I've almost got it. I swear I've almost got it (and I've been doing a
lot of swearing lately).
I re-built my PDC, starting from scratch. I'm not using the editposix
extensions anymore - I'm using the smbldap tools as shown (I think) in
the Samba by Example.
I really really thought I did everything right. Obviously I was wrong.
What works - all my workstations and logins. Add/create users, join
workstations to domain. Just about everything.
The last little item - winbind.
I suppose I need to give some vitals:
Samba 3.0.28a.
Samba PDC - no Windows servers, no BDC's, no member servers.
Linux and Windows XP workstations.
OpenLDAP backend with combined Unix and Windows users (using
LDAP-Account Manager).
First question: under this configuration, do I need winbind at all?
If the answer is yes, second question:
wbinfo -t yields checking the trust secret via RPC calls succeeded
wbinfo -u yields Error looking up domain users
The logfile log.wb-AMFESLAN.LOCAL has
[2008/05/27 12:17:40, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from remote machine BUBBA pipe \lsarpc fnum 0x7169!
logfile log.winbindd-idmap has
[2008/05/27 12:17:40, 1] nsswitch/idmap.c:idmap_init(377)
Initializing idmap domains
[2008/05/27 12:17:40, 0] nsswitch/idmap.c:idmap_init(388)
idmap_init: Ignoring domain AMFESLAN.LOCAL
I should also mention that I can't add the built-in or local groups
using net.
partial output of testparm:
Processing section "[printers]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
[global]
workgroup = AMFESLAN.LOCAL
realm = AMFESLAN.LOCAL
server string = %h server (Samba, Ubuntu)
map to guest = Bad User
obey pam restrictions = Yes
passdb backend = ldapsam:ldap://localhost
pam password change = Yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *all*authentication*tokens*updated*
username map = /etc/samba/smbusers
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
time server = Yes
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=20480 SO_SNDBUF=20480
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
logon script = logon.cmd
logon path = \\%L\profiles\%U\%a
logon drive = U:
logon home
domain logons = Yes
os level = 64
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = "cn=admin,dc=amfeslan,dc=local"
ldap delete dn = Yes
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=machines,ou=users
ldap passwd sync = Yes
ldap suffix = dc=amfeslan,dc=local
ldap ssl = no
ldap user suffix = ou=users
panic action = /usr/share/samba/panic-action %d
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = Yes
winbind enum groups = Yes
ea support = Yes
profile acls = Yes
veto oplock files = /*.QBW/*.qbw/*.MDB/*.mdb/
dos filemode = Yes
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
guest ok = Yes
printable = Yes
browseable = No
--
Daniel
no you don't need winbind, i'm using LDAP + samba + NSS_LDAP. paste your net command and the error(s) it's giving.

Daniel L. Miller wrote:
> I've almost got it. I swear I've almost got it (and I've been doing a
> lot of swearing lately).
> [...]
John H Terpstra wrote:
> On Tuesday 27 May 2008 02:22:15 pm Daniel L. Miller wrote:
>> I've almost got it. I swear I've almost got it (and I've been doing a
>> lot of swearing lately).
>
> Swearing does not help much. :-)

It does too! I haven't broken a single keyboard!

>> I re-built my PDC, starting from scratch. I'm not using the editposix
>> extensions anymore - I'm using the smbldap tools as shown (I think) in
>> the Samba by Example.
>
> Now that is a really good guide. (Biased opinion of course!) It is a pity that
> this book is a little out of date. Someone really should contribute updates
> to it I guess.

I'd be delighted to - but at the moment it'd be the blind leading the totally clueless.

>> I really really thought I did everything right. Obviously I was wrong.
>
> Ah, you mean you have been learning to swim. A good start to using Samba.

Unfortunately I still splash far too much without making efficient forward progress. I can go sideways really good though!

>> First question: under this configuration, do I need winbind at all?
>
> That depends! You can probably get away without winbind. If you do need it,
> you should update the configuration since winbindd has changed since Samba
> 3.0.20 - the version the book was last updated for.

Something I haven't seen in print yet - so I'll ask the question. WHEN is the appropriate time to use winbind with PDC's and BDC's? If the only (intended) purpose is for member servers and joining Windows NT/2000+ domains - please say so. The 3.2 Using Samba says "...in the majority of cases winbind is of primary interest for use with domain member servers (DMSs) and domain member clients (DMCs)." - but that's not quite the same as, "In an exclusively Samba server environment, with a common LDAP backend (replicated or single), winbind offers no additional features and in fact can cause problems. Do NOT use winbind in such a configuration."

>> If the answer is yes, second question:
>> wbinfo -t yields checking the trust secret via RPC calls succeeded
>> wbinfo -u yields Error looking up domain users
>
> It is no longer possible to use wbinfo on the PDC itself. See Samba Bugzilla
> bug no. 5453.
>
>> I should also mention that I can't add the built-in or local groups
>> using net.
>
> Correct. For that you will need the new winbind configuration syntax - you are
> running 3.0.28 aren't you? See man idmap_ldap, or man idmap_tdb.

Now I'm more confused. I'm reviewing those pages - and while I do see some other parameters, they say in their absence they will default to using the ones I've specified. I don't see what I'm missing. I've revised to show:

idmap domains = AMFESLAN.LOCAL
idmap alloc backend = ldap
winbind enum users = Yes
winbind enum groups = Yes
idmap alloc config:range = 10000-20000
idmap alloc config:ldap_url = ldap://127.0.0.1
idmap alloc config:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
idmap config AMFESLAN.LOCAL:range = 10000-20000
idmap config AMFESLAN.LOCAL:ldap_url = ldap://127.0.0.1
idmap config AMFESLAN.LOCAL:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
idmap config AMFESLAN.LOCAL:backend = ldap
idmap config AMFESLAN.LOCAL:default = yes

Functionality and error messages remain the same.

> I hope that helps.

Helps a lot - but I'm needy and greedy and would still appreciate more of your insight.

--
Daniel
OK, payment in advance: :-) :-) :-)
Wait a minute, let me change currencies....
 _.-'''''-._
.'  _   _  '.
/  (o) (o)  \
|           |
|  \     /  |
\  '.   .'  /
'. `'---'` .'
 '-._____.-'

 _.-'''''-._
.'  _   _  '.
/  (o) (o)  \
|           |
|  \     /  |
\  '.   .'  /
'. `'---'` .'
 '-._____.-'

 _.-'''''-._
.'  _   _  '.
/  (o) (o)  \
|           |
|  \     /  |
\  '.   .'  /
'. `'---'` .'
 '-._____.-'
John H Terpstra wrote:
>> Something I haven't seen in print yet - so I'll ask the question. WHEN
>> is the appropriate time to use winbind with PDC's and BDC's?
>
> Winbind is needed when you have domain member servers, and to deal with SIDs
> for users of trusted foreign domains. Winbind is essential for interdomain
> trust handling.
>
> If all your clients are domain members, and you never get clients from trusted
> domains on the network, you do not need winbind. You can operate without it
> without loss of service, but you will not have use of BUILTIN groups (these
> are created and managed by winbind).
>
Almost there. Really....
Do I NEED those builtin groups for anything? Do I WANT those builtin
groups for anything (besides avoiding those nuisance error messages in
my samba logs)?
If a couple clients are non-domain members (laptops that periodically
plug-in) - but still no trusted domains involved - is there any need for
winbind?

> First: Do NOT use a domain name that has a '.' in it. That has unexpected
> name resolution consequences. A Samba smb.conf workgroup= parameter should
> not have a dot in it.
>
Ok...now that I've setup everything (again, for the nth time), do I need
to reconfigure the server and every client? Or just rename it on the
server and the change will automagically propagate?
And beyond updating my srv records, will this have other DNS
consequences?

>> idmap domains = AMFESLAN.LOCAL
>> idmap alloc backend = ldap
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> idmap alloc config:range = 10000-20000
>> idmap alloc config:ldap_url = ldap://127.0.0.1
>> idmap alloc config:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
>> idmap config AMFESLAN.LOCAL:range = 10000-20000
>> idmap config AMFESLAN.LOCAL:ldap_url = ldap://127.0.0.1
>> idmap config AMFESLAN.LOCAL:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
>> idmap config AMFESLAN.LOCAL:backend = ldap
>> idmap config AMFESLAN.LOCAL:default = yes
>>
>
> IDMAP is used to allocate unique UID/GID's for users from a trusted domain so
> they can access resources in our domain. IDMAP is also used to create
> BUILTIN groups.
>
Ok...that part I get. What I don't get -
1. Is the above config (other than the domain name) correct?
2. How does this config differ from my original one - since the docs
say the previous version should have worked?
--
Daniel
John H Terpstra wrote:
> On Tuesday 27 May 2008 05:45:24 pm Daniel L. Miller wrote:
>> OK, payment in advance: :-) :-) :-)
>>
>> Wait a minute, let me change currencies....
>
> Awe .. forget it! ;-)

I'm assuming my last payment still has me covered - if you need more retainer please let me know.

>> Almost there. Really....
>>
>> Do I NEED those builtin groups for anything? Do I WANT those builtin
>> groups for anything (besides avoiding those nuisance error messages in
>> my samba logs)?
>
> You do not need them specifically. They can be useful, but they are certainly
> not essential.

I'm still coming up with a good question to ask on this part....

>>> First: Do NOT use a domain name that has a '.' in it. That has
>>> unexpected name resolution consequences. A Samba smb.conf workgroup
>>> parameter should not have a dot in it.
>>
>> Ok...now that I've setup everything (again, for the nth time), do I need
>> to reconfigure the server and every client? Or just rename it on the
>> server and the change will automagically propagate?
>
> It is safer to re-add your clients to the domain. Even though it is the
> domain SID that really matters. If it changes you can reset it to the
> original value, there are some operations that are tied to the domain name,
> so it is best to readd the clients to the domain.

Is there a better (read: more efficient, automated, less labor-intensive, more fun, whatever) method to re-add than manually visiting each workstation (either physically or via RDC of some sort), leaving the old domain, and then joining the new one?

--
Daniel
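The two configuration points that come out of this thread (a workgroup name with a dot in it, and the per-domain "idmap config DOMAIN:backend" syntax that 3.0.28's winbindd expects) can be checked mechanically before restarting winbindd. The script below is an added example, not code from the thread or from the Samba project; the sample config is constructed to mirror the poster's testparm output, and the function names are my own.

```shell
# Added example, not from the thread: lint an smb.conf (or "testparm -s"
# output) for the two pitfalls raised above: a dotted workgroup name and
# a missing per-domain "idmap config <DOMAIN>:backend" entry.
# Constructed sample mirroring the poster's testparm output (not a real host).
sample_smbconf() {
cat <<'EOF'
[global]
        workgroup = AMFESLAN.LOCAL
        passdb backend = ldapsam:ldap://localhost
        idmap backend = ldap:ldap://127.0.0.1
        winbind enum users = Yes
EOF
}

# Print the value of a [global] parameter; key match is case-insensitive.
smb_param() {  # $1 = file, $2 = parameter name
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/ { insec = (tolower($0) ~ /\[global\]/); next }
        insec && /=/ {
            key = $0; sub(/=.*/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/[ \t]+/, " ", key)
            if (tolower(key) == tolower(want)) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val)
                sub(/[ \t]+$/, "", val); print val; exit
            }
        }' "$1"
}

# True when the workgroup contains a dot (Terpstra's first warning above).
workgroup_has_dot() {
    case "$(smb_param "$1" workgroup)" in *.*) return 0 ;; *) return 1 ;; esac
}

# True when the new winbind syntax names an idmap backend for the workgroup.
idmap_config_present() {
    wg=$(smb_param "$1" workgroup)
    [ -n "$wg" ] && [ -n "$(smb_param "$1" "idmap config $wg:backend")" ]
}

# Print one finding per line; the return code is the number of findings.
lint_smbconf() {
    n=0
    if workgroup_has_dot "$1"; then echo "workgroup has a dot: use a dot-free name"; n=$((n + 1)); fi
    if ! idmap_config_present "$1"; then echo "no 'idmap config <WORKGROUP>:backend' (see man idmap_ldap)"; n=$((n + 1)); fi
    return $n
}

if [ "$#" -eq 1 ]; then lint_smbconf "$1"; fi   # usage: sh lint.sh /etc/samba/smb.conf
```

Run it against `testparm -s` output rather than the raw file if you use `include =` lines, since the script reads a single file.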