[Samba] Replacement pdc samba3 to samba4 nt classic
Harry Jede
walk2sun at arcor.de
Wed Oct 12 13:19:41 UTC 2016
On Wednesday, 12 October 2016, you wrote:
> Thanks to your help, earned.
>
> 1. I reinstalled ldap
>
> 2. remove all entries except sambaDomainName
According to your logs, you have had three entries
> 3. smbldap-populate
>
> 4. /usr/local/sbin/smbldap-passwd -s root
>
> 5. net rpc join -S 127.0.0.1 -U root%secret
>
> 6. restore from a backup of users, groups, and computers
>
> 7. now it works as it should
fine
do not forget to recreate the entries in secrets.tdb.
> Yes, I too prefer Debian, but Ubuntu is the default in my company.
>
> On 12.10.2016 16:16, Harry Jede via samba wrote:
> > On Wednesday, 12 October 2016, you wrote:
> >>> # the structure of your DIT
> >>> # ldapsearch -xLLL -H ldapi:/// -b dc=rugion,dc=ru
> >>> hasSubordinates=TRUE dn
> >>
> >> root at pdc:~# ldapsearch -xLLL -H ldapi:/// -b
> >> ou=arkhangelsk,dc=rugion,dc=ru hasSubordinates=TRUE dn
> >> dn: ou=arkhangelsk,dc=rugion,dc=ru
> >>
> >> dn: ou=users,ou=arkhangelsk,dc=rugion,dc=ru
> >>
> >> dn: ou=groups,ou=arkhangelsk,dc=rugion,dc=ru
> >>
> >> dn: ou=computers,ou=arkhangelsk,dc=rugion,dc=ru
> >>
> >> dn: ou=users.deleted,ou=arkhangelsk,dc=rugion,dc=ru
> >
> > OK,
> > the structure is the same as referred in smb.conf.
> >
> >>> # the registered domains
> >>> # ldapsearch -xLLL -H ldapi:///
> >>> '(&(sambadomainname=*)(objectclass=sambadomain))' sambaDomainName
> >>> sambaSID
> >>
> >> root at pdc:~# ldapsearch -xLLL -H ldapi:///
> >> '(&(sambadomainname=*)(objectclass=sambadomain))' sambaDomainName
> >> sambaSID
> >> No such object (32)
> >
> > BAD,
> > here something like:
> > dn: sambaDomainName=EUROPA,dc=europa,dc=xx
> > sambaDomainName: EUROPA
> > sambaSID: S-1-5-21-3958726613-3318811842-4132420312
> > should be returned, we will fix it later.
> >
> > Later in this mail I have seen that you do not have a
> > defaultsearchbase in the openldap frontend, so try this:
> > # ldapsearch -xLLL -H ldapi:/// -b dc=rugion,dc=ru -s sub
> > '(&(sambadomainname=*)(objectclass=sambadomain))' sambaDomainName
> > sambaSID
> >
> >> root at pdc:~# ldapsearch -xLLL -H ldapi:///
> >> '(objectclass=sambasamaccount)' -b ou=arkhangelsk,dc=rugion,dc=ru
> >> sambaacctflags sambaSID
> >> dn: uid=root,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
> >> sambaAcctFlags: [U ]
> >> sambaSID: S-1-5-21-1997676671-1552059010-3109710481-500
> >>
> >> dn: uid=admin,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
> >> sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1001
> >> sambaAcctFlags: [U ]
> >>
> >> ...
> >
> > You have shortened the output.
> > OK, the only thing I want to see is the domainsid:
> > S-1-5-21-1997676671-1552059010-3109710481
> >
> >>> # the machines and or trust accounts
> >>> # ldapsearch -xLLL -H ldapi:///
> >>> '(&(cn=*$)(objectclass=sambasamaccount))' sambaacctflags sambaSID
> >>
> >> root at pdc:~# ldapsearch -xLLL -H ldapi:///
> >> '(&(cn=*$)(objectclass=sambasamaccount))' sambaacctflags sambaSID
> >> No such object (32)
> >
> > (OK),
> > you have not optimized the ldap server, so you do not get
> > any output without a searchbase, aka -b <DN>. You may set it in the
> > frontend database. Should look like:
> > # grep -Hri defaultsearch /etc/ldap/slapd.d/*
> > /etc/ldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif:olcDefaultSearchBase: dc=europa,dc=xx
> >
> > DO NOT EDIT cn=config BY HAND. USE THE LDAP* COMMANDS.
> >
> >> root at pdc:~# ldapsearch -xLLL -H ldapi:///
> >> '(&(cn=*$)(objectclass=sambasamaccount))' -b
> >> ou=arkhangelsk,dc=rugion,dc=ru sambaacctflags sambaSID
> >> dn: uid=pdc$,ou=computers,ou=arkhangelsk,dc=rugion,dc=ru
> >> sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1015
> >> sambaAcctFlags: [S ]
> >>
> >> ...
> >
> > You have shortened the output again. I am looking for your domain SID
> > AND for DCs. So do it again, but this time pass a filter:
> > # ldapsearch -xLLL -H ldapi:///
> > '(&(cn=*$)(objectclass=sambasamaccount))' -b
> > ou=arkhangelsk,dc=rugion,dc=ru sambaacctflags sambaSID |egrep -B3
> > '\[.*S.*\]'
> >
> >>> # ls -l /var/lib/samba/
> >>
> >> root at pdc:~# ls -l /var/lib/samba/
> >> total 1832
> >> -rw------- 1 root root 421888 Oct 7 16:02 account_policy.tdb
> >> -rw------- 1 root root 696 Oct 6 11:24 group_mapping.tdb
> >> drwxr-xr-x 10 root root 4096 Oct 6 11:24 printers
> >> drwxr-xr-x 3 root root 4096 Oct 7 11:10 private
> >> -rw------- 1 root root 528384 Oct 6 11:24 registry.tdb
> >> -rw------- 1 root root 421888 Oct 6 11:24 share_info.tdb
> >> drwxrwx--T 2 root sambashare 4096 Oct 6 11:24 usershares
> >> -rw------- 1 root root 32768 Oct 11 11:19 winbindd_cache.tdb
> >> -rw-r--r-- 1 root root 421888 Oct 10 11:48 winbindd_idmap.tdb
> >> drwxr-x--- 2 root root 4096 Oct 11 11:19 winbindd_privileged
> >> -rw-r--r-- 1 root root 2496 Oct 12 07:45 wins.dat
> >> -rw------- 1 root root 24576 Oct 12 07:39 wins.tdb
> >
> > BAD,
> > you do not have a secrets.tdb database!!!
> >
> > If you have one, the important records look like:
> >
> > # tdbdump /var/lib/samba/secrets.tdb |egrep -B1 -A2 'IDMAP_LDAP|LDAP_BIND'
> > {
> > key(53) = "SECRETS/GENERIC/IDMAP_LDAP_*/cn=admin,dc=europa,dc=xx"
> > data(6) = "your_secret\00"
> > }
> > --
> > {
> > key(45) = "SECRETS/LDAP_BIND_PW/cn=admin,dc=europa,dc=xx"
> > data(6) = "your_secret\00"
> > }
> >
> >
> > The first changes, set the secrets:
> > a) secret for the ldap admin specified in smb.conf:
> > cn=admin,dc=rugion,dc=ru
> >
> > I hope you know it. Whenever you change the secret in ldap, you
> > *must* change it here.
> >
> > # smbpasswd -W
> >
> > b)
> >
> > ### net IDMAP SECRET <DOMAIN> <secret>
> > <DOMAIN> is the NetBIOS domain name, aka the WORKGROUP parameter from
> > smb.conf; <SECRET> is the same as above,
> > i.e.
> >
> > # net idmap secret CORP.29.RU yourLdapAdminPassword
> >
> >
> > check if both succeeded with:
> > # tdbdump /var/lib/samba/secrets.tdb |egrep -B1 -A2
> > 'IDMAP_LDAP|LDAP_BIND'
> >
> > if true,
> >
> > set the domainsid:
> > # net setdomainsid S-1-5-21-1997676671-1552059010-3109710481
> >
> > and verify it:
> > # net getdomainsid
> > SID for local machine CAPELLA is: S-1-5-21-3958726613-3318811842-4132420312
> > SID for domain EUROPA is: S-1-5-21-3958726613-3318811842-4132420312
> >
> > You *must* get two records with the same SID. One for your PDC and
> > one for the domain.
> >
> > If all is OK, restart samba *and* winbind, or better reboot. But
> > changing the password through PAM is still *not configured*. Read further.
> >
> >>> # cat /etc/nsswitch.conf
> >>
> >> root at pdc:~# cat /etc/nsswitch.conf
> >>
> >> ethers: db files
> >> group: compat ldap winbind
> >> hosts: files dns
> >> netgroup: nis
> >> networks: files
> >> passwd: compat ldap winbind
> >> protocols: db files
> >> rpc: db files
> >> services: db files
> >> shadow: compat
> >>
> >>> # cat /etc/pam_ldap.conf |egrep -v '^#|^$'
> >>
> >> root at pdc:~# cat /etc/pam_ldap.conf |egrep -v '^#|^$'
> >> cat: /etc/pam_ldap.conf: No such file or directory
> >
> > # yours may have:
> > host 127.0.0.1
> > base ou=arkhangelsk,dc=rugion,dc=ru
> > uri ldap://127.0.0.1/
> > ldap_version 3
> > rootbinddn cn=admin,dc=rugion,dc=ru
> > scope sub
> > bind_policy soft
> > pam_password exop
> >
> >> root at pdc:~# cat /etc/ldap.conf |egrep -v '^#|^$'
> >> host 127.0.0.1
> >> base ou=arkhangelsk,dc=rugion,dc=ru
> >> ldap_version 3
> >> port 389
> >> scope one
> >> timelimit 30
> >> bind_policy soft
> >> idle_timelimit 3600
> >> pam_password md5
> >> nss_base_passwd ou=users,ou=arkhangelsk,dc=rugion,dc=ru?one
> >> nss_base_group ou=groups,ou=arkhangelsk,dc=rugion,dc=ru?one
> >> nss_base_passwd ou=computers,ou=arkhangelsk,dc=rugion,dc=ru?one
> >> nss_base_shadow ou=users,ou=arkhangelsk,dc=rugion,dc=ru?one
> >> nss_connect_policy persist
> >> nss_paged_results yes
> >> pagesize 1000
> >>
> >>> # ls -l /etc/pam_ldap.secret
> >>
> >> root at pdc:~# ls -l /etc/pam_ldap.secret
> >> ls: cannot access '/etc/pam_ldap.secret': No such file or directory
> >
> > I am not an ubuntu user, but a debian user :-) . Ubuntu is a daughter
> > OS, so it should or may work like debian. So you should have installed
> > and configured libpam-ldap and libnss-ldap. If so:
> > # echo -n 'yourLdapAdminPassword' > /etc/pam_ldap.secret
> > # chmod 600 /etc/pam_ldap.secret
> >
> > The rest looks good. I hope you are fine now.
> >
> >>> # cat /etc/pam.d/common-account|egrep -v '^#|^$'
> >>
> >> root at pdc:~# cat /etc/pam.d/common-account|egrep -v '^#|^$'
> >> account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
> >> account [success=1 default=ignore] pam_ldap.so
> >> account requisite pam_deny.so
> >> account required pam_permit.so
> >>
> >>> # cat /etc/pam.d/common-auth|egrep -v '^#|^$'
> >>
> >> root at pdc:~# cat /etc/pam.d/common-auth|egrep -v '^#|^$'
> >> auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
> >> auth [success=1 default=ignore] pam_ldap.so use_first_pass
> >> auth requisite pam_deny.so
> >> auth required pam_permit.so
> >>
> >>> # cat /etc/pam.d/common-password|egrep -v '^#|^$'
> >>
> >> root at pdc:~# cat /etc/pam.d/common-password|egrep -v '^#|^$'
> >> password requisite pam_cracklib.so reject_username retry=3 minlen=18 difok=3 maxrepeat=2 minclass=4 lcredit=0 ucredit=2 dcredit=1 ocredit=1
> >> password required pam_pwhistory.so use_authtok enforce_for_root remember=5
> >> password [success=2 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512
> >> password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
> >> password requisite pam_deny.so
> >> password required pam_permit.so
> >>
> >>> # cat /etc/pam.d/common-session|egrep -v '^#|^$'
> >>
> >> root at pdc:~# cat /etc/pam.d/common-session|egrep -v '^#|^$'
> >> session [default=1] pam_permit.so
> >> session requisite pam_deny.so
> >> session required pam_permit.so
> >> session optional pam_umask.so
> >> session required pam_unix.so
> >> session optional pam_ldap.so
> >> session optional pam_systemd.so
-- 
Regards
Harry Jede
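The two verification steps in the mail above (check that secrets.tdb holds both the LDAP bind password and the idmap secret for the ldap admin dn, and check that `net getdomainsid` reports one SID for both the machine and the domain and that it equals the sambaSID of the sambaDomainName entry in LDAP) as a small script. This is an added example, not code from the thread or from the Samba project. The functions parse the command output on stdin or in an argument, so they can be exercised offline against the constructed sample outputs embedded below (which reuse the example DN and SIDs quoted in the mail); the `live` mode runs the real tdbdump and net commands on the host. The path of secrets.tdb follows Samba's `private dir` setting: the mail uses /var/lib/samba/secrets.tdb, Debian-packaged Samba keeps it under /var/lib/samba/private, so SECRETS_TDB is an assumption you may need to override.

```shell
#!/bin/sh
# Added example (not from the original mail): offline-testable checks for the
# secrets.tdb / domain SID repair steps discussed in the thread.
# Assumption: secrets.tdb lives in the "private dir"; override SECRETS_TDB if
# your build puts it elsewhere (the mail uses /var/lib/samba/secrets.tdb).
SECRETS_TDB=${SECRETS_TDB:-/var/lib/samba/private/secrets.tdb}

# Succeeds only when a tdbdump of secrets.tdb carries both records Samba needs
# for an LDAP passdb backend, keyed on the given ldap admin dn:
# the bind password (set with smbpasswd -W) and the idmap secret.
# Returns 1 if the bind password record is missing, 2 if the idmap record is.
# Usage: tdbdump "$SECRETS_TDB" | secrets_have_ldap_bind 'cn=admin,dc=rugion,dc=ru'
secrets_have_ldap_bind() {
    dn=$1
    dump=$(cat)
    printf '%s\n' "$dump" | grep -qF "SECRETS/LDAP_BIND_PW/$dn\"" || return 1
    printf '%s\n' "$dump" | grep -qF "SECRETS/GENERIC/IDMAP_LDAP_*/$dn\"" || return 2
}

# Reads `net getdomainsid` output on stdin. On a PDC the machine SID and the
# domain SID must be identical: print that single SID and succeed, or fail
# when zero or more than one distinct SID appears.
# Usage: net getdomainsid | consistent_domainsid
consistent_domainsid() {
    sids=$(grep -o 'S-1-5-21-[0-9-]*' | sort -u)
    [ "$(printf '%s\n' "$sids" | grep -c 'S-1-5-21-')" -eq 1 ] || return 1
    printf '%s\n' "$sids"
}

# Compares the SID Samba holds (via consistent_domainsid) with the sambaSID
# of the sambaDomainName entry read from LDAP. A mismatch is what
# `net setdomainsid <ldap sid>` repairs.
# Usage: domainsid_matches_ldap "$ldap_sid" "$(net getdomainsid)"
domainsid_matches_ldap() {
    ldap_sid=$1
    samba_sid=$(printf '%s\n' "$2" | consistent_domainsid) || return 1
    [ "$samba_sid" = "$ldap_sid" ]
}

# Constructed sample outputs for offline use (not captured from a real host;
# the DN and SIDs are the example values quoted in the mail).
SAMPLE_GETDOMAINSID='SID for local machine CAPELLA is: S-1-5-21-3958726613-3318811842-4132420312
SID for domain EUROPA is: S-1-5-21-3958726613-3318811842-4132420312'
SAMPLE_SECRETS_DUMP='{
key(53) = "SECRETS/GENERIC/IDMAP_LDAP_*/cn=admin,dc=europa,dc=xx"
data(6) = "your_secret\00"
}
{
key(45) = "SECRETS/LDAP_BIND_PW/cn=admin,dc=europa,dc=xx"
data(6) = "your_secret\00"
}'

# Live mode checks this host:
#   sh check_pdc.sh live 'cn=admin,dc=rugion,dc=ru' S-1-5-21-1997676671-1552059010-3109710481
if [ "${1:-}" = "live" ]; then
    admin_dn=${2:?usage: $0 live <ldap admin dn> <domain SID from LDAP>}
    ldap_sid=${3:?usage: $0 live <ldap admin dn> <domain SID from LDAP>}
    tdbdump "$SECRETS_TDB" | secrets_have_ldap_bind "$admin_dn"
    case $? in
        0) echo "OK: LDAP bind password and idmap secret present for $admin_dn" ;;
        1) echo "MISSING: LDAP bind password for $admin_dn, set it with: smbpasswd -W"; exit 1 ;;
        *) echo "MISSING: idmap secret for $admin_dn"; exit 1 ;;
    esac
    if domainsid_matches_ldap "$ldap_sid" "$(net getdomainsid)"; then
        echo "OK: machine SID, domain SID and LDAP sambaSID all equal $ldap_sid"
    else
        echo "MISMATCH: Samba SID differs from LDAP, fix with: net setdomainsid $ldap_sid"; exit 1
    fi
fi
```

The LDAP-side SID for the live run comes from the search the mail gives: `ldapsearch -xLLL -H ldapi:/// -b dc=rugion,dc=ru -s sub '(&(sambadomainname=*)(objectclass=sambadomain))' sambaSID | sed -n 's/^sambaSID: //p'`; the user and machine entries shown in the thread carry that same prefix with a RID appended, so any of them can be cross-checked by stripping the last component.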