jonlists
2003-Nov-06 21:24 UTC
[Samba] clarify issues on joining Samba PDC, machines, RIDs,
I'm running into issues trying to configure a server to be a Samba PDC in a small network that contains only Win2k/XP workstations. This will be going into an environment where there are no Windows servers. There is a pre-existing Samba server that will be replaced, but it'll be easier to recreate user accounts than attempt migration (there were no machine accounts).

Due to time/budget - we're not integrating this one with LDAP. We'll be sticking with smbpasswd. I'd like clarification on some things:

- I did the net groupmap add commands, attempting to map a unix-created group - ntadmin - to the "Domain Admins" group. However, when I do a groupmap list, I get a double listing for the group, as is shown below.

Domain Admins (S-1-5-21-4140922544-3110978470-4188555357-2005) -> ntadmin
Domain Admins (S-1-5-21-4140922544-3110978470-4188555357-512) -> -1

I assume this will cause problems when attempting to join machines to the domain, as one or the other SID will be recognized as a member of domain admins.

Am I correct, and if so, how do I fix this?

- If someone goes in and deletes the unix user - say "jimmy" without using pdbedit or the samba tools, pdbedit later complains that "jimmy" no longer exists, but will not allow me to delete him using "pdbedit -r". How can I clean this up so that "jimmy" can be fixed - I'm not finding any info on how to rebuild or fix the samba information. (Administration of this system will be turned over to someone else, and I need to be sure I can help them fix if they do this).

Thanks for any info

Jon Johnston
Creative Business Solutions
IBM, Lotus, Microsoft Consultants
http://www.cbsol.com
952-544-1108
John H Terpstra
2003-Nov-06 22:00 UTC
[Samba] clarify issues on joining Samba PDC, machines, RIDs,
On Thu, 6 Nov 2003, jonlists wrote:

> I'm running into issues trying to configure a server to be a Samba PDC in
> a small network that contains only Win2k/XP workstations. This will be
> going into an environment where there are no Windows servers. There is a
> pre-existing Samba server that will be replaced, but it'll be easier to
> recreate user accounts than attempt migration (there were no machine
> accounts).
>
> Due to time/budget - we're not integrating this one with LDAP. We'll be
> sticking with smbpasswd. I'd like clarification on some things:
>
> - I did the net groupmap add commands, attempting to map a unix-created
> group - ntadmin - to the "Domain Admins" group. However, when I do a
> groupmap list, I get a double listing for the group, as is shown below.
>
> Domain Admins (S-1-5-21-4140922544-3110978470-4188555357-2005) -> ntadmin
> Domain Admins (S-1-5-21-4140922544-3110978470-4188555357-512) -> -1
>
> I assume this will cause problems when attempting to join machines to the
> domain, as one or the other SID will be recognized as a member of domain
> admins.
>
> Am I correct, and if so, how do I fix this?

Correct. You just hosed things here. To fix:

    net groupmap delete ntgroup="Domain Admins"
    net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmin

> - If someone goes in and deletes the unix user - say "jimmy" without using
> pdbedit or the samba tools, pdbedit later complains that "jimmy" no longer
> exists, but will not allow me to delete him using "pdbedit -r". How can I
> clean this up so that "jimmy" can be fixed - I'm not finding any info on
> how to rebuild or fix the samba information. (Administration of this
> system will be turned over to someone else, and I need to be sure I can
> help them fix if they do this).

Add to your smb.conf [globals]

    passdb backend = tdbsam smbpasswd

Run:

    pdbedit -i tdbsam -e smbpasswd

Edit the smbpasswd file to remove the dead entries.
Remove the passdb.tdb file.

Run:

    pdbedit -i smbpasswd -e tdbsam

Edit smb.conf to have:

    passdb backend = tdbsam

Delete the smbpasswd file. Done.

- John T.
--
John H Terpstra
Email: jht@samba.org
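
The reply above leaves finding the dead entries in the smbpasswd file as a manual edit. The following is an added example, not part of the original thread: it lists and filters out smbpasswd entries, machine accounts included, that have no matching Unix account. The function names, file locations and sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: find smbpasswd entries whose Unix account no longer exists.
# smbpasswd lines are colon-separated: name:uid:LM hash:NT hash:[flags]:LCT-time:

# dead_smb_entries SMBPASSWD PASSWD -> names in SMBPASSWD that are not in PASSWD
dead_smb_entries() {
    awk -F: '
        FILENAME == ARGV[1] { if ($1 != "") unix[$1] = 1; next }  # load Unix names
        /^[ \t]*#/ || /^[ \t]*$/ { next }                         # comments, blanks
        !($1 in unix) { print $1 }                                # orphaned entry
    ' "$2" "$1"
}

# prune_smb_entries SMBPASSWD PASSWD -> SMBPASSWD content minus orphaned entries
prune_smb_entries() {
    awk -F: '
        FILENAME == ARGV[1] { if ($1 != "") unix[$1] = 1; next }
        /^[ \t]*#/ || /^[ \t]*$/ || ($1 in unix) { print }
    ' "$2" "$1"
}

# write_sample DIR -> constructed sample files (not real accounts or hashes)
write_sample() {
    x=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX    # 32 X characters: no usable hash
    cat > "$1/passwd" <<EOF
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001::/home/alice:/bin/sh
ws01\$:x:2001:2001::/dev/null:/bin/false
EOF
    cat > "$1/smbpasswd" <<EOF
# constructed sample
alice:1001:$x:$x:[U          ]:LCT-00000000:
jimmy:1002:$x:$x:[U          ]:LCT-00000000:
ws01\$:2001:$x:$x:[W          ]:LCT-00000000:
oldpc\$:2002:$x:$x:[W          ]:LCT-00000000:
EOF
}

# Demo on the constructed sample: reports jimmy and oldpc$.
demo_dir=$(mktemp -d)
write_sample "$demo_dir"
echo "Entries with no Unix account:"
dead_smb_entries "$demo_dir/smbpasswd" "$demo_dir/passwd"
rm -rf "$demo_dir"
```

Run it against a copy of the smbpasswd file and a passwd-format file; where accounts come from a directory service, the saved output of `getent passwd` can serve as the second argument.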