Gavrilov Aleksey
2016-Oct-12 04:58 UTC
[Samba] Replacement pdc samba3 to samba4 nt classic
On 11.10.2016 17:22, Harry Jede via samba wrote:> Am Dienstag, 11. Oktober 2016 schrieben Sie: >> On 11.10.2016 13:52, Harry Jede via samba wrote: >>> On 10:43:49 wrote Gavrilov Aleksey via samba: >>> Until now, you have destroyed your domain. >>> Is the ldap directory on localhost in production or is this pc in a >>> test lab? >> a copy of the old server ldap >> >>>> How do I introduce a new PDC in a domain? >>> Only *one* PDC per domain is allowed! But one may have dozens of >>> BDCs and member servers. So, do you have a working PDC? >> I do not have a working pdc now >> >>> Or should the new machine replace an old PDC? >> yes,it's replacement >> >>> What ldap server are in use? Which version? >> slapd/xenial-updates,now 2.4.42+dfsg-2ubuntu3.1 amd64 [installed] >> >> >> file system is damaged on the old server >> I was able to restore some files >> have backups for the old server >> >> I'm trying to make a change of PDC > OK, let us try to restore. > > You may post the following in a private mail. 
> Post the out of those commands to give us some infos: > > # the structure of your DIT > # ldapsearch -xLLL -H ldapi:/// -b dc=rugion,dc=ru hasSubordinates=TRUE dnroot at pdc:~# ldapsearch -xLLL -H ldapi:/// -b ou=arkhangelsk,dc=rugion,dc=ru hasSubordinates=TRUE dn dn: ou=arkhangelsk,dc=rugion,dc=ru dn: ou=users,ou=arkhangelsk,dc=rugion,dc=ru dn: ou=groups,ou=arkhangelsk,dc=rugion,dc=ru dn: ou=computers,ou=arkhangelsk,dc=rugion,dc=ru dn: ou=users.deleted,ou=arkhangelsk,dc=rugion,dc=ru> # the registered domains > # ldapsearch -xLLL -H ldapi:/// '(&(sambadomainname=*)(objectclass=sambadomain))' sambaDomainName sambaSIDroot at pdc:~# ldapsearch -xLLL -H ldapi:/// '(&(sambadomainname=*)(objectclass=sambadomain))' sambaDomainName sambaSID No such object (32) root at pdc:~# ldapsearch -xLLL -H ldapi:/// '(objectclass=sambasamaccount)' -b ou=arkhangelsk,dc=rugion,dc=ru sambaacctflags sambaSID dn: uid=root,ou=users,ou=arkhangelsk,dc=rugion,dc=ru sambaAcctFlags: [U ] sambaSID: S-1-5-21-1997676671-1552059010-3109710481-500 dn: uid=admin,ou=users,ou=arkhangelsk,dc=rugion,dc=ru sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1001 sambaAcctFlags: [U ] dn: uid=udina,ou=users,ou=arkhangelsk,dc=rugion,dc=ru sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1110 sambaAcctFlags: [U ] dn: uid=bakova,ou=users,ou=arkhangelsk,dc=rugion,dc=ru sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1007 sambaAcctFlags: [U ] dn: uid=nobody,ou=users,ou=arkhangelsk,dc=rugion,dc=ru sambaAcctFlags: [NUD ] sambaSID: S-1-5-21-1997676671-1552059010-3109710481-501 dn: uid=semakov,ou=users,ou=arkhangelsk,dc=rugion,dc=ru sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1020 sambaAcctFlags: [U ] dn: uid=voronin,ou=users,ou=arkhangelsk,dc=rugion,dc=ru sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1129 sambaAcctFlags: [U ] dn: uid=chirkova,ou=users,ou=arkhangelsk,dc=rugion,dc=ru sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1062 sambaAcctFlags: [U ] ...> > # the machines and or trust 
accounts > # ldapsearch -xLLL -H ldapi:/// '(&(cn=*$)(objectclass=sambasamaccount))' sambaacctflags sambaSIDroot at pdc:~# ldapsearch -xLLL -H ldapi:/// '(&(cn=*$)(objectclass=sambasamaccount))' sambaacctflags sambaSID No such object (32) root at pdc:~# ldapsearch -xLLL -H ldapi:/// '(&(cn=*$)(objectclass=sambasamaccount))' -b ou=arkhangelsk,dc=rugion,dc=ru sambaacctflags sambaSID dn: uid=pdc$,ou=computers,ou=arkhangelsk,dc=rugion,dc=ru sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1015 sambaAcctFlags: [S ] dn: uid=wolf$,ou=computers,ou=arkhangelsk,dc=rugion,dc=ru sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1025 sambaAcctFlags: [W ] dn: uid=29get$,ou=computers,ou=arkhangelsk,dc=rugion,dc=ru sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1086 sambaAcctFlags: [W ] ...> # ls -l /var/lib/samba/root at pdc:~# ls -l /var/lib/samba/ total 1832 -rw------- 1 root root 421888 Oct 7 16:02 account_policy.tdb -rw------- 1 root root 696 Oct 6 11:24 group_mapping.tdb drwxr-xr-x 10 root root 4096 Oct 6 11:24 printers drwxr-xr-x 3 root root 4096 Oct 7 11:10 private -rw------- 1 root root 528384 Oct 6 11:24 registry.tdb -rw------- 1 root root 421888 Oct 6 11:24 share_info.tdb drwxrwx--T 2 root sambashare 4096 Oct 6 11:24 usershares -rw------- 1 root root 32768 Oct 11 11:19 winbindd_cache.tdb -rw-r--r-- 1 root root 421888 Oct 10 11:48 winbindd_idmap.tdb drwxr-x--- 2 root root 4096 Oct 11 11:19 winbindd_privileged -rw-r--r-- 1 root root 2496 Oct 12 07:45 wins.dat -rw------- 1 root root 24576 Oct 12 07:39 wins.tdb> > # cat /etc/nsswitch.confroot at pdc:~# cat /etc/nsswitch.conf ethers: db files group: compat ldap winbind hosts: files dns netgroup: nis networks: files passwd: compat ldap winbind protocols: db files rpc: db files services: db files shadow: compat> # cat /etc/pam_ldap.conf |egrep -v '^#|^$'root at pdc:~# cat /etc/pam_ldap.conf |egrep -v '^#|^$' cat: /etc/pam_ldap.conf: No such file or directory root at pdc:~# cat /etc/ldap.conf |egrep -v '^#|^$' host 
127.0.0.1 base ou=arkhangelsk,dc=rugion,dc=ru ldap_version 3 port 389 scope one timelimit 30 bind_policy soft idle_timelimit 3600 pam_password md5 nss_base_passwd ou=users,ou=arkhangelsk,dc=rugion,dc=ru?one nss_base_group ou=groups,ou=arkhangelsk,dc=rugion,dc=ru?one nss_base_passwd ou=computers,ou=arkhangelsk,dc=rugion,dc=ru?one nss_base_shadow ou=users,ou=arkhangelsk,dc=rugion,dc=ru?one nss_connect_policy persist nss_paged_results yes pagesize 1000> > # ls -l /etc/pam_ldap.secretroot at pdc:~# ls -l /etc/pam_ldap.secret ls: cannot access '/etc/pam_ldap.secret': No such file or directory> # cat /etc/pam.d/common-account|egrep -v '^#|^$'root at pdc:~# cat /etc/pam.d/common-account|egrep -v '^#|^$' account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so account [success=1 default=ignore] pam_ldap.so account requisite pam_deny.so account required pam_permit.so> # cat /etc/pam.d/common-auth|egrep -v '^#|^$'root at pdc:~# cat /etc/pam.d/common-auth|egrep -v '^#|^$' auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass auth [success=1 default=ignore] pam_ldap.so use_first_pass auth requisite pam_deny.so auth required pam_permit.so> # cat /etc/pam.d/common-password|egrep -v '^#|^$'root at pdc:~# cat /etc/pam.d/common-password|egrep -v '^#|^$' password requisite pam_cracklib.so reject_username retry=3 minlen=18 difok=3 maxrepeat=2 minclass=4 lcredit=0 ucredit=2 dcredit=1 ocredit=1 password required pam_pwhistory.so use_authtok enforce_for_root remember=5 password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass password requisite pam_deny.so password required pam_permit.so> > # cat /etc/pam.d/common-session|egrep -v '^#|^$'root at pdc:~# cat /etc/pam.d/common-session|egrep -v '^#|^$' session [default=1] pam_permit.so session requisite pam_deny.so session required pam_permit.so session optional pam_umask.so session 
required pam_unix.so session optional pam_ldap.so session optional pam_systemd.so -- Sincerely, Gavrilov Aleksey System Administrator Ltd. "Hearst Shkulev Digital Rugion" tel .: 8 (351) 729-94-90, ext. 345 mob. +7 999 581 7934 gavrilov at info74.ru Chelyabinsk, st. Lesoparkovaya , 6, office 308
Am Mittwoch, 12. Oktober 2016 schrieben Sie:> > # the structure of your DIT > > # ldapsearch -xLLL -H ldapi:/// -b dc=rugion,dc=ru > > hasSubordinates=TRUE dn > > root at pdc:~# ldapsearch -xLLL -H ldapi:/// -b > ou=arkhangelsk,dc=rugion,dc=ru hasSubordinates=TRUE dn > dn: ou=arkhangelsk,dc=rugion,dc=ru > > dn: ou=users,ou=arkhangelsk,dc=rugion,dc=ru > > dn: ou=groups,ou=arkhangelsk,dc=rugion,dc=ru > > dn: ou=computers,ou=arkhangelsk,dc=rugion,dc=ru > > dn: ou=users.deleted,ou=arkhangelsk,dc=rugion,dc=ruOK, the structure is the same as referred in smb.conf.> > # the registered domains > > # ldapsearch -xLLL -H ldapi:/// > > '(&(sambadomainname=*)(objectclass=sambadomain))' sambaDomainName > > sambaSID > > root at pdc:~# ldapsearch -xLLL -H ldapi:/// > '(&(sambadomainname=*)(objectclass=sambadomain))' sambaDomainName > sambaSID No such object (32)BAD, here something like: dn: sambaDomainName=EUROPA,dc=europa,dc=xx sambaDomainName: EUROPA sambaSID: S-1-5-21-3958726613-3318811842-4132420312 should be returned, we will fix it later. Later in this mail I have seen that you do not have a defaultsearchbase in openldap frontend. so try this: # ldapsearch -xLLL -H ldapi:/// -b dc=rugion,dc=ru -s sub '(&(sambadomainname=*)(objectclass=sambadomain))' sambaDomainName sambaSID> root at pdc:~# ldapsearch -xLLL -H ldapi:/// > '(objectclass=sambasamaccount)' -b ou=arkhangelsk,dc=rugion,dc=ru > sambaacctflags sambaSID > dn: uid=root,ou=users,ou=arkhangelsk,dc=rugion,dc=ru > sambaAcctFlags: [U ] > sambaSID: S-1-5-21-1997676671-1552059010-3109710481-500 > > dn: uid=admin,ou=users,ou=arkhangelsk,dc=rugion,dc=ru > sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1001 > sambaAcctFlags: [U ] > > ...You have shortened the output. 
OK, the only thing I want to see is the domainsid: S-1-5-21-1997676671-1552059010-3109710481> > # the machines and or trust accounts > > # ldapsearch -xLLL -H ldapi:/// > > '(&(cn=*$)(objectclass=sambasamaccount))' sambaacctflags sambaSID > > root at pdc:~# ldapsearch -xLLL -H ldapi:/// > '(&(cn=*$)(objectclass=sambasamaccount))' sambaacctflags sambaSID > No such object (32)(OK), you have not optimized the ldap server, so you do not get any output without searchbase, aka -b <DN>. You may set it in the frontend database. Should look like: # grep -Hri defaultsearch /etc/ldap/slapd.d/* /etc/ldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif:olcDefaultSearchBase: dc=europa,dc=xx DO NOT EDIT cn=config BY HAND. USE THE LDAP* COMMANDS.> root at pdc:~# ldapsearch -xLLL -H ldapi:/// > '(&(cn=*$)(objectclass=sambasamaccount))' -b > ou=arkhangelsk,dc=rugion,dc=ru sambaacctflags sambaSID > dn: uid=pdc$,ou=computers,ou=arkhangelsk,dc=rugion,dc=ru > sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1015 > sambaAcctFlags: [S ] > > ...You have shortened the output again. I am looking for your the domain SID AND for DCs. 
So do it again, but this time pass a filter: # ldapsearch -xLLL -H ldapi:/// '(&(cn=*$)(objectclass=sambasamaccount))' -b ou=arkhangelsk,dc=rugion,dc=ru sambaacctflags sambaSID |egrep -B3 '\[.*S.*\]'> > # ls -l /var/lib/samba/ > > root at pdc:~# ls -l /var/lib/samba/ > total 1832 > -rw------- 1 root root 421888 Oct 7 16:02 account_policy.tdb > -rw------- 1 root root 696 Oct 6 11:24 group_mapping.tdb > drwxr-xr-x 10 root root 4096 Oct 6 11:24 printers > drwxr-xr-x 3 root root 4096 Oct 7 11:10 private > -rw------- 1 root root 528384 Oct 6 11:24 registry.tdb > -rw------- 1 root root 421888 Oct 6 11:24 share_info.tdb > drwxrwx--T 2 root sambashare 4096 Oct 6 11:24 usershares > -rw------- 1 root root 32768 Oct 11 11:19 winbindd_cache.tdb > -rw-r--r-- 1 root root 421888 Oct 10 11:48 winbindd_idmap.tdb > drwxr-x--- 2 root root 4096 Oct 11 11:19 winbindd_privileged > -rw-r--r-- 1 root root 2496 Oct 12 07:45 wins.dat > -rw------- 1 root root 24576 Oct 12 07:39 wins.tdbBAD, you do not have a secrets.tdb database!!! (Before recreating it, look in the `private` directory listed above: Debian/Ubuntu builds normally keep it at /var/lib/samba/private/secrets.tdb, see `smbd -b | grep PRIVATE_DIR`. Wherever it lives, it holds the LDAP bind password, the idmap secret, the machine account password and the domain SID in clear text, so keep it mode 0600 root:root and include it in every backup.) If you have one, the important records look like: # tdbdump /var/lib/samba/secrets.tdb |egrep -B1 -A2 'IDMAP_LDAP|LDAP_BIND' { key(53) = "SECRETS/GENERIC/IDMAP_LDAP_*/cn=admin,dc=europa,dc=xx" data(6) = "your_secret\00" } -- { key(45) = "SECRETS/LDAP_BIND_PW/cn=admin,dc=europa,dc=xx" data(6) = "your_secret\00" } The first changes, set the secrets: a) secret for the ldap admin specified in smb.conf: cn=admin,dc=rugion,dc=ru I hope you know it. Whenever you change the secret in ldap, you *must* change it here too, otherwise smbd can no longer bind to the directory. # smbpasswd -W b) ### net IDMAP SECRET <DOMAIN> <secret> <DOMAIN> is the NetBios domain name aka WORKGROUP parameter from smb.conf <SECRET> is the same as above i.e. 
# net idmap secret CORP.29.RU yourLdapAdminPassword (Unlike `smbpasswd -W`, which prompts, this puts the secret on the command line, where it is visible in `ps` output and saved in root's shell history. Run `set +o history` before it, or delete the line from ~/.bash_history afterwards, and never inspect the stored value with anything but `tdbdump` as root.) check if both succeeded with: # tdbdump /var/lib/samba/secrets.tdb |egrep -B1 -A2 'IDMAP_LDAP|LDAP_BIND' if true, set the domainsid: # net setdomainsid S-1-5-21-1997676671-1552059010-3109710481 and verify it: # net getdomainsid SID for local machine CAPELLA is: S-1-5-21-3958726613-3318811842-4132420312 SID for domain EUROPA is: S-1-5-21-3958726613-3318811842-4132420312 You *must* get two records with the same SID. One for your PDC and one for the domain, and it must match the prefix of the sambaSID values in your LDAP users above, otherwise every existing user and machine account maps to a foreign SID. If all is OK, restart samba *and* winbind, or better reboot. But changing password through PAM is still *not configured* . Read further.> > # cat /etc/nsswitch.conf > > root at pdc:~# cat /etc/nsswitch.conf > > ethers: db files > group: compat ldap winbind > hosts: files dns > netgroup: nis > networks: files > passwd: compat ldap winbind > protocols: db files > rpc: db files > services: db files > shadow: compat > > > # cat /etc/pam_ldap.conf |egrep -v '^#|^$' > > root at pdc:~# cat /etc/pam_ldap.conf |egrep -v '^#|^$' > cat: /etc/pam_ldap.conf: No such file or directory# yours may have: host 127.0.0.1 base ou=arkhangelsk,dc=rugion,dc=ru uri ldap://127.0.0.1/ ldap_version 3 rootbinddn cn=admin,dc=rugion,dc=ru scope sub bind_policy soft pam_password exop (`rootbinddn` makes pam_ldap bind as the directory admin for password changes, reading the admin password from /etc/pam_ldap.secret, see below. `exop` uses the LDAP password-modify extended operation, so slapd hashes the new password with its own configured scheme; `pam_password md5`, as in your /etc/ldap.conf, has the client store an unsalted MD5 hash instead.)> root at pdc:~# cat /etc/ldap.conf |egrep -v '^#|^$' > host 127.0.0.1 > base ou=arkhangelsk,dc=rugion,dc=ru > ldap_version 3 > port 389 > scope one > timelimit 30 > bind_policy soft > idle_timelimit 3600 > pam_password md5 > nss_base_passwd ou=users,ou=arkhangelsk,dc=rugion,dc=ru?one > nss_base_group ou=groups,ou=arkhangelsk,dc=rugion,dc=ru?one > nss_base_passwd ou=computers,ou=arkhangelsk,dc=rugion,dc=ru?one > nss_base_shadow ou=users,ou=arkhangelsk,dc=rugion,dc=ru?one > nss_connect_policy persist > nss_paged_results yes > pagesize 1000 > > > # ls -l /etc/pam_ldap.secret > > root at pdc:~# ls -l /etc/pam_ldap.secret > ls: cannot access '/etc/pam_ldap.secret': No such file or directoryI am not an ubuntu user, but 
debian user :-) . Ubuntu is a daughter OS, so it should or may work like debian. So you should have installed and configured libpam-ldap and libnss-ldap. If so: # (umask 077; printf '%s' 'yourLdapAdminPassword' > /etc/pam_ldap.secret) # chmod 600 /etc/pam_ldap.secret # ls -l /etc/pam_ldap.secret The umask ensures the file is never readable by others between creation and the chmod (with the default umask the redirection would first create it 0644); printf avoids echo interpreting the password as options. This command line also lands in root's shell history, so run `set +o history` first or remove it from ~/.bash_history afterwards. The rest looks good, with one remark: `nullok_secure` on pam_unix in common-auth lets accounts whose password field is empty log in from ttys listed in /etc/securetty; drop it unless you rely on that. I hope you are fine now.> > # cat /etc/pam.d/common-account|egrep -v '^#|^$' > > root at pdc:~# cat /etc/pam.d/common-account|egrep -v '^#|^$' > account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so > account [success=1 default=ignore] pam_ldap.so > account requisite pam_deny.so > account required pam_permit.so > > > # cat /etc/pam.d/common-auth|egrep -v '^#|^$' > > root at pdc:~# cat /etc/pam.d/common-auth|egrep -v '^#|^$' > auth [success=2 default=ignore] pam_unix.so nullok_secure > try_first_pass > auth [success=1 default=ignore] pam_ldap.so use_first_pass > auth requisite pam_deny.so > auth required pam_permit.so > > > # cat /etc/pam.d/common-password|egrep -v '^#|^$' > > root at pdc:~# cat /etc/pam.d/common-password|egrep -v '^#|^$' > password requisite pam_cracklib.so > reject_username retry=3 minlen=18 difok=3 maxrepeat=2 minclass=4 > lcredit=0 ucredit=2 dcredit=1 ocredit=1 > password required pam_pwhistory.so > use_authtok enforce_for_root remember=5 > password [success=2 default=ignore] pam_unix.so obscure > use_authtok try_first_pass sha512 > password [success=1 user_unknown=ignore default=die] > pam_ldap.so use_authtok try_first_pass > password requisite pam_deny.so > password required pam_permit.so > > > # cat /etc/pam.d/common-session|egrep -v '^#|^$' > > root at pdc:~# cat /etc/pam.d/common-session|egrep -v '^#|^$' > session [default=1] pam_permit.so > session requisite pam_deny.so > session required pam_permit.so > session optional pam_umask.so > session required pam_unix.so > session optional pam_ldap.so > session optional pam_systemd.so-- Gruss Harry Jede
Am Mittwoch, 12. Oktober 2016 schrieben Sie:> Thanks to your help, it is working now. > > 1. I reinstalled ldap > > 2. remove all entries except sambaDomainNameAccording to your logs, you have had three entries> 2. smbldap-populate > > 3. /usr/local/sbin/smbldap-passwd -s root > > 4. net rpc join -S 127.0.0.1 -U root%secret > > 5. restore from a backup of users, groups, and computers > > 6. now it works as it shouldFine. Do not forget to recreate the entries in secrets.tdb (the LDAP bind password with `smbpasswd -W` and the idmap secret with `net idmap secret`); a fresh install has none of them, and smbd will fail to bind to the directory without them. One more thing for next time: the `-U root%secret` form in step 4 puts the password on the command line, where it is visible in `ps` and saved in root's shell history; `-U root` alone makes net prompt for it. Change that password if it may have been exposed.> Yes I too prefer Debian, but by default Ubuntu is in my company. > > On 12.10.2016 16:16, Harry Jede via samba wrote: > > Am Mittwoch, 12. Oktober 2016 schrieben Sie: > >>> # the structure of your DIT > >>> # ldapsearch -xLLL -H ldapi:/// -b dc=rugion,dc=ru > >>> hasSubordinates=TRUE dn > >> > >> root at pdc:~# ldapsearch -xLLL -H ldapi:/// -b > >> ou=arkhangelsk,dc=rugion,dc=ru hasSubordinates=TRUE dn > >> dn: ou=arkhangelsk,dc=rugion,dc=ru > >> > >> dn: ou=users,ou=arkhangelsk,dc=rugion,dc=ru > >> > >> dn: ou=groups,ou=arkhangelsk,dc=rugion,dc=ru > >> > >> dn: ou=computers,ou=arkhangelsk,dc=rugion,dc=ru > >> > >> dn: ou=users.deleted,ou=arkhangelsk,dc=rugion,dc=ru > > > > OK, > > the structure is the same as referred in smb.conf. > > > >>> # the registered domains > >>> # ldapsearch -xLLL -H ldapi:/// > >>> '(&(sambadomainname=*)(objectclass=sambadomain))' sambaDomainName > >>> sambaSID > >> > >> root at pdc:~# ldapsearch -xLLL -H ldapi:/// > >> '(&(sambadomainname=*)(objectclass=sambadomain))' sambaDomainName > >> sambaSID No such object (32) > > > > BAD, > > here something like: > > dn: sambaDomainName=EUROPA,dc=europa,dc=xx > > sambaDomainName: EUROPA > > sambaSID: S-1-5-21-3958726613-3318811842-4132420312 > > should be returned, we will fix it later. > > > > Later in this mail I have seen that you do not have a > > defaultsearchbase > > > > in openldap frontend. 
so try this: > > # ldapsearch -xLLL -H ldapi:/// -b dc=rugion,dc=ru -s sub > > '(&(sambadomainname=*)(objectclass=sambadomain))' sambaDomainName > > sambaSID > > > >> root at pdc:~# ldapsearch -xLLL -H ldapi:/// > >> '(objectclass=sambasamaccount)' -b ou=arkhangelsk,dc=rugion,dc=ru > >> sambaacctflags sambaSID > >> dn: uid=root,ou=users,ou=arkhangelsk,dc=rugion,dc=ru > >> sambaAcctFlags: [U ] > >> sambaSID: S-1-5-21-1997676671-1552059010-3109710481-500 > >> > >> dn: uid=admin,ou=users,ou=arkhangelsk,dc=rugion,dc=ru > >> sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1001 > >> sambaAcctFlags: [U ] > >> > >> ... > > > > You have shortened the output. > > OK, the only thing I want to see is the domainsid: > > S-1-5-21-1997676671-1552059010-3109710481 > > > >>> # the machines and or trust accounts > >>> # ldapsearch -xLLL -H ldapi:/// > >>> '(&(cn=*$)(objectclass=sambasamaccount))' sambaacctflags sambaSID > >> > >> root at pdc:~# ldapsearch -xLLL -H ldapi:/// > >> '(&(cn=*$)(objectclass=sambasamaccount))' sambaacctflags sambaSID > >> No such object (32) > > > > (OK), > > you have not optimized the ldap server, so you do not get > > > > any output without searchbase, aka -b <DN>. You may set it in the > > > > frontend database. Should look like: > > # grep -Hri defaultsearch /etc/ldap/slapd.d/* > > /etc/ldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif:olcDefaul > > tSearchBase: dc=europa,dc=xx > > > > DO NOT EDIT cn=config BY HAND. USE THE LDAP* COMMANDS. > > > >> root at pdc:~# ldapsearch -xLLL -H ldapi:/// > >> '(&(cn=*$)(objectclass=sambasamaccount))' -b > >> ou=arkhangelsk,dc=rugion,dc=ru sambaacctflags sambaSID > >> dn: uid=pdc$,ou=computers,ou=arkhangelsk,dc=rugion,dc=ru > >> sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1015 > >> sambaAcctFlags: [S ] > >> > >> ... > > > > You have shortened the output again. I am looking for your the > > domain SID > > > > AND for DCs. 
So do it again, but this time pass a filter: > > # ldapsearch -xLLL -H ldapi:/// > > '(&(cn=*$)(objectclass=sambasamaccount))' -b > > ou=arkhangelsk,dc=rugion,dc=ru sambaacctflags sambaSID |egrep -B3 > > '\[.*S.*\]' > > > >>> # ls -l /var/lib/samba/ > >> > >> root at pdc:~# ls -l /var/lib/samba/ > >> total 1832 > >> -rw------- 1 root root 421888 Oct 7 16:02 > >> account_policy.tdb -rw------- 1 root root 696 Oct 6 > >> 11:24 group_mapping.tdb drwxr-xr-x 10 root root 4096 Oct > >> 6 11:24 printers drwxr-xr-x 3 root root 4096 Oct 7 > >> 11:10 private -rw------- 1 root root 528384 Oct 6 11:24 > >> registry.tdb -rw------- 1 root root 421888 Oct 6 11:24 > >> share_info.tdb drwxrwx--T 2 root sambashare 4096 Oct 6 11:24 > >> usershares -rw------- 1 root root 32768 Oct 11 11:19 > >> winbindd_cache.tdb -rw-r--r-- 1 root root 421888 Oct 10 > >> 11:48 winbindd_idmap.tdb drwxr-x--- 2 root root 4096 Oct > >> 11 11:19 winbindd_privileged -rw-r--r-- 1 root root 2496 > >> Oct 12 07:45 wins.dat -rw------- 1 root root 24576 Oct 12 > >> 07:39 wins.tdb > > > > BAD, > > you do not have a secrets.tdb database!!! > > > > If you have one, the important records look like: > > > > # tdbdump /var/lib/samba/secrets.tdb |egrep -B1 -A2 > > 'IDMAP_LDAP|LDAP_BIND' { > > key(53) = "SECRETS/GENERIC/IDMAP_LDAP_*/cn=admin,dc=europa,dc=xx" > > data(6) = "your_secret\00" > > } > > -- > > { > > key(45) = "SECRETS/LDAP_BIND_PW/cn=admin,dc=europa,dc=xx" > > data(6) = "your_secret\00" > > } > > > > > > The first changes, set the secrets: > > a) secret for the ldap admin specified in smb.conf: > > cn=admin,dc=rugion,dc=ru > > > > I hope you know it. Whenever you change the secret in ldap, you > > *must* change it hier. > > > > # smbpasswd -W > > > > b) > > > > ### net IDMAP SECRET <DOMAIN> <secret> > > <DOMAIN> is the NetBios domain name aka WORKGROUP parameter from > > smb.conf <SECRET> is the same as above > > i.e. 
> > > > # net idmap secret CORP.29.RU yourLdapAdminPassword > > > > > > check if both succeeded with: > > # tdbdump /var/lib/samba/secrets.tdb |egrep -B1 -A2 > > 'IDMAP_LDAP|LDAP_BIND' > > > > if true, > > > > set the domainsid: > > # net setdomainsid S-1-5-21-1997676671-1552059010-3109710481 > > > > and verify it: > > # net getdomainsid > > SID for local machine CAPELLA is: > > S-1-5-21-3958726613-3318811842-4132420312 SID for domain EUROPA > > is: S-1-5-21-3958726613-3318811842-4132420312 > > > > You *must* get two records with the same SID. One for yor PDC and > > one for the > > > > domain. > > > > If all is OK, restart samba *and* winbind, or better reboot. But > > changing password > > > > through PAM is still *not configured* . Read further. > > > >>> # cat /etc/nsswitch.conf > >> > >> root at pdc:~# cat /etc/nsswitch.conf > >> > >> ethers: db files > >> group: compat ldap winbind > >> hosts: files dns > >> netgroup: nis > >> networks: files > >> passwd: compat ldap winbind > >> protocols: db files > >> rpc: db files > >> services: db files > >> shadow: compat > >> > >>> # cat /etc/pam_ldap.conf |egrep -v '^#|^$' > >> > >> root at pdc:~# cat /etc/pam_ldap.conf |egrep -v '^#|^$' > >> cat: /etc/pam_ldap.conf: No such file or directory > > > > # yours may have: > > host 127.0.0.1 > > base ou=arkhangelsk,dc=rugion,dc=ru > > uri ldap://127.0.0.1/ > > ldap_version 3 > > rootbinddn cn=admin,dc=rugion,dc=ru > > scope sub > > bind_policy soft > > pam_password exop > > > >> root at pdc:~# cat /etc/ldap.conf |egrep -v '^#|^$' > >> host 127.0.0.1 > >> base ou=arkhangelsk,dc=rugion,dc=ru > >> ldap_version 3 > >> port 389 > >> scope one > >> timelimit 30 > >> bind_policy soft > >> idle_timelimit 3600 > >> pam_password md5 > >> nss_base_passwd ou=users,ou=arkhangelsk,dc=rugion,dc=ru?one > >> nss_base_group ou=groups,ou=arkhangelsk,dc=rugion,dc=ru?one > >> nss_base_passwd > >> ou=computers,ou=arkhangelsk,dc=rugion,dc=ru?one nss_base_shadow > >> 
ou=users,ou=arkhangelsk,dc=rugion,dc=ru?one nss_connect_policy > >> persist > >> nss_paged_results yes > >> pagesize 1000 > >> > >>> # ls -l /etc/pam_ldap.secret > >> > >> root at pdc:~# ls -l /etc/pam_ldap.secret > >> ls: cannot access '/etc/pam_ldap.secret': No such file or > >> directory > > > > I am not an ubuntu user, but debian user :-) . Ubuntu is a daughter > > OS, > > > > so it should or may work like debian. So you should have > > installed > > > > and configured libpam-ldap and libnss-ldap. If so: > > # ' echo -n 'yourLdapAdminPassword' > /etc/pam_ldap.secret > > # chmod 600 /etc/pam_ldap.secret > > > > The rest looks good. I hope you are fine now. > > > >>> # cat /etc/pam.d/common-account|egrep -v '^#|^$' > >> > >> root at pdc:~# cat /etc/pam.d/common-account|egrep -v '^#|^$' > >> account [success=2 new_authtok_reqd=done default=ignore] > >> pam_unix.so account [success=1 default=ignore] pam_ldap.so > >> account requisite pam_deny.so > >> account required pam_permit.so > >> > >>> # cat /etc/pam.d/common-auth|egrep -v '^#|^$' > >> > >> root at pdc:~# cat /etc/pam.d/common-auth|egrep -v '^#|^$' > >> auth [success=2 default=ignore] pam_unix.so nullok_secure > >> try_first_pass > >> auth [success=1 default=ignore] pam_ldap.so use_first_pass > >> auth requisite pam_deny.so > >> auth required pam_permit.so > >> > >>> # cat /etc/pam.d/common-password|egrep -v '^#|^$' > >> > >> root at pdc:~# cat /etc/pam.d/common-password|egrep -v '^#|^$' > >> password requisite pam_cracklib.so > >> reject_username retry=3 minlen=18 difok=3 maxrepeat=2 minclass=4 > >> lcredit=0 ucredit=2 dcredit=1 ocredit=1 > >> password required pam_pwhistory.so > >> use_authtok enforce_for_root remember=5 > >> password [success=2 default=ignore] pam_unix.so > >> obscure use_authtok try_first_pass sha512 > >> password [success=1 user_unknown=ignore default=die] > >> pam_ldap.so use_authtok try_first_pass > >> password requisite pam_deny.so > >> password required pam_permit.so > >> > >>> # cat 
/etc/pam.d/common-session|egrep -v '^#|^$' > >> > >> root at pdc:~# cat /etc/pam.d/common-session|egrep -v '^#|^$' > >> session [default=1] pam_permit.so > >> session requisite pam_deny.so > >> session required pam_permit.so > >> session optional pam_umask.so > >> session required pam_unix.so > >> session optional pam_ldap.so > >> session optional pam_systemd.so-- Gruss Harry Jede