[Samba] trying to prepare to go live this weekend

John H Terpstra jht at samba.org
Sat Dec 20 19:52:45 GMT 2003 

On Sat, 20 Dec 2003, Craig White wrote:

> On Fri, 2003-12-19 at 11:30, John H Terpstra wrote:
> > >  c) turn off logon services (never done this on NT domain controller but
> > > presume that it can be somewhat disabled) - has anyone done anything
> > > down this path?
> >
> > That will work too. Just shut down the Netlogon service.
> >
> ----
> finally, will all the users gone, I was able to get onto the network and
> test these things out. So I got over there this morning and:
> - disabled Network Logon service on NT-SERVER
> - changed smb.conf on Linux /security = user
>                             /domain/local/preferred master = yes
>                             /os level = 34
> - restarted smb service
>
> - user could log on - authenticated by samba/LDAP
> - user couldn't access files/shares/printers on NT-SERVER if their
> username/password didn't exist on NT-SERVER prior

That is expected because NT4 is a PDC and therefore believes it is
authoritative for all authentication. It will not pass the authentication
request through to Samba.

>
> - NT-SERVER 'Event Viewer' showed nothing of failed access

>From it's perspective nothing has failed.

> - NT-SERVER 'Server Manager' lists Samba as PDC and NT-SERVER as
> workstation (not PDC or BDC)

The vampire process registers the Samba server as a BDC. But you have to
update it to PDC. The NT4 PDC still thinks your Samba server is a BDC and
is looking for it to announce itself as such. Since it did not get the
message that says, "Hi, I'm your friendly BDC" it should show a ghosted
connection. ie: Grey icon that looks like any other domain member. The
greyed out icon could show in color, but it will never show as more than a
domain member machine.

> - NT-SERVER User Manager for Domains shows all the accounts for the
> domain, including the accounts that weren't on NT-SERVER domain prior to
> net vampire (obviously talks to Samba server) - it does however
> immediately open dialog - Tag is invalid and complains about that every
> time I try to connect to DOMAIN

Ok. I'd need to see the network traces to see what's going on.

>
> the only clue that I have on this is from /var/log/samba/log.ntserver
>
> [2003/12/20 11:16:20, 0]
> passdb/pdb_ldap.c:ldapsam_search_one_group(1612)
>   ldapsam_search_one_group: Problem during the LDAP search: LDAP error:
> (Insufficient access)smbldap_open: cannot access LDAP when not root..
>
> smbpasswd on that machine can access LDAP but apparently, through
> NT-SERVER, it can't - must be the Administrator<->root mapping yes/no?

You need an Administrator account in LDAP and it must have UNIX uid=0.

>
> smbaccess -w has been run and up to this point, seemed happy.

Look on the bright side: at least something is happy.

> hints?

Ok, above.

> Painters came in to mess up my access today. I'm going to the bookstore
> and see if the Samba 3 book and a suitable LDAP book is available. I'm
> very interested in looking at various slapd.conf examples that might
> give me good ideas before I am committed.

I'd order the painters off site if I knew they would listen. How dare they
get in the way of your enjoyment. :)

- John T.
-- 
John H Terpstra
Email: jht at samba.org

More information about the samba mailing list