-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I am trying to get a samba setup with a pdc/bdc configuration. The backend information stores are openldap ( for passdb and idmap ).

I have followed the instructions in the Samba Guide and the documentation provided with the smbldap-tools package.

Samba version: 3.0.24
smbldap-tools: Using the version included in samba ( /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2 )

I can join machines to the domain. If I do a getent passwd from either of the two servers, I get the requisite information ( and it looks valid ). I have nsswitch pulling the information from ldap on both systems.

Layout:

fdsclient: pdc
fdsclient2: bdc
fdsmaster: openldap 2.2.13

OS on all systems is CentOS 4, mostly up to date on patches ( as of a few days ago ). All three systems are being run from within vmware - not sure it really matters here.

From the pdc, if I run the command "net rpc user -U root%pass", I get back the three currently-configured users. If I use the same command from the bdc, I get nothing. If I do a "wbinfo -u" from the bdc, I get the requisite information.

When I log into a windows machine ( joined to the domain ) and browse the shares on both pdc and bdc, I get mixed results in file/dir ownership. The files/dirs on the pdc report the domain\user values. If I look at the permissions of a share on the bdc, I get "Unix user \ *user*" instead of the domain\user.

Below is the smb.conf configuration for the pdc:

[global]
workgroup = BILSCH.LOCAL
server string = Samba Server %v
security = user
passdb backend = ldapsam:ldap://fdsmaster.bilsch.local/
idmap backend = ldapsam:ldap://fdsmaster.bilsch.local/
passwd program = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-passwd -u %u
passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
passwd chat debug = Yes
passwd chat timeout = 5
enable privileges = yes
username map = /etc/samba/smbusers
log level = 3
log file = /var/log/samba/%m.log
max log size = 100000
time server = Yes
deadtime = 10
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
printcap name = cups
add user script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-useradd -m "%u"
add group script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-groupadd -p "%g"
add user to group script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-usermod -g '%g' '%u'
add machine script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-useradd -w "%u"
logon script = logon.bat
logon path = \\fdsclient\profiles\%U
logon drive = H:
name resolve order = wins bcast hosts
domain logons = Yes
os level = 255
preferred master = Yes
domain master = Yes
local master = Yes
wins support = Yes
#ldap admin dn = cn=smbadmin,ou=DSA,dc=bilsch,dc=local
ldap admin dn = cn=Manager,dc=bilsch,dc=local
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Users,ou=Computers
ldap passwd sync = Yes
ldap suffix = dc=bilsch,dc=local
ldap ssl = start tls
ldap user suffix = ou=Users
#idmap uid = 15000-20000
#idmap gid = 15000-20000
winbind enum users = Yes
winbind enum groups = Yes
winbind use default domain = Yes
create mask = 0640
directory mask = 0750
case sensitive = No
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
null passwords = yes
encrypt passwords = yes

smb.conf from the bdc:

[global]
workgroup = BILSCH.LOCAL
server string = Samba Server %v
security = domain
password server = fdsclient.bilsch.local
log level = 4
log file = /var/log/samba/%m.log
enable privileges = yes
max log size = 50
os level = 0
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
load printers = No
local master = No
domain master = No
preferred master = No
dns proxy = No
cups options = raw
winbind enum users = Yes
winbind enum groups = Yes
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
template shell = /bin/false
winbind use default domain = Yes
nt acl support = yes
map acl inherit = yes

net rpc info output:

( pdc )
root@fdsclient:/var/log/samba# net rpc info -U root%*pass*
Domain Name: BILSCH.LOCAL
Domain SID: S-1-5-21-3786926362-4055794989-769170274
Sequence number: 1171644069
Num users: 3
Num domain groups: 4
Num local groups: 0

( bdc )
root@fdsclient2:/# net rpc info -U root%*pass*
Domain Name: BILSCH.LOCAL
Domain SID: S-1-5-21-3786926362-4055794989-769170274
Sequence number: 1171644046
Num users: 3
Num domain groups: 4
Num local groups: 0

root@fdsclient:/var/log/samba# net getdomainsid -U root%*pass*
SID for domain FDSCLIENT is: S-1-5-21-3786926362-4055794989-769170274
SID for domain BILSCH.LOCAL is: S-1-5-21-3786926362-4055794989-769170274

root@fdsclient2:/# net getdomainsid -U root%*pass*
SID for domain FDSCLIENT2 is: S-1-5-21-944702772-1279947625-2865619123
SID for domain BILSCH.LOCAL is: S-1-5-21-3786926362-4055794989-769170274

with smbclient, accessing a share on the bdc, with showacls on:

FILENAME:\vmware-config0
MODE:D
SIZE:0
MTIME:Mon Feb 12 10:06:32 2007
revision: 1
type: 0x8004: SEC_DESC_DACL_PRESENT SEC_DESC_SELF_RELATIVE
DACL
ACL  Num ACEs: 3  revision: 2
---
ACE
    type: ACCESS ALLOWED (0) flags: 0
    Specific bits: 0x1ff
    Permissions: 0x1f01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS DELETE_ACCESS
    SID: S-1-22-1-0

ACE
    type: ACCESS ALLOWED (0) flags: 0
    Specific bits: 0xa9
    Permissions: 0x1200a9: SYNCHRONIZE_ACCESS READ_CONTROL_ACCESS
    SID: S-1-22-2-0

ACE
    type: ACCESS ALLOWED (0) flags: 0
    Specific bits: 0xa9
    Permissions: 0x1200a9: SYNCHRONIZE_ACCESS READ_CONTROL_ACCESS
    SID: S-1-1-0

Owner SID: S-1-22-1-0
Parent SID: S-1-22-2-0

Anyone have ideas on what I am doing wrong here?

--
Bill Schwanitz

An eye for an eye makes the whole world blind.
- Mahatma Gandhi
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iD8DBQFF1ecDujRCu3O+ziARAt3/AJwL1DHkwwbqXSLnfbc3Q0F4d+lt/ACeMh2p
H9SKBYB8SagEX9+pDe0xVwQ=
=oi20
-----END PGP SIGNATURE-----
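Added example, not part of the post above: a small Python script that reads the two text formats Bill pasted (the `net getdomainsid` lines and the `smbclient` `showacls` listing) and says what they mean. Two facts it relies on: Samba renders a uid or gid that has no SID mapping as a SID under its own S-1-22 authority (S-1-22-1-<uid> is "Unix User", S-1-22-2-<gid> is "Unix Group"; S-1-1-0 is Everyone), which is exactly what a Windows client shows as "Unix User\name"; and a BDC must carry the same domain SID as the PDC, whereas a member server keeps its own local SID. The sample strings are constructed from the values in the post; the host and workgroup names are the poster's.

```python
"""Classify SIDs from `net getdomainsid` / `smbclient showacls` output (added example)."""
import re

# Samba's well-known "Unix" SID authority for ids with no domain mapping.
UNIX_USER_PREFIX = "S-1-22-1-"    # S-1-22-1-<uid>  -> "Unix User\<name>"
UNIX_GROUP_PREFIX = "S-1-22-2-"   # S-1-22-2-<gid>  -> "Unix Group\<name>"
EVERYONE = "S-1-1-0"
DOMAIN_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)(?:-(\d+))?$")

# Constructed sample input, copied from the values in the post.
DOMAIN_SID = "S-1-5-21-3786926362-4055794989-769170274"
PDC_GETDOMAINSID = """\
SID for domain FDSCLIENT is: S-1-5-21-3786926362-4055794989-769170274
SID for domain BILSCH.LOCAL is: S-1-5-21-3786926362-4055794989-769170274
"""
BDC_GETDOMAINSID = """\
SID for domain FDSCLIENT2 is: S-1-5-21-944702772-1279947625-2865619123
SID for domain BILSCH.LOCAL is: S-1-5-21-3786926362-4055794989-769170274
"""
BDC_SHOWACLS = """\
FILENAME:\\vmware-config0
MODE:D
DACL
ACL  Num ACEs: 3  revision: 2
ACE
    type: ACCESS ALLOWED (0) flags: 0
    SID: S-1-22-1-0
ACE
    type: ACCESS ALLOWED (0) flags: 0
    SID: S-1-22-2-0
ACE
    type: ACCESS ALLOWED (0) flags: 0
    SID: S-1-1-0
Owner SID: S-1-22-1-0
Parent SID: S-1-22-2-0
"""


def classify_sid(sid, domain_sid):
    """Describe how a Windows client will render `sid` for a server in `domain_sid`."""
    if sid == EVERYONE:
        return "Everyone"
    if sid.startswith(UNIX_USER_PREFIX):
        return "Unix User\\uid %s (no domain mapping)" % sid[len(UNIX_USER_PREFIX):]
    if sid.startswith(UNIX_GROUP_PREFIX):
        return "Unix Group\\gid %s (no domain mapping)" % sid[len(UNIX_GROUP_PREFIX):]
    m = DOMAIN_SID_RE.match(sid)
    if m and m.group(1) == domain_sid:
        return "DOMAIN (no RID)" if m.group(2) is None else "DOMAIN\\rid %s" % m.group(2)
    if m:
        return "foreign domain %s rid %s" % (m.group(1), m.group(2))
    return "unknown SID %s" % sid


def parse_getdomainsid(text):
    """Parse `net getdomainsid` output into {NAME: sid}; NAME is the host or the workgroup."""
    return {m.group(1): m.group(2)
            for m in re.finditer(r"SID for domain (\S+) is: (S-[\d-]+)", text)}


def parse_showacls(text):
    """Pull the ACE SIDs plus owner and group SIDs out of smbclient's showacls listing."""
    owner = re.search(r"Owner SID:\s*(S-[\d-]+)", text)
    group = re.search(r"Parent SID:\s*(S-[\d-]+)", text)   # smbclient labels the group SID "Parent"
    return {"aces": re.findall(r"^\s*SID:\s*(S-[\d-]+)", text, re.M),
            "owner": owner.group(1) if owner else None,
            "group": group.group(1) if group else None}


def diagnose(host, workgroup, getdomainsid_text, showacls_text=""):
    """Report whether `host` shares the domain SID and which ACL SIDs are unmapped Unix ids."""
    sids = parse_getdomainsid(getdomainsid_text)
    local_sid, domain_sid = sids.get(host.upper()), sids.get(workgroup.upper())
    report = []
    shares = local_sid is not None and local_sid == domain_sid
    if not shares:
        report.append("%s: local SID %s differs from domain SID %s; a BDC must share the "
                      "PDC's domain SID, a member server keeps its own" % (host, local_sid, domain_sid))
    acl = parse_showacls(showacls_text)
    unmapped = sorted({s for s in acl["aces"] + [acl["owner"], acl["group"]]
                       if s and s.startswith((UNIX_USER_PREFIX, UNIX_GROUP_PREFIX))})
    for s in unmapped:
        report.append("%s: %s -> %s" % (host, s, classify_sid(s, domain_sid)))
    return {"shares_domain_sid": shares, "unmapped": unmapped, "report": report}


if __name__ == "__main__":
    for host, text, acl in (("fdsclient", PDC_GETDOMAINSID, ""),
                            ("fdsclient2", BDC_GETDOMAINSID, BDC_SHOWACLS)):
        result = diagnose(host, "BILSCH.LOCAL", text, acl)
        print(host, "shares domain SID:", result["shares_domain_sid"])
        for line in result["report"]:
            print("  " + line)
```

Run against the posted output, the script reports that fdsclient2 does not share the domain SID and that every SID in the listing except Everyone is an S-1-22 Unix id (uid 0 and gid 0 in this case), which is why the BDC's shares show "Unix User\" ownership while the PDC's show domain\user.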
Dale Schroeder
2007-Feb-16 18:53 UTC
[Samba] problems with samba bdc user/group lookups
I believe your errors primarily lie in your BDC configuration. See http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html#id304335 for minimum requirements.

Bill Schwanitz wrote:
> I am trying to get a samba setup with a pdc/bdc configuration. The
> backend information stores are openldap ( for passdb and idmap )
> [...]
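Added example, not part of Dale's reply: a Python checker that reads a Samba 3 smb.conf [global] section and tests it against what the BDC chapter of the Samba HOWTO Collection he links to requires of a BDC that shares the PDC's LDAP backend: security = user, domain logons = yes, domain master = no, a passdb backend of ldapsam pointing at the same LDAP server, an LDAP idmap backend, and idmap uid/gid ranges. The first sample string is the BDC [global] section from the post, trimmed to the lines the checks look at; the second is a corrected fragment I patterned on the HOWTO example, reusing the LDAP URL and DNs from the poster's PDC config (the `idmap backend = ldap:` form follows the HOWTO; the poster's PDC spells it `ldapsam:` and the checker accepts either).

```python
"""Lint a Samba 3 smb.conf [global] section against the HOWTO's BDC requirements (added example)."""
import configparser

# Constructed sample: the BDC [global] section from the post, trimmed.
BDC_AS_POSTED = """\
[global]
workgroup = BILSCH.LOCAL
server string = Samba Server %v
security = domain
password server = fdsclient.bilsch.local
log file = /var/log/samba/%m.log
os level = 0
local master = No
domain master = No
preferred master = No
winbind separator = +
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind use default domain = Yes
"""

# Corrected fragment (assumption, patterned on the HOWTO's BDC example).
BDC_CORRECTED = """\
[global]
workgroup = BILSCH.LOCAL
security = user
domain logons = yes
domain master = no
local master = no
preferred master = no
os level = 0
passdb backend = ldapsam:ldap://fdsmaster.bilsch.local/
idmap backend = ldap:ldap://fdsmaster.bilsch.local/
idmap uid = 15000-20000
idmap gid = 15000-20000
ldap admin dn = cn=Manager,dc=bilsch,dc=local
ldap suffix = dc=bilsch,dc=local
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Users,ou=Computers
ldap idmap suffix = ou=Idmap
ldap ssl = start tls
winbind use default domain = yes
"""


def parse_smb_conf(text):
    """Return [global] as {key: value}, with keys lower-cased and internal spaces dropped.

    Samba treats parameter names case-insensitively and ignores whitespace inside them
    ("domain logons" == "domainlogons"), so normalise the same way before comparing.
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    return {k.replace(" ", "").lower(): v.strip() for k, v in cp.items("global")}


def as_bool(value):
    """Samba boolean: yes/true/1 are true; no/false/0 (and 'auto') are not."""
    return value.strip().lower() in ("yes", "true", "1")


def lint_bdc(text):
    """Return a list of findings; an empty list means the section meets the BDC requirements."""
    g = parse_smb_conf(text)
    findings = []
    sec = g.get("security", "user").lower()
    if sec != "user":
        findings.append("security = %s: a BDC authenticates from the shared passdb and needs "
                        "security = user; 'domain' makes it a member server that forwards "
                        "every logon to the PDC" % sec)
    if not as_bool(g.get("domainlogons", "no")):
        findings.append("domain logons must be yes, or the host never answers NETLOGON requests")
    dm = g.get("domainmaster", "auto").lower()
    if dm not in ("no", "false", "0"):
        findings.append("domain master must be no (found %r); only the PDC claims that role" % dm)
    if not g.get("passdbbackend", "").startswith("ldapsam:"):
        findings.append("passdb backend must be the PDC's ldapsam:ldap://... store; without it "
                        "the BDC knows no domain accounts, so uids that exist only in the PDC's "
                        "passdb can resolve to S-1-22-1-<uid> (Unix User) instead of a domain SID")
    if not g.get("idmapbackend", "").startswith("ldap"):
        findings.append("idmap backend must use the shared LDAP idmap; otherwise each server "
                        "allocates its own uid/gid per SID in a local tdb and the mappings diverge")
    for key in ("idmap uid", "idmap gid"):
        if key.replace(" ", "") not in g:
            findings.append("%s range is missing; winbind needs it to allocate ids" % key)
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", BDC_AS_POSTED), ("corrected", BDC_CORRECTED)):
        print(label + ":", lint_bdc(conf) or "ok")
```

Fixing the file is not the whole job: the BDC also needs the LDAP admin password stored with `smbpasswd -w` and the PDC's domain SID fetched with `net rpc getsid`, both of which the linked HOWTO chapter walks through; the `net getdomainsid` output in the post shows fdsclient2 still carrying a SID of its own.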