[Samba] Creation of Domain- and PDC-SID in samba
Paul Coray
paul.coray at unibas.ch
Thu Jan 29 16:22:19 GMT 2004
John,
I finally decided to go for it and kick off our NT-PDC (UB-SERVER). I
want to transfer our domain (UB) to Samba 3.0.1 with OpenLDAP (2.1.23-1)
as backend on Debian Woody (this machine's netbios-name in my test
environment is UB-KIOSK).
I read all documentation I could get a hold on and followed these
procedures you suggested, but I am stuck...
> * From: John H Terpstra
> * Subject: Re: [Samba] Creation of Domain- and PDC-SID in samba
> * Date: Sun, 28 Dec 2003 15:28:33 -0800
> 1. You must configure LDAP correctly to start off, have a clean Samba
> install (never started - ie: no tdb files and no secrets.tdb file).
Done.
> 2. You must edit smbldap_conf.pm and smb.conf correctly, then do:
> smbpasswd -w 'LDAP_admin_password'
> Note: Have "domain master = No"
Done (see att. smb.conf)
# /usr/local/sbin/smbldap-populate
Using builtin directory structure
adding new entry: dc=ub,dc=unibas,dc=ch
adding new entry: ou=Domain Users,dc=ub,dc=unibas,dc=ch
adding new entry: ou=Groups,dc=ub,dc=unibas,dc=ch
adding new entry: ou=Computers,dc=ub,dc=unibas,dc=ch
adding new entry: uid=Administrator,ou=Domain Users,dc=ub,dc=unibas,dc=ch
adding new entry: uid=nobody,ou=Domain Users,dc=ub,dc=unibas,dc=ch
adding new entry: cn=Domain Admins,ou=Groups,dc=ub,dc=unibas,dc=ch
adding new entry: cn=Domain Users,ou=Groups,dc=ub,dc=unibas,dc=ch
adding new entry: cn=Domain Guests,ou=Groups,dc=ub,dc=unibas,dc=ch
adding new entry: cn=Print Operators,ou=Groups,dc=ub,dc=unibas,dc=ch
adding new entry: cn=Backup Operators,ou=Groups,dc=ub,dc=unibas,dc=ch
adding new entry: cn=Replicator,ou=Groups,dc=ub,dc=unibas,dc=ch
adding new entry: cn=Domain Computers,ou=Groups,dc=ub,dc=unibas,dc=ch
> 3. You must do:
> net rpc getsid -S 'NT4server_name' -W 'Domain'
> -UAdministrator%'password'
Done:
# net rpc getsid -S UB-SERVER -U Administrator
Storing SID S-1-5-21-98201057-1281969052-1085559986 for Domain UB in secrets.tdb
This same SID I also stored in the step before to smbldap_conf.pm. Now,
does this belong to the domain or to the NT-PDC, or even to the future
smb-ldap_PDC?? Guess I'm a little bit confused...
Now this is where the trouble starts:
> 4. You should then join the domain as a BDC:
> net rpc join -S 'NT4server_name' -UAdministrator%'password'
# net rpc join -S UB-SERVER -UAdministrator
Password:
[2004/01/29 12:20:50, 0] utils/net_rpc_join.c:net_rpc_join_newstyle(326)
Error domain join verification (reused connection):
NT_STATUS_ACCESS_DENIED
Please make sure that no computer account
named like this machine (UB-KIOSK) exists in the domain
Unable to join domain UB.
I can remove this machine's name from the PDC in the Server Manager as often
as I want; this bloody message keeps displaying every time I try to join the domain...
Of course your next steps consequently will not work:
> 5. Start Samba
> 6. Suck off the accounts:
> net rpc vampire -S 'NT4server_name' -UAdministrator%'password'
# net rpc vampire -S UB-SERVER -UAdministrator
Could not retrieve domain trust secret
This is my smb.conf:
[global]
workgroup = UB
server string = %h server (Samba %v)
map to guest = Bad User
passdb backend = ldapsam:ldap://127.0.0.1/
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
domain logons = Yes
os level = 65
preferred master = Yes
domain master = No
wins server = 131.152.1.78
ldap suffix = dc=ub,dc=unibas,dc=ch
ldap machine suffix = ou=Computers
ldap user suffix = ou=Domain Users
ldap group suffix = ou=Groups
ldap admin dn = cn=manager,dc=ub,dc=unibas,dc=ch
ldap passwd sync = Yes
ldap delete dn = Yes
panic action = /usr/share/samba/panic-action %d
invalid users = root
[homes]
comment = Home Directory for %U
read only = No
create mask = 0700
directory mask = 0700
browseable = No
[netlogon]
path = /home/netlogon/
write list = admin
force user = admin
[profiles]
path = /home/profiles
valid users = %U, 'Domain Admins'
force user = %U
read only = No
create mask = 0600
directory mask = 0700
guest ok = Yes
profile acls = Yes
browseable = No
csc policy = disable
[printers]
comment = All Printers
path = /tmp
create mask = 0700
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/printer
> I guess this does not help you, but I did want to clear the air that
> Vampire is not that big a monster - at all.
Hopefully I will overcome this beast or whatsoever... ;-)
Thanks, Cheers
Paul
--
Paul Coray
Administrator Server und Netzwerk
Oeffentliche Bibliothek der Universitaet Basel
EDV-Abteilung
Schoenbeinstrasse 18-20
CH-4056 Basel
Tel: +41 61 267 05 13
Fax: +41 61 267 31 03
mailto:paul.coray at unibas.ch
http://www.ub.unibas.ch
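The steps quoted in this message have a few preconditions that are easy to get wrong: the passdb backend must be ldapsam, "domain master" must stay No while the NT4 PDC is still the domain master, and the SID that "net rpc getsid" stores in secrets.tdb must be the same SID written into smbldap_conf.pm. On the question of which machine the SID belongs to: an identifier of the form S-1-5-21-x-y-z with exactly three sub-authorities and no trailing RID is the domain SID; user, group and machine accounts in that domain carry the same prefix plus a RID (for example -500 for Administrator). The checker below is an added example, not code from this thread or from the Samba project; the smb.conf excerpt and the getsid output line it uses are constructed from what is posted above, and the smbldap_conf.pm SID is passed in as a plain string.

```python
"""Check a Samba 3 smb.conf and a 'net rpc getsid' result against the
preconditions of the NT4-to-Samba migration steps quoted in the message.
Added example; not code from the thread or from the Samba project."""
import re

# Constructed: a trimmed copy of the [global] section posted in the message.
SMB_CONF = """\
[global]
workgroup = UB
passdb backend = ldapsam:ldap://127.0.0.1/
domain logons = Yes
domain master = No
preferred master = Yes
ldap suffix = dc=ub,dc=unibas,dc=ch
ldap admin dn = cn=manager,dc=ub,dc=unibas,dc=ch
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
[homes]
read only = No
"""

# Constructed: the line printed by 'net rpc getsid' in the message.
GETSID_OUTPUT = ("Storing SID S-1-5-21-98201057-1281969052-1085559986 "
                 "for Domain UB in secrets.tdb")

# A domain SID: fixed prefix S-1-5-21, three sub-authorities, no RID.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}$")


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {key: value}}.

    Section names and keys are lower-cased and inner whitespace in keys is
    collapsed, matching how Samba treats 'domain  master' and 'Domain Master'
    as the same parameter. Comment lines (# or ;) are skipped."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def parse_getsid(output):
    """Return (sid, domain) from the 'Storing SID ... for Domain ...' line, or None."""
    m = re.search(r"Storing SID (\S+) for Domain (\S+)", output)
    return (m.group(1), m.group(2)) if m else None


def is_domain_sid(sid):
    """True for a bare domain SID (no RID appended)."""
    return bool(DOMAIN_SID_RE.match(sid))


def check_migration_prereqs(conf_text, getsid_output, smbldap_sid):
    """Return a list of problems; an empty list means the preconditions hold."""
    g = parse_smb_conf(conf_text).get("global", {})
    problems = []
    if not g.get("passdb backend", "").startswith("ldapsam:"):
        problems.append("passdb backend is not ldapsam")
    if g.get("domain master", "").lower() not in ("no", "false", "0"):
        problems.append("domain master must be No while the NT4 PDC still exists")
    if g.get("domain logons", "").lower() not in ("yes", "true", "1"):
        problems.append("domain logons should be Yes on a domain controller")
    if "ldap admin dn" not in g or "ldap suffix" not in g:
        problems.append("ldap admin dn or ldap suffix is missing")
    parsed = parse_getsid(getsid_output)
    if parsed is None:
        problems.append("could not parse net rpc getsid output")
        return problems
    sid, domain = parsed
    if not is_domain_sid(sid):
        problems.append("retrieved SID is not a bare domain SID: " + sid)
    if domain.upper() != g.get("workgroup", "").upper():
        problems.append("SID fetched for domain %s but workgroup is %s"
                        % (domain, g.get("workgroup", "")))
    if sid != smbldap_sid:
        problems.append("SID in smbldap_conf.pm differs from the one in secrets.tdb")
    return problems


if __name__ == "__main__":
    for p in check_migration_prereqs(SMB_CONF, GETSID_OUTPUT,
                                     "S-1-5-21-98201057-1281969052-1085559986"):
        print("PROBLEM:", p)
```

On a real host the two inputs would come from the actual /etc/samba/smb.conf and from the stored output of "net rpc getsid" (or "net getlocalsid" after the fact), and the third argument from the SID line in smbldap_conf.pm; the checks themselves do not need a running Samba.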