-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I am trying to get a samba setup with a pdc/bdc configuration. The
backend information stores are openldap (for passdb and idmap).

I have followed the instructions in the Samba Guide and the
documentation provided with the smbldap-tools package.

Samba version: 3.0.24
smbldap-tools: Using the version included in samba
(/usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2)

I can join machines to the domain. If I do a getent passwd from either
of the two servers, I get the requisite information (and it looks
valid). I have nsswitch pulling the information from ldap on both systems.
Layout:
fdsclient: pdc
fdsclient2: bdc
fdsmaster: openldap 2.2.13
OS on all systems is CentOS 4, mostly up to date on patches (as of a
few days ago).
All three systems are being run from within vmware - not sure it really
matters here.
From the pdc, if I run the command "net rpc user -U root%pass", I get
back the three currently-configured users. If I use the same command
from the bdc, I get nothing. If I do a "wbinfo -u" from the bdc, I get
the requisite information.

When I log into a windows machine (joined to the domain) and browse
the shares on both pdc and bdc, I get mixed results in file/dir
ownership. The files/dirs on the pdc report the domain\user values. If I
look at the permissions of a share on the bdc, I get "Unix user \ *user*"
instead of the domain\user.
Below is the smb.conf configuration for the pdc:
[global]
workgroup = BILSCH.LOCAL
server string = Samba Server %v
security = user
passdb backend = ldapsam:ldap://fdsmaster.bilsch.local/
idmap backend = ldapsam:ldap://fdsmaster.bilsch.local/
passwd program = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-passwd -u %u
passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
passwd chat debug = Yes
passwd chat timeout = 5
enable privileges = yes
username map = /etc/samba/smbusers
log level = 3
log file = /var/log/samba/%m.log
max log size = 100000
time server = Yes
deadtime = 10
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = cups
add user script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-useradd -m "%u"
add group script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-groupadd -p "%g"
add user to group script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-usermod -g '%g' '%u'
add machine script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-useradd -w "%u"
logon script = logon.bat
logon path = \\fdsclient\profiles\%U
logon drive = H:
name resolve order = wins bcast hosts
domain logons = Yes
os level = 255
preferred master = Yes
domain master = Yes
local master = Yes
wins support = Yes
#ldap admin dn = cn=smbadmin,ou=DSA,dc=bilsch,dc=local
ldap admin dn = cn=Manager,dc=bilsch,dc=local
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Users,ou=Computers
ldap passwd sync = Yes
ldap suffix = dc=bilsch,dc=local
ldap ssl = start tls
ldap user suffix = ou=Users
#idmap uid = 15000-20000
#idmap gid = 15000-20000
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
create mask = 0640
directory mask = 0750
case sensitive = No
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
null passwords = yes
encrypt passwords = yes
smb.conf from the bdc:
[global]
workgroup = BILSCH.LOCAL
server string = Samba Server %v
security = domain
password server = fdsclient.bilsch.local
log level = 4
log file = /var/log/samba/%m.log
enable privileges = yes
max log size = 50
os level = 0
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
local master = No
domain master = No
preferred master = No
dns proxy = No
cups options = raw
winbind enum users = Yes
winbind enum groups = Yes
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/false
winbind use default domain = Yes
nt acl support = yes
map acl inherit = yes
net rpc info output:
( pdc )
root@fdsclient:/var/log/samba# net rpc info -U root%*pass*
Domain Name: BILSCH.LOCAL
Domain SID: S-1-5-21-3786926362-4055794989-769170274
Sequence number: 1171644069
Num users: 3
Num domain groups: 4
Num local groups: 0
( bdc )
root@fdsclient2:/# net rpc info -U root%*pass*
Domain Name: BILSCH.LOCAL
Domain SID: S-1-5-21-3786926362-4055794989-769170274
Sequence number: 1171644046
Num users: 3
Num domain groups: 4
Num local groups: 0
root@fdsclient:/var/log/samba# net getdomainsid -U root%*pass*
SID for domain FDSCLIENT is: S-1-5-21-3786926362-4055794989-769170274
SID for domain BILSCH.LOCAL is: S-1-5-21-3786926362-4055794989-769170274
root@fdsclient2:/# net getdomainsid -U root%*pass*
SID for domain FDSCLIENT2 is: S-1-5-21-944702772-1279947625-2865619123
SID for domain BILSCH.LOCAL is: S-1-5-21-3786926362-4055794989-769170274
with smbclient, accessing a share on the bdc, with showacls on:
FILENAME:\vmware-config0
MODE:D
SIZE:0
MTIME:Mon Feb 12 10:06:32 2007
revision: 1
type: 0x8004: SEC_DESC_DACL_PRESENT SEC_DESC_SELF_RELATIVE
DACL
ACL Num ACEs: 3 revision: 2
---
ACE
type: ACCESS ALLOWED (0) flags: 0
Specific bits: 0x1ff
Permissions: 0x1f01ff: SYNCHRONIZE_ACCESS
WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS DELETE_ACCESS
SID: S-1-22-1-0
ACE
type: ACCESS ALLOWED (0) flags: 0
Specific bits: 0xa9
Permissions: 0x1200a9: SYNCHRONIZE_ACCESS
READ_CONTROL_ACCESS
SID: S-1-22-2-0
ACE
type: ACCESS ALLOWED (0) flags: 0
Specific bits: 0xa9
Permissions: 0x1200a9: SYNCHRONIZE_ACCESS
READ_CONTROL_ACCESS
SID: S-1-1-0
Owner SID: S-1-22-1-0
Parent SID: S-1-22-2-0
Anyone have ideas on what I am doing wrong here?
--
Bill Schwanitz
An eye for an eye makes the whole world blind.
- Mahatma Gandhi
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org
iD8DBQFF1ecDujRCu3O+ziARAt3/AJwL1DHkwwbqXSLnfbc3Q0F4d+lt/ACeMh2p
H9SKBYB8SagEX9+pDe0xVwQ=
=oi20
-----END PGP SIGNATURE-----
Dale Schroeder
2007-Feb-16 18:53 UTC
[Samba] problems with samba bdc user/group lookups
I believe your errors primarily lie in your BDC configuration. See
http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html#id304335
for minimum requirements.

Bill Schwanitz wrote:
> Anyone have ideas on what I am doing wrong here?
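A check script for the two things the thread's diagnostics show, added here as an example and not part of either message: the BDC's own SID in the "net getdomainsid" output differs from the domain SID, and the BDC's smb.conf is written as a domain member (security = domain plus a password server) rather than as a domain controller. The settings it tests are the minimum BDC requirements from the Samba HOWTO chapter linked above (same SID as the PDC, security = user, domain logons = yes, domain master = no, the PDC's ldapsam backend). The command output and the smb.conf fragment are constructed inline from the values posted in the thread so the script runs offline; on a live host you would feed it the real "net getdomainsid" output and /etc/samba/smb.conf instead.

```shell
#!/bin/sh
# Added example (not from the original thread): consistency checks for a Samba 3
# PDC/BDC pair. Inputs are text captured from `net getdomainsid` and from the
# BDC's smb.conf; the samples below are constructed from the values posted in
# the thread so the script runs offline.

WORKGROUP=BILSCH.LOCAL

# Constructed sample: `net getdomainsid` output as posted for the PDC and the BDC.
PDC_GETDOMAINSID='SID for domain FDSCLIENT is: S-1-5-21-3786926362-4055794989-769170274
SID for domain BILSCH.LOCAL is: S-1-5-21-3786926362-4055794989-769170274'
BDC_GETDOMAINSID='SID for domain FDSCLIENT2 is: S-1-5-21-944702772-1279947625-2865619123
SID for domain BILSCH.LOCAL is: S-1-5-21-3786926362-4055794989-769170274'

# Constructed sample: the parameters from the posted BDC [global] section that
# the checks below look at.
BDC_SMBCONF='[global]
workgroup = BILSCH.LOCAL
security = domain
password server = fdsclient.bilsch.local
domain master = No
winbind use default domain = Yes'

# The host's own SID is the "SID for domain <HOSTNAME>" line; the domain SID is
# the "SID for domain <WORKGROUP>" line. $1 = getdomainsid output, $2 = workgroup.
local_sid()  { printf '%s\n' "$1" | grep -F -v "domain $2 is:" | sed -n 's/.* is: //p'; }
domain_sid() { printf '%s\n' "$1" | grep -F    "domain $2 is:" | sed -n 's/.* is: //p'; }

# A domain controller carries the domain SID as its own SID. A host whose local
# SID differs has never been given the domain SID (net rpc getsid / net setlocalsid)
# and cannot act as a BDC, whatever its smb.conf says. Prints "ok" or "mismatch".
sid_check() {
    own=$(local_sid "$1" "$2")
    dom=$(domain_sid "$1" "$2")
    if [ -n "$own" ] && [ "$own" = "$dom" ]; then echo ok; else echo mismatch; fi
}

# Read one smb.conf parameter from the text in $1 (parameter name in $2, given
# lower-case). Matching is case-insensitive and tolerant of spaces around "=";
# the value is printed lower-cased, and nothing is printed when it is not set.
smbconf_get() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' \
        | sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Minimum BDC settings from the Samba HOWTO BDC chapter: the BDC is itself a
# domain controller (security = user, domain logons = yes), must not claim to be
# the domain master, and reads the same ldapsam backend as the PDC instead of
# proxying lookups to a "password server" the way a member server does.
# Booleans are expected spelled yes/no. Prints one finding per line, nothing
# when every check passes.
bdc_check() {
    conf=$1
    v=$(smbconf_get "$conf" 'security')
    [ "$v" = user ] || echo "security = ${v:-<unset>}: a BDC needs security = user"
    v=$(smbconf_get "$conf" 'domain logons')
    [ "$v" = yes ] || echo "domain logons = ${v:-<unset>}: a BDC needs domain logons = yes"
    v=$(smbconf_get "$conf" 'domain master')
    [ "$v" = no ] || echo "domain master = ${v:-<unset>}: a BDC needs domain master = no"
    case "$(smbconf_get "$conf" 'passdb backend')" in
        ldapsam:*) ;;
        *) echo "passdb backend is not ldapsam: a BDC must read the PDC's LDAP backend" ;;
    esac
    [ -z "$(smbconf_get "$conf" 'password server')" ] \
        || echo "password server is set: that is a domain-member setting, not a DC setting"
}

echo "PDC own SID vs domain SID: $(sid_check "$PDC_GETDOMAINSID" "$WORKGROUP")"
echo "BDC own SID vs domain SID: $(sid_check "$BDC_GETDOMAINSID" "$WORKGROUP")"
echo "BDC smb.conf findings:"
bdc_check "$BDC_SMBCONF"
```

Run against the posted values the PDC reports "ok", the BDC reports "mismatch", and the BDC smb.conf produces four findings (security, domain logons, passdb backend, password server); a BDC section with the HOWTO's settings produces none. The SID check is the one to fix first: a BDC that passes every smb.conf check but has its own local SID still issues SIDs from the wrong domain, which is what "Unix user\..." ownership on the BDC shares looks like from the client side.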