[Samba] Samba/LDAP/PDC Questions

ksun at ABINITIO.COM ksun at ABINITIO.COM
Mon Jul 19 21:10:29 GMT 2004 

Greetings!

I created a Samba/OpenLDAP/smbldap-tools Primary Domain Controller. So far 
I am able to do the folowing:
        1. Using USRMGR,EXE to administrating users and groups.
        2. Adding Windows 2000, XP workstation on the fly.
        3. PDBEDIT/SMBLDAP-TOOLS/GQ all works as they suppose to.
        4. LDAP autheticate unix accounts.

However, I am not able to to the following:
        1. Cannot joint an NT machine (SP6a) into the domwin. It keeps 
saying that "the Machine account is not available or not accessible" even 
if I manually added the machine account manually using "smbldap-useradd 
NT$".
        2. Cannot use SRVMGR.EXE to add machine to domain. It complains 
"Access Denied", though I can do other things like change the permission 
of a share etc."
        3. Cannot join an existing domain after I configure it as a BDC 
with the PDC's SID. It complains "Failed to setup BDC creds".

It looks like the communication between samba and openldap is OK since I 
can managing user/group with USRMGR.EXE. However, a few questions puzzles 
me:
        1. In what situtation do I need People group as the group for 
machines?
        2. Should the PDC itself be in the ldap backend database?
        3. In the /etc/ldap.conf, if I turn on the nss staff, I cannot log 
in to the dmain anymore. It said "User does not exist".

Here are the specs of my setup:
        Fedora 2 (kernel 2.6.5-1.358)
        samba-3.0.3-5
        openldap-2.1.29-1
        smbldap-tools-0.8.5-1.1.fc2.dag

########### /etc/samba/smb.conf #########################
[global]
        workgroup = ab
        netbios name = pdc
        username map = /etc/samba/smbusers
        admin users= @"Domain Admins"
        server string = Samba Server %v
        security = user
        encrypt passwords = Yes
        min passwd length = 3
        obey pam restrictions = No
        ldap passwd sync = Yes
        time server = Yes
        mangling method = hash2

        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        passdb backend = ldapsam:ldap://127.0.0.1/
        ldap admin dn = cn=Manager,dc=ab,dc=com
        ldap suffix = dc=ab,dc=com
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Users
        ldap ssl = no
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        ldap delete dn = Yes
        delete user script = /usr/sbin/smbldap-userdel "%u"
        add machine script = /usr/sbin/smbldap-useradd -w "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g" 
        delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" 
"%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
        preserve case = yes
        short preserve case = yes
        case sensitive = no

[homes]
        comment = repertoire de %U, %u
        read only = No
        create mask = 0644
        directory mask = 0775
        browseable = No

[netlogon]
        path = /home/netlogon/
        browseable = No
        read only = yes

[profiles]
        path = /home/profiles
        read only = no
        create mask = 0600
        directory mask = 0700
        browseable = No
        guest ok = Yes
        profile acls = yes
        csc policy = disable
        # next line is a great way to secure the profiles 
        force user = %U 
        # next line allows administrator to access all profiles 
        valid users = %U "Domain Admins"

##################### /etc/openldap/slap.conf 
################################
#
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/redhat/autofs.schema
include         /etc/openldap/schema/samba.schema

allow bind_v2
pidfile /var/run/slapd.pid

database        ldbm
suffix          "dc=ab,dc=com"
rootdn          "cn=Manager,dc=ab,dc=com"
rootpw          some secret

directory       /var/lib/ldap

index objectClass                       eq,pres
index ou,cn,mail,surname,givenname      eq,pres,sub
index uidNumber,gidNumber,loginShell    eq,pres
index uid,memberUid                     eq,pres,sub
index nisMapName,nisMapEntry            eq,pres,sub

##################### /etc/smbldap-tools/smbldap.conf 
################################

SID="S-1-5-21-324808091-3910462042-2848579765"

slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"

ldapTLS="0"

suffix="dc=ab,dc=com"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"

scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"

userLoginShell="/bin/tcsh"
userHome="/u/%U"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"

userSmbHome="\\pdc\%U"
userProfile=""
userHomeDrive="H:"

with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

######################## /etc/ldap.conf ################################
#
host 127.0.0.1
base dc=ab,dc=com
# nss_base_passwd        ou=Users,dc=ab,dc=com?one
# nss_base_shadow        ou=Users,dc=ab,dc=com?one
# nss_base_group         ou=Group,dc=ab,dc=com?one
ssl no
pam_password md5

--- Kang Sun

More information about the samba mailing list