[Samba] Re: Samba/LDAP/PDC Questions
Paul Gienger
pgienger at ae-solutions.com
Tue Jul 20 20:38:56 GMT 2004
ksun at ABINITIO.COM wrote:
>Thank you for the response!
>
>
And thank you for also posting in plaintext. That fonted stuff was
tough to read.
>>> 2. Should the PDC itself be in the ldap backend database?
>>>
>>>
>>I haven't found a good reason that it 'has' to in my tests.
>>
>>
>
>I did join PDC to the domain using 'net rpc join -Uadministrator%secret'
>according to John H. Terpstra's Samba-3 by Example. After joining, I do
>see the PDC machine is the ldap backend database.
>
>
Nothing wrong with that...
>>> 3. In the /etc/ldap.conf, if I turn on the nss stuff, I cannot log
>>> in to the domain anymore. It said "User does not exist".
>>>
>
>>Can you expand on this a bit more? From what you've said (which isn't
>>much) it almost sounds like you didn't have ldap working as the posix
>>auth system before you layered on samba.
>>
>>
>
>My /etc/ldap.conf is as follows:
>############################################
>host 127.0.0.1
>base dc=ab,dc=com
># nss_base_passwd ou=Users,dc=ab,dc=com?one
># nss_base_shadow ou=Users,dc=ab,dc=com?one
># nss_base_group ou=Group,dc=ab,dc=com?one
>ssl no
>pam_password md5
>#############################################
>
>What I was trying to say is that the three nss_base lines:
> o with or without them, I can do 'getent password' etc with all the
>posixAccounts
> o with them uncommented, I cannot log into a domain account from an XP
>machine, though the XP machine itself joined the domain on the fly.
> [* actually I cannot login to a domain account from the XP no matter
>what after I reconfigure the PDC with People for computers *]
> So I wonder what exactly these three lines do.
>
> The PDC is on Fedora 2 system. I ran authconfig to enable ldap
>authentication. The pam.d is automatically configured. I am not sure it is
>using ldap_nss stuff at all.
>
>
Ok, I believe on Fedora that ou=People is the default, so when you
uncomment these then you are changing the authentication system and nss
to look in Users instead of People. It is running on defaults entirely
if these are missing. If you are authenticating directly (ssh or ftp or
something) that should fail as well when you have those lines enabled.
>Right now, I can join the XP machine into the domain but after reboot I
>just cannot log into domain Administrator account. The error from the XP
>is "The system could not log you on, Make sure your user name and domain
>are correct, then type your password again."
>
>
Can you log in with a regular user? Perhaps one that you know is
configured correctly? It sounds like your machine is added correctly or
the error you would get would say something to the effect of 'Cannot
find your machine account or the domain controller is unavailable.' I'm
sure I mangled that error, but that's the best I can remember right now.
>From the log.xp file, I see errors. Any suggestion?
>
>-- Kang Sun
>
>#####################################################
>[2004/07/20 14:42:38, 0] rpc_server/srv_pipe.c:api_pipe_netsec_process(1397)
> failed to decode PDU
>[2004/07/20 14:42:38, 0] rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
> process_request_pdu: failed to do schannel processing.
>######################################################
>
>
A lot of people have posted about schannel stuff, but I think I may have
glossed over the end of those threads. Anybody who actually read them
care to chime in here? :-/
--
Paul Gienger Office: 701-281-1884
Applied Engineering Inc.
Information Systems Consultant Fax: 701-281-1322
URL: www.ae-solutions.com mailto: pgienger at ae-solutions.com
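
An added example, not part of the original message or of Samba/nss_ldap: a small checker that shows which directory entries the quoted /etc/ldap.conf makes visible to NSS with the three nss_base lines commented out versus enabled. It assumes nss_ldap's `base?scope?filter` syntax and that, with no nss_base line for a map, the search falls back to the global `base` with subtree scope; the function names and the entry DNs used with it are constructed for illustration.

```python
# Constructed sample: the /etc/ldap.conf quoted in the thread.
COMMENTED = """\
host 127.0.0.1
base dc=ab,dc=com
# nss_base_passwd ou=Users,dc=ab,dc=com?one
# nss_base_shadow ou=Users,dc=ab,dc=com?one
# nss_base_group ou=Group,dc=ab,dc=com?one
ssl no
pam_password md5
"""
ENABLED = COMMENTED.replace("# nss_base_", "nss_base_")  # same file, lines uncommented


def parse(conf):
    """Return {keyword: value} for the non-comment lines of an ldap.conf."""
    opts = {}
    for line in conf.splitlines():
        fields = line.strip().split(None, 1)
        if fields and not fields[0].startswith("#"):
            opts[fields[0].lower()] = fields[1].strip() if len(fields) > 1 else ""
    return opts


def search_scope(conf, nss_map):
    """Return (base_dn, scope) searched for one NSS map such as 'passwd'."""
    opts = parse(conf)
    base, scope = opts.get("base", ""), opts.get("scope", "sub")
    override = opts.get("nss_base_" + nss_map)
    if override:
        parts = override.split("?")  # base?scope?filter
        base = parts[0]
        if len(parts) > 1 and parts[1]:
            scope = parts[1]
    return base, scope


def rdns(dn):
    # Naive split: assumes no escaped commas in the DN.
    return [part.strip().lower() for part in dn.split(",")]


def visible(conf, nss_map, entry_dn):
    """True if entry_dn falls inside the search configured for nss_map."""
    base_dn, scope = search_scope(conf, nss_map)
    entry, base = rdns(entry_dn), rdns(base_dn)
    if entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)
    return {"base": depth == 0, "one": depth == 1}.get(scope, True)
```

Running `visible(ENABLED, "passwd", dn)` against the DN of an account that fails to log in shows whether the account simply sits outside the container the uncommented line points at.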