[Samba] PDC Problems(winbind, joining domain, net groupmap, etc), FreeBSD 5.3, LDAP

Flatfender flatfender at gmail.com
Wed Apr 13 21:20:06 GMT 2005


Goal: Have Samba operate as a PDC using LDAP as its passwd backend. 
Be able to have W2K servers as member servers.

Note: I have not posted any .conf files, because I am not sure which
files would be relevant to see, since some things are working and
some things are not.

Software list:

Samba 3.0.12
nss_ldap-1.204_5 
openldap-client-2.2.19
openldap-server-2.2.23
p5-perl-ldap-0.32.02
pam_ldap-1.7.6
smbldap-tools-0.8.8

What works:

Openldap seems to be working fine, and I can use SSH & IMAP with LDAP
user credentials.
ldapsearch works with starttls.
smbldap scripts from idealx seem to work (also with starttls).
smbldap-populate worked fine, as well as smbldap-useradd.

If I browse network neighborhood with a w2k client I can authenticate
to a user's home share that is in LDAP.

What doesn't work:

wbinfo -g shows:

BUILTIN^administrators
BUILTIN^account operators
BUILTIN^print operators
BUILTIN^backup operators
BUILTIN^replicators

I would have expected it to show the domain name instead of BUILTIN,
which makes me think the ldap lookup is failing.

wbinfo -u shows:
Error looking up domain users

Also when I try to join a W2K Pro workstation to the domain using the
root account/password it fails with the "username cannot be found" error
message.  But the add machine script partially works.
smbldap-useradd -w adds the posix attributes to the ldap directory but
the samba attributes are missing.  I have workstations being added to
the ou=computer section in ldap, and I have my ldap.conf and
nss_ldap.conf set to point to a level above ou=Users and ou=computers
for the passwd side of things so that they should be properly found
when descending the ldap tree.

Trying to add or modify group mappings with net groupmap add or net
groupmap modify fails.

Since getent isn't implemented in FreeBSD, I am using "pw group show
-a" and "pw user show -a".  This enumerates local files but nothing
from LDAP.

One thing I have noticed about the idealx smbldap scripts is that they
will write a partial record to ldap even if part of the script fails.

Also, I thought I read at one point that the nsswitch implementation
in FreeBSD is missing some components so user and groups still need to
be in local /etc/group & /etc/passwd files.  Can anyone confirm the
status of this?

I think I am a little unsure of how to handle both unix and nt groups
in an ldap implementation.


If anyone has any ideas on where to begin troubleshooting this, I
would appreciate it.


Thank You,

Matt
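The post reports that smbldap-useradd -w leaves machine entries with POSIX attributes but no Samba attributes, and that the idealx scripts can write partial records. The script below is an added example, not part of the original post or of smbldap-tools: it parses LDIF such as "ldapsearch -x -ZZ -LLL -b ou=Computers,... objectClass=posixAccount" would print and lists every posixAccount entry that lacks the sambaSamAccount objectClass or the sambaSID/sambaAcctFlags attributes a PDC needs. The sample LDIF, DNs and SIDs are constructed.

```python
"""Find LDAP accounts that have POSIX attributes but incomplete Samba attributes."""

# Constructed LDIF in the shape ldapsearch -LLL prints; not real directory data.
SAMPLE_LDIF = """\
dn: uid=ws01$,ou=Computers,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
uid: ws01$
uidNumber: 1001
gidNumber: 515

dn: uid=ws02$,ou=Computers,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws02$
uidNumber: 1002
gidNumber: 515
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3004
sambaAcctFlags: [W          ]
"""

# Attributes Samba expects on a sambaSamAccount entry (assumption: minimal set).
REQUIRED_SAMBA_ATTRS = ("sambaSID", "sambaAcctFlags")


def parse_ldif(text):
    """Parse plain LDIF (folded lines joined, base64 '::' values not decoded)
    into a list of dicts mapping attribute name -> list of values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # LDIF folding: leading space continues prior line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], None
    for line in lines:
        if not line.strip():                # blank line ends an entry
            if cur:
                entries.append(cur)
            cur = None
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        value = value.lstrip(": ").rstrip() # tolerate 'attr:: ' as an opaque value
        if attr == "dn":
            cur = {"dn": [value]}
        elif cur is not None:
            cur.setdefault(attr, []).append(value)
    if cur:
        entries.append(cur)
    return entries


def find_partial_entries(text):
    """Return [(dn, [missing items])] for posixAccount entries without full Samba data."""
    partial = []
    for entry in parse_ldif(text):
        classes = entry.get("objectClass", [])
        if "posixAccount" not in classes:
            continue
        missing = []
        if "sambaSamAccount" not in classes:
            missing.append("objectClass: sambaSamAccount")
        missing += [a for a in REQUIRED_SAMBA_ATTRS if a not in entry]
        if missing:
            partial.append((entry["dn"][0], missing))
    return partial


if __name__ == "__main__":
    for dn, missing in find_partial_entries(SAMPLE_LDIF):
        print(dn, "is missing:", ", ".join(missing))
```

Feeding it the real ldapsearch output of ou=Computers and ou=Users shows exactly which entries the scripts left half-written, which is the first thing to check before debugging winbind or net groupmap.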

