Greetings!

I created a Samba/OpenLDAP/smbldap-tools Primary Domain Controller. So far I am able to do the following:

1. Using USRMGR.EXE to administer users and groups.
2. Adding Windows 2000, XP workstations on the fly.
3. PDBEDIT/SMBLDAP-TOOLS/GQ all work as they are supposed to.
4. LDAP authenticates unix accounts.

However, I am not able to do the following:

1. Cannot join an NT machine (SP6a) into the domain. It keeps saying that "the Machine account is not available or not accessible" even if I manually added the machine account using "smbldap-useradd NT$".
2. Cannot use SRVMGR.EXE to add a machine to the domain. It complains "Access Denied", though I can do other things like change the permissions of a share etc.
3. Cannot join an existing domain after I configure it as a BDC with the PDC's SID. It complains "Failed to setup BDC creds".

It looks like the communication between samba and openldap is OK since I can manage users/groups with USRMGR.EXE. However, a few questions puzzle me:

1. In what situation do I need the People group as the group for machines?
2. Should the PDC itself be in the ldap backend database?
3. In /etc/ldap.conf, if I turn on the nss stuff, I cannot log in to the domain anymore. It said "User does not exist".
Here are the specs of my setup:

  Fedora 2 (kernel 2.6.5-1.358)
  samba-3.0.3-5
  openldap-2.1.29-1
  smbldap-tools-0.8.5-1.1.fc2.dag

########### /etc/samba/smb.conf #########################
[global]
   workgroup = ab
   netbios name = pdc
   username map = /etc/samba/smbusers
   admin users = @"Domain Admins"
   server string = Samba Server %v
   security = user
   encrypt passwords = Yes
   min passwd length = 3
   obey pam restrictions = No
   ldap passwd sync = Yes
   time server = Yes
   mangling method = hash2

   domain logons = Yes
   os level = 65
   preferred master = Yes
   domain master = Yes
   wins support = Yes
   passdb backend = ldapsam:ldap://127.0.0.1/
   ldap admin dn = cn=Manager,dc=ab,dc=com
   ldap suffix = dc=ab,dc=com
   ldap group suffix = ou=Groups
   ldap user suffix = ou=Users
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Users
   ldap ssl = no
   add user script = /usr/sbin/smbldap-useradd -m "%u"
   ldap delete dn = Yes
   delete user script = /usr/sbin/smbldap-userdel "%u"
   add machine script = /usr/sbin/smbldap-useradd -w "%u"
   add group script = /usr/sbin/smbldap-groupadd -p "%g"
   delete group script = /usr/sbin/smbldap-groupdel "%g"
   add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
   delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
   set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
   preserve case = yes
   short preserve case = yes
   case sensitive = no

[homes]
   comment = repertoire de %U, %u
   read only = No
   create mask = 0644
   directory mask = 0775
   browseable = No

[netlogon]
   path = /home/netlogon/
   browseable = No
   read only = yes

[profiles]
   path = /home/profiles
   read only = no
   create mask = 0600
   directory mask = 0700
   browseable = No
   guest ok = Yes
   profile acls = yes
   csc policy = disable
   # next line is a great way to secure the profiles
   force user = %U
   # next line allows administrator to access all profiles
   valid users = %U "Domain Admins"

##################### /etc/openldap/slap.conf ################################
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/samba.schema

allow bind_v2
pidfile /var/run/slapd.pid

database ldbm
suffix "dc=ab,dc=com"
rootdn "cn=Manager,dc=ab,dc=com"
rootpw some secret

directory /var/lib/ldap

index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

##################### /etc/smbldap-tools/smbldap.conf ################################

SID="S-1-5-21-324808091-3910462042-2848579765"

slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"

ldapTLS="0"

suffix="dc=ab,dc=com"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"

scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"

userLoginShell="/bin/tcsh"
userHome="/u/%U"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"

userSmbHome="\\pdc\%U"
userProfile=""
userHomeDrive="H:"

with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

######################## /etc/ldap.conf ################################
#
host 127.0.0.1
base dc=ab,dc=com
# nss_base_passwd ou=Users,dc=ab,dc=com?one
# nss_base_shadow ou=Users,dc=ab,dc=com?one
# nss_base_group ou=Group,dc=ab,dc=com?one
ssl no
pam_password md5

--- Kang Sun
> 1. In what situation do I need the People group as the group for
> machines?

Always. Until they fix the bug/design issue that is.

> 2. Should the PDC itself be in the ldap backend database?

I haven't found a good reason that it 'has' to in my tests.

> 3. In /etc/ldap.conf, if I turn on the nss stuff, I cannot log
> in to the domain anymore. It said "User does not exist".

Can you expand on this a bit more? From what you've said (which isn't much) it almost sounds like you didn't have ldap working as the posix auth system before you layered on samba.

-- 
Paul Gienger                          Office: 701-281-1884
Applied Engineering Inc.
Information Systems Consultant        Fax:    701-281-1322
URL: www.ae-solutions.com             mailto: pgienger@ae-solutions.com
| Subject: [Samba] Samba/LDAP/PDC Questions
| From: ksun@ABINITIO.COM
| Date: Mon, 19 Jul 2004 21:10:29 +0000 (UTC)
| To: samba@lists.samba.org
|
| However, a few questions puzzle me:
| 1. In what situation do I need the People group as the group for
| machines?

In the case where you use:

nss_base_passwd ou=Users,dc=ab,dc=com?one

If you use:

nss_base_passwd dc=ab,dc=com?sub

then you can have machine accounts anywhere you like under dc=ab,dc=com

Regards,
Buchan

-- 
Buchan Milne                  Senior Support Technician
Obsidian Systems              http://www.obsidian.co.za
B.Eng                         RHCE (803004789010797)
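The answer above turns on LDAP search scope: with `nss_base_passwd ou=Users,dc=ab,dc=com?one`, nss_ldap only returns entries that sit directly under ou=Users, so a machine trust account stored under ou=Computers is invisible to the POSIX side even though Samba's own ldapsam finds it. The script below is an added example (not code from the thread, from Samba or from smbldap-tools) that cross-checks the three configuration files posted earlier in the thread: it parses the `ldap ... suffix` settings from smb.conf, the `*dn` variables from smbldap.conf and the `nss_base_*` lines from /etc/ldap.conf, then reports DN mismatches and any NSS search base whose scope cannot see the machine or group entries Samba expects. The config fragments are constructed from the values quoted in the thread, with the commented-out `nss_base_*` lines uncommented; the `base?scope?filter` syntax is nss_ldap's, and the fallback to `sub` when the scope is omitted is an assumption noted in the code.

```python
"""Cross-check the LDAP DNs configured in smb.conf, smbldap.conf and nss_ldap's
/etc/ldap.conf, and test whether each nss_base_* search base can actually see
the entries Samba expects. Added example, not code from the thread or from
smbldap-tools. The three config fragments are constructed from the values
quoted in the thread, with the nss_base_* lines uncommented."""
import re

SMB_CONF = """\
[global]
   ldap suffix = dc=ab,dc=com
   ldap group suffix = ou=Groups
   ldap user suffix = ou=Users
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Users
"""

SMBLDAP_CONF = """\
suffix="dc=ab,dc=com"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
"""

LDAP_CONF = """\
base dc=ab,dc=com
nss_base_passwd ou=Users,dc=ab,dc=com?one
nss_base_shadow ou=Users,dc=ab,dc=com?one
nss_base_group ou=Group,dc=ab,dc=com?one
"""

def norm(dn):
    """Case- and whitespace-insensitive form of a DN for comparison."""
    return dn.replace(" ", "").lower()

def parse_smb_conf(text):
    """Return the 'ldap ... suffix' settings, with the relative ones expanded
    to full DNs the way Samba does (ldap suffix appended)."""
    vals = {m.group(1): m.group(2)
            for m in re.finditer(r"^\s*(ldap [a-z ]*?suffix)\s*=\s*(.+?)\s*$", text, re.M)}
    base = vals["ldap suffix"]
    return {k: (v if k == "ldap suffix" else f"{v},{base}") for k, v in vals.items()}

def parse_smbldap_conf(text):
    """Return the quoted variables with ${suffix} substituted."""
    vals = {m.group(1): m.group(2) for m in re.finditer(r'^(\w+)="([^"]*)"', text, re.M)}
    return {k: v.replace("${suffix}", vals["suffix"]) for k, v in vals.items()}

def parse_ldap_conf(text):
    """Return {map: (base, scope)} from nss_base_<map> lines.
    nss_ldap uses the form base?scope?filter; scope is base, one or sub."""
    out = {}
    for m in re.finditer(r"^nss_base_(\w+)\s+(\S+)", text, re.M):
        parts = m.group(2).split("?")
        scope = parts[1] if len(parts) > 1 and parts[1] else "sub"  # assumed default
        out[m.group(1)] = (parts[0], scope)
    return out

def dn_visible(dn, base, scope):
    """Would a search at `base` with `scope` return an entry named `dn`?"""
    dn, base = norm(dn), norm(base)
    if scope == "base":
        return dn == base
    if not dn.endswith("," + base):
        return False
    relative = dn[: -len(base) - 1]          # RDNs between the entry and the base
    return "," not in relative if scope == "one" else True

def check(smb_text, smbldap_text, ldap_text):
    """Return a list of human-readable problems; empty means the files agree."""
    smb = parse_smb_conf(smb_text)
    sl = parse_smbldap_conf(smbldap_text)
    nss = parse_ldap_conf(ldap_text)
    problems = []
    for a, b in (("ldap user suffix", "usersdn"), ("ldap group suffix", "groupsdn"),
                 ("ldap machine suffix", "computersdn"), ("ldap idmap suffix", "idmapdn")):
        if norm(smb[a]) != norm(sl[b]):
            problems.append(f"smb.conf '{a}' = {smb[a]} but smbldap.conf {b} = {sl[b]}")
    # A machine trust account lives under the machine suffix; NSS must resolve it
    # or the POSIX side of the join cannot find the account.
    sample_entries = {
        "passwd": f"uid=nt$,{smb['ldap machine suffix']}",
        "group": f"cn=Domain Admins,{smb['ldap group suffix']}",
    }
    for nss_map, dn in sample_entries.items():
        base, scope = nss[nss_map]
        if not dn_visible(dn, base, scope):
            problems.append(f"nss_base_{nss_map} {base}?{scope} does not see {dn}")
    return problems

if __name__ == "__main__":
    for p in check(SMB_CONF, SMBLDAP_CONF, LDAP_CONF):
        print("PROBLEM:", p)
```

Run against the values from the thread it reports three things: the idmap DN differs between smb.conf (ou=Users) and smbldap.conf (ou=Idmap), `nss_base_passwd ...?one` cannot see uid=nt$,ou=Computers,dc=ab,dc=com, and `nss_base_group ou=Group,...` points at a container that is not the ou=Groups the other two files use. Changing the passwd base to `dc=ab,dc=com?sub`, as the reply suggests, clears the machine-account problem; a `?one` scope on dc=ab,dc=com would not, because the entry is two RDNs below it.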
I'm not at all experienced with the vampire command, but I believe it is supposed to bring passwords over. Perhaps someone can interject here who does know what they're talking about???

(note: bringing back on list from an accidental, i suspect, pm)

Kang Sun wrote:
>
> Hello Paul,
>
> I have questions on migration. Some other people like Eric
> Bennet and Mike Brodbelt posted similar questions. But I cannot
> find a definite answer to this question: would vampiring using
> samba/ldap/smbldap-tools actually migrate passwords at all?
>
> If the "add user/machine script" from smb.conf is the only
> tool the vampiring process is calling, it certainly won't create passwords.
> Below is the conversation between me and Mike. I hope you can help us.
>
> -- Kang
>
> Kang Sun wrote:
> > Hello Mike,
> >
> > I did similar things and have similar problems.
> > I looked at the ldap database, the migration did nothing but get all the
> > names of users and machines.
> > If the smbldap-* scripts are the only things the vampire process is calling, I
> > don't see how it would get anything else.
>
> Agreed, although when migrating with a tdbsam backend, the vampire
> process will populate the tdbsam with NT passwords and suchlike, but
> also runs the useradd scripts to add the posix users, so I thought that
> there may be some other data that Samba puts into LDAP directly, not via
> invoking the scripts.
>
> The documentation from John Terpstra's book (available online at
> http://de.samba.org/samba/docs/man/Samba-Guide/migration.html#id2549828)
> suggests that the process should work with an LDAP backend, but I'm
> currently at a loss to see how, and I'm unable to replicate this, even
> on a test network, with various versions of the Idealx smbldap-tools. It
> doesn't appear to work as advertised at the moment.
>
> > After vampiring,
> >
> > 1. All the computer accounts and user accounts (posixAccount as well) are
> > created just like being created by smbldap-useradd, with the default
> > parameters as defined in the smbldap.conf or smbldap_config.pm, eg,
> > profiles, logon scripts, etc, user name, etc.
>
> Yes, this seems to work when run from the command line. Vampiring seems
> to throw up some errors that I've not tracked down yet though.
>
> > 2. Users lost their domain membership. Every user account now belongs
> > to the "Domain Users" group. No one is in the "Domain Admins" group except
> > Administrator.
> >
> > The migration process must have done more than just calling these
> > smbldap-tools scripts, but I just don't see the effect.
> >
> > What do you see if you do
> > smbldap-usershow <userid> or <machinename>$ ?
>
> # smbldap-usershow detritus
> dn: uid=rwind,ou=People,dc=acu,dc=ac,dc=uk
> objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSAMAccount
> cn: rwind
> sn: rwind
> uid: rwind
> uidNumber: 1006
> gidNumber: 513
> homeDirectory: /home/rwind
> loginShell: /bin/bash
> gecos: System User
> description: System User
> userPassword: {crypt}x
> sambaPwdLastSet: 0
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaPwdMustChange: 2147483647
> displayName: System User
> sambaAcctFlags: [UX]
> sambaSID: S-1-5-21-2704678572-2069052080-1039482078-3012
> sambaLMPassword: XXX
> sambaPrimaryGroupSID: S-1-5-21-2704678572-2069052080-1039482078-513
> sambaProfilePath: \\TALITHA\profiles\rwind
> sambaHomePath: \\TALITHA\home\rwind
> sambaHomeDrive: M:
> sambaNTPassword: XXX
>
> # smbldap-usershow "quirm$"
> dn: uid=quirm$,ou=Computers,dc=acu,dc=ac,dc=uk
> objectClass: top,inetOrgPerson,posixAccount
> cn: quirm$
> sn: quirm$
> uid: quirm$
> uidNumber: 1013
> gidNumber: 515
> homeDirectory: /dev/null
> loginShell: /bin/false
> description: Computer
>
> > or smbldap-groupshow <groupid> ?
>
> # smbldap-groupshow "Domain Admins"
> dn: cn=Domain Admins,ou=Groups,dc=acu,dc=ac,dc=uk
> objectClass: posixGroup,sambaGroupMapping
> gidNumber: 512
> cn: Domain Admins
> memberUid: Administrator
> description: Netbios Domain Administrators
> sambaSID: S-1-5-21-2704678572-2069052080-1039482078-512
> sambaGroupType: 2
> displayName: Domain Admins
>
> So all that seems to have worked. It's just that some of the information
> hasn't migrated across, and in the context of a transparent migration
> off the NT4 server, the information that hasn't propagated is a
> showstopper. Despite reading all the docs I can lay hands on, I still
> can't see why, and the vampire process is not transparent to me - the
> docs just assume it'll work completely or not at all - there's nothing
> to tell one how to try and troubleshoot it if it half works, which is
> what's happening for me.
>
> Mike.
>
> "Eric J Bennett" <eric.bennett@itouch.com.au> wrote in message
> news:<40FB1140.6020103@itouch.com.au>...
> > Hi all,
> >
> > I'm really lost here, I do net rpc vampire and it works perfectly for
> > user accounts (sets NTLM pass etc) and creates machine accounts, but
> > fails to allocate their password hashes, I think it's calling the
> > smbldap-useradd utility to add accounts for machines, but I don't see
> > why this would make the hashes transfer for users but not machines?
> >
> > Any help much appreciated.
> >
> > Regards
> > Eric Bennett

-- 
Paul Gienger                          Office: 701-281-1884
Applied Engineering Inc.
Information Systems Consultant        Fax:    701-281-1322
URL: www.ae-solutions.com             mailto: pgienger@ae-solutions.com
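The smbldap-usershow output quoted in the message above shows the pattern behind both Mike's and Eric's reports: the migrated user carries sambaSamAccount with a SID, account flags and NT/LM hashes, while the machine account quirm$ was created by the add-machine script as a bare posixAccount and so has nothing Samba can use for a trust-account logon. The audit script below is an added example, not code from the thread, from Samba or from smbldap-tools; it parses smbldap-usershow / smbldap-groupshow output and flags user and machine accounts that lack sambaSamAccount, a sambaSID or an NT hash, checks that sambaAcctFlags carry the expected U (user) or W (workstation trust) flag, and lists the members of each Samba-mapped group so that lost "Domain Admins" membership is visible at a glance. The sample entries are constructed from the output quoted in the thread (password hashes were already redacted as XXX there).

```python
"""Audit smbldap-usershow / smbldap-groupshow output for accounts the Samba
LDAP backend cannot use after a migration. Added example, not code from the
thread, from Samba or from smbldap-tools. The entries below are constructed
from the output quoted in the thread; the hashes were already redacted as XXX
there."""

SAMPLE = """\
dn: uid=rwind,ou=People,dc=acu,dc=ac,dc=uk
objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSAMAccount
uid: rwind
uidNumber: 1006
gidNumber: 513
sambaAcctFlags: [UX]
sambaSID: S-1-5-21-2704678572-2069052080-1039482078-3012
sambaLMPassword: XXX
sambaPrimaryGroupSID: S-1-5-21-2704678572-2069052080-1039482078-513
sambaNTPassword: XXX

dn: uid=quirm$,ou=Computers,dc=acu,dc=ac,dc=uk
objectClass: top,inetOrgPerson,posixAccount
uid: quirm$
uidNumber: 1013
gidNumber: 515
description: Computer

dn: cn=Domain Admins,ou=Groups,dc=acu,dc=ac,dc=uk
objectClass: posixGroup,sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: Administrator
sambaSID: S-1-5-21-2704678572-2069052080-1039482078-512
sambaGroupType: 2
"""

def parse_entries(text):
    """Split tool output into blank-line separated entries of attr -> [values].
    smbldap-tools prints objectClass as one comma-joined value, so split it."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(":")   # first colon only; values may contain ':'
        attr, value = attr.strip(), value.strip()
        values = [v.strip() for v in value.split(",")] if attr.lower() == "objectclass" else [value]
        cur.setdefault(attr, []).extend(values)
    if cur:
        entries.append(cur)
    return entries

def has_class(entry, name):
    """LDAP objectClass names are case-insensitive (sambaSAMAccount == sambaSamAccount)."""
    return any(c.lower() == name.lower() for c in entry.get("objectClass", []))

def audit_accounts(entries):
    """Return one finding per defect that would stop Samba authenticating the account."""
    findings = []
    for e in entries:
        if "uid" not in e:
            continue                                   # groups are handled separately
        dn, uid = e["dn"][0], e["uid"][0]
        kind = "machine" if uid.endswith("$") else "user"
        if not has_class(e, "sambaSamAccount"):
            findings.append(f"{dn}: {kind} account has only posixAccount, no sambaSamAccount")
            continue
        for attr in ("sambaSID", "sambaNTPassword"):
            if attr not in e:
                findings.append(f"{dn}: {kind} account lacks {attr}")
        flags = e.get("sambaAcctFlags", [""])[0]
        want = "W" if kind == "machine" else "U"       # W = workstation trust, U = user
        if want not in flags:
            findings.append(f"{dn}: sambaAcctFlags {flags!r} lacks {want}")
    return findings

def group_members(entries):
    """Return {group name: [memberUid...]} for groups that carry sambaGroupMapping."""
    return {e["cn"][0]: e.get("memberUid", [])
            for e in entries if has_class(e, "sambaGroupMapping")}

if __name__ == "__main__":
    entries = parse_entries(SAMPLE)
    for f in audit_accounts(entries):
        print("FINDING:", f)
    print("group membership:", group_members(entries))
```

On the quoted data the only finding is the machine account: quirm$ has no sambaSamAccount at all, so there is no SID, no NT hash and no W flag for Samba to check when the workstation tries to authenticate, which matches Eric's observation that hashes transfer for users but not machines. The group listing shows Domain Admins holding only Administrator, the membership loss Kang describes. Pipe real `smbldap-usershow` output into `parse_entries` to run the same checks against a live directory.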