Hello,

I am setting up a new PDC for a new domain using samba 3.2.0.
I use LDAP as passwd/idmap backend.

I started from scratch, just creating the OUs for the
users/groups/machines/idmaps in the ldap directory, plus a user used to bind
to ldap.

So from there I started winbind and ran net sam provision, which worked
great.
Now I plan for this domain to have a one-way trust with one other domain,
and as I start playing with wbinfo to verify that the local/builtin groups
appear, I found that wbinfo -t fails to check the secret with:

myserver:/usr/local/samba/bin# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
Could not check secret

So, I'm wondering, do I need to create some kind of machine trust account
for the PDC itself, or is this reply from wbinfo -t expected?
[global]
workgroup = EVENTLAB
netbios name = TLS-SRV-01
server string = Samba for EventLab
interfaces = eth1 lo
bind interfaces only = Yes
hosts allow = 10.211.0.0/16 10.212.0.0/16 127.0.0.1
socket address = 10.211.254.253
passdb backend = ldapsam:ldap://127.0.0.1:389
ldap admin dn = cn=SambaAdmin,dc=x-files,dc=fr
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Machines
ldap suffix = dc=x-files,dc=fr
ldapsam:trusted = Yes
ldapsam:editposix = Yes
time server = Yes
map acl inherit = Yes
nt acl support = Yes
unix charset = UTF-8
# unix password sync = Yes
# passwd chat = *new*password* %n\n*new*password* %n\n *updated*
# pam password change = No
passwd program = /usr/sbin/smbldap-passwd %u
# username map = /etc/samba/username.map
reset on zero vc = Yes
use sendfile = Yes
#
# Logon options
#
domain logons = Yes
logon drive = h:
logon path = \\TLS-SRV-01\Profiles\%U
logon home = \\TLS-SRV-01\%U
logon script = Startup.bat
#
# Printing options
#
load printers = No
#
# Browsing options
#
os level = 65
announce version = 4.9
preferred master = No
domain master = Yes
local master = No
# remote browse sync = 10.212.254.254
# remote announce = 10.212.254.254
#
# WINS and resolver options
#
wins support = Yes
# wins server = 10.212.254.254
wins proxy = Yes
name resolve order = lmhosts wins host bcast
#
# Debug options
#
log level = 0
debug timestamp = No
debug prefix timestamp = No
debug hires timestamp = No
debug pid = Yes
debug uid = Yes
#
# Winbind options
#
winbind enum users = Yes
winbind enum groups = Yes
idmap domains = TRUSTEDDOM
idmap config TRUSTEDDOM:backend = ldap
idmap config TRUSTEDDOM:default = Yes
idmap config TRUSTEDDOM:ldap_base_dn = ou=TRUSTEDDOM,ou=Idmaps,dc=x-files,dc=fr
idmap config TRUSTEDDOM:ldap_user_dn = cn=SambaAdmin,dc=x-files,dc=fr
idmap config TRUSTEDDOM:ldap_url = ldap://localhost/
idmap config TRUSTEDDOM:range = 10000 - 10999
idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=Idmaps,dc=x-files,dc=fr
idmap alloc config:ldap_user_dn = cn=SambaAdmin,dc=x-files,dc=fr
idmap alloc config:ldap_url = ldap://localhost/
idmap alloc config:range = 20000 - 20999
template homedir = /home/home/%D/%U
template shell = /bin/false
winbind: rpc only = yes
winbind nested groups = yes
--
François Legal
On Fri, Jul 11, 2008 at 04:50:55PM +0200, devel@thom.fr.eu.org wrote:
> Hello,
>
> I am setting up a new PDC for a new domain using samba 3.2.0.
> I use LDAP as passwd/idmap backend.
>
> I started from scratch, just creating the OUs for the
> users/groups/machines/idmaps in the ldap directory, plus a user used to bind
> to ldap.
>
> So from there I started winbind and ran net sam provision, which worked
> great.
> Now I plan for this domain to have a one-way trust with one other domain,
> and as I start playing with wbinfo to verify that the local/builtin groups
> appear, I found that wbinfo -t fails to check the secret with:
>
> myserver:/usr/local/samba/bin# wbinfo -t
> checking the trust secret via RPC calls failed
> error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
> Could not check secret
>
> So, I'm wondering, do I need to create some kind of machine trust account
> for the PDC itself, or is this reply from wbinfo -t expected?

Yes, you need to "join" the machine to itself (the PDC) using net join
before winbindd will work in this way on the PDC. Sorry, rather
counterintuitive I know but the way it works at present.

Jeremy.
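The procedure Jeremy describes, written up as an added example. This helper script is not part of the thread and not Samba's own code: it runs wbinfo -t, and only when the check fails with the NT_STATUS_CANT_ACCESS_DOMAIN_INFO status shown above does it join the PDC to its own domain with net rpc join and re-check. Assumptions: the Samba 3.x wbinfo/net binaries are on PATH (the WBINFO and NET variables exist so the logic can be exercised against stubs), and JOIN_USER is an account in the ldapsam allowed to create machine accounts (root is the usual choice on a Samba PDC).

```sh
#!/bin/sh
# self_join.sh: added example, not code from the thread or from Samba.
# Checks the PDC's own machine trust secret with "wbinfo -t" and, if the
# failure is the one seen in the thread, joins the PDC to itself with
# "net rpc join" as Jeremy suggests, then re-checks.
# WBINFO / NET default to the real binaries; they are variables so the logic
# can be run against stubs. JOIN_USER is an assumption (see lead-in).

WBINFO="${WBINFO:-wbinfo}"
NET="${NET:-net}"
JOIN_USER="${JOIN_USER:-root}"

# trust_status: prints OK (return 0) when "wbinfo -t" reports success,
# otherwise prints the NT_STATUS code taken from wbinfo's
# "error code was ..." line, or UNKNOWN if there is none (return 1).
trust_status() {
    out="$("$WBINFO" -t 2>&1)" || true
    if printf '%s\n' "$out" | grep -q 'checking the trust secret.*succeeded'; then
        echo OK
        return 0
    fi
    code="$(printf '%s\n' "$out" \
        | sed -n 's/.*error code was \(NT_STATUS_[A-Z0-9_]*\).*/\1/p' | head -n 1)"
    echo "${code:-UNKNOWN}"
    return 1
}

# ensure_self_join: prints one word for the outcome and returns 0 when the
# PDC ends up with a working machine trust account for itself:
#   already-joined   wbinfo -t passed on the first try
#   joined           the join was needed and fixed the check
# Any other outcome reports on stderr and returns non-zero.
ensure_self_join() {
    status="$(trust_status)" && { echo already-joined; return 0; }
    case "$status" in
        NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
            # No machine trust account for the PDC itself yet. "-U root" makes
            # net prompt for the password; avoid "-U root%secret", which leaves
            # the password in the process list and the shell history.
            "$NET" rpc join -U "$JOIN_USER" \
                || { echo "net rpc join failed" >&2; return 2; }
            status="$(trust_status)" && { echo joined; return 0; }
            echo "trust check still failing after join: $status" >&2
            return 3
            ;;
        *)
            # Some other failure (winbindd not running, RPC unreachable, ...):
            # joining will not help, so stop and let the admin look at it.
            echo "unexpected wbinfo -t result: $status" >&2
            return 1
            ;;
    esac
}

# Stand-alone use on the PDC, as root:  sh self_join.sh run
case "${1:-}" in
    run) ensure_self_join ;;
esac
```

After a successful join, net rpc testjoin and wbinfo -u / wbinfo -g are the natural follow-up checks. Two things worth keeping in mind on a box like the one in the thread: the join writes the machine account password into secrets.tdb, the same file that already holds the LDAP admin password set with smbpasswd -w, so that file must stay readable by root only; and the ldap_user_dn used by the idmap ldap and idmap alloc backends needs its bind password stored separately with net idmap secret, as the idmap_ldap(8) man page for the 3.x series describes, or winbindd will not be able to allocate mappings for the trusted domain even once the self-join works. Running testparm -s on the smb.conf first is also worthwhile, since it reports lines it cannot parse.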