[Samba] My story installing Samba-LDAP PDC (it has a happy ending)

Vegeta lord.vegeta at ica.luz.ve
Thu Jan 15 02:13:11 GMT 2004


OK.

I am starting to believe that Samba 3.0.x is not stable.
At least, the documentation for Samba as PDC with OpenLDAP backend (which is
what I have been trying to do for four days) is crap.
All the documentation for 3.0.x is mixed with 2.2.x. Most documents start as
instructions for 3.0.x but include a lot of information that doesn't apply to
3.0.x, but to 2.2.x.
People on the mailing list sometimes give answers that apply to 2.2.x.
Some people tell me there is a bug that prevents the use of ou=Computers for
machine accounts. Some people say they have no problems.
Some people say I have to have Administrator with uid=0, some people tell me
it must not be 0.
Everyone says smbldap-tools work great, but they always give me strange
errors.

I'm starting again, this time with 3.0.2pre1.


I'm going to use Samba-HOWTO-Collection.pdf as the main guide for general
samba configuration and
http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html for LDAP configuration
(even though I know they have errors regarding 3.0.x).

I'm running SuSE 9.0 on an x86 machine. I have my openldap server running
without problem. At the moment it has no samba information except the
inclusion of the samba.schema in the slapd.conf.
I'm using the JXplorer tool to add/modify/delete directory information.
My LDAP base is dc=ica,dc=luz,dc=ve.
The server is listening without SSL (port 389) on the 127.0.0.1 (localhost)
interface and listening LDAPS (with SSL, port 636) on all interfaces (I know
this is deprecated in favor of StartTLS, but this configuration works well
for me).


1. Samba 3.0.1 compiled and installed without problems with the following
commands:

./configure --prefix=/opt/samba-3.0.2pre1 --with-ldap --with-quotas \
    --with-winbind --with-libsmbclient --with-fhs --with-smbmount

make

make install

2. The first step is configuring the smb.conf file.
I read the documentation and I think I understand most parts of it.
The only example in Section 5.3 (Domain Control Example Configuration) is
for a tdbsam backend, which I am not interested in. I use a similar
configuration, but using information from Section 11.4.4
(Account Information Databases - ldapsam) and previous experience.

My first version of smb.conf is:
--------START smb.conf----------
[global]
#Only allow hosts in my network
hosts allow = 172.17.6.0/255.255.255.0
netbios name = BOA
workgroup = ICALUZ
security = user
encrypt passwords = yes
preferred master = yes
domain master = yes
local master = yes
domain logons = yes
unix charset = "ISO-8859-1"

os level = 33

ldap suffix = dc=ica,dc=luz,dc=ve
ldap admin dn = "cn=Manager,dc=ica,dc=luz,dc=ve"

idmap backend = ldap:ldap://localhost
idmap gid = 10000-20000
idmap uid = 10000-20000
ldap idmap suffix = ou=Idmap

passdb backend = ldapsam:ldap://localhost
ldap ssl = off
ldap delete dn = no
ldap user suffix = ou=Personas
ldap group suffix = ou=Grupos
ldap machine suffix = ou=Personas
#ldap machine suffix = ou=Computadoras
#ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
ldap filter = (uid=%u)

logon path = \\%N\profiles\%u
logon drive = H:
logon home = \\homeserver\%u\winprofile
#logon home = \\%N\%u
logon script = logon.cmd

#logging
log level = 2
log file = /var/lib/samba/%m.log

[netlogon]
path = /var/lib/samba/netlogon
read only = yes
write list = domadmin

[profiles]
path = /var/lib/samba/profiles
read only = no
create mask = 0644
directory mask = 0755

[test]
path=/tmp
writeable=yes
public=yes
--------END smb.conf----------
Differences with respect to the documentation:
hosts allow: only computers from my network can connect to the server.
The order of some directives is changed because I like it better this way.
It apparently doesn't matter (if there is a mistake, please correct me).

unix charset: My native language is Spanish and it is common to have files
with accented letters. The smb-ldap3-howto (which is from Spain) recommends
using CP850, but it did not work for me. ISO-8859-1 works great.

ldap ssl: I do not use SSL because the LDAP server is in the same machine as
samba.

ldap machine suffix: The documentation (Samba HOWTO Collection - SHC) says
one should use ou=Computers (ou=Computadoras in Spanish). I have this
commented out and am using ou=Personas (equivalent to ou=People) since a lot
of people say there is a bug in Samba 3.0.x that prevents it from searching
the ou=Computers tree. I do not know if this is fixed in Samba 3.0.2pre1;
I'll test that later if everything else goes fine.

ldap filter: the documentation (example 11.4.1 in SHC) says one should use
(&(uid=%u)(objectclass=sambaSamAccount)), but I found out in previous
installations that it doesn't work, at least when you use smbpasswd -a,
because at that time entries do not have the sambaSamAccount class and are
filtered out. ldap filter = (uid=%u) worked for me last time so that's what
I'm using.

I do not yet understand what Idmap does. I read it maps Unix group and user
IDs to Windows user and group SIDs. I am somewhat confused because
instructions also say a tool called net groupmap should be used to map unix
groups to windows groups. Someone please clarify.
I put some entries for it because if it is going to store information I
prefer that it does so in the LDAP directory.

There are a few differences in the netlogon and profiles shares. I used
domadmin instead of ntadmin for write list of netlogon and used different
masks in profiles.

I'm using logon home = \\homeserver\%u\winprofile, but this isn't going to
work because I haven't configured a homeserver server. I'll correct this
when everything else works OK.

2. The SHC say I should add the following entries:
- The organization. I added it.

- A directory manager (dn: cn=Manager). I didn't add this because it is
created automatically by OpenLDAP.

-Groups, People and Computers organizational units. I added these.

-An admin entry for each of the previously created ou's. I didn't add these
because I am going to administer the entries using the cn=Manager.

3. The SHC says I should use the following command so it can access the LDAP
server.

     smbpasswd -w <password>

I did this without problems.
From this point on all the LDAP related information in SHC applies to Samba
2.2.x.
It talks about sambaSamAccount, but all described parameters apply to the
Samba 2.2.x sambaAccount. So I switch to SLH.

4. The first relevant thing I find is that there are some basic LDAP entries
(also with posixAccount).
SLH says:
"In the [SAMBA_3_0] and [HEAD] only a few basic entries are required: nobody
and administrator BUT an account with uidNumber=0 (root or administrator)
MUST  be present if you need add XP/W2K ws. The reason: an administrative
account is demanded in the ws side in the join process, and that account
must have a uidNumber=0 in the unix world.

Remember that in the ldapsam backend the rid mapping is algorithmic based:
rid='2*uidNumber+1000' and primaryGroup='2*uidNumber+100+1', so a root or
any administrative account must have a rid of 1000, and a sambaSID like:


sambaSID: S-1-5-21-298858960-1863792627-3661451959-1000
 sambaPrimaryGroupSID: S-1-5-21-298858960-1863792627-3661451959-1001


The root/administrator (uidNumber=0) SHOULD be present in the NT's Admins
group (rid=512).
"
What I interpret from this is that I have to create three posixAccounts
(root, Administrator and nobody, although it seems root and nobody might
have been enough) and an NT administrative group. Both root and
administrator have to belong to the administrative group. There are no
instructions at this point on how to create the groups. They appear later.

There are other things that are not clear.

I have read (and it appears later in SLH) that three Samba (NT) groups must
be created: "Domain Admins", "Domain Users" and "Domain Guests" and that
these groups should have rid's 512, 513 and 514 respectively. To map the
groups, SLH says the following commands should be used:

        net groupmap add rid=514 ntgroup="Domain Guests" unixgroup=nobody
        net groupmap add rid=513 ntgroup="Domain Users" unixgroup=users
        net groupmap add rid=512 ntgroup="Domain Admins" unixgroup=admins

There is another thing that is not clear. The (LDIF) entries appear with all
samba attributes set, but it is not clear how they must be set; I do know
they are set with smbpasswd -a.
The example that comes with SLH says the following about the three accounts:
Administrator:
uidNumber: 506   --- I assume this can be any number not equal to 0
gidNumber: 0   --- maybe because the posixGroup 0 should be previously mapped
to sambaGroup rid 512, although this is not written anywhere. Is this true?
sambaSID: a number that ends with 500 (I really don't know if this is truly
necessary, but it DOES NOT come from the formula given above).
sambaPrimaryGroupSID: must end with 512 (to indicate it belongs to the
Domain Admins group, I assume).
sambaAcctFlags [UX         ]  -- user account and password doesn't expire

nobody:
uidNumber: 99   --- I assume this can be any number not equal to 0
gidNumber:99   --- Idem
sambaSID: a number that ends with 501 (I don't know if this is necessary,
but it DOES NOT come from the formula given above).
sambaPrimaryGroupSID: must end with 514 (to indicate it belongs to the
Domain Guests group, I assume).
sambaAcctFlags [UX         ]  -- user account and password doesn't expire

root:
uidNumber: not shown, but I assume 0
gidNumber:Idem
sambaSID: a number that ends with 1000 (I don't know if this necessary, but
it comes from the formula given above).
sambaPrimaryGroupSID: must end with 1001 (I don't know if this is either
necessary or correct, but it comes from the formula above, unless it
is wrong and it is 1001 instead of the strange value 100+1).
sambaAcctFlags [U          ]  -- user account

The last time I followed the instructions and created the users first I did
not get the right values for sambaPrimaryGroupSID (I got the expected
values using the formulas). This time I decided to first create the groups,
do the mappings and then create the users.
To create the groups I first create the following posixGroups entries in the
LDAP directory:

dn: cn=users,ou=Grupos,dc=ica,dc=luz,dc=ve
objectClass: posixGroup
objectClass: top
cn: users
description: Local Unix group
gidNumber: 100

dn: cn=domadmin,ou=Grupos,dc=ica,dc=luz,dc=ve
objectClass: posixGroup
objectClass: top
cn: domadmin
description: Local Unix group
gidNumber: 0

dn: cn=nobody,ou=Grupos,dc=ica,dc=luz,dc=ve
objectClass: posixGroup
objectClass: top
cn: nobody
description: Local Unix group
gidNumber: 65533

I mapped the groups to samba groups with the following commands:

        net groupmap add rid=514 ntgroup="Domain Guests" unixgroup=nobody
        net groupmap add rid=513 ntgroup="Domain Users" unixgroup=users
        net groupmap add rid=512 ntgroup="Domain Admins" unixgroup=domadmin

All commands worked successfully. Now the group entries look like this:

dn: cn=users,ou=Grupos,dc=ica,dc=luz,dc=ve
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: users
description: Local Unix group
displayName: Domain Users
gidNumber: 100
sambaGroupType: 2
sambaSID: S-1-5-21-893857118-1575030141-3707423182-513

dn: cn=domadmin,ou=Grupos,dc=ica,dc=luz,dc=ve
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: domadmin
description: Local Unix group
displayName: Domain Admins
gidNumber: 0
sambaGroupType: 2
sambaSID: S-1-5-21-893857118-1575030141-3707423182-512

dn: cn=nobody,ou=Grupos,dc=ica,dc=luz,dc=ve
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: nobody
description: Local Unix group
displayName: Domain Guests
gidNumber: 65533
sambaGroupType: 2
sambaSID: S-1-5-21-893857118-1575030141-3707423182-514

They look good, I think.

Now I'm going to add the users.
I put these entries in the directory:

dn: uid=root,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: person
objectClass: posixAccount
objectClass: top
cn: root
gidNumber: 0
homeDirectory: /dev/null
loginShell: /dev/null
sn: root
uid: root
uidNumber: 0

dn: uid=nobody,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: person
objectClass: posixAccount
objectClass: top
cn: nobody
gidNumber: 65533
homeDirectory: /dev/null
loginShell: /dev/null
sn: nobody
uid: nobody
uidNumber: 65533

dn: uid=Administrator,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: person
objectClass: posixAccount
objectClass: top
cn: Administrator
gidNumber: 0
homeDirectory: /dev/null
loginShell: /dev/null
sn: Administrator
uid: Administrator
uidNumber: 506

dn: uid=borra,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: person
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
cn: Borra
gidNumber: 100
homeDirectory: /home/borra
loginShell: /bin/bash
shadowExpire: -1
shadowFlag: 7100670
shadowInactive: -1
shadowLastChange: 11762
shadowMax: 99999
shadowMin: -1
shadowWarning: -1
sn: Borra
uid: borra
uidNumber: 1010
userPassword:: Ym9ycmE=

The borra user is a normal (test) user.


5. At this point the SLH discusses some steps I already did:
  - group mapping
  - configuring smb.conf, which I already configured not exactly like SLH
says because there are things that I know don't work for me.
  - smbpasswd -w <passwd>

6. The next step in SLH is "Starting and stopping the samba server". I will
do that after I add samba attributes to users in the directory.

7. The next step in SLH is "Adding accounts with smbpasswd".
SLH says that smbpasswd "makes all the ldap stuff for you, from the
scratch" (even though the first step about configuring accounts shows LDAP
entries with all samba attributes).
SLH says to add users "./bin/smbpasswd -a <user> -D 256" and to add machines
"./bin/smbpasswd  -m -a <ws_name>$ -D 256".

Of course this doesn't add users to LDAP directory, but adds samba
attributes to existing users in the directory.
I ran successfully the following commands:
smbpasswd -a root
smbpasswd -a Administrator
smbpasswd -a nobody

Now the entries in the directory look like this:

dn: uid=borra,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: person
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
objectClass: sambaSamAccount
cn: borra
displayName: borra
gidNumber: 100
homeDirectory: /home/borra
loginShell: /bin/bash
sambaAcctFlags: [U          ]
sambaLMPassword: 9C66ABD24F833796AAD3B435B51404EE
sambaNTPassword: B481BD80DA6D4E289F47611E924D5A3C
sambaPrimaryGroupSID: S-1-5-21-893857118-1575030141-3707423182-513
sambaPwdCanChange: 1074126298
sambaPwdLastSet: 1074126298
sambaPwdMustChange: 2147483647
sambaSID: S-1-5-21-893857118-1575030141-3707423182-3020
shadowExpire: -1
shadowFlag: 7100670
shadowInactive: -1
shadowLastChange: 11762
shadowMax: 99999
shadowMin: -1
shadowWarning: -1
sn: Romero
uid: borra
uidNumber: 1010
userPassword:: Ym9ycmE=

dn: uid=nobody,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: person
objectClass: posixAccount
objectClass: top
objectClass: sambaSamAccount
cn: nobody
displayName: nobody
gidNumber: 99
homeDirectory: /dev/null
loginShell: /dev/null
sambaAcctFlags: [U          ]
sambaLMPassword: C95F11D5EBB770D2AAD3B435B51404EE
sambaNTPassword: 3A1F23F3A6E96E48C4D256A557BF7C9F
sambaPwdCanChange: 1074126257
sambaPwdLastSet: 1074126257
sambaPwdMustChange: 2147483647
sambaSID: S-1-5-21-893857118-1575030141-3707423182-501
sn: nobody
uid: nobody
uidNumber: 1000

dn: uid=Administrator,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: person
objectClass: posixAccount
objectClass: top
objectClass: sambaSamAccount
cn: Administrator
displayName: Administrator
gidNumber: 0
homeDirectory: /dev/null
loginShell: /dev/null
sambaAcctFlags: [U          ]
sambaLMPassword: 6A98EB0FB88A449CBE6FABFD825BCA61
sambaNTPassword: D144986C6122B1B1654BA39932465528
sambaPrimaryGroupSID: S-1-5-21-893857118-1575030141-3707423182-512
sambaPwdCanChange: 1074126020
sambaPwdLastSet: 1074126020
sambaPwdMustChange: 2147483647
sambaSID: S-1-5-21-893857118-1575030141-3707423182-2012
sn: Administrator
uid: Administrator
uidNumber: 506

dn: uid=root,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: person
objectClass: posixAccount
objectClass: top
objectClass: sambaSamAccount
cn: root
displayName: root
gidNumber: 0
homeDirectory: /dev/null
loginShell: /dev/null
sambaAcctFlags: [U          ]
sambaLMPassword: D480EA9533C500D4AAD3B435B51404EE
sambaNTPassword: 329153F560EB329C0E1DEEA55E88A1E9
sambaPrimaryGroupSID: S-1-5-21-893857118-1575030141-3707423182-512
sambaPwdCanChange: 1074126010
sambaPwdLastSet: 1074126010
sambaPwdMustChange: 2147483647
sambaSID: S-1-5-21-893857118-1575030141-3707423182-1000
sn: root
uid: root
uidNumber: 0

Everything looks more or less good. I do not know if it is OK, but at least
Administrator and root do have the 512 in the sambaPrimaryGroupSID
attribute. The user nobody had no value in sambaPrimaryGroupSID. I do not
know why, but I do not care much because that's nobody.

7. At this point I start samba simply running smbd and nmbd.
The log says:
[2004/01/14 20:40:23, 2] lib/interface.c:add_interface(79)
  added interface ip=172.17.6.2 bcast=172.17.255.255 nmask=255.255.0.0
[2004/01/14 20:40:23, 0] smbd/server.c:main(781)
  standard input is not a socket, assuming -D option
[2004/01/14 20:40:23, 2] lib/tallocmsg.c:register_msg_pool_usage(57)
  Registered MSG_REQ_POOL_USAGE
[2004/01/14 20:40:23, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2004/01/14 20:40:23, 2] smbd/server.c:open_sockets_smbd(318)
  waiting for a connection

It seems OK.

8. Before doing the next step in SLH, I will try to mount the test share
using smbmount from an external unix machine and from a windows machine
using the test user borra.
      smbmount //boa/test mnt -o username=borra

I tried the same command from the server I am configuring and it worked
great.
BTW, boa is the name of the server I am configuring (I think I never said
that).

From windows it worked well too.
Accented letters worked well in both environments.

9. The next step is what has never worked for me. "Joining workstations (NT,
W2K, XP) to the Samba domain".
SLH says:
 "Basically you need cover these steps to add (join) a windows NT/W2K/XP to
the domain:
in the PDC samba server create an account for the machine
one entry in the /etc/passwd or equivalent (nsswitch...) for the
machine_name$-ended
 one basic entry in the ldap previous to call to the smbpasswd
 one full entry in the ldap withsmbpasswd -a -m <machine_name>$
 in the MS workstation, if is a XP or W2K you need set in the registry:
SignOrSeal to "0" in the MS workstation you need join to the domain ASAP
via:"
 blah blah...
I interpret this as saying that I need to add an entry in both /etc/passwd
and the LDAP server. This is absurd to me. If I'm using LDAP, that's the
only place where it makes sense to me to add the machine account.
Maybe I'm wrong. Maybe the reason for ou=Computers not working is that
Samba needs to see the machine as a user and, since nss_ldap is configured
to search users only in ou=People, the only other way for it to see
them as users is adding them to /etc/passwd. Maybe this is also wrong.
Of course these instructions are incomplete because everywhere I see it is
required to have a value for "add machine script" in smb.conf.

I have read (probably on the mailing list) that the SignOrSeal change is not
required in Samba 3.0.x. This may be possible.
I have also read that W2K and WinXP do not support manual creation of the
account.
Since the machine I want to add is W2K I will try to join it automatically
to the domain.

My first attempt will be with the server configuration as it is. It failed,
as was expected.

I see that smbldap-tools work well for most people on the list and they use
that as the command to run in "add machine script". I downloaded those tools
(version 0.8.2) and they do not work. No matter what I do, I always get the
same kind of error:

failed to perform search; No such object at /root/smbldap-tools-0.8.2/
smbldap_tools.pm line 156, <DATA> line 283.
failed to add entry: referral missing at ./smbldap-useradd.pl line 251,
<DATA> line 283.
No such object at /root/smbldap-tools-0.8.2//smbldap_tools.pm line 180,
<DATA> line 283.

I configured the smbldap_tools.pm correctly (at least that is what I think).
I installed every possible perl package that comes with SuSE 9 (including
one called perl-ldap or something like that).
I gave up with those tools. I do not like them anyway because they say they
do not support shadowAccount and I intend to use shadowAccount.
These tools look like they perform the combined work of ldapadd (or
ldapmodify, etc.) and smbpasswd. I have no problems adding LDAP entries
manually, especially with JXplorer, and later using smbpasswd to set samba
attributes, so I will not use these tools.

Since SLH redirects me to SHC, I go to Chapter 7 "Domain Membership".
It explains some things I think I understand, but all specific to a tdbsam
backend.

It first explains manual creation of machine accounts using useradd and
smbpasswd -a -m.
I think I would have no problem first adding posixAccount info in LDAP and
then using smbpasswd -a -m.

Then SHC goes to a section called "On-the-Fly Creation of Machine Trust
Accounts".
SHC says:
" The second (and recommended) way of creating Machine Trust Accounts is
simply to allow the Samba server to create them as needed when the client
is joined to the domain.

Since each Samba Machine Trust Account requires a corresponding UNIX
account, a method for automatically creating the UNIX account is usually
supplied; this requires configuration of the add machine script option in
smb.conf. This method is not required, however, corresponding UNIX accounts
may also be created manually. "

As I understand it, the add machine account only requires adding the
posixAccount information and not the samba account information. I assume
then that samba automatically executes "smbpasswd -a -m <machine>".

The example (not using LDAP) could not be clearer:
add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u

Since "corresponding UNIX accounts may also be created manually" I will add
a machine account entry manually to the LDAP server and then try to join
the W2K machine automatically to the domain.

The first problem I face is what to use as gidNumber. The example uses 100,
which is usually a user group id. I checked Table 12.1 in SHC and there is
a non-essential group called "Domain Computers" with RID=515. Since I
couldn't find a specific gidNumber to use in this circumstance, I will
create a domcomputers posix group mapped to Samba RID 515 and use the
corresponding gidNumber for the machine account.
After the operation "net groupmap list" shows:
Domain Users (S-1-5-21-893857118-1575030141-3707423182-513) -> users
Domain Admins (S-1-5-21-893857118-1575030141-3707423182-512) -> root
Domain Guests (S-1-5-21-893857118-1575030141-3707423182-514) -> nobody
Domain Computers (S-1-5-21-893857118-1575030141-3707423182-515) ->
domcomputers

I added the following entry to the LDAP server:
dn: uid=machorro$,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: posixAccount
objectClass: device
objectClass: top
cn: machorro$
description: test machine
gidNumber: 101
homeDirectory: /dev/null
loginShell: /dev/null
uid: machorro$
uidNumber: 2000

Now I will try to join it to the domain.
I am using the root account since I read that an account with uidNumber=0 is
required for this operation.

IT WORKED!!!!!!!! IT WORKED!!!!!!!!!!
machorro said: "Bienvenido al dominio ICALUZ", that is "Welcome to ICALUZ
domain".
I really thought it was not going to work.

The machorro$ LDAP entry now is:
dn: uid=machorro$,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: posixAccount
objectClass: device
objectClass: top
objectClass: sambaSamAccount
cn: machorro$
description: test machine
displayName: machorro$
gidNumber: 101
homeDirectory: /dev/null
loginShell: /dev/null
sambaAcctFlags: [W          ]
sambaLMPassword: 104BB6F47FAC1C3C8154FBC2F211C5B1
sambaNTPassword: FBC80084DF2D1D4B223A643F74611420
sambaPrimaryGroupSID: S-1-5-21-893857118-1575030141-3707423182-515
sambaPwdCanChange: 1074130590
sambaPwdLastSet: 1074130590
sambaPwdMustChange: 2147483647
sambaSID: S-1-5-21-893857118-1575030141-3707423182-5000
uid: machorro$
uidNumber: 2000


I logged in on machorro and it only complained about not being able to
create the profile on the server, but that is because I have
logon home = \\homeserver\%u\winprofile
and homeserver doesn't exist. It used a local profile and everything else
was fine.

Well, now I have nothing else to do. Simply add more users and more
machines.

Wait. I will now try to put the machine account under the ou=Computers tree,
just to see what happens.
The first thing I'll try will be moving the machorro$ account to the
ou=Computadoras subtree and changing the smb.conf "ldap machine suffix"
entry to ou=Computadoras.
I turned off machorro and stopped samba.
Now I moved the machorro account to ou=Computadoras (which is very easy with
JXplorer).
Then I start samba (smbd and nmbd) and turn on machorro.
I could log in without problems. Interesting.
Now I will try to add another machine to the domain.
I first added the following entry to the LDAP server:
dn: uid=titanic$,ou=Computadoras,dc=ica,dc=luz,dc=ve
objectClass: posixAccount
objectClass: device
objectClass: top
cn: titanic$
description: test machine
gidNumber: 101
homeDirectory: /dev/null
loginShell: /dev/null
uid: titanic$
uidNumber: 2001

When I tried to join titanic to the domain, I got the following error:
    "the user name could not be found."

I suppose this happens when samba does the equivalent to smbpasswd -a -m.
Bad luck.
But at least I can add W2K machines to the domain.
I am very happy.

I apologize for calling crap the Samba documentation. It was of great help,
but it certainly needs improvement. And I hope the ou=Computers bug is
fixed soon.

I expect this story could help others trying to do the same thing I am
doing. The next battle will be configuring a BDC, but that will be another
day.

Regards,
VS

-- 
Fuera Chávez
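The checks the post works out by hand (the algorithmic RID mapping, the `net groupmap` table taking precedence over it for sambaPrimaryGroupSID, and what ends up in the LDIF dumps) can be scripted. The following is an added example written for this page, not code from the post or from the Samba project. It assumes the Samba 3 ldapsam formulas quoted from SLH above (user RID = 2*uidNumber+1000, group RID = 2*gidNumber+1001), treats RIDs 500 and 501 as the well-known Administrator/Guest RIDs that smbpasswd assigns outside that formula, takes the domain SID from the entries shown in the post, and runs against a constructed sample LDIF laid out like the post's entries (the hash values are the well-known LM/NT hashes of the empty password, stand-ins for real ones, and `uid=bogus` is deliberately inconsistent). It also flags two things worth noticing in dumps like the ones above: a `userPassword::` value with no `{SCHEME}` prefix is a base64-encoded cleartext password, not a hash (`Ym9ycmE=` decodes to `borra`), and a stored sambaLMPassword is an LM hash, which is cheap to crack. Function and variable names are mine.

```python
# Added example for this page, not code from the post or from Samba (assumptions: see lead-in).
import base64
import re

WELL_KNOWN_USER_RIDS = {500, 501}  # Administrator and Guest: assigned outside the formula
DOMAIN_SID = "S-1-5-21-893857118-1575030141-3707423182"  # domain SID from the post's entries

# Constructed sample in the post's layout; hashes are the empty-password LM/NT constants.
SAMPLE_LDIF = f"""
dn: cn=domadmin,ou=Grupos,dc=ica,dc=luz,dc=ve
objectClass: sambaGroupMapping
gidNumber: 0
sambaSID: {DOMAIN_SID}-512

dn: cn=users,ou=Grupos,dc=ica,dc=luz,dc=ve
objectClass: sambaGroupMapping
gidNumber: 100
sambaSID: {DOMAIN_SID}-513

dn: uid=root,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: sambaSamAccount
uidNumber: 0
gidNumber: 0
sambaSID: {DOMAIN_SID}-1000
sambaPrimaryGroupSID: {DOMAIN_SID}-512
sambaLMPassword: AAD3B435B51404EEAAD3B435B51404EE

dn: uid=borra,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: sambaSamAccount
uidNumber: 1010
gidNumber: 100
userPassword:: Ym9ycmE=
sambaSID: {DOMAIN_SID}-3020
sambaPrimaryGroupSID: {DOMAIN_SID}-513

dn: uid=bogus,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: sambaSamAccount
uidNumber: 1011
gidNumber: 100
sambaSID: {DOMAIN_SID}-3023
sambaPrimaryGroupSID: {DOMAIN_SID}-513
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w;-]*)(::?)\s*(.*)$")


def parse_ldif(text):
    """Minimal LDIF reader (no folded lines): returns dicts of attr -> [values]."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        m = ATTR_RE.match(line)
        if not m:  # a blank (or unparseable) line ends the current entry
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, sep, value = m.groups()
        if sep == "::":  # 'attr:: ...' is base64: an encoding, not a protection
            value = base64.b64decode(value).decode("utf-8", "replace")
        cur.setdefault(attr, []).append(value)
    return entries


def rid_of(sid):
    return int(sid.rsplit("-", 1)[1])

def user_rid(uid_number):
    return 2 * uid_number + 1000  # Samba 3 ldapsam algorithmic user RID

def group_rid(gid_number):
    return 2 * gid_number + 1001  # Samba 3 ldapsam algorithmic group RID


def audit(entries):
    """Return (dn, kind, detail) findings for every sambaSamAccount entry."""
    groupmap = {int(e["gidNumber"][0]): rid_of(e["sambaSID"][0])
                for e in entries if "sambaGroupMapping" in e.get("objectClass", [])}
    findings = []
    for e in entries:
        if "sambaSamAccount" not in e.get("objectClass", []):
            continue
        dn = e["dn"][0]
        uid, gid = int(e["uidNumber"][0]), int(e["gidNumber"][0])
        rid = rid_of(e["sambaSID"][0])
        if rid != user_rid(uid) and rid not in WELL_KNOWN_USER_RIDS:
            findings.append((dn, "rid_mismatch", f"RID {rid}, formula gives {user_rid(uid)}"))
        expected = groupmap.get(gid, group_rid(gid))  # a net groupmap entry wins over the formula
        pgs = e.get("sambaPrimaryGroupSID")
        if not pgs:
            findings.append((dn, "no_primary_group", "sambaPrimaryGroupSID missing"))
        elif rid_of(pgs[0]) != expected:
            findings.append((dn, "primary_group_mismatch", f"{rid_of(pgs[0])} != {expected}"))
        if any(not pw.startswith("{") for pw in e.get("userPassword", [])):
            findings.append((dn, "cleartext_userPassword", "no {SSHA}/{CRYPT} scheme prefix"))
        if e.get("sambaLMPassword"):
            findings.append((dn, "lm_hash_present", "LM hash stored; cheap to crack"))
    return findings
```

Run on the sample, `audit(parse_ldif(SAMPLE_LDIF))` reports `uid=bogus` for the RID that does not match 2*1011+1000, `uid=borra` for the cleartext userPassword, and `uid=root` for the LM hash; root's gidNumber 0 resolves to RID 512 through the groupmap rather than to the formula's 1001, which is the behaviour the post observed after running `net groupmap add` before `smbpasswd -a`. An entry like the post's `nobody` (sambaSID ending in 501, no sambaPrimaryGroupSID) is reported only as `no_primary_group`, since 501 is the well-known Guest RID. Real slapcat output can be fed in the same way; the parser does not handle folded continuation lines, so unfold those first.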


