Flatfender
2005-Apr-13 21:20 UTC
[Samba] PDC Problems(winbind, joining domain, net groupmap, etc), FreeBSD 5.3, LDAP
Goal: Have Samba operate as a PDC using LDAP as its passwd backend, and be able to have W2K servers as member servers.

Note: I have not posted any .conf files, because I am not sure which files would be relevant to see, since some things are working and some things are not.

Software list:
  Samba 3.0.12
  nss_ldap-1.204_5
  openldap-client-2.2.19
  openldap-server-2.2.23
  p5-perl-ldap-0.32.02
  pam_ldap-1.7.6
  smbldap-tools-0.8.8

What works:
OpenLDAP seems to be working fine, and I can use SSH & IMAP with LDAP user credentials. ldapsearch works with STARTTLS. The smbldap scripts from IDEALX seem to work (also with STARTTLS). smbldap-populate worked fine, as well as smbldap-useradd. If I browse Network Neighborhood with a W2K client I can authenticate to a user's home share that is in LDAP.

What doesn't work:
wbinfo -g shows:
  BUILTIN^administrators
  BUILTIN^account operators
  BUILTIN^print operators
  BUILTIN^backup operators
  BUILTIN^replicators
I would have expected it to show the domain name instead of BUILTIN, which makes me think the LDAP lookup is failing.

wbinfo -u shows:
  Error looking up domain users

Also, when I try to join a W2K Pro workstation to the domain using the root account/password, it fails with the "username cannot be found" error message. But the add machine script partially works: smbldap-useradd -w adds the posix attributes to the LDAP directory, but the samba attributes are missing. I have workstations being added to the ou=computer section in LDAP, and I have my ldap.conf and nss_ldap.conf set to point to a level above ou=Users and ou=computers for the passwd side of things, so that they should be properly found when descending the LDAP tree.

Trying to add or modify group mappings with net groupmap add or net groupmap modify fails.

Since getent isn't implemented in FreeBSD, I am using "pw group show -a" and "pw user show -a". This enumerates local files but nothing from LDAP.
One thing I have noticed about the IDEALX smbldap scripts is that they will write a partial record to LDAP even if part of the script fails. Also, I thought I read at one point that the nsswitch implementation in FreeBSD is missing some components, so users and groups still need to be in the local /etc/group & /etc/passwd files. Can anyone confirm the status of this? I think I am a little unsure of how to handle both Unix and NT groups in an LDAP implementation.

If anyone has any ideas on where to begin troubleshooting this, I would appreciate it.

Thank you,
Matt
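The post describes accounts that were only half-written to the directory (posix attributes present, Samba attributes missing) and winbind lookups that fail. Samba 3's ldapsam backend only sees entries that carry the sambaSamAccount objectClass with a sambaSID under the domain's SID (the sambaSID of the sambaDomain entry). The following checker is an added example, not code from the original post or from the smbldap-tools project; it parses a constructed, minimal LDIF dump of the kind `ldapsearch -LLL` produces and reports the entries a PDC would not be able to use. The LDIF content, domain name and SIDs are made up for illustration.

```python
"""Find posixAccount entries that a Samba 3 ldapsam PDC cannot use.

Added example: parses a minimal LDIF dump (no base64 '::' values) and
reports entries missing the sambaSamAccount objectClass, missing a
sambaSID, or carrying a sambaSID that is not under the domain SID.
"""


def parse_ldif(text):
    """Parse LDIF into a list of dicts: lowercase attribute -> [values].
    Handles the standard leading-space line continuation; skips comments.
    Base64 ('::') values are not decoded (they do not occur in the sample)."""
    entries, current, prev_key = [], None, None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and current is not None and prev_key:
            current[prev_key][-1] += raw[1:]      # folded continuation line
            continue
        if not raw.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
            current, prev_key = None, None
            continue
        key, _, value = raw.partition(":")
        key, value = key.strip().lower(), value.strip()
        if current is None:
            current = {}
        current.setdefault(key, []).append(value)
        prev_key = key
    if current:
        entries.append(current)
    return entries


def domain_sid(entries):
    """Return the sambaSID of the sambaDomain entry, or None if absent."""
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "sambadomain" in classes and e.get("sambasid"):
            return e["sambasid"][0]
    return None


def check_accounts(ldif_text):
    """Return (dn, problem) tuples for posixAccount entries that the
    ldapsam backend would ignore or that would break winbind lookups."""
    entries = parse_ldif(ldif_text)
    dom_sid = domain_sid(entries)
    problems = []
    if dom_sid is None:
        problems.append(("(directory)", "no sambaDomain entry with a sambaSID"))
    for e in entries:
        dn = e.get("dn", ["?"])[0]
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "posixaccount" not in classes:
            continue
        if "sambasamaccount" not in classes:
            problems.append((dn, "posixAccount without sambaSamAccount objectClass"))
            continue
        sid = e.get("sambasid", [None])[0]
        if not sid:
            problems.append((dn, "sambaSamAccount without sambaSID"))
        elif dom_sid and not sid.startswith(dom_sid + "-"):
            problems.append((dn, "sambaSID %s not under domain SID %s" % (sid, dom_sid)))
        # Machine accounts (ou=Computers) must have a uid ending in '$'.
        if "ou=computers" in dn.lower() and not e.get("uid", [""])[0].endswith("$"):
            problems.append((dn, "machine account uid must end with '$'"))
    return problems


# Constructed sample: one good user, one half-written machine account
# (posix only, as described in the post), one user with a foreign SID.
SAMPLE_LDIF = """\
dn: sambaDomainName=EXAMPLE,dc=example,dc=org
objectClass: sambaDomain
sambaDomainName: EXAMPLE
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: uid=alice,ou=Users,dc=example,dc=org
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
uidNumber: 1000
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3000

dn: uid=ws01$,ou=Computers,dc=example,dc=org
objectClass: top
objectClass: posixAccount
uid: ws01$
uidNumber: 1001

dn: uid=bob,ou=Users,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: bob
uidNumber: 1002
sambaSID: S-1-5-21-9999999999-2222222222-3333333333-3004
"""

if __name__ == "__main__":
    for dn, problem in check_accounts(SAMPLE_LDIF):
        print("%s: %s" % (dn, problem))
```

Run against a real dump with `ldapsearch -x -LLL -b "dc=example,dc=org" > dump.ldif` and pass the file contents to `check_accounts`; an entry flagged as posix-only is exactly the partial record the smbldap scripts leave behind when they fail part way, and a SID outside the domain prefix is one `net getlocalsid` / `net setlocalsid` will need to reconcile before `net groupmap` or winbind can resolve it.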