[Samba] Re: Samba/LDAP/PDC Questions

Paul Gienger pgienger at ae-solutions.com
Tue Jul 20 20:38:56 GMT 2004


ksun at ABINITIO.COM wrote:

>Thank you for the response!
>  
>
And thank you for also posting in plaintext.  That fonted stuff was 
tough to read.

>>>       2. Should the PDC itself be in the ldap backend database?
>>>      
>>>
>>I haven't found a good reason that it 'has' to in my tests.
>>    
>>
>
>I did join PDC to the domain using 'net rpc join -Uadministrator%secret' 
>according to John H. Terpstra's Samba-3 by Example. After joining, I do 
>see the PDC machine in the ldap backend database. 
>  
>
Nothing wrong with that...

>>>       3. In the /etc/ldap.conf, if I turn on the nss stuff, I cannot log 
>>>in to the domain anymore. It said "User does not exist".
>>>      
>>>
>
>  
>
>>Can you expand on this a bit more?  From what you've said (which isn't 
>>much) it almost sounds like you didn't have ldap working as the posix 
>>auth system before you layered on samba.
>>    
>>
>
>My /etc/ldap.conf is as follows:
>############################################
>host 127.0.0.1
>base dc=ab,dc=com
># nss_base_passwd        ou=Users,dc=ab,dc=com?one
># nss_base_shadow        ou=Users,dc=ab,dc=com?one
># nss_base_group         ou=Group,dc=ab,dc=com?one
>ssl no
>pam_password md5
>#############################################
>
>What I was trying to say is that the three nss_base lines:
>   o with or without them, I can do 'getent passwd' etc with all the 
>posixAccounts
>   o with them uncommented, I cannot log into a domain account from an XP 
>machine, though the XP machine itself joined the domain on the fly.
>   [* actually I cannot log in to a domain account from the XP no matter 
>what after I reconfigure the PDC with People for computers *]
>   So I wonder what exactly these three lines do.
>
>   The PDC is on Fedora 2 system. I ran authconfig to enable ldap 
>authentication. The pam.d is automatically configured. I am not sure it is 
>using ldap_nss stuff at all.
>  
>
Ok, I believe on Fedora that ou=People is the default, so when you 
uncomment these then you are changing the authentication system and nss 
to look in Users instead of People.  It is running on defaults entirely 
if these are missing.  If you are authenticating directly (ssh or ftp or 
something) that should fail as well when you have those lines enabled.

>Right now, I can join the XP machine into the domain but after reboot I 
>just cannot log into domain Administrator account. The error from the XP 
>is "The system could not log you on, Make sure your user name and domain 
>are correct, then type your password again."
>  
>
Can you log in with a regular user?  Perhaps one that you know is 
configured correctly?  It sounds like your machine is added correctly or 
the error you would get would say something to the effect of 'Cannot 
find your machine account or the domain controller is unavailable.'  I'm 
sure I mangled that error, but that's the best I can remember right now.

>From the log.xp file, I see errors. Any suggestion?
>
>-- Kang Sun
>
>#####################################################
>[2004/07/20 14:42:38, 0] 
>rpc_server/srv_pipe.c:api_pipe_netsec_process(1397)
>  failed to decode PDU
>[2004/07/20 14:42:38, 0] 
>rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
>  process_request_pdu: failed to do schannel processing.
>######################################################
>  
>
A lot of people have posted about schannel stuff, but I think I may have 
glossed over the end of those threads.  Anybody who actually read them 
care to chime in here? :-/


-- 
Paul Gienger                     Office: 701-281-1884
Applied Engineering Inc.         
Information Systems Consultant   Fax:    701-281-1322
URL: www.ae-solutions.com        mailto: pgienger at ae-solutions.com
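The point Paul makes about the three nss_base_* lines (commented out, nss_ldap searches the global `base` with subtree scope; uncommented, each map is pinned to the named OU with the given scope, so accounts stored elsewhere become invisible to getpwnam and Samba) can be checked without touching a live directory. The following is an added example, not code from this thread or from the nss_ldap project; it parses the nss_ldap `nss_base_<map> <dn>?<scope>?<filter>` directive syntax and reports which entries a lookup would reach. The two config texts are constructed variants of the ldap.conf posted above, and the user DN `uid=kang,ou=People,dc=ab,dc=com` is an assumed example, not an entry from the poster's directory.

```python
"""Resolve the effective NSS search bases from an nss_ldap-style /etc/ldap.conf.

Added example (not from the samba list thread or the nss_ldap project).
Models the directive syntax
    nss_base_<map>  <dn>[?<scope>[?<filter>]]
where a commented-out or missing directive falls back to the global
``base`` directive with subtree scope.
"""

import re

# Constructed sample: the posted ldap.conf with the nss_base_* lines active.
SAMPLE_ACTIVE = """\
host 127.0.0.1
base dc=ab,dc=com
nss_base_passwd        ou=Users,dc=ab,dc=com?one
nss_base_shadow        ou=Users,dc=ab,dc=com?one
nss_base_group         ou=Group,dc=ab,dc=com?one
ssl no
pam_password md5
"""

# Constructed sample: the same file with those lines commented out, as posted.
SAMPLE_DEFAULTS = re.sub(r"^(nss_base_)", r"# \1", SAMPLE_ACTIVE, flags=re.M)

NSS_MAPS = ("passwd", "shadow", "group")
VALID_SCOPES = {"base", "one", "sub"}


def parse_ldap_conf(text):
    """Return {directive: value} for active (non-comment, non-blank) lines."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # nss_ldap ignores comments and blank lines
        parts = line.split(None, 1)
        if len(parts) == 2:
            directives[parts[0].lower()] = parts[1].strip()
    return directives


def effective_nss_bases(text):
    """Map each NSS database to the (dn, scope) that nss_ldap will search."""
    conf = parse_ldap_conf(text)
    global_base = conf.get("base")
    result = {}
    for name in NSS_MAPS:
        spec = conf.get("nss_base_" + name)
        if spec is None:
            # No directive: search the global base, subtree scope.
            result[name] = (global_base, "sub")
            continue
        fields = spec.split("?")
        dn = fields[0]
        scope = fields[1] if len(fields) > 1 and fields[1] else "sub"
        if scope not in VALID_SCOPES:
            raise ValueError("bad scope %r in nss_base_%s" % (scope, name))
        result[name] = (dn, scope)
    return result


def _norm(dn):
    # Case-fold and strip whitespace around RDNs; escaped commas are not handled.
    return ",".join(p.strip().lower() for p in dn.split(","))


def entry_is_visible(entry_dn, search_base, scope):
    """True if an entry at entry_dn is reached by a search from search_base."""
    e, b = _norm(entry_dn), _norm(search_base)
    if scope == "base":
        return e == b
    if not (e == b or e.endswith("," + b)):
        return False  # outside the subtree entirely
    if scope == "one":
        # one-level scope: exactly one RDN below the base
        return e != b and "," not in e[: -(len(b) + 1)]
    return True


def explain_lookup(text, entry_dn):
    """Which NSS maps would find entry_dn under this config?"""
    return {name: entry_is_visible(entry_dn, dn, scope)
            for name, (dn, scope) in effective_nss_bases(text).items()}


if __name__ == "__main__":
    user = "uid=kang,ou=People,dc=ab,dc=com"  # assumed example DN
    for label, conf in (("nss_base lines commented", SAMPLE_DEFAULTS),
                        ("nss_base lines active", SAMPLE_ACTIVE)):
        print(label, effective_nss_bases(conf), explain_lookup(conf, user))
```

With the lines commented out, a user under ou=People is found because the subtree search from dc=ab,dc=com covers every OU; with them active, the passwd map only sees entries one level under ou=Users, which matches the "User does not exist" symptom. The same applies to Samba 3 machine trust accounts (the `name$` entries), which are also resolved through the passwd map, so an account kept under an OU outside the nss_base_passwd base fails the same way. On the real box the equivalent check is `getent passwd <name>` before and after editing the file.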
