Hi,
I'm new here and I've got a problem. OK this is evident.
Running OpenSuSE 13.1 as SAMBA4-PDC with OpenLDAP backend. All from SuSE repos.
Works fine except joining a Windows client to the domain. This also means no
shared profiles.
I'm able to use the shares from the PDC on the Windows clients. User and
group permissions are working.
smb.conf:
[global]
workgroup = BIH
name resolve order = bcast host lmhosts wins
dns forwarder = xxx.xxx.xxx.xxx
log file = /var/log/samba/log.%m
max log size = 50
debug level = 10
debug pid = Yes
bind interfaces only = yes
passdb backend = ldapsam:ldap://gen.hhi.hamburg.de
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = Yes
add machine script = /sbin/yast /usr/share/YaST2/data/add_machine.rb %m$
domain logons = Yes
domain master = Yes
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Machines
ldap passwd sync = Yes
ldap user suffix = ou=Users
local master = Yes
os level = 65
preferred master = Yes
security = user
usershare max shares = 100
wins support = Yes
idmap backend = ldap:ldap://gen.hhi.hamburg.de
ldap suffix = dc=hhi,dc=hamburg,dc=de
ldap admin dn = cn=Administrator,dc=hhi,dc=hamburg,dc=de
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[profiles]
comment = Network Profiles Service
path = %H
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/
[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes
...
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
write list = root
[public]
comment = public samba folder
guest ok = Yes
inherit acls = Yes
path = /home/samba/public
read only = Yes
Communication between PDC and LDAP server works. Samba passwords from the users
are used properly.
The machine account was added as an LDIF from an old and still working Samba 3
server, because smbldap is not in the SuSE repos. Adduser creates
machine accounts only in /etc/passwd and shadow, not in the LDAP.
bremen.ldif:
# bremen$, Machines,hhi.hamburg.de
dn: uid=bremen$,ou=Machines,dc=hhi,dc=hamburg,dc=de
sambaLMPassword: XXXXXXXXXXXXXXXXXX
sambaPrimaryGroupSID: S-1-5-21-XXXXXXXXXXXXXXXX-1201
givenName: bremen
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: sambaSamAccount
userPassword:: XXXXXXXXXXXXXXXXXXXXX
uid: bremen$
uidNumber: 1002
cn: bremen
sambaPwdLastSet: 1401797671
loginShell: /bin/bash
sambaAcctFlags: [U ]
gidNumber: 100
sambaPwdMustChange: 2147483647
sambaNTPassword: XXXXXXXXXXXXXXXXXX
sambaPwdCanChange: 1401797671
sambaSID: S-1-5-21-XXXXXXXXXXXXXXXXXX-3004
homeDirectory: /dev/null
sn: machine
Trying to join leads to an error message about an existing account.
If the LDAP entry is deleted, the client complains that this account doesn't
exist in the domain.
So, they are talking with each other.
Wireshark shows all involved machines communicating.
/var/log/samba/log.bremen ends with:
[2014/06/13 16:12:30.005919, 10, pid=48495, effective(0, 0), real(0, 0)]
../source3/smbd/smb2_server.c:2499(smbd_smb2_request_done_ex)
smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[4] dyn[no:0] at
../source3/smbd/smb2_sesssetup.c:793
[2014/06/13 16:12:30.005955, 10, pid=48495, effective(0, 0), real(0, 0)]
../source3/smbd/smb2_server.c:874(smb2_set_operation_credit)
smb2_set_operation_credit: requested 1, charge 1, granted 1, current
possible/max 482/512, total granted/max/low/range 31/8192/41/31
[2014/06/13 16:12:30.006589, 10, pid=48495, effective(0, 0), real(0, 0)]
../source3/smbd/smb2_server.c:1002(smbd_server_connection_terminate_ex)
smbd_server_connection_terminate_ex: reason[NT_STATUS_CONNECTION_RESET] at
../source3/smbd/smb2_server.c:3293
[2014/06/13 16:12:30.006660, 4, pid=48495, effective(0, 0), real(0, 0)]
../source3/smbd/sec_ctx.c:316(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2014/06/13 16:12:30.006694, 5, pid=48495, effective(0, 0), real(0, 0)]
../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2014/06/13 16:12:30.006723, 5, pid=48495, effective(0, 0), real(0, 0)]
../source3/auth/token_util.c:528(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2014/06/13 16:12:30.006774, 5, pid=48495, effective(0, 0), real(0, 0)]
../source3/smbd/uid.c:425(smbd_change_to_root_user)
change_to_root_user: now uid=(0,0) gid=(0,0)
[2014/06/13 16:12:30.006812, 4, pid=48495, effective(0, 0), real(0, 0)]
../source3/smbd/sec_ctx.c:316(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2014/06/13 16:12:30.006842, 5, pid=48495, effective(0, 0), real(0, 0)]
../libcli/security/security_token.c:53(security_token_debug)
Security token: (NULL)
[2014/06/13 16:12:30.006870, 5, pid=48495, effective(0, 0), real(0, 0)]
../source3/auth/token_util.c:528(debug_unix_user_token)
UNIX token of user 0
Primary group is 0 and contains 0 supplementary groups
[2014/06/13 16:12:30.006913, 5, pid=48495, effective(0, 0), real(0, 0)]
../source3/smbd/uid.c:425(smbd_change_to_root_user)
change_to_root_user: now uid=(0,0) gid=(0,0)
[2014/06/13 16:12:30.006953, 5, pid=48495, effective(0, 0), real(0, 0)]
../source3/lib/messages.c:340(messaging_deregister)
Deregistering messaging pointer for type 1536 - private_data=0x7f5a2f0fdc30
[2014/06/13 16:12:30.007051, 3, pid=48495, effective(0, 0), real(0, 0)]
../source3/smbd/server_exit.c:212(exit_server_common)
Server exit (NT_STATUS_CONNECTION_RESET)
He just said bye.
I can't find any report that Samba 4 is running as a PDC with an
OpenLDAP backend and allowing Windows clients to join and use roaming profiles.
Did anyone figure out how to do it?
As far as I understood, only AD servers need the Samba-internal LDAP.
Any help would be fantastic.
Ciao
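An added example, not from the post above: a small checker that parses an ldapsam machine-account LDIF record (including `::` base64 values) and flags deviations from Samba's conventions for workstation trust accounts, namely a uid without a trailing `$`, a sambaAcctFlags value without `W` (Samba marks trust accounts with W; `[U ]` as in bremen.ldif is the user flag), a sambaSID RID that does not match the default algorithmic mapping (2 * uidNumber + the 1000 "algorithmic rid base"), and a primary group SID outside the account's domain. The sample record is constructed from bremen.ldif; its domain SID and password value are placeholders.

```python
# Added example (not from the post): sanity checks for an ldapsam machine account.
import base64

# Constructed sample modelled on bremen.ldif; domain SID and password are placeholders.
SAMPLE_LDIF = """\
dn: uid=bremen$,ou=Machines,dc=hhi,dc=hamburg,dc=de
uid: bremen$
uidNumber: 1002
sambaAcctFlags: [U ]
sambaSID: S-1-5-21-1111-2222-3333-3004
sambaPrimaryGroupSID: S-1-5-21-1111-2222-3333-1201
loginShell: /bin/bash
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=
"""

RID_BASE, RID_MULT = 1000, 2  # Samba default: user RID = 2 * uidNumber + 1000


def parse_ldif(text):
    """Parse LDIF into a list of {attr: [values]}; handles '#' comments and '::' base64."""
    records, cur = [], {}
    for line in text.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():          # a blank line ends the current record
            if cur:
                records.append(cur)
                cur = {}
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):      # '::' means the value is base64-encoded
            rest = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
        cur.setdefault(attr, []).append(rest.strip())
    return records


def check_machine_account(rec):
    """Return findings for a workstation trust account (empty list = looks sane)."""
    findings = []
    if not rec.get("uid", [""])[0].endswith("$"):
        findings.append("uid must end with '$' for a machine account")
    flags = rec.get("sambaAcctFlags", ["[]"])[0]
    if "W" not in flags:              # 'U' marks a user; trust accounts carry 'W'
        findings.append("sambaAcctFlags %s lacks 'W' (workstation trust)" % flags)
    domain, _, rid = rec.get("sambaSID", [""])[0].rpartition("-")
    expected = int(rec.get("uidNumber", ["0"])[0]) * RID_MULT + RID_BASE
    if not rid.isdigit() or int(rid) != expected:
        findings.append("sambaSID RID %r != algorithmic RID %d" % (rid, expected))
    if not rec.get("sambaPrimaryGroupSID", [""])[0].startswith(domain + "-"):
        findings.append("sambaPrimaryGroupSID is not in the sambaSID domain")
    return findings
```

Running `check_machine_account(parse_ldif(SAMPLE_LDIF)[0])` reports only the missing `W` flag; the RID and primary-group SID in the sample are consistent with the uidNumber and gidNumber shown in the post.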