[Samba] LDAP PDC problems

Buchan Milne bgmilne at cae.co.za
Thu Sep 12 17:21:00 GMT 2002

> Message: 11
> Date: Thu, 12 Sep 2002 15:15:30 +0200
> From: Edoardo Causarano <edoardocausarano at tin.it>
> To: samba at lists.samba.org
> Subject: [Samba] LDAP PDC problems
> Hello there,
> I'm running 2.2.5 compiled with ACL and LDAP auth. The PDC used to work 
> flawlessly using smbpasswd but I want to dual boot the workstations to 
> Linux so I need a centralized LDAP authentication repository.
> Once I reinstalled the LDAPized samba I started populating the directory 
> with the "well-known" identities using the smbldap tools

There are better ways of doing this, since AFAICT, the smbldap tools are 
best suited for setting up from scratch.

You could have used the migration tools to migrate your existing 
passwd/group/shadow info into LDAP. On Mandrake the scripts are in the 
openldap-migration pacage.

Then, you should use the import script in the samba source:
to import the samba accounts from smbpasswd. You should now have all the 
info you had before.

I still have some issues with smbldap tools (doesn't set 
objectClass=person, defaults to hard-coding the profile and login 
script, which kind of defeats the purpose of using LDAP and samba, so 
they need to be manually removed etc), but haven't gotten around to 
trying to fix them.

  (bear in mind
> I'm more of a UNIX guy so these MSisms are a bit of a black magic to 
> me). Following that I started using smbldap-useradd to insert the users 
> in the domain, chowning their homes to the new UNIX uids and wile I was 
> at it, moved the profiles to a separate place in the filesystem (the 
> profile used to be in unix HOME; worked fine but docs said it gives 
> problems so I followed instructions).
> The situation is as follows:
> Users no longer have unix private group, their primary group is 100 
> (Users) which is default in those tools and logon to the NT4 machines is 
> ok and attribute mapping is fully turned on (hoped this would cure the 
> sync briefcase becoming a regular dir after roaming logoff/login). 
> File/Directory masks are all 0777.
> I'm experiencing many problem with this configuration so please give me 
> some hints (documentation pointers if necessary): MS Office keeps 
> popping up the registration initials/username window as if is had been 
> run for the first time (often locking up). Printing no longer works, eg. 
> Acrobat 5 asks to define a default printer before proceeding but the 
> control panel wizard refuses to run. Outlook express asks to choose a 
> user profile from an empty list and creation of a new one fails.

Looks like symtoms of not being able to read and write to the registry. 
The users registry is by default only accessible to them (and probably 
admins), defined the the SID (I think). Since the rid has changed, you 
have now prevented all your users from modifying their own registry.

> Homes 
> drive mapping no longer works. 

Don't know why this would be broken if you fixed the ownership.

> Accounts belonging to Domain Admins group 
> work ok.

Since they have rights on their profile, being admins.

> I'm not near the machines ATM, but I suspect it's the primary group 
> that's @ fault; perhaps it sould be Domain Users. Can you confirm this 
> or is there something worse @ play?

I think the problem is that your rid's have changed. You need to either:
1)Delete all the user registries (ntuser.dat in their profile)
2)Revert to good backups and undo your uid changes, and reimport your 
users into LDAP using something besides smbldap tools (ie ldap-migration 
scripts and the samba import script).

You may also want to read the recent ldap article on 

|----------------Registered Linux User #182071-----------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7

More information about the samba mailing list