[Samba] Profile Problem with ldap backend

ds_shadof at uni-altai.ru ds_shadof at uni-altai.ru
Tue Jul 13 15:06:11 GMT 2004


The Samba 3.0.5rc1 server is configured as a PDC.

[global]
# Reviewer note: this is the smb.conf exactly as posted; the settings that
# match the trace further down in the message are marked "NOTE(review)".
#       client code page = 866
# NetBIOS name of that comp
        netbios name = TOLTEC
#Name of Domain
        workgroup = liin
#Comment
        server string = Samba PDC %v
#Interface where samba works
        interfaces = 10.0.0.4/24 127.0.0.1/24
        bind interfaces only = yes
        hosts allow = 10.0.0.
        name resolve order = hosts bcast
#DOMAIN CONFIG
        encrypt passwords = Yes
        domain master = Yes
        local master = Yes
        prefered master = Yes
        security = user
        domain logons = yes
# ONLY FOR 2K/XP!
        client ntlmv2 auth = Yes  
# NO WIN9X IN OUR DOMAIN!!!!!
        client lanman auth = no
        client plaintext auth = no
#TEst this
        disable netbios = no
#OS level!!!
        os level = 65 
#ALL about Loggin ^)
# NOTE(review): level 10 is full debug output (the trace below contains
# level-10 entries). It is very verbose; keep it only while diagnosing and
# make sure the per-client files under /var/log/samba are readable by root
# only, since debug traces can include directory and session details.
        log level = 10
        log file = /var/log/samba/%m.log
        max log size = 2000

#WINBIND CONFIG!!!!
        winbind separator = +
        winbind use default domain = Yes
# NOTE(review): these are the same ranges as "idmap uid/gid" below;
# "winbind uid/gid" appears to be the older spelling of the same setting --
# confirm which name the installed version honours rather than keeping both.
        winbind uid =10000-20000
        winbind gid =10000-20000
#If i comment it then
#[2004/07/14 01:30:40, 0] nsswitch/winbindd_util.c:winbindd_param_init(560)
#  winbindd: idmap uid range missing or invalid
#[2004/07/14 01:30:40, 0] nsswitch/winbindd_util.c:winbindd_param_init(561)
#  winbindd: cannot continue, exiting.
#  Could not init idmap -- netlogon proxy only
# strange thing.... on 3.0.4 i don't need to write it
        winbind enum users = yes
        winbind enum groups = yes
        password server= localhost
        
        logon path = \\%L\profiles\%u
        logon script = logon.bat
        
        logon drive = H:
#       logon home = \\%L\%u\.win_profile\%m 
# NO 9X HERE!!!
        
        time server = yes
        
#LDAP STARTS HERE
        passdb backend = ldapsam:ldap://localhost
# NOTE(review): binding as the directory manager gives smbd write access to
# the whole tree; a dedicated DN restricted to the suffixes listed below
# would be the least-privilege choice -- verify what smbldap-populate created.
        ldap admin dn = "cn=Manager,dc=liin,dc=org"
        ldap server = localhost
        ldap port = 389
        ldap suffix = dc=liin,dc=org
        ldap machine suffix = ou=people
        ldap user suffix = ou=people
        ldap group suffix = ou=groups
#       ldap filter = "(&(uid%=%U)(ObjectClass=sambaSamAccount))"
#LDAP continue
        ldap idmap suffix = ou=Idmap
# NOTE(review): the URI here reads "ldap//localhost" -- there is no ':'
# after "ldap", unlike the passdb backend line above. The trace for
# "Problem 2" shows smbldap_open_connection being handed exactly that
# string right before "ldap_initialize: Time limit exceeded", so the
# missing colon is the first thing to check.
        idmap backend = ldap:ldap//localhost
        idmap uid = 10000 - 20000
        idmap gid = 10000 - 20000
#what is it?
        map acl inherit = yes
#       printing = cups
#       printer admin = Administrator

#IDEALx SCRIPT's Rulezz
add user script = /usr/sbin/smbldap-useradd -a -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
        
#       socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
#       load printers = No

#       dns proxy = No
        guest account = nobody

[netlogon]
        path = /usr/local/netlogon
        writable = no 
        browsable = no
[profiles]
        path = /home/nt-prof
        browsable = no
        writable = yes
        create mask = 0600
        directory mask = 0700
# NOTE(review): "guest ok = yes" on a writable share allows connections
# without authentication to write under /home/nt-prof. Profile users are
# already domain accounts, so this looks unnecessary -- confirm it is not
# masking an authentication failure rather than fixing one.
        guest ok = yes
        profile acl = no
[homes]
        read only = no
        browsable = no
        guest ok = no
        map archive = yes

When I try to log on, WinXP (Pro) says:
"Windows cannot find the server profile and is logging you on with a temporary profile."
 or something like that. I have a Russian copy of WinXP.
Next it says:
"Windows cannot find the local profile and is logging you on with a temporary profile."
(that is because I removed c:\Documents and Settings\Default User)
And now the strange thing begins:
It logs on and downloads the default profile from the samba netlogon share (!!!)
I have wasted a week on this problem....
I tried the tdb backend and all works fine; when I go back to the ldap backend things go wrong

OS RH8
OPENLDAP 2.2.14
Samba tested 3.0.4-3.0.5rc1

Problem 2:
Problem with Winbind (or not?)

[2004/07/14 01:59:55, 3] sam/idmap.c:idmap_init(131)
  idmap_init: using 'ldap' as remote backend
[2004/07/14 01:59:55, 5] lib/smbldap.c:smbldap_search(931)
  smbldap_search: base => [ou=Idmap,dc=liin,dc=org], filter => [(objectclass=sambaUnixIdPool)], scope => [2]
[2004/07/14 01:59:55, 10] lib/smbldap.c:smbldap_open_connection(543)
  smbldap_open_connection: ldap//localhost
[2004/07/14 01:59:55, 0] lib/smbldap.c:smbldap_open_connection(546)
  ldap_initialize: Time limit exceeded
[2004/07/14 01:59:55, 1] lib/smbldap.c:smbldap_retry_open(908)
  Connection to LDAP Server failed for the 1 try!
[2004/07/14 01:59:55, 8] lib/util.c:fcntl_lock(1646)
  fcntl_lock 7 13 0 1 1
[2004/07/14 01:59:55, 8] lib/util.c:fcntl_lock(1681)
  fcntl_lock: Lock call successful

I use the IDEALX smbldap-populate script to fill the LDAP directory


