David Markey
2009-Jan-21 00:28 UTC
[Samba] Issue with file server (Non-Domain Controller) authenticating off the same LDAP as the PDC
Hi,

Samba version 3.2-test (from git)

I have a PDC (CS domain) called kerry with an OpenLDAP backend. I have a file server that I want to authenticate off the same LDAP as the PDC, but I don't want it to be a BDC. This machine is called offaly.

I would have thought that this would work pretty smoothly if I just configured domain logons = no.

But then the file server generates its own SID, doesn't use the SID for the CS domain, and creates its own account policies.

Is there any way to have domain logons = yes but not act as a BDC, or is it possible to have domain logons = no and conform to the SID and account policies for the CS domain?

More info:

When domain logons = no, it generates this in LDAP:

dn: sambaDomainName=OFFALY,dc=cs,dc=dit,dc=ie
sambaDomainName: OFFALY
sambaSID: S-1-5-21-1810654286-1445949878-2619355827
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 1000
structuralObjectClass: sambaDomain
entryUUID: 1db04188-79bc-102d-8b3c-bff53cf5d285
creatorsName: cn=admin,dc=cs,dc=dit,dc=ie
createTimestamp: 20090118145748Z
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0

But I want it to use the CS domain one, namely:

dn: sambaDomainName=CS,dc=cs,dc=dit,dc=ie
sambaAlgorithmicRidBase: 1000
sambaNextUserRid: 1000
structuralObjectClass: sambaDomain
entryUUID: cf6b1632-7886-102d-88b4-cdd5ec2918da
creatorsName: cn=admin,dc=cs,dc=dit,dc=ie
createTimestamp: 20090117020342Z
sambaRefuseMachinePwdChange: 0
gidNumber: 1000
sambaDomainName: CS
sambaSID: S-1-5-21-162219125-2768231107-2725269179
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaLockoutDuration: 10
sambaLockoutObservationWindow: 10
sambaLockoutThreshold: 5
sambaMinPwdLength: 5
sambaPwdHistoryLength: 5
sambaLogonToChgPwd: 0
sambaMaxPwdAge: 7776000
sambaMinPwdAge: 0
sambaForceLogoff: -1
uidNumber: 1009
sambaNextRid: 1002

Any ideas?

Thanks,
David
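The two sambaDomain entries in the post differ in more than the SID: the auto-generated OFFALY entry also carries laxer account policies (no password history, no password expiry, lockout disabled). The following script is an added example, not code from this thread or from Samba; it parses both entries (constructed inline from the post, trimmed to the attributes compared) and reports where the file server's policy is weaker than the PDC's, with a separate SID check.

```python
# Added example, not from the thread: the LDIF below is constructed from the
# two sambaDomain entries quoted in the post, trimmed to the attributes compared.
LDIF = """\
dn: sambaDomainName=OFFALY,dc=cs,dc=dit,dc=ie
sambaDomainName: OFFALY
sambaSID: S-1-5-21-1810654286-1445949878-2619355827
sambaMinPwdLength: 5
sambaPwdHistoryLength: 0
sambaMaxPwdAge: -1
sambaLockoutDuration: 30
sambaLockoutThreshold: 0

dn: sambaDomainName=CS,dc=cs,dc=dit,dc=ie
sambaDomainName: CS
sambaSID: S-1-5-21-162219125-2768231107-2725269179
sambaMinPwdLength: 5
sambaPwdHistoryLength: 5
sambaMaxPwdAge: 7776000
sambaLockoutDuration: 10
sambaLockoutThreshold: 5
"""

POLICY_ATTRS = ("sambaMinPwdLength", "sambaPwdHistoryLength", "sambaMaxPwdAge",
                "sambaLockoutDuration", "sambaLockoutThreshold")

def parse_ldif(text):
    """Return {sambaDomainName: {attr: value}}; a blank line separates entries."""
    entries = {}
    for block in text.strip().split("\n\n"):
        entry = dict(line.partition(": ")[::2] for line in block.splitlines())
        entries[entry["sambaDomainName"]] = entry
    return entries

def strictness(attr, value):
    """Map a policy value to a number where higher means stricter."""
    v = int(value)
    if attr == "sambaMaxPwdAge":           # -1 means passwords never expire
        return 0.0 if v < 0 else 1.0 / v   # shorter maximum age is stricter
    if attr == "sambaLockoutThreshold":    # 0 means lockout is disabled
        return 0.0 if v == 0 else 1.0 / v  # fewer allowed failures is stricter
    return float(v)                        # length / history / duration: higher is stricter

def weaker_policies(entries, server, pdc):
    """List (attr, server_value, pdc_value) where `server` is laxer than `pdc`."""
    s, p = entries[server], entries[pdc]
    return [(a, s[a], p[a]) for a in POLICY_ATTRS
            if strictness(a, s[a]) < strictness(a, p[a])]

def same_sid(entries, a, b):  # do both entries carry the same domain SID?
    return entries[a]["sambaSID"] == entries[b]["sambaSID"]
```

Run against a live directory, the same comparison can be fed with the output of an ldapsearch for objectClass=sambaDomain instead of the embedded text.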
Dale Schroeder
2009-Jan-21 18:38 UTC
[Samba] Issue with file server (Non-Domain Controller) authenticating off the same LDAP as the PDC
See if this is what you want:

http://us1.samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap

Hope it helps.

Dale