Short version:
Why does my domain member server create a sambaDomainName entry in LDAP?
Long Version:
I have created a Domain Member Server for a "NT4 style" Samba domain
with an LDAP backend.
It is a print server, running Winbind (because it solved a group SID
mapping problem and an 'invalid SID' error in syslog), and it works fine
in all other respects, but this:
After joining the domain, the member server creates a sambaDomainName
entry in LDAP that I don't think should be there. It is of the form:
sambaDomainName=HOSTNAME,dc=example,dc=com
... where HOSTNAME is the hostname of the domain member server.
I have Googled this and have come up with some posts to this list:
http://www.google.com/search?q=sambaDomainName+hostname+%22member+server%22
... but none provide an explanation.
Here are some details about my setup (on the domain member server):
First, just to get it out of the way, I created no local users, other
those created by a default RedHat RHEL 5.1 install, such as root,
nobody, etc.
(LDAP, NSS, PAM, Winbind settings created with /usr/sbin/authconfig-tui)
# cat /etc/ldap.conf:
base dc=example,dc=com
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon
uri ldap://ldap.example.com
ssl no
pam_password md5
# cat /etc/samba/smb.conf:
[global]
workgroup = MYDOMAIN
netbios name = HOSTNAME
server string = Domain Member Server
security = domain
password server = MYPDC MYBDC
passdb backend = ldapsam:ldap://ldap.deohs.washington.edu
wins support = no
ldap suffix = dc=example,dc=com
ldap admin dn = "cn=Directory Manager"
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /sbin/nologin
load printers = yes
printing = cups
printcap name = cups
winbind use default domain = false
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
public = yes
guest ok = yes
writable = no
printable = yes
# cat /etc/pam.d/system-config-samba
#%PAM-1.0
auth include config-util
account include config-util
session include config-util
# cat /etc/pam.d/config-util
#%PAM-1.0
auth sufficient pam_rootok.so
auth sufficient pam_timestamp.so
auth include system-auth
account required pam_permit.so
session required pam_permit.so
session optional pam_xauth.so
session optional pam_timestamp.so
# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth sufficient pam_smb_auth.so use_first_pass nolocal
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
# cat /etc/nsswitch.conf
passwd: files ldap winbind
shadow: files ldap winbind
group: files ldap winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.1 (Tikanga)
# uname -a
Linux hostname.example.com 2.6.18-53.1.6.el5 #1 SMP Wed Jan 16 03:56:15 EST 2008 x86_64 x86_64 x86_64 GNU/Linux
# rpm -qa | grep 'samba-[0-9]\|ldap-[0-9]\|pam-[0-9]'
openldap-2.3.27-8.el5_1.1
system-config-samba-1.2.39-1.el5
openldap-2.3.27-8.el5_1.1
samba-3.0.25b-1.el5_1.4
pam-0.99.6.2-3.26.el5
nss_ldap-253-5.el5
pam-0.99.6.2-3.26.el5
nss_ldap-253-5.el5
The member server was joined to the domain with:
# net rpc join MEMBER -W MYDOMAIN -I MYPDC -U root%S3CR1T
# smbpasswd -w S3CR1T
Thanks, in advance, for any explanation you can provide.
--
Brian High
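An added audit script, not part of the thread or of Samba's own tooling, that lists the sambaDomain objects under the LDAP suffix and separates the workgroup's entry from any entry named after a host. It assumes the OpenLDAP `ldapsearch` client for the live query, the suffix and URI from the smb.conf above, and that Samba 3's ldapsam backend writes its local SAM record (own SID, next RID) under sambaDomainName=<NetBIOS name> on a member server, which is my understanding of the backend and not something the thread itself establishes. The LDIF embedded below is constructed sample data standing in for `ldapsearch -LLL` output.

```shell
#!/bin/sh
# Added example: audit sambaDomainName entries in the domain's LDAP directory.
# Usage: ./samba_domain_audit.sh --live dc=example,dc=com ldap://ldap.example.com MYDOMAIN HOSTNAME
# Without --live it only runs against the constructed sample LDIF below.

# Constructed sample LDIF (not real directory data) mimicking `ldapsearch -LLL`
# output for the two entries the original poster sees: the workgroup's own
# record and the record the member server wrote under its NetBIOS name.
SAMPLE_LDIF='dn: sambaDomainName=MYDOMAIN,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: MYDOMAIN
sambaSID: S-1-5-21-1111111111-2222222222-3333333333
sambaNextRid: 1000

dn: sambaDomainName=HOSTNAME,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: HOSTNAME
sambaSID: S-1-5-21-4444444444-5555555555-6666666666
'

# fetch_domains BASE URI
# Live query; an anonymous (-x, no -D) read-only bind is enough to list these.
# Only two attributes are requested, so no LDIF line folding is expected.
fetch_domains() {
    ldapsearch -x -LLL -H "$2" -b "$1" '(objectClass=sambaDomain)' \
        sambaDomainName sambaSID
}

# classify_domains WORKGROUP  (LDIF on stdin)
# Prints one line per sambaDomain object:
#   "domain NAME SID"     when NAME is the workgroup (the NT domain itself)
#   "local-sam NAME SID"  for anything else (a host's local SAM record)
classify_domains() {
    awk -v wg="$1" '
        function emit() {
            kind = (toupper(name) == toupper(wg)) ? "domain" : "local-sam"
            print kind, name, sid
            name = ""; sid = ""
        }
        /^sambaDomainName:/ { name = $2 }
        /^sambaSID:/        { sid = $2 }
        /^$/                { if (name != "") emit() }   # blank line ends an entry
        END                 { if (name != "") emit() }   # last entry has no trailing blank
    '
}

# unexpected_domains WORKGROUP MY_NETBIOS_NAME  (LDIF on stdin)
# Prints the names of local-sam records that belong neither to the workgroup
# nor to this host: stale hosts, or another machine writing into the directory.
unexpected_domains() {
    classify_domains "$1" | awk -v me="$2" \
        '$1 == "local-sam" && toupper($2) != toupper(me) { print $2 }'
}

if [ "${1:-}" = "--live" ]; then
    # Arguments: --live BASE URI WORKGROUP NETBIOS_NAME
    fetch_domains "$2" "$3" | classify_domains "$4"
    echo "--- entries to investigate ---"
    fetch_domains "$2" "$3" | unexpected_domains "$4" "$5"
else
    printf '%s' "$SAMPLE_LDIF" | classify_domains MYDOMAIN
fi
```

The point of separating the two kinds of record is that a host-named sambaDomain object is only expected for a machine that binds with write access and uses ldapsam as its own passdb. The smb.conf above gives the member server exactly that (`passdb backend = ldapsam:...` plus `ldap admin dn = "cn=Directory Manager"` with the password stored by `smbpasswd -w`), so the directory-manager credential lives on the print server; running this audit periodically shows which hosts are writing such records, and a member server that does not need ldapsam can keep the default tdbsam and hold no write credential at all.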
Jamrock
2008-Jan-30 14:29 UTC
[Samba] Re: Member Server creates sambaDomainName LDAP entry
"Brian High" <high@u.washington.edu> wrote in message news:479A74CB.40309@u.washington.edu...
> Short version:
>
> Why does my domain member server create a sambaDomainName entry in LDAP?
>
> Long Version:
>
> I have created a Domain Member Server for a "NT4 style" Samba domain
> with an LDAP backend.
>
> It is a print server, running Winbind (because it solved a group SID
> mapping problem and an 'invalid SID' error in syslog), and it works fine
> in all other respects, but this:
>
> After joining the domain, the member server creates a sambaDomainName
> entry in LDAP that I don't think should be there. It is of the form:
>
> sambaDomainName=HOSTNAME,dc=example,dc=com
>
> ... where HOSTNAME is the hostname of the domain member server.
>
> I have Googled this and have come up with some posts to this list:
>

To which LDAP server is your smb.conf file pointing? The one on the member server or the one on the domain controller?
Brian High
2008-Jan-30 21:37 UTC
[Samba] Re: Member Server creates sambaDomainName LDAP entry
On Wed, 30 Jan 2008, Jamrock wrote:
>
> "Brian High" <high@u.washington.edu> wrote in message
> news:479A74CB.40309@u.washington.edu...
>> Short version:
>>
>> Why does my domain member server create a sambaDomainName entry in LDAP?
>
> To which LDAP server is your smb.conf file pointing? The one on the member
> server or the one on the domain controller?

There is only one LDAP primary (on PDC) and one LDAP secondary (on BDC). The member server has no LDAP server, and only uses LDAP as a client.

--
Brian High
Systems Administrator
Department of Environmental and Occupational Health Sciences
Brian May
2008-Feb-03 04:13 UTC
[Samba] Re: Member Server creates sambaDomainName LDAP entry
>>>>> "Brian" == Brian High <high@u.washington.edu> writes:

Brian> After joining the domain, the member server creates a sambaDomainName
Brian> entry in LDAP that I don't think should be there. It is of the form:

Brian> sambaDomainName=HOSTNAME,dc=example,dc=com

I have noticed this myself. At the time I was worried that maybe I had made a mistake somewhere, and the server wasn't properly joined to the domain. However, I couldn't see any evidence of any problems, other than this entry kept re-appearing each time I restarted Samba.

Tomorrow I plan to add some more servers, will see if the problem reoccurs.

--
Brian May <bam@snoopy.apana.org.au>