Bernard Fay
2016-Sep-30 12:50 UTC
[Samba] Failed to find sambaDomain object to get sambaAlgorithmicRidBase
I didn't use smbldap-populate. I used ldif files to add groups to LDAP with ldapadd.

You have rather good questions, NT4 or AD style, I don't know. I am a Unix guy with very little knowledge of Windows stuff and I try to stay away from it as much as I can. I have been asked to set up a new LDAP directory with Samba passwords stored in this LDAP directory.

I base my work on an actual LDAP and Samba server that is working in our environment. This server has role ROLE_STANDALONE. I also use recipes found on the Internet.

If you can point me to a recipe for an AD DC, I will try it. But what is the actual difference between both?

I also seriously think about splitting LDAP and samba, no integration at all between both.

Thanks,

On Fri, Sep 30, 2016 at 8:22 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Fri, 30 Sep 2016 08:17:23 -0400
> Bernard Fay <bernard.fay at gmail.com> wrote:
>
> > As suggested I added the two lines below and restarted smb.
> > server role = classic primary domain controller
> > domain master = yes
> >
> > [root at CTSFILE01 samba]# testparm -sn| head -32
> > Load smb config files from /etc/samba/smb.conf
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> > Processing section "[homes]"
> > Processing section "[software]"
> > Processing section "[tftp]"
> > Loaded services file OK.
> > Server role: ROLE_DOMAIN_PDC
> >
> > # Global parameters
> > [global]
> > workgroup = CTS
> > server string = CTS File Server 01 - Samba version %v
> > interfaces = lo eth0
> > server role = classic primary domain controller
> > security = USER
> > passdb backend = ldapsam:ldap://ctsldap01/
> > log file = /var/log/samba/log.%m
> > max log size = 50
> > load printers = No
> > printcap name = /dev/null
> > disable spoolss = Yes
> > add user script = /sbin/smbldap-useradd -m "%u"
> > add group script = /sbin/smbldap-groupadd -p "%g"
> > add user to group script = /sbin/smbldap-groupmod -m "%u" "%g"
> > delete user from group script = /sbin/smbldap-groupmod -x "%u" "%g"
> > set primary group script = /sbin/smbldap-usermod -g "%g" "%u"
> > add machine script = /sbin/smbldap-useradd -w "%u"
> > domain master = Yes
> > ldap admin dn = cn=Manager,dc=cts,dc=com
> > ldap delete dn = Yes
> > ldap group suffix = ou=Groups
> > ldap machine suffix = ou=Computers
> > ldap passwd sync = yes
> > ldap suffix = "dc=cts,dc=com"
> > ldap ssl = no
> > ldap user suffix = ou=Users
> > idmap config * : backend = tdb
> > printing = bsd
> >
> > No more perl error, which is a good thing, I think, but...
> >
> > smbldap-usermod -a bernard.fay
> > Warning: sambaPrimaryGroupSID could not be set because group of user bernard.fay is not a mapped Domain group!
> > To get a list of groups mapped to Domain groups, use "net groupmap list" on a Domain member machine.
> >
> > net groupmap list
> > It returns nothing, then I modified the group Administrators to add a SID, as I think that is the problem:
> >
> > smbldap-groupmod -a Administrators
> >
> > Then one more time I try to add the object class sambaSAMAccount:
> > [root at CTSFILE01 samba]# smbldap-usermod -a bernard.fay
> > Error: Account for user bernard.fay already _is_ a Samba account!
> > Omit option -a!
> >
> > What??? Now it has the objectClass sambaSAMAccount even before modifying it with smbldap-usermod??? Mystery, or there is something I don't understand???
> >
> > ldapsearch -x -b "uid=bernard.fay,ou=people,dc=cts,dc=com" objectClass
> > ...
> > objectClass: top
> > objectClass: posixAccount
> > objectClass: shadowAccount
> > objectClass: inetOrgPerson
> > objectClass: sambaSamAccount
> >
> > I retried "net groupmap list":
> >
> > [root at CTSFILE01 samba]# net groupmap list
> > Administrators (S-1-5-21-3886818290-2676185228-3116881835-513-21001) -> Administrators
> >
> > OK, let's define a password with smbldap-passwd... everything OK with that.
> >
> > Sounds good so far.... let's try to map the home share from a Windows 7 machine.
> >
> > BANG!!! In Windows Explorer when I try to map a samba share drive:
> > "the mapped network drive could not be created because the following error has occurred:
> > The security ID structure is invalid."
> >
> > pdbedit -L
> > No builtin backend found, trying to load plugin
> > Module 'ldapsam' loaded
> > smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=CTS))]
> > smbldap_open_connection: connection opened
> > sid S-1-5-21-3886818290-2676185228-3116881835-513-21000 does not belong to our domain
> >
> > What is going on again.....
>
> I think what is going on is that you ran 'smbldap-populate' against something that wasn't a PDC.
>
> Can I ask why you are trying to create a new NT4-style PDC ?
>
> Wouldn't you be better creating an AD DC ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
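The two errors quoted above ("The security ID structure is invalid" from Windows, "sid ... does not belong to our domain" from pdbedit) both come down to the SIDs stored in LDAP not being "domain SID plus exactly one RID". The check below is an added example, not code from the thread or from Samba: it parses textual SIDs, validates their structure, and flags every sambaSID that is not a direct child of the configured domain SID. The domain SID, the DNs and the entry list are constructed for the demonstration; it assumes the intended domain SID is the S-1-5-21-x-y-z prefix of the SIDs shown in the thread, which is not stated on the page.

```python
import re
from dataclasses import dataclass

# S-<revision>-<identifier authority>-<sub-authority>[-<sub-authority>...]
SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")
MAX_SUB_AUTHORITIES = 15  # Windows SID_MAX_SUB_AUTHORITIES


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    subauths: tuple


def parse_sid(text):
    """Parse a textual SID; raise ValueError if its structure is invalid."""
    m = SID_RE.match(text)
    if not m:
        raise ValueError(f"not a SID: {text!r}")
    revision, authority = int(m.group(1)), int(m.group(2))
    subauths = tuple(int(p) for p in m.group(3).split("-")[1:])
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(subauths) > MAX_SUB_AUTHORITIES:
        raise ValueError(f"too many sub-authorities ({len(subauths)})")
    return Sid(revision, authority, subauths)


def rid_in_domain(sid_text, domain_sid_text):
    """Return the RID if sid_text is domain SID + one RID, otherwise None."""
    sid, dom = parse_sid(sid_text), parse_sid(domain_sid_text)
    if (sid.revision, sid.authority) != (dom.revision, dom.authority):
        return None
    # Exactly one extra sub-authority (the RID) on top of the domain SID.
    if len(sid.subauths) != len(dom.subauths) + 1:
        return None
    if sid.subauths[:-1] != dom.subauths:
        return None
    return sid.subauths[-1]


def audit_entries(entries, domain_sid_text):
    """Return (dn, problem) for every (dn, sambaSID) pair that is not a valid member of the domain."""
    problems = []
    for dn, sid_text in entries:
        try:
            rid = rid_in_domain(sid_text, domain_sid_text)
        except ValueError as err:
            problems.append((dn, f"malformed: {err}"))
            continue
        if rid is None:
            problems.append((dn, "does not belong to our domain"))
    return problems


# Constructed sample data; the domain SID is an assumption (see lead-in).
DOMAIN_SID = "S-1-5-21-3886818290-2676185228-3116881835"
SAMPLE_ENTRIES = [
    ("uid=bernard.fay,ou=Users,dc=cts,dc=com",
     "S-1-5-21-3886818290-2676185228-3116881835-513-21000"),   # extra component
    ("cn=Administrators,ou=Groups,dc=cts,dc=com",
     "S-1-5-21-3886818290-2676185228-3116881835-513-21001"),   # extra component
    ("uid=good.user,ou=Users,dc=cts,dc=com",
     "S-1-5-21-3886818290-2676185228-3116881835-21002"),       # valid
    ("cn=broken,ou=Groups,dc=cts,dc=com", "S-1-5-21-abc"),     # not a SID at all
]

if __name__ == "__main__":
    for dn, problem in audit_entries(SAMPLE_ENTRIES, DOMAIN_SID):
        print(f"{dn}: {problem}")
```

Feeding the real sambaSID values (e.g. from an ldapsearch over the sambaSamAccount and sambaGroupMapping entries) together with the sambaSID of the sambaDomain object into audit_entries reproduces Samba's complaint before a client ever sees the Windows-side error.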
Rowland Penny
2016-Sep-30 13:26 UTC
[Samba] Failed to find sambaDomain object to get sambaAlgorithmicRidBase
On Fri, 30 Sep 2016 08:50:20 -0400
Bernard Fay via samba <samba at lists.samba.org> wrote:
> I didn't use smbldap-populate. I used ldif files to add groups to LDAP with ldapadd.
>
> You have rather good questions, NT4 or AD style, I don't know. I am a Unix guy with very little knowledge of Windows stuff and I try to stay away from it as much as I can. I have been asked to set up a new LDAP directory with Samba passwords stored in this LDAP directory.
>
> I base my work on an actual LDAP and Samba server that is working in our environment. This server has role ROLE_STANDALONE. I also use recipes found on the Internet.
>
> If you can point me to a recipe for an AD DC, I will try it. But what is the actual difference between both?
>
> I also seriously think about splitting LDAP and samba, no integration at all between both.
>
> Thanks,
>

OK, brief history of Windows and sharing data:

First there was DOS, virtually standalone computers, then came Windows. This had better file sharing capabilities, but you needed to create the same users and groups on all computers, so it didn't scale well if you had a large number of computers; this was known as a workgroup.

This led to the NT4-style domains, where authentication was centralised on a PDC; you could also have a BDC in case of PDC failure. This was better, but still had problems.

Finally Active Directory was created. With this, all DCs are equal, you can have SSO, and it is what Microsoft now expects Windows machines to connect to.

As to which Samba setup to use, it would help to know if your users are already members of an AD domain; if not, what is your basic setup?

Rowland
Bernard Fay
2016-Sep-30 14:04 UTC
[Samba] Failed to find sambaDomain object to get sambaAlgorithmicRidBase
The users are not part of an existing AD domain. The setup is rather simple: I have to migrate all the users to a new environment. We need centralized authentication, the reason for LDAP, and access to shares from our Windows workstations.

I hope I am clear enough regarding our setup.

On Fri, Sep 30, 2016 at 9:26 AM, Rowland Penny via samba <samba at lists.samba.org> wrote:
> On Fri, 30 Sep 2016 08:50:20 -0400
> Bernard Fay via samba <samba at lists.samba.org> wrote:
>
> > I didn't use smbldap-populate. I used ldif files to add groups to LDAP with ldapadd.
> >
> > You have rather good questions, NT4 or AD style, I don't know. I am a Unix guy with very little knowledge of Windows stuff and I try to stay away from it as much as I can. I have been asked to set up a new LDAP directory with Samba passwords stored in this LDAP directory.
> >
> > I base my work on an actual LDAP and Samba server that is working in our environment. This server has role ROLE_STANDALONE. I also use recipes found on the Internet.
> >
> > If you can point me to a recipe for an AD DC, I will try it. But what is the actual difference between both?
> >
> > I also seriously think about splitting LDAP and samba, no integration at all between both.
> >
> > Thanks,
> >
>
> OK, brief history of Windows and sharing data:
>
> First there was DOS, virtually standalone computers, then came Windows. This had better file sharing capabilities, but you needed to create the same users and groups on all computers, so it didn't scale well if you had a large number of computers; this was known as a workgroup.
>
> This led to the NT4-style domains, where authentication was centralised on a PDC; you could also have a BDC in case of PDC failure. This was better, but still had problems.
>
> Finally Active Directory was created. With this, all DCs are equal, you can have SSO, and it is what Microsoft now expects Windows machines to connect to.
>
> As to which Samba setup to use, it would help to know if your users are already members of an AD domain; if not, what is your basic setup?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba