Topic: LDAP Master + Samba PDC Slave + WinXP SP3 Client = Access Denied

eboxbuggy

Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
« Reply #15 on: November 20, 2010, 05:04:43 am »
Actually, the idea of the subscription + support is to save the sysadmin time and avoid risks in production deployments. In the webpage and the official offering we clearly state that the free version is meant for testing environments. If you put the community version of Zentyal in a production environment, it is under your own criteria and risk.
I still do have this version 2 on VM for testing. Borked my server with 1.4 when I upgraded from 1.2 so I learned my lesson from that.

US$255 subscription + US$645 support per year? Which I would probably use 1-2x in a year? Thanks but I'll just stick with 1.4 in the meantime.

I don't know about the others here but personally I think it would be nice to have a working distribution in exchange for all the BUG TESTING we are doing for you.

Isn't that the concept of having a community version? We tell you the problem, you fix it, and charge other people for it.

You get something ... we get something too.  ;)

javivazquez

Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
« Reply #16 on: November 20, 2010, 07:33:36 pm »
I don't know about the others here but personally I think it would be nice to have a working distribution in exchange for all the BUG TESTING we are doing for you.

Isn't that the concept of having a community version? We tell you the problem, you fix it, and charge other people for it.

You get something ... we get something too.  ;)

There are thousands of Zentyal 2.0 servers working out there, in many industries, from high schools and universities to finance companies. A few of them are even published in our website:
http://www.zentyal.com/en/products/success/

We much appreciate the support and collaboration of our community, it's huge and supportive.  Zentyal Server couldn't have reached 250.000 downloads in the last 12 months (almost 1.000 downloads/day in average last 3 months by the way) without your help: supporting others with doubts, finding bugs, translating Zentyal UI to dozens of different languages...

On the other hand, as any other open source company, we offer products and services around our open source product Zentyal Server: subscriptions, add-ons, tech support, consultancy and training.

However, I would like to stress that there is no such thing as a community version of Zentyal Server; there is only one public source code repository. If we strongly recommend subscriptions for servers in production, it is because of:
* First, the quality assurance (QA) for updates.
As you know, we depend on third-party open source modules included with Ubuntu Server. Sometimes, getting updates directly from Ubuntu repositories breaks Zentyal Server, so we make sure that our paying customers get their updates from our quality-assured-packages repository.
* Secondly, the different services included with them: alerts, reports, monitoring, remote administration, etc.
* And finally, tech support is only eligible in case you have a subscription.

In summary, eboxbuggy, we sincerely thank you for your help finding bugs. As you will understand, we are much interested in continuously improving Zentyal Server, because that's the same software our customers rely on.

The only point is that our paying customers have the priority on deciding what bugs are fixed first (and sometimes which new features are developed also), which might delay other stuff reported by the community, but take for granted that every bug will be squashed eventually ;-)
« Last Edit: November 20, 2010, 07:35:21 pm by javivazquez »

pgarcia

Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
« Reply #17 on: November 21, 2010, 09:03:55 pm »
==> /var/log/samba/servidor <==
[2010/11/19 17:09:40,  1] smbd/service.c:676(make_connection_snum)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED


I have this same issue with PDC and Windows 2003.

I hope someone can resolve it.

Sam Graf

Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
« Reply #18 on: November 22, 2010, 08:25:44 am »
In summary, eboxbuggy, we sincerely thank you for your help finding bugs. As you will understand, we are much interested in continuously improving Zentyal Server, because that's the same software our customers rely on.

The only point is that our paying customers have the priority on deciding what bugs are fixed first (and sometimes which new features are developed also), which might delay other stuff reported by the community, but take for granted that every bug will be squashed eventually ;-)

Please keep in mind that some of us may just be (legitimately?) confused about what direction Zentyal is moving in, and what to expect from the project. In particular, nachico's comments have caused me some confusion about how things work; not the comments themselves, but how things have unfolded since they were published.

I certainly appreciate the great patience that the Zentyal staff show toward the community here. At the same time, perhaps things are not as clear to us as they are to those inside the project. Things are always clearer to those in-the-know than to those who aren't. :)

pgarcia

Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
« Reply #19 on: November 25, 2010, 06:49:42 pm »
I have notified my issue here with more info and logs: http://trac.ebox-platform.com/ticket/2542

I hope someone can help us.

Thanks

javivazquez

Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
« Reply #20 on: November 26, 2010, 01:16:54 am »
The only point is that our paying customers have the priority on deciding what bugs are fixed first (and sometimes which new features are developed also), which might delay other stuff reported by the community, but take for granted that every bug will be squashed eventually ;-)

Please keep in mind that some of us may just be (legitimately?) confused about what direction Zentyal is moving in, and what to expect from the project. In particular, nachico's comments have caused me some confusion about how things work; not the comments themselves, but how things have unfolded since they were published.

I certainly appreciate the great patience that the Zentyal staff show toward the community here. At the same time, perhaps things are not as clear to us as they are to those inside the project. Things are always clearer to those in-the-know than to those who aren't. :)

Sam, sorry for the late reply, I hadn't seen your comment until now.

Regarding nachico's comment in August, the Localization Team was launched and quite a few guys joined it, which has much improved the number of languages totally (or almost) translated. In the future, we hope to launch similar groups for e.g. beta-testing.

The rest of the current work on Zentyal Server (from development to marketing, etc.) is mainly done by Zentyal staff, and the community helps as commented: supporting others with doubts, finding bugs, ... It's true, we couldn't be here without you guys.

Finally, our paying customers have priority on bugfixing or some new features, just because of the business relation.

In case my post doesn't reply to all your doubts, please feel free to ask further. I would much appreciate knowing your thoughts.
« Last Edit: November 26, 2010, 01:18:34 am by javivazquez »

Sam Graf

Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
« Reply #21 on: November 26, 2010, 06:09:56 pm »
I don't have doubts, just to be clear, just confusion. :)

Perhaps part of the problem is just how I'm reading nachico's announcement. You and I are clearly reading it differently :) . But it's not my purpose to debate nachico's intent, only to point out that the community and the staff apparently can see sentences like, "But we believe that more people, not just the employees of one single company, should have the chance to get involved in the project and have the right to assume responsibilities, give their opinion and help taking decisions" very differently. :)

So I just ask that Zentyal staff take that into account as we in the community respond to Zentyal as an open source project and product. I'm not trying to say that the community understanding is the right understanding, only that I think there is some room for us to be legitimately confused about the big picture and the details (so that we can know clearly what our testing experience should look like).

For example, to tell potential customers testing Zentyal that bugs they've run across are not as important to fix as the bugs found by existing customers could be sending the wrong message. People most likely are assuming that what they download to test should work exactly as advertised over the short term. To more or less say that the public download can be expected to have bugs and that fixing them may be low priority not only seems to me contrary to the spirit of nachico's announcement (according to my reading :) ), but also to good salesmanship :) .

All just my humble opinion, of course. :)
« Last Edit: November 26, 2010, 06:14:08 pm by Sam Graf »

bamalam

Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
« Reply #22 on: November 26, 2010, 11:05:57 pm »
Potential Fix to the Problem

I had the same problem as eboxbuggy but with a LDAP master and Samba PDC master configuration - note that the heading on this post says Samba PDC Slave. I was getting Access denied as well but my first mistake was using a regular Linux login with superuser privileges.

The solution starts by using a user created in Zentyal for the username and password in joining the domain. This user must have the following for PDC/File Sharing - Administration rights and I had User Account: Enabled

This didn't work initially and then I gave this user a working shell and not the nologin one that eboxbuggy appears to have as mentioned in a post above. This should normally be done by having the Default Shell: bash. Also the Enable PAM was ticked. Using bash for this account means that it can issue commands so this is very logical. Note that it is possible to modify this for an existing user by altering the loginShell value for the user in the LDAP database using the ldap_modify command from a superuser shell.

Note that the errors in the original post about "endpoint termination" and so on are irrelevant. This was not causing the problem and are still there afterwards even though the shares and other features work. The PC used for testing was wirelessly connected - maybe that had something to do with it.

In any case - there is no need to fiddle with setting up users for each PC connected - that is why it wasn't built into Zentyal! Let's not assume it is buggy - sure documentation could be expanded on (Wiki needed) but I have been very impressed with my evaluation of Zentyal so far. It is full of terrific ideas and well presented.

bamalam

nachico

  • Zentyal Staff
Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
« Reply #23 on: November 28, 2010, 10:08:18 pm »
Hi Sam,

I don't have doubts, just to be clear, just confusion. :)

Perhaps part of the problem is just how I'm reading nachico's announcement. You and I are clearly reading it differently :) . But it's not my purpose to debate nachico's intent, only to point out that the community and the staff apparently can see sentences like, "But we believe that more people, not just the employees of one single company, should have the chance to get involved in the project and have the right to assume responsibilities, give their opinion and help taking decisions" very differently. :)

I don't see the announcement I made as confusing: it is our goal to open up much more to the community and to move to a community-based development model. And we have carried out every single promise that was included in that announcement: we have launched the localization team, assigning responsibility over the management of the translation to members of the community who are not employees of our company. We have set a series of rules to manage the different language groups and the whole translation team in a similar manner as it is handled in other communities. And we are planning to continue with the following team and continue opening up.

Maybe the confusion came from the fact that you expected it to be a faster process. So did we. We expected to receive a more general support to the idea, and even some excitement, but as you can see my announcement had zero responses. We got some pretty good volunteers for the translation team but only after leading the whole process and being very proactive, so the natural conclusion we drew was that we have to invest a great effort before we can finally have a community-based development model. So, unfortunately we will open up slower than expected, with the available energy after having invested the time we need in keeping improving the project and being economically sustainable.

So I just ask that Zentyal staff take that into account as we in the community respond to Zentyal as an open source project and product. I'm not trying to say that the community understanding is the right understanding, only that I think there is some room for us to be legitimately confused about the big picture and the details (so that we can know clearly what our testing experience should look like).

I am very open to any question you want to ask anytime you feel confused about our decisions. In fact, I would be delighted to answer such questions in the forum :-)

For example, to tell potential customers testing Zentyal that bugs they've run across are not as important to fix as the bugs found by existing customers could be sending the wrong message. People most likely are assuming that what they download to test should work exactly as advertised over the short term. To more or less say that the public download can be expected to have bugs and that fixing them may be low priority not only seems to me contrary to the spirit of nachico's announcement (according to my reading :) ), but also to good salesmanship :) .

Well, I don't think that's what Javi meant. We take great care of every bug that is reported and we are eventually going to fix them all. But concerning priorities, when we have to choose between investing our efforts in fixing a bug that helps improve the product and fixing a bug that helps improve the product and the economical sustainability of the project, it is a no-brainer that we should focus first on the latter before solving the former, right? Obviously, we are open to get help in debugging or receiving patches and those are very valid (and welcome) ways to accelerate the fixing of a bug.
CEO at Zentyal

Sam Graf

Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
« Reply #24 on: November 29, 2010, 12:13:39 am »
I don't see the announcement I made as confusing: it is our goal to open up much more to the community and to move to a community-based development model.

As I mentioned earlier, the announcement seems straightforward enough. Where I get confused is in the implementation. The differences between Ubuntu as a project and Zentyal as a project are as instructive as the similarities.

But it's not my place or especially my desire to "argue" this further. Economic sustainability is, of course, a two-way street. Those of us in the SMB market using Zentyal in testing environments (and perhaps desperately trying to prove something one way or another to management) are testing not just a product, but also an idea: the long-term economic viability of Linux-driven solutions in general in our market space, and Zentyal in particular as an instance of that kind of solution.

In the end, we all work within the information and resources and priorities we have. Thanks to all for the excellent responses; I appreciate them much. :)

pgarcia

Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
« Reply #25 on: November 30, 2010, 10:40:34 am »
Potential Fix to the Problem

I had the same problem as eboxbuggy but with a LDAP master and Samba PDC master configuration - note that the heading on this post says Samba PDC Slave. I was getting Access denied as well but my first mistake was using a regular Linux login with superuser privileges.

The solution starts by using a user created in Zentyal for the username and password in joining the domain. This user must have the following for PDC/File Sharing - Administration rights and I had User Account: Enabled

First, I have the problem with Samba PDC Slave and I can't get it to run.

I added some users with Administration rights and User Account: Enabled

This didn't work initially and then I gave this user a working shell and not the nologin one that eboxbuggy appears to have as mentioned in a post above. This should normally be done by having the Default Shell: bash. Also the Enable PAM was ticked. Using bash for this account means that it can issue commands so this is very logical. Note that it is possible to modify this for an existing user by altering the loginShell value for the user in the LDAP database using the ldap_modify command from a superuser shell.
bamalam


Also I have tried with some Default Shell: bash, rbash and nologin without result.

pgarcia

Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
« Reply #26 on: December 01, 2010, 01:37:41 am »
I experimented with a standalone master PDC and a slave PDC with a clean installation; the master PDC has worked but the slave has made the same mistake I've reported previously.

Any idea??


bamalam

Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
« Reply #27 on: December 01, 2010, 09:59:43 pm »
pgarcia

Note that the one thing I forgot to mention above is that I did an update of the Zentyal components so that they are the latest available. There are updates available for an installed 2.0-2 system.

I've gone through the ticket you raised on this problem (now at http://trac.zentyal.org/ticket/2542) but I still don't understand your setup. Do you want to have one server as a PDC master (a windows 2003 box?) and another as a Samba PDC slave (known as a Backup Domain controller - BDC)? Is the BDC combined with the LDAP master or is this another server?

Note that a Samba PDC is only designed to work with a Samba BDC and mixing things with a Windows PDC is likely to be complicated and may not work. See the options here:
     http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html
If you want redundancy the better option might be to have two Zentyal servers one as Samba PDC/LDAP master and the other as Samba BDC/LDAP slave.

Note that the script that adds the client PC (or machine as it is known in LDAP) is called smbldap-useradd according to your smb.conf file but it has no reference that I can see:
     http://manpages.ubuntu.com/manpages/lucid/en/man8/smbldap-useradd.8.html
to a separate host. Presumably if you wanted to set LDAP as a separate server you would have to equip the Samba PDC as an LDAP client with a connection pointing to the ldaps port of the LDAP master.

Note that the only experience I have is with one server that is an LDAP master and Samba PDC master combined.

bamalam

eboxbuggy

Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
« Reply #28 on: December 02, 2010, 05:50:30 am »
Potential Fix to the Problem

I had the same problem as eboxbuggy but with a LDAP master and Samba PDC master configuration - note that the heading on this post says Samba PDC Slave. I was getting Access denied as well but my first mistake was using a regular Linux login with superuser privileges.

Thanks for the info bamalam ... will try this one out with a new install. I upgraded my old installation and it somehow borked everything on my LDAP Master. Will post the bugs in a new thread.  ;D


eboxbuggy

Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
« Reply #29 on: December 02, 2010, 07:57:58 am »
Well it looks like it still doesn't work bamalam ...  ???

Edited the admin users, and created new ones with PAM ENABLED, gave them /bin/bash login shell. Tried /bin/sh too but that didn't work either.

Still getting ACCESS DENIED
12/02 14:57:43 NetpDoDomainJoin
12/02 14:57:43 NetpMachineValidToJoin: 'XPTEST'
12/02 14:57:43 NetpGetLsaPrimaryDomain: status: 0x0
12/02 14:57:43 NetpMachineValidToJoin: status: 0x0
12/02 14:57:43 NetpJoinDomain
12/02 14:57:43 Machine: XPTEST
12/02 14:57:43 Domain: DOMAIN
12/02 14:57:43 MachineAccountOU: (NULL)
12/02 14:57:43 Account: DOMAIN\admin1
12/02 14:57:43 Options: 0x27
12/02 14:57:43 OS Version: 5.1
12/02 14:57:43 Build number: 2600
12/02 14:57:43 ServicePack: Service Pack 3
12/02 14:57:43 NetpValidateName: checking to see if 'DOMAIN' is valid as type 3 name
12/02 14:57:43 NetpCheckDomainNameIsValid [ Exists ] for 'DOMAIN' returned 0x0
12/02 14:57:43 NetpValidateName: name 'DOMAIN' is valid for type 3
12/02 14:57:43 NetpDsGetDcName: trying to find DC in domain 'DOMAIN', flags: 0x1020
12/02 14:57:43 NetpDsGetDcName: found DC '\\PDCSERVER' in the specified domain
12/02 14:57:43 NetpJoinDomain: status of connecting to dc '\\PDCSERVER': 0x0
12/02 14:57:43 NetpGetLsaPrimaryDomain: status: 0x0
12/02 14:57:43 NetpGetNt4RefusePasswordChangeStatus: trying to read from '\\PDCSERVER'
12/02 14:57:43 NetpGetNt4RefusePasswordChangeStatus: RefusePasswordChange == 0
12/02 14:57:43 NetpLsaOpenSecret: status: 0xc0000034
12/02 14:57:43 NetpGetLsaPrimaryDomain: status: 0x0
12/02 14:57:43 NetpLsaOpenSecret: status: 0xc0000034
12/02 14:57:43 NetpManageMachineAccountWithSid: NetUserAdd on '\\PDCSERVER' for 'XPTEST$' failed: 0x5
12/02 14:57:43 NetpJoinDomain: status of creating account: 0x5
12/02 14:57:43 NetpJoinDomain: initiaing a rollback due to earlier errors
12/02 14:57:43 NetpLsaOpenSecret: status: 0x0
12/02 14:57:43 NetpJoinDomain: rollback: status of deleting secret: 0x0
12/02 14:57:43 NetpJoinDomain: status of disconnecting from '\\PDCSERVER': 0x0
12/02 14:57:43 NetpDoDomainJoin: status: 0x5
« Last Edit: December 02, 2010, 08:04:32 am by eboxbuggy »
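
A join log like the one in the post above can be read mechanically: take the final NetpDoDomainJoin status and find the first step that returned the same code. The following is an added example, not part of the original thread; the function names and the small status table are this example's own, and the sample lines are a subset copied from the post.

```python
import re
from typing import List, NamedTuple, Optional

# Subset of the join log lines from the post above, copied verbatim.
SAMPLE_LOG = r"""
12/02 14:57:43 NetpDoDomainJoin
12/02 14:57:43 Account: DOMAIN\admin1
12/02 14:57:43 Options: 0x27
12/02 14:57:43 NetpDsGetDcName: found DC '\\PDCSERVER' in the specified domain
12/02 14:57:43 NetpJoinDomain: status of connecting to dc '\\PDCSERVER': 0x0
12/02 14:57:43 NetpLsaOpenSecret: status: 0xc0000034
12/02 14:57:43 NetpManageMachineAccountWithSid: NetUserAdd on '\\PDCSERVER' for 'XPTEST$' failed: 0x5
12/02 14:57:43 NetpJoinDomain: status of creating account: 0x5
12/02 14:57:43 NetpJoinDomain: initiaing a rollback due to earlier errors
12/02 14:57:43 NetpJoinDomain: rollback: status of deleting secret: 0x0
12/02 14:57:43 NetpDoDomainJoin: status: 0x5
"""

# Only the codes that occur in this log; extend as needed.
STATUS_NAMES = {
    0x0: "success",
    0x5: "ERROR_ACCESS_DENIED (Win32)",
    0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND (NTSTATUS)",
}

LINE_RE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) ([^:]+)(?::\s*(.*))?$")
# A trailing hex value counts as a status only after "status", "failed" or
# "returned", so fields such as "Options: 0x27" are not mistaken for one.
CODE_RE = re.compile(r"\b(?:status[^:]*|failed|returned):?\s+(0x[0-9a-fA-F]+)\s*$")


class Entry(NamedTuple):
    timestamp: str
    step: str
    message: str
    code: Optional[int]


def parse(log_text: str) -> List[Entry]:
    """Split each log line into timestamp, step name, message and status code."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # blank or unrecognised line
        c = CODE_RE.search(line)
        code = int(c.group(1), 16) if c else None
        entries.append(Entry(m.group(1), m.group(2).strip(), m.group(3) or "", code))
    return entries


def describe(code: int) -> str:
    return STATUS_NAMES.get(code, "unknown 0x%x" % code)


def root_cause(entries: List[Entry]) -> Optional[Entry]:
    """Earliest entry carrying the join's final failure code; None if the join succeeded."""
    final = next((e for e in reversed(entries)
                  if e.step == "NetpDoDomainJoin" and e.code is not None), None)
    if final is None or final.code == 0:
        return None
    return next(e for e in entries if e.code == final.code)


if __name__ == "__main__":
    cause = root_cause(parse(SAMPLE_LOG))
    if cause:
        print("%s: %s -> %s" % (cause.step, cause.message, describe(cause.code)))
```

On the sample lines this points at the NetUserAdd call for the machine account 'XPTEST$', which is the step the server refused.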