[Samba] security = ads: problem join XP Pro?

Paul Gienger pgienger at ae-solutions.com
Wed Jun 9 19:51:24 GMT 2004

Where are you getting with adding the machines?  You should get a posix 
user added with machinename$ for the uid, then that user will be 
modified to include the sambaSamAccount data. 

I would suggest these for 'official' resources:
There are a couple of comments below:

>;unix charset = LOCALE
>workgroup = cyberspicace
>netbios name = fs01
>server string = fs01
>socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
>wins support = yes
>;PDC and master browser settings
>os level = 64
>preferred master = yes
>local master = yes
>domain master = yes
>domain logons = yes
>;security and logging settings
>security = user
>encrypt passwords = yes
>unix password sync = yes
>passdb backend = ldapsam:ldap://fs01.cyberspicace.com
>username map = /etc/samba/smbusers
>log level = 1
>syslog = 0
>log file = /var/log/samba/%m
>max log size = 50
>smb ports = 139 445
>;security - interface
>interfaces = eth0 lo 127/8
>bind interfaces only = yes

Not necessarily related to your problem, but you could probably do away 
with these if you're on a protected LAN.  Let's try to not be any more 
restrictive than we have to, at least not while testing.

>name resolve order = wins bcast hosts
>time server = yes
>printcap name = CUPS
>printing = cups
>show add printer wizard = yes
>;various scripts
>passwd program = /var/lib/samba/sbin/smbldap-passwd.pl -o %u
>passwd chat = *new*password* %n\n *new*password* %n\n *successfully*
>add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'
>delete user script = /var/lib/samba/sbin/smbldap-userdel.pl %u
>add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'
>delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl '%'g
>add user to group script = /var/lib/samba/sbin/smbldap-groupmod.pl -m '%u'
>delete user from group script = /var/lib/samba/sbin/smbldap-groupmod.pl -x
>set primary group script = /var/lib/samba/sbin/smbldap-usermod.pl -g '%g'
>add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'

You didn't mention, did you configure the smbldap-tools package?  I 
would assume that you did, but covering all the bases here.

>logon script = scripts\logon.bat
>logon path = \\%L\profiles\%U
>logon drive = X:
>admin users = "@Domain Admins"
>printer admin = "@Domain Admins"
>;ldap backend
>ldap suffix = dc=cyberspicace,dc=com
>ldap machine suffix = ou=People
>ldap user suffix = ou=People
>ldap group suffix = ou=Groups
>ldap idmap suffix = ou=Idmap
>ldap admin dn = cn=Manager,dc=cyberspicace,dc=com

Did you store the password for the admin dn with smbpasswd -w ...

>idmap backend = ldap:ldap://fs01.cyberspicace.com
>idmap uid = 10000-20000
>idmap gid = 10000-20000

Don't need these unless you're using winbind.

>map acl inherit = Yes
>include = /etc/samba/shares.conf
>>Are you running any windows servers in your setup or just one samba box
>>and the clients?
>>Assuming the latter, which sounds like you unless I'm badly mis-reading
>>you here, you don't *need* any special DNS entries to make things work.
>>Perhaps you could attach your smb.conf file?  It sounds like your
>>security parameter is way out of whack, which could be causing your
>>security = domain
>>  is for when you have a functioning NT network to add this machine to
>>that holds your login info.  I've successfully added a 3.0 machine to a
>>2.2.x network and then not had to do any passdb setup on it.
>>security = ads
>>  is for configuring authentication against an existing 2000 (/2003?) AD
>>network, which you haven't mentioned here.
>>You probably want (from TOSHaRG):
>>preferred master = yes
>>domain master = yes
>>local master = yes
>>security = user
>>domain logons = yes
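
Added example, not part of the original message and not Samba's own code: a small Python check that reads smb.conf text and flags the settings this thread asks about (security mode on a domain logon server, the add machine script, the LDAP admin dn, idmap ranges). The function names and finding labels are hypothetical, and the sample config is constructed from parameters quoted above.

```python
# Added example: lint smb.conf text against the points raised in this thread.
# SAMPLE is constructed from settings quoted in the message, with security = ads
# as in the subject line; function names and finding labels are hypothetical.
SAMPLE = """\
; constructed sample
workgroup = cyberspicace
security = ads
domain logons = yes
passdb backend = ldapsam:ldap://fs01.cyberspicace.com
ldap admin dn = cn=Manager,dc=cyberspicace,dc=com
idmap uid = 10000-20000
"""

def parse_smb_conf(text):
    """Return {parameter: value}, skipping comments and section headers."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":
            continue
        name, sep, value = line.partition("=")
        if sep:
            # smb.conf parameter names ignore case; normalise inner spacing too
            params[" ".join(name.lower().split())] = value.strip()
    return params

def is_yes(value):
    return value.strip().lower() in ("yes", "true", "1")

def check_domain_controller(params):
    """Return labels for settings that conflict with the advice in the thread."""
    findings = []
    pdc = is_yes(params.get("domain logons", "no"))
    security = params.get("security", "user").lower()  # assumption: unset means user
    if pdc and security != "user":
        findings.append("security-not-user")        # ads/domain join an existing domain
    if pdc and "add machine script" not in params:
        findings.append("no-add-machine-script")    # nothing creates machinename$
    if params.get("passdb backend", "").startswith("ldapsam"):
        if "ldap admin dn" not in params:
            findings.append("no-ldap-admin-dn")
        else:
            findings.append("verify-smbpasswd-w")   # password must be stored separately
    if any(k in params for k in ("idmap uid", "idmap gid", "idmap backend")):
        findings.append("idmap-set-check-winbind")  # reply: only needed with winbind
    return findings

if __name__ == "__main__":
    for label in check_domain_controller(parse_smb_conf(SAMPLE)):
        print(label)
```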

