I appear to have successfully joined my Linux domain member to the Windows AD Domain, yeah!

All tests described in the wiki worked, plus additionally ntlm_auth to verify a domain user's password. Now, I want to change the domain user's password. I tried:

samba-tool user setpassword myuser

but got:

ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not open file /var/lib/samba/private/sam.ldb: No such file or directory
Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or directory
Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb' with backend 'tdb': Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or directory
ERROR(ldb): uncaught exception - Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or directory
  File "/usr/lib64/python3.9/site-packages/samba/netcmd/__init__.py", line 186, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python3.9/site-packages/samba/netcmd/user.py", line 1054, in run
    samdb = SamDB(url=H, session_info=system_session(),
  File "/usr/lib64/python3.9/site-packages/samba/samdb.py", line 70, in __init__
    super(SamDB, self).__init__(url=url, lp=lp, modules_dir=modules_dir,
  File "/usr/lib64/python3.9/site-packages/samba/__init__.py", line 114, in __init__
    self.connect(url, flags, options)
  File "/usr/lib64/python3.9/site-packages/samba/samdb.py", line 86, in connect
    super(SamDB, self).connect(url=url, flags=flags,

Is this because I cannot change an AD password from a domain member? Do I first need to map the domain Administrator account to the local root account? (Which I did not do and wasn't going to do unless I needed to.)

Thanks --Mark
On Sun, 10 Dec 2023 17:30:00 -0500 Mark Foley via samba <samba at lists.samba.org> wrote:

> I appear to have successfully joined my Linux domain member to the
> Windows AD Domain, yeah!
>
> All tests described in the wiki worked, plus additionally ntlm_auth
> to verify a domain user's password. Now, I want to change the domain
> user's password. I tried:
>
> samba-tool user setpassword myuser
>
> but got:
>
> ltdb: tdb(/var/lib/samba/private/sam.ldb): tdb_open_ex: could not
> open file /var/lib/samba/private/sam.ldb: No such file or directory
> Unable to open tdb '/var/lib/samba/private/sam.ldb': No such file or
> directory
> Failed to connect to 'tdb:///var/lib/samba/private/sam.ldb'
> with backend 'tdb': Unable to open tdb
> '/var/lib/samba/private/sam.ldb': No such file or directory
> ERROR(ldb): uncaught exception - Unable to open tdb
> '/var/lib/samba/private/sam.ldb': No such file or directory
>   File "/usr/lib64/python3.9/site-packages/samba/netcmd/__init__.py", line 186, in _run
>     return self.run(*args, **kwargs)
>   File "/usr/lib64/python3.9/site-packages/samba/netcmd/user.py", line 1054, in run
>     samdb = SamDB(url=H, session_info=system_session(),
>   File "/usr/lib64/python3.9/site-packages/samba/samdb.py", line 70, in __init__
>     super(SamDB, self).__init__(url=url, lp=lp, modules_dir=modules_dir,
>   File "/usr/lib64/python3.9/site-packages/samba/__init__.py", line 114, in __init__
>     self.connect(url, flags, options)
>   File "/usr/lib64/python3.9/site-packages/samba/samdb.py", line 86, in connect
>     super(SamDB, self).connect(url=url, flags=flags,
>
> Is this because I cannot change an AD password from a domain member?
> Do I first need to map the domain Administrator account to the local
> root account? (Which I did not do and wasn't going to do unless I
> needed to.)
>
> Thanks --Mark

Let's start with the obvious thing: there isn't a /var/lib/samba/private/sam.ldb file on a Unix domain member, so that is why you are getting that error.
You need to tell samba-tool where your DC is, and you also need to use a member of Domain Admins to make the change, something like this:

samba-tool user setpassword myuser -H ldap://dc1 -Urowland

You should be prompted for the new password (twice), then for the password of the member of Domain Admins, which should lead to 'Changed password OK'.

Rowland
On Sun Dec 10 05:49:43 2023 Rowland Penny via samba <samba at lists.samba.org> wrote (regarding idmap backends):

> The 'ad' backend:
> This is only required if you need the rfc2307 attributes for different
> Unix home directories and login shells. It also requires that you use
> and populate the rfc2307 uidNumber & gidNumber attributes for users &
> groups that you require to be visible on Unix.
>
> The 'rid' backend:
> This backend does not require any alterations to AD. It calculates the
> user & group Unix IDs from the user or group RID. If you use the same
> basic smb.conf on all Samba Unix domain members, you will always get
> the same Unix ID. You are limited to Unix home directory path and login
> shell which by default are set to /home/%D/%U and /bin/false , though
> they can be changed by setting the relevant parameters in smb.conf ,
> for instance

Now that I've successfully provisioned a new Samba AD/DC, I need to join Windows 10 workstations to the new domain. A couple of questions:

1) I've provisioned with the SAMBA_INTERNAL DNS backend. In our current domain, workstations are allocated static IPs and so are devices like printers. Do I assume correctly that dhcpd will continue to work on the new DC? Will the SAMBA_INTERNAL DNS pick up new devices I add to /etc/dhcpd.conf? I used to be able to remove obsolete devices by editing the zone files. Can I do something similar with the SAMBA_INTERNAL DNS backend?

2) I used the 'rid' backend to join a Linux domain member to a Windows DC. Now I'm doing the reverse, joining a Windows 10 domain member to the new Samba DC. I did provision the Samba DC with --use-rfc2307. Does that mean I should join with the 'ad' backend for the new Windows member? If so, must I then "populate the rfc2307 uidNumber & gidNumber attributes for users & groups that [I] require to be visible on Unix"? The old/current DC does have uid/gidNumbers for users and groups.

The old/current system had two samba shares accessible by domain users using their domain credentials: "Redirected Folders" on the AD/DC, and a shared folder shared by a Linux domain member / file server. Both directories had the domain uid and gid number set on the files. I'll be doing these shares for the new domain (except I may not put the "Redirected Folders" on the domain controller).

When setting up the old/current DC, I added each user to the domain using the Windows "Active Directory Computers and Users" Administrative tool. With that, I entered both uidNumber and gidNumber for each user. This time, I'm going to try using the ForensiT tool to migrate the users (which may not work with Samba, but we'll see).

In short, does what I want to do with users, Samba file server shares, etc. mean I should use the 'ad' backend instead of the 'rid' backend when joining Windows domain members? Note that actual home directories and login shells are irrelevant as the domain users are only on Windows and there are no domain users accessing from the Linux members (except for the administrator).

Thanks --Mark
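As an added illustration of the 'rid' backend behaviour Rowland describes in the quoted text (example code written for this thread, not from Samba or from either poster): it applies the mapping documented in idmap_rid(8), ID = RID - BASE_RID + LOW_RANGE_ID, to a constructed smb.conf range and sample SIDs, which shows why identical smb.conf settings give identical Unix IDs on every member and what happens when a RID falls outside the configured range.

```python
# Added example (not from the thread): how Samba's idmap_rid backend derives a
# Unix uid/gid from an AD SID, per the formula in the idmap_rid(8) man page:
#     ID = RID - BASE_RID + LOW_RANGE_ID
# The smb.conf text, domain SID and RIDs below are constructed sample values.
import re

# Domain SIDs have the form S-1-5-21-<a>-<b>-<c>-<RID>; the RID is the last part.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-(\d+)$")

SAMPLE_SMB_CONF = """\
[global]
   security = ADS
   workgroup = SAMDOM
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config SAMDOM : backend = rid
   idmap config SAMDOM : range = 10000-999999
"""


def idmap_range(smb_conf: str, domain: str) -> tuple[int, int]:
    """Extract LOW and HIGH from 'idmap config DOMAIN : range = LOW-HIGH'."""
    pat = re.compile(r"^\s*idmap config\s+" + re.escape(domain)
                     + r"\s*:\s*range\s*=\s*(\d+)\s*-\s*(\d+)", re.I | re.M)
    m = pat.search(smb_conf)
    if not m:
        raise ValueError(f"no idmap range configured for {domain}")
    return int(m.group(1)), int(m.group(2))


def rid_from_sid(sid: str) -> int:
    """Return the RID (last sub-authority) of a domain SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain SID: {sid!r}")
    return int(m.group(1))


def rid_to_unix_id(sid: str, low: int, high: int, base_rid: int = 0):
    """Map a SID to a Unix ID as idmap_rid does. Returns None when the result
    lies outside LOW-HIGH: winbind then fails the mapping and the user or
    group is simply not visible on that Unix host."""
    unix_id = rid_from_sid(sid) - base_rid + low
    return unix_id if low <= unix_id <= high else None


if __name__ == "__main__":
    low, high = idmap_range(SAMPLE_SMB_CONF, "SAMDOM")
    # RID 1103 (a constructed user) and RID 513 (well-known 'Domain Users')
    for sid in ("S-1-5-21-1111-2222-3333-1103", "S-1-5-21-1111-2222-3333-513"):
        print(sid, "->", rid_to_unix_id(sid, low, high))
```

Because the result depends only on the RID and the configured range, every member with the same idmap lines in smb.conf produces the same uid and gid, which is the property Rowland points out.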