Hi all!
I've a running Samba PDC (LDAP backend) with Windows clients. All the users
are in the LDAP, including the 'guest' user. All except the 'root' user which
is a regular user. Then I changed in the smb.conf
ldapsam:trusted = yes
ldapsam:editposix = yes
and noticed some speed-up when listing groups, looking at file ownerships, and so
on. But I can't add machines to the domain: neither with the 'root' user
nor with some users with privileges to join computers.
If I comment the ldapsam:trusted/editposix everything is fine and machines get
added to the domain. ¿Why? All the users are in the LDAP so ldapsam:trusted
should work :-?
This is the smb.conf
[global]
### Machine identification
workgroup = ELPABI
netbios name = kasparov
server string = PDC - Kasparov
wins support = yes
dns proxy = no
#dns proxy = yes
name resolve order = wins hosts lmhosts bcast
time server = yes
### PDC of the ELPABI domain
domain master = yes
domain logons = yes
preferred master = yes
local master = yes
os level = 100
# Log. A separate log for each machine that connects
log file = /var/log/samba/log.%m
log level = 0
max log size = 10000
syslog = 0
panic action = /usr/share/samba/panic-action %d
utmp = yes
# User verification and security
# Security
security = user
encrypt passwords = true
template shell = /bin/false
enable privileges = yes
obey pam restrictions = yes
pam password change = no
# Guest user
guest account = Invitado
#guest account = nobody
map to guest = Never
# Mapping between Windows and Linux users
username map = /etc/samba/smbusers
# Only allow access to members of our LAN and the VPN
hosts deny = all
hosts allow = 192.168.1.0/24 127.0.0.1/24
# Two inbound interfaces: eth0 and tun0 (VPN)
interfaces = kasparov/24
bind interfaces only = yes
# Settings recommended in
# http://us4.samba.org/samba/docs/man/Samba-Guide/secure.html#promisnet
socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536 IPTOS_LOWDELAY
#socket address = kasparov.elpagestion.com
smb ports = 139
keep alive = 60
### Configuration so that Samba uses LDAP
ldap passwd sync = yes
ldap delete dn = yes
ldap suffix = dc=ELPA,dc=BI
ldap admin dn = cn=samba,ou=DSA,dc=ELPA,dc=BI
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap ssl = start_tls
passdb backend = ldapsam:ldap://kasparov.elpabi/
idmap backend = ldap:ldap://kasparov.elpabi/
#ldapsam:trusted = yes
#ldapsam:editposix = yes
### Settings for winbindd
idmap uid = 10000-20000
idmap gid = 10000-20000
### User management
# Add/remove users, machines, groups
add user script = /usr/sbin/smbldap-useradd -m -a "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
### Network login
# Avoid NT/XP roaming user profiles
logon path logon drive logon home logon script = LOGON.BAT
### File system
# Internationalization - code pages
dos charset = CP850
unix charset = ISO8859-15
preserve case = yes
short preserve case = yes
case sensitive = no
# Default permissions on folders
create mask = 0640
directory mask = 0750
# NTFS permission emulation
nt acl support = yes
map acl inherit = yes
dos filemode = yes
# File locking
strict locking = yes
oplocks = yes
# If a client opens a file and writes to it, it automatically switches to
# RO state unless we set level2 oplocks = no
level2 oplocks = no
# Do not try to lock these files (lock)
veto oplock files = /*.doc/*.xls/*.mdb/*.pst/
hide dot files = yes
#hide unreadable = yes
veto files = /*.eml/*.nws/*.{*}/
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
[netlogon]
comment = Network logon service
path = /home/samba/netlogon/
browseable = no
read only = yes
[ ... some shares ... ]
Thanks
--
Asier.
hi,

unfortunately no answer to your question but where did you find this
parameter and what does it do
> ldapsam:editposix = yes
???

thx!
--
Michael Gasch
Max Planck Institute for Evolutionary Anthropology
Department of Human Evolution (IT Staff)
Deutscher Platz 6
D-04103 Leipzig
Germany
Phone: 49 (0)341 - 3550 137
       49 (0)341 - 3550 374
Fax:   49 (0)341 - 3550 399
Carlos Eduardo Pedroza Santiviago
2007-Mar-19 12:58 UTC
[Samba] 3.0.23 ldapsam:trusted=yes problem
Hi,

On 3/15/07, Asier Baranguán <abaranguan@elpagestion.com> wrote:
> Hi all!
>
> I've a running Samba PDC (LDAP backend) with windows clients. All the users
> are in the LDAP, including the 'guest' user. All except the 'root' user which
> is a regular user. Then change in the smb.conf
>
> ldapsam:trusted = yes
> ldapsam:editposix = yes
>
> and noticed some speed-up when listing groups, look file ownerships, and so
> on. But I can't add machines to the domain: neither with the 'root' user,
> neither some users with privileges to join computers.
>
> If I comment the ldapsam:trusted/editposix everything is fine and machines get
> added to the domain. ¿Why? All the users are in the LDAP so ldapsam:trusted
> should work :-?
>

IIRC, when you use the editposix flag, samba tries to manage all user/groups
functions and doesn't use the smbldap scripts you've defined. But I don't know
if this is already finished. Maybe simo can answer this?

For now, just use ldapsam:trusted, since it will speed things up a lot.

--
Carlos Eduardo Pedroza Santiviago
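
An added example, not part of the thread or of Samba: a small checker that reads the `[global]` section of an smb.conf and lists what changes in account provisioning once `ldapsam:editposix` is enabled. It assumes the behaviour described in the smb.conf manual page (editposix builds on `ldapsam:trusted`, edits the LDAP tree directly instead of calling the add/delete scripts, and needs an idmap range from which winbindd allocates new uids/gids); the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample: relevant lines of the posted smb.conf, with the two
# ldapsam options enabled as in the failing setup.
SAMPLE = """\
[global]
passdb backend = ldapsam:ldap://kasparov.elpabi/
ldapsam:trusted = yes
ldapsam:editposix = yes
idmap uid = 10000-20000
idmap gid = 10000-20000
add user script = /usr/sbin/smbldap-useradd -m -a "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
[netlogon]
path = /home/samba/netlogon/
"""

def parse_global(text):
    """Return the [global] parameters as {normalised name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def is_on(params, key):
    return params.get(key, "no").lower() in ("yes", "true", "1")

def editposix_findings(params):
    """List what an enabled ldapsam:editposix changes or still requires."""
    if not is_on(params, "ldapsam:editposix"):
        return []
    out = []
    if not is_on(params, "ldapsam:trusted"):
        out.append("ldapsam:editposix set without ldapsam:trusted")
    out += ["no '%s' range to allocate new ids from" % k
            for k in ("idmap uid", "idmap gid") if k not in params]
    # Account-management scripts (not 'logon script') are bypassed by editposix.
    for key in sorted(params):
        if key.endswith(" script") and key.startswith(("add", "delete", "set")):
            out.append("'%s' is bypassed while ldapsam:editposix is on" % key)
    return out
```

Whether winbindd is actually running cannot be read from the file, so that part has to be checked on the host itself.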