[Samba] PROBLEM WITH SAMBA AS PDC + LDAP joining MS MACHINES

Pablo Bullian pablo.bullian at gmail.com
Thu Dec 14 19:17:05 GMT 2006


Hi, I have a problem when I try to join Windows XP or 2000 machines to my new
samba+ldap PDC: I get the error USER COULD NOT BE FOUND, or something
like that (I have it in Spanish), but with phpmyldapadmin I can see
that the machine account appears. I am joining the machines as the user
root, which I added with smbldap-populate -a root and then modified with
smbldap-usermod -u 0 root (I think that sets the uid to 0).

Here are my configs:

-------------------------------------------------------------------------
smb.conf

# Global parameters
# smb.conf for a Samba domain controller (domain logons = Yes) whose account
# database is an LDAP directory on the local host (passdb backend = ldapsam).
[global]
        workgroup = SIS
        netbios name = pdc-linux
        #interfaces = 192.168.5.11
        #username map = /etc/samba/smbusers
        # Turns on Samba's user-rights support.
        # NOTE(review): with rights enabled, the right to add machines to the
        # domain (SeMachineAccountPrivilege) can be granted to a dedicated
        # account, so joins need not be performed as root (uid 0) - confirm
        # for the Samba version in use.
        enable privileges = yes
        server string = Samba Server %v
        security = user
        encrypt passwords = Yes
        # NOTE(review): a 3-character minimum permits trivially guessable
        # passwords; raise it to match the site's password policy.
        min passwd length = 3
        obey pam restrictions = No
        ldap passwd sync = Yes
        #unix password sync = Yes
        passwd program = /usr/sbin/smbldap-passwd -u %u
        # NOTE(review): the passwd chat value below is split across two lines
        # (it looks like mail-client wrapping) and its quotes are unbalanced;
        # in the real file it has to be one line with matched quotes.
        passwd chat = "Changing password for*\nNew password*" %n\n
"*Retype new password*" %n\n"
        # Duplicate of the 'ldap passwd sync' line above (same value).
        ldap passwd sync = Yes
        # NOTE(review): level 0 records almost nothing; while diagnosing the
        # failed join, a higher level shows which account lookup fails in the
        # per-client log file configured below.
        log level = 0
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 100000
        time server = Yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        mangling method = hash2
        Dos charset = 850
        Unix charset = ISO8859-1

        # Duplicate of the 'obey pam restrictions' line above (same value).
        obey pam restrictions = no

        logon script = logon.bat
        logon drive = H:
        logon home =
        logon path =

        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        # The directory is reached over the loopback address, so this LDAP
        # traffic does not leave the host.
        passdb backend = ldapsam:ldap://127.0.0.1/
        # passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://slave.idealx.com"
        # ldap filter = (&(objectclass=sambaSamAccount)(uid=%u))
        # Samba binds to the directory as this DN; it is the same DN that
        # slapd.conf declares as rootdn.
        ldap admin dn = cn=Admin,dc=PDC,dc=COM
        ldap suffix = dc=PDC,dc=COM
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        # Machine accounts are stored under ou=Computers.
        # NOTE(review): NSS must be able to resolve entries in this container
        # as Unix accounts; nss_base_passwd in libnss-ldap.conf covers only
        # ou=Users - verify, this may be why the join reports that the user
        # cannot be found although the entry exists in LDAP.
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Users
        # NOTE(review): StartTLS is disabled. That is tolerable only while the
        # directory stays on 127.0.0.1; enable it before using a remote LDAP
        # server (as in the commented two-server example above), otherwise
        # binds and password hashes cross the network unencrypted.
       # ldap ssl = start tls
        # Account-management hooks run by smbd. %u and %g are substituted by
        # Samba; keep the double quotes around them in every command line.
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        ldap delete dn = Yes
        #delete user script = /usr/sbin/smbldap-userdel "%u"
        add machine script = /usr/sbin/smbldap-useradd -w "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        #delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

        # printers configuration
        printer admin = @"Print Operators"
        load printers = Yes
        create mask = 0640
        directory mask = 0750
        nt acl support = No
        printing = cups
        printcap name = cups
        deadtime = 10
        # Logons with an unknown user name are mapped to the guest account
        # (nobody). Combined with the shares below that set 'guest ok = Yes',
        # this gives unauthenticated clients access to those shares.
        guest account = nobody
        map to guest = Bad User
        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
        show add printer wizard = yes
        # NOTE(review): the comment below was wrapped in the mail; its second
        # line ("profile folders:") no longer starts with a comment character.
        ; to maintain capital letters in shortcuts in any of the
profile folders:
        preserve case = yes
        short preserve case = yes
        case sensitive = no

# Per-user home directory share: writable, hidden from browse lists.
[homes]
        comment = repertoire de %U, %u
        read only = No
        # NOTE(review): 0644 makes new files world-readable and 0775 makes new
        # directories group-writable and world-readable on the server's
        # filesystem; tighten both if other local accounts must not read
        # users' home directories.
        create mask = 0644
        directory mask = 0775
        browseable = No

# Share that serves the logon script named in [global] (logon.bat).
[netlogon]
        path = /home/netlogon/
        browseable = No
        # Kept read-only for clients: the script is run by workstations at
        # logon, so write access to this path should remain limited to
        # administrators on the server itself.
        read only = yes

# Roaming-profile storage: writable, owner-only file and directory masks.
[profiles]
        path = /home/profiles
        read only = no
        create mask = 0600
        directory mask = 0700
        browseable = No
        # NOTE(review): guest access is enabled on a share that holds user
        # profiles, and [global] maps unknown users to guest. The
        # 'valid users' line below is then the only access restriction;
        # 'guest ok = No' would be the safer setting unless guest access is
        # known to be required.
        guest ok = Yes
        profile acls = yes
        csc policy = disable
        # next line is a great way to secure the profiles
        force user = %U
        # next line allows administrator to access all profiles
        # NOTE(review): "Domain Admins" has no leading @, unlike the
        # @"Print Operators" entries elsewhere in this file, so it is probably
        # matched as a user name rather than a group - confirm.
        valid users = %U "Domain Admins"

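# Spool share for network printers; guests are allowed to submit jobs.
[printers]
        comment = Network Printers
        printer admin = @"Print Operators"
        # Unauthenticated clients may print (see 'map to guest' in [global]).
        guest ok = yes
        path = /home/spool/
        browseable = No
        read only = Yes
        # 'printable' appeared twice with the same value; one copy is kept so
        # the effective setting does not depend on duplicate-key handling.
        printable = Yes
        # %p = printer name, %s = spool file, %j = job number (substituted by
        # Samba).
        # NOTE(review): [global] sets 'printing = cups'; when Samba is built
        # with CUPS support these commands may be ignored - confirm.
        print command = /usr/bin/lpr -P%p -r %s
        lpq command = /usr/bin/lpq -P%p
        lprm command = /usr/bin/lprm -P%p %j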

# Printer-driver share that Windows clients download drivers from.
[print$]
        path = /home/printers
        guest ok = No
        browseable = Yes
        read only = Yes
        # Only members of "Print Operators" may connect, and they may write
        # despite 'read only = Yes'. Files placed here are installed on
        # client machines, so membership of that group is a trust decision.
        valid users = @"Print Operators"
        write list = @"Print Operators"
        create mask = 0664
        directory mask = 0775

# Shared scratch area.
# NOTE(review): 'guest ok = Yes' with 'read only = No' makes this share
# writable without authentication, and [global] maps unknown users to guest.
# Anyone who can reach the server can store and modify files under
# /home/public; restrict write access if that is not intended.
[public]
        comment = Repertoire public
        path = /home/public
        browseable = Yes
        guest ok = Yes
        read only = No
        directory mask = 0775
        create mask = 0664

-------------------------------------------------------------------------

nsswitch.conf

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

# Account, group and shadow lookups consult the local files first (compat)
# and then LDAP through libnss-ldap.
# NOTE(review): Samba needs the joining machine's account to resolve through
# the passwd lookup; which LDAP containers are searched is decided by
# nss_base_passwd in libnss-ldap.conf, not here.
passwd:      compat ldap
group:       compat ldap
shadow:      compat ldap

# NOTE(review): host names that files and dns cannot resolve are also looked
# up in LDAP, which makes name resolution depend on slapd - confirm that this
# is intended.
hosts:          files dns ldap
networks:       files

protocols:      db  files
services:       db  files
ethers:         db  files
rpc:            db  files

netgroup:       files
#netgroup:    ldap [NOTFOUND=return] files

#netmasks:    files
#bootparams:  files

#automount:   files
#aliases:     files

-------------------------------------------------------------------------

libnss-ldap.conf

###DEBCONF###
# libnss-ldap client settings: where NSS looks up Unix accounts and groups.
# No bind DN is set in this file, so the lookups presumably bind anonymously.
host 127.0.0.1
base dc=PDC,dc=COM
ldap_version 3
# NOTE(review): passwd lookups are limited to ou=Users, but smb.conf puts
# machine accounts under ou=Computers ('ldap machine suffix'). A machine
# account created during a join would then exist in LDAP without resolving
# as a Unix account - a likely cause of the "user could not be found" error.
# Verify that the machine's account name resolves with getent passwd.
nss_base_passwd ou=Users,dc=PDC,dc=COM
nss_base_group  ou=Groups,dc=PDC,dc=COM
# TLS is disabled, which is tolerable only while 'host' is the loopback
# address. If TLS is enabled later, leave certificate checking on rather
# than uncommenting 'tls_checkpeer no'.
#ssl start_tls
#tls_checkpeer no


-------------------------------------------------------------------------

slapd.conf

# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

#######################################################################
# Global Directives:

# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema

# NOTE(review): slapd.conf(5) describes 'index' as a per-database directive,
# but these lines come before any 'database' line - confirm that slapd
# accepts them here and that the indexes are actually built.
index         uid,uidNumber,gidNumber,memberUid       eq
index         cn,mail,surname,givenname               eq,subinitial
index         sambaSID                                eq
index         sambaPrimaryGroupSID                    eq
index         sambaDomainName                         eq


# Schema check allows for forcing entries to
# match schemas for their objectClasses's
schemacheck     on

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile         /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile        /var/run/slapd.args

# Read slapd.conf(5) for possible values
# NOTE(review): 0 disables logging; a non-zero level would show the searches
# and binds Samba and NSS perform during the failing domain join.
loglevel        0

# Where the dynamically loaded modules are stored
modulepath      /usr/lib/ldap
moduleload      back_bdb

#######################################################################
# Specific Backend Directives for bdb:
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend         bdb
checkpoint 512 30

#######################################################################
# Specific Backend Directives for 'other':
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend                <other>

#######################################################################
# Specific Directives for database #1, of type bdb:
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database        bdb

# The base of your directory in database #1
suffix          "dc=PDC,dc=COM"

# NOTE(review): {MD5} is an unsalted hash, and this value has been published
# in a public mailing-list post, so the rootdn password should be treated as
# exposed. Change it and store the new one with a salted scheme such as
# {SSHA} (slappasswd can generate it). The same password is used by Samba
# for 'ldap admin dn' and has to be updated there as well.
rootdn "cn=Admin,dc=PDC,dc=COM"
rootpw {MD5}gr9Rh8KtwfEBGbSCiSBZbg==


# Where the database file are physically stored for database #1
directory       "/var/lib/ldap"

# Indexing options for database #1
index           objectClass eq

# Save the time that the entry gets modified, for database #1
lastmod         on

# Where to store the replica logs for database #1
# replogfile    /var/lib/ldap/replog

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
# sambaNTPassword and sambaLMPassword are password-equivalent hashes, so
# they are protected together with userPassword. This rule has to stay ahead
# of the broader 'access to *' rule below.
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by dn="cn=Admin,dc=PDC,dc=COM" write
        by anonymous auth
        by self write
        by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms.  Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
# NOTE(review): 'by * read' includes anonymous clients, so every attribute
# not covered by the password rule above (account names, SIDs, group
# membership) can be read without a bind. libnss-ldap.conf sets no bind DN
# and appears to depend on this; to restrict it, give NSS a bind DN first
# and then narrow this clause to authenticated users.
access to *
        by dn="cn=Admin,dc=PDC,dc=COM" write
        by * read

# For Netscape Roaming support, each user gets a roaming
# profile for which they have write access to
#access to dn=".*,ou=Roaming,o=morsnet"
#        by dn="cn=Admin,dc=PDC,dc=COM" write
#        by dnattr=owner write

#######################################################################
# Specific Directives for database #2, of type 'other' (can be bdb too):
# Database specific directives apply to this databasse until another
# 'database' directive occurs
#database        <other>

# The base of your directory for database #2
#suffix         "dc=debian,dc=org"


Thanks a lot
-- 
'May the source be with you'

Pablo E. Bullian
Network Administrator

