samba - Aug 2004 - adding users to smb pdc smb3 backend

hi guys,
wondering if someone could point me in the right direction.
im wanting to setup a smb3 PDC with an LDAP backend.  both LDAP and SMB
are now operating correctly (I have copied the conf file at end).
I have been able to set up account containers as per 'the offical samba3
howto reference guide'  and i am able to search via ldapsearch.  my
problem comes when i try to add users via smbpasswd.  first i am
creating a local linux user and assigning it a group then when i use
smbpasswd -a to create a smb user i get the following error even though
as seen the entry appears to have been copied to the LDAP backend.

I am pretty sure this has something to do with linking linux and smb
groups via the net groupmap command.  but i cant seem to get net group
ADD to add a group in the first place to map?

anyway any help would be appreciated

shaun



[root@tony openldap-2.2.13]# smbpasswd -a ian
New SMB password:
Retype new SMB password:
ldapsam_modify_entry: LDAP Password could not be changed for user ian:
Internal (implementation specific) error
        entry modify failed
ldapsam_add_sam_account: failed to modify/add user with uid = ian (dn
uid=ian,ou=employees,dc=cytopia,dc=com)
Failed to add entry for user ian.
Failed to modify password entry for user ian

####entry created in ldap########

dn: uid=ian,ou=employees,dc=cytopia,dc=com
uid: ian
sambaSID: S-1-5-21-3995496493-1773488642-876406942-2012
sambaPrimaryGroupSID: S-1-5-21-3995496493-1773488642-876406942-2013
displayName: ian phillips
sambaPwdCanChange: 1092123003
sambaPwdMustChange: 2147483647
sambaLMPassword: C50858A30F319CA193E28745B8BF4BA6
sambaNTPassword: 566A42297505E082A6FF6F8BC037C947
sambaPwdLastSet: 1092123003
sambaAcctFlags: [U          ]
objectClass: sambaSamAccount
objectClass: account
structuralObjectClass: account
entryUUID: d6f27818-7eea-1028-91bb-dd2331af51ac
creatorsName: cn=Manager,dc=cytopia,dc=com
createTimestamp: 20040810073003Z
entryCSN: 2004081007:30:03Z#0x0001#0#0000
modifiersName: cn=Manager,dc=cytopia,dc=com
modifyTimestamp: 20040810073003Z




###smb.conf exert#########

# Scripts for file (passwd, smbpasswd) backend:
add user script = /usr/sbin/useradd -m %u
delete user script = /usr/sbin/userdel -r  %u
add user to group script = /usr/sbin/usermod -G %g %u
#delete user from group script = /usr/bin/gpasswd -d '%u' '%g'
; set primary group script = /usr/sbin/usermod -g '%g' '%u'
#add group script = /usr/sbin/groupadd %g
delete group script = /usr/sbin/groupdel %g

# Scripts for LDAP backend (assumes nss_ldap is in use on the domain
controller,
# and needs configuration in smbldap_conf.pm
;add user script = /usr/share/samba/scripts/smbldap-useradd.pl '%u'
; delete user script = /usr/share/samba/scripts/smbldap-userdel.pl '%u'
; add user to group script /usr/share/samba/scripts/smbldap-groupmod.pl -m
'%u' '%g'
; delete user from group script /usr/share/samba/scripts/smbldap-groupmod.pl -x
'%u' '%g'
; set primary group script = /usr/share/samba/scripts/smbldap-usermod.pl
-g '%g' '%u'
add group script = /usr/share/samba/scripts/smbldap-groupadd.pl '%g'
&&
/usr/share/samba/scripts/smbldap-groupshow.pl %g|awk '/^gidNumber:/
{print $2}'
; delete group script = /usr/share/samba/scripts/smbldap-userdel.pl '%g'


# The add machine script is use by a samba server configured as a domain
# controller to add local machine accounts when adding machines to the
domain.
# The script must work from the command line when replacing the macros,
# or the operation will fail. Check that groups exist if forcing a
group.
# Script for domain controller for adding machines:
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null \ -g
machines %u


# Script for domain controller for adding machines:
add machine script = /usr/sbin/useradd -s /bin/false -d /dev/null \ -g
machines %u
# Script for domain controller with LDAP backend for adding machines
(please
# configure in /etc/samba/smbldap_conf.pm first):
; add machine script = /usr/share/samba/scripts/smbldap-useradd.pl -w -d
/dev/null -g machines -c 'Machine Account' -s /bin/false %u

# Domain groups:
# Domain groups are now configured by using the 'net groupmap' tool

# Samba Password Database configuration:
# Samba now has runtime-configurable password database backends.
Multiple
# passdb backends may be used, but users will only be added to the first
one
# Default:
passdb backend = ldapsam:ldap://localhost
# TDB backen with fallback to smbpasswd and guest
; passdb backend = tdbsam smbpasswd guest
# LDAP with fallback to smbpasswd guest
# Enable SSL by using an ldaps url, or enable tls with 'ldap ssl' below.
; passdb backend = ldapsam:ldaps://ldap.mydomain.com smbpasswd guest
# Use the samba2 LDAP schema:
; passdb backend = ldapsam_compat:ldaps://ldap.mydomain.com smbpasswd
guest

# Idmap settings:
# Idmap backend to use:
idmap backend = ldap:ldap://ldap.localhost

# This is a range of unix user-id's that samba will map non-unix RIDs
to,
# such as when using Winbind
; idmap uid = 10000-20000
; idmap gid = 10000-20000

# LDAP configuration for Domain Controlling:
# The account (dn) that samba uses to access the LDAP server
# This account needs to have write access to the LDAP tree
# You will need to give samba the password for this dn, by
# running 'smbpasswd -w mypassword'
; ldap admin dn = cn=root,dc=mydomain,dc=com
ldap ssl = no
# start_tls should run on 389, but samba defaults incorrectly to 636
; ldap port = 389
ldap suffix = dc=cytopia,dc=com
# Seperate suffixes are available for machines, users, groups, and
idmap, if
; ldap suffix appears first, it is appended to the specific suffix.
# Example for a unix-ish directory layout:
ldap machine suffix = ou=computers
ldap user suffix = ou=employees
ldap group suffix = ou=groups
ldap idmap suffix = ou=employees
ldap admin dn = cn=Manager,dc=cytopia,dc=com
ldap passwd sync = Yes

###########slapd.conf###############
include /usr/share/openldap/schema/core.schema
include /usr/share/openldap/schema/cosine.schema
include /usr/share/openldap/schema/inetorgperson.schema
include /usr/share/openldap/schema/nis.schema
include /usr/share/openldap/schema/samba.schema


pidfile         /var/run/ldap/slapd.pid
argsfile        /var/run/ldap/slapd.args

# logging
loglevel -1

#######################################################################
# database definitions
#######################################################################

database        bdb
suffix          "dc=cytopia,dc=com"
#suffix         "o=My Organization Name,c=US"
rootdn          "cn=Manager,dc=cytopia,dc=com"
#rootdn         "cn=Manager,o=My Organization Name,c=US"

# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          secret
# service AN


# The database directory MUST exist prior to running slapd AND
# should only be accessable by the slapd/tools. Mode 700 recommended.
directory       /var/lib/ldap

# Indices to maintain
index   objectClass                             eq
index   cn                                      pres,sub,eq
index   sn                                      pres,sub,eq
index   uid                                     pres,sub,eq
index   displayname                             pres,sub,eq
index   uidnumber                               eq
index   gidnumber                               eq
index   memberUid                               eq
index   sambaSID                                eq
index   sambaPrimaryGroupSID                    eq
index   sambaDomainName                         eq
index   default                                 sub
#index  objectClass,uid,uidNumber,gidNumber     eq
#index  cn,mail,surname,givenname               eq,subinitial
# samba searches on sid
#index  sambaSID                                eq

# Basic ACL (deprecated in favour of ACLs in
/etc/openldap/slapd.access.conf)
#access to attr=userPassword
#        by self write
#        by anonymous auth
#        by dn="uid=root,ou=People,dc=example,dc=com" write
#        by * none

access to *
        by * read
        by * write