CentOS 5.x Samba Domain Controller With LDAP Backend - Page 2

Setting up remote administration of the ldap directory

Edit /etc/php.ini and make sure memory_limit is set to at least 32 MB:

memory_limit = 32M

Last I checked, the version of phpldapadmin available via yum is broken, so we'll get the latest release and extract it. Go to http://sourceforge.net/project/showfiles.php?group_id=61828&package_id=177751 and download the latest version. In my case that resulted in the following commands; your package may be newer:

mkdir /var/www/html/samba && cd /var/www/html/samba
wget http://softlayer.dl.sourceforge.net/sourceforge/phpldapadmin/phpldapadmin-1.1.0.7.tar.gz
tar zxf phpldapadmin-1.1.0.7.tar.gz
ln -s phpldapadmin-1.1.0.7 pla
cp pla/config/config.php.example pla/config/config.php

Now edit ./pla/config/config.php and uncomment the following line:

$config->custom->jpeg['tmpdir'] = "/tmp";

 

Make newly setup software available

service httpd restart
chkconfig httpd on

Edit /etc/sysconfig/iptables: copy and modify the line for ssh (--dport 22 -j ACCEPT) and, right after it, add the following (assuming your CentOS install produced the default iptables file):

#Allow Https://
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
#Allow samba:
-A RH-Firewall-1-INPUT -m multiport -p udp --dport 137,138 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m multiport -p tcp --dport 139,445 -j ACCEPT

Now open your web browser, visit https://192.168.0.5/samba/pla/ and log in with the username cn=root,dc=DOMAINNAME and your password. You should be able to look around and see some junk.

 

Integrate ldap and Samba

mv /etc/samba/smb.conf /etc/samba/smb.conf.dist
cp /usr/share/doc/smbldap-tools-0.9.5/smb.conf /etc/samba/smb.conf

Edit /etc/samba/smb.conf to your liking; the default ldap part should be fine.
Under [global], you will need to add these three settings, which are not there by default:

ldap ssl = off
nt acl support = yes

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 SO_KEEPALIVE

cp /usr/share/doc/smbldap-tools-0.9.5/smbldap.conf /etc/smbldap-tools/smbldap.conf
net getlocalsid

Note: net getlocalsid will print a number of errors before its last line, because you haven't fully configured Samba yet, but it will still produce the SID you need for the next step.

Edit /etc/smbldap-tools/smbldap.conf and insert your SID, domain, etc. throughout the file, all the way to the end.

Edit /etc/smbldap-tools/smbldap_bind.conf and change both applicable lines, replacing "secret" with your password.

chmod 644 /etc/smbldap-tools/smbldap.conf
chmod 600 /etc/smbldap-tools/smbldap_bind.conf
authconfig-tui

Check that the output from authconfig-tui contains:

[ ] Local authorization is sufficient

Now test your samba config:

testparm

smbpasswd -w YOUR_ROOT_LDAP_PASS_HERE
smbldap-populate

smbldap-populate will ask for the password, enter it.

 

Start the LDAP Samba installation up

/etc/init.d/smb start
chkconfig smb on

Add users/groups, correlate between unix and ldap:

useradd user1
smbldap-useradd -a -G 'Domain Users' -m -s /bin/bash -d /home/user2 -F "" -P user1

Get a picture of the UNIX groups that aren't there yet that LDAP assumes:

net groupmap list

Output is something like:

Domain Admins (S-1-5-21-990788473-1556064292-4137819756-512) -> domain_admins
Domain Users (S-1-5-21-990788473-1556064292-4137819756-513) -> domain_users
Domain Guests (S-1-5-21-990788473-1556064292-4137819756-514) -> 514
Domain Computers (S-1-5-21-990788473-1556064292-4137819756-515) -> 515
Administrators (S-1-5-32-544) -> 544
Account Operators (S-1-5-32-548) -> 548
Print Operators (S-1-5-32-550) -> 550
Backup Operators (S-1-5-32-551) -> 551
Replicators (S-1-5-32-552) -> 552

Add correlating groups to unix, using the suggested GIDs:

groupadd -g 514 samba_domain_guests
groupadd -g 515 samba_domain_computers
groupadd -g 544 samba_administrator
groupadd -g 548 samba_account_operators
groupadd -g 550 samba_print_operators
groupadd -g 551 samba_backup_operators
groupadd -g 552 samba_replicators

If you want to add a non-built-in group to LDAP/Samba, say for controlling which users can write/read files on a share, and have it determine that by groups:

smbldap-groupadd -a "People In Our Office"

Then get the output from net groupmap list again and correlate the newly created group # just like last time, adding the group to the unix system:

groupadd -g 1001 samba_people_in_our_office
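The two mapping steps above (built-in groups and the custom group) can be scripted. This is an added example, not part of the original tutorial: it parses `net groupmap list` output, prints a groupadd command for every group still mapped to a bare number, and flags GIDs that a local group already uses. The function names, the generated samba_ group names (which can differ from the hand-picked ones above, e.g. samba_administrators) and the group file contents are assumptions; the sample mapping lines are the output shown above.

```shell
#!/bin/sh
# Added example: derive groupadd commands from `net groupmap list` output.
# Nothing is executed; the commands are printed for review.

# Reads `net groupmap list` output on stdin.
# $1 = file in /etc/group format to check GIDs against (default: /etc/group).
groupmap_to_groupadd() {
    awk -v groupfile="${1:-/etc/group}" '
    BEGIN {
        # Remember which GIDs are already taken, and by which group.
        while ((getline line < groupfile) > 0) {
            split(line, f, ":")
            if (f[3] != "") taken[f[3]] = f[1]
        }
        close(groupfile)
    }
    {
        start = index($0, " (S-1-")      # end of the NT group name
        sep   = index($0, ") -> ")       # end of the SID
        if (start == 0 || sep == 0 || start > sep) next   # not a mapping line

        name   = substr($0, 1, start - 1)
        target = substr($0, sep + 5)
        sub(/[ \t\r]+$/, "", target)

        # A non-numeric target is a unix group that already exists by name.
        if (target !~ /^[0-9]+$/) next

        # samba_<name>: lowercase, runs of other characters become "_".
        slug = tolower(name)
        gsub(/[^a-z0-9]+/, "_", slug)
        sub(/^_+/, "", slug)
        sub(/_+$/, "", slug)

        if (target in taken)
            printf "# CONFLICT: gid %s is already used by %s; resolve before mapping %s\n", target, taken[target], name
        else
            printf "groupadd -g %s samba_%s\n", target, slug
    }'
}

# The sample output shown above, embedded so the example runs offline.
sample_groupmap() {
    cat <<'EOF'
Domain Admins (S-1-5-21-990788473-1556064292-4137819756-512) -> domain_admins
Domain Users (S-1-5-21-990788473-1556064292-4137819756-513) -> domain_users
Domain Guests (S-1-5-21-990788473-1556064292-4137819756-514) -> 514
Domain Computers (S-1-5-21-990788473-1556064292-4137819756-515) -> 515
Administrators (S-1-5-32-544) -> 544
Account Operators (S-1-5-32-548) -> 548
Print Operators (S-1-5-32-550) -> 550
Backup Operators (S-1-5-32-551) -> 551
Replicators (S-1-5-32-552) -> 552
EOF
}

# Constructed group file in which a local user's private group holds gid 514.
demo_groups=$(mktemp)
printf 'root:x:0:\nalice:x:514:\n' > "$demo_groups"
sample_groupmap | groupmap_to_groupadd "$demo_groups"
rm -f "$demo_groups"
```

On a live server, pipe the real output in and review the result before running it: `net groupmap list | groupmap_to_groupadd`.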

Add users to LDAP groups via the web interface, then correlate in unix:

usermod -a -G UNIX_GROUP_NAME UNIX_USERNAME

Also add computer accounts to unix, using the group "samba_domain_computers" from above; each allowed computer name must end with a "$":

useradd -M -g 515 -s /bin/false officecomp1$

Last, but certainly not necessary, you may want to turn off the unnecessary services CentOS runs by default. I determined that I, specifically, don't need any of the following. You might be different, so look them up before you turn them off:

chkconfig ntpd off
chkconfig bluetooth off
chkconfig xinetd off
chkconfig smartd off
chkconfig yum-updatesd off
chkconfig rpcidmapd off
chkconfig rpcgssd off
chkconfig restorecond off
chkconfig portmap off
chkconfig pcscd off
chkconfig nfslock off
chkconfig mcstrans off
chkconfig mdmonitor off
chkconfig irqbalance off
chkconfig kudzu off
chkconfig ip6tables off
chkconfig hidd off
chkconfig gpm off
chkconfig haldaemon off
chkconfig autofs off
chkconfig avahi-daemon off
service ntpd stop
service bluetooth stop
service xinetd stop
service smartd stop
service yum-updatesd stop
service rpcidmapd stop
service rpcgssd stop
service restorecond stop
service portmap stop
service pcscd stop
service nfslock stop
service mcstrans stop
service mdmonitor stop
service irqbalance stop
service kudzu stop
service ip6tables stop
service hidd stop
service gpm stop
service haldaemon stop
service autofs stop
service avahi-daemon stop

(Optional) Upgrade Samba so Windows 7 computers can join the domain

Make sure ldap ssl = off is set in /etc/samba/smb.conf, as this wasn't required for the CentOS distro version of Samba to run properly, but will be required once we upgrade (3.0.x vs 3.3.x, which supports Windows 7).

We will get the newer samba RPMs built for CentOS from Sernet:

cd /etc/yum.repos.d/
wget http://ftp.sernet.de/pub/samba/3.3/centos/5/sernet-samba.repo
yum update

Your samba packages will update from the Sernet repo.
Since the upgrade, our CentOS service for samba disappeared; let's re-add it:

chkconfig --add smb
chkconfig smb on

Now add the Windows 7 computer to Unix (assuming your domain computers' group name is "samba_domain_computers"):

useradd -M -g `cat /etc/group|grep samba_domain_computers|cut -d: -f3` -s /bin/false win7-computername$
usermod -a -G samba_domain_computers win7-computername$

Now join your Windows 7 PC to the domain using this official Samba mini guide:
http://wiki.samba.org/index.php/Windows7

Comments

From: at: 2009-12-07 05:22:12

As "pierre73" suggests below, read more closely.

dn: dc=kaldom.local

and

dn: cn=root,dc=kaldom.local

 need to be:

dn: dc=kaldom,dc=local

dn: cn=root,dc=kaldom,dc=local

From: Fabrício Lima at: 2010-01-14 20:34:52

#domain -> domain.com

dn: dc=domain,dc=com
objectclass: dcObject
objectclass: organization
o: Domain Server
dc: domain

dn: cn=root,dc=domain,dc=com
objectclass: organizationalRole
cn: root

From: mike@Philippines at: 2009-12-11 02:10:28

Hi!

I followed the instructions above. But somehow I'm stuck like them...

 

dn: dc=hit,dc=com
objectclass: dcObject
objectclass: organization
o: hit.com
dc: hit.com
dn: cn=root,dc=hit,dc=com
objectclass: organizationalRole
cn: root

 

I already installed CentOS 3 times (from scratch) but I'm still stuck on this section.

 

Please help.. :(

From: AlittleHelp at: 2009-12-14 21:48:16

Hi,

This is how your setup is currently configured.

dn: dc=hit,dc=com
objectclass: dcObject
objectclass: organization
o: hit.com
dc: hit.com
dn: cn=root,dc=hit,dc=com
objectclass: organizationalRole
cn: root

Should be set up like this.

dn: dc=hit,dc=com
objectclass: dcObject
objectclass: organization
o: hit.com
dc: hit
dn: cn=root,dc=hit,dc=com
objectclass: organizationalRole
cn: root

Hope that helps you out, DC should just be HIT not HIT.Com

From: Snacho at: 2010-01-23 06:00:04

I figured it out... there must be a blank line between dn entries. So the right form is:

dn: dc=hit,dc=com
objectclass: dcObject
objectclass: organization
o: hit.com
dc: hit


dn: cn=root,dc=hit,dc=com
objectclass: organizationalRole
cn: root

From: at: 2010-03-04 15:44:52

this is my file init.ldif

dn: dc=dominio,dc=com
objectclass: dcObject
objectclass: organization
o: PDC
dc: dominio
dn: cn=admin,dc=dominio,dc=com
objectclass: organizationalRole
cn: admin

when i run

# slapadd -l /etc/openldap/init.ldif

get the following error

str2entry: entry -l has multiple DNs "dc=dominio,dc=com" and "cn=admin,dc=dominio,dc=com"

slapadd: could not parse entry ( line=9 )

 

help!!!

From: at: 2010-03-11 16:58:15

check the reply right above you???

"there must a blank line between dn entries."

From: Ken Han at: 2010-03-16 01:13:26

Please put a blank line after "dc: dominio " and "cn: admin" and try.

 

--------------------------------------------------

dn: dc=dominio,dc=com
objectclass: dcObject
objectclass: organization
o: PDC
dc: dominio


dn: cn=admin,dc=dominio,dc=com
objectclass: organizationalRole
cn: admin

 

--------------------------------------------------

From: ken at: 2010-04-02 02:11:24

I have the same problem :|

I tried to follow this: http://www.howtoforge.com/centos-5.x-samba-domain-controller-with-ldap-backend

From: Anonymous at: 2010-06-08 14:43:48

Put a blank line before the dn: cn=admin,dc=dominio,dc=com line, otherwise slapadd thinks the entire block is one ldif entry when you really have two.
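The init.ldif mistakes reported in the comments above (no blank line between entries, a dc: value that is not the leading dc= component, and a dotted dc= component in the DN) can be caught before slapadd is run. This is an added example, not code from the tutorial or from any commenter; the function names are hypothetical and both samples are constructed from the LDIF posted above.

```shell
#!/bin/sh
# Added example: lint an init.ldif for the three mistakes discussed above.
# Limits: base64 DNs (dn::) and escaped commas inside DNs are not interpreted.

# Reads LDIF on stdin, prints one finding per line, returns 1 if any.
lint_ldif() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t\r]+$/, "", s); return s }
    function report(n, msg) { printf "line %d: %s\n", n, msg; problems++ }

    # Run the per-entry checks once an entry is complete.
    function end_entry(   parts, n, i, rdn_val, fixed) {
        if (dn == "") return
        n = split(dn, parts, ",")
        for (i = 1; i <= n; i++) {
            parts[i] = trim(parts[i])
            if (tolower(parts[i]) ~ /^dc=/ && parts[i] ~ /\./) {
                fixed = parts[i]
                gsub(/\./, ",dc=", fixed)
                report(dn_line, "DN component " parts[i] " contains a dot; write " fixed)
            }
        }
        # The dc: attribute has to carry the value of the leading dc= RDN.
        if (tolower(parts[1]) ~ /^dc=/ && dc_line) {
            rdn_val = substr(parts[1], 4)
            if (tolower(rdn_val) != tolower(dc_val))
                report(dc_line, "dc: " dc_val " does not match the leading RDN dc=" rdn_val)
        }
        dn = ""; dc_val = ""; dc_line = 0
    }

    /^\r?$/      { end_entry(); next }   # an empty line closes the entry
    /^#/ || /^ / { next }                # comments and folded continuation lines

    tolower($0) ~ /^dn:/ {
        if (dn != "") {
            # Second dn: in the same entry: the "multiple DNs" case from slapadd.
            prev = dn_line
            end_entry()
            report(NR, "dn: starts a new entry, but no blank line separates it from the entry that began at line " prev)
        }
        dn = trim(substr($0, 4)); dn_line = NR
        next
    }
    tolower($0) ~ /^dc:/ { dc_val = trim(substr($0, 4)); dc_line = NR }

    END { end_entry(); exit (problems > 0) }
    '
}

# Constructed sample: the file one commenter was stuck on.
bad_ldif() {
    cat <<'EOF'
dn: dc=hit,dc=com
objectclass: dcObject
objectclass: organization
o: hit.com
dc: hit.com
dn: cn=root,dc=hit,dc=com
objectclass: organizationalRole
cn: root
EOF
}

# Constructed sample: the layout that commenters report as working.
good_ldif() {
    cat <<'EOF'
dn: dc=EXAMPLE,dc=COM
objectclass: dcObject
objectclass: organization
o: EXAMPLE
dc: EXAMPLE

dn: cn=root,dc=EXAMPLE,dc=COM
objectclass: organizationalRole
cn: root
EOF
}

echo "== bad sample =="
bad_ldif | lint_ldif || echo "(fix the findings above before running slapadd -l)"
echo "== good sample =="
good_ldif | lint_ldif && echo "no findings"
```

Against a real file: `lint_ldif < /etc/openldap/init.ldif`.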

From: Gene Poole at: 2010-04-21 21:27:48

Here's my ldif:

 [root@jpdsys3 ~]# cat /etc/openldap/init.ldif
dn: dc=jpdesignsinc,dc=com
objectclass: dcObject
objectclass: organization
o: jpdesignsinc
dc: jpdesignsinc

dn: cn=root,dc=jpdesignsinc,dc=com
objectclass: organizationalRole
cn: root

The message I'm getting is:

 [root@jpdsys3 ~]# slapadd -l /etc/openldap/init.ldif
slapadd: line 6: database (dc=jpdesignsinc) not configured to hold "dc=jpdesignsinc,dc=com"
slapadd: line 6: database (dc=jpdesignsinc) not configured to hold "dc=jpdesignsinc,dc=com"
[root@jpdsys3 ~]#

From: Anonymous at: 2009-12-30 18:52:45

I have this problem.

 I have exactly same init.ldif file as in tutorial.

 any help?

Thanks!

 slapadd -l /etc/openldap/init.ldif

<rootpw> can only be set when rootdn is under suffix

 slapadd: bad configuration file!

From: pierre73 at: 2009-11-18 10:18:53

You should pay attention to line spacing among LDAP entries in init.ldif.

The following init.ldif file worked for me:

dn: dc=EXAMPLE,dc=COM
objectclass: dcObject
objectclass: organization
o: EXAMPLE
dc: EXAMPLE

dn: cn=root,dc=EXAMPLE,dc=COM
objectclass: organizationalRole
cn: root

Cheers,

From: atul at: 2010-02-25 09:09:48

Thanks mate, it worked... I was getting the error message below:

str2entry: entry -1 has multiple DNs "dc=logicalsteps,dc=net" and "cn=root,dc=logicalsteps,dc=net"
slapadd: could not parse entry (line=9)

Fixed it by following your suggestion.

My init.ldif looks like this. I have added line numbers for reference:

 

  1 dn: dc=domainname,dc=net
  2 objectclass: dcObject
  3 objectclass: organization
  4 o: domainname
  5 dc: domainname
  6
  7 dn: cn=root,dc=domainname,dc=net
  8 objectclass: organizationalRole
  9 cn: root

From: tsakf at: 2009-11-07 20:02:22

I liked the article very much, so it's already added to my library.


 

From: Anonymous at: 2009-11-16 12:41:49

I get the error:

[root@linuxdc openldap]# slapadd -l /etc/openldap/init.ldif
str2entry: entry -1 has multiple DNs "dc=kaldom.local" and "cn=root,dc=kaldom.local"
slapadd: could not parse entry (line=9)

I have also tried with your example, and gets the answer.

My ldif file is as follows:

dn: dc=kaldom.local
objectclass: dcObject
objectclass: organization
o: CentOS Directory Server
dc: kaldom.local
dn: cn=root,dc=kaldom.local
objectclass: organizationalRole
cn: root

Some help here would be very appreciated.

From: Oscar Soares at: 2010-04-30 12:47:42

Hello boss,

You need a space between lines 5 and 6, like this:

dn: dc=kaldom.local
objectclass: dcObject
objectclass: organization
o: CentOS Directory Server
dc: kaldom.local


dn: cn=root,dc=kaldom.local
objectclass: organizationalRole
cn: root

 

That's all...Ozkr

From: at: 2009-11-13 07:05:22

[root@centos openldap]# slapadd -l /etc/openldap/init.ldif
str2entry: entry -1 has multiple DNs "dc=example,dc=com" and "cn=admin,dc=example,dc=com"
slapadd: could not parse entry (line=9)

 

I'm stuck here. Please advise.

From: at: 2009-11-13 17:06:55

What does your /etc/openldap/init.ldif look like?

From: Anonymous at: 2009-11-15 15:52:48

I have the same problem.

 I have exactly same init.ldif file as in tutorial.

 any help?

Thanks! H.

From: nani at: 2010-01-15 05:43:10

Great tutorial. Needs explanation on smb.conf, logon scripts, adding users via ldap admin; that will help more.

Thank you a lot. You made my life simpler.

 

From: Anonymous at: 2010-02-10 16:03:35

Thanks. New tutorial in French for CentOS 5.4:

http://reazy64.blogspot.com/

From: David Gonzalez at: 2010-07-08 19:29:41

Hey there, this tutorial is great, in fact howtoforge rocks, I've learned so much by reading here.

Although I've set up my Samba to be a PDC and it works, when I try to implement the instructions to use LDAP, at this step:

slapadd -l /etc/openldap/init.ldif

I get

[root@dbserver samba]# slapadd -l /etc/openldap/init.ldif
bdb(dc=DGHVOIP,dc=lan): no absolute path for the current directory: No such file or directory
bdb_db_open: Database cannot be opened, err 2. Restore from backup!
bdb(dc=DGHVOIP,dc=lan): DB_ENV->lock_id_free interface requires an environment configured for the locking subsystem
bdb(dc=DGHVOIP,dc=lan): txn_checkpoint interface requires an environment configured for the transaction subsystem
bdb_db_close: txn_checkpoint failed: Invalid argument (22)
backend_startup_one: bi_db_open failed! (2)
slap_startup failed

Kinda stuck here as the server won't start or anything. I followed the tutorial but, as you see, I changed EXAMPLE for dc=DGHVOIP,dc=lan

Again GREAT tutorial.

Any hints would be appreciated.

Thanks

From: at: 2010-07-09 15:55:17

Thank you for this great Howto, I got it working finally.

However, there is now a big modification for CentOS 5.5 (maybe other releases, I don't know): you must not use the samba package, but the samba3x package. If samba is already installed, erase it and all its related packets and install samba3x.

Cheers !

From: rdevries at: 2010-08-27 19:40:30

can someone update the procedure with the samba3x info?

Trying to do a fresh install of Centos 5.5 and make it into the PDC

thanks

From: Anonymous at: 2010-08-16 20:44:33

I am attempting to make an LDAP Samba PDC for one of our groups here at the workplace. My hang up is when I follow the tutorial above I run into some issues.

I understand the structure, sort of, but when I try to extend it to my network, I get all sorts of errors. My domain is the following: *.la.asu.edu and of course I have a server set up with its own domain name, let's call it domaincontroller. So my FQDN is: domaincontroller.la.asu.edu. Now, in the setup I would assume the following configuration would work:

[init.ldif]:

dn: dc=la,dc=asu,dc=edu
objectclass: dcObject
objectclass: organization
o: PGG Domain Controller
dc: la.asu.edu

dn: cn=root,dc=la,dc=asu,dc=edu
objectclass: organizationalRole
cn: root

However, it doesn't like that dc: la.asu.edu line. I see in the example that it should just be dc: la, but shouldn't this be the FQDN? I guess I'm having trouble understanding how to set up the config files for a PDC that will run on the domain *.la.asu.edu. Can anyone clear this up for me? I don't have a simple example.com domain, so this is where my problem lies. When I try to run the slapadd it complains about the dc: la.asu.edu line; if I change it to simply dc: la, slapadd works, but then when I try to start the ldap service, I get a warning and ldap won't start.

Any help? Thanks so much and also for the great tutorial!

 

From: Anonymous at: 2010-08-26 12:16:29

it doesn't work. my init.ldif file's configuration is:

 

 dn: dc=youngasia,dc=tv
objectClass: dcObject
objectClass: organization
o: CentOS Directory Server
dc: youngasia
dn: cn=root,dc=youngasia,dc=tv
objectClass: organizationalRole
cn: root

ERROR is:

str2entry: entry -1 has multiple DNs "dc=youngasia,dc=tv" and "cn=root,dc=youngasia,dc=tv"
slapadd: could not parse entry (line=9)

If anyone can pls help me:

 

From: Anonymous at: 2010-08-27 22:04:20

All -

 I'm starting to understand a lot more about LDAP. I would suggest that anyone who wants to implement a good solid PDC using Samba with an LDAP backend, first learn what LDAP is all about. Out of all the tutorials, including this one, I have seen, not much information is given about LDAP's inner workings. Go get yourself an LDAP book or better yet find one of the LinuxCBT tutorial videos on setting up LDAP. This is really the biggest part of the implementation and understanding it well will give you an edge on getting a PDC in the works. It will also give you a better background for troubleshooting and setting up nicer features to your PDC.

From: ryanez at: 2010-10-11 23:16:00

meant to post this awhile back, not sure if everyone gets the same issue, but after running the yum installs on the first step. Some JCode and Map8, Strings, etc perl mods are needed for smbldap-tools.

If anyone experiences that you can make sure all the RPM are installed before smbldap-tools by doing :

yum install openldap openldap-clients openldap-servers nss_ldap samba samba-client httpd openssl mod_ssl mysql mysql-server php php-xml php-ldap php-mysql php-pdo php-cli php-common perl-LDAP smbldap-tools perl-Digest-SHA1 perl-Digest-SHA perl-Unicode-String perl-Unicode-Map8 perl-Unicode-Map perl-Unicode-MapUTF8 perl-Jcode screen systat dstat
 

the last three packages are for my monitoring the servers. Hope this helps any one.

From: istvan550 at: 2011-02-26 13:35:29

Hi. I'm trying to work thru this tutorial and I'm getting stuck here. I'm using Centos5.5

---------------------------------------------------------------------------------------------------

 [root@myserver1 ~]# rpm -Uvh ftp://ftp.pbone.net/mirror/ftp.pld-linux.org/dists/3.0/PLD/noarch/RPMS/smbldap-tools-0.9.5-1.noarch.rpm
Retrieving ftp://ftp.pbone.net/mirror/ftp.pld-linux.org/dists/3.0/PLD/noarch/RPMS/smbldap-tools-0.9.5-1.noarch.rpm
warning: /var/tmp/rpm-xfer.1kSnFL: Header V3 DSA signature: NOKEY, key ID e4f1bc2d
error: Failed dependencies:
        /usr/share/perl5/vendor_perl is needed by smbldap-tools-0.9.5-1.noarch
        perl(Crypt::SmbHash) is needed by smbldap-tools-0.9.5-1.noarch
        perl(Unicode::MapUTF8) is needed by smbldap-tools-0.9.5-1.noarch
        rpmlib(PayloadIsLzma) <= 4.4.6-1 is needed by smbldap-tools-0.9.5-1.noarch

-------------------------------------------------------------------------------------------------

This may be an easy fix but I'm a newbie. I have found some of the dependencies but not sure
which versions to install. Thank you. 

From: istvan550 at: 2011-02-26 14:29:21

I was able to find most of the dependencies needed but the 2 below got me stumped.

I'm  installing "smbldap-tools-0.9.5-1.noarch.rpm"

 error: Failed dependencies:
        /usr/share/perl5/vendor_perl is needed by smbldap-tools-0.9.5-1.noarch
        rpmlib(PayloadIsLzma) <= 4.4.6-1 is needed by smbldap-tools-0.9.5-1.noarch

 

Thanks for any help or direction.

From: at: 2011-01-14 08:10:14

I have managed to create the "ldif",

then I got stuck here when I run "service ldap start":

 [root@homeshare openldap]# service ldap start
Checking configuration files for slapd:  bdb_db_open: alock package is unstable
backend_startup_one: bi_db_open failed! (-1)
slap_startup failed (test would succeed using the -u switch)
                                                           [FAILED]
stale lock files may be present in /var/lib/ldap           [WARNING]

 

Any idea why i cannot start the service?

Cheers,

From: MoChaMan at: 2011-07-18 21:29:20

You might try rechecking the ownership and permissions on /var/lib/ldap and the files within. If you run 'chmod -R 600 /var/lib/ldap', for instance, you will prevent access to that directory, since the directory must have 755 permissions even if the files have 600 permissions. This is easy to miss and actually cost me a couple of hours running 'strace / db_recover / chcon / etc.' when the solution was much easier. My correct directory listing is below.

[~] # ll /var/lib/ldap
total 88040
drwxr-xr-x  2 ldap ldap      4096 Jul 18 16:43 .
drwxr-xr-x 31 root root      4096 Jul 18 16:47 ..
-rw-------  1 ldap ldap      2048 Jul 18 17:18 alock
-rw-------  1 ldap ldap      8192 Jul 18 16:43 cn.bdb
-rw-------  1 ldap ldap     24576 Jul 18 17:18 __db.001
-rw-------  1 ldap ldap 104857600 Jul 18 17:18 __db.002
-rw-------  1 ldap ldap 335552512 Jul 18 17:18 __db.003
-rw-------  1 ldap ldap   2359296 Jul 18 17:18 __db.004
-rw-------  1 ldap ldap    557056 Jul 18 17:18 __db.005
-rw-------  1 ldap ldap     24576 Jul 18 17:18 __db.006
-rw-------  1 ldap ldap       921 Jul 18 16:34 DB_CONFIG
-rw-------  1 ldap ldap      8192 Jul 18 16:43 dn2id.bdb
-rw-------  1 ldap ldap     32768 Jul 18 16:43 id2entry.bdb
-rw-------  1 ldap ldap  10485760 Jul 18 16:43 log.0000000001
-rw-------  1 ldap ldap      8192 Jul 18 16:43 objectClass.bdb
[~] #

From: Rob Daglish at: 2011-08-01 13:06:37

Hi,

Thanks for an excellent howto. Just a small point of clarification though:

 When setting up the init.ldif, I misunderstood the way that domains were created, so dived straight in with dc=location1,dc=company,dc=local, which meant I then struggled to create dc=location2,dc=company,dc=local, as I couldn't browse dc=company,dc=local or dc=local as I hadn't created them.

 Once I realised my mistake, I removed all the files from /var/lib/ldap and started again with a fresh init.ldif file, creating dc=local, then dc=company,dc=local, and finally dc=location1,dc=company,dc=local and dc=location2,dc=company,dc=local.

I know it's a small point, but for people like me coming from MS where AD will automatically create all the containers necessary, it took a little bit of figuring out.  Oh, and I managed to reimport all of the data I'd already input by doing slapcat -l /tmp/mydata.ldif and then doing a slapadd -l /tmp/mydata.ldif once I'd created dc=local and dc=company,dc=local.

 Now I've just got to master replication across servers!

From: mice at: 2009-11-18 08:16:33


[root@samba openldap]# slapadd -l /etc/openldap/init.ldif
str2entry: entry -1 has multiple DNs "dc=mice" and "cn=root,dc=mice"
slapadd: could not parse entry (line=9)

anybody same me ?

From: Anonymous at: 2010-01-13 17:56:29

try

o: CentOS Directory Server

dc:  mice

From: snapfla at: 2010-03-24 04:05:17

Thank you for publishing this howto!

A couple hints that may help people:

  1. This may be too late for the former poster, but... Make sure a newline is between records in your init.ldif file:

    dn: dc=example,dc=com
    objectclass: dcObject
    objectclass: organization
    o: CentOS Directory Server
    dc: example
            <leave a space here>
    dn: cn=root,dc=example,dc=com
    objectclass: organizationalRole
    cn: root

  2. If you aren't using TLS/SSL, make sure you set the following in your /etc/smbldap-tools/smbldap.conf file:
    • ldapTLS="0"
    • ldapSSL="0"
    • verify="none"

  3. I got an error about the following line being invalid, so you can just comment this out in /etc/samba/smb.conf:
    • #min passwd length = 3

  4. In general, when you are instructed to add config variables to a file, make sure you check the file first and just change the config variable if it's already there.  I'm not sure how it will behave when two variables are present with conflicting values.  In my case, the "socket options" and "nt acl support" variables were already present in the /etc/samba/smb.conf file.

  5. If you choose "cn=root,dc=example,dc=com" as your admin, make sure references to "cn=Manager,dc=example,dc=com" are changed to use root.  There are a few different files referencing this:
    • /etc/openldap/slapd.conf
    • /etc/openldap/init.ldif
    • /etc/samba/smb.conf

 

Again, I'm not criticizing the author, but I ran into these "snags" and I wanted to try and help others avoid the same problems.

Thank you for a concise, well put together howto!

-snapfla

From: at: 2010-03-24 20:51:50

Thanks for your comments and tips!  I will see about integrating them into the HowTo, along with a picture of smb.conf

From: Anonymous at: 2010-05-07 16:58:55

Hi,

I have a problem with smbldap-populate.
Can anyone help me please?


[root@mbis-server ~]# smbldap-populate
Populating LDAP directory for domain MBIS-GROUP (S-1-5-21-799153913-2964028359-2795995528)
(using builtin directory structure)

entry dc=mbis-algerie,dc=com already exist.
adding new entry: ou=Users,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 3.
adding new entry: ou=Groups,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 4.
adding new entry: ou=Computers,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 5.
adding new entry: ou=Idmap,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 6.
adding new entry: uid=root,ou=Users,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 7.
adding new entry: uid=nobody,ou=Users,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 8.
adding new entry: cn=Domain Admins,ou=Groups,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 9.
adding new entry: cn=Domain Users,ou=Groups,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 10.
adding new entry: cn=Domain Guests,ou=Groups,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 11.
adding new entry: cn=Domain Computers,ou=Groups,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 12.
adding new entry: cn=Administrators,ou=Groups,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 16.
adding new entry: cn=Account Operators,ou=Groups,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 18.
adding new entry: cn=Print Operators,ou=Groups,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 19.
adding new entry: cn=Backup Operators,ou=Groups,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 20.
adding new entry: cn=Replicators,ou=Groups,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 21.
adding new entry: sambaDomainName=MBIS-GROUP,dc=mbis-algerie,dc=com
failed to add entry: modifications require authentication at /usr/sbin/smbldap-populate line 498, <GEN1> line 21.

Please provide a password for the domain root:
/usr/sbin/smbldap-passwd: user root doesn't exist

From: Alex at: 2010-05-17 14:08:58

I had the exact same error and found a solution.

You probably (as I have) used the default in ldapadmin (e.g. cn=Manager,dc=yourdomain,dc=com)

in /etc/smbldap-tools/smbldap_bind.conf:

provide the proper config for the masterDN and masterPw like so:

masterDN="cn=Manager,dc=yourdomain,dc=com"

masterPw="pa$$w0rd"

 

Now smbldap-populate runs without error.

 

From: Luciano Pontes at: 2010-06-10 23:45:42

Please, send-me the smb.conf file...

From: Anonymous at: 2010-06-25 15:03:45

I can't join any client, even XP.

Please help

From: Anonymous at: 2010-09-16 10:31:02

Me too.

Configure all correctly.

But no windows clients can join.

From: at: 2010-09-25 08:31:38

You need to tell your system to allow auth against ldap...

vim /etc/nsswitch.conf

passwd:     files ldap
shadow:     files ldap
group:      files ldap
  
 

 

From: Null at: 2012-09-20 19:47:54

First I want to thank you for the tutorial

Second, like the people above, I have a great problem connecting my client hosts to the "samba_ldap PDC", and the error message from "winxp" is always that the user cannot be found, knowing that I have executed your last recommendation.

knowing also that every thing is working properly, even the client host names are added automatically to the directory information tree. but no login to the domain.

your help on this please.

thanks in advance.

From: itsme at: 2011-04-20 11:41:00

Even i configured correctly ,, I can access samba , but not able to join computers.

From: at: 2011-09-27 13:38:55

I am also stuck with joining PCs with Domain... still no luck.. please help us all..

From: Neil Schneider at: 2011-04-14 21:06:21

It fails for me. I've been trying to get the smbldap-populate to run. Doesn't prompt for a password and it fails with the following error:

Please provide a password for the domain root:

Use of uninitialized value in string at /usr/lib/perl/vendor_perl/5.8.8/smbldap_tools.pm line 348.

/usr/sbin/smldap-passswd: user root doesn't exist. 

I use ldapsearch to make sure that the user root is in the ldap tree, I wiped the ldap databases, started all over and ran through the instructions again, in fact three times, and I'm stuck on this part of the howto, and can't proceed. I'm going looking for a samba ldif file that I can just read in. 

I hate when this happens.

From: Kyle at: 2012-01-15 19:11:41

I think the issue might be the cn=manager. When I changed it to cn=root, with the right password it worked properly - nowhere have I seen anyone suggest that...

/etc/smbldap-tools/smbldap_bind.conf:

slaveDN="cn=root,dc=DOMAIN"
slavePw="pa$$word"
masterDN="cn=root,dc=DOMAIN"
masterPw="passwd"
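Several comments above trace the smbldap-populate failures to a bind DN that does not match the directory's admin DN. The following added example (not code from the tutorial or from any commenter) compares rootdn in slapd.conf, masterDN and slaveDN in smbldap_bind.conf and `ldap admin dn` in smb.conf, and checks that smbldap_bind.conf keeps the 600 mode set in the tutorial. It assumes the single-server layout of this howto, where all of these are the same DN; the function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example: cross-check the admin DN used by slapd, smbldap-tools and Samba.
# Assumes conventional spelling of the keys (rootdn, masterDN, "ldap admin dn").

# Normalise a DN for comparison: no quotes, no space around commas, lowercase.
norm_dn() {
    printf '%s\n' "$1" | tr -d '"\r' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
            -e 's/[[:space:]]*,[[:space:]]*/,/g' |
        tr '[:upper:]' '[:lower:]'
}

# First value of a setting. $1 = file, $2 = regex for "key + separator".
first_value() {
    sed -n "s/^[[:space:]]*$2//p" "$1" | head -n 1
}

# $1 = slapd.conf, $2 = smbldap_bind.conf, $3 = smb.conf
# Prints one finding per line; returns 1 if there is any finding.
check_bind_dns() {
    cb_status=0
    cb_root=$(norm_dn "$(first_value "$1" 'rootdn[[:space:]][[:space:]]*')")
    if [ -z "$cb_root" ]; then
        echo "MISSING: no rootdn found in $1"
        return 1
    fi
    for cb_key in masterDN slaveDN; do
        cb_val=$(norm_dn "$(first_value "$2" "${cb_key}[[:space:]]*=[[:space:]]*")")
        if [ "$cb_val" != "$cb_root" ]; then
            echo "MISMATCH: $cb_key is '$cb_val' but slapd.conf rootdn is '$cb_root'"
            cb_status=1
        fi
    done
    cb_val=$(norm_dn "$(first_value "$3" 'ldap admin dn[[:space:]]*=[[:space:]]*')")
    if [ "$cb_val" != "$cb_root" ]; then
        echo "MISMATCH: smb.conf ldap admin dn is '$cb_val' but slapd.conf rootdn is '$cb_root'"
        cb_status=1
    fi
    # The file holds the bind password, so it must stay readable by root only.
    cb_mode=$(ls -ld "$2" | cut -c1-10)
    if [ "$cb_mode" != "-rw-------" ]; then
        echo "PERMS: $2 is $cb_mode, expected -rw------- (chmod 600)"
        cb_status=1
    fi
    return $cb_status
}

# Constructed sample files. $1 = directory, $2 = DN to write as masterDN.
make_sample_configs() {
    printf 'suffix\t\t"dc=example,dc=com"\nrootdn\t\t"cn=root,dc=example,dc=com"\n' \
        > "$1/slapd.conf"
    printf 'slaveDN="cn=root,dc=example,dc=com"\nslavePw="constructed"\nmasterDN="%s"\nmasterPw="constructed"\n' \
        "$2" > "$1/smbldap_bind.conf"
    chmod 600 "$1/smbldap_bind.conf"
    printf '[global]\n   ldap admin dn = cn=root,dc=example,dc=com\n' > "$1/smb.conf"
}

# Demo: masterDN left at the cn=Manager default while rootdn is cn=root.
demo_dir=$(mktemp -d)
make_sample_configs "$demo_dir" "cn=Manager,dc=example,dc=com"
check_bind_dns "$demo_dir/slapd.conf" "$demo_dir/smbldap_bind.conf" "$demo_dir/smb.conf" ||
    echo "(fix the findings above before running smbldap-populate)"
rm -rf "$demo_dir"
```

On the server from this tutorial: `check_bind_dns /etc/openldap/slapd.conf /etc/smbldap-tools/smbldap_bind.conf /etc/samba/smb.conf`.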

From: sujit at: 2012-04-26 14:22:43

change the value of  /etc/smbldap-tools/smbldap.conf 

masterLDAP="localhostname.domainname"

 

check now. 

From: Anonymous at: 2012-06-21 09:51:52

I am stuck at 

[root@dc1 smbldap-tools]# smbldap-populate
Use of uninitialized value in substitution (s///) at /usr/lib/perl5/vendor_perl/5.8.8/smbldap_tools.pm line 154, <CONFIGFILE> line 3.
Use of uninitialized value in substitution (s///) at /usr/lib/perl5/vendor_perl/5.8.8/smbldap_tools.pm line 154, <CONFIGFILE> line 13.
Can't exec "/usr/bin/netx": No such file or directory at /usr/lib/perl5/vendor_perl/5.8.8/smbldap_tools.pm line 246.
Failed to get SID from Samba net command at /usr/lib/perl5/vendor_perl/5.8.8/smbldap_tools.pm line 250.
Compilation failed in require at /usr/sbin/smbldap-populate line 30.
BEGIN failed--compilation aborted at /usr/sbin/smbldap-populate line 30.

From: Harshad at: 2010-03-03 11:42:51

When executing the smbldap-populate command as stated above, the following error occurs:

"erreur LDAP: Can't contact master ldap server for writing (IO::Socket::INET: connect: Connection refused) at /usr/sbin//smbldap_tools.pm line 322"

Can you please suggest a solution for this?

//my smbldap.conf file

# $Source: $
# $Id: smbldap.conf,v 1.18 2005/05/27 14:28:47 jtournier Exp $
#
# smbldap-tools.conf : Q & D configuration file for smbldap-tools

#  This code was developped by IDEALX (http://IDEALX.org/) and
#  contributors (their names can be found in the CONTRIBUTORS file).
#
#                 Copyright (C) 2001-2002 IDEALX
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; either version 2
#  of the License, or (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
#  USA.

#  Purpose :
#       . be the configuration file for all smbldap-tools scripts

##############################################################################
#
# General Configuration
#
##############################################################################

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-3963180848-190588318-1689166184"

# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain="IDEALX-NT"
sambaDomain="PDC-SRV"

##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
#   (typically a replication directory)

# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
#slaveLDAP="ldap.iallanis.info"

# Slave LDAP port
# If not defined, parameter is set to "389"
#slavePort="389"

# Master LDAP server: needed for write operations
# Ex: masterLDAP=127.0.0.1
# If not defined, parameter is set to "127.0.0.1"
masterLDAP="ldap.harh.com"

# Master LDAP port
# If not defined, parameter is set to "389"
#masterPort="389"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
# If not defined, parameter is set to "0"
ldapTLS="1"

# Use SSL for LDAP
# If set to 1, this option will use SSL for connection
# (standard port for ldaps is 636)
# If not defined, parameter is set to "0"
ldapSSL="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/smbldap-tools/ca.pem"

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/smbldap-tools/smbldap-tools.iallanis.info.pem"

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/smbldap-tools/smbldap-tools.iallanis.info.key"

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=harh,dc=com"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for usersdn
usersdn="ou=Users,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for computersdn
computersdn="ou=Computers,${suffix}"

# Where are stored Groups
# Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
# Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available for new users and groups
# If not defined, entries are stored in sambaDomainName object.
# Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
# Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"

# Default mode used for user homeDirectory
userHomeDirectoryMode="700"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="45"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
# Ex: userSmbHome="\\PDC-SMB3\%U"
userSmbHome="\\PDC-SRV\%U"

# The UNC path to profiles locations (%U username substitution)
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
# Ex: userProfile="\\PDC-SMB3\profiles\%U"
userProfile="\\PDC-SRV\profiles\%U"

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: userHomeDrive="H:"
userHomeDrive="H:"

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: userScript="startup.cmd" # make sure script file is edited under dos
userScript="logon.bat"

# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
# Ex: mailDomain="idealx.com"
mailDomain="harh.com"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="1"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="1"
slappasswd="/usr/sbin/slappasswd"

# comment out the following line to get rid of the default banner
# no_banner="1"

//My smbldap_bind.conf file

############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
#slaveDN="cn=Manager,dc=iallanis,dc=info"
#slavePw="secret"
masterDN="cn=root,dc=harh,dc=com"
masterPw="{SSHA}t8TQ6dmgClsyXobAWe+VvOeDnup0RyuW"

//My Slapd.conf file

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include        /etc/openldap/schema/core.schema
include        /etc/openldap/schema/cosine.schema
include        /etc/openldap/schema/inetorgperson.schema
include        /etc/openldap/schema/nis.schema
include        /etc/openldap/schema/samba.schema

# Allow LDAPv2 client connections.  This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral    ldap://root.openldap.org

pidfile        /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

# Load dynamic backend modules:
# modulepath    /usr/lib/openldap

# modules available in openldap-servers-overlays RPM package:
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload smbk5pwd.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# modules available in openldap-servers-sql RPM package:
# moduleload back_sql.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.  Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem

# Sample security restrictions
#    Require integrity protection (prevent hijacking)
#    Require 112-bit (3DES or better) encryption for updates
#    Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
#    Root DSE: allow anyone to read it
#    Subschema (sub)entry DSE: allow anyone to read it
#    Other DSEs:
#        Allow self write access
#        Allow authenticated users read access
#        Allow anonymous users to authenticate
#    Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#    by self write
#    by users read
#    by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database    bdb
suffix        "dc=harh,dc=com"
rootdn        "cn=root,dc=harh,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw        {SSHA}t8TQ6dmgClsyXobAWe+VvOeDnup0RyuW
password-hash    {SSHA}
# rootpw        {crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory    /var/lib/ldap

# Indices to maintain for this database
index cn,sn,uid,displayname        pres,sub,eq
index uidNumber,gidNumber        eq
index sambaSID                 eq
index sambaPrimaryGroupSID         eq
index sambaDomainName             eq
index objectClass             pres,eq
index default                 sub
#index objectClass                       eq,pres
#index ou,cn,mail,surname,givenname      eq,pres,sub
#index uidNumber,gidNumber,loginShell    eq,pres
#index uid,memberUid                     eq,pres,sub
#index nisMapName,nisMapEntry            eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com@EXAMPLE.COM
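
An added example, not part of the original comment and not smbldap-tools code: a cross-check of the three files posted above for settings that contradict each other (StartTLS requested while slapd.conf has no active certificate, a slappasswd hash pasted into masterPw, and a masterDN that is not the slapd rootdn). The function names and the sample file contents are constructed for illustration.

```python
import re

# Constructed sample files (placeholder values, not the ones posted above).
SMBLDAP_CONF = '''\
masterLDAP="127.0.0.1"
ldapTLS="1"
suffix="dc=example,dc=com"
'''
SMBLDAP_BIND_CONF = '''\
masterDN="cn=Manager,dc=example,dc=com"
masterPw="{SSHA}Q29uc3RydWN0ZWRTYW1wbGVIYXNoT25seQ=="
'''
SLAPD_CONF = '''\
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
database    bdb
suffix      "dc=example,dc=com"
rootdn      "cn=root,dc=example,dc=com"
'''

def parse_smbldap(text):
    """Parse key="value" lines; lines starting with '#' never match."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r'\s*([A-Za-z_]\w*)\s*=\s*"?(.*?)"?\s*$', line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def parse_slapd(text):
    """Return the first value of each active slapd.conf directive."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line[0] == "#" or line[0].isspace():
            continue  # blank line, comment, or continuation of the previous line
        parts = line.split(None, 1)
        value = parts[1].strip().strip('"') if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), value)
    return conf

def check(smbldap, bind, slapd):
    """Compare the client-side settings with what slapd is configured to offer."""
    findings = []
    # ldapTLS defaults to "0" when unset, per the comment in smbldap.conf.
    if smbldap.get("ldapTLS", "0") == "1" and "tlscertificatefile" not in slapd:
        findings.append("ldapTLS=1 but slapd.conf has no active TLSCertificateFile")
    # masterPw is sent as the bind password, so a {SCHEME}hash here never matches.
    if re.match(r"\{[A-Za-z0-9-]+\}", bind.get("masterPw", "")):
        findings.append("masterPw looks like a slappasswd hash, not the password")
    norm = lambda dn: re.sub(r"\s*,\s*", ",", dn).lower()
    if "rootdn" in slapd and norm(bind.get("masterDN", "")) != norm(slapd["rootdn"]):
        findings.append("masterDN differs from rootdn; it needs its own entry and write access")
    return findings

if __name__ == "__main__":
    for finding in check(parse_smbldap(SMBLDAP_CONF),
                         parse_smbldap(SMBLDAP_BIND_CONF),
                         parse_slapd(SLAPD_CONF)):
        print("WARN:", finding)
```

To run it against a real host, read /etc/smbldap-tools/smbldap.conf, /etc/smbldap-tools/smbldap_bind.conf and /etc/openldap/slapd.conf into the three parser calls instead of the sample strings.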
 

From: walterwn at: 2010-06-29 08:08:27

The services were not started:

#service smb start 

#service ldap start

and 

#smbldap-populate

Problem fixed :)

From: ambicapathy at: 2011-07-26 19:08:09

The ldap and smb service restart didn't resolve the problem...

Still I am getting the same error.

 

erreur LDAP: Can't contact master ldap server for writing (IO::Socket::INET: connect: No route to host) at /usr/sbin//smbldap_tools.pm line 322

 

Please help me with this.

From: Ashish Awasthi at: 2010-04-26 10:15:18

Hello !!!!!! How would I come to know what my password is? The password that I generated using the slappasswd command is in encrypted mode, so how will I know my real password? Please help........

From: Anonymous at: 2010-07-29 15:30:40

slappasswd asks for a password. The password you type in is your password :-). The hash which was created is the password which you typed in, encrypted in a one-way hash.
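
What that answer describes, as an added example that is not part of the original thread: an {SSHA} value is base64(SHA-1(password + salt) + salt), so it can confirm a password you already know but cannot be turned back into one. The function names and the sample password are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

def make_ssha(password, salt=None):
    """Build an {SSHA} value the way slappasswd does: salted SHA-1, salt appended."""
    if salt is None:
        salt = os.urandom(4)  # random salt: the same password hashes differently each run
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def split_ssha(stored):
    """Return (digest, salt) from an {SSHA} value."""
    if not stored.upper().startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len("{SSHA}"):])
    if len(raw) <= 20:
        raise ValueError("too short to hold a SHA-1 digest plus salt")
    return raw[:20], raw[20:]  # SHA-1 digests are always 20 bytes

def verify_ssha(password, stored):
    """Re-hash the candidate with the stored salt and compare in constant time."""
    digest, salt = split_ssha(stored)
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    stored = make_ssha("constructed-password")   # constructed sample, not a real credential
    print(stored)
    print(verify_ssha("constructed-password", stored))  # the password you typed verifies
    print(verify_ssha("something-else", stored))        # any other input does not
```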

From: Patrick Peres at: 2010-07-06 12:39:01

hi,

I am trying to configure my server, but the server shows me this error:

 [root@srvapp01 samba]# smbldap-populate

Populating LDAP directory for domain DOMSMB (S-1-5-21-723961999-3622360822-1265576354)

(using builtin directory structure)


Could not start_tls: Operations error at /usr/sbin//smbldap_tools.pm line 341.

Congratulations on this post.

 Tks 

 Patrick

From: at: 2010-12-10 11:04:21

In /etc/smbldap-tools/smbldap.conf, set ldapTLS="0"

From: mirmit at: 2010-07-21 11:56:41

In order to start over with a fresh ldap database, I found the following solution:

Stop the ldap server:

service ldap stop

Delete all database files:

rm -f /var/lib/ldap/*

Restart the server:

service ldap start

You can then repopulate the database:

smbldap-populate

From: Anonymous at: 2011-05-26 09:22:11

I have the same problem, and I still have it despite having tried the solution.

Can someone help, please?

From: Boss at: 2010-08-05 10:55:51

Hi, 

I am able to connect WinXP & 7 without any issue, but not able to connect the Linux clients.

 

Please help me to add/connect a linux client pc into the ldap+samba domain...

From: Anonymous at: 2011-03-13 14:29:21

Need help plz

I have a problem when I run the command net groupmap list:

 [root@localhost samba]# net groupmap list
[2011/03/14 16:17:54, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(3107)
  ldapsam_setsamgrent: LDAP search failed: No such object
[2011/03/14 16:17:54, 0] passdb/pdb_ldap.c:ldapsam_enum_group_mapping(3179)
  ldapsam_enum_group_mapping: Unable to open passdb

 

Output of slapcat:

dn: dc=ines
objectClass: dcObject
objectClass: organization
o: CentOS Directory Server
dc: ines
structuralObjectClass: organization
entryUUID: da44fbe6-e291-102f-8e9c-29d89cefd736
creatorsName: cn=root,dc=ines
modifiersName: cn=root,dc=ines
createTimestamp: 20110314141944Z
modifyTimestamp: 20110314141944Z
entryCSN: 20110314141944Z#000000#00#000000

dn: cn=root,dc=ines
objectClass: organizationalRole
cn: root
structuralObjectClass: organizationalRole
entryUUID: da464a50-e291-102f-8e9d-29d89cefd736
creatorsName: cn=root,dc=ines
modifiersName: cn=root,dc=ines
createTimestamp: 20110314141944Z
modifyTimestamp: 20110314141944Z

From: at: 2011-07-01 17:35:38

Windows XP, System Properties, Computer Name: when trying to set up the network ID through the Network Identification Wizard, I can enter the user info and click Next. When I enter the computer name and computer domain, I am asked to enter the name & password of an account with permissions to join the domain. I get a message: your computer could not be joined to the domain because the following error has occurred: the user's password must be changed before logging on the first time. What do you do?

From: Anonymous at: 2012-10-02 07:44:22

"You should be able to look around and see some junk."

Nope. I can't seem to log in. I can cut and paste the rootdn and password to my heart's content, but I can't seem to log in.

 To make matters worse, I know not the slightest how to even begin to debug the problem I'm having.  I can forward along the custom kickstart I've been building as I go.

 "If you need help, please use our forum"

 ... which requires YET ANOTHER login and YET ANOTHER username.  I don't need my comments posted.  I just need help to figure out where I've fallen off the tracks.  I'm just about at my wit's end, and a cheap imitation of usenet where messages seem to expire like mayflies isn't going to help! ;-)   Can you help?