[Samba] samba pdc with ldap backend setup problems

Bob Hetzel beh at case.edu
Tue Oct 24 19:47:51 GMT 2006


I'm struggling trying to set up a samba 3.0.23c PDC with ldap 
backend.  The server is Fedora 5, OpenLdap version 2.3.19-4.
I've got it so smbd and nmbd start properly and I can use a windows 
box and see the domain using srvmgr.exe and usrmgr.exe.  I'm then 
able to signon from a windows XP computer with the command
net use \\pdcserver\ipc$ /user:root rootpassword

Some things that aren't working right...  please excuse the long post 
but I thought I'd try to include some relevant files before being 
asked, to save some trouble.

1) some of the groups defined in ldap do not show up in usrmgr.exe.
net groupmap list produces

Domain Admins (S-1-5-21-2256156769-696857544-2990674152-512) -> Domain Admins
Domain Users (S-1-5-21-2256156769-696857544-2990674152-513) -> Domain Users
Domain Guests (S-1-5-21-2256156769-696857544-2990674152-514) -> Domain Guests
Domain Computers (S-1-5-21-2256156769-696857544-2990674152-515) -> 
Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators

but usrmgr.exe omits Administrators and all the other ones listed 
above after it.

the ldap log file logs this (among other things) when refreshing usrmgr.exe
Oct 24 14:30:59 pdcserver slapd[18335]: <= bdb_substring_candidates: 
(sambaSID) index_param failed (18)

2) when viewing the domain in srvmgr.exe I see the PDC when I list 
all computers in the domain (although it's currently the only 
computer just as I would expect) and the type column is filled in 
with "Windows NT Primary" just as I expect.   When enable the setting 
called "Show Domain Members Only" the list is empty.
When I do this the ldap logfile logs this...
Oct 24 14:15:04 pdcserver slapd[18335]: conn=48 op=62 SRCH 
base="ou=Group,dc=som,dc=com" scope=2 deref=0 

I have no servers entries under the Group section in my ldap tree, so 
how does that get put in there?

I'd prefer not to use ldap for anything other than samba related 
users.  Linux users should not by default get access.  I'm hoping 
this means I don't have to mess with Pam, is that correct?

Here's the config files...

#my /etc/ldap.conf file

host pdcserver.meds.cwru.edu
base dc=som,dc=com
binddn cn=Manager,dc=som,dc=com
bindpw <password removed>
rootbinddn cn=Manager,dc=som,dc=com
bind_timelimit 30
idle_timelimit 3600
pam_password exop
nss_base_passwd         ou=People,dc=som,dc=com?one
nss_base_shadow         ou=People,dc=som,dc=com?one
nss_base_group          ou=Group,dc=som,dc=com?one
nss_initgroups_ignoreusers root,ldap
ssl off
tls_cacertfile /etc/pki/tls/certs/hypothalamus.cer

#my nsswitch.conf file

passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns wins
networks:       files dns
bootparams: files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:       files
publickey:      files
automount:      files
aliases:        files

#my smb.conf file

client ntlmv2 auth = yes
client lanman auth = no
ntlm auth = no
lanman auth = no
workgroup = SOMtest
netbios name = pdcserver
passdb backend = ldapsam:ldap://pdcserver.meds.cwru.edu
domain master = Yes
domain logons = Yes
logon path = ""
lm announce = No
wins server =
wins support = no
name resolve order = wins host
add user script = /usr/sbin/smbldap-useradd -m '%u'
add group script = /usr/sbin/smbldap-groupadd '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
ldap admin dn = cn=Manager,dc=som,dc=com
ldap suffix = dc=som,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap machine suffix = ou=People
log level = 3
load printers = no
idmap backend = ldap:ldap://pdcserver.meds.cwru.edu
username map = /etc/samba/smbusers
        comment = netlogon share
        path = /home/netlogon
        read only = yes
# my slapd.conf file

loglevel 256
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema
pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args
TLSCACertificateFile /etc/pki/tls/certs/hypothalamus.cer
TLSCertificateFile /etc/pki/tls/certs/brain-new.cer
TLSCertificateKeyFile /etc/pki/tls/private/privkey.pem
TLSCRLCheck none
database        bdb
suffix          "dc=som,dc=com"
rootdn          "cn=Manager,dc=som,dc=com"
rootpw          <password removed>
checkpoint 1024 5
directory       /var/lib/ldap
index   objectClass     eq
index cn                      pres,sub,eq
index sn                      pres,sub,eq
index uid                     pres,sub,eq
index displayName             pres,sub,eq
index uidNumber               eq
index gidNumber               eq
index memberUid               eq
index   sambaSID              eq
index   sambaSIDList          eq
index   sambaPrimaryGroupSID  eq
index   sambaDomainName       eq
index   sambaGroupType        eq
index   default               sub

#my /etc/samba/smbusers file

root = administrator admin
nobody = guest pcguest smbguest

More information about the samba mailing list