Archive for the ‘Samba’ Category

I have a server running openldap and samba, acting like a windows domain controller. I have had no problems with adding windows 7 computers and users until today. One user could not login and this was the error.

A device attached to the system is not functioning.

Looking in the samba log file, I found this:

[2011/12/13 10:46:26.074452,  1] rpc_server/srv_pipe_hnd.c:1602(serverinfo_to_SamInfo_base)
  _netr_LogonSamLogon: user DOMAIN/user has user sid S-1-5-21-1368477355-3167354948-3261350252-4220
   but group sid S-1-5-21-3639540563-330460068-1655887120-513.
  The conflicting domain portions are not supported for NETLOGON calls

Turns out that I had some users who had the wrong sambaSID and sambaPrimaryGroupSID in their ldap account. After fixing this, the user was able to login without any problems.

Apparently, our WinXP with pGina setup doesn’t look at the SID because these users were not having any problems logging into the XP computers. It was only when moving to Windows7 that the error showed.

Started getting this error in our samba logs and no one could mount a samba drive:

failed to bind to server ldap://server.uchicago.edu with dn="cn=Manager,dc=server,dc=uchicago,dc=edu" 
Error: Server is unwilling to perform unauthenticated bind (DN with no password) disallowed

I had just installed all the updates on the server, so I’m assuming this was related. I know that I ran smbpasswd -W to put the ldap password to use to bind in secrets.tdb. So, I just ran the command again and everything was fine. I guess that one of the updates either changed the format of the file or changed the file itself. Either way, we look to be ok now.

I’m having some very strange problems with ldap and samba. Some users work fine in samba and others not at all. First, I found the /etc/pam.d/system-auth problem again, where the uid must be at least 500 for it to work. I changed that to 200 and it still doesn’t work.

I also found that each time you run authconfig-tui, /etc/pam.d/system-auth-ac gets rewritten and my 200 would go back to a 500. (system-auth is just a symlink to system-auth-ac.) I fixed this by creating system-auth-EDG and linking system-auth to that. The link does not change whenever authconfig is run, so the 200/500 uid problem looks to be solved.

But why am I running authconfig-tui so much? Because I am unable to start ldap on the server when “Use LDAP” is checked under the User Information and the Authentication sections. I uncheck them, then restart ldap successfully, then go back and recheck them. If things are checked, the ldap restart command just hangs, until I press Ctrl-C a few times. Then, it gives me errors like:

Session terminated, killing shell.......killed.
/etc/pki/tls/certs/slapd.pem is not readable by "ldap" [WARNING]
Checking configuration files for slapd: config file testing succeeded [OK]
Starting slapd:  [OK]

But it’s not really started. I have to undo the authconfig stuff, restart again (at which time it restarts in about a second) and then redo the authconfig stuff.

I’ve changed the ldap user to have a login shell and have logged in and read the slapd.pem file without a problem, so I don’t really know why it complains that it can’t be read. And since the ldap user is not in the ldap database, but in /etc/passwd, I don’t understand at all why this is a problem.

I kept getting errors in my smbd.log file when I started samba. They looked like this:

[2007/10/19 13:55:38, 0] smbd/server.c:main(847)
  smbd version 3.0.23c-2.el5.2.0.2 started.
  Copyright Andrew Tridgell and the Samba Team 1992-2006
[2007/10/19 13:55:38, 0] services/services_db.c:svcctl_init_keys(420)
  init_services_keys: key lookup failed! (WERR_ACCESS_DENIED)
[2007/10/19 13:55:38, 0] smbd/server.c:main(960)
  ERROR: failed to setup guest info.

I fixed all these errors by adding this line to my /etc/samba/smb.conf file

       winbind nested groups = no

Now after creating a temporary root user in my ldap database, I can run the following:

[root@server samba]# net rpc rights list -U root
Password:
     SeMachineAccountPrivilege  Add machines to domain
      SeTakeOwnershipPrivilege  Take ownership of files or other objects
             SeBackupPrivilege  Back up files and directories
            SeRestorePrivilege  Restore files and directories
     SeRemoteShutdownPrivilege  Force shutdown from a remote system
      SePrintOperatorPrivilege  Manage printers
           SeAddUsersPrivilege  Add users and groups to the domain
       SeDiskOperatorPrivilege  Manage disk shares

Everything is finally working, but it’s not ideal. I basically got here by following the instructions on this page. I created a new user and here is the info from ldap:

# mkh, people, gray.uchicago.edu
dn: uid=mkh,ou=people,dc=gray,dc=uchicago,dc=edu
uid: mkh
cn: Me Help
givenName: Me
sn: Help
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
loginShell: /bin/tcsh
mail: mkh@frodo.uchicago.edu
uidNumber: 2001
gidNumber: 200
homeDirectory: /users/mkh
sambaSID: S-1-5-5004
userPassword:: e2NyeXB0fSQxJFVaZllIVk1ZJGJmZWo1SHB1RVVidHFrRDVraE9JTC8=
sambaNTPassword: 880AAD1DE8956477793C417928DE4C25
sambaLMPassword: CC348B8E03291947AAD3B435B51404EE
sambaAcctFlags: [U         ]

Working down the list, everything is as it was before messing with samba until I get to the objectClass: sambaSamAccount line. This object needed to be added for samba to work. This object also requires the sambaSID field. The sambaSID is found by using the same three fields (S-1-5) as the SambaDomainName. The fourth field is found by multiplying the uidNumber (2001) by 2 (=4002) and adding 1000 to it (=5002).

Even though only sambaSID is required, samba won’t work without the other fields: sambaNTPassword, sambaLMPassword and sambaAcctFlags. I actually never added sambaAcctFlags; it just showed up after I added something else. It is interesting to note, though, that originally sambaAcctFlags came up with this value [DU ]. The first ‘D’ meant to disable the samba account. So, even though I had everything set up correctly, it didn’t work because the account was disabled. After I changed it and got rid of the D, everything worked fine.

sambaNTPassword and sambaLMPassword are created by running the mkntpwd command. The source for this command was found in /usr/share/doc/samba-3.0.10/LDAP/smbldap-tools/mkntpwd. I ran make in this directory to create the executable. I then linked it to /usr/local/bin.

Now the problem is that LDAP uses the userPassword field to connect, but samba uses the sambaNTPassword. So, if a user changes their password, it’s not going to change the sambaNTPassword and that will not allow the user to use samba to mount the other disks. This is bad. But I think we can work with this. I just have to turn off password changing everywhere and set up a webpage to do this.

Each user needs to have the SambaSamAccount objectClass added and the sambaSID. Here is the ldif file I used to do this:

[root@gray openldap]# more addsamba.ldif 
dn: uid=mheintz,ou=people,dc=gray,dc=uchicago,dc=edu
changetype: modify
add: objectClass
objectClass: sambaSAMAccount
-
add: sambaSID
sambaSID: S-1-5-5000

Note that the sambaSID is the same first three fields (S-1-5) as the sambaDomainName sambaSID. The last field is found by multiplying the uid by 2 and adding 1000.
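The two SID problems on this page, the user/group SIDs whose domain portions did not match (the NETLOGON error in the first post) and a sambaSID whose last field does not follow the uid*2+1000 rule, can be caught before a user tries to log on by auditing the LDAP entries. The following is an added example, not code from the original post: it parses a small constructed LDIF dump (the domain SID and user entries are assumed sample values) and reports any sambaSID or sambaPrimaryGroupSID that is outside the domain or has the wrong RID.

```python
# Constructed sample (not from the post): an assumed domain SID and two users,
# one consistent and one whose primary group SID belongs to a different domain,
# which is what produces the NETLOGON "conflicting domain portions" error.
DOMAIN_SID = "S-1-5-21-1368477355-3167354948-3261350252"
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
uidNumber: 2001
sambaSID: S-1-5-21-1368477355-3167354948-3261350252-5002
sambaPrimaryGroupSID: S-1-5-21-1368477355-3167354948-3261350252-1400

dn: uid=bob,ou=people,dc=example,dc=org
uidNumber: 2005
sambaSID: S-1-5-21-1368477355-3167354948-3261350252-5010
sambaPrimaryGroupSID: S-1-5-21-3639540563-330460068-1655887120-513
"""

def parse_ldif(text):
    """Parse a plain (unwrapped, non-base64) LDIF dump into a list of dicts."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        key, _, val = line.partition(": ")
        cur.setdefault(key, []).append(val)
    if cur:
        entries.append(cur)
    return entries

def expected_rid(uid_number):
    """The post's algorithmic RID: uidNumber * 2 + 1000."""
    return uid_number * 2 + 1000

def check_entry(entry, domain_sid):
    """Return the entry's SID problems (an empty list means it should log on)."""
    problems = []
    for attr in ("sambaSID", "sambaPrimaryGroupSID"):
        sid = entry.get(attr, [""])[0]
        domain, _, rid = sid.rpartition("-")
        if domain != domain_sid:
            problems.append(f"{attr} {sid!r} is not in domain {domain_sid}")
        elif attr == "sambaSID" and int(rid) != expected_rid(int(entry["uidNumber"][0])):
            problems.append(f"sambaSID rid {rid} != uid*2+1000")
    return problems

def audit(text=SAMPLE_LDIF, domain_sid=DOMAIN_SID):
    """Map each dn to its list of problems; run this over an ldapsearch -LLL dump."""
    return {e["dn"][0]: check_entry(e, domain_sid) for e in parse_ldif(text)}
```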

Things are still not working, but I have learned this. In smb.conf, the line:

ldap admin dn = cn=Manager,dc=gray,dc=uchicago,dc=edu

will work, as long as the password set in secrets.tdb (done with smbpasswd -p password) is the same as the encrypted one in slapd.conf.

My latest idea is to set samba up as my primary domain controller and then use LDAP for authentication. I’m not sure if this is a good idea or not, but I decided that I wanted to try it.

First things, according to some websites I’ve read, I need to install smbldap-tools. I couldn’t find an rpm for this, but then found that they were included with the samba rpm. Location: /usr/share/doc/samba-3.0.10/LDAP/smbldap-tools. Then, to install them, I need to do the following:

copy the perl scripts to /usr/local/sbin
smbpasswd -w secret to set up ldap admin password in secrets.tdb. (I did this and didn’t use secret)

I need to do something else, but I’m not exactly sure what it is. I’ll add on when I figure it out.

Ok, this is just wrong. I don’t need a primary domain controller. All I want to be able to do is have the windows logons use the linux ldap server for access. And, have the linux samba server use the same ldap server for authentication. A PDC brings up profiles and all that other crap I don’t want to deal with. So, I’m going back to just trying to figure out how to get samba to use the ldap server for authentication.

Now that pGina and ldap are working together, I need to find a way to mount disks automatically when a user logs in. My current samba setup won’t work because it uses our win2000 domain as the password server. I want it to use our ldap server. So, I need to change our samba setup.

The following are notes I took during my attempt to get this all working:

cd /etc/openldap/schema
cp /usr/share/doc/samba-3.0.10/LDAP/samba.schema .
chown ldap.ldap samba.schema
cd ..
vi slapd.conf <--- Add line: include /etc/openldap/schema/samba.schema
/etc/rc.d/init.d/smb restart

Since I don't want to screw up my currently running server, I've installed a clean copy of RHEL4 on a new machine, gray. Its ip address is only visible on-campus, so I shouldn't have any problems. On my new machine, I need to set up ldap and samba. Start with LDAP:

-Install openldap-servers, which does not get installed by default because I'm not using a server version of RHEL.
-Copied the info for slapd.conf and ldap.conf from the regular server and added some dummy data with: ldapadd -x -D "cn=Manager,dc=gray,dc=uchicago,dc=edu" -W -f initial.ldif
-Edit /etc/pam.d/system-auth
-Edit /etc/nsswitch.conf

I'm sure I have to restart something to get this to work, but I can't remember what. So, I'll just reboot. After rebooting, I'm unable to login as root, so I goofed something up. I think it's better to run authconfig than to try to do this manually. So, I'll boot into single-user mode, undo what I did and do that. During authconfig, it insisted that I copy slapd.pem to /etc/openldap/cacerts. I did this, but then when I would try to log in, I'd get an error that it couldn't find group ID 200 or user ID 205. So, I then deleted slapd.pem and took the line referencing it out of slapd.conf.

On the samba server, first run:

net rpc join -S _HOSTNAME_IN_CAPS_ -U Administrator
Note that after the S is not the domain name, it’s the hostname without the domain.

After entering the password, I can then start samba.

Here is our smb.conf file:

# Global parameters
[global]
workgroup = DOMAINNAME
security = domain
encrypt passwords = Yes
password server = FQDN of domain computer
dns proxy = No
create mask = 0664
directory mask = 0775
hosts allow = 192.168.100. 127.

[users]
comment = Users’ Directories
path = /net/users/%u
read only = No

[designs]
comment = Designs Directory
path = /net/designs
read only = No

[topusers]
comment = Users’ Directories
path = /net/users
read only = No

Then edit the windows logon script to automatically mount these drives.