[Samba] New samba server

sgmayo at mail.bloomfield.k12.mo.us sgmayo at mail.bloomfield.k12.mo.us
Wed Jul 29 19:18:45 MDT 2009


sgmayo at mail.bloomfield.k12.mo.us wrote:
>
> sgmayo at mail.bloomfield.k12.mo.us wrote:
>>
>> sgmayo at mail.bloomfield.k12.mo.us wrote:
>>> I did not get this finished last summer, so decided to just wait and do
>>> it this summer.  I have setup my new samba server and was trying to get
>>> some things tweaked to the way that I want them.  I thought that I had
>>> asked this before and that I could do it, but it seems that it does
> not >> work.
>>>
>>> My new server is running as a domain server just like the old.  It has
>>> the same domain name and I change the the SID using net setlocalsid
> to >> the same sid number as my old server.  This new server is in a
> test
>>> environment right now.
>>>
>>> I was hoping that my old machines could just log into this server
>>> without having to get out of the domain and then rejoin it, but that
>>> does not work.  It tells me that the domain is not there until I get
> out >> of the old one and then rejoin the new one.  Is that how it has
> to
>>> work?  I was hoping I would not have to do that if I left the domain
>>> name the same and set the SID on the new server.  I just want to make
>>> sure I am not missing something before I go around to all 400 computers
>>> on campus and have them removed and rejoined to the domain.
>>
>> Mr. Terpstra gave me a bit of help.  I had done nothing to set my
>> domainsid, but after doing the following:
>>
>> net getlocalsid
>> net getdomainsid
>>
>> The values are the same on both the old and the new samba server.  This
>> new server will take the place of my old one.  Right now it is on a
>> network with nothing else on it besides one of my old windows clients.
>> If
>> I remove one of my old clients from the domain and then re-add it, then
>> it
>> logs in just fine.  If I take an old client from my current network and
>> put it on this new network and try to login to the new samba server then
>> it gives me the typical:
>>
>> "Windows cannot connect to the domain either because the domain
>> controller
>> is down or otherwise unavailable, or because your computer account was
>> not
>> found. Please try again later. If this message continues to appear
>> contact
>> your System Administrator for assistance."
>>
>> The name of the Windows machine is business18 so I did an
>> 'smbldap-adduser
>> -w business18$' to make sure the machine account was added in to the
>> directory, but the error was the same.  I even changed the uid of the
>> machine account to match the old one in case that was coming into play.
>>
>> Here is my samba config in case someone sees something that I don't.
>> Which is quite possible since I forget more than I learn it seems. :)
>> I'll be reading on the How-To to see if I can pick anything else up.
>>
>> [global]
>> 	workgroup = BES
>> 	server string = Samba Server Version %v
>> 	netbios name = SCHOOL
>>
>> 	interfaces = lo eth0
>> 	hosts allow = 127. 10.0. 19 2.168.0. localhost
>> 	ldap passwd sync = Yes
>> 	ldap admin dn = cn=Manager,dc=school,dc=bloomfield.k12.mo.us
>> 	ldap suffix = dc=school1,dc=bloomfield.k12.mo.us
>> 	ldap group suffix = ou=Groups
>> 	ldap user suffix = ou=Users
>> 	ldap machine suffix = ou=Computers
>> 	ldap idmap suffix = ou=Users
>> 	add machine script = /usr/sbin/smbldap-useradd -w "%u"
>> 	add user script = /usr/sbin/smbldap-useradd -m "%u"
>> 	ldap delete dn = Yes
>> 	add group script = /usr/sbin/smbldap-groupadd -p "%g"
>> 	add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>> 	delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>> 	set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>>
>> 	Dos charset = 850
>> 	Unix charset = ISO8859-1
>>
>>
>> 	log file = /var/log/samba/log.%m
>> 	max log size = 50
>>
>> 	security = user
>> 	passdb backend = ldapsam:ldap://127.0.0.1
>>
>> 	domain master = yes
>> 	domain logons = yes
>>
>> 	local master = yes
>> 	os level = 65
>> 	preferred master = yes
>>
>> 	wins support = yes
>> 	dns proxy = no
>>
>> 	load printers = yes
>> 	cups options = raw
>>
>> [homes]
>> 	comment = Home Directories
>> 	browseable = no
>> 	writable = yes
>>
>> [printers]
>> 	comment = All Printers
>> 	path = /var/spool/samba
>> 	browseable = no
>> 	guest ok = no
>> 	writable = no
>> 	printable = yes
>>
>
> Well, I am getting ready to take the other server offline and put the new
> one in place.  I am planning on just removing all my machines from the
> domain and adding them back in to get everything to work, though I would
> prefer not to do this.
>
> I am just not sure where else to look.  Thought I would post one last
> time.  I figure that most of this comes from me not knowing a lot about
> ldap and how samba interacts with it.  I am still learning.
>
> The passwords on the new server are different than the old.  Does that
> have any affect on it?  Do the passwords have to be the same when it comes
> to the new machine being added in?  I did not think that would matter, but
> maybe it does.  If it does then that would mean taht the XP machines
> somehow saved the password that was used when the machine joined the
> domain.
>
> Thanks for any info.  I'll play with this some tonight, but if I don't
> figure it out, I'll just do as I planned and remove all mahcines from the
> domain and add them back in.

I have messed with this for another 3 hours and have searched everything
that I know to search on the net.  Found lots of good hints, but nothing
has worked.  I was going to maybe try to slapcat just one computer account
and then slapadd it back in to see if that would work and if it would then
I would do all computer accounts.

For some reason there is no '-a' version on my old server even though the
manpage shows slapcat(8C) on both servers.  I did a slap cat and just
deleted everything down to and past the computers entry, but then noticed
the creatorsName and the modifiersName.

Those are both:
cn: Manager, dc=old-server-name,dc=org

My new server has a different name, so when I slapadd this back in, is
that going to cause problems?

I know that is more of an ldap question, but thought someone could
enlighten me on it here.  If I could just get this server to accept
computers without removing/re-adding to the domain, it would save me a
world of time.

thanks again.

-- 
Scott Mayo - System Administrator
Bloomfield Schools
PH: 573-568-5669  FA: 573-568-4565

Question: Because it reverses the logical flow of conversation.
Answer: Why is putting a reply at the top of the message frowned upon?



More information about the samba mailing list