From: Arvid Requate on
Hello,

on Mon, 07 Dec 2009 01:13:19 -0800 Eric Woltermann posted:
> for some weeks now I am trying to set up Samba4 (alpha9) with an OpenLDAP
2.4.17 backend as an AD PDC for my XP/7 clients. It was working for some time
with Samba's integrated LDAP facility, however I could not figure out how to
use this database e.g. to authenticate my IMAP users against (bind-dn, port
etc.). OpenLDAP was compiled from source using --enable-modules=yes
and --enable-overlays=yes. Provisioning samba using the command line
>
>
setup/provision --ldap-backend-type=openldap --slapd-path="/usr/sbin/slapd" --username=samba-admin --realm=localdomain --domain=Heimnetz --server-role='domain
controller' --adminpass=somepass
>
> ran through, although there were errors about slapd (id2entry.bdb not found,
NT_STATUS_UNEXPECTED_NETWORK_ERROR, slapd unable to start). Afterwards, slapd
and samba start fine, I can join machines to the domain "Heimnetz" (DNS is
also working properly), login using the "administrator" account and have a
look at the AD via dsa.msc. Was is NOT working is the creation of new users.
Doing that in dsa.msc failes with an error message about password policies,
but this is probably not yet implemented, right? Going the
howto-way, "<source-dir>/setup/newuser blah" prompts for a password, displays
messages about skipping the loading of schema, naming context details and
domain details, and then failes with the following error message:
>
> _ldb.LdbError: (32, 'objectclass: Cannot add
CN=blah,CN=Users,DC=localdomain, parent does not exist!')

Alpha10 showed the same problem. Looking into the code you can see that it
accepts options to pass credentials. Providing the 'LDAP Admin User' name and
password from the output of the provision command helps, although the
AssertionError looks a bit discouaging at first sight:

debiantest:~# newuser --username=samba-admin --password=$ldapadminpass demo1
New Password:
Traceback (most recent call last):
File "/usr/local/samba/sbin/newuser", line 69, in <module>
samdb.newuser(username, opts.unixname, password,
force_password_change_at_next_login_req=opts.must_change_at_next_login)
File "/usr/local/samba/lib/python2.5/site-packages/samba/samdb.py", line
133, in newuser
force_password_change_at_next_login_req)
File "/usr/local/samba/lib/python2.5/site-packages/samba/samdb.py", line
172, in setpassword
assert(len(res) == 1)
AssertionError

The user object has been created anyway, but it is still unactive:

debiantest:~# smbclient //localhost/netlogon -Udemo1%S4password
Connection to \\localhost\netlogon failed - NT_STATUS_LOGON_FAILURE

Using windows dsa.msc to create the user, I got a NT_STATUS_ACCOUNT_DISABLED
instead. You can enable the account by running setup/setpassword (or
setup/enableaccount).

Regards,
Arvid

--
Arvid Requate
Open Source Software Engineer

Univention GmbH
Linux for your business
Mary-Somerville-Str.1
28359 Bremen
Tel. : +49 421 22232-0
Fax : +49 421 22232-99

requate(a)univention.de
http://www.univention.de

Geschäftsführer: Peter H. Ganten
HRB 20755 Amtsgericht Bremen
Steuer-Nr.: 71-597-02876
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: Arvid Requate on
Hello,

sorry for the misquoted post. This one might be easier to read.

on Mon, 07 Dec 2009 01:13:19 -0800 Eric Woltermann posted:
> for some weeks now I am trying to set up Samba4 (alpha9) with an OpenLDAP
> 2.4.17 backend as an AD PDC for my XP/7 clients.
> [...]
> Was is NOT working is the creation of new users.
> Doing that in dsa.msc failes with an error message about password policies,
> but this is probably not yet implemented, right? Going the
> howto-way, "<source-dir>/setup/newuser blah" prompts for a password,
> displays messages about skipping the loading of schema, naming context
> details and domain details, and then failes with the following error
> message:
>
> _ldb.LdbError: (32, 'objectclass: Cannot add
> CN=blah,CN=Users,DC=localdomain, parent does not exist!')

Alpha10 showed the same problem. Looking into the code you can see that it
accepts options to pass credentials. Providing the 'LDAP Admin User' name and
password from the output of the provision command helps, although the
AssertionError looks a bit discouaging at first sight:

debiantest:~# newuser --username=samba-admin --password=$ldapadminpass demo1
New Password:
Traceback (most recent call last):
  File "/usr/local/samba/sbin/newuser", line 69, in <module>
    samdb.newuser(username, opts.unixname, password,
force_password_change_at_next_login_req=opts.must_change_at_next_login)
  File "/usr/local/samba/lib/python2.5/site-packages/samba/samdb.py", line
133, in newuser
    force_password_change_at_next_login_req)
  File "/usr/local/samba/lib/python2.5/site-packages/samba/samdb.py", line
172, in setpassword
    assert(len(res) == 1)
AssertionError

The user object has been created anyway, but it is still inactive:

debiantest:~# smbclient //localhost/netlogon -Udemo1%S4password
Connection to \\localhost\netlogon failed - NT_STATUS_LOGON_FAILURE

Using windows dsa.msc to create the user, I got a NT_STATUS_ACCOUNT_DISABLED
instead, trying to access netlogon. You can enable the account by running
setup/setpassword (or setup/enableaccount).

Regards,
Arvid

--
Arvid Requate
Open Source Software Engineer

Univention GmbH
Linux for your business
Mary-Somerville-Str.1
28359 Bremen
Tel. : +49 421 22232-0
Fax : +49 421 22232-99

requate(a)univention.de
http://www.univention.de

Geschäftsführer: Peter H. Ganten
HRB 20755 Amtsgericht Bremen
Steuer-Nr.: 71-597-02876
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba