[Samba] It would seem to be simple but it's got me scratching my head

Craig White craigwhite at azapple.com
Thu Dec 18 07:02:03 GMT 2003

I am so honored that you took the time to help - now that I finally
slurped it and got it all configured - even on self-generated
certificates - LDAPS - this has been the experience that I really feel
as though each lesson was learned after hours of head-banging.

Comments interspersed...

On Wed, 2003-12-17 at 23:09, John H Terpstra wrote:
> Craig,
> A few pointers might help you. I had to sweat my way through this stuff so
> I can document it for my new book. This gave me one of those rare moments
> when I started with totally clean systems and set everything up on an
> isolated network. A real tease!
> 1. Beware of the ldap.conf file that has:
> 	nss_base_group          ou=Group,dc=abmas,dc=biz?one
> when it should be:
>         nss_base_group          ou=Groups,dc=abmas,dc=biz?one
> That extra "s" caught me too. It's only one character though! :)
I was ok on that one - seems as though I luckily found the right
instructions on this - but of course the smbldap_conf.pm - it was like
looking for a needle in a haystack.
> 2. Do not use the "Computers" container for machine accounts. It breaks.
> You can totally avoid the problem by just using the "People" container.
> There is apparently a Samba/LDAP search bug there. Jerry did warn me, but
> I had to prove it for myself! :(
> The symptom of the bug is that Samba (LDAP) can not find the trust account
> for the workstation (same for BDCs).
I know that you just saved me some large amounts of agony here. Thanks
- of course, one of the reasons that I went this route was to simplify
the user account management for the client - so they didn't have to
create a mail account on the mail server, a Windows account on the
Windows server and a Macintosh account on the Macintosh server. I liked
the idea that these would filter out as Computer accounts but c'est la
> 3. Current CVS (and 3.0.1) has apparently a bug that prevents
> Workstations from logging onto the domain for the first time. I
> down-graded to CVS December 1st, and I could log on. Then I updated to
> current CVS and it works fine. This bug bites only when a machine first
> joins the domain. Rejoins work fine.
This client is on Red Hat AS 3 - experimenting with CVS isn't something
I really want to do here. Not that the 24-48 hour turnaround on all but
basic tech support is that desirable - but it is an assurance for the
client. I didn't dare to tell him how little about LDAP I understood
before I started this venture. I think I've learned a lot about LDAP the
last 5 days. I'm just hoping that it remains in this 50 year old brain.
> 4. As for the vampire process - make sure that the back-end you use can
> create accounts that have spaces and/or upper-case characters in the name.
> If your backend can't handle this you must create a work-around that
> intercepts the illegal name and mangles it to something that is legal for
> the underlying backend.
> I hope these comments prove a little helpful - if not too late.
I had both spaces and Upper case characters in users in WinNT Domain -
bad habits learned from Macintosh days - I've reformed and they did
actually import with the vampire - the warning about
SAM_DELTA_DOMAIN_INFO not handled - just when you think you finally
struck gold, there's a message that steals all of the confidence and
satisfaction away. I don't dare promote this machine to PDC until the

Anyway - you samba developers are entirely awesome. 

To lakshmi priya <lpriya at vit.ac.in> who wanted to know if it works and
how it works - the only way to make it work is to do it. It's fairly
trivial to set up Samba to be a Windows NT PDC in a new domain using
local accounts.

Yes, it probably took me a good 30 hours to set up LDAP / certificates /
'migrate' the user/group/services/etc data from Linux server / join the
Windows domain and 'migrate' the Windows user/group/services/etc data
from the Windows domain and throw in tackling issues such as ssh login
with LDAP backends, nsswitch, but I actually get it now - there ain't no
education or reading that's gonna teach you like actually doing it.

I would suppose that in another year or two, there will be some more
sophisticated tools to handle these types of migrations but the
experience will ultimately prove to be valuable.
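Added example for John's point 1 above (the ou=Group / ou=Groups typo). This is
not code from the thread, from Samba or from nss_ldap: it is a small Python
checker that parses the nss_base_* directives of an ldap.conf, pulls every dn:
out of an LDIF dump of the directory (the kind ldapsearch or slapcat prints)
and reports any base DN that the directory does not actually contain, so a
one-character mismatch shows up before nss_ldap silently returns no groups.
The ldap.conf fragment and the LDIF below are constructed for the example;
treating a missing "?scope" as "sub" is an assumption about nss_ldap's default.

```python
import base64

# Constructed ldap.conf fragment in nss_ldap/pam_ldap syntax (not from the
# thread); the "ou=Group" one-character typo is deliberately present.
SAMPLE_LDAP_CONF = """\
base dc=abmas,dc=biz
uri ldaps://ldap.abmas.biz/
ssl on
# nss_base_<map>  <base DN>?<scope>?<filter>
nss_base_passwd   ou=People,dc=abmas,dc=biz?one
nss_base_shadow   ou=People,dc=abmas,dc=biz?one
nss_base_group    ou=Group,dc=abmas,dc=biz?one
"""

# Constructed LDIF, the shape `ldapsearch -x -b dc=abmas,dc=biz -s one dn`
# prints: the directory actually has ou=Groups. One dn is folded over two
# lines and one is in the base64 "dn::" form ldapsearch uses for values it
# will not print as-is (here it decodes to ou=Computers,dc=abmas,dc=biz).
SAMPLE_LDIF = """\
dn: dc=abmas,dc=biz
objectClass: dcObject

dn: ou=People,dc=abmas,dc=biz
objectClass: organizationalUnit

dn: ou=Groups, dc=abmas,
 dc=biz
objectClass: organizationalUnit

dn:: b3U9Q29tcHV0ZXJzLGRjPWFibWFzLGRjPWJpeg==
objectClass: organizationalUnit
"""


def normalize_dn(dn: str) -> str:
    """Canonical form for comparison: attribute types and the ou/dc values
    we care about are case-insensitive, and spaces around the commas that
    separate RDNs are not significant."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_nss_bases(conf_text: str) -> dict:
    """Return {directive: (base_dn, scope)} for every nss_base_* line."""
    bases = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or not parts[0].startswith("nss_base_"):
            continue
        dn, _, rest = parts[1].partition("?")
        scope = rest.split("?", 1)[0].strip() or "sub"  # assumed default scope
        bases[parts[0]] = (dn.strip(), scope)
    return bases


def parse_ldif_dns(ldif_text: str) -> set:
    """Collect every dn in an LDIF dump as a normalized string, unfolding
    continuation lines (leading space) and decoding base64 'dn::' values."""
    unfolded = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    dns = set()
    for line in unfolded:
        if line.startswith("dn::"):
            decoded = base64.b64decode(line[4:].strip()).decode("utf-8")
            dns.add(normalize_dn(decoded))
        elif line.startswith("dn:"):
            dns.add(normalize_dn(line[3:].strip()))
    return dns


def check_nss_bases(conf_text: str, ldif_text: str) -> list:
    """Return [(directive, base_dn)] for every nss_base_* whose DN is not an
    entry in the directory dump; an empty list means all bases resolve."""
    present = parse_ldif_dns(ldif_text)
    return [(key, dn)
            for key, (dn, _scope) in parse_nss_bases(conf_text).items()
            if normalize_dn(dn) not in present]


if __name__ == "__main__":
    missing = check_nss_bases(SAMPLE_LDAP_CONF, SAMPLE_LDIF)
    for key, dn in missing:
        print(f"{key}: base {dn} does not exist in the directory")
    if not missing:
        print("all nss_base_* DNs exist")
```

Run it against your own ldap.conf and an `ldapsearch -x -b <suffix> dn` dump;
the same comparison is worth repeating for the suffixes in smb.conf and
smbldap_conf.pm, since all three must agree on the container names.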


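Added example for John's point 4 above (NT account names with spaces or
upper-case characters that a POSIX backend cannot take). It is not Samba's,
smbldap-tools' or the poster's code: a deterministic Python mangler that maps
each NT name onto a name a strict backend accepts, keeps the trailing '$' of
machine trust accounts, and gives two NT names that collide after mangling a
numeric suffix instead of silently merging them. The accepted-name pattern,
the 31-character limit and the sample account list are assumptions; adapt the
pattern to what your backend's useradd or smbldap-useradd actually enforces.

```python
import re

# Constructed sample of NT account names as "net rpc vampire" might deliver
# them (assumed names, not from the thread). "Craig_White" is there to force
# a collision with "Craig White" once both are mangled.
SAMPLE_NT_NAMES = [
    "Craig White",
    "Craig_White",
    "Lakshmi Priya",
    "WS01$",
    "Backup Server$",
    "123start",
    "craig.white",
]

# What a conservative POSIX backend accepts (assumption): a lowercase letter
# or underscore, then lowercase letters, digits, '_' or '-', 31 characters at
# most, plus an optional trailing '$' for machine trust accounts.
POSIX_NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,30}\$?$")
MAX_CORE_LEN = 31


def is_legal_posix_name(name: str) -> bool:
    """True if the backend would accept this name unchanged."""
    return POSIX_NAME_RE.match(name) is not None


def mangle_nt_name(name: str) -> str:
    """Deterministically map one NT name onto a legal POSIX name.

    Runs of whitespace become one underscore, everything is lowercased,
    characters outside the legal set are dropped, a leading digit (or an
    empty result) gets a 'u_' prefix, the name is cut to MAX_CORE_LEN and
    the trailing '$' of a machine trust account survives.
    """
    machine = name.endswith("$")
    core = name[:-1] if machine else name
    core = re.sub(r"\s+", "_", core.strip().lower())
    core = re.sub(r"[^a-z0-9_-]", "", core)
    if not core or not re.match(r"[a-z_]", core[0]):
        core = "u_" + core
    core = core[:MAX_CORE_LEN]
    return core + "$" if machine else core


def build_name_map(nt_names) -> dict:
    """Map every NT name to a unique legal POSIX name.

    Two distinct NT names that mangle to the same string get _2, _3, ...
    appended (before the '$' for machine accounts) so no account is merged
    into another during the import; the result is the lookup table a
    vampire wrapper would consult before calling the backend.
    """
    mapping, used = {}, set()
    for nt in nt_names:
        if nt in mapping:
            continue
        base = mangle_nt_name(nt)
        machine = base.endswith("$")
        core = base[:-1] if machine else base
        candidate, n = base, 1
        while candidate in used:
            n += 1
            suffix = f"_{n}"
            candidate = core[:MAX_CORE_LEN - len(suffix)] + suffix
            if machine:
                candidate += "$"
        mapping[nt] = candidate
        used.add(candidate)
    return mapping


if __name__ == "__main__":
    for nt, posix in build_name_map(SAMPLE_NT_NAMES).items():
        note = "" if is_legal_posix_name(nt) else "  (mangled)"
        print(f"{nt!r:20} -> {posix}{note}")
```

Keep the resulting map: the mangled name is what ends up in uid/sambaSAMAccount
entries, and you will want the original NT name beside it when users ask why
their login changed.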
