Archive for the ‘pGina’ Category

I have a server running openldap and samba, acting as a Windows domain controller. I had had no problems adding Windows 7 computers and users until today. One user could not log in, and this was the error:

A device attached to the system is not functioning.

Looking in the samba log file, I found this:

[2011/12/13 10:46:26.074452,  1] rpc_server/srv_pipe_hnd.c:1602(serverinfo_to_SamInfo_base)
  _netr_LogonSamLogon: user DOMAIN/user has user sid S-1-5-21-1368477355-3167354948-3261350252-4220
   but group sid S-1-5-21-3639540563-330460068-1655887120-513.
  The conflicting domain portions are not supported for NETLOGON calls

Turns out that I had some users who had the wrong sambaSID and sambaPrimaryGroupSID in their ldap account. After fixing this, the user was able to login without any problems.

Apparently, our WinXP-with-pGina setup doesn’t look at the SID, because these users had no problems logging into the XP computers. It was only when moving to Windows 7 that the error showed.

Started getting this error in our samba logs, and no one could mount a samba drive:

failed to bind to server ldap://server.uchicago.edu with dn="cn=Manager,dc=server,dc=uchicago,dc=edu"
Error: Server is unwilling to perform unauthenticated bind (DN with no password) disallowed

I had just installed all the updates on the server, so I’m assuming this was related. I know that I ran smbpasswd -W to store the LDAP password used for the bind in secrets.tdb. So, I just ran the command again and everything was fine. I guess that one of the updates either changed the format of the file or changed the file itself. Either way, we look to be ok now.

When users log in to our windows domain, a number of disks are automatically mounted. I wanted to change it so that the location of “My Documents” was also changed to their directory on the server. I did it by adding the following lines to my logon.vbs script.

Set Shell = CreateObject("WScript.Shell")
Set objEnv = Shell.Environment("Process")
UserName = objEnv("USERNAME")
' REG_EXPAND_SZ: Windows expands %UserName% itself when the value is read, so the literal string works for every user
Shell.RegWrite "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal", "\\SERVER\data\users\%UserName%", "REG_EXPAND_SZ"

That did it. I probably should also change everything that would usually be in c:\documents and settings\user to \\SERVER\data\users\user. But, since I’m hoping to retire the XP domain soon, I don’t want to spend time on something that will soon change again.

After thinking a long time about our setup, and playing around with Win2003 server, I figured out that I was making things harder on myself than they should be. My goal is to have a single LDAP server that handles all of our user authentication. This LDAP server will be running openldap on a Red Hat Linux machine. I’ve already figured out how to set up LDAP; that info is in other posts.

My current setup uses a win2000 server along with a linux machine to set up all the disks. I was thinking that I should get another win server to replace the one I currently use. But on this new one, I’d put a TB worth of disks. I’d then set up active directory to use the openldap server for authentication. The problem is, I couldn’t find any information on doing this. All the pages I found were for using the active directory machine as the ldap server. I’m not familiar enough with windows to be comfortable with that setup. I don’t know what to back up, what files are important, etc. So, I’d rather have the ldap server on a linux machine where I can easily dump all the info in the database for a backup.

I also was not liking win2003 server at all. Like Vista, it seems to want to control access to many things and make it hard to turn this access control off. After becoming frustrated because I couldn’t surf to a website to download a driver, I decided to not use it, if possible.

I had the solution the entire time, but didn’t realize it. pGINA does exactly this. It lets me set the openldap server in linux and then mount windows disks without any problems. This is exactly what I want it to do. Now, I just have to mount the linux disks as well, but since this will authenticate against the ldap server which is running on the same machine, I don’t anticipate any problems.

The last step, where I do think I’ll have problems, is getting dovecot to work with the ldap server. In the past, I couldn’t get this to work. But I’m hoping now that I’ll be able to get it figured out.

Everything is finally working, but it’s not ideal. I basically got here by following the instructions on this page. I created a new user and here is the info from ldap:

# mkh, people, gray.uchicago.edu
dn: uid=mkh,ou=people,dc=gray,dc=uchicago,dc=edu
uid: mkh
cn: Me Help
givenName: Me
sn: Help
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
loginShell: /bin/tcsh
mail: mkh@frodo.uchicago.edu
uidNumber: 2001
gidNumber: 200
homeDirectory: /users/mkh
sambaSID: S-1-5-5004
userPassword:: e2NyeXB0fSQxJFVaZllIVk1ZJGJmZWo1SHB1RVVidHFrRDVraE9JTC8=
sambaNTPassword: 880AAD1DE8956477793C417928DE4C25
sambaLMPassword: CC348B8E03291947AAD3B435B51404EE
sambaAcctFlags: [U         ]

Working down the list, everything is as it was before messing with samba until I get to the objectClass: sambaSamAccount line. This object class needs to be added for samba to work, and it requires the sambaSID attribute. The sambaSID is built from the domain’s SID (the sambaSID on the sambaDomainName entry, S-1-5 in this setup) followed by a relative ID (RID). Following the smbldap-tools convention, the RID is found by multiplying the uidNumber (2001) by 2 (=4002) and adding 1000 to it (=5002). Note that the entry above shows S-1-5-5004, which does not match that formula for uidNumber 2001; check which of the two is right before copying either.

Even though only sambaSID is required by the schema, samba won’t work without the other fields: sambaNTPassword, sambaLMPassword and sambaAcctFlags. I actually never added sambaAcctFlags; it just showed up after I added something else. It is interesting to note, though, that originally sambaAcctFlags came up with the value [DU ]. The ‘D’ flag means the samba account is disabled. So, even though I had everything set up correctly, it didn’t work because the account was disabled. After I removed the D, everything worked fine.
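The two failures described on this page, a sambaSID or sambaPrimaryGroupSID whose domain portion does not match the domain (the "conflicting domain portions" NETLOGON error at the top of the page) and an account left disabled by a D in sambaAcctFlags, can be caught before a user hits them by auditing an LDIF dump. The script below is an added example written for this page, not code from the original post or from Samba; it reads LDIF, checks that every sambaSamAccount’s SIDs sit inside the domain SID, compares the user RID with the smbldap-tools 2*uidNumber+1000 convention, and flags disabled accounts. The domain SID and the sample entries are constructed for the example (the SIDs and RIDs are lifted from the log and LDIF quoted above; the user names and base DN are hypothetical).

```python
"""Audit sambaSamAccount entries in an LDIF dump (added example, not from the post).

Checks: (1) sambaSID and sambaPrimaryGroupSID must carry the domain's SID as
their prefix, or NETLOGON rejects the logon; (2) the user RID should follow the
smbldap-tools default 2 * uidNumber + 1000; (3) sambaAcctFlags must not contain
'D', which marks the account disabled.
"""
import base64
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]

# Constructed sample. Domain SID and RIDs 4220 / 513 come from the samba log on
# this page; the user names and base DN are hypothetical.
DOMAIN_SID = "S-1-5-21-1368477355-3167354948-3261350252"
SAMPLE_LDIF = """\
# constructed sample, not a real directory dump
dn: uid=alice,ou=people,dc=example,dc=edu
uid: alice
objectClass: sambaSamAccount
uidNumber: 2001
userPassword:: e2NyeXB0fSQxJFVaZllIVk1ZJGJmZWo1SHB1RVVidHFrRDVraE9JTC8=
sambaSID: S-1-5-21-1368477355-3167354948-3261350252-5002
sambaPrimaryGroupSID: S-1-5-21-1368477355-3167354948-3261350252-513
sambaAcctFlags: [U          ]

dn: uid=bob,ou=people,dc=example,dc=edu
uid: bob
objectClass: sambaSamAccount
uidNumber: 1610
sambaSID: S-1-5-21-1368477355-3167354948-3261350252-4220
sambaPrimaryGroupSID: S-1-5-21-3639540563-330460068-1655887120-513
sambaAcctFlags: [U          ]

dn: uid=carol,ou=people,dc=example,dc=edu
uid: carol
objectClass: sambaSamAccount
uidNumber: 2002
sambaSID: S-1-5-21-1368477355-3167354948-3261350252-5004
sambaAcctFlags: [DU         ]
"""


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: 'attr: value', 'attr:: base64', '#' comments,
    folded continuation lines (leading space), blank-line entry separators."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Entry] = []
    cur: Entry = {}
    for line in unfolded + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # '::' marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        cur.setdefault(attr, []).append(value)
    return entries


def split_sid(sid: str) -> Tuple[str, int]:
    """'S-1-5-21-a-b-c-4220' -> ('S-1-5-21-a-b-c', 4220)."""
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def expected_user_rid(uid_number: int) -> int:
    """smbldap-tools default mapping of a POSIX uid to a user RID."""
    return 2 * uid_number + 1000


def audit_entry(entry: Entry, domain_sid: str) -> List[str]:
    problems: List[str] = []
    if "sambaSamAccount" not in entry.get("objectClass", []):
        return problems
    name = entry.get("uid", ["?"])[0]
    sid = entry.get("sambaSID", [None])[0]
    if sid is None:
        return [f"{name}: sambaSamAccount without sambaSID"]
    prefix, rid = split_sid(sid)
    if prefix != domain_sid:
        problems.append(f"{name}: sambaSID {sid} is not in domain {domain_sid}")
    if "uidNumber" in entry:
        want = expected_user_rid(int(entry["uidNumber"][0]))
        if rid != want:
            problems.append(f"{name}: RID {rid} does not follow 2*uidNumber+1000 (= {want})")
    group_sid = entry.get("sambaPrimaryGroupSID", [None])[0]
    if group_sid is not None and split_sid(group_sid)[0] != domain_sid:
        problems.append(f"{name}: sambaPrimaryGroupSID {group_sid} is not in domain {domain_sid}")
    flags = entry.get("sambaAcctFlags", [""])[0]
    if "D" in flags:
        problems.append(f"{name}: account disabled (sambaAcctFlags {flags})")
    return problems


def audit_ldif(text: str, domain_sid: str) -> List[str]:
    problems: List[str] = []
    for entry in parse_ldif(text):
        problems.extend(audit_entry(entry, domain_sid))
    return problems


if __name__ == "__main__":
    for line in audit_ldif(SAMPLE_LDIF, DOMAIN_SID):
        print(line)
```

Run it against a real dump with ldapsearch -x -LLL ... > dump.ldif and audit_ldif(open("dump.ldif").read(), domain_sid), where the domain SID is the sambaSID of the sambaDomainName entry. The RID convention check is advisory (SIDs assigned by hand or by net groupmap need not follow it); the domain-prefix and disabled-flag checks are the ones that correspond to the failures described above.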

sambaNTPassword and sambaLMPassword are created by running the mkntpwd command. The source for this command was found in /usr/share/doc/samba-3.0.10/LDAP/smbldap-tools/mkntpwd. I ran make in this directory to create the executable. I then linked it to /usr/local/bin.

A caveat on the LM hash: it is the legacy LanMan format (the password is upper-cased, truncated to 14 characters and DES-encrypted as two independent 7-character halves), so it is far weaker than the NT hash. The second half of the sambaLMPassword value above, AAD3B435B51404EE, is the constant produced by an empty 7-character block, which tells anyone who can read the entry that this password is seven characters or shorter. Unless old clients still need LanMan authentication, set lanman auth = no in smb.conf and leave sambaLMPassword out of the entries altogether. Either way, read access to sambaNTPassword, sambaLMPassword and userPassword must be restricted in slapd’s access rules, since the NT hash alone is enough to authenticate to Samba.

Now the problem is that LDAP (and so the Linux logins) authenticates against the userPassword field, but samba uses sambaNTPassword. So, if a user changes their password with passwd, it’s not going to change sambaNTPassword, and that will not allow the user to use samba to mount the other disks. This is bad. But I think we can work with this. I just have to turn off password changing everywhere and set up a webpage to do this. (Samba’s ldap passwd sync = yes option covers the other direction, a password change made from Windows, by rewriting userPassword as well; a change made through a tool like smbldap-passwd from smbldap-tools updates all of the fields together.)

Now that pGina and ldap are working together, I need to find a way to mount disks automatically when a user logs in. My current samba setup won’t work because it uses our win2000 domain as the password server. I want it to use our ldap server. So, I need to change our samba setup.

The following are notes I took during my attempt to get this all working:

cd /etc/openldap/schema
cp /usr/share/doc/samba-3.0.10/LDAP/samba.schema .
chown ldap.ldap samba.schema
cd ..
vi slapd.conf   <--- Add line: include /etc/openldap/schema/samba.schema
/etc/rc.d/init.d/smb restart

Since I don't want to screw up my currently running server, I've installed a clean copy of RHEL4 on a new machine, gray. Its IP address is only visible on-campus, so I shouldn't have any problems.

On my new machine, I need to set up ldap and samba. Start with LDAP:

-Install openldap-servers, which does not get installed by default because I'm not using a server version of RHEL.
-Copied the info for slapd.conf and ldap.conf from the regular server and added some dummy data with:
ldapadd -x -D "cn=Manager,dc=gray,dc=uchicago,dc=edu" -W -f initial.ldif
-Edit /etc/pam.d/system-auth
-Edit /etc/nsswitch.conf

I'm sure I have to restart something to get this to work, but I can't remember what. So, I'll just reboot.

After rebooting, I'm unable to log in as root, so I goofed something up. I think it's better to run authconfig than to try to do this manually. So, I'll boot into single-user mode, undo what I did and do that.

During authconfig, it insisted that I copy slapd.pem to /etc/openldap/cacerts. I did this, but then when I would try to log in, I'd get an error that it couldn't find group ID 200 or user ID 205. So, I then deleted slapd.pem and took the line referencing it out of slapd.conf.

The ultimate goal is to have one place to create logins and have them be valid on all machines, Linux, Mac or Windows. LDAP takes care of this for Linux (and Mac, I think). I’ve just installed a program called pGina that allows LDAP to work for Windows as well. In the test in Parallels on my Mac laptop, it worked fine. The only problem was in mounting the samba drives, but I think I’ll be able to work with that.