
Can't add machine trust accounts with Redhat, Samba, LDAP

Posted on 2011-02-18
Last Modified: 2012-05-11
We have a network where our Windows users authenticate through Samba into LDAP.  The PCs run Windows but we don't run Active Directory.  I'm the UNIX admin and tasked with solving the following problem:  

When things are working correctly, the techs put a PC in place and then go into Windows Control Panel, System and choose Domain, type the correct domain name and machine name and the machine is joined to the domain with a machine trust account.  Users can then log in to the domain because they get a domain login.

Suddenly, however, whenever the techs put in the correct domain name and machine name and click "join" or whatever they click, they get this message:  

"The following error occurred attempting to join the domain "domainname":  The user name could not be found."

In our smb.conf file the line that creates the machine trust accounts is the following:

     add machine script = /usr/local/maint/useradd-wrapper.sh -w '%m'

The script 'useradd-wrapper.sh' is as follows:

#!/bin/sh
# This simple wrapper around smbldap-useradd invalidates the nscd passwd cache
# after adding a user.  Otherwise, Samba can't look up the newly created
# machine account.
# "$@" passes the arguments through quoted, so the trailing '$' of the
# machine name survives intact.
     /usr/sbin/smbldap-useradd "$@"
     /usr/sbin/nscd -i passwd

When I run '/usr/sbin/smbldap-useradd' by itself I run it like the following (because it is the same as how the smb.conf file would call it):
     /usr/sbin/smbldap-useradd  -w  machinename-1$

The above generates the following error:

    Can't call method "get_value" on an undefined value at /usr/sbin/smbldap-useradd line 244.

The paragraph that includes line 244 is as follows:

{
    # as grouprid we use the value of the sambaSID attribute for
    # group of gidNumber=$userGidNumber
    $group_entry = read_group_entry_gid($userGidNumber);
    $userGroupSID = $group_entry->get_value('sambaSID');        #Line 244
    unless ($userGroupSID) {
        print "Error: SID not set for unix group $userGidNumber\n";
        print "check if your unix group is mapped to an NT group\n";
        exit(7);
    }
}

We are running Version: 3.0.33, Release: 3.29.el5_5.1 of Samba.  Upgrading is on the "to do" list, but this was working and now stopped so we would like to get this fixed before we are forced into upgrading samba when other upgrades need to be accomplished first.

I may have misused some terms or left some obvious things out because I'm not an expert on any of these, but I use them regularly without having to know the internals in any depth yet.

Any help is much appreciated.  I am writing this at 5:43pm on Friday and I'm heading home.  I can do a lot of work from home, though, so if you feel like answering on the weekend, I can give you some kind of response.
Question by:cbecker001

Assisted Solution

by:Nopius
ID: 34934091
Please post your smb.conf. I should check whether your Samba is also a PDC (Windows NT-style). Only then may you add machines and join the domain.

LDAP user authentication is not enough. The Samba server should act as an NT4-style PDC (it can't be an AD controller).
Start reading from here: http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-pdc.html

Regards,
Arty

Author Comment

by:cbecker001
ID: 34935304
Thanks, Arty.  I'm going to post the smb.conf below but I need to mention a couple things:

First, I didn't configure this file.  I'm not saying that to avoid blame, but so you will know that there are probably a lot of questions you may ask about it that I won't know the answer to.

Second, nothing has changed in this file from the time the machine trust account creation process was working to the time it stopped working.  The techs remember the previous admin would have to do something with some number/numbers in LDAP (they think) to get things working again.

Your comments are very much appreciated and I will start reading your recommendation as soon as this is posted.

===============================  [smb.conf]  ==================================
[global]

# set basic name strings
server string = Hasley
workgroup = EDU_Hasley
netbios name = Hasley

# log level and log file.  Samba can use syslog as well, but it's just
# easier not to.  Plus, we can separate out log information by user
# (%U) and machine (%m) if we use Samba's internal logging.  Samba
# auto-rotates logs when they get bigger than 'max log size' Kb, but
# it only retains one old log and one new one.
#log level = 10
log level = 3
log file = /var/log/samba/%U.%m.log
max log size = 102400

# how to add machine trust accounts to LDAP
add machine script = /usr/local/maint/useradd-wrapper.sh -w '%m'

# only bind to the correct (cluster) IP address; otherwise, we'll broadcast
# this node's IP address and the SAN IP as master browsers in addition to the
# cluster IP.
bind interfaces only = true
interfaces = 10.1.1.11

# for netlogon (which we don't use)
logon path =
logon home =
logon drive =

# some performance tweaks
socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536 SO_KEEPALIVE

# no limit to the number of processes to spawn (which is good, because
# Samba has recently been going crazy and spawning hundreds of processes)
max smbd processes = 0

# basic domain master setup

encrypt passwords = yes
domain logons = yes
domain master = yes
local master = yes
preferred master = yes
security = user
# os level = 33 will make Hasley win any contests to see who is the
# domain master.  (There shouldn't be any, but what the hey.)
os level = 33

# where to find the WINS server
wins server = 10.9.1.55

# users in this (LDAP) group will have their smbd processes run as
# root, giving them access to _everything_.  They will also be allowed
# to join computers to the domain
admin users = +ntadmin

# LDAP setup -- where to find stuff, etc.  At least some earlier
# versions of Samba had a bug that forced machine accounts and user
# accounts to be in the same tree, which is why they're not separated
# out
passdb backend = ldapsam:ldap://ldap.hasley.edu
ldap suffix = o=hasley.edu,o=isp
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap admin dn = cn=directory manager
ldap ssl = start_tls

# not sure what these do, to be honest
idmap uid = 10000-20000
idmap gid = 10000-20000

# put in place per request by Redhat
blocking locks = no

# guest access is only allowed to webdirs from the web server, and that
# is read-only, so this is not dangerous.  If guest access were given to
# another volume, though, it could be, so be wary.
guest account = root

# if someone fails to login, give them a shot at getting guest access
map to guest = Bad Password

# make publichtml symlinks work
unix extensions = no

# disable printing
load printers = no
printing = bsd
printcap name = /dev/null
disable spoolss = yes

# include extra user configuration.  For instance, if you wanted to
# turn up the log level for John User, you could create a file called
# 'juser.inc' (or whatever John's username is) and add a 'log level'
# line to it.  This include statement has to be here, at the end of
# the [global] section and before any of the shares, so that it can
# override any global configuration directives, but won't be
# considered part of any particular share.
include = /etc/samba/%U.inc

##################################
#           HOME DRIVE           #
##################################
[home]
comment = Home directories

# basic config: don't allow guest access, allow write, show this
# volume in a volume listing of this machine
guest ok = no
read only = no
browseable = yes

# create the path from the user's home directory, which is populated
# from LDAP
path = %H

# auto-create home and publichtml folders
root preexec = /usr/local/maint/mkhome '%U'

# the permissions of a given folder should be the same as the
# permissions of its parent.  This helps preserve permissions for both
# home and publichtml, which should be different
inherit permissions = yes

# default permissions
directory mask = 0700
force directory mode = 0700
create mask = 0600
force create mode = 0600

# make publichtml symlinks work
follow symlinks = yes
wide links = yes

##################################
#          MACADMIN WORKAROUND   #
##################################
#

[iseedeadpeople]
comment = MacAdmin
guest ok = no
read only = yes
browseable = no
path = %H

##################################
#           MISC DRIVE           #
##################################
[misc]
comment = misc drive
path = /misc

# basic config: don't allow guest access, allow write, show this
# volume in a volume listing of this machine
guest ok = no
read only = no
browseable = yes

# for some reason, inherit permissions doesn't work on /misc, although
# it should.  Set all permissions according to the defaults.  When I
# create a new folder for a department, etc., I can set its
# permissions specially, which will allow me to prevent or allow
# anonymous access as necessary.
inherit permissions = no
directory mask = 2775
force directory mode = 2770
create mask = 0664
force create mode = 0660

# allow some more fancy ACL-based controls on files
nt acl support = yes
map acl inherit = yes
inherit acls = yes

# let anyone who has write access to a file change its permissions.
# this is similar to the way DOS/Windows does things
dos filemode = yes

# anyone who can write to a file can change its timestamp (again, to
# mimic DOS/Windows)
dos filetimes = yes

# configuration for full audit plugin, which will let us see all
# accesses and operations on the Misc drive.  Currently disabled due
# to high I/O loads caused by it.
#vfs objects = full_audit

full_audit:success = all
full_audit:failure = none
full_audit:facility = LOCAL6

##################################
#      WEBDIRS TO WEB SERVER     #
##################################

# this saves us from having to run an NFS server
[webdirs-www]
comment = Webdirs to Web Server
path = /webdirs
guest ok = yes
guest only = yes
read only = yes
browseable = no
hosts allow = 10.1.1.28 10.1.1.29 10.1.1.53 10.1.1.78 10.1.1.89

#################################
#            WEBDIRS            #
#################################

[webdirs]
comment = webdirs
path = /webdirs/univ

# basic config: don't allow guest access, allow write, show this
# volume in a volume listing of this machine
guest ok = 0
read only = no
browseable = yes

# all permissions should be the same on webdirs; don't allow that to
# be overridden, or you're asking for trouble.
inherit permissions = no
directory mask = 0755
force directory mode = 0755
create mask = 0644
force create mode = 0644

# allow some more fancy ACL-based controls on files
nt acl support = yes
map acl inherit = yes
inherit acls = yes


##################################
#   LOAD BALANCER CONFIG BACKUP  #
##################################
[lbconfig]
comment = Load balancer config backup
path = /var/barracuda
guest ok = no
read only = no
browseable = no

#hosts allow = lb0,lb1
#valid users = barracuda

Author Comment

by:cbecker001
ID: 34944028
It turns out that the group that the machine accounts belong to was deleted.  I'm restoring from backup and then adding that group back in.  I believe that will solve the problem.  

I'll post my results afterward

Accepted Solution

by:cbecker001
ID: 34962177
All that needed to be done was to add the machine trust account group back and use the appropriate field values to allow Samba to work with LDAP.  After creating the group, the additional key fields were:

objectClass       sambaGroupMapping
sambaGroupType    2
sambaSID          Can be multiple values--just search for this online for an explanation

Once this was done, the machines were added successfully to the domain.
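The two halves of this thread fit together: the `get_value` crash in the question happens because `read_group_entry_gid` found no group at all for the machine accounts' gidNumber, and the accepted solution works because it recreates that group with the `sambaGroupMapping` attributes Samba needs. The following is an added example (not code from the thread, from smbldap-tools or from Samba) that builds such a group entry as LDIF and re-implements the check around line 244 of smbldap-useradd against a constructed in-memory directory, so the three outcomes (SID found, "SID not set" exit 7, and the undefined-value crash) can be seen side by side. Assumed for illustration: the domain SID, the group name `Computers` with gid 515, and the `group_rid()` formula (Samba's classic algorithmic mapping of 2*gid+1001, the default smbldap-tools uses when no RID is given). The well-known RID 515 for "Domain Computers" is one of the "multiple values" the answer alludes to; the group suffix comes from the posted smb.conf.

```python
import re

# Constructed placeholder domain SID; a real site uses the value from
# "net getlocalsid" (or the sambaDomain entry in LDAP).
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
GROUP_BASE = "ou=Groups,o=hasley.edu,o=isp"   # ldap group suffix + ldap suffix from smb.conf
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")
DOMAIN_COMPUTERS_RID = 515   # well-known NT RID of "Domain Computers"


def group_rid(gid):
    """Samba's classic algorithmic RID for a POSIX gid (2*gid + 1001)."""
    return 2 * gid + 1001


def machine_group_entry(cn, gid, rid=None, domain_sid=DOMAIN_SID, base=GROUP_BASE):
    """Group entry carrying the three key attributes from the accepted solution."""
    if rid is None:
        rid = group_rid(gid)
    return {
        "dn": "cn=%s,%s" % (cn, base),
        "objectClass": ["top", "posixGroup", "sambaGroupMapping"],
        "cn": [cn],
        "gidNumber": [str(gid)],
        "sambaGroupType": ["2"],                      # 2 = domain group
        "sambaSID": ["%s-%d" % (domain_sid, rid)],
    }


def to_ldif(entry):
    """Render an entry dict as LDIF suitable for ldapadd."""
    lines = ["dn: " + entry["dn"]]
    for attr, values in entry.items():
        if attr == "dn":
            continue
        lines.extend("%s: %s" % (attr, v) for v in values)
    return "\n".join(lines) + "\n"


def read_group_entry_gid(directory, gid):
    """Like smbldap's read_group_entry_gid: the posixGroup with that gidNumber, or None."""
    for entry in directory:
        if "posixGroup" in entry["objectClass"] and entry["gidNumber"] == [str(gid)]:
            return entry
    return None


def machine_group_sid(directory, gid):
    """Mirror of the smbldap-useradd check around line 244.

    Returns (sid, 0) on success and (None, 7) when the group exists but is not
    mapped to an NT group.  A missing group raises LookupError: in the Perl
    original this is the 'Can't call method "get_value" on an undefined value'
    crash, which fires before the friendlier "SID not set" message can.
    """
    entry = read_group_entry_gid(directory, gid)
    if entry is None:
        raise LookupError("no posixGroup with gidNumber=%d (undefined-value case)" % gid)
    sids = entry.get("sambaSID", [])
    if not sids or not SID_RE.match(sids[0]):
        return None, 7
    return sids[0], 0


# Constructed sample directory: the restored machine group plus a plain POSIX
# group that is fine for Unix but invisible to Samba's group mapping.
DIRECTORY = [
    machine_group_entry("Computers", 515, rid=DOMAIN_COMPUTERS_RID),
    {
        "dn": "cn=staff," + GROUP_BASE,
        "objectClass": ["top", "posixGroup"],
        "cn": ["staff"],
        "gidNumber": ["1001"],
    },
]

if __name__ == "__main__":
    print(to_ldif(DIRECTORY[0]))
    for gid in (515, 1001, 9999):
        try:
            print(gid, machine_group_sid(DIRECTORY, gid))
        except LookupError as exc:
            print(gid, "CRASH:", exc)
```

Running the script prints the LDIF for the machine group followed by one line per case: the mapped group returns its SID, the unmapped `staff` group returns the exit code 7 path, and gid 9999 reproduces the crash. To apply the LDIF against the directory in the posted smb.conf, feed it to `ldapadd -ZZ -H ldap://ldap.hasley.edu -D "cn=directory manager" -W -f group.ldif`; the gid in the LDIF must match the `defaultComputerGroup` that smbldap.conf assigns to `-w` accounts, otherwise the lookup fails for the same reason it did here.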

Author Closing Comment

by:cbecker001
ID: 34995397
My last comment was the complete solution to the problem
