On Mon, 2004-08-02 at 18:15, William Jojo wrote:
> I have Samba 3.0.4 with LDAP, *no* winbind running on AIX 5.2.
>
>
> My workstation joined the domain!!! woohoo! But before I get too excited,
> I still have a fundamental issue to overcome. Please read on...
>
>
> Ok, I know what the following snippet means now!
>
>
> [2004/08/02 07:53:47, 2] passdb/pdb_ldap.c:init_sam_from_ldap(483)
> init_sam_from_ldap: Entry found for user: CRP4$
> [2004/08/02 07:53:47, 4] lib/substitute.c:automount_server(323)
> Home server: hvdev
> [2004/08/02 07:53:47, 4] lib/substitute.c:automount_server(323)
> Home server: hvdev
> [2004/08/02 07:53:47, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2004/08/02 07:53:47, 5]
> rpc_parse/parse_samr.c:init_samr_r_lookup_names(4709)
> init_samr_r_lookup_names
> [2004/08/02 07:53:47, 5] rpc_server/srv_samr_nt.c:_samr_lookup_names(1445)
> _samr_lookup_names: 1445
> [2004/08/02 07:53:47, 5] rpc_parse/parse_prs.c:prs_debug(82)
> 000000 samr_io_r_lookup_names
> [2004/08/02 07:53:47, 5] rpc_parse/parse_prs.c:prs_uint32(635)
> 0000 num_rids1: 00000000
> [2004/08/02 07:53:47, 5] rpc_parse/parse_prs.c:prs_uint32(635)
> 0004 ptr_rids : 00000000
> [2004/08/02 07:53:47, 5] rpc_parse/parse_prs.c:prs_uint32(635)
> 0008 num_types1: 00000000
> [2004/08/02 07:53:47, 5] rpc_parse/parse_prs.c:prs_uint32(635)
> 000c ptr_types : 00000000
> [2004/08/02 07:53:47, 5] rpc_parse/parse_prs.c:prs_ntstatus(665)
> 0010 status: NT_STATUS_NONE_MAPPED
> [2004/08/02 07:53:47, 5] rpc_server/srv_pipe.c:api_rpcTNP(1575)
> api_rpcTNP: called samr successfully
>
>
> It means that the SID portion of sambaSID attribute of the machine account
> in LDAP did not match the server's (no really, I did it on purpose).
>
>
> Perhaps I should explain further what I'm trying to do here. I have one
> big LDAP server. It has all the posix/samba accounts for everyone on
> campus. I've created all the LDAP entries programmatically including the
> IDMAP entries.
>
> The idea is to have one LDAP database support up to 7 domains at this
> point. There are several operational and political reasons for this number
> of domains. I think I understand now that IDMAP only provides consistency
> to the uid/gid mappings - NOT a way to make a DC believe that a
> machine/user belongs to a domain.
>
> When the sambaSamAccount entry for CRP4$ had its sambaSID value set to an
> arbitrary SID value (preserving the algorithmic RID) it refused to join as
> shown by the aforementioned log dump. When I altered the entry to be
> consistent with the PDC's SID, it joined without batting an eye.
>
> Is there a way to have the workstation join any domain regardless of its
> sambaSID value for the sambaSamAccount? Or am I trying to do too much
> with one DIT?
>
> The other reason I ask is that we allow users to cross domains with
> different roaming profiles preserving the same authentication info from a
> single smbpasswd database shared over NFS *today*. In LDAP, this is going
> to become much more complicated for me, is it not?
>
> This could be really bad since we have 19306 records in our smbpasswd we'd
> like to move to LDAP, but preserve the single password "feature" we've
> enjoyed for so long.
>
>
> If the Samba gurus have any ideas how to overcome this, I would be deeply
> grateful. Or, do I owe my server an apology? ;)
Hmm, what about solving this with domain trusts?
I'm not sure if that would work, but it might.
Tarjei
>
>
>
> Bill
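An added audit script, not part of the thread above and not Samba's own code, for the failure Bill describes: a sambaSamAccount whose sambaSID does not start with the DC's domain SID makes _samr_lookup_names return NT_STATUS_NONE_MAPPED, so the join is refused. The script reads sambaDomain and sambaSamAccount entries from LDIF, splits each sambaSID into domain prefix and RID, and reports every account that a given DC would not recognise as its own. It also flags RIDs that do not follow Samba 3's default algorithmic mapping (user RID = 2*uid + algorithmic rid base, base 1000); with an LDAP backend that is informational, not a join failure. The LDIF, the domain names and the domain SIDs are constructed sample data (CRP4$ deliberately carries the other domain's SID); the LDIF reader is a minimal one written for this example.

```python
"""Audit sambaSamAccount SIDs against the sambaDomain a DC serves.

Added example, not from the mailing-list thread or from Samba. Sample LDIF
below is constructed; domain SIDs are invented.
"""
import re

ALGORITHMIC_RID_BASE = 1000  # Samba 3 default for "algorithmic rid base"

# Constructed sample data: two domains sharing one DIT. CRP4$ has a SID from
# CAMPUS2 while HVDEV is the DC being checked, as in the thread; bjojo has a
# RID that is not 2*uidNumber + 1000.
SAMPLE_LDIF = """\
dn: sambaDomainName=HVDEV,dc=example,dc=edu
objectClass: sambaDomain
sambaDomainName: HVDEV
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: sambaDomainName=CAMPUS2,dc=example,dc=edu
objectClass: sambaDomain
sambaDomainName: CAMPUS2
sambaSID: S-1-5-21-4444444444-5555555555-6666666666

dn: uid=CRP4$,ou=Computers,dc=example,dc=edu
objectClass: posixAccount
objectClass: sambaSamAccount
uid: CRP4$
uidNumber: 20001
sambaSID: S-1-5-21-4444444444-5555555555-6666666666-41002

dn: uid=CRP5$,ou=Computers,dc=example,dc=edu
objectClass: posixAccount
objectClass: sambaSamAccount
uid: CRP5$
uidNumber: 20002
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-41004

dn: uid=bjojo,ou=People,dc=example,dc=edu
objectClass: posixAccount
objectClass: sambaSamAccount
uid: bjojo
uidNumber: 1500
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-5000
"""


def parse_ldif(text):
    """Minimal LDIF reader (no base64 values, no continuation lines).
    Returns a list of entries, each a dict attribute -> list of values."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip(), []).append(value.strip())
    if cur:
        entries.append(cur)
    return entries


def split_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into ('S-1-5-21-a-b-c', RID)."""
    if not re.fullmatch(r"S-1-\d+(?:-\d+){2,}", sid):
        raise ValueError("malformed SID: %r" % sid)
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def algorithmic_user_rid(uid_number):
    """Samba 3 default uid -> user RID (groups use 2*gid + base + 1)."""
    return 2 * uid_number + ALGORITHMIC_RID_BASE


def audit(entries, dc_domain_name):
    """Map each account uid to a list of problems as seen from the DC that
    serves dc_domain_name; an empty list means the lookup would succeed."""
    domains = {e["sambaDomainName"][0]: e["sambaSID"][0]
               for e in entries if "sambaDomain" in e.get("objectClass", [])}
    dc_sid = domains[dc_domain_name]
    owner_of = {sid: name for name, sid in domains.items()}
    report = {}
    for e in entries:
        if "sambaSamAccount" not in e.get("objectClass", []):
            continue
        uid = e["uid"][0]
        try:
            prefix, rid = split_sid(e["sambaSID"][0])
        except (KeyError, ValueError) as exc:
            report[uid] = ["unusable sambaSID (%s)" % exc]
            continue
        problems = []
        if prefix != dc_sid:  # this is what produced NT_STATUS_NONE_MAPPED
            problems.append("SID belongs to %s, not %s: lookup on this DC "
                            "returns NT_STATUS_NONE_MAPPED"
                            % (owner_of.get(prefix, "no known domain"),
                               dc_domain_name))
        expected = algorithmic_user_rid(int(e["uidNumber"][0]))
        if rid != expected:  # informational with ldapsam, not a join failure
            problems.append("RID %d is not the algorithmic RID %d for "
                            "uidNumber %s" % (rid, expected, e["uidNumber"][0]))
        report[uid] = problems
    return report


if __name__ == "__main__":
    for uid, problems in audit(parse_ldif(SAMPLE_LDIF), "HVDEV").items():
        print(uid, "OK" if not problems else "; ".join(problems))
```

Run it once per domain name: an account comes back clean for exactly the DC whose domain SID is its prefix, which is why the same sambaSamAccount cannot join two domains from one DIT.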