Alex_Brown@pap.state.ga.us
2004-Nov-23 18:52 UTC
[Samba] Users being deleted from Domain Users group on Samba BDC during vampire process of migration
I think I'm having a problem during the vampire process. Would someone tell me why my domain users are being deleted from the Domain Users group after they are created?

First, the accounts are being created normally...

Creating account: marshah
Creating account: marshab
Creating account: johnp
.
.
.
Creating account: ronniem
Creating account: bobbyr
Creating account: robertk
Creating account: g4400$
Creating account: INFI2292-80$
Creating account: PAP-E06EFL2FLCA$
Creating account: G830-78$
Creating account: COL190GPCTAB-62$
Creating account: PERIA30-63$
Creating account: ROM010IA30-71$
Creating account: DEK480IA30-73$
Group members of Domain Admins: charliebrown,faxserver,joeblow(primary),vbe(primary),snoopy(primary),epo,xerox,
Group members of Domain Users: PRIMARY$(primary),CONSDEV$(primary),marshah(primary),marshab(primary),johnp(primary) . . . <snip> rajg(primary),FIEGATEWAY450-5$(primary),MAC120I2652-8$(primary),FISGE2000D-2$(primary),DISGE2000D-1$(primary),ADA440GPCTAB-6$(primary),CJRG450ROG-29$(primary),DAL230GPCTAB-21$(primary),THO070GPCTAB-65$(primary),CAN300GPCTAB-5$(primary),ADA440GPCTAB-75$(primary),THO070GPCTAB-7$(primary),CAN300GPCTAB-4$(primary),DOU400GPCTAB-25$(primary),CAR540GPCTAB-8$(primary),LAG310GPCTAB-5$(primary),ELL560GPCTAB-2$(primary),LAG310GPCTAB-12$(primary),ELL560GPCTAB-18$(primary),LAG310GPCTAB-2$(primary),ELL560GPCTAB-4$(primary),CON360GPCTAB-2$(primary),LAG310GPTAB-15$(primary),INFGFE2000D-100$(primary),LAG310GPCTAB-6$(primary),DAH590GPCTAB-6$(primary)
.
.
.
<snip>

Then the users are being deleted . . .

deleting user marshah from group Domain Users
deleting user marshab from group Domain Users
deleting user johnp from group Domain Users
.
.
.
deleting user joyceb from group Domain Users
deleting user lyndae from group Domain Users
deleting user janices from group Domain Users
deleting user mredding from group Domain Users
deleting user darylb from group Domain Users
deleting user deborahm from group Domain Users
deleting user tammyc from group Domain Users
deleting user jeanettb from group Domain Users
deleting user dessiep from group Domain Users
deleting user jennifej from group Domain Users

The users with "(primary)" attached to their name are being deleted. As you can see, the Domain Admins group no longer includes jonathanb, ninos or vbe.

sd1:~# getent group | grep "Domain Admins"
Domain Admins:x:512:charliebrown,faxserver,epo,xerox

There were several hundred domain users but after the migration there are only a few.

-----------------------------------------------------------------------------------------------------------------------------
Here is my smb.conf.

[global]
unix charset = LOCALE
workgroup = PAP
netbios name = SD1
server string
announce version = 4.0
#interfaces = lo
#bind interfaces only = Yes
passdb backend = ldapsam:ldap://127.0.0.1
username map = /etc/samba/smbusers
log level = 2
syslog = 0
log file = /var/log/samba/log.%m
max log size = 50
smb ports = 139 445
name resolve order = wins bcast hosts
time server = Yes
printcap name = CUPS
show add printer wizard = No

add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
delete user script = /usr/local/sbin/smbldap-userdel "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/local/sbin/smbldap-groupdel "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"

logon script = scripts\SLOGIC.bat
logon path
logon drive = X:
domain logons = Yes
domain master = No
preferred master = Yes
ldap delete dn = Yes
ldap suffix = dc=home,dc=us
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups

## Example 6.5. LDAP Based smb.conf File, Server: MASSIVE global Section: Part B
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=admin,dc=home,dc=us
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
map acl inherit = Yes
printing = cups
printer admin = Administrator, alexb

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = Yes
locking = No

[homes]
comment = Home Directories
valid users = %U
read only = No
browseable = No

------------------------------------------------------------------------------------------------------------
Here is my smbldap.conf

SID removed from this intentionally.

# Ex: slaveLDAP=127.0.0.1
slaveLDAP="127.0.0.1"
slavePort="389"

# Master LDAP : needed for write operations
# Ex: masterLDAP=127.0.0.1
masterLDAP="127.0.0.1"
masterPort="389"

# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
ldapTLS="0"

# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"

# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/smbldap-tools/ca.pem"

# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/smbldap-tools/smbldap-tools.pem"

# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/smbldap-tools/smbldap-tools.key"

# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=home,dc=us"

# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
usersdn="ou=Users,${suffix}"

# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
computersdn="ou=Computers,${suffix}"

# Where are stored Groups
# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
groupsdn="ou=Groups,${suffix}"

# Where are stored Idmap entries (used if samba is a domain member server)
# Ex groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################

# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"
#userLoginShell="/bin/false"

# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"
#userHome="/dev/null"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="99"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

# The UNC path to home drives location (%U username substitution)
# Ex: \\My-PDC-netbios-name\homes\%U
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
#userSmbHome="\\SD1\homes\%U"
userSmbHome=""

# The UNC path to profiles locations (%U username substitution)
# Ex: \\My-PDC-netbios-name\profiles\%U
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
#userProfile="\\SD1\profiles\%U"
userProfile=""

# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: H: for H:
userHomeDrive="X:"
#userHomeDrive=""

# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: %U.cmd
# userScript="startup.cmd" # make sure script file is edited under dos
userScript="SLOGIC.bat"
#userScript=""

-------------------------------------------------------------------------------------------------------------------------
And here is my libnss-ldap.conf

host 127.0.0.1

# The distinguished name of the search base.
base dc=home,dc=us

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
rootbinddn cn=admin,dc=home,dc=us

nss_base_group ou=Groups,dc=home,dc=us?one
nss_base_hosts ou=Computers,dc=home,dc=us?one

----------------------------------------------------------------------------------------------------------------------

What am I doing wrong?

Thanks for any help you can give.

Alex

-- 
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.
Georgia State Board of Pardons and Paroles
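As an added example (not from this thread, and not code from Samba or smbldap-tools), the following Python script reconciles the three kinds of line the post quotes from a vampire run ("Creating account:", "Group members of ...:", "deleting user ... from group ...") so that a migrated BDC can be audited before any share ACL or "valid users" rule is trusted: it reports which accounts were created and then removed from a group, and whether each removed member had been listed only as a "(primary)" member. The account names in the embedded sample log are constructed; the poster's full log is not reproduced.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the line formats quoted in the post
# (hypothetical names, not the poster's full log): accounts created, the
# membership the run reported per group, then the "deleting user" lines.
SAMPLE_LOG = """\
Creating account: marshah
Creating account: marshab
Creating account: johnp
Creating account: g4400$
Group members of Domain Admins: charliebrown,faxserver,joeblow(primary),epo,xerox,
Group members of Domain Users: PRIMARY$(primary),marshah(primary),marshab(primary),johnp(primary),g4400$(primary),alexb
deleting user marshah from group Domain Users
deleting user marshab from group Domain Users
deleting user johnp from group Domain Users
"""

CREATE_RE = re.compile(r"^Creating account: (\S+)$")
MEMBERS_RE = re.compile(r"^Group members of (.+?): (.*)$")
DELETE_RE = re.compile(r"^deleting user (\S+) from group (.+)$")
PRIMARY_TAG = "(primary)"


def parse_vampire_log(text):
    """Split the captured run into three views.

    Returns (created, members, deletions):
      created   - set of account names the run reported as created
      members   - {group: {member: is_primary}} from "Group members of" lines
      deletions - list of (user, group) from "deleting user" lines
    Membership tokens containing whitespace (". . . <snip>" residue from a
    trimmed log) are skipped rather than parsed as names.
    """
    created, members, deletions = set(), defaultdict(dict), []
    for raw in text.splitlines():
        line = raw.strip()
        m = CREATE_RE.match(line)
        if m:
            created.add(m.group(1))
            continue
        m = MEMBERS_RE.match(line)
        if m:
            group, rest = m.group(1), m.group(2)
            for token in rest.split(","):
                token = token.strip()
                if not token or " " in token:
                    continue
                is_primary = token.endswith(PRIMARY_TAG)
                name = token[:-len(PRIMARY_TAG)] if is_primary else token
                members[group][name] = is_primary
            continue
        m = DELETE_RE.match(line)
        if m:
            deletions.append((m.group(1), m.group(2)))
    return created, dict(members), deletions


def audit(created, members, deletions):
    """Classify every deletion against what the run itself listed."""
    findings = {
        "removed_primary": [],       # deleted from a group listed as their primary group
        "removed_explicit": [],      # deleted although listed as an explicit member
        "deleted_unknown": [],       # deletion names a user/group the run never listed
        "created_then_removed": [],  # created in this run, then removed from a group
        "net_members": {},           # group -> members left once deletions are applied
    }
    remaining = {g: set(m) for g, m in members.items()}
    for user, group in deletions:
        listed = members.get(group, {})
        if user not in listed:
            findings["deleted_unknown"].append((user, group))
        elif listed[user]:
            findings["removed_primary"].append((user, group))
        else:
            findings["removed_explicit"].append((user, group))
        if user in created:
            findings["created_then_removed"].append(user)
        remaining.get(group, set()).discard(user)
    findings["created_then_removed"].sort()
    findings["net_members"] = {g: sorted(m) for g, m in remaining.items()}
    return findings


def summarize(text):
    """Parse and audit one captured run; returns the findings plus a summary."""
    created, members, deletions = parse_vampire_log(text)
    findings = audit(created, members, deletions)
    lines = ["accounts created: %d" % len(created)]
    for group in sorted(members):
        lines.append("%s: %d listed by the run, %d left after deletions"
                     % (group, len(members[group]), len(findings["net_members"][group])))
    lines.append("deletions of primary-group members: %d" % len(findings["removed_primary"]))
    lines.append("deletions of explicit members: %d" % len(findings["removed_explicit"]))
    lines.append("created in this run and then removed: %s" % findings["created_then_removed"])
    findings["summary"] = "\n".join(lines)
    return findings


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG)["summary"])
```

To use it on a real migration, capture the vampire output to a file and pass its contents to summarize(); the "net_members" view is what to compare against getent group on the BDC (as the poster did for Domain Admins) before relying on group membership for access control.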
Hi all, I have a question that seems to be an issue when authenticating users for ADS. Before we went to AD we had a 2k domain called Enterprise. Since then we created a domain called Corporated.net and all went well. Now I'm trying to add my samba server to that domain but when users log in with their old accounts (i.e. Enterprise\username) the Samba server does not authenticate that user against the DC. How do I let samba know that my CorporateD.net and Enterprise domain users should be authenticated against the same DC? Thanks in advance, R.
Bradley Tate
2004-Nov-30 11:24 UTC
[Samba] Users being deleted from Domain Users group on Samba BDC during vampire process of migration
I'm having the same problem but sadly also have no solution. Any clues I'd be grateful.

Cheers,
Bradley.

Alex_Brown@pap.state.ga.us wrote:
>I think I'm having a problem during the vampire process. Would someone
>tell me why my domain users are being deleted from the Domain Users group
>after they are created?
>
>[...]