Ticket #208 (reopened enhancement)

Opened 9 months ago

Last modified 8 months ago

smbpasswd, objectclass, smbldap_tools.pm, smbldap-useradd,smbldap-usermod

Reported by: sasha@tactel.com.ua Assigned to: anonymous
Priority: high Milestone: 2.4.0
Component: python-mmc-samba Version: 2.3.0
Severity: defect Keywords: Problem with adding a computer
Cc:

Description

So the problem is in the way a computer is added to MMC and/or a PC is added to the Domain. MMC uses the "standard" scheme in plugins/samba/init.py

...
        user_info = {
            'objectclass':('account', 'posixAccount', 'top'),
...

and then expects that when the PC joins the Domain, "smbpasswd -a -m " will modify the objectclass and other attributes to meet SAMBA requirements. But smbpasswd doesn't do this! Because the computer account MUST already have objectclass sambaSamAccount for it to be able to find the entry to change. So it looks like a closed circle. I did the next steps to resolve it: 1. Fix in /usr/sbin/smbldap_tools.pm the function sub add_posix_machine

sub add_posix_machine
{
    my ($user,$uid,$gid,$wait) = @_;
    if (!defined $wait) {
        $wait=0;
    }
    # add the computer entry below the computers container
    my $add = $ldap->add ( "uid=$user,$config{computersdn}",
                           attr => [
                                    'objectclass' => ['top', 'person', 'organizationalPerson', 'inetOrgPerson', 'posixAccount'],
                                    #'objectclass' => ['top', 'account', 'posixAccount'],
                                    'cn'   => "$user",
                                    'sn'   => "$user",
                                    'uid'   => "$user",
                                    'uidNumber'   => "$uid",
                                    'gidNumber'   => "$gid",
                                    'homeDirectory'   => '/dev/null',
                                    'loginShell'   => '/bin/false',
                                    'description'   => 'Computer',
                                    'gecos'   => 'Computer',
                                    ]
                           );

    $add->code && warn "failed to add entry: ", $add->error ;
    sleep($wait);
    return 1;
}

2. Then I moved the function sub add_samba_machine up to just below sub add_posix_machine, and moved sub add_samba_machine_smbpasswd, which was there before, after it (so now the functions go add_posix_machine first, then add_samba_machine and then add_samba_machine_smbpasswd; the other code I left untouched).

Change History

04/18/08 19:37:56 changed by sasha@tactel.com.ua

3. After this modification I was able to add a PC from the terminal with /usr/sbin/smbldap-useradd -awi test3$, and smbpasswd -s test3$ successfully modified it (playing with smbpasswd is just a check). Also

add machine script = usr/sbin/smbldap-useradd -awi %u 

works too. 4. It's time to fix mmc/plugins/samba/init.py. Was:

...
        # creating machine skel
        user_info = {
            'objectclass':('account', 'posixAccount', 'top'),
            'uid':uid,
            'cn':uid,
            'uidNumber':str(uidNumber),
            'gidNumber': str(gidNumber),
            'gecos':str(comment_UTF8),
            'homeDirectory':'/dev/null',
            'loginShell':'/bin/false'
            }

        ident = 'uid=' + uid + ',' + self.baseComputersDN
        attributes=[ (k,v) for k,v in user_info.items() ]
        self.l.add_s(ident,attributes)

        if not addMachineScript:
            cmd = 'smbpasswd -a -m ' + uid
            shProcess = generateBackgroundProcess(cmd)
            ret = shProcess.getExitCode()
...

Now:

...
        # creating machine skel
        user_info = {
            'objectclass':('person', 'posixAccount', 'top'),
            'uid':uid,
            'cn':uid,
            'sn':str(comment_UTF8),
            'uidNumber':str(uidNumber),
            'gidNumber': str(gidNumber),
            'gecos':str(comment_UTF8),
            'homeDirectory':'/dev/null',
            'loginShell':'/bin/false'
            }

        ident = 'uid=' + uid + ',' + self.baseComputersDN
        attributes=[ (k,v) for k,v in user_info.items() ]
        self.l.add_s(ident,attributes)

        if not addMachineScript:
#            cmd = 'smbpasswd -a -m ' + uid
#            cmd = '/usr/sbin/smbldap-useradd -w ' + uid
            cmd = '/usr/sbin/smbldap-usermod -aH "[W          ]" ' + uid
            shProcess = generateBackgroundProcess(cmd)
            ret = shProcess.getExitCode()
...

With these modifications I can add a Computer account via MMC-Web.

04/18/08 19:39:12 changed by sasha@tactel.com.ua

  • owner changed from cdelfosse to anonymous.
  • status changed from new to assigned.

5. Just to make the (MMC) /usr/local/lib/mmc/add_machine_script work "out of the box" I made a change to it. Was:

mmc.plugins.samba.addMachine(machine, "", True)

Now:

mmc.plugins.samba.addMachine(machine, "", False)

Now the first time I tried to join the Domain from my laptop it failed (because MMC created only the skel for me), and on the second try I joined the Domain. If I add the Computer via MMC-Web I can join on the first try.

That's all. It works as expected now. This is all because, IMHO, of the different Linux distributions: each company made their own changes to the configs and scripts. So for MMC to be independent of this, we should implement a full sambaSamAccount skel in mmc/plugins/samba/init.py, and add a workaround to that part of samba that allows joining the domain on any Linux distribution.

04/18/08 19:42:41 changed by sasha@tactel.com.ua

I did everything using the instructions from mds.mandriva.org/content/MMC/install/en/mmc-generic-installation.html and www.howtoforge.com/mandriva-directory-server-on-debian-etch (Howto_for_Debian), so the LDAP, NSS and samba configs are correct. Also I used lam.sourceforge.net (LAM) to check the LDAP attributes and other things.

Server system is CentOS 5.1 i386 with samba-3.0.25b-1.el5_1.4, openldap-2.3.27-8.el5_1.3, smbldap-tools-0.9.4-1.el5.rf and nss_ldap-253-5.el5.

Thank you for doing great software!

04/18/08 19:46:43 changed by sasha@tactel.com.ua

PS. I still have this in the logs:

get_md4pw: Workstation SASHA$: no account in domain

_net_auth2: failed to get machine password for account SASHA$: NT_STATUS_ACCESS_DENIED

pdb_get_group_sid: Failed to find Unix account for sasha$

get_md4pw: Workstation SASHA$: WORKSTATION secure channel requested but not a workstation trust account

_net_auth2: failed to get machine password for account SASHA$: NT_STATUS_NO_TRUST_SAM_ACCOUNT

pdb_get_group_sid: Failed to find Unix account for sasha$

_net_auth2: creds_server_check failed. Rejecting auth request from client SASHA machine account SASHA$

The most frequent one is:

pdb_get_group_sid: Failed to find Unix account for sasha$

PPS. Actually Trac doesn't like my big post, and every time I tried to add it I got an error. This try with small posts works :)

04/21/08 11:43:39 changed by cdelfosse

Hello,

Is the machine you tried to add to the SAMBA domain a Windows workstation? A Linux workstation?

How do you add it to the domain: with the MMC web interface? With the Windows wizard?

Regards,

04/21/08 12:09:05 changed by anonymous

Both. I tried Linux and Windows workstations (Windows workstations started to work after adding Linux ones worked from the console tools, MMC and 'net join'). It doesn't matter at this stage what type of OS is connecting, because requests from any source (console commands, MMC console, 'net join' or adding to the domain from Windows) must be correctly interpreted by samba/ldap. After all that I did (and described here), everything works and computers are added.

So first of all I got the console tools working, then a Linux PC with "net join DOMAIN", then made sure that the MMC console works, and after that tried a Windows Workstation.

04/22/08 09:07:07 changed by cdelfosse

  • milestone changed from 2.3.1 to 2.4.0.

04/23/08 18:14:13 changed by sasha@tactel.com.ua

  • keywords changed from smbpasswd, objectclass, smbldap_tools.pm, smbldap-useradd,smbldap-usermod to pdb_get_group_sid, Primary Group SID.
  • summary changed from Problem with adding a computer to Fix problem with "pdb_get_group_sid" errors.

The problem with the Primary Group SID

pdb_get_group_sid: Failed to find Unix account for comp$

is finally fixed.

I read http://www.iallanis.info/smbldap-tools/docs/samba-ldap-howto/ carefully (after that they released a new version of smbldap-tools) and added an additional line to ldap.conf:

nss_base_passwd         ou=Computers,dc=domain

So now the nss-related stuff looks like:

nss_base_passwd         ou=Users,dc=domain
nss_base_passwd         ou=Computers,dc=domain
nss_base_shadow         ou=Users,dc=domain
nss_base_group          ou=Groups,dc=domain

And the output of pdbedit looks like this:

[root@server1 etc]# pdbedit -Lw comp$ -v
Unix username:        comp$
NT username:          comp$
Account Flags:        [W          ]
User SID:             S-1-5-21-3882935298-3125378829-2517500288-3030
Primary Group SID:    S-1-5-21-3882935298-3125378829-2517500288-515
Full Name:            comp$
Home Directory:       \\sever1\comp_
HomeDir Drive:        H:
Logon Script:         
Profile Path:         
Domain:               TACTEL
Account desc:         Computer
Workstations:         
Munged dial:          
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Wed, 23 Apr 2008 18:55:02 EEST
Password can change:  Wed, 23 Apr 2008 18:55:02 EEST
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
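
An added check (not code from this ticket or from MMC) that encodes the two conditions this thread converges on: the computer entry must carry sambaSamAccount with the W flag and a Domain Computers primary group, and ldap.conf needs an nss_base_passwd line for the computers container, otherwise Samba logs "pdb_get_group_sid: Failed to find Unix account". The entries, SIDs and ldap.conf text below are constructed samples.

```python
# Added example, not part of the ticket or of MMC's plugins/samba/init.py.
# Lints a computer account the way Samba needs it before a domain join.

REQUIRED_CLASSES = {"posixAccount", "sambaSamAccount"}
DOMAIN_COMPUTERS_RID = 515  # well-known RID of the "Domain Computers" group


def _attr(entry, name):
    """Case-insensitive lookup of an LDAP attribute; returns a list of values."""
    for key, values in entry.items():
        if key.lower() == name.lower():
            return list(values)
    return []


def check_machine_entry(entry):
    """Return the problems that stop Samba from using `entry` as a
    workstation trust account (an empty list means the entry looks fine)."""
    problems = []
    uid = (_attr(entry, "uid") or [""])[0]
    if not uid.endswith("$"):
        problems.append("uid %r does not end with '$'" % uid)
    classes = set(_attr(entry, "objectClass"))
    missing = REQUIRED_CLASSES - classes
    if missing:
        # Without sambaSamAccount, smbpasswd/pdbedit cannot find the entry.
        problems.append("missing objectClass: " + ", ".join(sorted(missing)))
    if "person" in classes and not _attr(entry, "sn"):
        problems.append("objectClass person requires attribute sn")
    flags = (_attr(entry, "sambaAcctFlags") or [""])[0]
    if "W" not in flags:
        problems.append("sambaAcctFlags %r has no W flag" % flags)
    pgsid = (_attr(entry, "sambaPrimaryGroupSID") or [""])[0]
    if not pgsid.endswith("-%d" % DOMAIN_COMPUTERS_RID):
        problems.append("sambaPrimaryGroupSID %r is not Domain Computers" % pgsid)
    return problems


def _norm_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))


def nss_covers_dn(ldap_conf_text, dn):
    """True if an nss_base_passwd line in ldap.conf names the container of
    `dn`; NSS can only resolve comp$ to a Unix account if it does."""
    container = _norm_dn(dn.split(",", 1)[1])
    for line in ldap_conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0] == "nss_base_passwd":
            # nss_ldap syntax is base?scope?filter; only the base matters here
            if _norm_dn(parts[1].split("?")[0]) == container:
                return True
    return False


# Constructed samples: the skel MMC 2.3.0 wrote versus a fixed-up account.
SKEL_ENTRY = {"objectClass": ["account", "posixAccount", "top"], "uid": ["comp$"],
              "cn": ["comp$"], "uidNumber": ["1100"], "gidNumber": ["515"]}
FIXED_ENTRY = {"objectClass": ["top", "person", "posixAccount", "sambaSamAccount"],
               "uid": ["comp$"], "cn": ["comp$"], "sn": ["comp$"],
               "sambaAcctFlags": ["[W          ]"],
               "sambaSID": ["S-1-5-21-1-2-3-3030"],
               "sambaPrimaryGroupSID": ["S-1-5-21-1-2-3-515"]}
LDAP_CONF_BEFORE = "nss_base_passwd ou=Users,dc=domain\nnss_base_shadow ou=Users,dc=domain\n"
LDAP_CONF_AFTER = LDAP_CONF_BEFORE + "nss_base_passwd ou=Computers,dc=domain\n"

if __name__ == "__main__":
    print(check_machine_entry(SKEL_ENTRY))   # three problems
    print(check_machine_entry(FIXED_ENTRY))  # []
    print(nss_covers_dn(LDAP_CONF_BEFORE, "uid=comp$,ou=Computers,dc=domain"))  # False
```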

04/24/08 09:25:15 changed by cdelfosse

  • status changed from assigned to closed.
  • resolution set to fixed.

Hello,

I'm happy that you fixed your problems :)

And yes, nss_base_passwd must be set to the LDAP containers that contain the user and computer accounts, else SAMBA won't work. Your ticket #207 is also related to this problem. I will add more information about the NSS/LDAP configuration in the MDS setup doc.

05/12/08 13:24:29 changed by sasha@tactel.com.ua

  • keywords changed from pdb_get_group_sid, Primary Group SID to Problem with adding a computer.
  • status changed from closed to reopened.
  • resolution deleted.
  • summary changed from Fix problem with "pdb_get_group_sid" errors to smbpasswd, objectclass, smbldap_tools.pm, smbldap-useradd,smbldap-usermod.

I reviewed the 2.3.1 release and found the same errors as before, so the workaround/fix for adding correct entries for a computer is still needed.
