[Samba] Users being deleted from Domain Users group on Samba BDC during vampire process of migration

Bradley Tate btate at objectmastery.com
Tue Nov 30 11:23:47 GMT 2004


I'm having the same problem but sadly also have no solution. I'd be 
grateful for any clues.

Cheers,
Bradley.

Alex_Brown at pap.state.ga.us wrote:

>I think I'm having a problem during the vampire process.  Would someone
>tell me why my domain users are being deleted from the Domain Users group
>after they are created?
>
>First, the accounts are being created normally...
>
>Creating account: marshah
>Creating account: marshab
>Creating account: johnp
>.
>.
>.
>Creating account: ronniem
>Creating account: bobbyr
>Creating account: robertk
>Creating account: g4400$
>Creating account: INFI2292-80$
>Creating account: PAP-E06EFL2FLCA$
>Creating account: G830-78$
>Creating account: COL190GPCTAB-62$
>Creating account: PERIA30-63$
>Creating account: ROM010IA30-71$
>Creating account: DEK480IA30-73$
>Group members of Domain Admins:
>charliebrown,faxserver,joeblow(primary),vbe(primary),snoopy(primary),epo,xerox,
>Group members of Domain Users: PRIMARY$(primary),CONSDEV
>$(primary),marshah(primary),marshab(primary),johnp(primary) . . . <snip>
>rajg(primary),FIEGATEWAY450-5$(primary),MAC120I2652-8
>$(primary),FISGE2000D-2$(primary),DISGE2000D-1$(primary),ADA440GPCTAB-6
>$(primary),CJRG450ROG-29$(primary),DAL230GPCTAB-21
>$(primary),THO070GPCTAB-65$(primary),CAN300GPCTAB-5
>$(primary),ADA440GPCTAB-75$(primary),THO070GPCTAB-7
>$(primary),CAN300GPCTAB-4$(primary),DOU400GPCTAB-25
>$(primary),CAR540GPCTAB-8$(primary),LAG310GPCTAB-5$(primary),ELL560GPCTAB-2
>$(primary),LAG310GPCTAB-12$(primary),ELL560GPCTAB-18
>$(primary),LAG310GPCTAB-2$(primary),ELL560GPCTAB-4$(primary),CON360GPCTAB-2
>$(primary),LAG310GPTAB-15$(primary),INFGFE2000D-100
>$(primary),LAG310GPCTAB-6$(primary),DAH590GPCTAB-6$(primary)
>.
>.
>.
><snip>
>
>Then the users are being deleted . . .
>
>deleting user marshah from group Domain Users
>deleting user marshab from group Domain Users
>deleting user johnp from group Domain Users
>.
>.
>.
>deleting user joyceb from group Domain Users
>deleting user lyndae from group Domain Users
>deleting user janices from group Domain Users
>deleting user mredding from group Domain Users
>deleting user darylb from group Domain Users
>deleting user deborahm from group Domain Users
>deleting user tammyc from group Domain Users
>deleting user jeanettb from group Domain Users
>deleting user dessiep from group Domain Users
>deleting user jennifej from group Domain Users
>
>The users with "(primary)" attached to their name are being deleted.  As
>you can see, the Domain Admins group no longer includes jonathanb, ninos or
>vbe.
>
>sd1:~# getent group | grep "Domain Admins"
>Domain Admins:x:512:charliebrown,faxserver,epo,xerox
>
>There were several hundred domain users but after the migration there are
>only a few.
>
>-----------------------------------------------------------------------------------------------------------------------------
>Here is my smb.conf.
>
>[global]
>unix charset = LOCALE
>workgroup = PAP
>netbios name = SD1
>server string =
>announce version = 4.0
>#interfaces = lo
>#bind interfaces only = Yes
>passdb backend = ldapsam:ldap://127.0.0.1
>username map = /etc/samba/smbusers
>log level = 2
>syslog = 0
>log file = /var/log/samba/log.%m
>max log size = 50
>smb ports = 139 445
>name resolve order = wins bcast hosts
>time server = Yes
>printcap name = CUPS
>show add printer wizard = No
>
>add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
>add user script = /usr/local/sbin/smbldap-useradd -m "%u"
>delete user script = /usr/local/sbin/smbldap-userdel "%u"
>add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
>add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
>delete group script = /usr/local/sbin/smbldap-groupdel "%g"
>add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
>delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
>set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
>
>logon script = scripts\SLOGIC.bat
>logon path =
>logon drive = X:
>domain logons = Yes
>domain master = No
>preferred master = Yes
>ldap delete dn = Yes
>ldap suffix = dc=home,dc=us
>ldap machine suffix = ou=Computers
>ldap user suffix = ou=Users
>ldap group suffix = ou=Groups
>
>## Example 6.5. LDAP Based smb.conf File, Server: MASSIVE global Section: Part B
>ldap idmap suffix = ou=Idmap
>ldap admin dn = cn=admin,dc=home,dc=us
>idmap backend = ldap:ldap://127.0.0.1
>idmap uid = 10000-20000
>idmap gid = 10000-20000
>map acl inherit = Yes
>printing = cups
>printer admin = Administrator, alexb
>
>[netlogon]
>comment = Network Logon Service
>path = /var/lib/samba/netlogon
>guest ok = Yes
>locking = No
>
>[homes]
>comment = Home Directories
>valid users = %U
>read only = No
>browseable = No
>
>------------------------------------------------------------------------------------------------------------
>Here is my smbldap.conf
>
>SID removed from this intentionally.
>
># Ex: slaveLDAP=127.0.0.1
>slaveLDAP="127.0.0.1"
>slavePort="389"
>
># Master LDAP : needed for write operations
># Ex: masterLDAP=127.0.0.1
>masterLDAP="127.0.0.1"
>masterPort="389"
>
># Use TLS for LDAP
># If set to 1, this option will use start_tls for connection
># (you should also used the port 389)
>ldapTLS="0"
>
># How to verify the server's certificate (none, optional or require)
># see "man Net::LDAP" in start_tls section for more details
>verify="require"
>
># CA certificate
># see "man Net::LDAP" in start_tls section for more details
>cafile="/etc/smbldap-tools/ca.pem"
>
># certificate to use to connect to the ldap server
># see "man Net::LDAP" in start_tls section for more details
>clientcert="/etc/smbldap-tools/smbldap-tools.pem"
>
># key certificate to use to connect to the ldap server
># see "man Net::LDAP" in start_tls section for more details
>clientkey="/etc/smbldap-tools/smbldap-tools.key"
>
># LDAP Suffix
># Ex: suffix=dc=IDEALX,dc=ORG
>suffix="dc=home,dc=us"
>
># Where are stored Users
># Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
>usersdn="ou=Users,${suffix}"
>
># Where are stored Computers
># Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
>computersdn="ou=Computers,${suffix}"
>
># Where are stored Groups
># Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
>groupsdn="ou=Groups,${suffix}"
>
># Where are stored Idmap entries (used if samba is a domain member server)
># Ex groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
>idmapdn="ou=Idmap,${suffix}"
>
># Where to store next uidNumber and gidNumber available
>sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
>
># Default scope Used
>scope="sub"
>
># Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
>hash_encrypt="SSHA"
>
># if hash_encrypt is set to CRYPT, you may set a salt format.
># default is "%s", but many systems will generate MD5 hashed
># passwords if you use "$1$%.8s". This parameter is optional!
>crypt_salt_format="%s"
>
>##############################################################################
>#
># Unix Accounts Configuration
>#
>##############################################################################
>
># Login defs
># Default Login Shell
># Ex: userLoginShell="/bin/bash"
>userLoginShell="/bin/bash"
>#userLoginShell="/bin/false"
>
># Home directory
># Ex: userHome="/home/%U"
>userHome="/home/%U"
>#userHome="/dev/null"
>
># Gecos
>userGecos="System User"
>
># Default User (POSIX and Samba) GID
>defaultUserGid="513"
>
># Default Computer (Samba) GID
>defaultComputerGid="515"
>
># Skel dir
>skeletonDir="/etc/skel"
>
># Default password validation time (time in days) Comment the next line if
># you don't want password to be enable for defaultMaxPasswordAge days (be
># careful to the sambaPwdMustChange attribute's value)
>defaultMaxPasswordAge="99"
>
>##############################################################################
>#
># SAMBA Configuration
>#
>##############################################################################
>
># The UNC path to home drives location (%U username substitution)
># Ex: \\My-PDC-netbios-name\homes\%U
># Just set it to a null string if you want to use the smb.conf 'logon home'
># directive and/or disable roaming profiles
>#userSmbHome="\\SD1\homes\%U"
>userSmbHome=""
>
># The UNC path to profiles locations (%U username substitution)
># Ex: \\My-PDC-netbios-name\profiles\%U
># Just set it to a null string if you want to use the smb.conf 'logon path'
># directive and/or disable roaming profiles
>#userProfile="\\SD1\profiles\%U"
>userProfile=""
>
># The default Home Drive Letter mapping
># (will be automatically mapped at logon time if home directory exist)
># Ex: H: for H:
>userHomeDrive="X:"
>#userHomeDrive=""
>
># The default user netlogon script name (%U username substitution)
># if not used, will be automatically username.cmd
># make sure script file is edited under dos
># Ex: %U.cmd
># userScript="startup.cmd" # make sure script file is edited under dos
>userScript="SLOGIC.bat"
>#userScript=""
>-------------------------------------------------------------------------------------------------------------------------
>And here is my libnss-ldap.conf
>host 127.0.0.1
>
># The distinguished name of the search base.
>base dc=home,dc=us
>
># The LDAP version to use (defaults to 3
># if supported by client library)
>ldap_version 3
>
># The distinguished name to bind to the server with
># if the effective user ID is root. Password is
># stored in /etc/ldap.secret (mode 600)
>rootbinddn cn=admin,dc=home,dc=us
>
>nss_base_group          ou=Groups,dc=home,dc=us?one
>nss_base_hosts          ou=Computers,dc=home,dc=us?one
>----------------------------------------------------------------------------------------------------------------------
>
>What am I doing wrong?
>
>Thanks for any help you can give.
>
>Alex
>
>
>  
>
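
One way to check the "(primary)" observation above against a complete vampire log, as an added example that is not part of the original thread: the three line formats are taken from the quoted output, the sample log is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the quoted output (not the poster's log).
SAMPLE_LOG = """\
Creating account: marshah
Creating account: johnp
Creating account: G830-78$
Group members of Domain Admins:
charliebrown,faxserver,vbe(primary),epo,
Group members of Domain Users: marshah(primary),johnp(primary),G830-78
$(primary),epo
deleting user marshah from group Domain Users
deleting user johnp from group Domain Users
"""

CREATE = re.compile(r"^Creating account: (\S+)$")
MEMBERS = re.compile(r"^Group members of ([^:]+):\s*(.*)$")
DELETE = re.compile(r"^deleting user (\S+) from group (.+)$")
PRIMARY = "(primary)"

def parse_vampire_log(text):
    """Return (created, members, deleted); members[group][name] = is_primary."""
    created, raw_lists, deleted = set(), {}, defaultdict(set)
    group = None  # group whose (possibly wrapped) member list is being read
    for line in text.splitlines():
        line = line.strip()
        if m := CREATE.match(line):
            created.add(m.group(1))
            group = None
        elif m := DELETE.match(line):
            deleted[m.group(2)].add(m.group(1))
            group = None
        elif m := MEMBERS.match(line):
            group = m.group(1)
            raw_lists[group] = m.group(2)
        elif group is not None and line not in ("", ".", "<snip>"):
            raw_lists[group] += line  # a wrap can split a name: join without separator
    members = {}
    for g, raw in raw_lists.items():
        items = [i.strip() for i in raw.split(",") if i.strip()]
        members[g] = {i[:-len(PRIMARY)] if i.endswith(PRIMARY) else i: i.endswith(PRIMARY) for i in items}
    return created, members, dict(deleted)

def removed_members(text):
    """(group, user, was_primary, created_in_this_run) for each deletion line."""
    created, members, deleted = parse_vampire_log(text)
    return [(g, u, members.get(g, {}).get(u, False), u in created)
            for g in sorted(deleted) for u in sorted(deleted[g])]
```

If every tuple returned for a real log has `was_primary` set, the deletions track primary-group membership rather than a random subset of accounts; comparing the result with `getent group` afterwards shows which memberships actually survived.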


