samba - Apr 2005 - Problem with groups & joining domain.- LDAP

Software list:

FreeBSD 5.3
Samba 3.0.14a
nss_ldap-1.204_5
openldap-client-2.2.19
openldap-server-2.2.23
p5-perl-ldap-0.32.02
pam_ldap-1.7.6
smbldap-tools-0.8.8

samba was configured with the following options. LDAP, Cups, Winbind,
utmp, popt, acl, quotas, msdfs, syslog, without_ADS

I have also tried winbind_nss which I believe is a FreeBSD wrapper
around the linux implentation of winbindd, but it yielded the same
results.

1. ldapadd & ldapserach w/tls is working fine.
2. smbldap-tools work.  smbldap-populate,
smbldap-migrate-unix-accounts/groups work.  smbldap-useradd works.
3. smbpasswd -w has been set.

What fails is joining a machine to the domain.  I get the domain
password is incorrect, the workstation account is created, but with
posix attributes only, no samba attributes.

problems with groups
If I add a group to the local /etc/group file, which I don't think
should have to do, but maybe this is a FreeBSD nsswitch bug?  Can
anyone confirm this?

pw group add domadmins
smbldap-groupadd -a domadmins - adds to ldap fine.
net groupmap modify ntgroup="Domain Admins" unixgroup=domadmins . This
fails with this error message:   and I get the same error message if
the -a omitted from smbldap-groupadd

 passdb/pdb_ldap.c:ldapsam_update_group_mapping_entry(2665)
  ldapsam_update_group_mapping_entry: No group to modify!
Could not update group database

net groupmap list shows all groups that are in LDAP.

What I suspect is that group lookups are failing somehow, but I'm not
sure.   Also If I browse through network neighborhood to the samba PDC
server, I can authenticate with an ordinary user and get the users
home dir.  So Users seem to be working.


Here is my smb.conf, my smblap.conf and my ldap.conf   

serf# testparm -s
Load smb config files from /usr/local/etc/smb.conf
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[Profiles]"
Processing section "[printers]"
Loaded services file OK.
# Global parameters
[global]
        dos charset = 850
        unix charset = ISO8859-1
        workgroup = IMSDOM
        server string = Samba Server [%v]
        map to guest = Bad User
        passdb backend = ldapsam:ldap://serf.ims-tpa.com
        username map = /usr/local/etc/smbusers
        log level = 5
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 50
        time server = Yes
        deadtime = 10
        printcap name = /etc/printcap
        add user script = /usr/local/sbin/smbldap-useradd -m "%u"
        add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
        add user to group script = /usr/local/sbin/smbldap-groupmod -m
"%u" "%g"
        delete user from group script /usr/local/sbin/smbldap-groupmod -x
"%u" "%g"
        set primary group script = /usr/local/sbin/smbldap-usermod -g
"%g" "%u"
        add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
        logon path = 
        logon drive = T:
        logon home = \\%L\home\%u
        domain logons = Yes
        os level = 33
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
        ldap admin dn = cn=Manager,dc=ims-tpa,dc=com
        ldap delete dn = Yes
        ldap group suffix = ou=Groups
        ldap machine suffix = ou=Users
        ldap passwd sync = Yes
        ldap suffix = dc=ims-tpa,dc=com
        ldap ssl = start tls
        ldap user suffix = ou=Users
        idmap backend = ldap:ldap://serf.ims-tpa.com
        idmap uid = 1000-20000
        idmap gid = 1000-20000
        winbind separator = ^
        printer admin = "@Print Operators"
        create mask = 0640
        directory mask = 0750
        hosts allow = 192.168.0., 127.
        nt acl support = No
        case sensitive = No
        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd

[homes]
        comment = Home Directories
        read only = No
        browseable = No

[netlogon]
        comment = Network Logon Service
        path = /usr/local/samba/netlogon
        guest ok = Yes
        share modes = No

[Profiles]
        path = /usr/local/samba/profiles
        read only = No
        guest ok = Yes
        browseable = No

[printers]
        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No


serf# less /usr/local/etc/smbldap-tools/smbldap.conf 

# $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
# $Id: smbldap.conf,v 1.17 2005/01/29 15:00:54 jtournier Exp $

# General Configuration

SID="S-1-5-21-1642798596-2503770835-627191294"
##############################################################################
#
# LDAP Configuration
#
##############################################################################

# Ex: slaveLDAP=127.0.0.1
# slaveLDAP="127.0.0.1"
# slavePort="389"

# Master LDAP : needed for write operations
# Ex: masterLDAP=127.0.0.1
# masterLDAP="127.0.0.1"
masterLDAP="serf.ims-tpa.com"
masterPort="389"

ldapTLS="1"

verify="require"

cafile="/usr/local/certs/cacert.pem"

clientcert=""
clientkey=""

# LDAP Suffix
suffix="dc=ims-tpa,dc=com"

usersdn="ou=Users,${suffix}"

computersdn="ou=Users,${suffix}"

groupsdn="ou=Groups,${suffix}"

idmapdn="ou=Idmap,${suffix}"

# Where to store next uidNumber and gidNumber available
sambaUnixIdPooldn="sambaDomainName=IMSDOM,${suffix}"

# Default scope Used
scope="sub"

# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
hash_encrypt="SSHA"

# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"

##############################################################################
# 
# Unix Accounts Configuration
# 
##############################################################################

userLoginShell="/bin/csh"

userHome="/home/%U"

# Gecos
userGecos="System User"

# Default User (POSIX and Samba) GID
defaultUserGid="513"

# Default Computer (Samba) GID
defaultComputerGid="515"

# Skel dir
skeletonDir="/etc/skel"

defaultMaxPasswordAge="99"

##############################################################################
#
# SAMBA Configuration
#
##############################################################################

userSmbHome=""


userHomeDrive="T:"

userScript=""

# mailDomain="ims-tpa.com"

##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################

# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="1"
smbpasswd="/usr/bin/smbpasswd"

# Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
# but prefer Crypt:: libraries
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

(END)                    


serf# less /etc/ldap.conf

# @(#)$Id: ldap.conf,v 1.34 2004/09/16 23:32:02 lukeh Exp $


host serf.ims-tpa.com

# The distinguished name of the search base.
base dc=ims-tpa,dc=com

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
# uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/   
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

loglevel 256
logfile /var/log/ldap.log

# The LDAP version to use (defaults to 3
# if supported by client library)
# ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=padl,dc=com

# The credentials to bind with. 
# Optional: default is no credential.
# bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
# rootbinddn cn=Manager,dc=ims-tpa,dc=com

# The port.
# Optional: default is 389.
port 389

# The search scope.
scope sub
#scope one
#scope base

# Search timelimit
# timelimit 30

# Bind/connect timelimit
# bind_timelimit 30

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
# bind_policy hard

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
# idle_timelimit 3600

# Filter to AND with uid=%s
# pam_filter objectclass=account

# The user ID attribute (defaults to uid)
# pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
# pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
# pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# If you are using XAD, you can set pam_password
# to racf, ad, or exop. Make sure that you have
# SSL enabled.

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service. 
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change
your password.

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX          base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd       ou=People,
# to append the default base DN but this
# may incur a small performance impact.
# nss_base_passwd       ou=People,dc=ims-tpa,dc=com?one
# nss_base_shadow       ou=People,dc=ims-tpa,dc=com?one
# nss_base_group        ou=Group,dc=ims-tpa,dc=com?one
#nss_base_hosts         ou=Hosts,dc=padl,dc=com?one
#nss_base_services      ou=Services,dc=padl,dc=com?one
#nss_base_networks      ou=Networks,dc=padl,dc=com?one
#nss_base_protocols     ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc           ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers        ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks      ou=Networks,dc=padl,dc=com?ne
#nss_base_bootparams    ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases       ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup      ou=Netgroup,dc=padl,dc=com?one

nss_base_passwd ou=Users,dc=ims-tpa,dc=com?sub
nss_base_passwd dc=ims-tpa,dc=com?sub
# nss_base_shadow       dc=ims-tpa,dc=com?sub
nss_base_group  ou=Groups,dc=ims-tpa,dc=com?sub



# attribute/objectclass mapping
# Syntax:
#nss_map_attribute      rfc2307attribute        mapped_attribute
#nss_map_objectclass    rfc2307objectclass      mapped_objectclass

# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword


# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl start_tls
# ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is "no"
tls_checkpeer no
TLS_REQCERT allow

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
# tls_cacertfile /etc/ssl/ca.cert
# tls_cacertdir /etc/ssl/certs
# tls_cacertdir /usr/local/certs/demoCA

# tls_cacertfile /usr/local/certs/servercert.pem
# tls_cacertfile /usr/local/certs/cacert.pem
tls_cacert /usr/local/certs/cacert.pem

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
tls_ciphers HIGH:MEDIUM:SSLv2


# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5
(END)