string = %h server (Samba, Opensuse102)
wins support = yes
dns proxy = no
name resolve order = wins bcast hosts
log file = /var/log/samba/log.%m
log level = 3 
max log size = 1000
syslog only = no
syslog = 5
#panic action = /usr/share/samba/panic-action %d
security = user
encrypt passwords = true
ldap passwd sync = yes
passdb backend = ldapsam:ldap://192.168.1.101
ldap admin dn ="uid=zimbra,cn=admins,cn=zimbra"
ldap suffix = dc=vulcan,dc=com
ldap group suffix = ou=groups
ldap user suffix = ou=people
ldap machine suffix = ou=machines
obey pam restrictions = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUnix\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n *password\supdated\ssuccessfully*
domain logons = yes
logon path = \\fajar102.vulcan.com\%U\profile
logon home = \\fajar102.vulcan.com\%U
logon script = logon.cmd
#add user script = /usr/sbin/useradd --quiet --disabled-password --gecos "" %u
#add machine script = /usr/sbin/useradd --shell /bin/false --disabled-password --quiet "machine account" --force-badname %u
#add user script = /usr/sbin/useradd --quiet %u
#add machine script = /usr/sbin/useradd --shell /bin/false --quiet %u
######## FOR OPENSUSE ##########
username map = /etc/samba/smbusers
add user script = /usr/local/bin/smbldap-useradd -m %u
delete user script = /usr/local/bin/smbldap-userdel %u
add group script = /usr/local/bin/smbldap-groupadd -p %g
delete group script = /usr/local/bin/smbldap-groupdel %g
add user to group script = /usr/local/bin/smbldap-groupmod -m %g %u
delete user from group script = /usr/local/bin/smbldap-groupmod -x %g %u
set primary group script = /usr/local/bin/smbldap-usermod -g %g %u
add machine script = /usr/local/bin/smbldap-useradd -w %u
# if you want to add machines to domain automatically, add machine script is:
#add machine script = /usr/local/bin/smbldap-useradd -w -i %u
#################################
socket options = TCP_NODELAY
domain master = yes
local master = yes

The part that I'm not sure about is the useradd script. I used the one from Greg's howto, but it seems to be for Ubuntu, so I use the smbldap-tools from Scalix, and if used independently it seems to be working. I can query a user from LDAP with it.

Code:
fajar102:~ # smbldap-usershow adminsmb4
dn: uid=adminsmb4,ou=people,dc=vulcan,dc=com
displayName: Admin SMB4
givenName: Admin
objectClass: organizationalPerson,zimbraAccount,amavisAccount,posixAccount,sambaSamAccount
zimbraId: 3b832a17-132c-49af-95c3-46a1219c13df
zimbraMailStatus: enabled
zimbraMailDeliveryAddress: adminsmb4@vulcan.com
uid: adminsmb4
mail: adminsmb4@vulcan.com
cn: Admin SMB4
zimbraMailTransport: lmtp:fajar102.vulcan.com:7025
zimbraMailHost: fajar102.vulcan.com
sn: SMB4

This is the error in the Samba log:
Code:
Jul  5 13:49:07 fajar102 smbd[22231]: [2007/07/05 13:49:07, 3] smbd/service.c:make_connection_snum(950)
Jul  5 13:49:07 fajar102 smbd[22231]:   acer-centrino (192.168.1.237) connect to service IPC$ initially as user adminsmb4 (uid=20001, gid=20003) (pid 22231)

Jul  5 13:49:08 fajar102 smbd[22231]:   api_rpcTNP: rpc command: SAMR_LOOKUP_DOMAIN
Jul  5 13:49:08 fajar102 smbd[22231]: [2007/07/05 13:49:08, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2797)
Jul  5 13:49:08 fajar102 smbd[22231]:   Returning domain sid for domain VULCAN.COM -> S-1-5-21-1439140547-2811502038-3238742711

Jul  5 13:49:08 fajar102 smbd[22231]:   api_rpcTNP: rpc command: SAMR_OPEN_DOMAIN
Jul  5 13:49:08 fajar102 smbd[22231]: [2007/07/05 13:49:08, 3] lib/util_seaccess.c:se_access_check(250)
Jul  5 13:49:08 fajar102 smbd[22231]: [2007/07/05 13:49:08, 3] lib/util_seaccess.c:se_access_check(251)
Jul  5 13:49:08 fajar102 smbd[22231]:   se_access_check: user sid is S-1-5-21-1439140547-2811502038-3238742711-41002

Jul  5 13:49:08 fajar102 smbd[22231]:   api_rpcTNP: rpc command: SAMR_CREATE_USER
Jul  5 13:49:08 fajar102 smbd[22231]: [2007/07/05 13:49:08, 3] smbd/sec_ctx.c:push_sec_ctx(208)

Jul  5 13:49:09 fajar102 smbd[22231]: [2007/07/05 13:49:09, 0] passdb/pdb_interface.c:pdb_default_create_user(368)
Jul  5 13:49:09 fajar102 smbd[22231]:   _samr_create_user: Running the command `/usr/local/bin/smbldap-useradd -w acer-centrino$' gave 3
Jul  5 13:49:09 fajar102 smbd[22231]: [2007/07/05 13:49:09, 3] passdb/pdb_interface.c:pdb_default_create_user(384)
Jul  5 13:49:09 fajar102 smbd[22231]:   pdb_default_create_user: failed to create a new user structure: NT_STATUS_NO_SUCH_USER
Jul  5 13:49:09 fajar102 smbd[22231]: [2007/07/05 13:49:09, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
Jul  5 13:49:09 fajar102 smbd[22231]:   pop_sec_ctx (20001, 20003) - sec_ctx_stack_ndx = 0

From Windows XP, the error was:
Your computer could not be joined to the domain because the following error has occurred: The user name could not be found

Has anyone been able to overcome this?
Thanks.
  #2 (permalink)  
Old 07-05-2007, 01:15 AM
Loyal Member
 
Posts: 98

With reduced log level:
Code:
Jul  5 14:07:13 fajar102 smbd[24518]: [2007/07/05 14:07:13, 0] lib/util_sock.c:write_data(562)
Jul  5 14:07:13 fajar102 smbd[24518]:   write_data: write failure in writing to client 192.168.1.237. Error Connection reset by peer
Jul  5 14:07:13 fajar102 smbd[24518]: [2007/07/05 14:07:13, 0] lib/util_sock.c:send_smb(769)
Jul  5 14:07:13 fajar102 smbd[24518]:   Error writing 4 bytes to client. -1. (Connection reset by peer)
Jul  5 14:07:14 fajar102 smbd[24519]: [2007/07/05 14:07:14, 1] passdb/pdb_ldap.c:ldapsam_getgroup(2224)
Jul  5 14:07:14 fajar102 smbd[24519]:   ldapsam_getgroup: Duplicate entries for filter (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-1439140547-2811502038-3238742711-512)): count=2
Jul  5 14:07:14 fajar102 slapd[19349]: <= bdb_equality_candidates: (member) index_param failed (18)
Jul  5 14:07:14 fajar102 slapd[19349]: <= bdb_equality_candidates: (sambaGroupType) index_param failed (18)
Jul  5 14:07:14 fajar102 slapd[19349]: <= bdb_equality_candidates: (sambaSIDList) index_param failed (18)
Jul  5 14:07:14 fajar102 slapd[19349]: <= bdb_equality_candidates: (sambaSIDList) index_param failed (18)
Jul  5 14:07:14 fajar102 slapd[19349]: <= bdb_equality_candidates: (sambaSIDList) index_param failed (18)
Jul  5 14:07:14 fajar102 slapd[19349]: <= bdb_equality_candidates: (sambaSIDList) index_param failed (18)
Jul  5 14:07:14 fajar102 slapd[19349]: <= bdb_equality_candidates: (sambaSIDList) index_param failed (18)
Jul  5 14:07:14 fajar102 slapd[19349]: <= bdb_equality_candidates: (sambaSIDList) index_param failed (18)
Jul  5 14:07:14 fajar102 slapd[19349]: <= bdb_equality_candidates: (sambaSIDList) index_param failed (18)
Jul  5 14:07:14 fajar102 slapd[19349]: <= bdb_equality_candidates: (sambaGroupType) index_param failed (18)
Jul  5 14:07:14 fajar102 slapd[19349]: <= bdb_equality_candidates: (sambaSIDList) index_param failed (18)
Jul  5 14:07:14 fajar102 slapd[19349]: <= bdb_equality_candidates: (sambaSIDList) index_param failed (18)
Jul  5 14:07:14 fajar102 slapd[19349]: <= bdb_equality_candidates: (sambaSIDList) index_param failed (18)
Jul  5 14:07:14 fajar102 slapd[19349]: <= bdb_equality_candidates: (sambaSIDList) index_param failed (18)
Jul  5 14:07:14 fajar102 slapd[19349]: <= bdb_equality_candidates: (sambaSIDList) index_param failed (18)
Jul  5 14:07:14 fajar102 slapd[19349]: <= bdb_equality_candidates: (sambaSIDList) index_param failed (18)
Jul  5 14:07:14 fajar102 slapd[19349]: <= bdb_equality_candidates: (sambaSIDList) index_param failed (18)
Jul  5 14:07:25 fajar102 smbd[24519]: [2007/07/05 14:07:25, 0] passdb/pdb_interface.c:pdb_default_create_user(368)
Jul  5 14:07:25 fajar102 smbd[24519]:   _samr_create_user: Running the command `/usr/local/bin/smbldap-useradd -w acer-centrino$' gave 3
  #3 (permalink)  
Old 07-05-2007, 01:24 AM
Loyal Member
 
Posts: 98

Code:
fajar102:~ # smbldap-useradd -w acer$
Could not find base dn, to get next uidNumber at /usr/local/bin//smbldap_tools.pm line 1046.
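The smbd and slapd lines posted in the messages above can be triaged mechanically. The following is an added example, not part of the original posts or of Samba: it pulls out account scripts that exited non-zero, duplicate sambaGroupMapping SIDs (naming the well-known RID), and unindexed attributes. The names `triage` and `WELL_KNOWN_RIDS` are chosen here for illustration.

```python
import re
from collections import Counter

# Sample lines taken from the smbd/slapd excerpts posted in this thread.
SAMPLE_LOG = """\
Jul  5 14:07:14 fajar102 smbd[24519]: [2007/07/05 14:07:14, 1] passdb/pdb_ldap.c:ldapsam_getgroup(2224)
Jul  5 14:07:14 fajar102 smbd[24519]:   ldapsam_getgroup: Duplicate entries for filter (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-21-1439140547-2811502038-3238742711-512)): count=2
Jul  5 14:07:14 fajar102 slapd[19349]: <= bdb_equality_candidates: (sambaSIDList) index_param failed (18)
Jul  5 14:07:14 fajar102 slapd[19349]: <= bdb_equality_candidates: (sambaSIDList) index_param failed (18)
Jul  5 14:07:14 fajar102 slapd[19349]: <= bdb_equality_candidates: (sambaGroupType) index_param failed (18)
Jul  5 14:07:25 fajar102 smbd[24519]: [2007/07/05 14:07:25, 0] passdb/pdb_interface.c:pdb_default_create_user(368)
Jul  5 14:07:25 fajar102 smbd[24519]:   _samr_create_user: Running the command `/usr/local/bin/smbldap-useradd -w acer-centrino$' gave 3
"""

# Well-known domain RIDs (the last component of a domain SID).
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users",
                   514: "Domain Guests", 515: "Domain Computers"}

SCRIPT_RE = re.compile(r"Running the command `(.+?)' gave (\d+)")
DUP_RE = re.compile(r"Duplicate entries for filter .*\(sambaSID=(S-[\d-]+)\)\): count=(\d+)")
INDEX_RE = re.compile(r"bdb_equality_candidates: \((\w+)\) index_param failed")


def triage(log_text):
    """Collect the three kinds of finding that appear in the thread's logs."""
    failures, duplicates, unindexed = [], [], Counter()
    for line in log_text.splitlines():
        m = SCRIPT_RE.search(line)
        if m and int(m.group(2)) != 0:
            # smbd ran an account script and it exited non-zero.
            failures.append((m.group(1), int(m.group(2))))
        m = DUP_RE.search(line)
        if m:
            # More than one sambaGroupMapping entry claims the same SID.
            sid, count = m.group(1), int(m.group(2))
            rid = int(sid.rsplit("-", 1)[1])
            name = WELL_KNOWN_RIDS.get(rid, "RID %d" % rid)
            duplicates.append((sid, name, count))
        m = INDEX_RE.search(line)
        if m:
            # slapd searched on an attribute that has no equality index.
            unindexed[m.group(1)] += 1
    return {"script_failures": failures,
            "duplicate_group_sids": duplicates,
            "unindexed_attrs": dict(unindexed)}


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
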
  #4 (permalink)  
Old 07-07-2007, 02:44 AM
Loyal Member
 
Posts: 98
It should be on the FAQ

Hello,
After several days of searching the forum using all kinds of keywords, finally I found the solution:

It's on Zimbra Samba ext - no machine accounts

Oh boy! I'm so glad. Now I can join Windows XP to my Zimbra domain.
The writer is correct: since the howto is written for Ubuntu, the user add script cannot be used for openSUSE. In openSUSE, it should be:
Code:
add user script = /usr/sbin/useradd -m %u
add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u

I think it should be on the FAQ.
  #5 (permalink)  
Old 07-08-2007, 12:45 PM
OpenSource Builder & Moderator
 
Posts: 1,158

useradd should not be used for Samba/LDAP. Use the LDAP scripts that come with Samba - on some distros you might have to search for them, but they should be there somewhere. Adding a computer to a domain has always been a little flaky, but check that your root/administrator LDAP entry is working and is being recognised as a domain admin, and your computer entry should add OK. Older versions of Samba used to have a bug that reported an error, but if you look, the computer entry is actually added to the tree.

I find these packages are well built and up to date, often much more so than distro packages:
Enterprise Samba: samba-enterprise

Samba updates frequently and often fixes many bugs that often don't get backported to distro packages.
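One way to check an smb.conf against the advice in the reply above, as an added example that is not code from the thread or from Samba: when `passdb backend` is ldapsam, it reports every `... script` parameter whose command is a local account tool rather than an LDAP-aware one. The sample configuration is constructed from the two variants posted in this thread; the function names and the `LOCAL_TOOLS` list are assumptions made for the example.

```python
import os
import shlex

# Constructed sample combining the script lines posted in this thread.
SMB_CONF = """\
[global]
passdb backend = ldapsam:ldap://192.168.1.101
ldap machine suffix = ou=machines
logon script = logon.cmd
add user script = /usr/local/bin/smbldap-useradd -m %u
#add machine script = /usr/local/bin/smbldap-useradd -w %u
add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u
"""

# Assumed list: tools that edit the local passwd/group files, not the directory.
LOCAL_TOOLS = {"useradd", "userdel", "usermod",
               "groupadd", "groupdel", "groupmod"}


def parse_global(text):
    """Return the [global] parameters, names lower-cased with spaces collapsed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[" ".join(name.lower().split())] = value.strip()
    return params


def check_account_scripts(text):
    """List (parameter, tool) pairs that call a local tool under ldapsam."""
    params = parse_global(text)
    if not params.get("passdb backend", "").lower().startswith("ldapsam"):
        return []  # accounts are not kept in LDAP, nothing to compare
    findings = []
    for name, value in sorted(params.items()):
        if name.endswith(" script") and value:
            tool = os.path.basename(shlex.split(value)[0])
            if tool in LOCAL_TOOLS:
                findings.append((name, tool))
    return findings


if __name__ == "__main__":
    print(check_account_scripts(SMB_CONF))
```
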