Hi.
I have been reading about how to join a Samba server to my current PDC
running Samba+LDAP.
My PDC has a BDC and they are working; I want to add another Samba
server as a domain member server.
The Samba docs have opened my mind about the technical stuff, but I
still cannot make this thing work.
My PDC runs CentOS 5.6, Samba version 3.5.4-0.83.el5_7.2.
My domain member runs CentOS 5.7, Samba version 3.5.4-0.83.el5_7.2.
The old book says:
http://www.samba.org/samba/docs/man/Samba-Guide/unixclients.html
Step 1:
This is my smb.conf from the domain member server:
[global]
workgroup = MYDOMAIN
server string = Develop Server
netbios name = mbx-devel
hosts allow = 192.168.2. 127.
# Linux loopback is "lo" (the post had lo0, the BSD name); with
# bind interfaces only = Yes an interface that does not exist is not bound
interfaces = eth0 lo
bind interfaces only = Yes
hosts deny = 0.0.0.0
remote announce = 192.168.2.255
# LM authentication sends the weak LanMan hash on the wire; only
# Win9x-era clients need it, so leave both off unless such clients exist
lanman auth = Yes
client lanman auth = Yes
security = DOMAIN
# passwd backend
encrypt passwords = yes
passdb backend = ldapsam:"ldap://192.168.2.24/ ldap://192.168.2.25/"
enable privileges = yes
pam password change= Yes
passwd program = /usr/bin/passwd %u
# one line; %n\n is "new password, newline" (the post showed %nn, the
# backslash was lost in transit)
passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
unix password sync = Yes
password server = 192.168.2.24
# Log options
log level = 10
log file = /var/log/samba/%m.log
max log size = 500
syslog = 1
# Name resolution
name resolve order = wins bcast hosts lmhosts
# misc
time server = No
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
use sendfile = yes
# Dos-Attribute
map hidden = No
map system = No
map archive = No
map read only = No
store dos attributes = Yes
Map to Guest = Bad User
# printers - configured to use CUPS and automatically load them
load printers = No
# value blank in the post (the "=" was lost as a soft line break)
printcap name =
# printing cups options
show add printer wizard = No
# LDAP-iConfiguration
# without SSL/TLS the simple bind as ldap admin dn (password from
# secrets.tdb) and every lookup cross the LAN in clear
ldap ssl = off
ldap passwd sync = Yes
ldap suffix = dc=mydomain,dc=local
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=mydomain,dc=local
idmap backend = ldap:ldap://192.168.2.24 ldap://192.168.2.25
idmap uid = 10000-20000
idmap gid = 10000-20000
# logon options
# blank on a member server; the "=" signs were lost in the post as soft
# line breaks ("logon path" appeared twice, kept once)
logon script =
logon path =
logon home =
logon drive =
username map = /etc/samba/smbuser
preferred master = No
wins support = No
wins server = 192.168.2.24
winbind nested groups = Yes
winbind trusted domains only = Yes
winbind use default domain = Yes
winbind separator = +
ea support = Yes
domain logons = No
domain master = No
local master = No
map acl inherit = Yes
unix charset = UTF8
case sensitive = No
Step 2:
Now, the manual says that we need to set up nss_ldap and nsswitch:
/etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
#hosts: db files nisplus nis dns
hosts: files dns wins
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus
Later, the LDAP client:
/etc/ldap.conf
host 192.168.2.24 192.168.2.25
# The distinguished name of the search base.
base dc=mydomain,dc=local
ldap_version 3
# the post showed a different dc= here than the base above (anonymization
# slip). Note: /etc/ldap.conf is world-readable on CentOS 5, so binding as
# the rootdn puts the directory admin password in a 0644 file; nss_ldap
# supports rootbinddn with the password in /etc/ldap.secret (mode 600)
binddn cn=Manager,dc=mydomain,dc=local
bindpw MYPASSWD
port 389
timelimit 120
bind_timelimit 120
bind_policy soft
idle_timelimit 3600
pam_password md5
nss_base_passwd ou=Users,dc=mydomain,dc=local?one
nss_base_shadow ou=Users,dc=mydomain,dc=local?one
nss_base_group ou=Groups,dc=mydomain,dc=local?one
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd,gdm
ssl off
/etc/openldap/ldap.conf
# HOST is deprecated in OpenLDAP in favor of URI (the post had 192.1689.2.24 here, a typo)
HOST 192.168.2.24 192.168.2.25
URI ldap://192.168.2.24 ldap://192.168.2.25
BASE dc=mydomain,dc=local
Test:
getent passwd
getent group
works.
From here, the doc starts speaking about slapcat, which is a tool from
openldap-server:
The LDAP directory must have a container object for IDMAP data. There
are several ways you can check that your LDAP database is able to
receive IDMAP information. One of the simplest is to execute:
Must my client (domain member server) have this?
Step 6:
smbpasswd done!!!
Step 7:
net rpc join -S MYPDC-Name -Uroot
Done, my PDC shows me my domain member server.
Test:
net rpc info -S MyPDC -U root
Enter root's password:
Domain Name: MYDOMAIN
Domain SID: S-1-5-21-805595659-1689854870-1539857752
Sequence number: 1316645662
Num users: 105
Num domain groups: 5
Num local groups: 0
Step 8:
wbinfo --set-auth-user=Administrator%not24get
This functionality was moved to the 'net' utility.
See 'net help setauthuser' for details.
net setauthuser -U root
Enter the auth user's password:
Done, nothing wrong came back.
Services:
I get a lot of messages when I start the smb service that complain about
CUPS; I was thinking that maybe Samba 3.5.x needs that service, so I got
the service running, but nothing changed.
winbind running
nmb running
service smb start
Starting SMB services:
As you see, the service never returns to the shell; it is like it is
doing something and never gives my shell back.
ps -ax | grep smb
Warning: bad syntax, perhaps a bogus '-'? See
/usr/share/doc/procps-3.2.7/FAQ
12707 pts/1 S+ 0:00 /bin/sh /sbin/service smb start
12712 pts/1 S+ 0:00 /bin/sh /etc/init.d/smb start
12715 pts/1 S+ 0:00 /bin/bash -c ulimit -S -c 0 >/dev/null 2>&1 ; smbd -D
12716 pts/1 S+ 0:00 smbd -D
12719 pts/0 S+ 0:00 grep smb
If I don't stop the task with Ctrl+C, I can open another shell and the smb
service says it is running:
service smb status
smbd (pid 12716) is running...
smbstatus:
lang_tdb_init: /usr/lib/samba/en_US.UTF-8.msg: No such file or directory
sessionid.tdb not initialised
Service pid machine Connected at
-------------------------------------------------------
tdb(unnamed): tdb_open_ex: could not open file /var/lib/samba/locking.tdb: No such file or directory
Could not open tdb: No such file or directory
/var/lib/samba/locking.tdb not initialised
This is normal if an SMB client has never connected to your server.
This is the last part; my log level is 10, so I get more output.
If I run pdbedit -L I get this:
The connection to the LDAP server was closed
smb_ldap_setup_connection: ldap://192.168.2.24/ ldap://192.168.2.25/
smbldap_open_connection: connection opened
ldap_connect_system: Binding to ldap server ldap://192.168.2.24/ ldap://192.168.2.25/ as "cn=Manager,dc=mydomain,dc=local"
ldap_connect_system: successful connection to the LDAP server
ldap_connect_system: LDAP server does support paged results
The LDAP server is successfully connected
pdb backend ldapsam:"ldap://192.168.2.24/ ldap://192.168.2.25/" has a valid init
smbldap_search_paged: base => [dc=mydomain,dc=local], filter => [(&(uid=*)(objectclass=sambaSamAccount))], scope => [2], pagesize => [1024]
smbldap_search_ext: base => [dc=mydomain,dc=local], filter => [(&(uid=*)(objectclass=sambaSamAccount))], scope => [2]
smbldap_search_paged: search was successful
"displayName" not found
"description" not found
sid S-1-5-21-805595659-1689854870-1539857752-1000 does not belong to our domain
Skipping entry uid=root,ou=Users,dc=mydomain,dc=local
"displayName" not found
"description" not found
...
sid S-1-5-21-805595659-1689854870-1539857752-1069 does not belong to our domain
Skipping entry uid=rhernandez,ou=Users,dc=mydomain,dc=local
sid S-1-5-21-805595659-1689854870-1539857752-1070 does not belong to our domain
Skipping entry uid=mbx-debug$,ou=Computers,dc=mydomain,dc=local
sid S-1-5-21-805595659-1689854870-1539857752-1071 does not belong to our domain
Skipping entry uid=mbx-scan1$,ou=Computers,dc=mydomain,dc=local
sid S-1-5-21-805595659-1689854870-1539857752-1074 does not belong to our domain
Skipping entry uid=mbx-devel$,ou=Computers,dc=mydomain,dc=local
My SID:
net getdomainsid
SID for local machine MBX-DEVEL is: S-1-5-21-3297652681-580672025-4178914628
SID for domain MYDOMAIN is: S-1-5-21-805595659-1689854870-1539857752
I have read the logs but don't see any error that could help me.
Am I missing something?
Living the dream..
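The post ends with `net getdomainsid` printing two different SIDs while `pdbedit -L` rejects every LDAP entry that carries the domain SID. The script below is an added diagnostic, not part of the original post or of Samba: it parses those two outputs (the sample text is constructed from the lines quoted above, and the line shapes are assumed to be what Samba 3.5 prints) and names the failure mode, so a SID mismatch on the member server can be told apart from directory entries that really belong to a third domain. Function names and the verdict words are my own.

```shell
#!/bin/sh
# Added example: classify "sid ... does not belong to our domain" lines from
# `pdbedit -L -d 10` against the SIDs that `net getdomainsid` reports.

# Constructed sample, same shape as the output quoted in the post.
SAMPLE_GETDOMAINSID='SID for local machine MBX-DEVEL is: S-1-5-21-3297652681-580672025-4178914628
SID for domain MYDOMAIN is: S-1-5-21-805595659-1689854870-1539857752'

SAMPLE_PDBEDIT_LOG='smbldap_search_paged: search was successful
sid S-1-5-21-805595659-1689854870-1539857752-1000 does not belong to our domain
Skipping entry uid=root,ou=Users,dc=mydomain,dc=local
sid S-1-5-21-805595659-1689854870-1539857752-1074 does not belong to our domain
Skipping entry uid=mbx-devel$,ou=Computers,dc=mydomain,dc=local'

# Constructed counter-example: an entry whose SID comes from some other domain.
SAMPLE_FOREIGN_LOG='sid S-1-5-21-111-222-333-1000 does not belong to our domain
Skipping entry uid=someone,ou=Users,dc=other,dc=local'

# An account SID is <domain SID>-<RID>; strip the RID to get the domain part.
sid_domain_part() { printf '%s\n' "$1" | sed 's/-[0-9]*$//'; }

# Pull the two SIDs out of `net getdomainsid` output.
local_sid_of()  { printf '%s\n' "$1" | sed -n 's/^SID for local machine .* is: //p'; }
domain_sid_of() { printf '%s\n' "$1" | sed -n 's/^SID for domain .* is: //p'; }

# Every SID that pdbedit rejected, one per line.
rejected_sids() {
  printf '%s\n' "$1" | sed -n 's/^sid \(S-[0-9-]*\) does not belong to our domain.*$/\1/p'
}

# Print one verdict word:
#   local-sid-mismatch  rejected SIDs carry the domain SID, but this host's
#                       local SID differs, so ldapsam treats them as foreign
#   foreign-entries     at least one rejected SID is from a third SID entirely
#   ok                  nothing rejected and local SID equals domain SID
#   unexplained         entries rejected although the SIDs already agree
diagnose() {
  gds=$1 log=$2
  lsid=$(local_sid_of "$gds")
  dsid=$(domain_sid_of "$gds")
  foreign=0 rejected=0
  for s in $(rejected_sids "$log"); do
    rejected=$((rejected + 1))
    [ "$(sid_domain_part "$s")" = "$dsid" ] || foreign=$((foreign + 1))
  done
  if [ "$foreign" -gt 0 ]; then
    echo foreign-entries
  elif [ "$lsid" != "$dsid" ]; then
    echo local-sid-mismatch
  elif [ "$rejected" -eq 0 ]; then
    echo ok
  else
    echo unexplained
  fi
}

# Live use on the member server (kept commented so the script runs offline):
#   diagnose "$(net getdomainsid)" "$(pdbedit -L -d 10 2>&1)"
echo "sample verdict: $(diagnose "$SAMPLE_GETDOMAINSID" "$SAMPLE_PDBEDIT_LOG")"
```

On the sample from the post the verdict is `local-sid-mismatch`: every rejected SID has the prefix of the domain SID, and the only thing that differs is the member's own machine SID. That matches how ldapsam behaves on a domain member: it compares each entry's SID prefix with the SID that `net getlocalsid` reports for the machine, not with the domain SID, so a member that points `passdb backend` at the PDC's directory while keeping its own machine SID rejects everything, including its own mbx-devel$ account. The usual remedy for that layout is to make the member's local SID equal to the domain SID (`net setlocalsid S-1-5-21-805595659-1689854870-1539857752`, then confirm with `net getlocalsid`), or to stop sharing the domain SAM and let winbind serve domain users on the member with a local passdb. A `foreign-entries` verdict would instead mean the directory holds accounts stamped with another domain's SID and the LDAP data itself needs fixing.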