cbecker001
asked on
Can't add machine trust accounts with Redhat, Samba, LDAP
We have a network where our Windows users authenticate through Samba into LDAP. The PCs run Windows but we don't run Active Directory. I'm the UNIX admin and tasked with solving the following problem:
When things are working correctly, the techs put a PC in place and then go into Windows Control Panel, System and choose Domain, type the correct domain name and machine name and the machine is joined to the domain with a machine trust account. Users can then login to the domain because they get a domain login.
Suddenly, however, whenever the techs put in the correct domain name and machine name and click "join" or whatever they click, they get this message:
"The following error occurred attempting to join the domain "domainname": The user name could not be found."
In our smb.conf file the line that creates the machine trust accounts is the following:
add machine script = /usr/local/maint/useradd-w
The script 'useradd-wrapper.sh' is as follows:
# This simple wrapper around smbldap-useradd invalidates the nscd passwd cache
# after adding a user. Otherwise, Samba can't look up the newly created
# machine account.
/usr/sbin/smbldap-useradd $@
/usr/sbin/nscd -i passwd
When I run '/usr/sbin/smbldap-useradd
usr/sbin/smbldap-useradd -w machinename-1$
The above generates the following error:
Can't call method "get_value" on an undefined value at /usr/sbin/smbldap-useradd line 244.
The paragraph that includes line 244 is as follows:
{
# as grouprid we use the value of the sambaSID attribute for
# group of gidNumber=$userGidNumber
$group_entry = read_group_entry_gid($user
$userGroupSID = $group_entry->get_value('s
unless ($userGroupSID) {
print "Error: SID not set for unix group $userGidNumber\n";
print "check if your unix group is mapped to an NT group\n";
exit(7);
}
We are running Version: 3.0.33, Release: 3.29.el5_5.1 of Samba. Upgrading is on the "to do" list, but this was working and now stopped so we would like to get this fixed before we are forced into upgrading samba when other upgrades need to be accomplished first.
I may have misused some terms or left some obvious things out because I'm not an expert on any of these, but I use them regularly without having to know the internals in any depth yet.
Any help is much appreciated. I am writing this at 5:43pm on Friday and I'm heading home. I can do a lot of work from home, though, so if you feel like answering on the weekend, I can give you some kind of response.
When things are working correctly, the techs put a PC in place and then go into Windows Control Panel, System and choose Domain, type the correct domain name and machine name and the machine is joined to the domain with a machine trust account. Users can then login to the domain because they get a domain login.
Suddenly, however, whenever the techs put in the correct domain name and machine name and click "join" or whatever they click, they get this message:
"The following error occurred attempting to join the domain "domainname": The user name could not be found."
In our smb.conf file the line that creates the machine trust accounts is the following:
add machine script = /usr/local/maint/useradd-w
The script 'useradd-wrapper.sh' is as follows:
# This simple wrapper around smbldap-useradd invalidates the nscd passwd cache
# after adding a user. Otherwise, Samba can't look up the newly created
# machine account.
/usr/sbin/smbldap-useradd $@
/usr/sbin/nscd -i passwd
When I run '/usr/sbin/smbldap-useradd
usr/sbin/smbldap-useradd -w machinename-1$
The above generates the following error:
Can't call method "get_value" on an undefined value at /usr/sbin/smbldap-useradd line 244.
The paragraph that includes line 244 is as follows:
{
# as grouprid we use the value of the sambaSID attribute for
# group of gidNumber=$userGidNumber
$group_entry = read_group_entry_gid($user
$userGroupSID = $group_entry->get_value('s
unless ($userGroupSID) {
print "Error: SID not set for unix group $userGidNumber\n";
print "check if your unix group is mapped to an NT group\n";
exit(7);
}
We are running Version: 3.0.33, Release: 3.29.el5_5.1 of Samba. Upgrading is on the "to do" list, but this was working and now stopped so we would like to get this fixed before we are forced into upgrading samba when other upgrades need to be accomplished first.
I may have misused some terms or left some obvious things out because I'm not an expert on any of these, but I use them regularly without having to know the internals in any depth yet.
Any help is much appreciated. I am writing this at 5:43pm on Friday and I'm heading home. I can do a lot of work from home, though, so if you feel like answering on the weekend, I can give you some kind of response.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
It turns out that the group that the machine accounts belong to was deleted. I'm restoring from backup and then adding that group back in. I believe that will solve the problem.
I'll post my results afterward
I'll post my results afterward
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
My last comment was the complete solution to the problem
ASKER
First, I didn't configure this file. I'm not saying that to avoid blame, but so you will know that there are probably a lot of questions you may ask about it that I won't know the answer to.
Second, nothing has changed in this file from the time the machine trust account creation process was working to the time it stopped working. The techs remember the previous admin would have to do something with some number/numbers in LDAP (they think) to get things working again.
Your comments are very much appreciated and I will start reading your recommendation as soon as this is posted.
==========================
[global]
# set basic name strings
server string = Hasley
workgroup = EDU_Hasley
netbios name = Hasley
# log level and log file. Samba can use syslog as well, but it's just
# easier not to. Plus, we can separate out log information by user
# (%U) and machine (%m) if we use Samba's internal logging. Samba
# auto-rotates logs when they get bigger than 'max log size' Kb, but
# it only retains one old log and one new one.
#log level = 10
log level = 3
log file = /var/log/samba/%U.%m.log
max log size = 102400
# how to add machine trust accounts to LDAP
add machine script = /usr/local/maint/useradd-w
# only bind to the correct (cluster) IP address; otherwise, we'll broadcast
# this nodes IP address and the SAN IP as master browsers in addition to the
# cluster IP.
bind interfaces only = true
interfaces = 10.1.1.11
# for netlogon (which we don't use)
logon path =
logon home =
logon drive =
# some performance tweaks
socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536 SO_KEEPALIVE
# no limit to the number of processes to spawn (which is good, because
# Samba has recently been going crazy and spawning hundreds of processes)
max smbd processes = 0
# basic domain master setup
encrypt passwords = yes
domain logons = yes
domain master = yes
local master = yes
preferred master = yes
security = user
# os level = 33 will make Hasley win any contests to see who is the
# domain master. (There shouldn't be any, but what the hey.)
os level = 33
# where to find the WINS server
wins server = 10.9.1.55
# users in this (LDAP) group will have their smbd processes run as
# root, giving them access to _everything_. They will also be allowed
# to join computers to the domain
admin users = +ntadmin
# LDAP setup -- where to find stuff, etc. At least some earlier
# versions of Samba had a bug that forced machine accounts and user
# accounts to be in the same tree, which is why they're not separated
# out
passdb backend = ldapsam:ldap://ldap.hasley
ldap suffix = o=hasley.edu,o=isp
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap admin dn = cn=directory manager
ldap ssl = start_tls
# not sure what these do, to be honest
idmap uid = 10000-20000
idmap gid = 10000-20000
# put in place per request by Redhat
blocking locks = no
# guest access is only allowed to webdirs from the web server, and that
# is read-only, so this is not dangerous. If guest access were given to
# another volume, though, it could be, so be wary.
guest account = root
# if someone fails to login, give them a shot at getting guest access
map to guest = Bad Password
# make publichtml symlinks work
unix extensions = no
# disable printing
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes
# include extra user configuration. For instance, if you wanted to
# turn up the log level for John User, you could create a file called
# 'juser.inc' (or whatever John's username is) and add a 'log level'
# line to it. This include statement has to be here, at the end of
# the [global] section and before any of the shares, so that it can
# override any global configuration directives, but won't be
# considered part of any particular share.
include = /etc/samba/%U.inc
##########################
# HOME DRIVE #
##########################
[home]
comment = Home directories
# basic config: don't allow guest access, allow write, show this
# volume in a volume listing of this machine
guest ok = no
read only = no
browseable = yes
# create the path from the user's home directory, which is populated
# from LDAP
path = %H
# auto-create home and publichtml folders
root preexec = /usr/local/maint/mkhome '%U'
# the permissions of a given folder should be the same as the
# permissions of its parent. This helps preserve permissions for both
# home and publichtml, which should be different
inherit permissions = yes
# default permissions
directory mask = 0700
force directory mode = 0700
create mask = 0600
force create mode = 0600
# make publichtml symlinks work
follow symlinks = yes
wide links = yes
##########################
# MACADMIN WORKAROUND #
##########################
#
[iseedeadpeople]
comment = MacAdmin
guest ok = no
read only = yes
browseable = no
path = %H
##########################
# MISC DRIVE #
##########################
[misc]
comment = misc drive
path = /misc
# basic config: don't allow guest access, allow write, show this
# volume in a volume listing of this machine
guest ok = no
read only = no
browseable = yes
# for some reason, inherit permissions doesn't work on /misc, although
# it should. Set all permissions according to the defaults. When I
# create a new folder for a department, etc., I can set its
# permissions specially, which will allow me to prevent or allow
# anonymous access as necessary.
inherit permissions = no
directory mask = 2775
force directory mode = 2770
create mask = 0664
force create mode = 0660
# allow some more fancy ACL-based controls on files
nt acl support = yes
map acl inherit = yes
inherit acls = yes
# let anyone who has write access to a file change its permissions.
# this is similar to the way DOS/Windows does things
dos filemode = yes
# anyone who can write to a file can change its timestamp (again, to
# mimic DOS/Windows)
dos filetimes = yes
# configuration for full audit plugin, which will let us see all
# accesses and operations on the Misc drive. Currently disabled due
# to high I/O loads caused by it.
#vfs objects = full_audit
full_audit:success = all
full_audit:failure = none
full_audit:facility = LOCAL6
##########################
# WEBDIRS TO WEB SERVER #
##########################
# this saves us from having to run an NFS server
[webdirs-www]
comment = Webdirs to Web Server
path = /webdirs
guest ok = yes
guest only = yes
read only = yes
browseable = no
hosts allow = 10.1.1.28 10.1.1.29 10.1.1.53 10.1.1.78 10.1.1.89
##########################
# WEBDIRS #
##########################
[webdirs]
comment = webdirs
path = /webdirs/univ
# basic config: don't allow guest access, allow write, show this
# volume in a volume listing of this machine
guest ok = 0
read only = no
browseable = yes
# all permissions should be the same on webdirs; don't allow that to
# be overridden, or you're asking for trouble.
inherit permissions = no
directory mask = 0755
force directory mode = 0755
create mask = 0644
force create mode = 0644
# allow some more fancy ACL-based controls on files
nt acl support = yes
map acl inherit = yes
inherit acls = yes
##########################
# LOAD BALANCER CONFIG BACKUP #
##########################
[lbconfig]
comment = Load balancer config backup
path = /var/barracuda
guest ok = no
read only = no
browseable = no
#hosts allow = lb0,lb1
#valid users = barracuda