Hi !
We're trying to migrate our NT4 PDC into a Samba one.
Our env :
NT4_PDC is in subnet A and also provide WINS service
SAMBA_SRV is in subnet B and is running :
* samba-3.0alpha23
* openldap-2.1.16
* smbldap-tools-0.7 from IDEALX
samba is compiled with --with-ldap --with-ldapsam --with-syslog
openldap is first populated with :
# ldapadd -x -h localhost -D "ROOTDN" -W -f base.ldif
(following SAMBA-LDAP-PDC Howto from IDEALX, for short OU=Users,
OU=Groups, OU=Computers, and the default groups of an NT4 PDC)
smbldap-tools are working, except creating a Workstation account which
exits with :
> ldapadd: update failed: uid=TESTCOMPUTER1$,ou=Computers,dc=O
> ldap_add: Object class violation (65)
> additional info: no structural object class provided
> /usr/local/sbin/smbldap-useradd.pl: error while adding posix account
to machine TESTCOMPUTER1$
Here is the process we follow :
1. samba is first set up as a BDC for our domain
(security=user, domain logons = yes, domain master = no)
2. SAMBA_SRV join OURDOMAIN
# net rpc join -U DOMAINADMIN -w OURDOMAIN
3. We test the vampire possibility with :
# net rpc samdump -U DOMAINADMIN
4. As our backend is ldap, we have to store the ldap admin password in
secrets.tdb
# smbpasswd -w SECRET
Note: as an improvement, I think it would be better to supply the
password after a prompt instead of a command parameter. This will make
it not to be saved in syslog if issued via sudo
5. and finaly, the so long awaited :
# net rpc vampire
We observed that Users|Computers|Groups objects are not stored under the
Users|Computers|Groups OU but just under O even with the "add user
script" correctly set up to the smbldap-tools one. And as the
smbldap-adduser.pl -w failed, I don't think net rpc vampire use the
"add
user script".
As a first test we move a domain member workstation from subnet A to
subnet B, and try to login with a domain users account.
It failed with : (translated from french)
" The system can't open a session on this domain because the
computer's
system account in his principal domain is missing or the password is
incorrect "
Inspecting the ldap attributes of this computer object, we can see
something strange : all computer accounts (seems to) have "ntPassword"
set but not all have "lmPassword" (the computer we use has not)
Any help/idea welcome !
Thanks in advance.
Regards,
-Guillaume-