Samba-TNG-2.6 + OpenLDAP 2.0.7 + Windows 2000 Advanced Server

Tomas Maly malyprogservices at flashmail.com
Fri Dec 29 02:57:22 GMT 2000


I'm trying to get Samba TNG 2.6 (as a PDC), OpenLDAP 2.0.7 (as the
smbpasswd backend), and Windows 2000 Advanced Server (as a client)
working amongst each other to no avail. Details (such as debug output)
are to be sent in a separate email (assuming it is requested, because
the sucker is so long, and besides, I don't know what level of debugging
you may want).  First off, my Samba PDC is named SMB1, and my W2K server
box is called W2KSERV1-ITBETA. My domain is ITBETA.

The steps I go through to get Samba TNG 2.6 installed:
cd /usr/src/samba-tng-2.6 (or whatever name it is)
./configure --with-ldap
(I then edit the Makefile and remove the reference to swat during
default compilation, because gcc complains about "something-sid" (where
"something" is something I cannot quite remember at the moment) not
being defined; so I just turn swat off. If I try to make
bin/realsmbpasswd, it fails too, same error. I notice that there's a
patch in the samba-tng-ldap howto to actually fix it...)
make && make install

On a side note, if I do a ./configure --with-nt5ldap instead, does that
mean I use an alternate schema? (I'm guessing so) I've seen reference to
a microsoft.schema in OpenLDAP 2.x, and I saw it back when I had
OpenLDAP back in gamma stage, but it doesn't appear to come with the
source now. Anyway, is there any requirement to use --with-nt5ldap?
Perhaps I need the newer schema to get it working with W2K (NT 5)?

On another side note, I had to hack the code (whatever files are
--with-ldap specific, that actually call the ldap routines for addition
and modifications) such that if the cn, workstations, smbHome, profile, and
other attributes were null, then it did not add them. If I don't do this
hack, any modifications to existing samba accounts in LDAP cause LDAP to
give an "invalid syntax" because these attributes aren't assigned
values, but their names are mentioned in the ldif file. Please fix this!
=P

I follow the samba-tng-ldap howto to the dot, except how it uses
OpenLDAP 1.2.x. Anyway, I get samba.schema (off of somewhere) for
OpenLDAP 2.0.7 installed and modified to work. I add the correct
configuration to smb.conf to use LDAP, and it works fine via tests. I
add all the appropriate groups and users as shown in the samba-tng-ldap
howto.  With samedit,  I do the following to add a user root and a trust
account for the 2000 box I'm trying to join from. I guess root since it
can write to /usr/local/samba/var/locks/ITBETA.SMB1.tdb, which I'm
unsure what it is, please someone clarify it-- All I know is that
whoever I log in as on the 2000 box, I need to have writeable
permissions to that file. I haven't seen any documentation speaking
about actually joining the domain via W2k, so please get this added to
whatever documentation it belongs to! My Samba Unleashed book, which
claims to know how to get W2K working with a Samba PDC, skipped the step
of mentioning what unix privileges the Administrator account-- whom it
says to log in as on the W2K box for authorization during joining the
domain-- needs.

samedit -S . -U root%
root at .> createuser root -p ####
root at .> createuser W2KSERV1-ITBETA$

It says all is OK. For whatever reason, there is a dn like
"uid=root,dc=domain,dc=com", and also one (as stated by samba-tng-ldap
howto) named "id=root,dc=domain,dc=com". I don't know why the 'id' one
is needed. Can anyone tell me why?

I had previously added a local account (in /etc/passwd) of
W2KSERV1-ITBETA$. BTW, is there the option of having it stored in LDAP
instead? Rather, does samba do a getpwnam(), or does it open /etc/passwd
and parse it? (If the former, nss_ldap would enable it in LDAP)? I take
it that I DON'T append "-j ITBETA" to the second createuser command
because the W2K box will do that for me (when trying to log on to the
domain)? If I decide to put it in there myself, then is the W2K box
considered a part of the domain, and thus I do not need to enter in a
username/password on the W2K side to join it? I've actually tried to do
it all on the Samba side, and it says to do a "use \\\\W2KSERV1-ITBETA
-U localadmin". Does "localadmin" literally mean that, or
"Administrator" (NOT "ITBETA\Administrator", of course)?

I then go onto the W2K server box and set the domain to ITBETA, and
click OK. It asks for a username and password and I put 'root' and
'####' respectively. It sits for about 10 seconds, goes mad with the
disk access (on the Win server), and I notice via the logs on the SMB
server that it successfully logs in and does god knows what with the
pipes (IPC$). I notice that through several tries, either the Windows
machine says that I'm logging in from a computer account (the account
flags say only U, though). On a side note, can someone elaborate what
each symbol in the flags mean? I can somewhat decipher it, but some of
the letters are ambiguous (even when looking at the samedit man page,
looking under the samuserset2 section)? The other tries, it says "remote
procedure call failed". I recall under the RPC failed situations that
I tried it as a user that was not root and did not have write access to
that file I mentioned. One of the log files mentions something about
secret_db unable to be opened and that there may be a possible attack.
I debug the code to the point that I realize that it cannot write to
that file. However, I'll have to look again to see whether it is trying
to read or trying to write to the file (my guess is write).

However, when I was root, it either said I was logging in as a computer
account (only the U flag is distinctly set, I'm sure), or it said the
account did not exist, or the password was wrong. I go on the samba
server and run a "smbclient -L SMB1 -U root%####" and it works a-okay.
So the password is not incorrect. I believe log.smb or log.samr mentions
something about ACCESS_DENIED or USER_DENIED or something. I know it's
an NT (or rather, SMB) error code, though-- it starts with "NT" and ends
with "DENIED". What I need to try is seeing if I can access \\SMB1\IPC$,
but I don't know what the W2K server is trying to do, so I have no clue
how to test that out. Perhaps \\SMB1\IPC$ is not accessible to root. But
ntuid should map to the unix uid 0, and there should be no permissions
issues. However, if I try to access (while still in a "workgroup" named
ITBETA in W2K, versus the domain) from the W2K box any share (such as
\\smb1\root), even if I give username root and password ####, it still
fails. I try to look into /usr/local/samba/var/log.smb with "smbd -D -d
255", and it usually gives more detail why I couldn't log in. I'll check
on that tomorrow. However, if I check all the logs (even -d 255),
I don't see a single bit of info regarding any problems logging in (when
I get one of the remote procedure call failed errors). I see a load of
info regarding IPC$ (pipes). Does anyone know what exactly W2K is trying
to do while joining the domain? Can I guess it's trying to run something
on the Samba machine?

The thing is that I've tried so many things that it's somewhat difficult
to remember what exact situations (such as which user I try to log in as
on W2K while joining the domain), and what response W2K gives me
(whether RPC failed, or account is a computer account, or whether
account does not exist) are occurring. Bear with me, though.

I severely doubt the issue lies in SambaTNG + LDAP, and I'm guessing
either the code is broken (I've seen docs saying it works in 2.5, but
I'm using 2.6, and I'm unsure what's broken now versus before), or
there's some major change in the approach causing me to do some other
steps I don't know of. I'll try to revert to TNG 2.5 with LDAP to see if
that works (I sure hope so, since I have people who say it does). If that
doesn't work, I'll try TNG 2.5 without LDAP, although I doubt that would
result in anything. But before that I'll try to re-do all my steps so
I can make more sense of this all (and so all you can too!).

Sorry for all the blabber, I've obviously been jumping in my mind from
spot to spot, but please try and make some sense out of all my mumble.
I spent about 9 hours straight today trying to get all this working.
Thanks!

--
Tomas Maly
IT Systems Administrator
Monta Vista Software -- THE Embedded Linux Experts
tmaly at mvista.com
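As an added example (not code from the post or from Samba TNG), the LDIF builder below reproduces the defect the poster hacked around: attributes listed with empty values cause OpenLDAP to reject the modify with "invalid syntax", and the fix is to leave valueless attributes out of the record. The attribute names are the ones the post lists (cn, workstations, smbHome, profile); the DN, uid and acctFlags value are constructed sample data.

```python
# Added example (not Samba-TNG code): build an LDIF "modify" record for a Samba
# account and skip attributes that have no value, which is the hack the post
# describes.  Sample DN and values are constructed; attribute names match the
# ones the post lists (cn, workstations, smbHome, profile).

# Constructed sample account: uid/acctFlags set, the optional ones left blank.
ACCOUNT_DN = "uid=W2KSERV1-ITBETA$,dc=domain,dc=com"
ACCOUNT = {
    "uid": "W2KSERV1-ITBETA$",
    "acctFlags": "[U          ]",   # only the U flag set, as in the post
    "cn": "",
    "workstations": "",
    "smbHome": None,
    "profile": "",
}


def ldif_modify_naive(dn, attrs):
    """Defective behaviour: every attribute is written whether it has a value
    or not.  A line such as 'workstations: ' makes OpenLDAP reject the whole
    modify with 'invalid syntax'."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for name, value in attrs.items():
        lines += [f"replace: {name}", f"{name}: {value or ''}", "-"]
    return "\n".join(lines) + "\n"


def ldif_modify(dn, attrs):
    """Fixed behaviour: attributes whose value is None or blank are skipped,
    so the record only names attributes it actually assigns."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for name, value in attrs.items():
        if value is None or not str(value).strip():
            continue   # nothing to assign: leave the attribute out entirely
        lines += [f"replace: {name}", f"{name}: {value}", "-"]
    return "\n".join(lines) + "\n"


def empty_valued_attrs(ldif):
    """Check an LDIF record before sending it: return the attribute names
    that appear with an empty value (the ones slapd would reject)."""
    bad = []
    for line in ldif.splitlines():
        name, sep, value = line.partition(":")
        if sep and not value.strip():
            bad.append(name)
    return bad
```

Running `empty_valued_attrs` over a record before handing it to the server is a cheap way to confirm which attribute a generic "invalid syntax" error is really about.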