I have been using Samba with LDAP for a couple of years now (upgraded
from 2 to 3) and have never needed to make the server behave like a PDC.
Now we have a new project, and I need to get that fired up.

I have attempted to follow the directions in a couple of walkthroughs to
no avail. My problem seems to be coming from mapping the Windows group
names to a Linux group name and/or adding the domain member to the LDAP
database.

Here is the error I am getting:

[root@file-server samba]# net -d2 groupmap add rid=512 ntgroup="Domain Admins" unixgroup=cnrg
[2006/12/01 14:00:22, 2] lib/interface.c:add_interface(79)
added interface ip=128.174.124.12 bcast=128.174.127.255 nmask=255.255.252.0
[2006/12/01 14:00:22, 2] lib/smbldap.c:smbldap_search_domain_info(1373)
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=IGB))]
[2006/12/01 14:00:22, 2] lib/smbldap.c:smbldap_open_connection(692)
smbldap_open_connection: connection opened
[2006/12/01 14:00:23, 0] passdb/pdb_ldap.c:ldapsam_add_group_mapping_entry(2330)
ldapsam_add_group_mapping_entry: failed to add group 102 error: ?_ (Internal (implementation specific) error)
adding entry for group Domain Admins failed!
[2006/12/01 14:00:23, 2] utils/net.c:main(859)
return code = -1

And the smb.conf global section:

[global]
workgroup = igb
netbios name = IGB-FILE-SERVER
server string = Samba Server
passdb backend = ldapsam:ldap://auth.igb.uiuc.edu
log file = /var/log/samba/%m.log
max log size = 50
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain logons = Yes
dns proxy = No
wins support = Yes
ldap admin dn = cn=ldapadmin,dc=igb,dc=uiuc,dc=edu
ldap group suffix = ou=group
ldap suffix = dc=igb,dc=uiuc,dc=edu
ldap ssl = on
ldap user suffix = ou=People
ldap machine suffix = ou=computer
cups options = raw
add machine script = /usr/share/doc/samba-3.0.10/LDAP/smbldap-tools/smbldap-useradd -w
preferred master = Yes
domain master = Yes
password server = None
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
username map = /etc/samba/smbusers
winbind use default domain = no

And what I think are the appropriate LDAP entries:

# igb.uiuc.edu
dn: dc=igb,dc=uiuc,dc=edu
dc: igb
objectClass: dcObject
objectClass: organizationalUnit
ou: igb dot uiuc dot edu
# People, igb.uiuc.edu
dn: ou=People,dc=igb,dc=uiuc,dc=edu
objectClass: top
objectClass: organizationalUnit
ou: People
# group, igb.uiuc.edu
dn: ou=group,dc=igb,dc=uiuc,dc=edu
objectClass: top
objectClass: organizationalUnit
ou: group
# computer, igb.uiuc.edu
dn: ou=computer,dc=igb,dc=uiuc,dc=edu
objectClass: top
objectClass: organizationalUnit
ou: computer
# cnrg, group, igb.uiuc.edu
dn: cn=cnrg,ou=group,dc=igb,dc=uiuc,dc=edu
cn: cnrg
objectClass: posixGroup
gidNumber: 102
description: Computer and Network Resource Group
memberUid: danield
# danield, People, igb.uiuc.edu
dn: uid=danield,ou=People,dc=igb,dc=uiuc,dc=edu
uid: danield
cn: Daniel Davidson
mail: danield@igb.uiuc.edu
uidNumber: 600
gidNumber: 600
homeDirectory: /home/a-m/danield
gecos: Daniel Davidson
sambaSID: S-1-5-21-3679620730-2824407525-958489067-600
sambaLMPassword: barf
sambaNTPassword: barf
loginShell: /bin/bash
sn: Davidson
givenName: Daniel
objectClass: inetOrgPerson
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount

I thank anyone in advance who can give me a hand,
Dan