User Manager for Domains and LDAP

Kevin Myer kevin_myer at elanco.k12.pa.us
Mon Jun 14 21:31:07 GMT 1999


Hi,

Through poking and fiddling and manual additions of entries, I've gotten
the majority of NT's "features" working off a Samba PDC (HEAD CVS) with an
LDAP backend (OpenLDAP 1.2.3).  I'll list the few problems I have and see
if anyone can offer suggestions:

1)  I installed NT on a Vmware created virtual machine.  The first time I
logged in, it told me that my password expired today.  However, when I
attempted to change it, it gave me an error (C000000BE or something
close).  Looking in the mail archives, this appears to be a bug that is
known about and someone earlier had replied that it was fixed in the
flatfile code.  It apparently is not fixed in the LDAP lookup code and I'm
a bit green when it comes to looking at C code.  I am not sure if it is a
bug or a missing attribute in a field in my LDAP entry.

Same password change problem occurs with the CTL-ALT-DLT method of
changing passwords.

2)  Perhaps related, when I attempt to use User Manager for Domains from
the abovementioned VM, I can see the groups and users I've added (by hand)
to the LDAP server.  When I select the Administrator account, it comes up
and "User Must Change Password at Next Logon", "User Cannot Change
Password" and "Password Never Expires" are checked.  The last one I set by
adding the "X" to the acctflags - the other two are problematic for some
reason, since they seem to create a circular problem - I need to change my
password but I don't have the permission to do so.  Are there additional
flags to set in the acctflags to make this problem go away or is this a
bug in the LDAP parsing code?  When I attempt to change these, I get the
following, lovely, specific error (almost as informative as MacOS :)



3)  Basically the same thing happens if I click on the "Groups" icon.  I
show up as being a member of Domain Admins but if I modify that by adding
myself to another group (or even if I do nothing at all) and click OK, I
get the same error message as above.

On the surface, I can't see any differences between using the enumuser,
enumgroups, etc. options in rpcclient on an NT PDC and a Samba PDC so this
has almost got to be something with these acctflags or missing attributes.

4)  The following started appearing after I compiled and attempted to use
the CVS code from sometime Friday, June 11, 1999.  It may have been there
before but I didn't notice it until after that build.  

[1999/06/14 16:47:33, 0] smbd/uid.c:become_root(370)
  ERROR: become root depth is non zero
[1999/06/14 16:47:35, 0] smbd/uid.c:unbecome_root(391)
  ERROR: unbecome root depth is 0
[1999/06/14 16:47:52, 0] smbd/uid.c:become_root(370)
  ERROR: become root depth is non zero
[1999/06/14 16:47:54, 0] smbd/uid.c:unbecome_root(391)
  ERROR: unbecome root depth is 0


On a mostly unrelated note to NTDOM stuff, has anyone come up with a good
mechanism for keeping Samba related LDAP entries in their own hierarchy?
My posix stuff hierarchy is getting a bit messy with Samba stuff and I
would love to move everything Samba related to its own tree.  However, I'm
concerned that since Samba relies on the POSIX stuff as well for user
account info, etc., I might break things if I limit my search in smb.conf
to something like ou=Samba Stuff,dc=elanco,dc=k12,dc=pa,dc=us.  Currently
everything is being stored in ou=People,dc=elanco,dc=k12,dc=pa,dc=us and
that is my LDAP root in smb.conf and it doesn't appear to be a problem
that my UNIX groups, etc. are stored elsewhere because the PAM and NSS
LDAP modules handle those lookups but...

I am more and more enthralled with Samba, the closer I get to replacing NT
with it :)  To me, this is a Linux/UNIX killer app - it essentially will
kill NT servers on my network :) :) :)

Thanks for any tips, pointers, suggestions, etc.

Kevin


-- 
     ~        Kevin M. Myer
    . .       Network/System Administrator
    /V\       ELANCO School District
   // \
  /(   )\
   ^`~'^





