[Samba] Re: Issues after Samba updating a Samba PDC to 3.0.23c
Daniel Bramkamp
bramkamp at team-datentechnik.de
Fri Oct 6 12:25:22 GMT 2006
Hi again,
while the problem is gone now, I am still not sure it won't happen
again. I will try to give some more information about the particular
setup, maybe that will make it easier/possible for you guys to help me
out.
First of all, here's my smb.conf:
--- smb.conf ---
[global]
workgroup = stw-gmh
admin users = @"Domain Admins"
netbios name = stw1
server string = STW1
printcap name = cups
load printers = yes
printing = cups
printer admin = @"Domain Admins"
log file = /var/log/samba/log.%m
max log size = 500
log level = 3 passdb:5 auth:10 winbind:2
hosts allow = 192.168. 127.
map to guest = bad user
security = user
encrypt passwords = yes
; unix password sync = Yes
; pam password change = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
interfaces = 192.168.1.1
local master = yes
os level = 33
domain master = yes
preferred master = yes
domain logons = yes
logon script = %U.bat
logon path =
logon home =
add user script = /usr/sbin/smbldap-useradd '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add group script = /usr/sbin/smbldap-groupadd '%g' && /usr/sbin/smbldap-groupshow %g|awk '/^gidNumber:/ {print $2}'
delete group script = /usr/sbin/smbldap-userdel '%g'
add machine script = /usr/sbin/smbldap-useradd -w %m
passdb backend = ldapsam:ldap://localhost:389
ldap admin dn = cn=root,dc=stw-gmh,dc=lan
ldap suffix = dc=stw-gmh,dc=lan
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap password sync = Yes
name resolve order = wins lmhosts bcast
wins support = yes
wins proxy = yes
dns proxy = no
dos charset = 850
unix charset = ISO8859-1
[EDV]
comment = EDV
path = /shared/data/edv
valid users = @edv
read list = @edv
write list = @edv_write
force user = root
force group = edv
create mode = 660
force create mode = 660
directory mode = 770
force directory mode = 770
--- smb.conf ---
There are more shares. They are all defined as the example above, just
with different access rights. May the "ldapsam_getgroup: Did not find
group" message appear because there are no group mappings for the UNIX
groups other than "Domain Admins", "Domain Users", "Domain Computers"?
Access rights to the shares are working as intended (as described in
the release notes for 3.0.23).
Why it reports "smbldap_open: cannot access LDAP when not root" is
beyond me. Google returns some results for this message. Apparently it
was a bug in 2003 which has been fixed but was reopened by some guy in
Aug. 2005. Not even sure if I should have to worry about this message
at all.
Another thing I have found is this message:
"string_to_sid: Sid @Domain Admins does not start with 'S-'."
This happens with different groups.
After reading the release notes for various samba versions, I found
that I have to add "index sambaSID sub" to my slapd.conf. Since I
haven't done that (shame on me), could it be responsible for some of
the issues I am experiencing?
Regarding the domain logon problems I only got reports from 2 users
who are still using fat clients. Both of them are in a branch office
connected through a 2 MBit fiber line (bridged). The problem has not
happened on the terminalservers or any fat client on the main site,
where the servers are located. The branch office had a Samba BDC
running which I disabled after updating the PDC. Could it be a network
issue that did not show because the clients logged on to the BDC
before? Browsing shares / accessing files after a local logon and
general network connectivity are ok though.
As mentioned in my original post, the tdb files are from an old
installation. Would it be a good idea to delete them and start afresh?
Unfortunately I am unable to experiment a lot since this is a
production system. Also, I am a bit afraid to make changes for testing
purposes because I am not sure if things are going to get worse.
Thanks.
--
Daniel Bramkamp