Hello,

I am in the process of migrating to

    passdb backend = ldapsam

on debian unstable with the latest 3.0pre samba package.

All users have a ldap sambaAccount object which was added by hand after using migrationtools from padl.com. Testing auth with smbclient works fine, however when using samba as a PDC from WinXP I can't log into the domain as I used to when "passdb backend = smbpasswd". However adding the machine to the domain seems to work.

I haven't dug very deep into the problem, at this point I am just wondering if there is any known issue with using LDAP and PDC functionalities together?

Also in the sambaAccount ldap object I noticed a mandatory "rid" field. What does relative id mean? I populated the rid's with unix id's, is it a good or bad idea?

Thanks in advance for your insight, cheers,

--
ldm@apartia.org

On Thu, 2002-09-05 at 10:46, Louis-David Mitterrand wrote:
>
> Hello,
>
> I am in the process of migrating to
>
>     passdb backend = ldapsam
>
> on debian unstable with the latest 3.0pre samba package.
>
> All users have a ldap sambaAccount object which was added by hand after
> using migrationtools from padl.com. Testing auth with smbclient works
> fine, however when using samba as a PDC from WinXP I can't log into the
> domain as I used to when "passdb backend = smbpasswd". However adding
> the machine to the domain seems to work.

when? during the install or after? you may need to set use spnego = no in your smb.conf (if you use pre18 or earlier). I assume you applied the signorseal reg patch to the clients since you mention that using a different backend works for you.

> I haven't dug very deep into the problem, at this point I am just
> wondering if there is any known issue with using LDAP and PDC
> functionalities together?

i'm using this with no problems

>
> Also in the sambaAccount ldap object I noticed a mandatory "rid" field.
> What does relative id mean? I populated the rid's with unix id's, is it
> a good or bad idea?

a bad idea - i think they're supposed to be unique from unix uid. try making them unique (the old formula is 1000+uid*2)

here is an entry from my ldap db:

dn: uid=lauelab,ou=People,dc=bitc,dc=unh,dc=edu
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: sambaAccount
userPassword:: passwd here
shadowLastChange: 11715
shadowMax: 99999
loginShell: /bin/bash
gidNumber: 100
homeDirectory: /home/lauelab
gecos: generic lab user
uidNumber: 4491
uid: lauelab
pwdLastSet: 1027535857
logonTime: 0
logoffTime: 2147483647
kickoffTime: 2147483647
pwdCanChange: 0
pwdMustChange: 2147483647
displayName: generic lab user
cn: generic lab user
rid: 9982
primaryGroupID: 1201
lmPassword: lm hash here
ntPassword: nt hash here
acctFlags: [U ]

it was a bit of a hassle getting this set up but i'm pretty happy with the reliability and ease of adding new applications that authenticate against the common password db. (ie phpgroupware)

good luck!

brad

On Thu, 5 Sep 2002, Louis-David Mitterrand wrote:
>
> Hello,
>
> I am in the process of migrating to
>
>     passdb backend = ldapsam
>
> on debian unstable with the latest 3.0pre samba package.
>
> All users have a ldap sambaAccount object which was added by hand after
> using migrationtools from padl.com. Testing auth with smbclient works
> fine, however when using samba as a PDC from WinXP I can't log into the
> domain as I used to when "passdb backend = smbpasswd". However adding
> the machine to the domain seems to work.
>
> I haven't dug very deep into the problem, at this point I am just
> wondering if there is any known issue with using LDAP and PDC
> functionalities together?

Not that I know of.

> Also in the sambaAccount ldap object I noticed a mandatory "rid" field.
> What does relative id mean? I populated the rid's with unix id's, is it
> a good or bad idea?

A very bad idea. Use the algorithm (uid*2+1000) to determine the RID for users, or better still, use pdbedit's import/export function to migrate the users - that way you get all this stuff done for free!

> Thanks in advance for your insight, cheers,
>
>

--
Andrew Bartlett                          abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team    abartlet@samba.org
Student Network Administrator, Hawker College     abartlet@hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
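
An added example (not part of the original thread and not Samba's own code): a small Python audit that reads sambaAccount entries from LDIF and reports every `rid` that does not follow the uid*2+1000 formula given in the replies, which catches RIDs that were filled in with the raw unix uid. The group formula gid*2+1001 is an assumption that the thread does not state, although it matches the gidNumber/primaryGroupID pair in the entry posted above; the second LDIF entry, the minimal parser and all function names are constructed for illustration.

```python
# Constructed sample: first entry uses values from the thread, second is invented.
SAMPLE_LDIF = """\
dn: uid=lauelab,ou=People,dc=bitc,dc=unh,dc=edu
objectClass: sambaAccount
uid: lauelab
uidNumber: 4491
gidNumber: 100
rid: 9982
primaryGroupID: 1201

dn: uid=baduser,ou=People,dc=example,dc=org
objectClass: sambaAccount
uid: baduser
uidNumber: 1005
gidNumber: 100
rid: 1005
primaryGroupID: 100
"""

def parse_ldif(text):
    """Minimal LDIF reader (no line folding): list of attr -> [values] dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.lstrip(": ").strip())
        entries.append(entry)
    return entries

def user_rid(uid_number):
    return uid_number * 2 + 1000   # formula quoted in the replies
def group_rid(gid_number):
    return gid_number * 2 + 1001   # assumption: odd counterpart for groups

def audit(entries):
    """Return (uid, attribute, found, expected) for every mismatch."""
    findings = []
    for e in entries:
        if "sambaAccount" not in e.get("objectClass", []):
            continue
        name = e["uid"][0]
        checks = [("rid", user_rid(int(e["uidNumber"][0]))),
                  ("primaryGroupID", group_rid(int(e["gidNumber"][0])))]
        for attr, expected in checks:
            found = int(e[attr][0])
            if found != expected:
                findings.append((name, attr, found, expected))
    return findings
```

Calling `audit(parse_ldif(SAMPLE_LDIF))` returns two findings for the constructed `baduser` entry and none for `lauelab`.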