[Samba] Re: Issues after Samba updating a Samba PDC to 3.0.23c

Daniel Bramkamp bramkamp at team-datentechnik.de
Fri Oct 6 12:25:22 GMT 2006

Hi again,

while the problem is gone now, I am still not sure it won't happen  
again. I will try to give some more information about the particular  
setup, maybe that will make it easier/possible for you guys to help me.

First of all, here's my smb.conf:

--- smb.conf ---
    workgroup = stw-gmh
    admin users = @"Domain Admins"
    netbios name = stw1
    server string = STW1
    printcap name = cups
    load printers = yes
    printing = cups
    printer admin = @"Domain Admins"
    log file = /var/log/samba/log.%m
    max log size = 500
    log level = 3 passdb:5 auth:10 winbind:2
    hosts allow = 192.168. 127.
    map to guest = bad user
    security = user
    encrypt passwords = yes
;  unix password sync = Yes
;  pam password change = yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    interfaces =
    local master = yes
    os level = 33
    domain master = yes
    preferred master = yes
    domain logons = yes
    logon script = %U.bat
    logon path =
    logon home =
    add user script = /usr/sbin/smbldap-useradd '%u'
    delete user script = /usr/sbin/smbldap-userdel '%u'
    add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
    delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
    add group script = /usr/sbin/smbldap-groupadd '%g' && /usr/sbin/smbldap-groupshow %g|awk '/^gidNumber:/ {print $2}'
    delete group script = /usr/sbin/smbldap-userdel '%g'
    add machine script = /usr/sbin/smbldap-useradd -w %m
    passdb backend = ldapsam:ldap://localhost:389
    ldap admin dn = cn=root,dc=stw-gmh,dc=lan
    ldap suffix = dc=stw-gmh,dc=lan
    ldap machine suffix = ou=Computers
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap password sync = Yes
    name resolve order = wins lmhosts bcast
    wins support = yes
    wins proxy = yes
    dns proxy = no

    dos charset = 850
    unix charset = ISO8859-1

         comment = EDV
         path = /shared/data/edv
         valid users = @edv
         read list = @edv
         write list = @edv_write
         force user = root
         force group = edv
         create mode = 660
         force create mode = 660
         directory mode = 770
         force directory mode = 770

--- smb.conf ---

There are more shares. They are all defined as the example above, just  
with different access rights. May the "ldapsam_getgroup: Did not find  
group" message appear because there are no group mappings for the UNIX  
groups other than "Domain Admins", "Domain Users", "Domain Computers"?  
Access rights to the shares are working as intended (as described in  
the release notes for 3.0.23).

Why it reports "smbldap_open: cannot access LDAP when not root" is  
beyond me. Google returns some results for this message. Apparently it  
was a bug in 2003 which has been fixed but was reopened by some guy in  
Aug. 2005. Not even sure if I should have to worry about this message  
at all.

Another thing I have found is this message :

"string_to_sid: Sid @Domain Admins does not start with 'S-'."

This happens with different groups.

After reading the release notes for various samba versions, I found  
that I have to add "index sambaSID sub" to my slapd.conf. Since I  
haven't done that (shame on me), could it be responsible for some of  
the issues I am experiencing ?

Regarding the domain logon problems I only got reports from 2 users  
who are still using fat clients. Both of them are in a branch office  
connected through a 2 MBit fiber line (bridged). The problem has not  
happened on the terminalservers or any fat client on the main site,  
where the servers are located. The branch office had a Samba BDC  
running which I disabled after updating the PDC. Could it be a network  
issue that did not show because the clients logged on to the BDC  
before ? Browsing shares / accessing files after a local logon and  
general network connectivity are ok though.

As mentioned in my original post, the tdb files are from an old  
installation. Would it be a good idea to delete them and start afresh ?

Unfortunately I am unable to experiment a lot since this is a  
production system. Also, I am a bit afraid to make changes for testing  
purposes because I am not sure if things are going to get worse.

Daniel Bramkamp
