[Samba] Samba 3.0 PDC+LDAP Help in Fedora Core 1

Kent L. Nasveschuk kent at wareham.k12.ma.us
Sat Jan 10 19:49:54 GMT 2004


Hello,

I originally ran into this problem when trying to use "administrator"
mapped to root account. I finally settled on using root user in LDAP.
Everything works for joining W2k and XP clients to the domain.

LDAP entry for uid=root :

sn: root
objectClass: inetOrgPerson
objectClass: sambaSAMAccount
objectClass: posixAccount
gidNumber: 0
uid: root
uidNumber: 0
sambaPwdLastSet: 1068914615
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 1068914615
sambaPwdMustChange: 2147483647
sambaHomePath: \\whs1\root
sambaHomeDrive: H:
sambaLMPassword: E3B4E05BE6A182C9E13B8B8F6853DCAC
sambaNTPassword: F4858C7E53BB628AE91E0TE9DB6CD467
sambaAcctFlags: [U          ]
sambaSID: S-1-5-21-1129281578-1295143107-3311307472-1000
loginShell: /bin/bash
gecos: Netbios root user
homeDirectory: /root
userPassword:: e1NNRDV9RmhIS2VJWnpFdkxpMG5PYTAzK3BKbWNRWDFVPQ==
sambaPrimaryGroupSID: S-1-5-21-1129281578-1295143107-3311307472-512

Running net groupmap list on PDC among other mappings I get:

...
domain_admins (S-1-5-21-1129281578-1295143107-3311307472-512) -> root
computers (S-1-5-21-1129281578-1295143107-3311307472-515) -> dcomputers
domain_users (S-1-5-21-1129281578-1295143107-3311307472-513) -> dusers
...

In /etc/group :
...
root:x:0:root
dusers:x:500:
domadmins:x:501:
dcomputers:x:502:
...


Applicable line in smb.conf :

add machine script = /usr/local/samba/bin/smbpasswd -a -m %u

This root account works to join machines to the domain. The machine accounts need
to be in /etc/passwd also.

ex:
useradd -d /dev/null -s /bin/false -m -c "Computer" whs-0106$

Now I can join computer "whs-0106" to the domain with user root when I right
click on "My Computer".

LDAP entry for workstation "whs-0106"

dn: uid=whs-0106$,ou=Computers,dc=tow,dc=net
uid: whs-0106$
sambaSID: S-1-5-21-1129281578-1295143107-3311307472-3942
sambaPrimaryGroupSID: S-1-5-21-1129281578-1295143107-3311307472-515
displayName: WHS-0106$
sambaAcctFlags: [W          ]
objectClass: sambaSamAccount
objectClass: account
sambaPwdCanChange: 1071606889
sambaPwdMustChange: 2147483647
sambaLMPassword: D1921171A5BFAAEE0B4786D995AB9B91
sambaNTPassword: D1921171A5BFAAEE0B4786D995AB9B91
sambaPwdLastSet: 1071606889

It's been suggested, by John Terpstra I believe, to put machine accounts
and users into one container object in LDAP due to a problem with
searching for computers. I haven't had any problems with this; in fact
I'm experimenting with dividing the domain into logical groups, by
building in my case.

ex. :

ou=HighSchool,dc=tow,dc=net
ou=Users,ou=HighSchool,dc=tow,dc=net
ou=Computers,ou=HighSchool,dc=tow,dc=net

ou=MinotElementarySchool,dc=tow,dc=net
ou=Users,ou=MinotElementarySchool,dc=tow,dc=net
ou=Computers,ou=MinotElementarySchool,dc=tow,dc=net

ou=DecasElementarySchool,dc=tow,dc=net
ou=Users,ou=DecasElementarySchool,dc=tow,dc=net
ou=Computers,ou=DecasElementarySchool,dc=tow,dc=net

Anyway, this is beyond what you asked but I was on a roll. Hope this
helps.



On Fri, 2004-01-09 at 15:08, Jason P Holland wrote:
> Hello,
> 
> I am hoping someone will offer some help.  I'm currently trying to setup a
> samba 3 PDC with LDAP authentication backend in Fedora core 1.  I've read
> loads of documentation, including
> 
> http://www.hilinski.net/samba/ldap_PDC_samba.doc
> http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html
> http://samba.idealx.org/samba-ldap-howto.pdf
> 
> As well as tons of posts in the mailing list archives, but I still cannot
> get this combination to work.
> 
> As for the setup, I've installed Openldap 2.1.22, Samba 3.0.0,
> smbldap-tools-0.8.2.  I've run smbpasswd -w to add my slapd.conf password
> to the secrets.tdb file.  I've setup smbldap_conf.pl with my correct SID
> and ldap dn.  I've populated my ldap database using smbldap-populate.pl,
> everything shows up correctly.  I've gone in to the ldap db and fixed
> roots uid and gid as well as its sambaSID so that it can act as
> administrator.  As far as I can tell, its setup correctly.
> 
> However, when I go to join a W2k Workstation client, I get "The user name
> could not be found.".  That's using the root-testing combination from my config
> files.  Samba does automatically create the machine account, that looks
> fine.  But it refuses to join the machine.  Yes, I'm aware of the registry
> hack for XP,W2K machines, and that has also been changed.
> 
> 
> The weird thing is from that client, who I cannot join, I can view shares
> on the PDC using root-testing user pass combination, so I know the
> authentication is working correctly through ldap.  So what does that
> user name not found error really mean?
> 
> Does anyone see anything obviously wrong in my config files that would
> cause this?  I've cut them into the post below.  I would appreciate any
> help as I'm just tired of reading and just can't seem to get past adding
> a machine.  Thanks for any help...
> 
> Jason
> 
> 
> --- begin ldap.conf ----
> 
> HOST 127.0.0.1
> BASE dc=test,dc=edu
> 
> ---- end ldap.conf ----
> 
> 
> --- begin slapd.conf ----
> 
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/samba.schema
> 
> pidfile /var/run/slapd.pid
> argsfile /var/run/slapd.args
> database bdb
> suffix "dc=test,dc=edu"
> rootdn "cn=root,dc=test,dc=edu"
> rootpw testing
> 
> directory /var/lib/ldap
> index objectClass eq
> index cn pres,sub,eq
> index sn pres,sub,eq
> index uid pres,sub,eq
> index displayName pres,sub,eq
> index uidNumber eq
> index gidNumber eq
> index memberUid eq
> index sambaSID eq
> index sambaPrimaryGroupSID eq
> index sambaDomainName eq
> index default sub
> 
> ---- end slapd.conf ----
> 
> 
> ---- begin smb.conf ----
> [global]
> passdb backend = ldapsam
> ldap suffix = "dc=test,dc=edu"
> ldap machine suffix = ou=Computers
> ldap user suffix = ou=Users
> ldap group suffix = ou=Groups
> ldap admin dn = "cn=root,dc=test,dc=edu"
> ldap ssl = no
> idmap backend = ldap:ldap://127.0.0.1
> passwd chat debug = Yes
> passwd program =/usr/local/sbin/smbldap-passwd.pl -o %u
> passwd chat = *new*password* %n\n *new*password:* %n\ *successfully*
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

I've never used the IDEALX scripts. Right now I use a shell script to batch
add computers and users.


> add machine script = /usr/local/sbin/smbldap-useradd.pl -w %m
> add user script = /usr/local/sbin/smbldap-useradd.pl -a %u
> delete user script = /usr/local/sbin/smbldap-userdel.pl %u
> add group script = /usr/local/sbin/smbldap-groupadd.pl %g
> delete group script = /usr/local/sbin/smbldap-groupdel.pl %g
> add user to group script = /usr/local/sbin/smbldap-groupmod.pl -m %u %g
> delete user from group script = /usr/local/sbin/smbldap-groupmod.pl -x %u %g
> set primary group script = /usr/local/sbin/smbldap-usermod.pl -G %g %u
> workgroup = TEST
> netbios name = donald
> comment = test samba pdc
> security = user
> null passwords = yes
> encrypt passwords = yes
> logon script=logon.bat
> logon drive =
> logon path =
> domain master = yes
> domain logons = yes
> preferred master = yes
> os level = 33
> wins support = yes
> wins proxy = no
> log file = /var/log/samba/%m.log
> public = No
> browseable = yes
> writable = No
> 
> ; necessary share for domain controller
> [netlogon]
> path = /netlogon
> locking = no
> read only = yes
> write list = ntadmin
> 
> ;test share
> [tmp]
> writeable = yes
> public = yes
> path = /tmp
> 
> [profiles]
> path = /profiles
> read only = no
> writeable = yes
> create mask = 0600
> directory mask = 0700
> 
> ---- end smb.conf ---

One other thing I found that would cause problems adding a computer to a
domain. Duplicate names. If you use ghost disk imaging this is a common
problem.

-- 
Kent L. Nasveschuk <kent at wareham.k12.ma.us>
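The post above describes a manual procedure: validate a machine name, create the POSIX half of the machine account (the trailing-`$` user that `smbpasswd -a -m` then extends with the sambaSamAccount attributes), and make sure every Unix group named by `net groupmap list` actually exists. The script below is an added example, written for this page and not code from Kent's post, from the IDEALX tools or from the Samba project. It only emits text (an LDIF, a list of missing groups) so the result can be reviewed before anything is applied. Assumptions, marked in the comments: the `ou=Computers` container, the gidNumber passed for the computers group, the base DN argument, and the extra `domain_guests -> dguests` line in the constructed sample data, which is there to make the check fail visibly. The RID helper encodes Samba 3's default algorithmic mapping (RID = 2*uidNumber + 1000), which is consistent with the entries in the post: uid 0 gives RID 1000 for root, and the workstation's RID 3942 corresponds to uid 1471.

```shell
#!/bin/sh
# Added example (not from the original post): helpers for pre-creating a
# Samba 3 machine account and checking the group mappings discussed above.
# Nothing here writes to LDAP or /etc/passwd; it only prints text.

# A NetBIOS name is at most 15 characters; the machine account is that
# name plus a trailing '$'. Returns 0 if the name is usable.
check_netbios_name() {
    n=${1%\$}                          # strip a trailing '$' if present
    [ -n "$n" ] && [ ${#n} -le 15 ] || return 1
    case $n in
        *[!A-Za-z0-9-]*) return 1 ;;   # keep to a safe character set
    esac
    return 0
}

# Samba 3 default algorithmic SID mapping: RID = 2*uidNumber + 1000.
# Matches the post: uid 0 -> RID 1000 (root); RID 3942 -> uid 1471.
machine_rid() {
    echo $(( $1 * 2 + 1000 ))
}

# LDIF for the POSIX half of a machine account. The sambaSamAccount
# attributes are added later by "smbpasswd -a -m" (the add machine
# script in the post). ou=Computers and the gidNumber are assumptions.
machine_ldif() {
    name=${1%\$}; uid=$2; gid=$3; base=$4
    check_netbios_name "$name" || { echo "bad machine name: $name" >&2; return 1; }
    cat <<EOF
dn: uid=$name\$,ou=Computers,$base
objectClass: top
objectClass: account
objectClass: posixAccount
uid: $name\$
cn: $name\$
uidNumber: $uid
gidNumber: $gid
homeDirectory: /dev/null
loginShell: /bin/false
gecos: Computer
EOF
}

# Every Unix group on the right-hand side of "net groupmap list" must
# exist in /etc/group. Prints the missing ones; returns 1 if any.
check_groupmap() {
    gm=$1; grp=$2; missing=0
    while read -r line; do
        case $line in *" -> "*) ;; *) continue ;; esac
        unix_group=${line##*-> }
        if ! cut -d: -f1 "$grp" | grep -qxF "$unix_group"; then
            echo "mapped but missing from $grp: $unix_group"
            missing=1
        fi
    done < "$gm"
    return $missing
}

# Constructed sample input: the mappings and groups from the post plus one
# deliberately unmatched mapping (domain_guests -> dguests) for illustration.
GROUPMAP_SAMPLE='domain_admins (S-1-5-21-1129281578-1295143107-3311307472-512) -> root
computers (S-1-5-21-1129281578-1295143107-3311307472-515) -> dcomputers
domain_users (S-1-5-21-1129281578-1295143107-3311307472-513) -> dusers
domain_guests (S-1-5-21-1129281578-1295143107-3311307472-514) -> dguests'
GROUP_SAMPLE='root:x:0:root
dusers:x:500:
domadmins:x:501:
dcomputers:x:502:'

# Runs check_groupmap over the constructed sample; returns its status.
demo_groupmap_check() {
    tmp=${TMPDIR:-/tmp}/gmcheck.$$
    printf '%s\n' "$GROUPMAP_SAMPLE" > "$tmp.map"
    printf '%s\n' "$GROUP_SAMPLE" > "$tmp.grp"
    check_groupmap "$tmp.map" "$tmp.grp"; rc=$?
    rm -f "$tmp.map" "$tmp.grp"
    return $rc
}

# Usage:  sh machine-account.sh ldif whs-0106 1471 502 dc=tow,dc=net
#         sh machine-account.sh check
if [ "${1:-}" = ldif ] && [ $# -eq 5 ]; then
    machine_ldif "$2" "$3" "$4" "$5"
elif [ "${1:-}" = check ]; then
    demo_groupmap_check
fi
```

Pipe the `ldif` output into `ldapadd -x -D "cn=root,..." -W -f -` once it looks right; with nss_ldap resolving posixAccount entries, the separate `useradd ... whs-0106$` step from the post is no longer needed. Run `check` against real output (`net groupmap list > map.txt; sh machine-account.sh` with the sample replaced by your files) before troubleshooting a join failure, since a mapping that points at a non-existent Unix group is a common cause.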


