Zentyal Forum, Linux Small Business Server

Zentyal Server => Installation and Upgrades => Topic started by: eboxbuggy on November 18, 2010, 09:11:10 am

Title: LDAP Master + Samba PDC Slave + WinXP SP3 Client = Access Denied
Post by: eboxbuggy on November 18, 2010, 09:11:10 am
edit: title might be confusing so here's a brief network description
192.168.0.1 ldap master
192.168.0.2 samba pdc
192.168.0.3 winxp client

Am trying to connect my WinXP SP3 workstation with the Samba PDC.

I've changed the domain name numerous times, gave every user admin access, rebooted, had coffee, drank water, had tea ... wth?

Am I missing something?  ???

/var/log/samba/workstation1
Code:
[2010/11/18 16:03:44,  0] lib/util_sock.c:539(read_fd_with_timeout)
[2010/11/18 16:03:44,  0] lib/util_sock.c:1491(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.

tail /var/log/messages
Code:
Nov 18 16:03:43 pdcserver smbd_audit: user1|192.168.1.x|connect|ok|IPC$
Nov 18 16:03:43 pdcserver smbd_audit: user1|192.168.1.x|disconnect|ok|IPC$
Nov 18 16:03:44 pdcserver smbd_audit: user2|192.168.1.x|connect|ok|IPC$
Nov 18 16:03:45 pdcserver smbd_audit: user2|192.168.1.x|disconnect|ok|IPC$

tail /var/log/syslog
Code:
Nov 18 16:08:33 pdcserver slapd[2591]: <= bdb_equality_candidates: (uid) not indexed
Nov 18 16:08:33 pdcserver slapd[2591]: <= bdb_equality_candidates: (memberUid) not indexed
Nov 18 16:08:33 pdcserver slapd[2591]: <= bdb_equality_candidates: (uid) not indexed
Nov 18 16:08:33 pdcserver slapd[2591]: <= bdb_equality_candidates: (memberUid) not indexed

Title: Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
Post by: eboxbuggy on November 18, 2010, 09:29:01 am
The weird thing is if I try to connect through smbclient with the same username/password it works? ???
Code:
user@server ~ $ smbclient -L 192.168.1.x -U user1
Enter user1's password:
Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.4.9]

        Sharename       Type      Comment
        ---------       ----      -------
        testshare      Disk      Testshare share directory
        ebox-internal-backups Disk
        ebox-quarantine Disk
        print$          Disk      Printer Drivers
        IPC$            IPC       IPC Service (PDCSERVER File Server)
        user1   Disk      Home Directories
Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.4.9]

        Server               Comment
        ---------            -------
        PDCSERVER               PDCSERVER File Server

        Workgroup            Master
        ---------            -------
        DOMAIN              PDCSERVER

ldapsearch -x -b dc=ldap,dc=server
Code:
# Domain Admins, Groups, ldap.server
dn: cn=Domain Admins,ou=Groups,dc=ldap,dc=server
cn: Domain Admins
gidNumber: 512
objectClass: posixGroup
objectClass: sambaGroupMapping
objectClass: eboxGroup
memberUid: user1
memberUid: user2
displayName: Domain Admins
sambaGroupType: 2
sambaSID: S-1-1-11-12345667-123123123-1231231231-123
Title: Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
Post by: javi on November 18, 2010, 09:38:52 am
Where does it fail? When you try to join the machine to the domain?
Title: Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
Post by: eboxbuggy on November 18, 2010, 09:45:51 am
Quote
Where does it fail? When you try to join the machine to the domain?
Yes. I can't join it to the domain. If I use the WRONG PASSWORD it says:
Code:
Logon failure: unknown username or bad password
I'm sure WinXP sees the user list from LDAP but somehow misses that the users are already administrators/domain admins ???
Title: Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
Post by: eboxbuggy on November 18, 2010, 09:50:03 am
Is there a need to add every WinXP workstation to LDAP?
Code:
smbldap-useradd -w client-winxp
edit: didn't work either
Title: Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
Post by: eboxbuggy on November 18, 2010, 10:00:54 am
Saw this link in the Ubuntu forum but it didn't work
http://ubuntuforums.org/showthread.php?t=1196622
Title: Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
Post by: trustbyte on November 18, 2010, 12:45:53 pm
i could be wrong, but do you have firewall activated on xp or zentyal or in between them?
Title: Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
Post by: eboxbuggy on November 18, 2010, 02:52:20 pm
Quote
i could be wrong, but do you have firewall activated on xp or zentyal or in between them?
tried it on a fresh xp sp3 vm ... no firewall, no av on both ???

accessing the shares works fine with the username/password
Code:
\\192.168.1.x\testshare
xp somehow does not recognize the user as a domain admin/administrator
everything seems to work though if i do an ldap search

smbldap-groupshow "Administrators"
Code:
dn: cn=Administrators,ou=Groups,dc=ldap,dc=server
cn: Administrators
gidNumber: 544
objectClass: posixGroup,sambaGroupMapping,eboxGroup
memberUid: user1,user2
displayName: Administrators
sambaGroupType: 5
sambaSID: S-1-1-12-123

smbldap-groupshow "Domain Admins"
Code:
dn: cn=Domain Admins,ou=Groups,dc=ldap,dc=server
cn: Domain Admins
gidNumber: 512
objectClass: posixGroup,sambaGroupMapping,eboxGroup
memberUid: user1,user2
displayName: Domain Admins
sambaGroupType: 2
sambaSID: S-1-1-12-1234567890-1234567-123456789-123
Title: Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
Post by: eboxbuggy on November 18, 2010, 04:38:22 pm
well off to bed ...

here's the latest log
/var/log/samba/client-winxp1
Code:
[2010/11/18 23:32:39,  0] rpc_server/srv_netlog_nt.c:584(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account CLIENT-WINXP1$: NT_STATUS_ACCESS_DENIED
[2010/11/18 23:32:51,  0] lib/util_sock.c:539(read_fd_with_timeout)
[2010/11/18 23:32:51,  0] lib/util_sock.c:1491(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  read_fd_with_timeout: client 0.0.0.0 read error = Connection reset by peer.
[2010/11/18 23:33:40,  0] rpc_server/srv_netlog_nt.c:336(get_md4pw)
  get_md4pw: Workstation CLIENT-WINXP1$: no account in domain
[2010/11/18 23:33:40,  0] rpc_server/srv_netlog_nt.c:584(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: failed to get machine password for account CLIENT-WINXP1$: NT_STATUS_ACCESS_DENIED

ldapsearch
Code:
# CLIENT-WINXP1$, Computers, ldap.server
dn: uid=CLIENT-WINXP1$,ou=Computers,dc=ldap,dc=server
objectClass: top
objectClass: account
objectClass: posixAccount
cn: CLIENT-WINXP1$
uid: CLIENT-WINXP1$
uidNumber: 2022
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
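An added check, not from the thread or from Zentyal: the Computers entry quoted above, run through a small validator for the attributes Samba's ldapsam backend looks up. ldapsam searches for uid=NAME$ with objectClass sambaSamAccount, so an entry that carries only posixAccount is not a domain account to it. The second entry is a constructed, complete counterpart with a placeholder SID.

```python
"""Check LDIF machine-account entries for what Samba's ldapsam backend needs.

Added example; not code from the thread, Zentyal or smbldap-tools. ldapsam
looks a machine account up as (&(uid=NAME$)(objectClass=sambaSamAccount)),
so an entry with only posixAccount is invisible to it. The first sample entry
is the one quoted in the thread; the second is a constructed complete
counterpart whose domain SID is a placeholder."""

DOMAIN_COMPUTERS_GID = "515"   # well-known gid/RID of "Domain Computers"


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, every attribute kept
    as a list of values, '#' comments skipped, folded lines re-joined."""
    entries, cur, last_key = [], {}, None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
            cur, last_key = {}, None
            continue
        if line.startswith(" ") and last_key:        # folded continuation line
            cur[last_key][-1] += line[1:]
            continue
        key, _, val = line.partition(":")
        last_key = key.strip()
        cur.setdefault(last_key, []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries


def machine_account_problems(entry):
    """Reasons this entry would not serve as a Samba machine account
    (an empty list means it looks complete)."""
    first = lambda k: entry.get(k, [""])[0]
    classes = {c.lower() for c in entry.get("objectClass", [])}
    problems = []
    if not first("uid").endswith("$"):
        problems.append("uid does not end in '$'")
    if "posixaccount" not in classes:
        problems.append("missing objectClass posixAccount")
    if "sambasamaccount" not in classes:
        problems.append("missing objectClass sambaSamAccount (ldapsam lookup filter)")
    if not first("sambaSID"):
        problems.append("missing sambaSID")
    if "W" not in first("sambaAcctFlags"):
        problems.append("sambaAcctFlags lacks W (workstation trust account)")
    if first("gidNumber") != DOMAIN_COMPUTERS_GID:
        problems.append("gidNumber is not 515 (Domain Computers)")
    return problems


def report(ldif_text):
    """Map each entry's uid to its list of problems."""
    return {e.get("uid", ["?"])[0]: machine_account_problems(e)
            for e in parse_ldif(ldif_text)}


# Constructed sample: the thread's entry, then a complete counterpart.
SAMPLE_LDIF = """\
# CLIENT-WINXP1$, Computers, ldap.server
dn: uid=CLIENT-WINXP1$,ou=Computers,dc=ldap,dc=server
objectClass: top
objectClass: account
objectClass: posixAccount
cn: CLIENT-WINXP1$
uid: CLIENT-WINXP1$
uidNumber: 2022
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer

# XPTEST$ as a complete machine account (placeholder domain SID)
dn: uid=XPTEST$,ou=Computers,dc=ldap,dc=server
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
cn: XPTEST$
uid: XPTEST$
uidNumber: 2023
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
sambaSID: S-1-5-21-0-0-0-5046
sambaAcctFlags: [W          ]
"""

if __name__ == "__main__":
    for uid, problems in report(SAMPLE_LDIF).items():
        print(uid, "->", problems or "ok")
```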
Title: Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
Post by: eboxbuggy on November 19, 2010, 11:41:25 am
hmmm ... guess it still is buggy ... no upgrades yet for me then :-\

C:\Windows\debug\NetSetup.log
Code:
11/19 18:29:24 -----------------------------------------------------------------
11/19 18:29:24 NetpValidateName: checking to see if 'DOMAIN' is valid as type 3 name
11/19 18:29:24 NetpCheckDomainNameIsValid [ Exists ] for 'DOMAIN' returned 0x0
11/19 18:29:24 NetpValidateName: name 'DOMAIN' is valid for type 3
11/19 18:29:33 -----------------------------------------------------------------
11/19 18:29:33 NetpDoDomainJoin
11/19 18:29:33 NetpMachineValidToJoin: 'CLIENT-WINXP1'
11/19 18:29:33 NetpGetLsaPrimaryDomain: status: 0x0
11/19 18:29:33 NetpMachineValidToJoin: status: 0x0
11/19 18:29:33 NetpJoinDomain
11/19 18:29:33 Machine: CLIENT-WINXP1
11/19 18:29:33 Domain: DOMAIN
11/19 18:29:33 MachineAccountOU: (NULL)
11/19 18:29:33 Account: DOMAIN\user1
11/19 18:29:33 Options: 0x25
11/19 18:29:33 OS Version: 5.1
11/19 18:29:33 Build number: 2600
11/19 18:29:33 ServicePack: Service Pack 3
11/19 18:29:33 NetpValidateName: checking to see if 'DOMAIN' is valid as type 3 name
11/19 18:29:33 NetpCheckDomainNameIsValid [ Exists ] for 'DOMAIN' returned 0x0
11/19 18:29:33 NetpValidateName: name 'DOMAIN' is valid for type 3
11/19 18:29:33 NetpDsGetDcName: trying to find DC in domain 'DOMAIN', flags: 0x1020
11/19 18:29:33 NetpDsGetDcName: found DC '\\PDCSERVER' in the specified domain
11/19 18:29:33 NetpJoinDomain: status of connecting to dc '\\PDCSERVER': 0x0
11/19 18:29:33 NetpGetLsaPrimaryDomain: status: 0x0
11/19 18:29:33 NetpGetNt4RefusePasswordChangeStatus: trying to read from '\\PDCSERVER'
11/19 18:29:33 NetpGetNt4RefusePasswordChangeStatus: RefusePasswordChange == 0
11/19 18:29:33 NetpLsaOpenSecret: status: 0xc0000034
11/19 18:29:33 NetpGetLsaPrimaryDomain: status: 0x0
11/19 18:29:33 NetpLsaOpenSecret: status: 0xc0000034
11/19 18:29:34 Failed to validate machine account for CLIENT-WINXP1 against \\PDCSERVER: 0xc000006d
11/19 18:29:34 NetpJoinDomain: w9x: status of validating account: 0x52e
11/19 18:29:34 NetpJoinDomain: initiaing a rollback due to earlier errors
11/19 18:29:34 NetpLsaOpenSecret: status: 0x0
11/19 18:29:34 NetpJoinDomain: rollback: status of deleting secret: 0x0
11/19 18:29:34 NetpJoinDomain: status of disconnecting from '\\PDCSERVER': 0x0
11/19 18:29:34 NetpDoDomainJoin: status: 0x52e
11/19 18:29:34 -----------------------------------------------------------------
11/19 18:29:34 NetpDoDomainJoin
11/19 18:29:34 NetpMachineValidToJoin: 'CLIENT-WINXP1'
11/19 18:29:34 NetpGetLsaPrimaryDomain: status: 0x0
11/19 18:29:34 NetpMachineValidToJoin: status: 0x0
11/19 18:29:34 NetpJoinDomain
11/19 18:29:34 Machine: CLIENT-WINXP1
11/19 18:29:34 Domain: DOMAIN
11/19 18:29:34 MachineAccountOU: (NULL)
11/19 18:29:34 Account: DOMAIN\user1
11/19 18:29:34 Options: 0x27
11/19 18:29:34 OS Version: 5.1
11/19 18:29:34 Build number: 2600
11/19 18:29:34 ServicePack: Service Pack 3
11/19 18:29:34 NetpValidateName: checking to see if 'DOMAIN' is valid as type 3 name
11/19 18:29:34 NetpCheckDomainNameIsValid [ Exists ] for 'DOMAIN' returned 0x0
11/19 18:29:34 NetpValidateName: name 'DOMAIN' is valid for type 3
11/19 18:29:34 NetpDsGetDcName: trying to find DC in domain 'DOMAIN', flags: 0x1020
11/19 18:29:34 NetpDsGetDcName: found DC '\\PDCSERVER' in the specified domain
11/19 18:29:34 NetpJoinDomain: status of connecting to dc '\\PDCSERVER': 0x0
11/19 18:29:34 NetpGetLsaPrimaryDomain: status: 0x0
11/19 18:29:34 NetpGetNt4RefusePasswordChangeStatus: trying to read from '\\PDCSERVER'
11/19 18:29:34 NetpGetNt4RefusePasswordChangeStatus: RefusePasswordChange == 0
11/19 18:29:34 NetpLsaOpenSecret: status: 0xc0000034
11/19 18:29:34 NetpGetLsaPrimaryDomain: status: 0x0
11/19 18:29:34 NetpLsaOpenSecret: status: 0xc0000034
11/19 18:29:34 NetpManageMachineAccountWithSid: NetUserAdd on '\\PDCSERVER' for 'CLIENT-WINXP1$' failed: 0x5
11/19 18:29:34 NetpJoinDomain: status of creating account: 0x5
11/19 18:29:34 NetpJoinDomain: initiaing a rollback due to earlier errors
11/19 18:29:34 NetpLsaOpenSecret: status: 0x0
11/19 18:29:34 NetpJoinDomain: rollback: status of deleting secret: 0x0
11/19 18:29:34 NetpJoinDomain: status of disconnecting from '\\PDCSERVER': 0x0
11/19 18:29:34 NetpDoDomainJoin: status: 0x5

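An added example, not code from the thread, Zentyal or Samba: a small decoder that walks the NetSetup.log quoted above attempt by attempt, names the first real failing step with its NTSTATUS/Win32 meaning and the NetJoinDomain option bits in force, and pairs it with the PDC's get_md4pw line from the earlier post. The flag and status tables are the public lmjoin.h and ntstatus/winerror values; the sample lines are constructed from the quoted logs.

```python
"""Decode a NetSetup.log join attempt stage by stage and pair it with the Samba
PDC's netlogon error for the same machine account.

Added example; not code from the thread, Zentyal or Samba. JOIN_FLAGS are the
NetJoinDomain option bits (lmjoin.h), STATUS_NAMES the public NTSTATUS/Win32
values seen in this thread; the samples are constructed from the quoted logs."""
import re

JOIN_FLAGS = {0x1: "JOIN_DOMAIN", 0x2: "ACCT_CREATE", 0x4: "ACCT_DELETE",
              0x10: "WIN9X_UPGRADE", 0x20: "DOMAIN_JOIN_IF_JOINED",
              0x40: "JOIN_UNSECURE", 0x80: "MACHINE_PWD_PASSED", 0x100: "DEFER_SPN_SET"}
STATUS_NAMES = {0x0: "SUCCESS", 0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND",
                0xC000006D: "STATUS_LOGON_FAILURE", 0x5: "ERROR_ACCESS_DENIED",
                0x52E: "ERROR_LOGON_FAILURE"}
# A never-joined client has no $MACHINE.ACC secret yet: expected noise, not the fault.
BENIGN = {("NetpLsaOpenSecret: status", 0xC0000034)}

_LINE = re.compile(r"^\d\d/\d\d \d\d:\d\d:\d\d (.*)$")
_FIELD = re.compile(r"^(Machine|Domain|Account|Options): (.*)$")
# Only status/failed/returned lines carry a result code ('flags: 0x1020' does not).
_CODE = re.compile(r"^(.*?(?:status|failed|returned)[^:]*):?\s*(0x[0-9A-Fa-f]+)$", re.I)
_MD4PW = re.compile(r"get_md4pw: Workstation (\S+): no account in domain")


def parse_netsetup(text):
    """One dict per NetpDoDomainJoin block: machine, domain, account, options,
    failures [(step, code)] with benign ones dropped, and the final result."""
    attempts, cur = [], None
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group(1)
        if msg == "NetpDoDomainJoin":
            cur = {"machine": "", "domain": "", "account": "", "options": 0,
                   "failures": [], "result": None}
            attempts.append(cur)
        elif cur is None:
            continue
        elif _FIELD.match(msg):
            key, val = _FIELD.match(msg).groups()
            cur[key.lower()] = int(val, 16) if key == "Options" else val
        elif (c := _CODE.match(msg)):
            step, code = c.group(1), int(c.group(2), 16)
            if step == "NetpDoDomainJoin: status":
                cur["result"], cur = code, None            # block finished
            elif code and (step, code) not in BENIGN:
                cur["failures"].append((step, code))
    return attempts


def option_names(options):
    return [n for bit, n in JOIN_FLAGS.items() if options & bit]


def samba_missing_accounts(text):
    """Machine accounts the PDC could not look up when a client authenticated."""
    return sorted(set(_MD4PW.findall(text)))


def diagnose(netsetup_text, samba_text):
    """One line per attempt naming the first real failing step, with the PDC's
    own 'no account' message attached where it matches."""
    missing, out = samba_missing_accounts(samba_text), []
    for n, a in enumerate(parse_netsetup(netsetup_text), 1):
        names = option_names(a["options"])
        head = "attempt %d: %s -> %s as %s [%s]" % (
            n, a["machine"], a["domain"], a["account"], ", ".join(names))
        if a["result"] == 0:
            out.append(head + ": joined")
            continue
        step, code = a["failures"][0] if a["failures"] else ("NetpDoDomainJoin", a["result"] or 0)
        line = "%s: failed at '%s' with %#x (%s)" % (
            head, step, code, STATUS_NAMES.get(code, "unknown"))
        # Without ACCT_CREATE the client expects a pre-created machine account.
        if "ACCT_CREATE" not in names and a["machine"] + "$" in missing:
            line += "; PDC logged no account for %s$" % a["machine"]
        out.append(line)
    return out


NETSETUP_SAMPLE = r"""
11/19 18:29:33 NetpDoDomainJoin
11/19 18:29:33 Machine: CLIENT-WINXP1
11/19 18:29:33 Domain: DOMAIN
11/19 18:29:33 Account: DOMAIN\user1
11/19 18:29:33 Options: 0x25
11/19 18:29:33 NetpDsGetDcName: trying to find DC in domain 'DOMAIN', flags: 0x1020
11/19 18:29:33 NetpLsaOpenSecret: status: 0xc0000034
11/19 18:29:34 Failed to validate machine account for CLIENT-WINXP1 against \\PDCSERVER: 0xc000006d
11/19 18:29:34 NetpJoinDomain: w9x: status of validating account: 0x52e
11/19 18:29:34 NetpDoDomainJoin: status: 0x52e
11/19 18:29:34 NetpDoDomainJoin
11/19 18:29:34 Machine: CLIENT-WINXP1
11/19 18:29:34 Domain: DOMAIN
11/19 18:29:34 Account: DOMAIN\user1
11/19 18:29:34 Options: 0x27
11/19 18:29:34 NetpManageMachineAccountWithSid: NetUserAdd on '\\PDCSERVER' for 'CLIENT-WINXP1$' failed: 0x5
11/19 18:29:34 NetpJoinDomain: status of creating account: 0x5
11/19 18:29:34 NetpDoDomainJoin: status: 0x5
"""
SAMBA_SAMPLE = "  get_md4pw: Workstation CLIENT-WINXP1$: no account in domain\n"
```

Run as a script it prints nothing; call diagnose(NETSETUP_SAMPLE, SAMBA_SAMPLE) to get one finding per attempt.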
Title: Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
Post by: trustbyte on November 19, 2010, 11:44:13 am
loginShell: /bin/false

Shouldn't it have a viable shell? Or is it not related to the documentation??

# Set a valid shell like 'bash' in "Users and Groups -> LDAP Settings"
# The above change will only affect the users we create from now on.

Title: Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
Post by: eboxbuggy on November 19, 2010, 11:50:11 am
Quote
loginShell: /bin/false

Shouldn't it have a viable shell? Or is it not related to the documentation??

# Set a valid shell like 'bash' in "Users and Groups -> LDAP Settings"
# The above change will only affect the users we create from now on.
Hmmm ... the /bin/false was default for adding the machine account. I did the machine adding manually.

If you setup LDAP & Samba manually with a different distribution you need to add the machine account. You probably didn't do this when you had yours working right?
Code:
smbldap-useradd -w client-winxp
edit: I found a site that said to add a -i option in the addmachine script of smb.conf but it always reverted to the default when I restarted it. So I did this again manually but it still failed
Code:
smbldap-useradd -i -w client-winxp
Title: Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
Post by: trustbyte on November 19, 2010, 12:09:56 pm
Quote
You probably didn't do this when you had yours working right?
Code:
smbldap-useradd -w client-winxp

Nope, nothing like that.
Title: Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
Post by: eboxbuggy on November 19, 2010, 12:15:55 pm
Yeah this thing is supposed to work OOB  ::)

Anyway, I'll try to go with your "ALL-IN-ONE" box design. Will just change my logon scripts to bind the other file server shares.

more overtime work for me without pay :o

edit: nvm ... lol
Title: Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
Post by: mburillo on November 19, 2010, 09:58:52 pm
Quote
more overtime work for me without pay

Actually, the idea of the subscription + support is to save the sysadmin time and avoid risks
in production deployments. On the webpage and in the official offering we clearly state
that the free version is meant for testing environments. If you put the community version of Zentyal
in a production environment, it is under your own criteria and risk.
Title: Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
Post by: eboxbuggy on November 20, 2010, 05:04:43 am
Quote
Actually, the idea of the subscription + support is to save the sysadmin time and avoid risks
in production deployments. On the webpage and in the official offering we clearly state
that the free version is meant for testing environments. If you put the community version of Zentyal
in a production environment, it is under your own criteria and risk.
I still do have this version 2 on VM for testing. Borked my server with 1.4 when I upgraded from 1.2 so I learned my lesson from that.

US$255 subscription + US$645 support per year? Which I would probably use 1-2x in a year? Thanks but I'll just stick with 1.4 in the meantime.

I don't know about the others here but personally I think it would be nice to have a working distribution in exchange for all the BUG TESTING we are doing for you.

Isn't that the concept of having a community version? We tell you the problem, you fix it, and charge other people for it.

You get something ... we get something too.  ;)
Title: Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
Post by: javivazquez on November 20, 2010, 07:33:36 pm
Quote
I don't know about the others here but personally I think it would be nice to have a working distribution in exchange for all the BUG TESTING we are doing for you.

Isn't that the concept of having a community version? We tell you the problem, you fix it, and charge other people for it.

You get something ... we get something too.  ;)

There are thousands of Zentyal 2.0 servers working out there, in many industries, from high schools and universities to finance companies. A few of them are even published in our website:
http://www.zentyal.com/en/products/success/

We much appreciate the support and collaboration of our community, it's huge and supportive.  Zentyal Server couldn't have reached 250.000 downloads in the last 12 months (almost 1.000 downloads/day in average last 3 months by the way) without your help: supporting others with doubts, finding bugs, translating Zentyal UI to dozens of different languages...

On the other hand, as any other open source company, we offer products and services around our open source product Zentyal Server: subscriptions, add-ons, tech support, consultancy and training.

However, I would like to stress that there is no such thing as a community version of Zentyal Server; there is only one public source code repository. If we strongly recommend subscriptions for servers in production, it is because of:
* First, the quality assurance (QA) for updates.
As you know, we depend on third-party open source modules included with Ubuntu Server. Sometimes, getting updates directly from Ubuntu repositories breaks Zentyal Server, so we make sure that our paying customers get their updates from our quality-assured-packages repository.
* Secondly, the different services included with them: alerts, reports, monitoring, remote administration, etc.
* And finally, tech support is only eligible in case you have a subscription.

In summary, eboxbuggy, we sincerely thank you for your help finding bugs. As you will understand, we are very interested in continuously improving Zentyal Server, because that's the same software our customers rely on.

The only point is that our paying customers have the priority on deciding what bugs are fixed first (and sometimes which new features are developed also), which might delay other stuff reported by the community, but take for granted that every bug will be squashed eventually ;-)
Title: Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
Post by: pgarcia on November 21, 2010, 09:03:55 pm
==> /var/log/samba/servidor <==
[2010/11/19 17:09:40,  1] smbd/service.c:676(make_connection_snum)
  create_connection_server_info failed: NT_STATUS_ACCESS_DENIED


I have these same issues with PDC and Windows 2003.

I hope someone can resolve it.
Title: Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
Post by: Sam Graf on November 22, 2010, 08:25:44 am
Quote
In summary, eboxbuggy, we sincerely thank you for your help finding bugs. As you will understand, we are very interested in continuously improving Zentyal Server, because that's the same software our customers rely on.

The only point is that our paying customers have the priority on deciding what bugs are fixed first (and sometimes which new features are developed also), which might delay other stuff reported by the community, but take for granted that every bug will be squashed eventually ;-)

Please keep in mind that some of us may just be (legitimately?) confused about what direction Zentyal is moving in, and what to expect from the project. In particular, nachico's comments (http://forum.zentyal.org/index.php?topic=4554.0) have caused me some confusion about how things work; not the comments themselves, but how things have unfolded since they were published.

I certainly appreciate the great patience that the Zentyal staff show toward the community here. At the same time, perhaps things are not as clear to us as they are to those inside the project. Things are always clearer to those in-the-know than to those who aren't. :)
Title: Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
Post by: pgarcia on November 25, 2010, 06:49:42 pm
I have reported my issue here with more info and logs: http://trac.ebox-platform.com/ticket/2542

I hope someone can help us.

Thanks
Title: Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
Post by: javivazquez on November 26, 2010, 01:16:54 am
Quote
The only point is that our paying customers have the priority on deciding what bugs are fixed first (and sometimes which new features are developed also), which might delay other stuff reported by the community, but take for granted that every bug will be squashed eventually ;-)

Please keep in mind that some of us may just be (legitimately?) confused about what direction Zentyal is moving in, and what to expect from the project. In particular, nachico's comments (http://forum.zentyal.org/index.php?topic=4554.0) have caused me some confusion about how things work; not the comments themselves, but how things have unfolded since they were published.

I certainly appreciate the great patience that the Zentyal staff show toward the community here. At the same time, perhaps things are not as clear to us as they are to those inside the project. Things are always clearer to those in-the-know than to those who aren't. :)

Sam, sorry for the late reply, I hadn't seen your comment until now.

Regarding nachico's comment in August, the Localization Team was launched and quite a few guys joined it, which has much improved the number of languages totally (or almost) translated. In the future, we hope to launch similar groups for e.g. beta-testing.

The rest of the current work on Zentyal Server (from development to marketing, etc.) is mainly done by Zentyal staff, and the community helps as commented: supporting others with doubts, finding bugs, ... It's true, we couldn't be here without you guys.

Finally, our paying customers have priority on bugfixing or some new features, just because of the business relation.

In case my post doesn't answer all your doubts, please feel free to ask further. I would much appreciate knowing your thoughts.
Title: Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
Post by: Sam Graf on November 26, 2010, 06:09:56 pm
I don't have doubts, just to be clear, just confusion. :)

Perhaps part of the problem is just how I'm reading nachico's announcement. You and I are clearly reading it differently :) . But it's not my purpose to debate nachico's intent, only to point out that the community and the staff apparently can see sentences like, "But we believe that more people, not just the employees of one single company, should have the chance to get involved in the project and have the right to assume responsibilities, give their opinion and help taking decisions" very differently. :)

So I just ask that Zentyal staff take that into account as we in the community respond to Zentyal as an open source project and product. I'm not trying to say that the community understanding is the right understanding, only that I think there is some room for us to be legitimately confused about the big picture and the details (so that we can know clearly what our testing experience should look like).

For example, to tell potential customers testing Zentyal that bugs they've run across are not as important to fix as the bugs found by existing customers could be sending the wrong message. People most likely are assuming that what they download to test should work exactly as advertised over the short term. To more or less say that the public download can be expected to have bugs and that fixing them may be low priority not only seems to me contrary to the spirit of nachico's announcement (according to my reading :) ), but also to good salesmanship :) .

All just my humble opinion, of course. :)
Title: Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
Post by: bamalam on November 26, 2010, 11:05:57 pm
Potential Fix to the Problem

I had the same problem as eboxbuggy but with an LDAP master and Samba PDC master configuration - note that the heading on this post says Samba PDC Slave. I was getting Access denied as well but my first mistake was using a regular Linux login with superuser privileges.

The solution starts by using a user created in Zentyal for the username and password in joining the domain. This user must have the following for PDC/File Sharing - Administration rights and I had User Account: Enabled

This didn't work initially and then I gave this user a working shell and not the nologin one that eboxbuggy appears to have as mentioned in a post above. This should normally be done by having the Default Shell: bash. Also the Enable PAM was ticked. Using bash for this account means that it can issue commands so this is very logical. Note that it is possible to modify this for an existing user by altering the loginShell value for the user in the LDAP database using the ldap_modify command from a superuser shell.

Note that the errors in the original post about "endpoint termination" and so on are irrelevant. They were not causing the problem and are still there afterwards even though the shares and other features work. The PC used for testing was wirelessly connected - maybe that had something to do with it.

In any case - there is no need to fiddle with setting up users for each PC connected - that is why it wasn't built into Zentyal! Let's not assume it is buggy - sure documentation could be expanded on (Wiki needed) but I have been very impressed with my evaluation of Zentyal so far. It is full of terrific ideas and well presented.

bamalam
Title: Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
Post by: nachico on November 28, 2010, 10:08:18 pm
Hi Sam,

Quote
I don't have doubts, just to be clear, just confusion. :)

Perhaps part of the problem is just how I'm reading nachico's announcement. You and I are clearly reading it differently :) . But it's not my purpose to debate nachico's intent, only to point out that the community and the staff apparently can see sentences like, "But we believe that more people, not just the employees of one single company, should have the chance to get involved in the project and have the right to assume responsibilities, give their opinion and help taking decisions" very differently. :)

I don't see the announcement I made as confusing: it is our goal to open up much more to the community and to move to a community-based development model. And we have carried out every single promise that was included in that announcement: we have launched the localization team, assigning responsibility over the management of the translation to members of the community who are not employees of our company. We have set a series of rules to manage the different language groups and the whole translation team in a similar manner as it is handled in other communities. And we are planning to continue with the following team and continue opening up.

Maybe the confusion came from the fact that you expected it to be a faster process. So did we. We expected to receive a more general support to the idea, and even some excitement, but as you can see my announcement had zero responses. We got some pretty good volunteers for the translation team but only after leading the whole process and being very proactive, so the natural conclusion we drew was that we have to invest a great effort before we can finally have a community-based development model. So, unfortunately we will open up slower than expected, with the available energy after having invested the time we need to keep improving the project and being economically sustainable.

Quote
So I just ask that Zentyal staff take that into account as we in the community respond to Zentyal as an open source project and product. I'm not trying to say that the community understanding is the right understanding, only that I think there is some room for us to be legitimately confused about the big picture and the details (so that we can know clearly what our testing experience should look like).

I am very open to any question you want to ask anytime you feel confused about our decisions. In fact, I would be delighted to answer such questions in the forum :-)

Quote
For example, to tell potential customers testing Zentyal that bugs they've run across are not as important to fix as the bugs found by existing customers could be sending the wrong message. People most likely are assuming that what they download to test should work exactly as advertised over the short term. To more or less say that the public download can be expected to have bugs and that fixing them may be low priority not only seems to me contrary to the spirit of nachico's announcement (according to my reading :) ), but also to good salesmanship :) .

Well, I don't think that's what Javi meant. We take great care of every bug that is reported and we are eventually going to fix them all. But concerning priorities, when we have to choose between investing our efforts in fixing a bug that helps improve the product and fixing a bug that helps improve the product and the economic sustainability of the project, it is a no-brainer that we should focus first on the latter before solving the former, right? Obviously, we are open to get help in debugging or receiving patches and those are very valid (and welcome) ways to accelerate the fixing of a bug.
Title: Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
Post by: Sam Graf on November 29, 2010, 12:13:39 am
Quote
I don't see the announcement I made as confusing: it is our goal to open up much more to the community and to move to a community-based development model.

As I mentioned earlier, the announcement seems straightforward enough. Where I get confused is in the implementation. The differences between Ubuntu as a project and Zentyal as a project are as instructive as the similarities.

But it's not my place or especially my desire to "argue" this further. Economic sustainability is, of course, a two-way street. Those of us in the SMB market using Zentyal in testing environments (and perhaps desperately trying to prove something one way or another to management) are testing not just a product, but also an idea: the long-term economic viability of Linux-driven solutions in general in our market space, and Zentyal in particular as an instance of that kind of solution.

In the end, we all work within the information and resources and priorities we have. Thanks to all for the excellent responses; I appreciate them much. :)
Title: Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
Post by: pgarcia on November 30, 2010, 10:40:34 am
Quote
Potential Fix to the Problem

I had the same problem as eboxbuggy but with an LDAP master and Samba PDC master configuration - note that the heading on this post says Samba PDC Slave. I was getting Access denied as well but my first mistake was using a regular Linux login with superuser privileges.

The solution starts by using a user created in Zentyal for the username and password in joining the domain. This user must have the following for PDC/File Sharing - Administration rights and I had User Account: Enabled

First, I have the problem with Samba PDC Slave and I can't get it to run.

I added some users with Administration rights and User Account: Enabled

Quote
This didn't work initially and then I gave this user a working shell and not the nologin one that eboxbuggy appears to have as mentioned in a post above. This should normally be done by having the Default Shell: bash. Also the Enable PAM was ticked. Using bash for this account means that it can issue commands so this is very logical. Note that it is possible to modify this for an existing user by altering the loginShell value for the user in the LDAP database using the ldap_modify command from a superuser shell.
bamalam


Also I have tried with some Default Shell: bash, rbash and nologin without result.
Title: Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
Post by: pgarcia on December 01, 2010, 01:37:41 am
I experimented with a stand alone master PDC and a slave PDC with a clean installation; the master PDC has worked but the slave has made the same mistake I've reported previously.

Any idea??

Title: Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
Post by: bamalam on December 01, 2010, 09:59:43 pm
pgarcia

Note that the one thing I forgot to mention above is that I did an update of the Zentyal components so that they are the latest available. There are updates available for an installed 2.0-2 system.

I've gone through the ticket you raised on this problem (now at http://trac.zentyal.org/ticket/2542) but I still don't understand your setup. Do you want to have one server as a PDC master (a windows 2003 box?) and another as a Samba PDC slave (known as a Backup Domain controller - BDC)? Is the BDC combined with the LDAP master or is this another server?

Note that a Samba PDC is only designed to work with a Samba BDC and mixing things with a Windows PDC is likely to be complicated and may not work. See the options here:
     http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html
If you want redundancy the better option might be to have two Zentyal servers one as Samba PDC/LDAP master and the other as Samba BDC/LDAP slave.

Note that the script that adds the client PC (or machine as it is known in LDAP) is called smbldap-useradd according to your smb.conf file but it has no reference that I can see:
     http://manpages.ubuntu.com/manpages/lucid/en/man8/smbldap-useradd.8.html
to a separate host. Presumably if you wanted to set LDAP as a separate server you would have to equip the Samba PDC as an LDAP client with a connection pointing to the ldaps port of the LDAP master.

Note that the only experience I have is with one server that is an LDAP master and Samba PDC master combined.

bamalam
Title: Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
Post by: eboxbuggy on December 02, 2010, 05:50:30 am
Potential Fix to the Problem

I had the same problem as eboxbuggy but with an LDAP master and Samba PDC master configuration - note that the heading on this post says Samba PDC Slave. I was getting Access denied as well but my first mistake was using a regular Linux login with superuser privileges.

Thanks for the info bamalam ... will try this one out with a new install. I upgraded my old installation and it somehow borked everything on my LDAP Master. Will post the bugs in a new thread.  ;D

Title: Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
Post by: eboxbuggy on December 02, 2010, 07:57:58 am
Well it looks like it still doesn't work bamalam ...  ???

Edited the admin users, and created new ones with PAM ENABLED, gave them /bin/bash login shell. Tried /bin/sh too but that didn't work either.

Still getting ACCESS DENIED
Code: [Select]
12/02 14:57:43 NetpDoDomainJoin
12/02 14:57:43 NetpMachineValidToJoin: 'XPTEST'
12/02 14:57:43 NetpGetLsaPrimaryDomain: status: 0x0
12/02 14:57:43 NetpMachineValidToJoin: status: 0x0
12/02 14:57:43 NetpJoinDomain
12/02 14:57:43 Machine: XPTEST
12/02 14:57:43 Domain: DOMAIN
12/02 14:57:43 MachineAccountOU: (NULL)
12/02 14:57:43 Account: DOMAIN\admin1
12/02 14:57:43 Options: 0x27
12/02 14:57:43 OS Version: 5.1
12/02 14:57:43 Build number: 2600
12/02 14:57:43 ServicePack: Service Pack 3
12/02 14:57:43 NetpValidateName: checking to see if 'DOMAIN' is valid as type 3 name
12/02 14:57:43 NetpCheckDomainNameIsValid [ Exists ] for 'DOMAIN' returned 0x0
12/02 14:57:43 NetpValidateName: name 'DOMAIN' is valid for type 3
12/02 14:57:43 NetpDsGetDcName: trying to find DC in domain 'DOMAIN', flags: 0x1020
12/02 14:57:43 NetpDsGetDcName: found DC '\\PDCSERVER' in the specified domain
12/02 14:57:43 NetpJoinDomain: status of connecting to dc '\\PDCSERVER': 0x0
12/02 14:57:43 NetpGetLsaPrimaryDomain: status: 0x0
12/02 14:57:43 NetpGetNt4RefusePasswordChangeStatus: trying to read from '\\PDCSERVER'
12/02 14:57:43 NetpGetNt4RefusePasswordChangeStatus: RefusePasswordChange == 0
12/02 14:57:43 NetpLsaOpenSecret: status: 0xc0000034
12/02 14:57:43 NetpGetLsaPrimaryDomain: status: 0x0
12/02 14:57:43 NetpLsaOpenSecret: status: 0xc0000034
12/02 14:57:43 NetpManageMachineAccountWithSid: NetUserAdd on '\\PDCSERVER' for 'XPTEST$' failed: 0x5
12/02 14:57:43 NetpJoinDomain: status of creating account: 0x5
12/02 14:57:43 NetpJoinDomain: initiaing a rollback due to earlier errors
12/02 14:57:43 NetpLsaOpenSecret: status: 0x0
12/02 14:57:43 NetpJoinDomain: rollback: status of deleting secret: 0x0
12/02 14:57:43 NetpJoinDomain: status of disconnecting from '\\PDCSERVER': 0x0
12/02 14:57:43 NetpDoDomainJoin: status: 0x5
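Reading the netsetup trace above programmatically, as an added example that is not part of the original post: the final NetpDoDomainJoin status is what XP reports as "Access denied", and the first step that returned the same code is where the server refused the request. The sample trace is a constructed excerpt of the lines above, and the code-name tables cover only the two codes that appear in it.

```python
"""Pull the failing step out of a Windows netlogon.log domain-join trace.

Added diagnostic example; it is not code from the thread or from Zentyal.
SAMPLE_TRACE is a constructed excerpt modelled on the netsetup lines
eboxbuggy posted, and the code tables cover only the codes seen there.
"""
import re

# Codes that appear in the posted trace. Values >= 0xC0000000 are NTSTATUS,
# the rest are Win32 error codes (netsetup mixes both in one log).
NTSTATUS_NAMES = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND"}
WIN32_NAMES = {0x5: "ERROR_ACCESS_DENIED"}

# "<mm/dd hh:mm:ss> <function>[: <detail>]"
LINE_RE = re.compile(r"^(\d\d/\d\d \d\d:\d\d:\d\d) ([^:]+?)(?::\s*(.*))?$")
# Trailing "status: 0x..", "status of <step>: 0x.." or "failed: 0x.." values.
STATUS_RE = re.compile(r"(?:status(?: of [^:]+)?|failed): (0x[0-9A-Fa-f]+)\s*$")

SAMPLE_TRACE = r"""12/02 14:57:43 NetpDoDomainJoin
12/02 14:57:43 NetpMachineValidToJoin: 'XPTEST'
12/02 14:57:43 NetpJoinDomain
12/02 14:57:43 Machine: XPTEST
12/02 14:57:43 Domain: DOMAIN
12/02 14:57:43 Account: DOMAIN\admin1
12/02 14:57:43 OS Version: 5.1
12/02 14:57:43 NetpDsGetDcName: found DC '\\PDCSERVER' in the specified domain
12/02 14:57:43 NetpJoinDomain: status of connecting to dc '\\PDCSERVER': 0x0
12/02 14:57:43 NetpLsaOpenSecret: status: 0xc0000034
12/02 14:57:43 NetpManageMachineAccountWithSid: NetUserAdd on '\\PDCSERVER' for 'XPTEST$' failed: 0x5
12/02 14:57:43 NetpJoinDomain: status of creating account: 0x5
12/02 14:57:43 NetpJoinDomain: initiaing a rollback due to earlier errors
12/02 14:57:43 NetpJoinDomain: rollback: status of deleting secret: 0x0
12/02 14:57:43 NetpDoDomainJoin: status: 0x5
"""


def parse_trace(text):
    """Return one dict per log line: time, step (function name), detail, status."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        when, step, detail = m.groups()
        detail = detail or ""
        sm = STATUS_RE.search(detail)
        status = int(sm.group(1), 16) if sm else None
        events.append({"time": when, "step": step, "detail": detail, "status": status})
    return events


def describe_status(code):
    """Map a code to its symbolic name, choosing the NTSTATUS or Win32 table by range."""
    table = NTSTATUS_NAMES if code >= 0xC0000000 else WIN32_NAMES
    return table.get(code, "unknown (0x%x)" % code)


def join_parameters(events):
    """Machine, domain and joining account as logged under NetpJoinDomain."""
    wanted = {"Machine": "machine", "Domain": "domain", "Account": "account"}
    return {wanted[e["step"]]: e["detail"] for e in events if e["step"] in wanted}


def nonzero_statuses(events):
    """Every logged step that reported a non-zero status, in log order."""
    return [e for e in events if e["status"]]


def join_failure(events):
    """Final NetpDoDomainJoin status plus the first step that produced that code.

    The final status is what Windows shows the user (0x5 is "Access denied");
    the originating step is where the server actually refused the request.
    """
    final = next((e for e in reversed(events)
                  if e["step"] == "NetpDoDomainJoin" and e["status"] is not None), None)
    if final is None or final["status"] == 0:
        return None
    origin = next(e for e in events if e["status"] == final["status"])
    return {"status": final["status"], "name": describe_status(final["status"]),
            "step": origin["step"], "detail": origin["detail"]}


if __name__ == "__main__":
    evs = parse_trace(SAMPLE_TRACE)
    print("join parameters:", join_parameters(evs))
    for e in nonzero_statuses(evs):
        print("%s %s -> %s" % (e["time"], e["step"], describe_status(e["status"])))
    print("failure:", join_failure(evs))
```

Run against a real C:\Windows\Debug\netsetup.log the same way; the step reported for 0x5 here (NetUserAdd of the XPTEST$ machine account) is the LDAP write that the joining account was not permitted to make.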
Title: Re: LDAP Master/Samba PDC Slave + WinXP SP3 = Access Denied
Post by: pgarcia on December 02, 2010, 10:20:37 am
pgarcia

Note that the one thing I forgot to mention above is that I did an update of the Zentyal components so that they are the latest available. There are updates available for an installed 2.0-2 system.

I've gone through the ticket you raised on this problem (now at http://trac.zentyal.org/ticket/2542) but I still don't understand your setup. Do you want to have one server as a PDC master (a windows 2003 box?) and another as a Samba PDC slave (known as a Backup Domain controller - BDC)? Is the BDC combined with the LDAP master or is this another server?

Note that a Samba PDC is only designed to work with a Samba BDC and mixing things with a Windows PDC is likely to be complicated and may not work. See the options here:
     http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html
If you want redundancy the better option might be to have two Zentyal servers, one as Samba PDC/LDAP master and the other as Samba BDC/LDAP slave.

Note that the script that adds the client PC (or machine as it is known in LDAP) is called smbldap-useradd according to your smb.conf file but it has no reference that I can see:
     http://manpages.ubuntu.com/manpages/lucid/en/man8/smbldap-useradd.8.html
to a separate host. Presumably if you wanted to set LDAP as a separate server you would have to equip the Samba PDC as an LDAP client with a connection pointing to the ldaps port of the LDAP master.

Note that the only experience I have is with one server that is an LDAP master and Samba PDC master combined.

bamalam

Sorry, I think I mixed some terms.

I have master LDAP (without PDC, not sharing files ) and the second one is Slave LDAP/Samba PDC with sharing files and domain controller.

I use the latest version of File Sharing 2.0.5 and the Users and Groups 2.0.7

Thanks for helping us
Title: Re: LDAP Master + Samba PDC Slave + WinXP SP3 Client = Access Denied
Post by: eboxbuggy on December 02, 2010, 10:33:19 am
got the same error ...

use 1.4 dude lol  :P domain logins work perfectly with our setup
Title: Re: LDAP Master + Samba PDC Slave + WinXP SP3 Client = Access Denied
Post by: pgarcia on December 02, 2010, 11:07:22 am
got the same error ...

use 1.4 dude lol  :P domain logins work perfectly with our setup

I have more features working on 2.0 .. I can't downgrade my system.
Title: Re: LDAP Master + Samba PDC Slave + WinXP SP3 Client = Access Denied
Post by: bamalam on December 02, 2010, 11:34:56 am
eboxbuggy

Sorry it is not working out. Did you update your 2.0 installation? I used aptitude from the command prompt to do the upgrade of package information and then did the update from the Zentyal web interface.

It still sounds like an admin rights issue. Just to confirm if that is the problem could you please show a section of your LDAP output. This is done by using the slapcat -l <ldif out filename> from the command prompt. We need to see the ou=Computer entry and that should indicate that the Domain Admins are the ones with permission so show the Domain Admins entry and then show the entry for the user that you are using to add in the computer. Please post logs from the server as well not just from the PC.

pgarcia
I can't understand why you have the setup the way you outline - it doesn't make sense: if you have two servers available why not make one the Samba/LDAP master and the other the backup for the Samba as well as the LDAP? If you want to configure things this way there are clues in the Samba HOWTO that I referenced in a previous post. If you still want to keep things as they are though there are clues as to how you would set things up in this as well - note the idmap backend and passdb backend entries in the smb.conf file for some of the examples. Always remember that Zentyal makes use of templates so you don't normally edit config files. I'm not near my server at the moment so I can't tell if a Zentyal system is set up the right way for backup servers.

bamalam
Title: Re: LDAP Master + Samba PDC Slave + WinXP SP3 Client = Access Denied
Post by: pgarcia on December 02, 2010, 03:53:40 pm
eboxbuggy

Sorry it is not working out. Did you update your 2.0 installation? I used aptitude from the command prompt to do the upgrade of package information and then did the update from the Zentyal web interface.

It still sounds like an admin rights issue. Just to confirm if that is the problem could you please show a section of your LDAP output. This is done by using the slapcat -l <ldif out filename> from the command prompt. We need to see the ou=Computer entry and that should indicate that the Domain Admins are the ones with permission so show the Domain Admins entry and then show the entry for the user that you are using to add in the computer. Please post logs from the server as well not just from the PC.

Yes, I have updated to the latest version.

Here I have posted all the logs and config: http://trac.zentyal.org/ticket/2542

Code: [Select]
Computers, server02
dn: ou=Computers,dc=server02
ou: Computers
objectClass: organizationalUnit

# Idmap, server02
dn: ou=Idmap,dc=server02
ou: Idmap
objectClass: organizationalUnit

# servidor$, Computers, server02
dn: uid=servidor$,ou=Computers,dc=server02
objectClass: top
objectClass: account
objectClass: posixAccount
cn: servidor$
uid: servidor$
uidNumber: 2114
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer

# casa$, Computers, server02
dn: uid=casa$,ou=Computers,dc=server02
objectClass: top
objectClass: account
objectClass: posixAccount
cn: casa$
uid: casa$
uidNumber: 2115
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
-------------------------------
....
# Domain Admins, Groups, server02
dn: cn=Domain Admins,ou=Groups,dc=server02
cn: Domain Admins
gidNumber: 512
objectClass: posixGroup
objectClass: sambaGroupMapping
objectClass: eboxGroup
memberUid: admin_dominios
memberUid: dominios
displayName: Domain Admins
sambaGroupType: 2
sambaSID: S-1-5-21-3818554400-921237426-3143208535-512

eboxbuggy
pgarcia
I can't understand why you have the setup the way you outline - it doesn't make sense: if you have two servers available why not make one the Samba/LDAP master and the other the backup for the Samba as well as the LDAP? If you want to configure things this way there are clues in the Samba HOWTO that I referenced in a previous post. If you still want to keep things as they are though there are clues as to how you would set things up in this as well - note the idmap backend and passdb backend entries in the smb.conf file for some of the examples. Always remember that Zentyal makes use of templates so you don't normally edit config files. I'm not near my server at the moment so I can't tell if a Zentyal system is set up the right way for backup servers.

bamalam


I have a more complex setup with more slaves in different locations, so I use one as master LDAP and the others as slave/Samba PDC.


thanks



Title: Re: LDAP Master + Samba PDC Slave + WinXP SP3 Client = Access Denied
Post by: bamalam on December 03, 2010, 12:59:08 pm
pgarcia

The advice on configuration of Samba with different arrangements of LDAP is shown at:
    http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html#id2566941
Note what it has to say about joining a PC using an LDAP slave server. You have to use an LDAP master. For this reason you need to add the LDAP master address on the Samba server. So in the smb.conf file, as mentioned in my last post and in the document referenced, you need the references to your LDAP master:
Code: [Select]
passdb backend = ldapsam:"ldaps://master ldaps://slave"
idmap backend = ldap:"ldaps://master ldaps://slave"

Where you replace the master and slave in the above with the IP addresses of your LDAP servers. If the master LDAP server is not a Zentyal one you need to consider whether the ou references like Groups and Users match those that the Zentyal Samba server needs (for example __USERS__ reference).

bamalam
Title: Re: LDAP Master + Samba PDC Slave + WinXP SP3 Client = Access Denied
Post by: eboxbuggy on December 04, 2010, 07:57:35 am
eboxbuggy

Sorry it is not working out. Did you update your 2.0 installation? I used aptitude from the command prompt to do the upgrade of package information and then did the update from the Zentyal web interface.
Yes I did all upgrades both on GUI and CLI

It still sounds like an admin rights issue. Just to confirm if that is the problem could you please show a section of your LDAP output. This is done by using the slapcat -l <ldif out filename> from the command prompt. We need to see the ou=Computer entry and that should indicate that the Domain Admins are the ones with permission so show the Domain Admins entry and then show the entry for the user that you are using to add in the computer. Please post logs from the server as well not just from the PC.
Yes it seems the XP Workstations do not recognize the users as "DOMAIN ADMINS". Aside from this I think one of the reasons why it doesn't work is that LDAP refuses to create the "CLIENT WORKSTATION" (winxp-client$). Manually adding these does not work either: smbldap-useradd -w -i computer-name

COMPUTERS
Quote
# Computers, ldap.server
dn: ou=Computers,dc=ldap,dc=server
ou: Computers
objectClass: organizationalUnit
DOMAIN ADMIN
Quote
# Domain Admins, Groups, ldap.server
dn: cn=Domain Admins,ou=Groups,dc=ldap,dc=server
cn: Domain Admins
gidNumber: 512
objectClass: posixGroup
objectClass: sambaGroupMapping
objectClass: eboxGroup
memberUid: user1
memberUid: user2
displayName: Domain Admins
sambaGroupType: 2
sambaSID: S-1-1-12-1234567890-123456789-1234567890-512
ADMINISTRATOR
Quote
# Administrators, Groups, ldap.server
dn: cn=Administrators,ou=Groups,dc=ldap,dc=server
cn: Administrators
gidNumber: 544
objectClass: posixGroup
objectClass: sambaGroupMapping
objectClass: eboxGroup
memberUid: user1
memberUid: user2
displayName: Administrators
sambaGroupType: 5
sambaSID: S-1-1-12-544
USER1
Quote
# user1, Users, ldap.server
dn: uid=user1,ou=Users,dc=ldap,dc=server
cn: XP Admin
uid: user1
sn: Admin
loginShell: /bin/bash
uidNumber: 2003
gidNumber: 1901
homeDirectory: /home/user1
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: passwordHolder
objectClass: sambaSamAccount
eboxSha1Password: {SHA}/4UYBy6LjMknx5sbDaoVkBTVLmA=
eboxMd5Password: {MD5}c8jbnP1BLrmCG+YIFd7wtA==
eboxLmPassword: DC5926EC70745A46AAD3B435B51404EE
eboxNtPassword: 6AF7AC71414E614500FE2F3E353BC37A
eboxDigestPassword: {MD5}IyoSB7+tJk/gzG2A1R/PqQ==
eboxRealmPassword: {MD5}232a1207bfad264fe0cc6d80d51fcfa9
givenName: XP
sambaProfilePath: \\SERVER\profiles\user1
sambaHomePath: \\SERVER\homes\user1
sambaSID: S-1-1-12-1234567788990-123456789-1234567890-5006
sambaPrimaryGroupSID: S-1-1-12-1234567890-123456789-1234567890-513
sambaPwdMustChange: 2147483647
sambaPwdLastSet: 1291280759
sambaKickoffTime: 2147483647
sambaPasswordHistory: 00000000000000000000000000000000000000000000000000000000
sambaAcctFlags:
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaPwdCanChange: 0
USERS GROUP
Quote
# Domain Users, Groups, ldap.server
dn: cn=Domain Users,ou=Groups,dc=ldap,dc=server
cn: Domain Users
gidNumber: 513
objectClass: posixGroup
objectClass: sambaGroupMapping
objectClass: eboxGroup
memberUid: user1
memberUid: user2
displayName: Domain Users
sambaGroupType: 2
sambaSID: S-1-1-12-1234567890-123456789-1234567890-513
Title: Re: LDAP Master + Samba PDC Slave + WinXP SP3 Client = Access Denied
Post by: eboxbuggy on December 04, 2010, 08:18:18 am
tail -n 20 /var/log/syslog
Code: [Select]
Dec  4 15:14:16 PDCSERVER smbd_audit: user1|192.168.1.x|disconnect|ok|IPC$
Dec  4 15:14:16 PDCSERVER slapd[2623]: connection_read(13): no connection!
Dec  4 15:14:16 PDCSERVER slapd[2623]: connection_read(13): no connection!
Dec  4 15:14:17 PDCSERVER slapd[2623]: <= bdb_equality_candidates: (uid) not indexed
Dec  4 15:14:17 PDCSERVER slapd[2599]: <= bdb_equality_candidates: (uid) not indexed
Dec  4 15:14:17 PDCSERVER slapd[2599]: last message repeated 2 times
Dec  4 15:14:17 PDCSERVER slapd[2623]: <= bdb_equality_candidates: (sambaSID) not indexed
Dec  4 15:14:17 PDCSERVER slapd[2599]: <= bdb_equality_candidates: (uid) not indexed
Dec  4 15:14:17 PDCSERVER slapd[2599]: <= bdb_equality_candidates: (memberUid) not indexed
Dec  4 15:14:17 PDCSERVER slapd[2599]: <= bdb_equality_candidates: (uniqueMember) not indexed
Dec  4 15:14:17 PDCSERVER slapd[2599]: <= bdb_equality_candidates: (uniqueMember) not indexed
Dec  4 15:14:17 PDCSERVER slapd[2623]: <= bdb_equality_candidates: (sambaGroupType) not indexed
Dec  4 15:14:17 PDCSERVER slapd[2623]: <= bdb_equality_candidates: (sambaSIDList) not indexed
Dec  4 15:14:17 PDCSERVER slapd[2623]: last message repeated 5 times
Dec  4 15:14:17 PDCSERVER smbd_audit: user1|192.168.1.x|connect|ok|IPC$
Dec  4 15:14:17 PDCSERVER slapd[2623]: <= bdb_equality_candidates: (uid) not indexed
Dec  4 15:14:17 PDCSERVER slapd[2599]: <= bdb_equality_candidates: (uid) not indexed
Dec  4 15:14:17 PDCSERVER slapd[2599]: <= bdb_equality_candidates: (uid) not indexed
Dec  4 15:14:17 PDCSERVER smbd_audit: user1|192.168.1.x|disconnect|ok|IPC$
Dec  4 15:14:17 PDCSERVER slapd[2623]: connection_read(13): no connection!
tail /var/log/messages
Code: [Select]
Dec  4 15:14:16 PDCSERVER smbd_audit: user1|192.168.1.x|connect|ok|IPC$
Dec  4 15:14:16 PDCSERVER smbd_audit: user11|192.168.1.x|disconnect|ok|IPC$
Dec  4 15:14:17 PDCSERVER smbd_audit: user11|192.168.1.x|connect|ok|IPC$
Dec  4 15:14:17 PDCSERVER  smbd_audit: user1|192.168.1.x|disconnect|ok|IPC$
Title: Re: LDAP Master + Samba PDC Slave + WinXP SP3 Client = Access Denied
Post by: eboxbuggy on December 04, 2010, 08:26:47 am
At least pgarcia you have your computers created in LDAP. servidor$ and casa$ ... any computer name I make does not get added.

I made two of the XP VM computer names "servidor" and "casa" LOL didn't work either ... probably since my computer doesn't understand Spanish LOL ;D

edit: used google translate
Title: Re: LDAP Master + Samba PDC Slave + WinXP SP3 Client = Access Denied
Post by: bamalam on December 07, 2010, 08:13:14 pm
pgarcia
Did you try my suggestions? Note that I would not recommend that you have a $ character in any server name. The $ is used by Samba/Windows itself.

eboxbuggy
Looking at your LDAP output the thing I find strange is the parts of the dn that are currently:
    dc=ldap,dc=server
because these should be more typically (where it is only a local system and not accessible from the internet):
    dc=<server-name>,dc=<site-name>,dc=local
where for example my <server-name> is tim-z1 and <site-name> is cmc

The server-name corresponds with my hostname.

Where this is causing you problems is in the entry in your user for sambaProfilePath and sambaHomePath:
Code: [Select]
sambaProfilePath: \\SERVER\profiles\user1
sambaHomePath: \\SERVER\homes\user1
which should be your server-name so in my case it reads:
Code: [Select]
sambaProfilePath: \\tim-z1\profiles\user1
sambaHomePath: \\tim-z1\homes\user1

Looking through your logs there are errors where PDCSERVER is referred to, so at some stage this is what you had instead of SERVER. Note that in Linux/Unix, case is important and you should use lower case for names. There is a displayName field in LDAP which is usually the upper case name of the computer with a $ at the end which is automatically there when the PC is added successfully to the domain. I suggest if changing the profile paths above doesn't work that you consider a fresh install.

bamalam
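The slapcat checks bamalam asks for above (Domain Admins membership of the joining user, the machine accounts under ou=Computers, and the server name inside sambaProfilePath/sambaHomePath) can be scripted against an LDIF dump. This is an added example, not code from the thread or from Zentyal; the LDIF is a constructed excerpt modelled on the entries posted in this thread, and the base DN, user and server name are parameters rather than assumptions.

```python
"""Audit a slapcat LDIF dump for the join-related entries discussed here.

Added example, not code from the thread or from Zentyal. SAMPLE_LDIF is a
constructed excerpt modelled on the entries eboxbuggy and pgarcia posted;
the UNC host check follows bamalam's advice above.
"""
import base64
import re

SAMPLE_LDIF = r"""# Computers, ldap.server
dn: ou=Computers,dc=ldap,dc=server
ou: Computers
objectClass: organizationalUnit

# casa$, Computers, ldap.server
dn: uid=casa$,ou=Computers,dc=ldap,dc=server
objectClass: posixAccount
uid: casa$
gidNumber: 515

# Domain Admins, Groups, ldap.server
dn: cn=Domain Admins,ou=Groups,dc=ldap,dc=server
cn: Domain Admins
gidNumber: 512
objectClass: posixGroup
objectClass: sambaGroupMapping
memberUid: user1
memberUid: user2

# user1, Users, ldap.server
dn: uid=user1,ou=Users,dc=ldap,dc=server
uid: user1
loginShell: /bin/bash
objectClass: sambaSamAccount
sambaProfilePath: \\SERVER\profiles\user1
sambaHomePath: \\SERVER\homes\user1
sambaAcctFlags:
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?) ?(.*)$")


def parse_ldif(text):
    """Parse slapcat output into a list of {attr: [values]} dicts (dn included)."""
    entries, current = [], {}
    # LDIF folds long values onto continuation lines that start with one space.
    for line in re.sub(r"\n ", "", text).splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":  # base64-encoded value (slapcat uses this for binary data)
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def unc_host(path):
    """Host part of a UNC path (two leading backslashes), or None if it is not one."""
    m = re.match(r"^\\\\([^\\]+)\\", path)
    return m.group(1) if m else None


def audit_join(ldif_text, user, server_name, base_dn):
    """Check the three things the thread keeps coming back to and list findings."""
    base = base_dn.lower()
    by_dn = {e["dn"][0].lower(): e for e in parse_ldif(ldif_text) if "dn" in e}
    findings = []

    admins = by_dn.get("cn=domain admins,ou=groups,%s" % base)
    in_admins = bool(admins and user in admins.get("memberUid", []))
    if not in_admins:
        findings.append("%s is not a memberUid of Domain Admins" % user)

    # Machine accounts live under ou=Computers as uid=<NAME>$; an empty list after
    # a join attempt means the account was never created (the NetUserAdd 0x5 case).
    computers = [e["uid"][0] for dn, e in by_dn.items()
                 if dn.endswith("ou=computers,%s" % base) and "uid" in e]

    path_hosts = {}
    user_entry = by_dn.get("uid=%s,ou=users,%s" % (user.lower(), base))
    if user_entry is None:
        findings.append("no entry for uid=%s under ou=Users" % user)
    else:
        for attr in ("sambaProfilePath", "sambaHomePath"):
            host = unc_host(user_entry.get(attr, [""])[0])
            path_hosts[attr] = host
            if host is None or host.lower() != server_name.lower():
                findings.append("%s host is %r, expected %r" % (attr, host, server_name))
    return {"user_in_domain_admins": in_admins, "computers": computers,
            "path_hosts": path_hosts, "findings": findings}
```

Feed it the file written by slapcat -l and the hostname of the Samba server; with the sample above and the server actually called pdcserver, the only findings are the two paths that still point at SERVER.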
Title: Re: LDAP Master + Samba PDC Slave + WinXP SP3 Client = Access Denied
Post by: pgarcia on December 08, 2010, 03:35:04 pm
At least pgarcia you have your computers created in LDAP. servidor$ and casa$ ... any computer name I make does not get added.

I made two of the XP VM computer names "servidor" and "casa" LOL didn't work either ... probably since my computer doesn't understand Spanish LOL ;D

edit: used google translate

hahaha, nice try!!
Title: Re: LDAP Master + Samba PDC Slave + WinXP SP3 Client = Access Denied
Post by: pgarcia on December 08, 2010, 03:37:51 pm
pgarcia
Did you try my suggestions? Note that I would not recommend that you have a $ character in any server name. The $ is used by Samba/Windows itself.

eboxbuggy
Looking at your LDAP output the thing I find strange is the parts of the dn that are currently:
    dc=ldap,dc=server
because these should be more typically (where it is only a local system and not accessible from the internet):
    dc=<server-name>,dc=<site-name>,dc=local
where for example my <server-name> is tim-z1 and <site-name> is cmc

The server-name corresponds with my hostname.

Where this is causing you problems is in the entry in your user for sambaProfilePath and sambaHomePath:
Code: [Select]
sambaProfilePath: \\SERVER\profiles\user1
sambaHomePath: \\SERVER\homes\user1
which should be your server-name so in my case it reads:
Code: [Select]
sambaProfilePath: \\tim-z1\profiles\user1
sambaHomePath: \\tim-z1\homes\user1

Looking through your logs there are errors where PDCSERVER is referred to, so at some stage this is what you had instead of SERVER. Note that in Linux/Unix, case is important and you should use lower case for names. There is a displayName field in LDAP which is usually the upper case name of the computer with a $ at the end which is automatically there when the PC is added successfully to the domain. I suggest if changing the profile paths above doesn't work that you consider a fresh install.

bamalam


I spent several days off, because Z is stressing me too. In a moment I will try what I have been told.

thanks
Title: Re: LDAP Master + Samba PDC Slave + WinXP SP3 Client = Access Denied
Post by: pgarcia on December 08, 2010, 05:51:40 pm
pgarcia
Did you try my suggestions? Note that I would not recommend that you have a $ character in any server name. The $ is used by Samba/Windows itself.


Hi all,

I've tried but it still gives me the same error

Code: [Select]
==> casa <==
[2010/12/08 17:40:32,  0] lib/util_sock.c:738(write_data)
[2010/12/08 17:40:32,  0] lib/util_sock.c:1491(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
[2010/12/08 17:40:32,  0] smbd/process.c:62(srv_send_smb)
  Error writing 4 bytes to client. -1. (Transport endpoint is not connected)

The character $ is an error of copy/paste from the console, I don't have this character in my server name

Here I have an attached log of "messages", "smbd", "casa" and "192.168.1.131": http://trac.zentyal.org/attachment/ticket/2542/error_pdc.txt
Title: Re: LDAP Master + Samba PDC Slave + WinXP SP3 Client = Access Denied
Post by: bamalam on December 08, 2010, 09:29:56 pm
pgarcia

Sorry I have only come across this now, but have you seen:
   http://trac.zentyal.org/wiki/Document/HowTo/EBoxMasterSlaveSetup
particularly the section referred to as Slave. I can see why eboxbuggy used that term in the title of this topic now. I don't know if it is fully relevant to version 2.0 of Zentyal but looking at my firewall I see that LDAP connections are not allowed through by default. It would need to be enabled, at least for internal networks. The other thing to remember is to have the slave LDAP synchronised to the master after the master is set up - should be checkable using an output (from slapcat) of the LDAP db from each server and comparing them. Another thing to remember is that the use of the ldaps protocol that I suggested may complicate things so perhaps ldap should be used as the connection protocol (although not secure) because, as you can see from my everything-in-one server, it is used internally:
Code: [Select]
adminuser@tim-z1:~$ netstat -ta |grep ldap
tcp        0      0 *:ldap                  *:*                     LISTEN
tcp        0      0 *:ldaps                 *:*                     LISTEN
tcp        0      0 localhost:ldap          localhost:35582         ESTABLISHED
tcp        0      0 localhost:35582         localhost:ldap          ESTABLISHED
tcp        0      0 localhost:ldap          localhost:36043         ESTABLISHED
tcp        0      0 localhost:36043         localhost:ldap          ESTABLISHED
tcp6       0      0 [::]:ldap               [::]:*                  LISTEN
tcp6       0      0 [::]:ldaps              [::]:*                  LISTEN
adminuser@tim-z1:~$
See if you can see the connections between your master and slave LDAP servers using a command similar to the above to prove that the links are there.

It might be helpful if you provide more log information. Look for relevant lines at the tail of the messages log and/or syslog. Also what sort of error is reported in the PC logs at C:\Windows\Debug where the relevant file should be netlogon. See the sort of error output that eboxbuggy provides.

As to the other endpoint errors appearing - here are my logs around the time of my first successful join of a domain on 2010/11/26:
Code: [Select]
[2010/11/18 23:21:18,  0] lib/util_sock.c:738(write_data)
[2010/11/18 23:21:18,  0] lib/util_sock.c:1491(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
[2010/11/18 23:21:18,  0] smbd/process.c:62(srv_send_smb)
  Error writing 4 bytes to client. -1. (Transport endpoint is not connected)
[2010/11/26 19:51:46,  0] lib/util_sock.c:738(write_data)
[2010/11/26 19:51:46,  0] lib/util_sock.c:1491(get_peer_addr_internal)
  getpeername failed. Error was Transport endpoint is not connected
  write_data: write failure in writing to client 0.0.0.0. Error Connection reset by peer
[2010/11/26 19:51:46,  0] smbd/process.c:62(srv_send_smb)
  Error writing 4 bytes to client. -1. (Transport endpoint is not connected)
[2010/11/26 19:51:48,  1] smbd/service.c:1063(make_connection_snum)
  laurence-f1 (192.168.192.224) connect to service profiles initially as user bamalam (uid=0, gid=1901) (pid 4083)
[2010/11/26 19:51:48,  1] smbd/service.c:1063(make_connection_snum)
  laurence-f1 (192.168.192.224) connect to service netlogon initially as user bamalam (uid=2002, gid=1901) (pid 4083)
[2010/11/26 19:51:53,  1] smbd/service.c:1063(make_connection_snum)
  laurence-f1 (192.168.192.224) connect to service bamalam initially as user bamalam (uid=2002, gid=1901) (pid 4083)
[2010/11/26 19:51:59,  1] smbd/service.c:1240(close_cnum)
  laurence-f1 (192.168.192.224) closed connection to service profiles
[2010/11/26 19:51:59,  1] smbd/service.c:1240(close_cnum)
  laurence-f1 (192.168.192.224) closed connection to service netlogon
[2010/11/26 19:51:59,  1] smbd/service.c:1240(close_cnum)
  laurence-f1 (192.168.192.224) closed connection to service bamalam
[2010/11/26 19:52:06,  1] smbd/service.c:1063(make_connection_snum)
  laurence-f1 (192.168.192.224) connect to service bamalam initially as user bamalam (uid=2002, gid=1901) (pid 4083)
[2010/11/26 19:52:06,  1] smbd/service.c:1063(make_connection_snum)
  laurence-f1 (192.168.192.224) connect to service netlogon initially as user bamalam (uid=2002, gid=1901) (pid 4083)
[2010/11/26 19:54:47,  0] printing/print_cups.c:103(cups_connect)
  Unable to connect to CUPS server localhost:631 - Connection refused

You can see that some of the same endpoint errors don't seem to have made a difference to a successful outcome.

Finally as brought to my attention by the problems of eboxbuggy,  the sambaProfilePath and sambaHomePath should be correct and the samba server reachable from the LDAP servers.
Title: Re: LDAP Master + Samba PDC Slave + WinXP SP3 Client = Access Denied
Post by: bamalam on December 08, 2010, 09:59:26 pm
eboxbuggy

Sorry, I seem to have let my understanding of the type of setup that you have slip with references that I made in my last post to you. I'm working from the handicap of working on an all-in-one server. Your edit to the very first post showing the IP addresses helps clarify things.

A lot of what I said in my last post to pgarcia above still applies to you. The most important thing is this link:
   http://trac.zentyal.org/wiki/Document/HowTo/EBoxMasterSlaveSetup
particularly the section referred to as Slave. As I said, I don't know if it is fully relevant to version 2.0 of Zentyal but looking at my firewall I see that LDAP connections are not allowed through by default. So check out the firewall rules and check the links and so on with netstat. Also check that you can resolve the host name for the Samba server referred to in sambaProfilePath and sambaHomePath using at least a ping.

bamalam
Title: Re: LDAP Master + Samba PDC Slave + WinXP SP3 Client = Access Denied
Post by: pgarcia on December 16, 2010, 09:59:13 am
Hi all,

It works! I think with the latest Ubuntu and Zentyal security updates it has been fixed.

My setup is the same as the last post.

Thanks for helping, bamalam and eboxbuggy. I'm sure we will continue helping each other in this forum.