[Samba] Creation of Domain- and PDC-SID in samba

Paul Coray paul.coray at unibas.ch
Thu Jan 29 16:22:19 GMT 2004 

John,

I finally decided to go for it and kick off our NT-PDC (UB-SERVER). I 
want to transfer our domain (UB) to Samba 3.0.1 with OpenLDAP (2.1.23-1) 
as backend on Debian Woody (this machine's netbios-name in my test 
environment is UB-KIOSK).

I read all documentation I could get a hold on and followed these
procedures you suggested, but I am stuck...

 >   * From: John H Terpstra
 >   * Subject: Re: [Samba] Creation of Domain- and PDC-SID in samba
 >   * Date: Sun, 28 Dec 2003 15:28:33 -0800

> 1. You must configure LDAP correctly to start off, have a clean Samba
> install (never started - ie: no tdb files and no secrets.tdb file).

Done.

> 2. You must edit smbldap_conf.pm and smb.conf correctly, then do:
>	smbpasswd -w 'LDAP_admin_password'
> Note: Have "domain master = No"

Done (see att. smb.conf)
# /usr/local/sbin/smbldap-populate
Using builtin directory structure
adding new entry: dc=ub,dc=unibas,dc=ch
adding new entry: ou=Domain Users,dc=ub,dc=unibas,dc=ch
adding new entry: ou=Groups,dc=ub,dc=unibas,dc=ch
adding new entry: ou=Computers,dc=ub,dc=unibas,dc=ch
adding new entry: uid=Administrator,ou=Domain Users,dc=ub,dc=unibas,dc=ch
adding new entry: uid=nobody,ou=Domain Users,dc=ub,dc=unibas,dc=ch
adding new entry: cn=Domain Admins,ou=Groups,dc=ub,dc=unibas,dc=ch
adding new entry: cn=Domain Users,ou=Groups,dc=ub,dc=unibas,dc=ch
adding new entry: cn=Domain Guests,ou=Groups,dc=ub,dc=unibas,dc=ch
adding new entry: cn=Print Operators,ou=Groups,dc=ub,dc=unibas,dc=ch
adding new entry: cn=Backup Operators,ou=Groups,dc=ub,dc=unibas,dc=ch
adding new entry: cn=Replicator,ou=Groups,dc=ub,dc=unibas,dc=ch
adding new entry: cn=Domain Computers,ou=Groups,dc=ub,dc=unibas,dc=ch


> 3. You must do:
>	net rpc getsid -S 'NT4server_name' -W 'Domain'
> -UAdministrator%'password'

Done:
# net rpc getsid -S UB-SERVER -U Administrator
Storing SID S-1-5-21-98201057-1281969052-1085559986 for Domain UB in
secrets.tdb

This same SID I also stored in the step before to smbldap_conf.pm. Now, 
does this belong to the domain or to the NT-PDC, or even to the future 
smb-ldap_PDC?? Guess I'm a little bit confused...

Now this is where the trouble starts:

> 4. You should then join the domain as a BDC:
>	net rpc join -S 'NT4server_name' -UAdministrator%'password'

# net rpc join -S UB-SERVER -UAdministrator
Password:
[2004/01/29 12:20:50, 0] utils/net_rpc_join.c:net_rpc_join_newstyle(326)
   Error domain join verification (reused connection):
NT_STATUS_ACCESS_DENIED
Please make sure that no computer account
named like this machine (UB-KIOSK) exists in the domain
Unable to join domain UB.


I can remove this machine's name from PDC in the Server-Manager as often
as I want, this bloody message
keeps diplaying every time I try to jon the domain...

Of course your next steps consequently will not work:


> 5. Start Samba

> 6. Suck off the accounts:
>	net rpc vampire -S 'NT4server_name' -UAdministrator%'password'

# net rpc vampire -S UB-SERVER -UAdministrator
Could not retrieve domain trust secret


This is my smb.conf:

[global]
         workgroup = UB
         server string = %h server (Samba %v)
         map to guest = Bad User
         passdb backend = ldapsam:ldap://127.0.0.1/
         syslog = 0
         log file = /var/log/samba/log.%m
         max log size = 1000
         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
         add user script = /usr/local/sbin/smbldap-useradd -m "%u"
         add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
         add user to group script = /usr/local/sbin/smbldap-groupmod -m
"%u" "%g"
         delete user from group script =
/usr/local/sbin/smbldap-groupmod -x "%u" "%g"
         set primary group script = /usr/local/sbin/smbldap-usermod -g
"%g" "%u"
         add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
         domain logons = Yes
         os level = 65
         preferred master = Yes
         domain master = No
         wins server = 131.152.1.78
         ldap suffix = dc=ub,dc=unibas,dc=ch
         ldap machine suffix = ou=Computers
         ldap user suffix = ou=Domain Users
         ldap group suffix = ou=Groups
         ldap admin dn = cn=manager,dc=ub,dc=unibas,dc=ch
         ldap passwd sync = Yes
         ldap delete dn = Yes
         panic action = /usr/share/samba/panic-action %d
         invalid users = root

[homes]
         comment = Home Directory for %U
         read only = No
         create mask = 0700
         directory mask = 0700
         browseable = No

[netlogon]
         path = /home/netlogon/
         write list = admin
         force user = admin

[profiles]
         path = /home/profiles
         valid users = %U, 'Domain Admins'
         force user = %U
         read only = No
         create mask = 0600
         directory mask = 0700
         guest ok = Yes
         profile acls = Yes
         browseable = No
         csc policy = disable

[printers]
         comment = All Printers
         path = /tmp
         create mask = 0700
         printable = Yes
         browseable = No

[print$]
         comment = Printer Drivers
         path = /var/lib/samba/printer

> I guess this does not help you, but I did want to clear the air that
> Vampire is not that big a monster - at all.

Hopefully I will overcome this beast or whatsoever... ;-)

Thanks, Cheers

Paul




-- 
Paul Coray
Administrator Server und Netzwerk

Oeffentliche Bibliothek der Universitaet Basel
EDV-Abteilung
Schoenbeinstrasse 18-20
CH-4056 Basel

Tel: +41 61 267 05 13
Fax: +41 61 267 31 03

mailto:paul.coray at unibas.ch
http://www.ub.unibas.ch

More information about the samba mailing list