[Samba] LDAP PDC problems

Edoardo Causarano edoardocausarano at tin.it
Thu Sep 12 22:23:01 GMT 2002


Buchan Milne wrote:

>> Message: 11
>> Date: Thu, 12 Sep 2002 15:15:30 +0200
>> From: Edoardo Causarano <edoardocausarano at tin.it>
>> To: samba at lists.samba.org
>> Subject: [Samba] LDAP PDC problems
>>
>> Hello there,
>>
>> I'm running 2.2.5 compiled with ACL and LDAP auth. The PDC used to 
>> work flawlessly using smbpasswd but I want to dual boot the 
>> workstations to Linux so I need a centralized LDAP authentication 
>> repository.
>>
>> Once I reinstalled the LDAPized samba I started populating the 
>> directory with the "well-known" identities using the smbldap tools
>
>
> There are better ways of doing this, since AFAICT, the smbldap tools 
> are best suited for setting up from scratch.
>
> You could have used the migration tools to migrate your existing 
> passwd/group/shadow info into LDAP. On Mandrake the scripts are in the 
> openldap-migration package.
>
> Then, you should use the import script in the samba source:
> examples/LDAP/import_smbpasswd.pl
> to import the samba accounts from smbpasswd. You should now have all 
> the info you had before.
>
> I still have some issues with smbldap tools (doesn't set 
> objectClass=person, defaults to hard-coding the profile and login 
> script, which kind of defeats the purpose of using LDAP and samba, so 
> they need to be manually removed etc), but haven't gotten around to 
> trying to fix them.
>
>> (bear in mind
>> I'm more of a UNIX guy so these MSisms are a bit of a black magic to 
>> me). Following that I started using smbldap-useradd to insert the 
>> users in the domain, chowning their homes to the new UNIX uids and 
>> while I was at it, moved the profiles to a separate place in the 
>> filesystem (the profile used to be in unix HOME; worked fine but docs 
>> said it gives problems so I followed instructions).
>>
>> The situation is as follows:
>> Users no longer have unix private group, their primary group is 100 
>> (Users) which is default in those tools and logon to the NT4 machines 
>> is ok and attribute mapping is fully turned on (hoped this would cure 
>> the sync briefcase becoming a regular dir after roaming 
>> logoff/login). File/Directory masks are all 0777.
>>
>> I'm experiencing many problems with this configuration so please give 
>> me some hints (documentation pointers if necessary): MS Office keeps 
>> popping up the registration initials/username window as if it had 
>> been run for the first time (often locking up). Printing no longer 
>> works, e.g. Acrobat 5 asks to define a default printer before 
>> proceeding but the control panel wizard refuses to run. Outlook 
>> Express asks to choose a user profile from an empty list and creation 
>> of a new one fails.
>
>
> Looks like symptoms of not being able to read and write to the 
> registry. The user's registry is by default only accessible to them 
> (and probably admins), defined by the SID (I think). Since the rid 
> has changed, you have now prevented all your users from modifying 
> their own registry.
>
>
>> Homes drive mapping no longer works. 
>
>
> Don't know why this would be broken if you fixed the ownership.
>
>> Accounts belonging to Domain Admins group work ok.
>
>
> Since they have rights on their profile, being admins.
>
>>
>> I'm not near the machines ATM, but I suspect it's the primary group 
>> that's @ fault; perhaps it should be Domain Users. Can you confirm 
>> this or is there something worse @ play?
>
>
> I think the problem is that your RIDs have changed. You need to either:
> 1) Delete all the user registries (ntuser.dat in their profile)
> 2) Revert to good backups and undo your uid changes, and reimport your 
> users into LDAP using something besides smbldap tools (i.e. 
> ldap-migration scripts and the samba import script).
>
> You may also want to read the recent ldap article on 
> http://mandrakesecure.net
>
Yes, sounds reasonable. Unfortunately in my previous configuration uids 
were < 1024. I read that in NT these RIDs are reserved so I just ported 
all users to different UIDs >. Grunt! Anyhow, if I rm -rf all ntuser.dat 
files the machines should regenerate so I'll just do that (ah, a new 
meaning to hacking...) Fortunately we're still in preop stage so I can 
allow myself extended periods of chaos ;-) After all this trouble 
though, *NIX setup migration was a breeze... I knew MS would cause 
trouble ;-)

Ciao,
Edo
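Buchan's diagnosis above (the RID changed together with the uid, so the ACL on each user's ntuser.dat now names a SID that no longer belongs to that account) can be checked before a uid remap rather than discovered afterwards. The script below is an added example, not code from this thread or from Samba; it assumes Samba 2.2's default algorithmic mapping of user RID = uid * 2 + 1000 and a classic smbpasswd file, with constructed sample entries.

```python
# Samba 2.2 default algorithmic mapping (assumed; not stated in the thread):
# user RID = uid * 2 + 1000.  Changing a uid therefore changes the user's
# RID and SID, so ACLs on ntuser.dat etc. no longer match the account.
RID_BASE = 1000
RID_MULT = 2

def uid_to_rid(uid):
    """Algorithmic user RID for a POSIX uid under the Samba 2.2 default."""
    return uid * RID_MULT + RID_BASE

def parse_smbpasswd(text):
    """Return {user: uid} from classic smbpasswd lines
    (user:uid:LMHASH:NTHASH:[flags]:LCT-hex:); comments and blanks skipped."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            raise ValueError("malformed smbpasswd line: %r" % line)
        accounts[fields[0]] = int(fields[1])
    return accounts

def rid_changes(old_accounts, new_uids):
    """Map each user whose RID changes to (old_rid, new_rid).
    Users absent from new_uids are assumed to keep their old uid."""
    changes = {}
    for user, old_uid in old_accounts.items():
        old_rid = uid_to_rid(old_uid)
        new_rid = uid_to_rid(new_uids.get(user, old_uid))
        if old_rid != new_rid:
            changes[user] = (old_rid, new_rid)
    return changes

# Constructed sample: old smbpasswd entries with uids below 1024 (hashes
# replaced by X), and the uids the same users received after moving to LDAP.
OLD_SMBPASSWD = """\
edo:501:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-3D7F0000:
anna:502:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-3D7F0000:
root:0:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[U          ]:LCT-3D7F0000:
"""
NEW_UIDS = {"edo": 2001, "anna": 2002}

if __name__ == "__main__":
    for user, (old, new) in sorted(rid_changes(parse_smbpasswd(OLD_SMBPASSWD), NEW_UIDS).items()):
        print("%s: RID %d -> %d; profile/registry ACLs now name a stale SID" % (user, old, new))
```

Any user listed by the script will hit the registry symptoms described in the thread unless their ntuser.dat is removed or their old uid is restored.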
