I've almost got it. I swear I've almost got it (and I've been doing a lot of swearing lately).

I re-built my PDC, starting from scratch. I'm not using the editposix extensions anymore - I'm using the smbldap tools as shown (I think) in the Samba by Example.

I really really thought I did everything right. Obviously I was wrong.

What works - all my workstations and logins. Add/create users, join workstations to domain. Just about everything.

The last little item - winbind.

I suppose I need to give some vitals:
Samba 3.0.28a.
Samba PDC - no Windows servers, no BDC's, no member servers.
Linux and Windows XP workstations.
OpenLDAP backend with combined Unix and Windows users (using LDAP-Account Manager).

First question: under this configuration, do I need winbind at all?

If the answer is yes, second question:
wbinfo -t yields: checking the trust secret via RPC calls succeeded
wbinfo -u yields: Error looking up domain users

The logfile log.wb-AMFESLAN.LOCAL has
[2008/05/27 12:17:40, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from remote machine BUBBA pipe \lsarpc fnum 0x7169!

logfile log.winbindd-idmap has
[2008/05/27 12:17:40, 1] nsswitch/idmap.c:idmap_init(377)
  Initializing idmap domains
[2008/05/27 12:17:40, 0] nsswitch/idmap.c:idmap_init(388)
  idmap_init: Ignoring domain AMFESLAN.LOCAL

I should also mention that I can't add the built-in or local groups using net.

partial output of testparm:
Processing section "[printers]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
    workgroup = AMFESLAN.LOCAL
    realm = AMFESLAN.LOCAL
    server string = %h server (Samba, Ubuntu)
    map to guest = Bad User
    obey pam restrictions = Yes
    passdb backend = ldapsam:ldap://localhost
    pam password change = Yes
    passwd program = /usr/sbin/smbldap-passwd -u %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *all*authentication*tokens*updated*
    username map = /etc/samba/smbusers
    unix password sync = Yes
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    time server = Yes
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=20480 SO_SNDBUF=20480
    add user script = /usr/sbin/smbldap-useradd -m "%u"
    delete user script = /usr/sbin/smbldap-userdel "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    delete group script = /usr/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
    add machine script = /usr/sbin/smbldap-useradd -w "%u"
    logon script = logon.cmd
    logon path = \\%L\profiles\%U\%a
    logon drive = U:
    logon home
    domain logons = Yes
    os level = 64
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    ldap admin dn = "cn=admin,dc=amfeslan,dc=local"
    ldap delete dn = Yes
    ldap group suffix = ou=groups
    ldap idmap suffix = ou=idmap
    ldap machine suffix = ou=machines,ou=users
    ldap passwd sync = Yes
    ldap suffix = dc=amfeslan,dc=local
    ldap ssl = no
    ldap user suffix = ou=users
    panic action = /usr/share/samba/panic-action %d
    idmap backend = ldap:ldap://127.0.0.1
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = Yes
    winbind enum groups = Yes
    ea support = Yes
    profile acls = Yes
    veto oplock files = /*.QBW/*.qbw/*.MDB/*.mdb/
    dos filemode = Yes

[printers]
    comment = All Printers
    path = /var/spool/samba
    create mask = 0700
    guest ok = Yes
    printable = Yes
    browseable = No

--
Daniel
No, you don't need winbind; I'm using LDAP + samba + NSS_LDAP.

Paste your net command and the error(s) it's giving.

Daniel L. Miller wrote:
> I've almost got it. I swear I've almost got it (and I've been doing a
> lot of swearing lately).
>
> I re-built my PDC, starting from scratch. I'm not using the editposix
> extensions anymore - I'm using the smbldap tools as shown (I think) in
> the Samba by Example.
>
> I really really thought I did everything right. Obviously I was wrong.
>
> What works - all my workstations and logins. Add/create users, join
> workstations to domain. Just about everything.
>
> The last little item - winbind.
>
> I suppose I need to give some vitals:
> Samba 3.0.28a.
> Samba PDC - no Windows servers, no BDC's, no member servers.
> Linux and Windows XP workstations.
> OpenLDAP backend with combined Unix and Windows users (using
> LDAP-Account Manager).
>
> First question: under this configuration, do I need winbind at all?
>
> If the answer is yes, second question:
> wbinfo -t yields: checking the trust secret via RPC calls succeeded
> wbinfo -u yields: Error looking up domain users
>
> The logfile log.wb-AMFESLAN.LOCAL has
> [2008/05/27 12:17:40, 1]
> rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
>   cli_pipe_validate_current_pdu: RPC fault code
> DCERPC_FAULT_OP_RNG_ERROR received from remote machine BUBBA pipe
> \lsarpc fnum 0x7169!
>
> logfile log.winbindd-idmap has
> [2008/05/27 12:17:40, 1] nsswitch/idmap.c:idmap_init(377)
>   Initializing idmap domains
> [2008/05/27 12:17:40, 0] nsswitch/idmap.c:idmap_init(388)
>   idmap_init: Ignoring domain AMFESLAN.LOCAL
>
> I should also mention that I can't add the built-in or local groups
> using net.
>
> partial output of testparm:
> Processing section "[printers]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_PDC
> Press enter to see a dump of your service definitions
>
> [global]
>     workgroup = AMFESLAN.LOCAL
>     realm = AMFESLAN.LOCAL
>     server string = %h server (Samba, Ubuntu)
>     map to guest = Bad User
>     obey pam restrictions = Yes
>     passdb backend = ldapsam:ldap://localhost
>     pam password change = Yes
>     passwd program = /usr/sbin/smbldap-passwd -u %u
>     passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *all*authentication*tokens*updated*
>     username map = /etc/samba/smbusers
>     unix password sync = Yes
>     syslog = 0
>     log file = /var/log/samba/log.%m
>     max log size = 1000
>     time server = Yes
>     socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=20480 SO_SNDBUF=20480
>     add user script = /usr/sbin/smbldap-useradd -m "%u"
>     delete user script = /usr/sbin/smbldap-userdel "%u"
>     add group script = /usr/sbin/smbldap-groupadd -p "%g"
>     delete group script = /usr/sbin/smbldap-groupdel "%g"
>     add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>     delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>     set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>     add machine script = /usr/sbin/smbldap-useradd -w "%u"
>     logon script = logon.cmd
>     logon path = \\%L\profiles\%U\%a
>     logon drive = U:
>     logon home
>     domain logons = Yes
>     os level = 64
>     preferred master = Yes
>     domain master = Yes
>     wins support = Yes
>     ldap admin dn = "cn=admin,dc=amfeslan,dc=local"
>     ldap delete dn = Yes
>     ldap group suffix = ou=groups
>     ldap idmap suffix = ou=idmap
>     ldap machine suffix = ou=machines,ou=users
>     ldap passwd sync = Yes
>     ldap suffix = dc=amfeslan,dc=local
>     ldap ssl = no
>     ldap user suffix = ou=users
>     panic action = /usr/share/samba/panic-action %d
>     idmap backend = ldap:ldap://127.0.0.1
>     idmap uid = 10000-20000
>     idmap gid = 10000-20000
>     winbind enum users = Yes
>     winbind enum groups = Yes
>     ea support = Yes
>     profile acls = Yes
>     veto oplock files = /*.QBW/*.qbw/*.MDB/*.mdb/
>     dos filemode = Yes
>
> [printers]
>     comment = All Printers
>     path = /var/spool/samba
>     create mask = 0700
>     guest ok = Yes
>     printable = Yes
>     browseable = No
>
John H Terpstra wrote:
> On Tuesday 27 May 2008 02:22:15 pm Daniel L. Miller wrote:
>
>> I've almost got it. I swear I've almost got it (and I've been doing a
>> lot of swearing lately).
>>
>
> Swearing does not help much. :-)
>
It does too! I haven't broken a single keyboard!

>> I re-built my PDC, starting from scratch. I'm not using the editposix
>> extensions anymore - I'm using the smbldap tools as shown (I think) in
>> the Samba by Example.
>>
>
> Now that is a really good guide. (Biased opinion of course!) It is a pity that
> this book is a little out of date. Someone really should contribute updates
> to it I guess.
>
I'd be delighted to - but at the moment it'd be the blind leading the totally clueless.

>> I really really thought I did everything right. Obviously I was wrong.
>>
>
> Ah, you mean you have been learning to swim. A good start to using Samba.
>
Unfortunately I still splash far too much without making efficient forward progress. I can go sideways really good though!

>> First question: under this configuration, do I need winbind at all?
>>
>
> That depends! You can probably get away without winbind. If you do need it,
> you should update the configuration since winbindd has changed since Samba
> 3.0.20 - the version the book was last updated for.
>
Something I haven't seen in print yet - so I'll ask the question. WHEN is the appropriate time to use winbind with PDC's and BDC's? If the only (intended) purpose is for member servers and joining Windows NT/2000+ domains - please say so. The 3.2 Using Samba says "...in the majority of cases winbind is of primary interest for use with domain member servers (DMSs) and domain member clients (DMCs)." - but that's not quite the same as, "In an exclusively Samba server environment, with a common LDAP backend (replicated or single), winbind offers no additional features and in fact can cause problems. Do NOT use winbind in such a configuration."

>> If the answer is yes, second question:
>> wbinfo -t yields: checking the trust secret via RPC calls succeeded
>> wbinfo -u yields: Error looking up domain users
>>
>
> It is no longer possible to use wbinfo on the PDC itself. See Samba Bugzilla
> bug no. 5453.
>
>
>> I should also mention that I can't add the built-in or local groups
>> using net.
>>
>
> Correct. For that you will need the new winbind configuration syntax - you are
> running 3.0.28 aren't you? See man idmap_ldap, or man idmap_tdb.
>
Now I'm more confused. I'm reviewing those pages - and while I do see some other parameters, they say in their absence they will default to using the ones I've specified. I don't see what I'm missing. I've revised to show:

    idmap domains = AMFESLAN.LOCAL
    idmap alloc backend = ldap
    winbind enum users = Yes
    winbind enum groups = Yes
    idmap alloc config:range = 10000-20000
    idmap alloc config:ldap_url = ldap://127.0.0.1
    idmap alloc config:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
    idmap config AMFESLAN.LOCAL:range = 10000-20000
    idmap config AMFESLAN.LOCAL:ldap_url = ldap://127.0.0.1
    idmap config AMFESLAN.LOCAL:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
    idmap config AMFESLAN.LOCAL:backend = ldap
    idmap config AMFESLAN.LOCAL:default = yes

Functionality and error messages remain the same.

> I hope that helps.
>
Helps a lot - but I'm needy and greedy and would still appreciate more of your insight.

--
Daniel
OK, payment in advance: :-) :-) :-)

Wait a minute, let me change currencies....

       _.-'''''-._
     .'  _     _  '.
    /   (o)   (o)   \
    |               |
    |   \       /   |
     \   '.   .'   /
      '.  `'---'`  .'
        '-._____.-'

       _.-'''''-._
     .'  _     _  '.
    /   (o)   (o)   \
    |               |
    |   \       /   |
     \   '.   .'   /
      '.  `'---'`  .'
        '-._____.-'

       _.-'''''-._
     .'  _     _  '.
    /   (o)   (o)   \
    |               |
    |   \       /   |
     \   '.   .'   /
      '.  `'---'`  .'
        '-._____.-'

John H Terpstra wrote:
>> Something I haven't seen in print yet - so I'll ask the question. WHEN
>> is the appropriate time to use winbind with PDC's and BDC's?
>>
>
> Winbind is needed when you have domain member servers, and to deal with SIDs
> for users of trusted foreign domains. Winbind is essential for interdomain
> trust handling.
>
> If all your clients are domain members, and you never get clients from trusted
> domains on the network, you do not need winbind. You can operate without it
> without loss of service, but you will not have use of BUILTIN groups (these
> are created and managed by winbind).
>
Almost there. Really....

Do I NEED those builtin groups for anything? Do I WANT those builtin groups for anything (besides avoiding those nuisance error messages in my samba logs)?

If a couple clients are non-domain members (laptops that periodically plug in) - but still no trusted domains involved - is there any need for winbind?

> First: Do NOT use a domain name that has a '.' in it. That has unexpected
> name resolution consequences. A Samba smb.conf workgroup= parameter should
> not have a dot in it.
>
Ok...now that I've set up everything (again, for the nth time), do I need to reconfigure the server and every client? Or just rename it on the server and the change will automagically propagate? And beyond updating my SRV records, will this have other DNS consequences?

>> idmap domains = AMFESLAN.LOCAL
>> idmap alloc backend = ldap
>> winbind enum users = Yes
>> winbind enum groups = Yes
>> idmap alloc config:range = 10000-20000
>> idmap alloc config:ldap_url = ldap://127.0.0.1
>> idmap alloc config:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
>> idmap config AMFESLAN.LOCAL:range = 10000-20000
>> idmap config AMFESLAN.LOCAL:ldap_url = ldap://127.0.0.1
>> idmap config AMFESLAN.LOCAL:ldap_base_dn =
>> ou=idmap,dc=amfeslan,dc=local
>> idmap config AMFESLAN.LOCAL:backend = ldap
>> idmap config AMFESLAN.LOCAL:default = yes
>>
>
> IDMAP is used to allocate unique UID/GID's for users from a trusted domain so
> they can access resources in our domain. IDMAP is also used to create
> BUILTIN groups.
>
Ok...that part I get. What I don't get -
1. Is the above config (other than the domain name) correct?
2. How does this config differ from my original one - since the docs say the previous version should have worked?

--
Daniel
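As an added example (not code from the thread or from Samba), a small Python lint that parses the [global] section of an smb.conf and flags the two things raised above: a workgroup name containing a dot, and a domain listed in "idmap domains" that lacks a backend or a sane LOW-HIGH range under the new "idmap config DOMAIN:" syntax. The embedded smb.conf text is constructed from the revised settings quoted in this thread; the parse_smb_conf, check_idmap and lint names are my own.

```python
import re

# Constructed sample: the revised idmap settings quoted in the thread,
# plus the dotted workgroup name that the reply warns against.
SAMPLE_SMB_CONF = """
[global]
    workgroup = AMFESLAN.LOCAL
    idmap domains = AMFESLAN.LOCAL
    idmap alloc backend = ldap
    idmap alloc config:range = 10000-20000
    idmap config AMFESLAN.LOCAL:range = 10000-20000
    idmap config AMFESLAN.LOCAL:ldap_url = ldap://127.0.0.1
    idmap config AMFESLAN.LOCAL:backend = ldap
    idmap config AMFESLAN.LOCAL:default = yes
"""

def parse_smb_conf(text):
    """Minimal smb.conf parser -> {section: {param: value}}.
    Parameter names are lower-cased with whitespace collapsed, since Samba
    compares them case-insensitively; values keep their case."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # full-line comments only
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf[section] = {}
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)       # first '=' separates key
            conf[section][" ".join(key.lower().split())] = value.strip()
    return conf

def check_idmap(conf):
    """Return findings for the problems discussed in the thread."""
    g, findings = conf.get("global", {}), []
    wg = g.get("workgroup", "")
    if "." in wg:
        findings.append(f"workgroup '{wg}' contains a dot; use a flat NetBIOS name")
    for dom in g.get("idmap domains", "").replace(",", " ").split():
        prefix = f"idmap config {dom.lower()}:"
        for needed in ("backend", "range"):
            if prefix + needed not in g:
                findings.append(f"{dom}: missing '{prefix}{needed}'")
        rng = g.get(prefix + "range")
        if rng is not None:
            m = re.fullmatch(r"\s*(\d+)\s*-\s*(\d+)\s*", rng)
            if not m or int(m.group(1)) >= int(m.group(2)):
                findings.append(f"{dom}: range '{rng}' is not LOW-HIGH with LOW < HIGH")
    return findings

def lint(text):
    return check_idmap(parse_smb_conf(text))
```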
John H Terpstra wrote:
> On Tuesday 27 May 2008 05:45:24 pm Daniel L. Miller wrote:
>
>> OK, payment in advance: :-) :-) :-)
>>
>> Wait a minute, let me change currencies....
>>
>
> Awe .. forget it! ;-)
>
I'm assuming my last payment still has me covered - if you need more retainer please let me know.

>>
>> Almost there. Really....
>>
>> Do I NEED those builtin groups for anything? Do I WANT those builtin
>> groups for anything (besides avoiding those nuisance error messages in
>> my samba logs)?
>>
>
> You do not need them specifically. They can be useful, but they are certainly
> not essential.
>
I'm still coming up with a good question to ask on this part....

>
>>> First: Do NOT use a domain name that has a '.' in it. That has
>>> unexpected name resolution consequences. A Samba smb.conf workgroup
>>> parameter should not have a dot in it.
>>>
>> Ok...now that I've set up everything (again, for the nth time), do I need
>> to reconfigure the server and every client? Or just rename it on the
>> server and the change will automagically propagate?
>>
>
> It is safer to re-add your clients to the domain. Even though it is the
> domain SID that really matters. If it changes you can reset it to the
> original value, there are some operations that are tied to the domain name,
> so it is best to re-add the clients to the domain.
>
Is there a better (read: more efficient, automated, less labor-intensive, more fun, whatever) method to re-add than manually visiting each workstation (either physically or via RDC of some sort), leaving the old domain, and then joining the new one?

--
Daniel