[Samba] Ldap PDC NT4 Redhat 9 domain problems

Syms.MS at forces.gc.ca
Wed Oct 8 18:19:01 GMT 2003


I'm running into some domain problems setting up Windows NT 4.0, Samba 3.0
(from source), OpenLDAP 2.0.27 and RedHat 9.

I can't get a workstation to join the domain: when I attempt to join the
domain from the workstation's add-machine GUI with username and password, I'm
told "The machine account for this computer either does not exist or is
inaccessible" - but the add machine script creates the account successfully
in the ou=Computers container.

From the log files, you can see the machine account script executing just
fine: Samba then attempts to find the newly created machine account and
can't!!

I can access the server through Network Neighbourhood just fine.  My domain
appears and I can log in and mess around with the shares.  The accounts I'm
creating with the idealx perl tools allow me to log in to the unix console
with the posix accounts, and I can see the users and groups with getent & id.

Which brings up two questions:

1/ The standard seems to be to place machine accounts in a separate
ou=Computers/Systems/Machines container, but since the machine name is a
modified user account, how does it find it if it isn't in the
ou=People/users container?

2/ When I use net groupmap to associate RIDs with Posix groups, should
these mappings appear in the ou=Idmap container I've created for them?

Here are the details of my config. Any help would be appreciated.

tks

Scott Syms
Halifax, NS Canada

LDAP ldif file
++++++++++++++++++++++++++++++++++++++++++++++++++++
# bubbles, can, ca
dn: dc=bubbles,dc=can,dc=ca
objectClass: dcObject
objectClass: organization
dc: bubbles
o: gc

# People, bubbles, can, ca
dn: ou=People,dc=bubbles,dc=can,dc=ca
objectClass: organizationalUnit
ou: People

# Groups, bubbles, can, ca
dn: ou=Groups,dc=bubbles,dc=can,dc=ca
objectClass: organizationalUnit
ou: Groups

# Computers, bubbles, can, ca
dn: ou=Computers,dc=bubbles,dc=can,dc=ca
objectClass: organizationalUnit
ou: Computers

# Idmap, bubbles, can, ca
dn: ou=Idmap,dc=bubbles,dc=can,dc=ca
objectClass: organizationalUnit
ou: Idmap

# Administrator, People, bubbles, can, ca
dn: uid=Administrator,ou=People,dc=bubbles,dc=can,dc=ca
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson
objectClass: sambaSAMAccount
objectClass: posixAccount
gidNumber: 0
uid: Administrator
uidNumber: 0
homeDirectory: /root
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\testserver\homes
sambaHomeDrive: U:
sambaProfilePath: \\testserver\profiles\
sambaPrimaryGroupSID: S-1-5-21-1675029196-2412627112-2623540412-512
sambaAcctFlags: [U          ]
sambaSID: S-1-5-21-1675029196-2412627112-2623540412-2996
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaLMPassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sambaPwdLastSet: 1065201832
userPassword:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXX

# nobody, People, bubbles, can, ca
dn: uid=nobody,ou=People,dc=bubbles,dc=can,dc=ca
cn: nobody
sn: nobody
objectClass: inetOrgPerson
objectClass: sambaSAMAccount
objectClass: posixAccount
gidNumber: 514
uid: nobody
uidNumber: 999
homeDirectory: /dev/null
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\testserver\homes
sambaHomeDrive: U:
sambaProfilePath: \\testserver\profiles\
sambaPrimaryGroupSID: S-1-5-21-1675029196-2412627112-2623540412-514
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [NU         ]
sambaSID: S-1-5-21-1675029196-2412627112-2623540412-2998
loginShell: /bin/false

# Domain Admins, Groups, bubbles, can, ca
dn: cn=Domain Admins,ou=Groups,dc=bubbles,dc=can,dc=ca
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: Administrator
description: Local Unix group
sambaSID: S-1-5-21-1675029196-2412627112-2623540412-512
sambaGroupType: 2
displayName: Domain Admins

# Domain Users, Groups, bubbles, can, ca
dn: cn=Domain Users,ou=Groups,dc=bubbles,dc=can,dc=ca
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
description: Local Unix group
sambaSID: S-1-5-21-1675029196-2412627112-2623540412-513
sambaGroupType: 2
displayName: Domain Users

# Domain Guests, Groups, bubbles, can, ca
dn: cn=Domain Guests,ou=Groups,dc=bubbles,dc=can,dc=ca
objectClass: posixGroup
gidNumber: 514
cn: Domain Guests
description: Netbios Domain Guests Users (not implemented yet)

# Administrators, Groups, bubbles, can, ca
dn: cn=Administrators,ou=Groups,dc=bubbles,dc=can,dc=ca
objectClass: posixGroup
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer/sambaDomainName (not implemented yet)
memberUid: Administrator

# Users, Groups, bubbles, can, ca
dn: cn=Users,ou=Groups,dc=bubbles,dc=can,dc=ca
objectClass: posixGroup
gidNumber: 545
cn: Users
description: Netbios Domain Ordinary users (not implemented yet)

# Guests, Groups, bubbles, can, ca
dn: cn=Guests,ou=Groups,dc=bubbles,dc=can,dc=ca
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 546
cn: Guests
memberUid: nobody
description: Local Unix group
sambaSID: S-1-5-21-1675029196-2412627112-2623540412-546
sambaGroupType: 2
displayName: Guests

# Power Users, Groups, bubbles, can, ca
dn: cn=Power Users,ou=Groups,dc=bubbles,dc=can,dc=ca
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 547
cn: Power Users
description: Local Unix group
sambaSID: S-1-5-21-1675029196-2412627112-2623540412-547
sambaGroupType: 2
displayName: Power Users

# Account Operators, Groups, bubbles, can, ca
dn: cn=Account Operators,ou=Groups,dc=bubbles,dc=can,dc=ca
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: Account Operators
description: Local Unix group
sambaSID: S-1-5-21-1675029196-2412627112-2623540412-548
sambaGroupType: 2
displayName: Account Operators

# Server Operators, Groups, bubbles, can, ca
dn: cn=Server Operators,ou=Groups,dc=bubbles,dc=can,dc=ca
objectClass: posixGroup
gidNumber: 549
cn: Server Operators
description: Netbios Domain Server Operators (need smb.conf configuration)

# Print Operators, Groups, bubbles, can, ca
dn: cn=Print Operators,ou=Groups,dc=bubbles,dc=can,dc=ca
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: Print Operators
description: Local Unix group
sambaSID: S-1-5-21-1675029196-2412627112-2623540412-550
sambaGroupType: 2
displayName: Print Operators

# Backup Operators, Groups, bubbles, can, ca
dn: cn=Backup Operators,ou=Groups,dc=bubbles,dc=can,dc=ca
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
description: Local Unix group
sambaSID: S-1-5-21-1675029196-2412627112-2623540412-551
sambaGroupType: 2
displayName: Backup Operators

# Replicator, Groups, bubbles, can, ca
dn: cn=Replicator,ou=Groups,dc=bubbles,dc=can,dc=ca
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicator
description: Local Unix group
sambaSID: S-1-5-21-1675029196-2412627112-2623540412-552
sambaGroupType: 2
displayName: Replicator

# Domain Computers, Groups, bubbles, can, ca
dn: cn=Domain Computers,ou=Groups,dc=bubbles,dc=can,dc=ca
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 553
cn: Domain Computers
description: Local Unix group
sambaSID: S-1-5-21-1675029196-2412627112-2623540412-515
sambaGroupType: 2
displayName: Domain Computers

# CANDOMAIN, bubbles, can, ca
dn: sambaDomainName=CANDOMAIN,dc=bubbles,dc=can,dc=ca
sambaDomainName: CANDOMAIN
sambaSID: S-1-5-21-1675029196-2412627112-2623540412
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain


smb.conf file
++++++++++++++++++++++++++++++++++++++++++++++++++++
[global]
	workgroup = CANDOMAIN
	netbios name = TESTSERVER
	server string = Samba 3.0 ldapsam
	passdb backend = ldapsam:ldap://192.200.10.101
	log level = 100
	max xmit = 65535
	deadtime = 15
	add user script = /usr/sbin/smbldap-useradd.pl -a '%u'
	delete user script = /usr/sbin/smbldap-userdel.pl '%u'
	add group script = /usr/sbin/smbldap-groupadd '%g' && /usr/sbin/smbldap-groupshow.pl '%g'|awk '/^gidNumber:/ {print $2}'
	delete group script = /usr/sbin/smbldap-userdel.pl '%g'
	add user to group script = /usr/sbin/smbldap-groupmod.pl -m '%u' '%g'
	delete user from group script = /usr/sbin/smbldap-groupmod.pl -x '%u' '%g'
	set primary group script = /usr/sbin/smbldap-usermod.pl -g '%g' '%u'
	add machine script = /usr/sbin/smbldap-useradd.pl -w '%u'
	logon script = wkix32.exe
	logon path = \\%N\profiles\%u
	logon drive = L:
	logon home = \\homeserver\%u
	domain logons = Yes
	os level = 50
	preferred master = Yes
	domain master = Yes
	dns proxy = No
	ldap server = 192.200.10.101
	ldap port = 389
	ldap suffix = dc=bubbles,dc=can,dc=ca
	ldap user suffix = ou=People
	ldap group suffix = ou=Groups
	ldap idmap suffix = ou=Idmap
	ldap machine suffix = ou=Computers
	ldap admin dn = cn=ldapadmin,dc=bubbles,dc=can,dc=ca
	ldap ssl = start tls
	idmap backend = ldapsam:ldap://192.200.10.101
	idmap uid = 10000-20000
	idmap gid = 10000-20000

[netlogon]
	path = /usr/local/samba/lib/netlogon
	write list = Administrator

[profiles]
	path = /home/profiles
	read only = No
	create mask = 0600
	directory mask = 070

[homes]
	comment = Home directory
	read only = No

[webfiles]
	path = /usr/local/apache/htdocs

Script to build the Group mappings
++++++++++++++++++++++++++++++++++++++++++++++++++++
#!/bin/bash
# One 'net groupmap add' per line; the domain SID is read from 'net getlocalsid'
net groupmap add sid=`net getlocalsid|awk '{print $6}'`-512 unixgroup="Domain Admins" type=domain
net groupmap add sid=`net getlocalsid|awk '{print $6}'`-513 unixgroup="Domain Users" type=domain
net groupmap add sid=`net getlocalsid|awk '{print $6}'`-514 unixgroup="Domain Guest" type=domain
net groupmap add sid=`net getlocalsid|awk '{print $6}'`-515 unixgroup="Domain Computers" type=domain
net groupmap add sid=`net getlocalsid|awk '{print $6}'`-516 unixgroup="Domain Controllers" type=domain
net groupmap add sid=`net getlocalsid|awk '{print $6}'`-517 unixgroup="Domain Certificate Admins" type=domain
net groupmap add sid=`net getlocalsid|awk '{print $6}'`-518 unixgroup="Domain Schema Admins" type=domain
net groupmap add sid=`net getlocalsid|awk '{print $6}'`-519 unixgroup="Domain Domain Enterprise Admins" type=domain
net groupmap add sid=`net getlocalsid|awk '{print $6}'`-520 unixgroup="Domain Policy Admins" type=domain
net groupmap add sid=`net getlocalsid|awk '{print $6}'`-544 unixgroup="Admins" type=domain
net groupmap add sid=`net getlocalsid|awk '{print $6}'`-545 unixgroup="users" type=domain
net groupmap add sid=`net getlocalsid|awk '{print $6}'`-546 unixgroup="Guests" type=domain
net groupmap add sid=`net getlocalsid|awk '{print $6}'`-547 unixgroup="Power Users" type=domain
net groupmap add sid=`net getlocalsid|awk '{print $6}'`-548 unixgroup="Account Operators" type=domain
net groupmap add sid=`net getlocalsid|awk '{print $6}'`-549 unixgroup="System Operators" type=domain
net groupmap add sid=`net getlocalsid|awk '{print $6}'`-550 unixgroup="Print Operators" type=domain
net groupmap add sid=`net getlocalsid|awk '{print $6}'`-551 unixgroup="Backup Operators" type=domain
net groupmap add sid=`net getlocalsid|awk '{print $6}'`-552 unixgroup="Replicator" type=domain
net groupmap add sid=`net getlocalsid|awk '{print $6}'`-553 unixgroup="RAS Servers" type=domain
