James MacLean
2005-Feb-19 02:53 UTC
[Samba] PDC with NSVSD/smbpasswd ok, but MySQL backend not quite
Hi Folks,

Samba-3.0.11.

. Using /etc/passwd, /etc/group, smbpasswd - everything in the PDC world seems fine.

. Using /etc/passwd, /etc/group, MySQL backend - I can join the domain but get an error about not being able to find a domain controller when I try to login to the domain with an mysql user. Logging in as root is ok, but likely that is because I use both mysql and smbpasswd backends.

. Using the new NSS http://fssos.sourceforge.net/ works ok if I use smbpasswd.

. Once I switch to NSVS(NSS) and MySQL, I can not log any new users in, but, if I log in as a user who originally got in by being in smbpasswd but has since been deleted from smbpasswd, I can continue to login successfully if they exist in the MySQL.

. net rpc group info <smbpasswd user> gives all group info from /etc/group.
. net rpc group info <mysql only user> shows none of the groups they belong to regardless of their existence in /etc/passwd

Long story short... I can only get a new user logged into a PC via the domain for their first time if they have an entry in smbpasswd. After that, being in the MySQL backend appears to be enough.

I can pass along configs if needed, but since it works except for the mysql change I didn't want to confuse the problem. I don't see the NSS/NSVS being any influence, but wanted to show how the solution was meant to fit together :).

Is this a known limitation in the MySQL backend or more likely, am I setting something up incorrectly?

thanks,
JES

James MacLean
2005-Feb-20 03:57 UTC
[Samba] PDC with NSVSD/smbpasswd ok, but MySQL backend not quite
James MacLean wrote:
> Hi Folks,
>
> Samba-3.0.11.
>
> . Using /etc/passwd, /etc/group, smbpasswd - everything in the PDC
> world seems fine.
>
> . Using /etc/passwd, /etc/group, MySQL backend - I can join the domain
> but get an error about not being able to find a domain controller when
> I try to login to the domain with an mysql user. Logging in as root is
> ok, but likely that is because I use both mysql and smbpasswd backends.
>
> . Using the new NSS http://fssos.sourceforge.net/ works ok if I use
> smbpasswd.
>
> . Once I switch to NSVS(NSS) and MySQL, I can not log any new users
> in, but, if I log in as a user who originally got in by being in
> smbpasswd but has since been deleted from smbpasswd, I can continue to
> login successfully if they exist in the MySQL.
>
> . net rpc group info <smbpasswd user> gives all group info from
> /etc/group.
> . net rpc group info <mysql only user> shows none of the groups they
> belong to regardless of their existence in /etc/passwd
>
> Long story short... I can only get a new user logged into a PC via the
> domain for their first time if they have an entry in smbpasswd. After
> that, being in the MySQL backend appears to be enough.
>
> I can pass along configs if needed, but since it works except for the
> mysql change I didn't want to confuse the problem. I don't see the
> NSS/NSVS being any influence, but wanted to show how the solution was
> meant to fit together :).
>
> Is this a known limitation in the MySQL backend or more likely, am I
> setting something up incorrectly?
>
> thanks,
> JES

I am getting there :). I now have :

. The MySQL user table from examples/pdb/mysql/mysql.dump loaded from a file of users/passwords.
. The new NSS (FSSOS-NSVS) uses it to get the UID.
. Samba uses it for the MySQL backend - no smbpasswd backend.
. Using "net rpc rights" I was able to have a non-root user used to join a computer to a domain
. Log into the domain with users from the MySQL database.

The gotcha that was occurring above was that the SIDs I had been importing were not constructed from this Samba's local SID :

    net getlocalsid

I then in haste had the wrong domain in the domain field, so one has to remember that :).

To change my localsid I did some drastic things :

1. rm /etc/samba/secrets.tdb
2. rm -f /var/lock/samba
3. mkdir /var/lock/samba
4. net setlocalsid <newsid>
5. Check they are ok with "net groupmap list"

But 'twas a new install so I did not mind.

I also added the administrator account -500 as described at the bottom of http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html and mapped "Domain Users/Domain Admins/Domain guests/Administrators" to local unix accounts, which I verified with "net rpc user info <someone>" in the groups.

But I now see that the NT tool usrmgr has a problem looking at user accounts. The users all show up, but when I try to expand any I get :

    The following error occurred accessing the properties of the user <user>
    The stub received bad data.
    The user properties can not be viewed or edited at this time.

Any advice :)?

JES
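
Added example, not part of the original post and not Samba code: a pre-import check for the gotcha described above, flagging account SIDs that were not built from the SID reported by "net getlocalsid". The function names, the sample output line and the sample SIDs are constructed for illustration; the (username, SID) pairs are assumed to have been exported from the passdb user table beforehand.

```python
import re

# A domain (machine) SID: S-1-5-21 followed by three sub-authorities.
DOMAIN_SID = re.compile(r"S-1-5-21(?:-\d+){3}")

def parse_local_sid(net_output):
    """Pull the domain SID out of the text printed by `net getlocalsid`."""
    m = DOMAIN_SID.search(net_output)
    if m is None:
        raise ValueError("no domain SID found in output")
    return m.group(0)

def split_account_sid(sid):
    """Split an account SID into (domain_sid, rid); reject anything else."""
    domain, _, rid = sid.strip().rpartition("-")
    if not DOMAIN_SID.fullmatch(domain) or not rid.isdigit():
        raise ValueError("not a domain account SID")
    return domain, int(rid)

def audit_sids(local_sid, accounts):
    """Return (username, problem) for each SID not built from local_sid."""
    problems = []
    for user, sid in accounts:
        try:
            domain, _rid = split_account_sid(sid)
        except ValueError:
            problems.append((user, "malformed"))
            continue
        if domain != local_sid:
            problems.append((user, "foreign domain SID"))
    return problems

# Constructed sample data (not taken from the thread).
SAMPLE_NET_OUTPUT = "SID for domain EXAMPLE is: S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_ACCOUNTS = [
    ("alice", "S-1-5-21-1111111111-2222222222-3333333333-3000"),
    ("bob", "S-1-5-21-4444444444-5555555555-6666666666-3002"),  # other domain
    ("administrator", "S-1-5-21-1111111111-2222222222-3333333333-500"),
    ("carol", "S-1-5-21-1111-3004"),  # truncated during import
]

if __name__ == "__main__":
    local = parse_local_sid(SAMPLE_NET_OUTPUT)
    for user, problem in audit_sids(local, SAMPLE_ACCOUNTS):
        print(f"{user}: {problem}")
```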