Author Topic: LDAP Master + Samba PDC Slave + WinXP SP3 Client = Access Denied  (Read 11391 times)

eboxbuggy

  • Zen Monk
  • **
  • Posts: 89
  • Karma: +0/-0
LDAP Master + Samba PDC Slave + WinXP SP3 Client = Access Denied
« on: November 18, 2010, 09:11:10 am »
edit: title might be confusing so here's a brief network description
192.168.0.1 ldap master
192.168.0.2 samba pdc
192.168.0.3 winxp client

Am trying to connect my WinXP SP3 workstation with the Samba PDC.

I've changed the domain name numerous times, gave every user admin access, rebooted, had coffee, drank water, had tea ... wth?

Am I missing something?  ???

/var/log/samba/workstation1
Code:
[2010/11/18 16:03:44,  0] lib/util_sock.c:539(read_fd_with_timeout)
[2010/11/18 16:03:44,  0] lib/util_sock.c:1491(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.

tail /var/log/messages
Code:
Nov 18 16:03:43 pdcserver smbd_audit: user1|192.168.1.x|connect|ok|IPC$
Nov 18 16:03:43 pdcserver smbd_audit: user1|192.168.1.x|disconnect|ok|IPC$
Nov 18 16:03:44 pdcserver smbd_audit: user2|192.168.1.x|connect|ok|IPC$
Nov 18 16:03:45 pdcserver smbd_audit: user2|192.168.1.x|disconnect|ok|IPC$

tail /var/log/syslog
Code:
Nov 18 16:08:33 pdcserver slapd[2591]: <= bdb_equality_candidates: (uid) not indexed
Nov 18 16:08:33 pdcserver slapd[2591]: <= bdb_equality_candidates: (memberUid) not indexed
Nov 18 16:08:33 pdcserver slapd[2591]: <= bdb_equality_candidates: (uid) not indexed
Nov 18 16:08:33 pdcserver slapd[2591]: <= bdb_equality_candidates: (memberUid) not indexed

« Last Edit: December 02, 2010, 08:16:37 am by eboxbuggy »

eboxbuggy

  • Zen Monk
  • **
  • Posts: 89
  • Karma: +0/-0
Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
« Reply #1 on: November 18, 2010, 09:29:01 am »
The weird thing is if I try to connect through smbclient with the same username/password it works? ???
Code:
user@server ~ $ smbclient -L 192.168.1.x -U user1
Enter user1's password:
Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.4.9]

        Sharename       Type      Comment
        ---------       ----      -------
        testshare      Disk      Testshare share directory
        ebox-internal-backups Disk
        ebox-quarantine Disk
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (PDCSERVER File Server)
        user1   Disk      Home Directories
Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.4.9]

        Server               Comment
        ---------            -------
        PDCSERVER               PDCSERVER File Server

        Workgroup            Master
        ---------            -------
        DOMAIN              PDCSERVER

ldapsearch -x -b dc=ldap,dc=server
Code:
# Domain Admins, Groups, ldap.server
dn: cn=Domain Admins,ou=Groups,dc=ldap,dc=server
cn: Domain Admins
gidNumber: 512
objectClass: posixGroup
objectClass: sambaGroupMapping
objectClass: eboxGroup
memberUid: user1
memberUid: user2
displayName: Domain Admins
sambaGroupType: 2
sambaSID: S-1-1-11-12345667-123123123-1231231231-123
« Last Edit: November 18, 2010, 09:43:31 am by eboxbuggy »

javi

  • Zen Hero
  • *****
  • Posts: 1042
  • Karma: +0/-0
Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
« Reply #2 on: November 18, 2010, 09:38:52 am »
Where does it fail? When you try to join the machine to the domain?

eboxbuggy

  • Zen Monk
  • **
  • Posts: 89
  • Karma: +0/-0
Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
« Reply #3 on: November 18, 2010, 09:45:51 am »
Quote
Where does it fail? When you try to join the machine to the domain?
Yes. I can't join it to the domain. If I use the WRONG PASSWORD it says:
Code:
Logon failure: unknown username or bad password
I'm sure WinXP sees the user list from LDAP but somehow misses that the users are already administrators/domain admins ???

eboxbuggy

  • Zen Monk
  • **
  • Posts: 89
  • Karma: +0/-0
Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
« Reply #4 on: November 18, 2010, 09:50:03 am »
Is there a need to add every WinXP workstation to LDAP?
Code:
smbldap-useradd -w client-winxp
edit: didn't work either
« Last Edit: November 18, 2010, 10:06:49 am by eboxbuggy »

eboxbuggy

  • Zen Monk
  • **
  • Posts: 89
  • Karma: +0/-0
Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
« Reply #5 on: November 18, 2010, 10:00:54 am »
Saw this link in the Ubuntu forum but it didn't work:
http://ubuntuforums.org/showthread.php?t=1196622

trustbyte

  • Zen Apprentice
  • *
  • Posts: 9
  • Karma: +0/-0
Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
« Reply #6 on: November 18, 2010, 12:45:53 pm »
I could be wrong, but do you have a firewall activated on XP or Zentyal or in between them?

eboxbuggy

  • Zen Monk
  • **
  • Posts: 89
  • Karma: +0/-0
Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
« Reply #7 on: November 18, 2010, 02:52:20 pm »
Quote
I could be wrong, but do you have a firewall activated on XP or Zentyal or in between them?
Tried it on a fresh XP SP3 VM ... no firewall, no AV on both ???

Accessing the shares works fine with the username/password
Code:
\\192.168.1.x\testshare
XP somehow does not recognize the user as a domain admin/administrator.
Everything seems to work though if I do an LDAP search.

smbldap-groupshow "Administrators"
Code:
dn: cn=Administrators,ou=Groups,dc=ldap,dc=server
cn: Administrators
gidNumber: 544
objectClass: posixGroup,sambaGroupMapping,eboxGroup
memberUid: user1,user2
displayName: Administrators
sambaGroupType: 5
sambaSID: S-1-1-12-123

smbldap-groupshow "Domain Admins"
Code:
dn: cn=Domain Admins,ou=Groups,dc=ldap,dc=server
cn: Domain Admins
gidNumber: 512
objectClass: posixGroup,sambaGroupMapping,eboxGroup
memberUid: user1,user2
displayName: Domain Admins
sambaGroupType: 2
sambaSID: S-1-1-12-1234567890-1234567-123456789-123

eboxbuggy

  • Zen Monk
  • **
  • Posts: 89
  • Karma: +0/-0
Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
« Reply #8 on: November 18, 2010, 04:38:22 pm »
Well, off to bed ...

Here's the latest log
/var/log/samba/client-winxp1
Code:
[2010/11/18 23:32:39,  0] rpc_server/srv_netlog_nt.c:584(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account CLIENT-WINXP1$: NT_STATUS_ACCESS_DENIED
[2010/11/18 23:32:51,  0] lib/util_sock.c:539(read_fd_with_timeout)
[2010/11/18 23:32:51,  0] lib/util_sock.c:1491(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2010/11/18 23:33:40,  0] rpc_server/srv_netlog_nt.c:336(get_md4pw)
  get_md4pw: Workstation CLIENT-WINXP1$: no account in domain
[2010/11/18 23:33:40,  0] rpc_server/srv_netlog_nt.c:584(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account CLIENT-WINXP1$: NT_STATUS_ACCESS_DENIED

ldapsearch
Code:
# CLIENT-WINXP1$, Computers, ldap.server
dn: uid=CLIENT-WINXP1$,ou=Computers,dc=ldap,dc=server
objectClass: top
objectClass: account
objectClass: posixAccount
cn: CLIENT-WINXP1$
uid: CLIENT-WINXP1$
uidNumber: 2022
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
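
An added check, not code from the thread or from Zentyal, that audits the ldapsearch output above: Samba 3 with an LDAP passdb looks the joining workstation up as an entry named CLIENT-WINXP1$ that carries objectClass sambaSamAccount together with sambaSID, sambaNTPassword and a W in sambaAcctFlags, and an entry that is only a posixAccount is exactly what produces the "no account in domain" line in the smbd log. The sample LDIF, the second hostname and its SID and hash values are constructed placeholders; loginShell is deliberately not checked because machine accounts never log in and /bin/false is what smbldap-useradd -w assigns.

```python
# Added example, not from the thread: audit ou=Computers entries in an ldapsearch
# dump for what Samba 3's ldapsam backend needs from a machine trust account.
REQUIRED_CLASS = "sambaSamAccount"
REQUIRED_ATTRS = ("sambaSID", "sambaNTPassword", "sambaAcctFlags")

def parse_ldif(text):  # ldapsearch/LDIF text -> list of {attr: [values]} dicts
    entries, current, last = [], None, None
    for line in text.splitlines():
        if line.startswith("#") or not line.strip():
            continue                        # comment or entry separator
        if line.startswith(" ") and current and last:
            current[last][-1] += line[1:]   # LDIF folded continuation line
            continue
        attr, _, value = (s.strip() for s in line.partition(":"))
        if attr == "dn":
            current = {"dn": [value]}       # a new entry starts at its dn
            entries.append(current)
        elif current is not None:
            current.setdefault(attr, []).append(value)
        last = attr
    return entries

def audit_machine_account(entry):  # defects behind smbd's "no account in domain"
    problems = []
    if not entry.get("uid", [""])[0].endswith("$"):
        problems.append("uid must end with '$' for a machine trust account")
    if REQUIRED_CLASS not in entry.get("objectClass", []):
        problems.append(f"missing objectClass {REQUIRED_CLASS}")
    problems += [f"missing {a}" for a in REQUIRED_ATTRS if a not in entry]
    flags = entry.get("sambaAcctFlags", [""])[0]
    if "sambaAcctFlags" in entry and "W" not in flags:
        problems.append(f"sambaAcctFlags {flags!r} lacks the W (workstation) flag")
    return problems

# Constructed sample: the entry as posted above, plus a correct one (placeholder SID/hash).
SAMPLE_LDIF = """\
dn: uid=CLIENT-WINXP1$,ou=Computers,dc=ldap,dc=server
objectClass: account
objectClass: posixAccount
uid: CLIENT-WINXP1$
loginShell: /bin/false

dn: uid=CLIENT-OK$,ou=Computers,dc=ldap,dc=server
objectClass: posixAccount
objectClass: sambaSamAccount
uid: CLIENT-OK$
sambaSID: S-1-5-21-0-0-0-5046
sambaNTPassword: 00000000000000000000000000000000
sambaAcctFlags: [W          ]
"""
```

Run audit_machine_account over each entry from parse_ldif, either on SAMPLE_LDIF or on the text of ldapsearch -x -b ou=Computers,dc=ldap,dc=server; the posted entry yields four missing items, the constructed one none.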

eboxbuggy

  • Zen Monk
  • **
  • Posts: 89
  • Karma: +0/-0
Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
« Reply #9 on: November 19, 2010, 11:41:25 am »
hmmm ... guess it still is buggy ... no upgrades yet for me then :-\

C:\Windows\debug\NetSetup.log
Code:
11/19 18:29:24 -----------------------------------------------------------------
11/19 18:29:24 NetpValidateName: checking to see if 'DOMAIN' is valid as type 3 name
11/19 18:29:24 NetpCheckDomainNameIsValid [ Exists ] for 'DOMAIN' returned 0x0
11/19 18:29:24 NetpValidateName: name 'DOMAIN' is valid for type 3
11/19 18:29:33 -----------------------------------------------------------------
11/19 18:29:33 NetpDoDomainJoin
11/19 18:29:33 NetpMachineValidToJoin: 'CLIENT-WINXP1'
11/19 18:29:33 NetpGetLsaPrimaryDomain: status: 0x0
11/19 18:29:33 NetpMachineValidToJoin: status: 0x0
11/19 18:29:33 NetpJoinDomain
11/19 18:29:33 Machine: CLIENT-WINXP1
11/19 18:29:33 Domain: DOMAIN
11/19 18:29:33 MachineAccountOU: (NULL)
11/19 18:29:33 Account: DOMAIN\user1
11/19 18:29:33 Options: 0x25
11/19 18:29:33 OS Version: 5.1
11/19 18:29:33 Build number: 2600
11/19 18:29:33 ServicePack: Service Pack 3
11/19 18:29:33 NetpValidateName: checking to see if 'DOMAIN' is valid as type 3 name
11/19 18:29:33 NetpCheckDomainNameIsValid [ Exists ] for 'DOMAIN' returned 0x0
11/19 18:29:33 NetpValidateName: name 'DOMAIN' is valid for type 3
11/19 18:29:33 NetpDsGetDcName: trying to find DC in domain 'DOMAIN', flags: 0x1020
11/19 18:29:33 NetpDsGetDcName: found DC '\\PDCSERVER' in the specified domain
11/19 18:29:33 NetpJoinDomain: status of connecting to dc '\\PDCSERVER': 0x0
11/19 18:29:33 NetpGetLsaPrimaryDomain: status: 0x0
11/19 18:29:33 NetpGetNt4RefusePasswordChangeStatus: trying to read from '\\PDCSERVER'
11/19 18:29:33 NetpGetNt4RefusePasswordChangeStatus: RefusePasswordChange == 0
11/19 18:29:33 NetpLsaOpenSecret: status: 0xc0000034
11/19 18:29:33 NetpGetLsaPrimaryDomain: status: 0x0
11/19 18:29:33 NetpLsaOpenSecret: status: 0xc0000034
11/19 18:29:34 Failed to validate machine account for CLIENT-WINXP1 against \\PDCSERVER: 0xc000006d
11/19 18:29:34 NetpJoinDomain: w9x: status of validating account: 0x52e
11/19 18:29:34 NetpJoinDomain: initiaing a rollback due to earlier errors
11/19 18:29:34 NetpLsaOpenSecret: status: 0x0
11/19 18:29:34 NetpJoinDomain: rollback: status of deleting secret: 0x0
11/19 18:29:34 NetpJoinDomain: status of disconnecting from '\\PDCSERVER': 0x0
11/19 18:29:34 NetpDoDomainJoin: status: 0x52e
11/19 18:29:34 -----------------------------------------------------------------
11/19 18:29:34 NetpDoDomainJoin
11/19 18:29:34 NetpMachineValidToJoin: 'CLIENT-WINXP1'
11/19 18:29:34 NetpGetLsaPrimaryDomain: status: 0x0
11/19 18:29:34 NetpMachineValidToJoin: status: 0x0
11/19 18:29:34 NetpJoinDomain
11/19 18:29:34 Machine: CLIENT-WINXP1
11/19 18:29:34 Domain: DOMAIN
11/19 18:29:34 MachineAccountOU: (NULL)
11/19 18:29:34 Account: DOMAIN\user1
11/19 18:29:34 Options: 0x27
11/19 18:29:34 OS Version: 5.1
11/19 18:29:34 Build number: 2600
11/19 18:29:34 ServicePack: Service Pack 3
11/19 18:29:34 NetpValidateName: checking to see if 'DOMAIN' is valid as type 3 name
11/19 18:29:34 NetpCheckDomainNameIsValid [ Exists ] for 'DOMAIN' returned 0x0
11/19 18:29:34 NetpValidateName: name 'DOMAIN' is valid for type 3
11/19 18:29:34 NetpDsGetDcName: trying to find DC in domain 'DOMAIN', flags: 0x1020
11/19 18:29:34 NetpDsGetDcName: found DC '\\PDCSERVER' in the specified domain
11/19 18:29:34 NetpJoinDomain: status of connecting to dc '\\PDCSERVER': 0x0
11/19 18:29:34 NetpGetLsaPrimaryDomain: status: 0x0
11/19 18:29:34 NetpGetNt4RefusePasswordChangeStatus: trying to read from '\\PDCSERVER'
11/19 18:29:34 NetpGetNt4RefusePasswordChangeStatus: RefusePasswordChange == 0
11/19 18:29:34 NetpLsaOpenSecret: status: 0xc0000034
11/19 18:29:34 NetpGetLsaPrimaryDomain: status: 0x0
11/19 18:29:34 NetpLsaOpenSecret: status: 0xc0000034
11/19 18:29:34 NetpManageMachineAccountWithSid: NetUserAdd on '\\PDCSERVER' for 'CLIENT-WINXP1$' failed: 0x5
11/19 18:29:34 NetpJoinDomain: status of creating account: 0x5
11/19 18:29:34 NetpJoinDomain: initiaing a rollback due to earlier errors
11/19 18:29:34 NetpLsaOpenSecret: status: 0x0
11/19 18:29:34 NetpJoinDomain: rollback: status of deleting secret: 0x0
11/19 18:29:34 NetpJoinDomain: status of disconnecting from '\\PDCSERVER': 0x0
11/19 18:29:34 NetpDoDomainJoin: status: 0x5

« Last Edit: November 19, 2010, 11:45:17 am by eboxbuggy »

trustbyte

  • Zen Apprentice
  • *
  • Posts: 9
  • Karma: +0/-0
Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
« Reply #10 on: November 19, 2010, 11:44:13 am »
loginShell: /bin/false

Shouldn't it have a viable shell? Or is it not related to the documentation??

# Set a valid shell like 'bash' in "Users and Groups -> LDAP Settings"
# The above change will only affect the users we create from now on.

eboxbuggy

  • Zen Monk
  • **
  • Posts: 89
  • Karma: +0/-0
Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
« Reply #11 on: November 19, 2010, 11:50:11 am »
Quote
loginShell: /bin/false

Shouldn't it have a viable shell? Or is it not related to the documentation??

# Set a valid shell like 'bash' in "Users and Groups -> LDAP Settings"
# The above change will only affect the users we create from now on.
Hmmm ... the /bin/false was default for adding the machine account. I did the machine adding manually.

If you set up LDAP & Samba manually with a different distribution you need to add the machine account. You probably didn't do this when you had yours working, right?
Code:
smbldap-useradd -w client-winxp
edit: I found a site that said to add a -i option in the addmachine script of smb.conf but it always reverted to the default when I restarted it. So I did this again manually but it still failed
Code:
smbldap-useradd -i -w client-winxp
« Last Edit: November 19, 2010, 11:56:13 am by eboxbuggy »

trustbyte

  • Zen Apprentice
  • *
  • Posts: 9
  • Karma: +0/-0
Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
« Reply #12 on: November 19, 2010, 12:09:56 pm »
Quote
You probably didn't do this when you had yours working right?
Code:
smbldap-useradd -w client-winxp

Nope, nothing like that.

eboxbuggy

  • Zen Monk
  • **
  • Posts: 89
  • Karma: +0/-0
Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
« Reply #13 on: November 19, 2010, 12:15:55 pm »
Yeah this thing is supposed to work OOB  ::)

Anyway, I'll try to go with your "ALL-IN-ONE" box design. Will just change my logon scripts to bind the other file server shares.

more overtime work for me without pay :o

edit: nvm ... lol
« Last Edit: November 19, 2010, 12:26:57 pm by eboxbuggy »

mburillo

  • Zentyal Staff
  • Zen Apprentice
  • *****
  • Posts: 43
  • Karma: +4/-0
Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
« Reply #14 on: November 19, 2010, 09:58:52 pm »
Quote
more overtime work for me without pay

Actually, the idea of the subscription + support is to save the sysadmin time and avoid risks
in production deployments. On the webpage and in the official offering we clearly state
that the free version is meant for testing environments. Putting the community version of Zentyal
in a production environment is under your own criteria and risk.
Zentyal Staff - Product Manager