[Samba] 3.0.4/LDAP/AIX Success! but.....

Tarjei Huse tarjei at nu.no
Tue Aug 3 14:19:24 GMT 2004


On Mon, 2004-08-02 at 18:15, William Jojo wrote:
> I have Samba 3.0.4 with LDAP, *no* winbind running on AIX 5.2.
> 
> 
> My workstation joined the domain!!! woohoo! But before I get too excited,
> I still have a fundamental issue to overcome. Please read on...
> 
> 
> Ok, I know what the following snippet means now!
> 
> 
> [2004/08/02 07:53:47, 2] passdb/pdb_ldap.c:init_sam_from_ldap(483)
>   init_sam_from_ldap: Entry found for user: CRP4$
> [2004/08/02 07:53:47, 4] lib/substitute.c:automount_server(323)
>   Home server: hvdev
> [2004/08/02 07:53:47, 4] lib/substitute.c:automount_server(323)
>   Home server: hvdev
> [2004/08/02 07:53:47, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2004/08/02 07:53:47, 5] rpc_parse/parse_samr.c:init_samr_r_lookup_names(4709)
>   init_samr_r_lookup_names
> [2004/08/02 07:53:47, 5] rpc_server/srv_samr_nt.c:_samr_lookup_names(1445)
>   _samr_lookup_names: 1445
> [2004/08/02 07:53:47, 5] rpc_parse/parse_prs.c:prs_debug(82)
>   000000 samr_io_r_lookup_names
> [2004/08/02 07:53:47, 5] rpc_parse/parse_prs.c:prs_uint32(635)
>       0000 num_rids1: 00000000
> [2004/08/02 07:53:47, 5] rpc_parse/parse_prs.c:prs_uint32(635)
>       0004 ptr_rids : 00000000
> [2004/08/02 07:53:47, 5] rpc_parse/parse_prs.c:prs_uint32(635)
>       0008 num_types1: 00000000
> [2004/08/02 07:53:47, 5] rpc_parse/parse_prs.c:prs_uint32(635)
>       000c ptr_types : 00000000
> [2004/08/02 07:53:47, 5] rpc_parse/parse_prs.c:prs_ntstatus(665)
>       0010 status: NT_STATUS_NONE_MAPPED
> [2004/08/02 07:53:47, 5] rpc_server/srv_pipe.c:api_rpcTNP(1575)
>   api_rpcTNP: called samr successfully
> 
> 
> It means that the SID portion of the sambaSID attribute of the machine account
> in LDAP did not match the server's (no really, I did it on purpose).
> 
> 
> Perhaps I should explain further what I'm trying to do here. I have one
> big LDAP server. It has all the posix/samba accounts for everyone on
> campus. I've created all the LDAP entries programmatically including the
> IDMAP entries.
> 
> The idea is to have one LDAP database support up to 7 domains at this
> point. There are several operational and political reasons for this number
> of domains. I think I understand now that IDMAP only provides consistency
> to the uid/gid mappings - NOT a way to make a DC believe that a
> machine/user belongs to a domain.
> 
> When the sambaSamAccount entry for CRP4$ had its sambaSID value set to an
> arbitrary SID value (preserving the algorithmic RID) it refused to join as
> shown by the aforementioned log dump. When I altered the entry to be
> consistent with the PDC's SID, it joined without batting an eye.
> 
> Is there a way to have the workstation join any domain regardless of its
> sambaSID value for the sambaSamAccount? Or am I trying to do too much
> with one DIT?
> 
> The other reason I ask is that we allow users to cross domains with
> different roaming profiles preserving the same authentication info from a
> single smbpasswd database shared over NFS *today*. In LDAP, this is going
> to become much more complicated for me, is it not?
> 
> This could be really bad since we have 19306 records in our smbpasswd we'd
> like to move to LDAP, but preserve the single password "feature" we've
> enjoyed for so long.
> 
> 
> If the Samba gurus have any ideas how to overcome this, I would be deeply
> grateful. Or, do I owe my server an apology? ;)

Hmm, what about solving this with domain trusts?

I'm not sure if that would work, but it might.
Tarjei

> 
> 
> 
> Bill
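The failure Bill describes (a sambaSamAccount whose sambaSID carries a different domain prefix than the PDC, so the SAMR name lookup comes back NT_STATUS_NONE_MAPPED) is easy to catch before a bulk migration. The script below is an added example, not code from this thread or from the Samba project: it parses a small LDIF export (constructed here), splits each sambaSID into its domain part and RID, and flags entries whose domain part does not match the domain SID or whose RID is not the algorithmic one for the entry's uidNumber. The domain SID and the account entries are made up; the RID formula assumes Samba's default `algorithmic rid base` of 1000 (user RID = 2 * uid + base).

```python
import re
from typing import Dict, List, Tuple

# Textual SID: S-1-<authority>-<subauth>[-<subauth>...]
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def split_sid(sid: str) -> Tuple[str, int]:
    """Split a SID into (domain part, RID); the RID is the last sub-authority."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    domain_part, _, rid = sid.rpartition("-")
    return domain_part, int(rid)


def algorithmic_user_rid(uid_number: int, rid_base: int = 1000) -> int:
    """Samba's default algorithmic user RID (assumes 'algorithmic rid base = 1000')."""
    return uid_number * 2 + rid_base


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, attr: value per line.
    Multi-valued attributes are kept as lists; base64 and folded lines are not handled."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def audit_sam_accounts(domain_sid: str, entries: List[Dict[str, List[str]]]) -> List[str]:
    """Return one finding per entry whose sambaSID would not resolve in this domain."""
    findings: List[str] = []
    for entry in entries:
        name = entry.get("uid", ["<no uid>"])[0]
        sids = entry.get("sambaSID", [])
        if not sids:
            findings.append(f"{name}: no sambaSID attribute")
            continue
        try:
            dom, rid = split_sid(sids[0])
        except ValueError as exc:
            findings.append(f"{name}: {exc}")
            continue
        if dom != domain_sid:
            # This is the CRP4$ case: lookup_names cannot map the SID to this domain.
            findings.append(
                f"{name}: sambaSID domain part {dom} != {domain_sid} "
                "(SAMR lookup would return NT_STATUS_NONE_MAPPED)"
            )
        uid_numbers = entry.get("uidNumber")
        if uid_numbers:
            expected = algorithmic_user_rid(int(uid_numbers[0]))
            if rid != expected:
                findings.append(
                    f"{name}: RID {rid} is not the algorithmic RID {expected} for uidNumber {uid_numbers[0]}"
                )
    return findings


# Constructed sample data: a domain SID and two machine accounts. CRP4$ keeps the
# algorithmic RID (uidNumber 10 -> 1020) but carries a foreign domain prefix.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

SAMPLE_LDIF = """\
dn: uid=CRP4$,ou=Computers,dc=example,dc=edu
uid: CRP4$
uidNumber: 10
sambaSID: S-1-5-21-4444444444-5555555555-6666666666-1020

dn: uid=CRP5$,ou=Computers,dc=example,dc=edu
uid: CRP5$
uidNumber: 11
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1022
"""


def run_sample_audit() -> List[str]:
    return audit_sam_accounts(DOMAIN_SID, parse_ldif(SAMPLE_LDIF))


if __name__ == "__main__":
    for finding in run_sample_audit():
        print(finding)
```

Point the script at an `ldapsearch -LLL` export and the `sambaSID` of your `sambaDomain` object instead of the constructed values; every line it prints is an account that the PDC will refuse exactly the way the quoted log shows.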


