Steve,
Are you using OpenLDAP? Is it possible that during the Debian upgrade, the
OpenLDAP schema files got changed, and so it's failing because updates would
violate the schema (perhaps because the samba schema file is now missing or
not being loaded?)
Somewhere in there, I think Debian switched from using OpenLDAP with schema
configuration files to schema-over-LDAP updates. If it tried to convert your
schema and failed, or even just flat-out ignored it, that would cause the
problem.
Turn slapd's logging to debug or sniff the LDAP transaction when you try to
join the machine and see what that gets you?
Wes
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
I'm running samba 3.2.5 as a domain controller on a Debian Lenny server
with authentication data stored in a local openldap instance. The server
has been running smoothly since I originally set it up on Sarge. I upgraded
to Etch a while back and then to Lenny about a month ago.
I'm trying to add a new Windows XP SP3 client to the domain for the first
time since the latest upgrade and I'm getting the error message "The user
name could not be found" on the client. I've joined clients to the domain
previously with no problems using the "root" account on the server.
Upon examining the LDAP entries I can see that an account *was* created for
the computer (named foshan), but it is incomplete as it only has the
following attributes:
cn foshan$
description Computer
gecos Computer
gidNumber 515
homeDirectory /dev/null
loginShell /bin/false
uid foshan$
uidNumber 4905
Looking at a previously joined computer account, it should contain the
following (some details removed):
cn clientname$
description Computer
displayName CLIENTNAME$
gecos Computer
gidNumber 515
homeDirectory /dev/null
loginShell /bin/false
sambaAcctFlags [W ]
sambaNTPassword ...
sambaPrimaryGroupSID ...
sambaPwdCanChange ...
sambaPwdLastSet ...
sambaPwdMustChange ...
sambaSID ...
sn clientname$
uid clientname$
uidNumber 3023
The log file log.foshan has these error messages interspersed throughout it:
[2009/09/18 15:02:04, 0] lib/util_sock.c:get_peer_addr_internal(1676)
getpeername failed. Error was Transport endpoint is not connected
write_data: write failure in writing to client 0.0.0.0. Error Connection
reset by peer
[2009/09/18 15:02:04, 0] smbd/process.c:srv_send_smb(74)
Error writing 4 bytes to client. -1. (Transport endpoint is not connected)
However, the join itself doesn't seem to have failed:
[2009/09/18 15:02:04, 2] auth/auth.c:check_ntlm_password(308)
check_ntlm_password: authentication for user [root] -> [root] -> [root]
succeeded
[2009/09/18 15:02:04, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
init_group_from_ldap: Entry found for group: 544
[2009/09/18 15:02:04, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
init_group_from_ldap: Entry found for group: 512
[2009/09/18 15:02:05, 0] lib/util_sock.c:write_data(1136)
[2009/09/18 15:02:05, 0] lib/util_sock.c:get_peer_addr_internal(1676)
getpeername failed. Error was Transport endpoint is not connected
write_data: write failure in writing to client 0.0.0.0. Error Connection
reset by peer
[2009/09/18 15:02:05, 0] smbd/process.c:srv_send_smb(74)
Error writing 4 bytes to client. -1. (Transport endpoint is not connected)
[2009/09/18 15:02:05, 2] lib/smbldap.c:smbldap_open_connection(796)
smbldap_open_connection: connection opened
[2009/09/18 15:02:05, 2] passdb/pdb_ldap.c:init_sam_from_ldap(571)
init_sam_from_ldap: Entry found for user: root
[2009/09/18 15:02:05, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
init_group_from_ldap: Entry found for group: 512
[2009/09/18 15:02:05, 2] auth/auth.c:check_ntlm_password(308)
check_ntlm_password: authentication for user [root] -> [root] -> [root]
succeeded
[2009/09/18 15:02:05, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
init_group_from_ldap: Entry found for group: 544
[2009/09/18 15:02:05, 2] passdb/pdb_ldap.c:init_group_from_ldap(2344)
init_group_from_ldap: Entry found for group: 512
[2009/09/18 15:02:06, 2] rpc_server/srv_samr_nt.c:_samr_LookupDomain(3490)
Returning domain sid for domain MAC -> S-1-... etc
Thanks for any suggestions on what to look for.
-Steve
That sounds likely. I'll look into it.
-Steve
I've done some more digging and realized two things:
1. My "add machine script" is "smbldap-useradd -w '%u'", but the -w switch
only creates a posix machine account. Apparently what I want is the -i
switch which is not listed on the man page.
2. Using the -i switch and running smbldap-useradd from the command line
gives me the error:
"failed to add entry: structural object class modification from 'account'
to 'inetOrgPerson' not allowed at /usr/sbin/smbldap-useradd line 311,
<STDIN> line 2."
Looking at smbldap-useradd I can see that it first creates a posix machine
account with this code in smbldap_tools.pm:
    my $add = $ldap->add (
        "uid=$user,$config{computersdn}",
        attr => [
            'objectclass' => [
                'top', 'account', 'posixAccount'
            ],
            'cn'            => "$user",
            'uid'           => "$user",
            'uidNumber'     => "$uid",
            'gidNumber'     => "$gid",
            'homeDirectory' => '/dev/null',
            'loginShell'    => '/bin/false',
            'description'   => 'Computer',
            'gecos'         => 'Computer',
        ]
    );
Then it tries to modify the entry with this code in smbldap-useradd which
is where it dies:
    my $modify = $ldap_master->modify (
        "uid=$userName,$config{computersdn}",
        changes => [
            replace => [
                objectClass => [
                    'top', 'person', 'organizationalPerson',
                    'inetOrgPerson', 'posixAccount', 'sambaSAMAccount']],
            add => [sambaLogonTime       => '0'],
            add => [sambaLogoffTime      => '2147483647'],
            add => [sambaKickoffTime     => '2147483647'],
            add => [sambaPwdCanChange    => '0'],
            add => [sambaPwdMustChange   => '2147483647'],
            add => [sambaPwdLastSet      => "$date"],
            add => [sambaAcctFlags       => '[I ]'],
            add => [sambaLMPassword      => "$lmpassword"],
            add => [sambaNTPassword      => "$ntpassword"],
            add => [sambaSID             => "$user_sid"],
            add => [sambaPrimaryGroupSID => "$config{SID}-515"]
        ]
    );
Looking at all the other entries I see no other accounts with an object
class of "account" so this seems to be the problem. But I don't know what
to do about it.
It's defining it as objectClass 'account' in the first entry.
    attr => [
        'objectclass' => [
            'top', 'account', 'posixAccount'
        ],
You'll have to look at your schema, but you can probably get away with
replacing "account" in the first codelet with "inetOrgPerson".
Wes
Thanks. That seems to have done the trick. Along with making sure the W
Samba account flag was set.
-Steve
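The error Steve hit is slapd enforcing the RFC 4512 rule that an entry's structural object class cannot change once the entry exists: 'account' (RFC 4524) and 'inetOrgPerson' (RFC 2798, via organizationalPerson and person) are both STRUCTURAL classes on different superior chains, so a modify that replaces the objectClass set with the inetOrgPerson chain is refused, whereas adding the AUXILIARY sambaSamAccount class to an entry that was created as inetOrgPerson in the first place keeps the structural class and goes through. The Python below is an added illustration of that rule, not code from this thread, OpenLDAP or smbldap-tools; the schema table is hand-entered from the public schema definitions and the function names are this example's own. It models only the structural-class check; a real slapd would also enforce MUST attributes (person requires cn and sn), which the model ignores.

```python
# Toy model of slapd's structural-object-class check on a modify that
# replaces objectClass. Example code written for this thread; not OpenLDAP
# or smbldap-tools code. Schema facts are from RFC 4512/4524/2798/2307 and
# samba.schema; everything else (names, messages) is this example's own.

SCHEMA = {
    # objectClass name: (kind, superior class)
    "top":                  ("ABSTRACT",   None),
    "person":               ("STRUCTURAL", "top"),
    "organizationalPerson": ("STRUCTURAL", "person"),
    "inetOrgPerson":        ("STRUCTURAL", "organizationalPerson"),
    "account":              ("STRUCTURAL", "top"),
    "posixAccount":         ("AUXILIARY",  "top"),
    "sambaSamAccount":      ("AUXILIARY",  "top"),
}

# objectClass names are case-insensitive in LDAP ('sambaSAMAccount' == 'sambaSamAccount').
_BY_LOWER = {name.lower(): name for name in SCHEMA}


def canonical(name):
    """Map a user-supplied objectClass value onto its schema spelling."""
    try:
        return _BY_LOWER[name.lower()]
    except KeyError:
        raise ValueError("objectClass %r not in schema" % name)


def superiors(name):
    """Return [name, its superior, ..., 'top']."""
    chain, cur = [], canonical(name)
    while cur is not None:
        chain.append(cur)
        cur = SCHEMA[cur][1]
    return chain


def structural_class(objectclasses):
    """Most subordinate STRUCTURAL class of an objectClass value set.

    Raises ValueError if there is none or if the structural classes present
    do not all lie on one superior chain (slapd rejects such entries too).
    """
    structurals = [canonical(o) for o in objectclasses
                   if SCHEMA[canonical(o)][0] == "STRUCTURAL"]
    if not structurals:
        raise ValueError("no structural object class")
    for cand in structurals:
        # The effective class is the one whose chain contains all the others.
        if all(s in superiors(cand) for s in structurals):
            return cand
    raise ValueError("invalid structural object class chain: %s"
                     % ", ".join(structurals))


def check_objectclass_replace(current, replacement):
    """Model the check slapd applies when a modify replaces objectClass.

    Returns (ok, message). The entry's existing structural class is taken
    from `current`; `replacement` is the full new objectClass value list.
    """
    old = structural_class(current)
    try:
        new = structural_class(replacement)
    except ValueError as exc:
        return False, str(exc)
    if old != new:
        return False, ("structural object class modification from '%s' to "
                       "'%s' not allowed" % (old, new))
    return True, "ok"


# Constructed from the smbldap-tools snippets quoted in the thread.
BROKEN_CREATE = ["top", "account", "posixAccount"]        # original add()
FIXED_CREATE = ["top", "inetOrgPerson", "posixAccount"]   # Wes's suggestion
SAMBA_REPLACE = ["top", "person", "organizationalPerson", "inetOrgPerson",
                 "posixAccount", "sambaSAMAccount"]        # the modify()

if __name__ == "__main__":
    print(check_objectclass_replace(BROKEN_CREATE, SAMBA_REPLACE))
    print(check_objectclass_replace(FIXED_CREATE, SAMBA_REPLACE))
```

Running it reproduces the thread's message for the 'account' entry and accepts the modify once the entry starts life as inetOrgPerson. The same helper also flags the other failure mode worth knowing when hand-editing objectClass lists: putting two unrelated structural classes (say 'account' and 'inetOrgPerson') on one entry is an invalid chain and is rejected outright.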