[Samba] 3.0.4/LDAP/AIX Success! but.....

William Jojo jojowil at hvcc.edu
Mon Aug 2 16:15:12 GMT 2004



I have Samba 3.0.4 with LDAP, *no* winbind running on AIX 5.2.


My workstation joined the domain!!! woohoo! But before I get too excited,
I still have a fundamental issue to overcome. Please read on...


Ok, I know what the following snippet means now!


[2004/08/02 07:53:47, 2] passdb/pdb_ldap.c:init_sam_from_ldap(483)
  init_sam_from_ldap: Entry found for user: CRP4$
[2004/08/02 07:53:47, 4] lib/substitute.c:automount_server(323)
  Home server: hvdev
[2004/08/02 07:53:47, 4] lib/substitute.c:automount_server(323)
  Home server: hvdev
[2004/08/02 07:53:47, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/08/02 07:53:47, 5] rpc_parse/parse_samr.c:init_samr_r_lookup_names(4709)
  init_samr_r_lookup_names
[2004/08/02 07:53:47, 5] rpc_server/srv_samr_nt.c:_samr_lookup_names(1445)
  _samr_lookup_names: 1445
[2004/08/02 07:53:47, 5] rpc_parse/parse_prs.c:prs_debug(82)
  000000 samr_io_r_lookup_names
[2004/08/02 07:53:47, 5] rpc_parse/parse_prs.c:prs_uint32(635)
      0000 num_rids1: 00000000
[2004/08/02 07:53:47, 5] rpc_parse/parse_prs.c:prs_uint32(635)
      0004 ptr_rids : 00000000
[2004/08/02 07:53:47, 5] rpc_parse/parse_prs.c:prs_uint32(635)
      0008 num_types1: 00000000
[2004/08/02 07:53:47, 5] rpc_parse/parse_prs.c:prs_uint32(635)
      000c ptr_types : 00000000
[2004/08/02 07:53:47, 5] rpc_parse/parse_prs.c:prs_ntstatus(665)
      0010 status: NT_STATUS_NONE_MAPPED
[2004/08/02 07:53:47, 5] rpc_server/srv_pipe.c:api_rpcTNP(1575)
  api_rpcTNP: called samr successfully


It means that the SID portion of sambaSID attribute of the machine account
in LDAP did not match the server's (no really, I did it on purpose).


Perhaps I should explain further what I'm trying to do here. I have one
big LDAP server. It has all the posix/samba accounts for everyone on
campus. I've created all the LDAP entries programmatically including the
IDMAP entries.

The idea is to have one LDAP database support up to 7 domains at this
point. There are several operational and political reasons for this number
of domains. I think I understand now that IDMAP only provides consistency
to the uid/gid mappings - NOT a way to make a DC believe that a
machine/user belongs to a domain.

When the sambaSamAccount entry for CRP4$ had its sambaSID value set to an
arbitrary SID value (preserving the algorithmic RID) it refused to join as
shown by the aforementioned log dump. When I altered the entry to be
consistent with the PDC's SID, it joined without batting an eye.

Is there a way to have the workstation join any domain regardless of its
sambaSID value for the sambaSamAccount? Or am I trying to do too much
with one DIT?

The other reason I ask is that we allow users to cross domains with
different roaming profiles preserving the same authentication info from a
single smbpasswd database shared over NFS *today*. In LDAP, this is going
to become much more complicated for me, is it not?

This could be really bad since we have 19306 records in our smbpasswd we'd
like to move to LDAP, but preserve the single password "feature" we've
enjoyed for so long.


If the Samba gurus have any ideas how to overcome this, I would be deeply
grateful. Or, do I owe my server an apology? ;)



Bill
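A check one might run over an LDAP export before migrating accounts, as an added example that is not from the original post or from Samba itself: it flags sambaSamAccount entries whose sambaSID prefix differs from the server's domain SID, the mismatch that produced NT_STATUS_NONE_MAPPED in the log above. The domain SID, DNs and entries are constructed, and the LDIF reader assumes one attribute per line with no continuation lines.

```python
import re

# Constructed sample: the PDC's domain SID and a few sambaSamAccount entries.
# These values are made up for the example, not taken from the post.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

SAMPLE_LDIF = """\
dn: uid=crp4$,ou=Computers,dc=example,dc=edu
uid: crp4$
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3004

dn: uid=lab7$,ou=Computers,dc=example,dc=edu
uid: lab7$
sambaSID: S-1-5-21-9999999999-8888888888-7777777777-3010

dn: uid=jdoe,ou=People,dc=example,dc=edu
uid: jdoe
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-2001
"""

# A domain SID is S-1-5-21-<a>-<b>-<c>; the trailing component is the RID.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid) for a domain-style SID, or raise ValueError."""
    m = SID_RE.match(sid.strip())
    if not m:
        raise ValueError("not a domain SID: %r" % sid)
    return m.group(1), int(m.group(2))


def parse_ldif(text):
    """Minimal LDIF reader (assumption: one attribute per line, no wrapping)."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        key, _, val = line.partition(":")
        cur[key.strip()] = val.strip()
    if cur:
        entries.append(cur)
    return entries


def find_sid_mismatches(ldif_text, domain_sid):
    """List (uid, sid_prefix, rid) for entries whose sambaSID does not
    belong to domain_sid; a DC cannot map such accounts to its own domain."""
    bad = []
    for e in parse_ldif(ldif_text):
        prefix, rid = split_sid(e["sambaSID"])
        if prefix != domain_sid:
            bad.append((e["uid"], prefix, rid))
    return bad
```

Run `find_sid_mismatches(SAMPLE_LDIF, DOMAIN_SID)` against a real export (one domain SID at a time) to see which accounts each DC would refuse before touching the directory.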

