[Samba] Re: Samba/LDAP/PDC Questions

ksun at ABINITIO.COM ksun at ABINITIO.COM
Tue Jul 20 19:06:20 GMT 2004


Thank you for the response!



>>        1. In what situation do I need People group as the group for 
>>machines?

> Always.  Until they fix the bug/design issue that is.

OK, I reconfigured smb.conf and smbldap_config.pm to Users for users, 
Groups for groups, and People for computers.

>>        2. Should the PDC itself be in the ldap backend database?

> I haven't found a good reason that it 'has' to in my tests.

I did join PDC to the domain using 'net rpc join -Uadministrator%secret' 
according to John H. Terpstra's Samba-3 by Example. After joining, I do 
see the PDC machine is the ldap backend database. 

>>        3. In the /etc/ldap.conf, if I turn on the nss stuff, I cannot 
>> log in to the domain anymore. It said "User does not exist".

> Can you expand on this a bit more?  From what you've said (which isn't 
> much) it almost sounds like you didn't have ldap working as the posix 
> auth system before you layered on samba.

My /etc/ldap.conf is as follows:
############################################
host 127.0.0.1
base dc=ab,dc=com
# nss_base_passwd        ou=Users,dc=ab,dc=com?one
# nss_base_shadow        ou=Users,dc=ab,dc=com?one
# nss_base_group         ou=Group,dc=ab,dc=com?one
ssl no
pam_password md5
#############################################

What I was trying to say is that the three nss_base lines:
   o with or without them, I can do 'getent password' etc. with all the 
     posixAccounts
   o with them uncommented, I cannot log into a domain account from an XP 
     machine, though the XP machine itself joined the domain on the fly.
   [* actually I cannot log in to a domain account from the XP no matter 
      what after I reconfigure the PDC with People for computers *]
   So I wonder what exactly these three lines do.

   The PDC is on Fedora 2 system. I ran authconfig to enable ldap 
authentication. The pam.d is automatically configured. I am not sure it is 
using ldap_nss stuff at all.

Right now, I can join the XP machine into the domain but after reboot I 
just cannot log into the domain Administrator account. The error from the XP 
is "The system could not log you on, Make sure your user name and domain 
are correct, then type your password again."

From the log.xp file, I see errors. Any suggestions?

-- Kang Sun

#####################################################
[2004/07/20 14:42:38, 0] rpc_server/srv_pipe.c:api_pipe_netsec_process(1397)
  failed to decode PDU
[2004/07/20 14:42:38, 0] rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
  process_request_pdu: failed to do schannel processing.
######################################################



