Vegeta
2004-Jan-15 02:14 UTC
[Samba] My story installing Samba-LDAP PDC (it has a happy ending)
OK.
I am starting to believe that Samba 3.0.x is not stable.
At least, the documentation for Samba as PDC with OpenLDAP backend (which is
what I have been trying to do for four days) is crap.
All the documentation for 3.0.x is mixed with 2.2.x. Most documents start as
instructions for 3.0.x but include a lot of information that doesn't apply to
3.0.x, but to 2.2.x.
People in the mailing list sometimes give answers that apply to 2.2.x.
Some people tell me there is a bug that prevents the use of ou=Computers for
machine accounts. Some people say they have no problems.
Some people say I have to have Administrator with uid=0, some people tell me
it must not be 0.
Everyone says smbldap-tools work great, but they always give me strange
errors.
I'm starting again, this time with 3.0.2pre1.
I'm going to use Samba-HOWTO-Collection.pdf as the main guide for general
samba configuration and
http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html for LDAP configuration
(even though I know they have errors regarding 3.0.x).
I'm running SuSE 9.0 on an x86 machine. I have my openldap server running
without problem. At the moment it has no samba information except the
inclusion of the samba.schema in the slapd.conf.
I'm using the JXplorer tool to add/modify/delete directory information.
My LDAP base is dc=ica,dc=luz,dc=ve.
The server is listening without SSL (port 389) on the 127.0.0.1 (localhost)
interface and listening LDAPS (with SSL, port 636) on all interfaces (I know
this is deprecated in favor of StartTLS, but this configuration works well
for me).
1. Samba 3.0.1 compiled and installed without problems with the following
commands:
./configure --prefix=/opt/samba-3.0.2pre1 --with-ldap --with-quotas --with-winbind --with-libsmbclient --with-fhs --with-smbmount
make
make install
2. The first step is configuring the smb.conf file.
I read the documentation and I think I understand most parts of it.
The only example in Section 5.3 (Domain Control Example Configuration) is
for a tdbsam backend, which I am not interested in. I use a similar
configuration, but using information from Section 11.4.4 (Account
Information Databases - ldapsam) and previous experience.
My first version of smb.conf is:
--------START smb.conf----------
[global]
#Only allow hosts in my network
hosts allow = 172.17.6.0/255.255.255.0
netbios name = BOA
workgroup = ICALUZ
security = user
encrypt passwords = yes
preferred master = yes
domain master = yes
local master = yes
domain logons = yes
unix charset = "ISO-8859-1"
os level = 33
ldap suffix = dc=ica,dc=luz,dc=ve
ldap admin dn = "cn=Manager,dc=ica,dc=luz,dc=ve"
idmap backend = ldap:ldap://localhost
idmap gid = 10000-20000
idmap uid = 10000-20000
ldap idmap suffix = ou=Idmap
passdb backend = ldapsam:ldap://localhost
ldap ssl = off
ldap delete dn = no
ldap user suffix = ou=Personas
ldap group suffix = ou=Grupos
ldap machine suffix = ou=Personas
#ldap machine suffix = ou=Computadoras
#ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
ldap filter = (uid=%u)
logon path = \\%N\profiles\%u
logon drive = H:
logon home = \\homeserver\%u\winprofile
#logon home = \\%N\%u
logon script = logon.cmd
#logging
log level = 2
log file = /var/lib/samba/%m.log
[netlogon]
path = /var/lib/samba/netlogon
read only = yes
write list = domadmin
[profiles]
path = /var/lib/samba/profiles
read only = no
create mask = 0644
directory mask = 0755
[test]
path=/tmp
writeable=yes
public=yes
--------END smb.conf----------
Differences with respect to the documentation:
hosts allow: only computers from my network can connect to the server.
The order of some directives is changed because I like it better this way.
It apparently doesn't matter (if there is a mistake, please correct me).
unix charset: My native language is Spanish and it is common to have files
with accented letters. The smb-ldap3-howto (which is from Spain) recommends
using CP850, but it did not work for me. ISO-8859-1 works great.
ldap ssl: I do not use SSL because the LDAP server is in the same machine as
samba.
ldap machine suffix: The documentation (Samba Howto Collection - SHC) says
one should use ou=Computers (ou=Computadoras in Spanish). I have this
commented and am using ou=Personas (equivalent to ou=People) since a lot of
people say there is a bug in Samba 3.0.x that prevents it from searching the
ou=Computers tree. I do not know if this is fixed in Samba 3.0.2pre1, I'll
test that later if everything else goes fine.
ldap filter: the documentation (example 11.4.1 in SHC) says one should use
(&(uid=%u)(objectclass=sambaSamAccount)), but I found out in previous
installations that it doesn't work, at least when you use smbpasswd -a,
because at that time entries do not have the sambaSamAccount class and are
filtered out. ldap filter = (uid=%u) worked for me last time so that's what
I'm using.
I do not yet understand what Idmap does. I read it maps Unix group and user
IDs to Windows user and group SIDs. I am somewhat confused because
instructions also say a tool called net groupmap should be used to map unix
groups to windows groups. Someone please clarify.
I put some entries for it because if it is going to store information I
prefer that it does so in the LDAP directory.
There are a few differences in the netlogon and profiles shares. I used
domadmin instead of ntadmin for write list of netlogon and used different
masks in profiles.
I'm using logon home = \\homeserver\%u\winprofile, but this isn't going to
work because I haven't configured a homeserver server. I'll correct this
when everything else works OK.
2. The SHC say I should add the following entries:
- The organization. I added it.
- A directory manager (dn: cn=Manager). I didn't add this because it is
created automatically by OpenLDAP.
- Groups, People and Computers organizational units. I added these.
- An admin entry for each of the previously created ou's. I didn't add these
because I am going to administer the entries using the cn=Manager.
3. The SHC says I should use the following command so it can access the LDAP
server.
smbpasswd -w <password>
I did this without problems.
From this point on all the LDAP related information in SHC applies to Samba
2.2.x.
It talks about sambaSamAccount, but all described parameters apply to the
Samba 2.2.x sambaAccount. So I switch to SLH.
4. The first relevant thing I find is that there are some Ldap basic entries
(also with posixAccount).
SLH says:
"In the [SAMBA_3_0] and [HEAD] only a few basic entries are required: nobody
and administrator BUT an account with uidNumber=0 (root or administrator)
MUST be present if you need add XP/W2K ws. The reason: an administrative
account is demanded in the ws side in the join process, and that account
must have a uidNumber=0 in the unix world.
Remember that in the ldapsam backend the rid mapping is algorithmic based:
rid='2*uidNumber+1000' and primaryGroup='2*uidNumber+100+1', so a root or
any administrative account must have a rid of 1000, and a sambaSID like:
sambaSID: S-1-5-21-298858960-1863792627-3661451959-1000
sambaPrimaryGroupSID: S-1-5-21-298858960-1863792627-3661451959-1001
The root/administrator (uidNumber=0) SHOULD be present in the NT's Admins
group (rid=512).
"
What I interpret from this is that I have to create three posixAccounts
(root, Administrator and nobody, although it seems root and nobody might
have been enough) and an NT administrative group. Both root and
administrator have to belong to the administrative group. There are no
instructions at this point on how to create the groups. They appear later.
There are other things that are not clear.
I have read (and it appears later in SLH) that three Samba (NT) groups must
be created: "Domain Admins", "Domain Users" and "Domain Guests" and that
these groups should have rid's 512, 513 and 514 respectively. To map the
groups, SLH says the following commands should be used:
net groupmap add rid=514 ntgroup="Domain Guests" unixgroup=nobody
net groupmap add rid=513 ntgroup="Domain Users" unixgroup=users
net groupmap add rid=512 ntgroup="Domain Admins" unixgroup=admins
There is another thing that is not clear. The (LDIF) entries appear with all
samba attributes set, but it is not clear how they must be set, but I know
they are set with smbpasswd -a.
The example that comes with SLH says the following about the three accounts:
Administrator:
uidNumber: 506 --- I assume this can be any number not equal to 0
gidNumber: 0 --- maybe because the posixGroup 0 should be previously mapped
to sambaGroup rid 512, although this is not written anywhere. Is this true?
sambaSID: a number that ends with 500 (I really don't know if this is truly
necessary, but it DOES NOT come from the formula given above).
sambaPrimaryGroupSID: must end with 512 (to indicate it belongs to the
Domain Admins group, I assume).
sambaAcctFlags [UX ] -- user account and password doesn't expire
nobody:
uidNumber: 99 --- I assume this can be any number not equal to 0
gidNumber:99 --- Idem
sambaSID: a number that ends with 501 (I don't know if this is necessary,
but it DOES NOT come from the formula given above).
sambaPrimaryGroupSID: must end with 514 (to indicate it belongs to the
Domain Guests group, I assume).
sambaAcctFlags [UX ] -- user account and password doesn't expire
root:
uidNumber: not shown, but I assume 0
gidNumber:Idem
sambaSID: a number that ends with 1000 (I don't know if this necessary, but
it comes from the formula given above).
sambaPrimaryGroupSID: must end with 1001 (I don't know if this is either
necessary or correct, but it comes from the formula above, unless it
is wrong and it is 1001 instead of the strange value 100+1).
sambaAcctFlags [U ] -- user account
The last time I followed the instructions and created the users first I did
not get the right values for sambaPrimaryGroupSID (I got the expected
values using the formulas). This time I decided to first create the groups,
do the mappings and then create the users.
To create the groups I first create the following posixGroups entries in the
LDAP directory:
dn: cn=users,ou=Grupos,dc=ica,dc=luz,dc=ve
objectClass: posixGroup
objectClass: top
cn: users
description: Local Unix group
gidNumber: 100
dn: cn=domadmin,ou=Grupos,dc=ica,dc=luz,dc=ve
objectClass: posixGroup
objectClass: top
cn: domadmin
description: Local Unix group
gidNumber: 0
dn: cn=nobody,ou=Grupos,dc=ica,dc=luz,dc=ve
objectClass: posixGroup
objectClass: top
cn: nobody
description: Local Unix group
gidNumber: 65533
I mapped the groups to samba groups with the following commands:
net groupmap add rid=514 ntgroup="Domain Guests" unixgroup=nobody
net groupmap add rid=513 ntgroup="Domain Users" unixgroup=users
net groupmap add rid=512 ntgroup="Domain Admins" unixgroup=domadmin
All commands worked successfully. Now the group entries look like this:
dn: cn=users,ou=Grupos,dc=ica,dc=luz,dc=ve
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: users
description: Local Unix group
displayName: Domain Users
gidNumber: 100
sambaGroupType: 2
sambaSID: S-1-5-21-893857118-1575030141-3707423182-513
dn: cn=domadmin,ou=Grupos,dc=ica,dc=luz,dc=ve
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: domadmin
description: Local Unix group
displayName: Domain Admins
gidNumber: 0
sambaGroupType: 2
sambaSID: S-1-5-21-893857118-1575030141-3707423182-512
dn: cn=nobody,ou=Grupos,dc=ica,dc=luz,dc=ve
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: nobody
description: Local Unix group
displayName: Domain Guests
gidNumber: 65533
sambaGroupType: 2
sambaSID: S-1-5-21-893857118-1575030141-3707423182-514
They look good, I think.
Now I'm going to add the users.
I put these entries in the directory:
dn: uid=root,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: person
objectClass: posixAccount
objectClass: top
cn: root
gidNumber: 0
homeDirectory: /dev/null
loginShell: /dev/null
sn: root
uid: root
uidNumber: 0
dn: uid=nobody,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: person
objectClass: posixAccount
objectClass: top
cn: nobody
gidNumber: 65533
homeDirectory: /dev/null
loginShell: /dev/null
sn: nobody
uid: nobody
uidNumber: 65533
dn: uid=Administrator,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: person
objectClass: posixAccount
objectClass: top
cn: Administrator
gidNumber: 0
homeDirectory: /dev/null
loginShell: /dev/null
sn: Administrator
uid: Administrator
uidNumber: 506
dn: uid=borra,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: person
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
cn: Borra
gidNumber: 100
homeDirectory: /home/borra
loginShell: /bin/bash
shadowExpire: -1
shadowFlag: 7100670
shadowInactive: -1
shadowLastChange: 11762
shadowMax: 99999
shadowMin: -1
shadowWarning: -1
sn: Borra
uid: borra
uidNumber: 1010
userPassword:: Ym9ycmE
The borra user is a normal (test) user.
5. At this point the SLH discusses some steps I already did:
- group mapping
- configuring smb.conf, which I already configured not exactly like SLH
says because there are things that I know don't work for me.
- smbpasswd -w <passwd>
6. The next step in SLH is "Starting and stopping the samba server". I will
do that after I add samba attributes to users in the directory.
7. The next step in SLH is "Adding accounts with smbpasswd".
SLH says that smbpasswd "makes all the ldap stuff for you, from the
scratch" (even though the first step about configuring accounts shows ldap
entries with all samba attributes).
SLH says to add users with "./bin/smbpasswd -a <user> -D 256" and to add
machines with "./bin/smbpasswd -m -a <ws_name>$ -D 256".
Of course this doesn't add users to LDAP directory, but adds samba
attributes to existing users in the directory.
I ran successfully the following commands:
smbpasswd -a root
smbpasswd -a Administrator
smbpasswd -a nobody
Now the entries in the directory look like this:
dn: uid=borra,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: person
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
objectClass: sambaSamAccount
cn: borra
displayName: borra
gidNumber: 100
homeDirectory: /home/borra
loginShell: /bin/bash
sambaAcctFlags: [U ]
sambaLMPassword: 9C66ABD24F833796AAD3B435B51404EE
sambaNTPassword: B481BD80DA6D4E289F47611E924D5A3C
sambaPrimaryGroupSID: S-1-5-21-893857118-1575030141-3707423182-513
sambaPwdCanChange: 1074126298
sambaPwdLastSet: 1074126298
sambaPwdMustChange: 2147483647
sambaSID: S-1-5-21-893857118-1575030141-3707423182-3020
shadowExpire: -1
shadowFlag: 7100670
shadowInactive: -1
shadowLastChange: 11762
shadowMax: 99999
shadowMin: -1
shadowWarning: -1
sn: Romero
uid: borra
uidNumber: 1010
userPassword:: Ym9ycmE
dn: uid=nobody,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: person
objectClass: posixAccount
objectClass: top
objectClass: sambaSamAccount
cn: nobody
displayName: nobody
gidNumber: 99
homeDirectory: /dev/null
loginShell: /dev/null
sambaAcctFlags: [U ]
sambaLMPassword: C95F11D5EBB770D2AAD3B435B51404EE
sambaNTPassword: 3A1F23F3A6E96E48C4D256A557BF7C9F
sambaPwdCanChange: 1074126257
sambaPwdLastSet: 1074126257
sambaPwdMustChange: 2147483647
sambaSID: S-1-5-21-893857118-1575030141-3707423182-501
sn: nobody
uid: nobody
uidNumber: 1000
dn: uid=Administrator,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: person
objectClass: posixAccount
objectClass: top
objectClass: sambaSamAccount
cn: Administrator
displayName: Administrator
gidNumber: 0
homeDirectory: /dev/null
loginShell: /dev/null
sambaAcctFlags: [U ]
sambaLMPassword: 6A98EB0FB88A449CBE6FABFD825BCA61
sambaNTPassword: D144986C6122B1B1654BA39932465528
sambaPrimaryGroupSID: S-1-5-21-893857118-1575030141-3707423182-512
sambaPwdCanChange: 1074126020
sambaPwdLastSet: 1074126020
sambaPwdMustChange: 2147483647
sambaSID: S-1-5-21-893857118-1575030141-3707423182-2012
sn: Administrator
uid: Administrator
uidNumber: 506
dn: uid=root,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: person
objectClass: posixAccount
objectClass: top
objectClass: sambaSamAccount
cn: root
displayName: root
gidNumber: 0
homeDirectory: /dev/null
loginShell: /dev/null
sambaAcctFlags: [U ]
sambaLMPassword: D480EA9533C500D4AAD3B435B51404EE
sambaNTPassword: 329153F560EB329C0E1DEEA55E88A1E9
sambaPrimaryGroupSID: S-1-5-21-893857118-1575030141-3707423182-512
sambaPwdCanChange: 1074126010
sambaPwdLastSet: 1074126010
sambaPwdMustChange: 2147483647
sambaSID: S-1-5-21-893857118-1575030141-3707423182-1000
sn: root
uid: root
uidNumber: 0
Everything looks more or less good. I do not know if it is OK, but at least
Administrator and root do have the 512 in the sambaPrimaryGroupSID
attribute. The user nobody had no value in sambaPrimaryGroupSID. I do not
know why, but I do not care much because that's nobody.
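The following Python script is an added illustration, not code from the thread or from the Samba project. It parses LDIF entries like the ones posted above, evaluates the two `ldap filter` settings compared in the smb.conf notes (the default `(&(uid=%u)(objectclass=sambaSamAccount))` versus `(uid=%u)`) against an entry before and after `smbpasswd -a`, and checks the algorithmic RID rule quoted from the SLH (rid = 2*uidNumber+1000) and the `net groupmap` mapping against the sambaSID and sambaPrimaryGroupSID values Samba actually wrote. The sample entries are constructed from the values in the post (trimmed to the attributes checked; the machorro$ entry is the machine joined later in the post); the parser handles only the one-line-per-attribute LDIF shown here and the two filter shapes the post compares.

```python
import re

# Domain SID as it appears in the posted entries.
DOMAIN_SID = "S-1-5-21-893857118-1575030141-3707423182"
# The two 'ldap filter' settings compared in the post.
DEFAULT_FILTER = "(&(uid=%u)(objectclass=sambaSamAccount))"
SIMPLE_FILTER = "(uid=%u)"
# gidNumber -> group RID, constructed from the 'net groupmap list' output in the post.
GROUP_RID = {0: 512, 100: 513, 65533: 514, 101: 515}

# Constructed sample: a posix-only entry, as it looks before 'smbpasswd -a'.
LDIF_BEFORE = """\
dn: uid=borra,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: posixAccount
uid: borra
uidNumber: 1010
"""

# Constructed sample: entries after Samba added its attributes (values taken
# from the posted entries; machorro$ is the machine account joined later).
LDIF_AFTER = f"""\
dn: uid=borra,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: posixAccount
objectClass: sambaSamAccount
uid: borra
uidNumber: 1010
gidNumber: 100
sambaPrimaryGroupSID: {DOMAIN_SID}-513
sambaSID: {DOMAIN_SID}-3020

dn: uid=root,ou=Personas,dc=ica,dc=luz,dc=ve
uid: root
uidNumber: 0
gidNumber: 0
sambaPrimaryGroupSID: {DOMAIN_SID}-512
sambaSID: {DOMAIN_SID}-1000

dn: uid=nobody,ou=Personas,dc=ica,dc=luz,dc=ve
uid: nobody
uidNumber: 1000
gidNumber: 99
sambaSID: {DOMAIN_SID}-501

dn: uid=machorro$,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: sambaSamAccount
uid: machorro$
uidNumber: 2000
gidNumber: 101
sambaPrimaryGroupSID: {DOMAIN_SID}-515
sambaSID: {DOMAIN_SID}-5000
"""


def parse_ldif(text):
    """Parse one-line-per-attribute LDIF into [{attr: [values]}]; entries are
    separated by blank lines and 'attr:: value' (base64) is kept undecoded."""
    entries = []
    for block in filter(None, text.strip().split("\n\n")):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.lstrip(":").strip())
        entries.append(entry)
    return entries


def matches(entry, ldap_filter, user):
    """Evaluate a filter of one of the two shapes compared in the post;
    objectClass is compared case-insensitively, as LDAP does."""
    f = ldap_filter.replace("%u", user)
    m = re.fullmatch(r"\(uid=([^)]*)\)", f)
    if m:
        return m.group(1) in entry.get("uid", [])
    m = re.fullmatch(r"\(&\(uid=([^)]*)\)\(objectclass=([^)]*)\)\)", f, re.I)
    if m:
        classes = {c.lower() for c in entry.get("objectClass", [])}
        return m.group(1) in entry.get("uid", []) and m.group(2).lower() in classes
    raise ValueError("unsupported filter shape: " + ldap_filter)


def find_user(entries, ldap_filter, user):
    """Entries a lookup of `user` returns under the given 'ldap filter'."""
    return [e for e in entries if matches(e, ldap_filter, user)]


def check_rids(entries):
    """Per entry with a sambaSID: (stored RID, RID from the SLH formula
    2*uidNumber+1000, stored primary group RID or None, RID the group
    mapping gives its gidNumber or None)."""
    rid = lambda sid: int(sid.rsplit("-", 1)[1])
    result = {}
    for e in entries:
        if "sambaSID" in e:
            pg = e.get("sambaPrimaryGroupSID")
            result[e["uid"][0]] = (
                rid(e["sambaSID"][0]),
                2 * int(e["uidNumber"][0]) + 1000,
                rid(pg[0]) if pg else None,
                GROUP_RID.get(int(e["gidNumber"][0])),
            )
    return result


if __name__ == "__main__":
    print(find_user(parse_ldif(LDIF_BEFORE), DEFAULT_FILTER, "borra"))  # [] before smbpasswd -a
    for uid, row in check_rids(parse_ldif(LDIF_AFTER)).items():
        print(uid, row)
```

Running it shows the point of the filter discussion directly: the default filter returns nothing for the posix-only borra entry, so `smbpasswd -a` cannot find the account to extend, while `(uid=%u)` does. The RID check shows the formula holding for root (1000), borra (3020) and the machine (5000), the primary group RID coming from the `net groupmap` mapping of the gidNumber rather than from a formula, and nobody's 501 being a well-known RID that the formula does not produce.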
7. At this point I start samba simply running smbd and nmbd.
The log says:
[2004/01/14 20:40:23, 2] lib/interface.c:add_interface(79)
added interface ip=172.17.6.2 bcast=172.17.255.255 nmask=255.255.0.0
[2004/01/14 20:40:23, 0] smbd/server.c:main(781)
standard input is not a socket, assuming -D option
[2004/01/14 20:40:23, 2] lib/tallocmsg.c:register_msg_pool_usage(57)
Registered MSG_REQ_POOL_USAGE
[2004/01/14 20:40:23, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2004/01/14 20:40:23, 2] smbd/server.c:open_sockets_smbd(318)
waiting for a connection
It seems OK.
8. Before doing the next step in SLH, I will try to mount the test share
using smbmount from an external unix machine and from a windows machine
using the test user borra.
smbmount //boa/test mnt -o username=borra
I tried the same command from the server I am configuring and it worked
great.
BTW, boa is the name of the server I am configuring (I think I never said
that).
From Windows it worked well too.
Accented letters worked well in both environments.
9. The next step is what has never worked for me. "Joining workstations (NT,
W2K, XP) to the Samba domain".
SLH says:
"Basically you need cover these steps to add (join) a windows NT/W2K/XP to
the domain:
in the PDC samba server create an account for the machine
one entry in the /etc/passwd or equivalent (nsswitch...) for the machine_name$-ended
one basic entry in the ldap previous to call to the smbpasswd
one full entry in the ldap with smbpasswd -a -m <machine_name>$
in the MS workstation, if is a XP or W2K you need set in the registry:
SignOrSeal to "0" in the MS workstation you need join to the domain ASAP
via:"
blah blah...
I interpret this as saying that I need to add an entry in both /etc/passwd
and the LDAP server. This is absurd to me. If I'm using LDAP, that's the
only place where it makes sense to me to add the machine account.
Maybe I'm wrong. Maybe the reason for ou=Computers not working is because
Samba needs to see the machines as users and, since nss_ldap is configured
to search users only in ou=People, then the only other way for it to see
them as users is adding them to /etc/passwd. Maybe this is also wrong.
Of course these instructions are incomplete because everywhere I see it is
required to have a value for "add machine script" in smb.conf.
I have read (probably in the mailing list) that the SignOrSeal change is not
required in Samba 3.0.x. This may be possible.
I have also read that W2K and WinXP do not support manual creation of the
account.
Since the machine I want to add is W2K I will try to join it automatically
to the domain.
My first attempt will be with the server configuration as it is. It failed,
as was expected.
I see that smbldap-tools work well for most people in the list and they use
that as the command to run in "add machine script". I downloaded those tools
(version 0.8.2) and they do not work. No matter what I do, I always get the
same kind of error:
failed to perform search; No such object at /root/smbldap-tools-0.8.2/smbldap_tools.pm line 156, <DATA> line 283.
failed to add entry: referral missing at ./smbldap-useradd.pl line 251, <DATA> line 283.
No such object at /root/smbldap-tools-0.8.2//smbldap_tools.pm line 180, <DATA> line 283.
I configured the smbldap_tools.pm correctly (at least that is what I think).
I installed every possible perl package that comes with SuSE 9 (including
one called perl-ldap or something like that).
I gave up with those tools. I do not like them anyway because they say they
do not support shadowAccount and I intend to use shadowAccount.
These tools look like they perform the combined work of ldapadd (or
ldapmodify, etc.) and smbpasswd. I have no problems adding LDAP entries
manually, especially with JXplorer, and later using smbpasswd to set samba
attributes, so I will not use these tools.
Since SLH redirects me to SHC, I go to Chapter 7 "Domain Membership".
It explains some things I think I understand, but all specific to a tdbsam
backend.
It first explains manual creation of machine accounts using useradd and
smbpasswd -a -m.
I think I would have no problem first adding posixAccount info in LDAP and
then using smbpasswd -a -m.
Then SHC goes to a section called "On-the-Fly Creation of Machine Trust
Accounts".
SHC says:
" The second (and recommended) way of creating Machine Trust Accounts is
simply to allow the Samba server to create them as needed when the client
is joined to the domain.
Since each Samba Machine Trust Account requires a corresponding UNIX
account, a method for automatically creating the UNIX account is usually
supplied; this requires configuration of the add machine script option in
smb.conf. This method is not required, however, corresponding UNIX accounts
may also be created manually. "
As I understand it, the add machine account only requires adding the
posixAccount information and not the samba account information. I assume
then that samba automatically executes "smbpasswd -a -m <machine>".
The example (not using LDAP) could not be clearer:
add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u
Since "corresponding UNIX accounts may also be created manually" I will add
a machine account entry manually to the LDAP server and then try to join
the W2K machine automatically to the domain.
The first problem I face is what to use as gidNumber. The example uses 100,
which is usually a user group id. I checked Table 12.1 in SHC and there is
a non-essential group called "Domain Computers" with RID=515. Since I
couldn't find a specific gidNumber to use in this circumstance, I will
create a domcomputers posix group mapped to Samba RID 515 and use the
corresponding gidNumber for the machine account.
After the operation "net groupmap list" shows:
Domain Users (S-1-5-21-893857118-1575030141-3707423182-513) -> users
Domain Admins (S-1-5-21-893857118-1575030141-3707423182-512) -> root
Domain Guests (S-1-5-21-893857118-1575030141-3707423182-514) -> nobody
Domain Computers (S-1-5-21-893857118-1575030141-3707423182-515) -> domcomputers
I added the following entry to the LDAP server:
dn: uid=machorro$,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: posixAccount
objectClass: device
objectClass: top
cn: machorro$
description: test machine
gidNumber: 101
homeDirectory: /dev/null
loginShell: /dev/null
uid: machorro$
uidNumber: 2000
Now I will try to join it to the domain.
I am using the root account since I read that an account with uidNumber=0 is
required for this operation.
IT WORKED!!!!!!!! IT WORKED!!!!!!!!!!
machorro said: "Bienvenido al dominio ICALUZ", that is "Welcome to ICALUZ
domain".
I really thought it was not going to work.
The machorro$ LDAP entry now is:
dn: uid=machorro$,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: posixAccount
objectClass: device
objectClass: top
objectClass: sambaSamAccount
cn: machorro$
description: test machine
displayName: machorro$
gidNumber: 101
homeDirectory: /dev/null
loginShell: /dev/null
sambaAcctFlags: [W ]
sambaLMPassword: 104BB6F47FAC1C3C8154FBC2F211C5B1
sambaNTPassword: FBC80084DF2D1D4B223A643F74611420
sambaPrimaryGroupSID: S-1-5-21-893857118-1575030141-3707423182-515
sambaPwdCanChange: 1074130590
sambaPwdLastSet: 1074130590
sambaPwdMustChange: 2147483647
sambaSID: S-1-5-21-893857118-1575030141-3707423182-5000
uid: machorro$
uidNumber: 2000
I logged in in machorro and it only complained about not being able to
create the profile on the server, but that is because I have
logon home = \\homeserver\%u\winprofile
And homeserver doesn't exist. It used a local profile and everything else
was fine.
Well, now I have nothing else to do. Simply add more users and more
machines.
Wait. I will now try to put the machine account under the ou=Computers tree,
just to see what happens.
The first thing I'll try will be moving the machorro$ account to the
ou=Computadoras subtree and changing the smb.conf "ldap machine suffix"
entry to ou=Computadoras.
I turned off machorro and stopped samba.
Now I moved the machorro account to ou=Computadoras (which is very easy with
JXplorer).
Then I start samba (smbd and nmbd) and turn on machorro.
I could log in without problems. Interesting.
Now I will try to add another machine to the domain.
I first added the following entry to the LDAP server:
dn: uid=titanic$,ou=Computadoras,dc=ica,dc=luz,dc=ve
objectClass: posixAccount
objectClass: device
objectClass: top
cn: titanic$
description: test machine
gidNumber: 101
homeDirectory: /dev/null
loginShell: /dev/null
uid: titanic$
uidNumber: 2001
When I tried to join titanic to the domain, I got the following error:
"the user name could not be found."
I suppose this happens when samba does the equivalent to smbpasswd -a -m.
Bad luck.
But at least I can add W2K machines to the domain.
I am very happy.
I apologize for calling the Samba documentation crap. It was of great help,
but it certainly needs improvement. And I hope the ou=Computers bug is
fixed soon.
I expect this story could help others trying to do the same thing I am doing.
The next battle will be configuring a BDC, but that will be another day.
Regards,
VS
--
Fuera Chávez
Craig White
2004-Jan-15 02:40 UTC
[Samba] My story installing Samba-LDAP PDC (it has a happy ending)
On Wed, 2004-01-14 at 19:13, Vegeta wrote:
> I expect this story could help others trying to do the same I am doing. The
> next battle will be configuring a BDC, but that will be another day.
> --

The truth is, with 3.0.0 on RH AS 3, I got it running, ldap backend, with a BDC and master/slave LDAP servers. It was hard.

The documentation in the How-to is sufficient. But it seems more like an extended man page than a how-to. The problem is that there are so many different ways these tools are used that there is absolutely no way the documentation can have the exact instructions for what you are trying to set up. John is apparently writing a book of example setups, which might be what you are looking for.

The truth of the matter regarding machine accounts and LDAP (probably for the other backends as well) is that even with 2.x.x samba, machine accounts were located in the same data tree with the users. You certainly can tell smbldap-tools and samba and nsswitch.conf to put computer accounts in ou=Computers,dc=domain,dc=org but when it comes time that the OS needs to verify their existence/passwords/trust, they aren't gonna be found. I don't know when it will be fixed to track with what would be our expectations... perhaps one of the developers will clue us in.

In the meantime, your post, though well intentioned, was way too long to actually seriously consider digesting.

Craig
Beast
2004-Jan-15 05:53 UTC
[Samba] My story installing Samba-LDAP PDC (it has a happy ending)
On Wed, 14 Jan 2004 22:13:11 -0400 Vegeta <lord.vegeta@ica.luz.ve> wrote:

Hi, tks for sharing. Better post it on some web page so others can find it as a reference.

In fact, I was going to make 'working' and clean documentation to make samba work with an ldap backend. I've tried it many times and last week it seemed I made a great movement, all features I've tested work!! However this week I've been trying to create the same environment but it only worked once, so I can not claim that my setup will work any time (weird, eh? :-)

The key for adding machine trust (manually or "on the fly") is in:
ldap filter = (uid=%u)

It also makes the ldap log 'pretty':
filter="(&(uid=TBIRD$)(objectClass=sambaSamAccount))"
not like before:
filter="(&(&(uid=administrator)(objectClass=sambaSamAccount))(objectClass=sambaSamAccount))"

But I need some clarification from the samba team (Jerry?) whether we can use this filter without breaking any other functions or not, because they must have a strong reason for using the default filter. However, this filter *solved* most of my problems, thanks!

For the id map stuff, imo it is not necessary when not using winbind, since there's already a clear mapping between unix uid and sid.

For the administrator account, you need to have sid 500 and groupsid 512, this is what we have in NT (try using pwdump).

I'll try ou=computer and several other combinations also (ie. base ou=site,dc=dom,dc=com) and let you know.

Btw, a 'drop in' replacement of an existing NT domain works for me (without needing to rejoin ws and using users' old passwords).

--beast
Andrei Mikhailovsky
2004-Jan-15 15:27 UTC
[Samba] My story installing Samba-LDAP PDC (it has a happy ending)
Hello,

I've looked at your post at the samba mailing list.

Same as you are, I am having a nightmare making a Windows 2000 Pro log on to my domain.

But unlike you, smbldap-tools worked fine-ish for me. They have populated the database with initial users, groups and created a computer entry. The setup works fine for shares/workgroup. But I can't make it connect to my pdc. By the way, I am running Debian unstable with samba 3.0.1 and ldap 2.1.23.

By following your experience, I've managed to resolve some of the issues while I was trying to log on to my domain.

Initially, looking at the ldap logs, Windows was trying to search for entries that were not found in the ldap. Like pid 501, which is meant to be a guest account, and a few other things.

But after correcting these issues, ldap finds all the entries, but still gives me Logon Failure: unknown username or bad password. But looking at the samba logs, I don't see any errors.

This is the output of slapd when I attempt to log on to the domain:
--------
Jan 15 14:07:23 whale slapd[24434]: conn=5 fd=19 ACCEPT from IP=192.168.77.7:38423 (IP=0.0.0.0:389)
Jan 15 14:07:23 whale slapd[24434]: conn=5 op=0 BIND dn="cn=root,dc=arhont,dc=com" method=128
Jan 15 14:07:23 whale slapd[24434]: conn=5 op=0 BIND dn="cn=root,dc=arhont,dc=com" mech=simple ssf=0
Jan 15 14:07:23 whale slapd[24434]: conn=5 op=0 RESULT tag=97 err=0 text
Jan 15 14:07:23 whale slapd[24434]: conn=5 op=1 SRCH base="dc=arhont,dc=com" scope=2 filter="(&(objectClass=sambaDomain)(sambaDomainName=ARHONT))"
Jan 15 14:07:23 whale slapd[24434]: conn=5 op=1 SRCH attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
Jan 15 14:07:23 whale slapd[24434]: conn=5 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text
Jan 15 14:07:23 whale slapd[24434]: conn=5 op=2 SRCH base="dc=arhont,dc=com" scope=2 filter="(&(uid=root)(objectClass=sambaSamAccount))"
Jan 15 14:07:23 whale slapd[24434]: conn=5 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial
Jan 15 14:07:23 whale slapd[24434]: conn=5 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text
Jan 15 14:07:23 whale slapd[24434]: conn=5 fd=19 closed
-------

and this is the example of my smb.conf:
#LDAP Support for samba 3+
passdb backend = ldapsam:ldap://whale.core.arhont.com
ldap admin dn = "cn=root,dc=arhont,dc=com"
idmap backend = ldap:ldap://whale.core.arhont.com
ldap suffix = dc=arhont,dc=com
ldap machine suffix = ou=computers
ldap user suffix = ou=users
#ldap ssl = off
#ldap user suffix = "ou=users,dc=arhont,dc=com"
##Default LDAP FILTER
#ldap filter = "(&(uid=%u)(objectClass=SambaSamAccount))"
ldap filter = "(uid=%u)"
ldap delete dn = no
#ldap password sync = yes

In addition, you have mentioned that the win2k registry has to be changed. I've looked at the registry key on my workstation, and it was already 0 from the default install. Is it normal, as I've read in a few places that it has to be changed, but mine was already 0 from the initial installation.

Do you have any suggestions what might be going wrong? I am already at my third day trying to integrate samba/ldap. What a nightmare!

Thanks in advance for any help )

--
Andrei Mikhailovsky
Vegeta Saiyajin
2004-Jan-15 16:24 UTC
[Samba] My story installing Samba-LDAP PDC (it has a happy ending)
On Thursday 15 January 2004 10:32, you wrote:
> Hello Vegeta,
>
> I've looked at your post at the samba mailing list.
>
> Same as you are, I am having a nightmare making a Windows 2000
> Pro log on to my domain.
>
> But unlike you, smbldap-tools worked fine-ish for me. They
> have populated the database with initial users, groups and
> created the computer entry. The setup works fine for
> shares/workgroup. But I can't make it connect to my PDC. By
> the way, I am running Debian unstable with samba 3.0.1 and
> ldap 2.1.23.
>
> By following your experience, I've managed to resolve some of
> the issues while I was trying to log on to my domain.
>
> Initially, looking at the ldap logs, Windows was trying to
> search for entries that were not found in the ldap. Like pid
> 501, which is meant to be a guest account, and a few other
> things.
>
> But after correcting these issues, ldap finds all the entries,
> but still gives me Logon Failure: unknown username or bad
> password.

There are two solutions. One is to use

ldap machine suffix = ou=People

instead of

ldap machine suffix = ou=Computers

This will probably work.

A better solution that allows storing computer accounts in ou=Computers requires changing the ldap.conf file. This is not a Samba file, but an OpenLDAP file (I assume you are using OpenLDAP).

In the ldap.conf file of the LDAP server use:

scope sub
nss_base_passwd dc=arhont,dc=com
nss_base_shadow dc=arhont,dc=com

instead of the more traditional

scope one
nss_base_passwd ou=People,dc=arhont,dc=com
nss_base_shadow ou=People,dc=arhont,dc=com

The reason for the "unknown username or bad password" message is that Samba tries to find the machine as a "user" listed by NSS (as when you use "getent passwd"). When you have nss configured with "scope one" and "nss_base_passwd ou=People,dc=arhont,dc=com" the only users samba sees are the accounts in ou=People (without looking at any subtrees).

When you use "scope sub" and "nss_base_passwd dc=arhont,dc=com" samba can see all users in all subtrees of "dc=arhont,dc=com".

Regarding changes in the registry, they are not necessary in Samba 3.0.x. Some documentation I read talks about this, but it only applies to Samba 2.2.x. I could join W2K machines to the domain without making any registry modifications.

> But looking at samba logs, I don't see any errors. This is the
> output of the slapd when I attempt to log on to the domain:
>
> --------
> Jan 15 14:07:23 whale slapd[24434]: conn=5 fd=19 ACCEPT from
> IP=192.168.77.7:38423 (IP=0.0.0.0:389)
> Jan 15 14:07:23 whale slapd[24434]: conn=5 op=0 BIND
> dn="cn=root,dc=arhont,dc=com" method=128
> Jan 15 14:07:23 whale slapd[24434]: conn=5 op=0 BIND
> dn="cn=root,dc=arhont,dc=com" mech=simple ssf=0
> Jan 15 14:07:23 whale slapd[24434]: conn=5 op=0 RESULT tag=97
> err=0 text=
> Jan 15 14:07:23 whale slapd[24434]: conn=5 op=1 SRCH
> base="dc=arhont,dc=com" scope=2
> filter="(&(objectClass=sambaDomain)(sambaDomainName=ARHONT))"
> Jan 15 14:07:23 whale slapd[24434]: conn=5 op=1 SRCH
> attr=sambaDomainName sambaNextRid sambaNextUserRid
> sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
> Jan 15 14:07:23 whale slapd[24434]: conn=5 op=1 SEARCH RESULT
> tag=101 err=0 nentries=1 text=
> Jan 15 14:07:23 whale slapd[24434]: conn=5 op=2 SRCH
> base="dc=arhont,dc=com" scope=2
> filter="(&(uid=root)(objectClass=sambaSamAccount))"
> Jan 15 14:07:23 whale slapd[24434]: conn=5 op=2 SRCH attr=uid
> uidNumber gidNumber homeDirectory sambaPwdLastSet
> sambaPwdCanChange sambaPwdMustChange sambaLogonTime
> sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive
> sambaHomePath sambaLogonScript sambaProfilePath description
> sambaUserWorkstations sambaSID sambaPrimaryGroupSID
> sambaLMPassword sambaNTPassword sambaDomainName objectClass
> sambaAcctFlags sambaMungedDial
> Jan 15 14:07:23 whale slapd[24434]: conn=5 op=2 SEARCH RESULT
> tag=101 err=0 nentries=1 text=
> Jan 15 14:07:23 whale slapd[24434]: conn=5 fd=19 closed
>
> -------
>
> and this is the example of my smb.conf
>
> #LDAP Support for samba 3+
> passdb backend = ldapsam:ldap://whale.core.arhont.com
> ldap admin dn = "cn=root,dc=arhont,dc=com"
> idmap backend = ldap:ldap://whale.core.arhont.com
> ldap suffix = dc=arhont,dc=com
> ldap machine suffix = ou=computers
> ldap user suffix = ou=users
>
> #ldap ssl = off
> #ldap user suffix = "ou=users,dc=arhont,dc=com"
>
> ##Default LDAP FILTER
> #ldap filter = "(&(uid=%u)(objectClass=SambaSamAccount))"
> ldap filter = "(uid=%u)"
>
> ldap delete dn = no
> #ldap password sync = yes
>
>
> In addition, you have mentioned that the win2k registry has to
> be changed. I've looked at the registry key on my workstation,
> and it was already 0, from the default install. Is it normal?
> As I've read in a few places that it has to be changed, but
> mine was already 0 from the initial installation.
>
> Do you have any suggestions, what might be going wrong? I am
> already at my third day trying to integrate samba/ldap. What a
> nightmare!
>
> Thanks in advance for any help )
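To make the NSS scope point in the reply above concrete, here is an added example (not code from the thread or from Samba/OpenLDAP): a small in-memory model of how `scope` plus `nss_base_passwd` decide which directory entries a `getent passwd` lookup can reach. The directory contents, the user `andrei` and the machine account `ws01$` are constructed for the example.

```python
# Added example, not part of the mailing-list thread. Toy model of LDAP
# search scope as nss_ldap applies it: an entry is only visible through NSS
# (and so to Samba's machine-account lookup) if it lies within "scope" of
# the configured search base. Directory entries below are constructed.

DIRECTORY = {
    "uid=andrei,ou=People,dc=arhont,dc=com":
        {"uid": "andrei", "objectClass": ["posixAccount", "sambaSamAccount"]},
    "uid=ws01$,ou=Computers,dc=arhont,dc=com":
        {"uid": "ws01$", "objectClass": ["posixAccount", "sambaSamAccount"]},
}


def _rdns(dn):
    """Split a DN into its RDN list, normalised for comparison (no escaping handled)."""
    return [part.strip().lower() for part in dn.split(",")]


def in_scope(entry_dn, base, scope):
    """True if entry_dn is reachable from `base` with LDAP scope base/one/sub."""
    entry, base_rdns = _rdns(entry_dn), _rdns(base)
    if len(entry) < len(base_rdns) or entry[len(entry) - len(base_rdns):] != base_rdns:
        return False                      # entry is not under the base at all
    depth = len(entry) - len(base_rdns)   # number of RDNs below the base
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def nss_lookup(uid, base, scope):
    """Emulate `getent passwd <uid>` as nss_ldap would resolve it with these settings.

    Returns the matching DN, or None when the account is outside the search scope.
    """
    for dn, attrs in DIRECTORY.items():
        if attrs["uid"].lower() == uid.lower() and in_scope(dn, base, scope):
            return dn
    return None


# Traditional settings from the reply: ou=People only, one level deep.
TRADITIONAL = ("ou=People,dc=arhont,dc=com", "one")
# Settings the reply recommends: whole suffix, subtree search.
RECOMMENDED = ("dc=arhont,dc=com", "sub")

if __name__ == "__main__":
    for name, (base, scope) in (("traditional", TRADITIONAL), ("recommended", RECOMMENDED)):
        print(f"{name}: andrei -> {nss_lookup('andrei', base, scope)}")
        print(f"{name}: ws01$  -> {nss_lookup('ws01$', base, scope)}")
```

With the traditional settings the machine account resolves to nothing, which is exactly the case in which Samba reports the logon as an unknown username.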
Gerald (Jerry) Carter
2004-Jan-21 03:39 UTC
[Samba] My story installing Samba-LDAP PDC (it has a happy ending)
On Thu, 15 Jan 2004, Beast wrote:
> But I need some clarification from samba team (Jerry?) whether we can
> use this filter without breaking any other functions or not, because
> they must be has strong reason using default filter.

My opinion is that the 'ldap filter' option in smb.conf should never be set. There are 2 many different LDAP searches now being done (group mapping, users, etc...) and we don't use that option consistently internally anyways. Best to leave it alone IMO.

cheers, jerry

----------------------------------------------------------------------
Hewlett-Packard ------------------------- http://www.hp.com
SAMBA Team ---------------------- http://www.samba.org
GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song" --Switchfoot (2003)
Muhammad Reza
2004-Feb-05 10:14 UTC
[Samba] My story installing Samba-LDAP PDC (it has a happy ending)
hi.

I failed when trying to map (create) a samba (NT) group:

# net groupmap add rid=513 ntgroup="Domain Guests" unixgroup=nobody
adding entry for group Domain Guests failed!

# ldapsearch -x -h localhost -b "cn=nobody,ou=Groups,dc=mra,dc=net"
# extended LDIF
#
# LDAPv3
# base <cn=nobody,ou=Groups,dc=mra,dc=net> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# nobody, Groups, mra.net
dn: cn=nobody,ou=Groups,dc=mra,dc=net
objectClass: posixGroup
objectClass: top
cn: nobody
description: Local Unix group
gidNumber: 65533

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

please help me...

regards
reza