Hi Forum
Once again I have a problem with my BDC; yesterday evening I finally had time to test it again. I first stopped the PDC, then started the BDC, then tried to log on from a Windows PC, which unfortunately did not work.
In the BDC's log I found this:
ldapslave smbd[4492]: _net_auth2: creds_server_check failed. Rejecting auth request from client testpc machine account testpc$
Do I understand correctly that it had no permission?
My BDC is set up like this:
testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[netlogon]"
Processing section "[startpage]"
Loaded services file OK.
Server role: ROLE_DOMAIN_BDC
Press enter to see a dump of your service definitions
smb.conf
[global]
workgroup = test
server string = Samba
map to guest = Bad User
passdb backend = ldapsam:ldap://ldapslave.test.intern
log level = 3
log file = /var/log/samba/%U.log
debug uid = Yes
smb ports = 139
deadtime = 120
printcap name = /etc/printcap
logon script = logon.bat
logon path = \\192.168.22.2\profiles\.msprofile
logon drive = H:
logon home = \\192.168.22.2\%U\.9xprofile
domain logons = Yes
os level = 90
preferred master = No
local master = No
domain master = No
ldap admin dn = cn=manager,dc=test,dc=intern
ldap group suffix = ou=groups
ldap machine suffix = ou=hosts
ldap passwd sync = Yes
ldap suffix = dc=test,dc=intern
# no TLS: the simple bind as ldap admin dn (password from secrets.tdb)
# is sent unencrypted to ldapslave.test.intern
ldap ssl = no
ldap user suffix = ou=users
usershare allow guests = Yes
cups options = raw
hide files = /?esktop.ini/ntuser.ini
oplocks = No
level2 oplocks = No
[netlogon]
comment = NLService
path = /var/lib/samba/netlogon
write list = @root, domainadm
guest ok = Yes
browseable = No
[startpage]
comment = startpage share
path = /data/samba/share/startpage
write list = @root, domainadm
guest ok = Yes
browseable = No
It gets the user data from LDAP.
slapd.conf
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
# Load dynamic backend modules:
modulepath /usr/lib/openldap/modules
# moduleload back_ldap.la
# moduleload back_meta.la
# moduleload back_monitor.la
# moduleload back_perl.la
#TLSCertificateFile /etc/ssl/zertifikate/ldapcert.pem
#TLSCertificateKeyFile /etc/ssl/zertifikate/ldapkey.pem
#TLSCACertificateFile /etc/ssl/zertifikate/demoCA/cacert.pem
#TLSCipherSuite HIGH:MEDIUM:+SSLv2
#TLSVerifyClient allow
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access to user password
# Allow anonymous users to authenticate
# Allow read access to everything else
# Directives needed to implement policy:
include /etc/openldap/acl.conf
# no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database bdb
suffix "dc=test,dc=intern"
checkpoint 1024 5
cachesize 10000
rootdn "cn=manager,dc=test,dc=intern"
# Cleartext passwords, especially for the rootdn, should
# be avoid. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {MD5}6GNuoBPmgvr2H1bOHLGrXA==
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain
index objectClass eq
index sambaSID eq
index sambaGroupType eq
index sambaSIDList eq
index memberUid eq
index Uid eq
index gidNumber eq
index member eq
index cn eq
index displayName eq
index uidNumber eq
index sambaDomainName eq
# updatedn is also the rootdn and Samba's ldap admin dn: writes bound as this
# DN are accepted into the replica directly instead of being referred to the
# PDC through updateref, so the replica can silently diverge from the master
updatedn "cn=manager,dc=test,dc=intern"
updateref "ldap://192.168.22.1:389"
acl.conf
access to dn.base=""
        by * read
access to dn.base="cn=subSchema"
        by * read
access to attrs=userPassword,userPKCS12
        by self write
        by * auth
access to attrs=shadowLastChange
        by self write
        by * read
access to dn.subtree="ou=adressbuch,dc=test,dc=intern"
        by users write
        by * read
access to dn.subtree="ou=users,dc=test,dc=intern"
        by self write
        # the clause below names a DN but, as posted, no access level;
        # state one (read or write) so the intent is explicit
        by dn="uid=testuser,ou=users,dc=test,dc=intern"
        by * read
access to dn.subtree="ou=groups,dc=test,dc=intern"
        by * read
# by clauses are tried in order and the first one whose <who> matches decides,
# so a "by self write" listed after "by * auth" could never apply; self first
access to dn.sub="ou=hosts,dc=test,dc=intern"
        by self write
        by * auth
I loaded the user data from the PDC with
ldapadd -x -D "cn=manager,dc=test,dc=intern" -W -f master.ldif
and slurpd is also running and updating the DB.
Now I simply have no idea what mess I've made this time.
P.S. My goal is simple: if the PDC fails, the BDC should step in and take over the PDC's tasks.
Thanks for the support and help.
Regards, Flippa
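What `creds_server_check failed` in the log above says is that the NETLOGON credential testpc computed from its machine account password did not match the one the BDC computed from its own copy of testpc$ (the sambaNTPassword in the LDAP replica), so the first thing to compare is the replica's machine trust accounts and domain SID against the PDC, not share permissions. The script below is an added example, not part of Flippa's post, Samba or OpenLDAP: it expects one LDIF dump per server (the `ldapsearch` call in its docstring is an assumption about how the dumps would be produced), and the two dumps inside it, hashes, SIDs and timestamps included, are constructed.

```python
"""Added example, not from the forum post, Samba or OpenLDAP: compare what a
BDC needs to validate NETLOGON credentials (domain SID, machine trust accounts
under ou=hosts) between the PDC's LDAP tree and the BDC's replica.  Input is
one LDIF dump per server (e.g. ldapsearch -x -LLL -b dc=test,dc=intern ...);
the two dumps below are constructed, every hash, SID and timestamp is made up."""
import base64

def parse_ldif(text):
    """Minimal LDIF reader: unfold continuation lines, decode '::' base64
    values, lower-case attribute names, key entries by DN."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:   # folded line continues previous
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current, dn = {}, {}, None
    for line in unfolded + [""]:               # trailing blank flushes last entry
        if line.startswith(("#", "version:")):
            continue
        if not line.strip():
            if dn is not None:
                entries[dn] = current
            current, dn = {}, None
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            dn = value.lower()
        else:
            current.setdefault(name, []).append(value)
    return entries

def has_class(e, cls):
    return cls in [c.lower() for c in e.get("objectclass", [])]

def domain_sid(entries):
    """SID of the sambaDomain object; PDC and BDC must agree on it."""
    for e in entries.values():
        if has_class(e, "sambadomain"):
            return e.get("sambasid", [None])[0]
    return None

def machine_accounts(entries):
    """Machine trust accounts: sambaSamAccount entries whose uid ends in '$'."""
    return {e["uid"][0].lower(): e for e in entries.values()
            if has_class(e, "sambasamaccount") and e.get("uid", [""])[0].endswith("$")}

def compare_replica(pdc, bdc):
    """Findings as text; an empty list means the replica lets the BDC compute
    the same NETLOGON credential as the client does from its trust password."""
    findings = []
    if domain_sid(pdc) != domain_sid(bdc):
        findings.append(f"domain SID differs: PDC={domain_sid(pdc)} BDC={domain_sid(bdc)}")
    pm, bm = machine_accounts(pdc), machine_accounts(bdc)
    for uid, pe in sorted(pm.items()):
        if uid not in bm:
            findings.append(f"{uid}: missing on BDC replica")
            continue
        for attr in ("sambasid", "sambantpassword", "sambapwdlastset"):
            pv, bv = pe.get(attr, [None])[0], bm[uid].get(attr, [None])[0]
            if pv != bv:
                findings.append(f"{uid}: {attr} differs (PDC={pv} BDC={bv})")
    return findings

# Constructed dumps: the replica still holds an older trust password for testpc$.
PDC_LDIF = """\
dn: sambaDomainName=TEST,dc=test,dc=intern
objectClass: sambaDomain
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: uid=testpc$,ou=hosts,dc=test,dc=intern
objectClass: sambaSamAccount
uid: testpc$
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3002
sambaNTPassword: A1B2C3D4E5F60718293A4B5C6D7E8F90
sambaPwdLastSet: 1300000000
"""
BDC_LDIF = """\
dn: sambaDomainName=TEST,dc=test,dc=intern
objectClass: sambaDomain
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: uid=testpc$,ou=hosts,dc=test,dc=intern
objectClass: sambaSamAccount
uid: testpc$
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3002
sambaNTPassword: FFEEDDCCBBAA99887766554433221100
sambaPwdLastSet: 1290000000
description:: VGVzdCBQ
 Qw==
"""

if __name__ == "__main__":
    for f in compare_replica(parse_ldif(PDC_LDIF), parse_ldif(BDC_LDIF)) or ["replica in sync"]:
        print(f)
```

With real data, replace the two constants with dumps taken on each server. Take the replica's dump over the local socket or only after enabling the TLS directives that are commented out in slapd.conf: a simple bind over plain ldap:// sends the cn=manager password unencrypted, exactly as Samba's own bind does with `ldap ssl = no`.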