[Samba] LDAP PDC problems
Edoardo Causarano
edoardocausarano at tin.it
Thu Sep 12 22:23:01 GMT 2002
Buchan Milne wrote:
>> Message: 11
>> Date: Thu, 12 Sep 2002 15:15:30 +0200
>> From: Edoardo Causarano <edoardocausarano at tin.it>
>> To: samba at lists.samba.org
>> Subject: [Samba] LDAP PDC problems
>>
>> Hello there,
>>
>> I'm running 2.2.5 compiled with ACL and LDAP auth. The PDC used to
>> work flawlessly using smbpasswd but I want to dual boot the
>> workstations to Linux so I need a centralized LDAP authentication
>> repository.
>>
>> Once I reinstalled the LDAPized samba I started populating the
>> directory with the "well-known" identities using the smbldap tools
>
>
> There are better ways of doing this, since AFAICT, the smbldap tools
> are best suited for setting up from scratch.
>
> You could have used the migration tools to migrate your existing
> passwd/group/shadow info into LDAP. On Mandrake the scripts are in the
> openldap-migration package.
>
> Then, you should use the import script in the samba source:
> examples/LDAP/import_smbpasswd.pl
> to import the samba accounts from smbpasswd. You should now have all
> the info you had before.
>
> I still have some issues with smbldap tools (doesn't set
> objectClass=person, defaults to hard-coding the profile and login
> script, which kind of defeats the purpose of using LDAP and samba, so
> they need to be manually removed etc), but haven't gotten around to
> trying to fix them.
>
>> (bear in mind I'm more of a UNIX guy so these MSisms are a bit of a black
>> magic to me). Following that I started using smbldap-useradd to insert the
>> users in the domain, chowning their homes to the new UNIX uids and
>> while I was at it, moved the profiles to a separate place in the
>> filesystem (the profile used to be in unix HOME; worked fine but docs
>> said it gives problems so I followed instructions).
>>
>> The situation is as follows:
>> Users no longer have unix private group, their primary group is 100
>> (Users) which is default in those tools and logon to the NT4 machines
>> is ok and attribute mapping is fully turned on (hoped this would cure
>> the sync briefcase becoming a regular dir after roaming
>> logoff/login). File/Directory masks are all 0777.
>>
>> I'm experiencing many problems with this configuration so please give
>> me some hints (documentation pointers if necessary): MS Office keeps
>> popping up the registration initials/username window as if it had
>> been run for the first time (often locking up). Printing no longer
>> works, e.g. Acrobat 5 asks to define a default printer before
>> proceeding but the control panel wizard refuses to run. Outlook
>> Express asks to choose a user profile from an empty list and creation
>> of a new one fails.
>
>
> Looks like symptoms of not being able to read and write to the
> registry. The user's registry is by default only accessible to them
> (and probably admins), defined by the SID (I think). Since the rid
> has changed, you have now prevented all your users from modifying
> their own registry.
>
>
>> Homes drive mapping no longer works.
>
>
> Don't know why this would be broken if you fixed the ownership.
>
>> Accounts belonging to Domain Admins group work ok.
>
>
> Since they have rights on their profile, being admins.
>
>>
>> I'm not near the machines ATM, but I suspect it's the primary group
>> that's @ fault; perhaps it should be Domain Users. Can you confirm
>> this or is there something worse @ play?
>
>
> I think the problem is that your RIDs have changed. You need to either:
> 1) Delete all the user registries (ntuser.dat in their profile)
> 2) Revert to good backups and undo your uid changes, and reimport your
> users into LDAP using something besides smbldap tools (i.e.
> ldap-migration scripts and the samba import script).
>
> You may also want to read the recent ldap article on
> http://mandrakesecure.net
>
Yes, sounds reasonable. Unfortunately in my previous configuration uids
were < 1024. I read that in NT these RIDs are reserved so I just ported
all users to different UIDs >. Grunt! Anyhow, if I rm -rf all ntuser.dat
files the machines should regenerate so I'll just do that (ah, a new
meaning to hacking...) Fortunately we're still in preop stage so I can
allow myself extended periods of chaos ;-) After all this trouble
though, *NIX setup migration was a breeze... I knew MS would cause
trouble ;-)
Ciao,
Edo
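Buchan's diagnosis above, that renumbering the uids changed the RIDs and therefore the SIDs the profile and ntuser.dat ACLs were written with, can be checked against the directory before deleting anything. The script below is an added example, not part of this thread or of Samba itself; it assumes Samba 2.2's default algorithmic mapping (user RID = uid*2 + 1000), a placeholder domain SID, and constructed passwd and LDIF samples.

```python
# Added example: audit which accounts' Windows SIDs changed when their uids
# were renumbered, using Samba 2.2's algorithmic mapping rid = uid*2 + 1000.
DOMAIN_SID = "S-1-5-21-1111-2222-3333"   # constructed placeholder domain SID

# Constructed sample data: old passwd lines and the new LDAP entries as LDIF.
OLD_PASSWD = """edo:x:505:505:Edo:/home/edo:/bin/bash
alice:x:506:506:Alice:/home/alice:/bin/bash"""
NEW_LDIF = """dn: uid=edo,ou=People,dc=example,dc=org
objectClass: sambaAccount
uid: edo
uidNumber: 505
rid: 2010

dn: uid=alice,ou=People,dc=example,dc=org
objectClass: sambaAccount
uid: alice
uidNumber: 1006
rid: 2012"""

def uid_to_rid(uid):
    return uid * 2 + 1000            # Samba 2.2 default user RID formula

def user_sid(uid):
    return "%s-%d" % (DOMAIN_SID, uid_to_rid(uid))

def parse_passwd(text):              # login -> uid from passwd(5) lines
    return {f[0]: int(f[2]) for f in (l.split(":") for l in text.splitlines())}

def parse_ldif(text):                # one {attribute: [values]} dict per entry
    entries = []
    for block in text.split("\n\n"):
        entry = {}
        for attr, _, value in (l.partition(":") for l in block.splitlines()):
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def audit(old_passwd, new_ldif):
    """{login: [problems]} for sambaAccount entries whose stored rid disagrees
    with the formula, or whose SID differs from the one the old uid produced."""
    old, findings = parse_passwd(old_passwd), {}
    for e in parse_ldif(new_ldif):
        if "sambaAccount" not in e.get("objectClass", []):
            continue
        login, uid, problems = e["uid"][0], int(e["uidNumber"][0]), []
        if int(e["rid"][0]) != uid_to_rid(uid):
            problems.append("rid %s != expected %d" % (e["rid"][0], uid_to_rid(uid)))
        if login in old and old[login] != uid:   # profile ACLs still name the old SID
            problems.append("SID %s -> %s" % (user_sid(old[login]), user_sid(uid)))
        if problems:
            findings[login] = problems
    return findings
```

Every login the audit reports is one whose ntuser.dat will be inaccessible to the user under the new SID; logins it does not report kept their SID and need no profile reset.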