I'm running into some domain problems setting up Windows NT 4.0, Samba 3.0
(from source), OpenLDAP 2.0.27 and RedHat 9.
I can't get a workstation to join the domain: when I attempt to join the
domain from the workstation add machine gui with username and password, I'm
told "The machine account for this computer either does not exist or is
inaccessible"- but the add machine script creates the account successfully
in the ou=Computers container.
From the log files, you can see the machine account script executing just
fine: Samba then attempts to find the newly created machine account and
can't!!
I can access the server through network neighbourhood just fine. My domain
appears and I can login and mess around with the shares. The accounts I'm
creating with the idealx perl tools allow me to log into the Unix console
with the posix accounts, and I can see the users and groups with getent & id,
which brings up two questions:
1/ The standard seems to be to place machine accounts in a separate
ou=Computers/Systems/Machines container, but since the machine name is a
modified user account, how does it find it if it isn't in the
ou=People/users container?
2/ When I use net groupmap to associate RIDs with Posix groups, should
these mappings appear in the ou=Idmap container I've created for them?
Here are the details of my config. Any help would be appreciated.
tks
Scott Syms
Halifax, NS Canada
LDAP ldif file
++++++++++++++++++++++++++++++++++++++++++++++++++++
# bubbles, can, ca
dn: dc=bubbles,dc=can,dc=ca
objectClass: dcObject
objectClass: organization
dc: bubbles
o: gc
# People, bubbles, can, ca
dn: ou=People,dc=bubbles,dc=can,dc=ca
objectClass: organizationalUnit
ou: People
# Groups, bubbles, can, ca
dn: ou=Groups,dc=bubbles,dc=can,dc=ca
objectClass: organizationalUnit
ou: Groups
# Computers, bubbles, can, ca
dn: ou=Computers,dc=bubbles,dc=can,dc=ca
objectClass: organizationalUnit
ou: Computers
# Idmap, bubbles, can, ca
dn: ou=Idmap,dc=bubbles,dc=can,dc=ca
objectClass: organizationalUnit
ou: Idmap
# Administrator, People, bubbles, can, ca
dn: uid=Administrator,ou=People,dc=bubbles,dc=can,dc=ca
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson
objectClass: sambaSAMAccount
objectClass: posixAccount
# uidNumber/gidNumber 0 make the domain Administrator equal to root on the Samba host itself
gidNumber: 0
uid: Administrator
uidNumber: 0
homeDirectory: /root
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\testserver\homes
sambaHomeDrive: U:
sambaProfilePath: \\testserver\profiles\
sambaPrimaryGroupSID: S-1-5-21-1675029196-2412627112-2623540412-512
sambaAcctFlags: [U ]
sambaSID: S-1-5-21-1675029196-2412627112-2623540412-2996
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaLMPassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sambaPwdLastSet: 1065201832
userPassword:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
# nobody, People, bubbles, can, ca
dn: uid=nobody,ou=People,dc=bubbles,dc=can,dc=ca
cn: nobody
sn: nobody
objectClass: inetOrgPerson
objectClass: sambaSAMAccount
objectClass: posixAccount
gidNumber: 514
uid: nobody
uidNumber: 999
homeDirectory: /dev/null
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\testserver\homes
sambaHomeDrive: U:
sambaProfilePath: \\testserver\profiles\
sambaPrimaryGroupSID: S-1-5-21-1675029196-2412627112-2623540412-514
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [NU ]
sambaSID: S-1-5-21-1675029196-2412627112-2623540412-2998
loginShell: /bin/false
# Domain Admins, Groups, bubbles, can, ca
dn: cn=Domain Admins,ou=Groups,dc=bubbles,dc=can,dc=ca
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: Administrator
description: Local Unix group
sambaSID: S-1-5-21-1675029196-2412627112-2623540412-512
sambaGroupType: 2
displayName: Domain Admins
# Domain Users, Groups, bubbles, can, ca
dn: cn=Domain Users,ou=Groups,dc=bubbles,dc=can,dc=ca
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
description: Local Unix group
sambaSID: S-1-5-21-1675029196-2412627112-2623540412-513
sambaGroupType: 2
displayName: Domain Users
# Domain Guests, Groups, bubbles, can, ca
dn: cn=Domain Guests,ou=Groups,dc=bubbles,dc=can,dc=ca
objectClass: posixGroup
gidNumber: 514
cn: Domain Guests
description: Netbios Domain Guests Users (not implemented yet)
# Administrators, Groups, bubbles, can, ca
dn: cn=Administrators,ou=Groups,dc=bubbles,dc=can,dc=ca
objectClass: posixGroup
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer/sambaDomainName (not implemented yet)
memberUid: Administrator
# Users, Groups, bubbles, can, ca
dn: cn=Users,ou=Groups,dc=bubbles,dc=can,dc=ca
objectClass: posixGroup
gidNumber: 545
cn: Users
description: Netbios Domain Ordinary users (not implemented yet)
# Guests, Groups, bubbles, can, ca
dn: cn=Guests,ou=Groups,dc=bubbles,dc=can,dc=ca
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 546
cn: Guests
memberUid: nobody
description: Local Unix group
sambaSID: S-1-5-21-1675029196-2412627112-2623540412-546
sambaGroupType: 2
displayName: Guests
# Power Users, Groups, bubbles, can, ca
dn: cn=Power Users,ou=Groups,dc=bubbles,dc=can,dc=ca
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 547
cn: Power Users
description: Local Unix group
sambaSID: S-1-5-21-1675029196-2412627112-2623540412-547
sambaGroupType: 2
displayName: Power Users
# Account Operators, Groups, bubbles, can, ca
dn: cn=Account Operators,ou=Groups,dc=bubbles,dc=can,dc=ca
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: Account Operators
description: Local Unix group
sambaSID: S-1-5-21-1675029196-2412627112-2623540412-548
sambaGroupType: 2
displayName: Account Operators
# Server Operators, Groups, bubbles, can, ca
dn: cn=Server Operators,ou=Groups,dc=bubbles,dc=can,dc=ca
objectClass: posixGroup
gidNumber: 549
cn: Server Operators
description: Netbios Domain Server Operators (need smb.conf configuration)
# Print Operators, Groups, bubbles, can, ca
dn: cn=Print Operators,ou=Groups,dc=bubbles,dc=can,dc=ca
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: Print Operators
description: Local Unix group
sambaSID: S-1-5-21-1675029196-2412627112-2623540412-550
sambaGroupType: 2
displayName: Print Operators
# Backup Operators, Groups, bubbles, can, ca
dn: cn=Backup Operators,ou=Groups,dc=bubbles,dc=can,dc=ca
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
description: Local Unix group
sambaSID: S-1-5-21-1675029196-2412627112-2623540412-551
sambaGroupType: 2
displayName: Backup Operators
# Replicator, Groups, bubbles, can, ca
dn: cn=Replicator,ou=Groups,dc=bubbles,dc=can,dc=ca
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicator
description: Local Unix group
sambaSID: S-1-5-21-1675029196-2412627112-2623540412-552
sambaGroupType: 2
displayName: Replicator
# Domain Computers, Groups, bubbles, can, ca
dn: cn=Domain Computers,ou=Groups,dc=bubbles,dc=can,dc=ca
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 553
cn: Domain Computers
description: Local Unix group
sambaSID: S-1-5-21-1675029196-2412627112-2623540412-515
sambaGroupType: 2
displayName: Domain Computers
# CANDOMAIN, bubbles, can, ca
dn: sambaDomainName=CANDOMAIN,dc=bubbles,dc=can,dc=ca
sambaDomainName: CANDOMAIN
sambaSID: S-1-5-21-1675029196-2412627112-2623540412
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
smb.conf file
++++++++++++++++++++++++++++++++++++++++++++++++++++
[global]
workgroup = CANDOMAIN
netbios name = TESTSERVER
server string = Samba 3.0 ldapsam
passdb backend = ldapsam:ldap://192.200.10.101
log level = 100
max xmit = 65535
deadtime = 15
add user script = /usr/sbin/smbldap-useradd.pl -a '%u'
delete user script = /usr/sbin/smbldap-userdel.pl '%u'
add group script = /usr/sbin/smbldap-groupadd.pl '%g' && /usr/sbin/smbldap-groupshow.pl '%g' | awk '/^gidNumber:/ {print $2}'
; groups are removed with the group-deletion tool, not with smbldap-userdel.pl
delete group script = /usr/sbin/smbldap-groupdel.pl '%g'
add user to group script = /usr/sbin/smbldap-groupmod.pl -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod.pl -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod.pl -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd.pl -w '%u'
logon script = wkix32.exe
logon path = \\%N\profiles\%u
logon drive = L:
logon home = \\homeserver\%u
domain logons = Yes
os level = 50
preferred master = Yes
domain master = Yes
dns proxy = No
; "ldap server" and "ldap port" are no longer read by Samba 3.0; the server comes
; from the ldap:// URL given in "passdb backend" above
ldap server = 192.200.10.101
ldap port = 389
ldap suffix = dc=bubbles,dc=can,dc=ca
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap admin dn = cn=ldapadmin,dc=bubbles,dc=can,dc=ca
ldap ssl = start tls
; the LDAP idmap backend in Samba 3.0 is called "ldap", not "ldapsam"
idmap backend = ldap:ldap://192.200.10.101
idmap uid = 10000-20000
idmap gid = 10000-20000
[netlogon]
path = /usr/local/samba/lib/netlogon
write list = Administrator
[profiles]
path = /home/profiles
read only = No
create mask = 0600
; 0700: profile directories accessible only by their owner (matches create mask 0600)
directory mask = 0700
[homes]
comment = Home directory
read only = No
[webfiles]
path = /usr/local/apache/htdocs
Script to build the Group mappings
++++++++++++++++++++++++++++++++++++++++++++++++++++
#!/bin/bash
# Build the Samba 3.0 group mappings on top of the posixGroup entries in ou=Groups.
# `net groupmap add` fails unless the unix group already exists, so the names below
# must match the cn values in the LDIF above.

# `net getlocalsid` prints "SID for domain TESTSERVER is: S-1-5-21-..."; take field 6 once.
DOMSID=$(net getlocalsid | awk '{print $6}')

map() { net groupmap add sid="$DOMSID-$1" unixgroup="$2" type=domain; }

map 512 "Domain Admins"
map 513 "Domain Users"
map 514 "Domain Guests"
map 515 "Domain Computers"
# No posixGroup entries exist for 516-520 or 553 in the LDIF above; create them first
# or these calls fail.
map 516 "Domain Controllers"
map 517 "Domain Certificate Admins"
map 518 "Domain Schema Admins"
map 519 "Domain Enterprise Admins"
map 520 "Domain Policy Admins"
# On Windows, 544-552 are the well-known BUILTIN aliases (S-1-5-32-<rid>); mapping
# them as domain-SID-relative groups matches the sambaSID values in the LDIF above,
# but is not how NT itself identifies them.
map 544 "Administrators"
map 545 "Users"
map 546 "Guests"
map 547 "Power Users"
map 548 "Account Operators"
map 549 "Server Operators"
map 550 "Print Operators"
map 551 "Backup Operators"
map 552 "Replicator"
map 553 "RAS Servers"
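The two questions in the post (where a machine account must live, and where group mappings are stored) can be checked offline against an LDIF dump. The script below is an added example written by the editor, not code from the post or from the Samba or idealx projects. It encodes my reading of Samba 3.0's ldapsam: a machine is looked up with a subtree search from `ldap suffix` for `(&(uid=NAME$)(objectClass=sambaSamAccount))`, so an entry in ou=Computers is found as long as it carries the sambaSamAccount class, a sambaSID and a W in sambaAcctFlags; and a group mapping is the sambaGroupMapping auxiliary class on the posixGroup entry under `ldap group suffix`, while ou=Idmap only holds the sambaIdmapEntry records the ldap idmap backend allocates for foreign SIDs. The embedded LDIF sample is constructed: the hosts ws01/ws02, their uidNumbers and SIDs are invented, and the domain SID and group entries are copied from the post.

```shell
#!/bin/sh
# Added example (editor's own, not from the post): offline checks that mirror what
# Samba 3.0's ldapsam does when a workstation joins and when `net groupmap` runs.
# Feed it real LDIF (e.g. `ldapsearch -x -ZZ -LLL -b dc=bubbles,dc=can,dc=ca`) or
# use the constructed sample below, which needs no LDAP server.

DOMAIN_SID="S-1-5-21-1675029196-2412627112-2623540412"   # sambaSID of the CANDOMAIN entry

# Constructed sample, modelled on the post's LDIF: ws01$ is a usable machine account,
# ws02$ is what you get when only the posixAccount half was created, plus two groups.
SAMPLE_LDIF='dn: uid=ws01$,ou=Computers,dc=bubbles,dc=can,dc=ca
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws01$
uidNumber: 1001
gidNumber: 553
sambaSID: S-1-5-21-1675029196-2412627112-2623540412-3002
sambaAcctFlags: [W          ]

dn: uid=ws02$,ou=Computers,dc=bubbles,dc=can,dc=ca
objectClass: posixAccount
uid: ws02$
uidNumber: 1002
gidNumber: 553

dn: cn=Domain Admins,ou=Groups,dc=bubbles,dc=can,dc=ca
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
sambaSID: S-1-5-21-1675029196-2412627112-2623540412-512
sambaGroupType: 2

dn: cn=Domain Guests,ou=Groups,dc=bubbles,dc=can,dc=ca
objectClass: posixGroup
gidNumber: 514
cn: Domain Guests'

# Print the first LDIF entry (blank-line separated) whose attribute $2 has value $3.
# Names and values are compared case-insensitively, as LDAP does for uid and cn.
ldif_entry() {
  printf '%s\n' "$1" | awk -v attr="$2" -v val="$3" '
    BEGIN { RS = ""; FS = "\n" }
    { for (i = 1; i <= NF; i++) {
        p = index($i, ": ")
        if (p && tolower(substr($i, 1, p - 1)) == tolower(attr) &&
            tolower(substr($i, p + 2)) == tolower(val)) { print; exit }
      } }'
}

# Print every value of attribute $2 in entry $1, one per line.
attr_values() {
  printf '%s\n' "$1" | awk -v attr="$2" '
    { p = index($0, ": ")
      if (p && tolower(substr($0, 1, p - 1)) == tolower(attr)) print substr($0, p + 2) }'
}

# Question 1: ldapsam finds a machine with a subtree search from `ldap suffix` for
# (&(uid=NAME$)(objectClass=sambaSamAccount)), so ou=Computers is searched too.
# Returns 0 only if the join would find a usable workstation account.
check_machine_account() {   # $1=ldif  $2=NetBIOS name without the trailing $
  entry=$(ldif_entry "$1" uid "$2\$")
  if [ -z "$entry" ]; then
    echo "NO ENTRY: no uid=$2\$ under the suffix (add machine script did not create it)"; return 1
  fi
  if ! attr_values "$entry" objectClass | grep -qi '^sambaSamAccount$'; then
    echo "NOT SAMBA: uid=$2\$ exists but lacks objectClass sambaSamAccount, so the filter never matches"; return 1
  fi
  if ! attr_values "$entry" sambaSID | grep -q "^$DOMAIN_SID-[0-9][0-9]*\$"; then
    echo "BAD SID: uid=$2\$ has no sambaSID in domain $DOMAIN_SID"; return 1
  fi
  if ! attr_values "$entry" sambaAcctFlags | grep -q 'W'; then
    echo "NOT WORKSTATION: uid=$2\$ has no W in sambaAcctFlags"; return 1
  fi
  echo "OK: $(attr_values "$entry" dn)"
}

# Question 2: with ldapsam a mapping lives on the group entry itself under
# `ldap group suffix` (auxiliary class sambaGroupMapping plus sambaSID); ou=Idmap
# only receives sambaIdmapEntry records that winbind allocates for foreign SIDs.
# Returns 0 if mapped, 2 if the group exists but is unmapped, 1 if it is missing.
check_groupmap() {   # $1=ldif  $2=RID  $3=unix group name
  entry=$(ldif_entry "$1" cn "$3")
  if [ -z "$entry" ]; then
    echo "MISSING: no posixGroup cn=$3; net groupmap add would fail"; return 1
  fi
  if attr_values "$entry" sambaSID | grep -q "^$DOMAIN_SID-$2\$"; then
    echo "MAPPED: $3 -> $DOMAIN_SID-$2"; return 0
  fi
  echo "UNMAPPED: $3 exists but carries no sambaGroupMapping for RID $2"; return 2
}

# Run against the constructed sample.
check_machine_account "$SAMPLE_LDIF" ws01
check_machine_account "$SAMPLE_LDIF" ws02 || true
check_groupmap "$SAMPLE_LDIF" 512 "Domain Admins"
check_groupmap "$SAMPLE_LDIF" 514 "Domain Guests" || true
check_groupmap "$SAMPLE_LDIF" 514 "Domain Guest" || true
```

Replace `SAMPLE_LDIF` with the output of an `ldapsearch` over the real suffix to test the machine account the add machine script created; the `NOT SAMBA` branch is the one to look for when the entry is visible in ou=Computers but the join still reports that the account does not exist. The last `check_groupmap` call shows why unix group names passed to `net groupmap` must match the cn values exactly.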