[Samba] samba pdc with ldap backend setup problems
Silas Wind
swi at clipper-group.com
Wed Oct 25 11:58:19 GMT 2006
Hi Bob
I have the exact same error with users and groups created using
smbldap-useradd / groupadd etc. I can only see the same group as you
from Windows. When using an LDAP browser, all users and groups are shown.
If I use the Windows-to-Unix mapping tool (net rpc .......) then I can see the
group from the Windows User Manager (see chapter 13 in the official Samba guide
- Samba HOWTO Collection).
- Please notify me if you get a solution to this problem.
Venlig hilsen/Best regards
Silas Wind
---------------------------------------
Clipper Group A/S
Harbour House
Sundkrogsgade 21
DK-2100 Copenhagen
---------------------------------------------
Main : +45 4911 8090
Cell : +45 3038 5090
Fax : +45 4911 8001
www.clipper-group.com
IM Jabber id: swi at clipper-it.com
---------------------------------------------
Project Lead (ITA)
Bob Hetzel <beh at case.edu>
Sent by: samba-bounces+swi=clipper-group.com at lists.samba.org
24-10-2006 21:47
To: samba at lists.samba.org
cc:
Subject: [Samba] samba pdc with ldap backend setup problems
Greetings...
I'm struggling trying to set up a Samba 3.0.23c PDC with an LDAP
backend. The server is Fedora 5, OpenLDAP version 2.3.19-4.
I've got it so smbd and nmbd start properly and I can use a Windows
box and see the domain using srvmgr.exe and usrmgr.exe. I'm then
able to sign on from a Windows XP computer with the command
net use \\pdcserver\ipc$ /user:root rootpassword
Some things that aren't working right... please excuse the long post,
but I thought I'd try to include some relevant files before being
asked, to save some trouble.
1) Some of the groups defined in LDAP do not show up in usrmgr.exe.
net groupmap list produces
Domain Admins (S-1-5-21-2256156769-696857544-2990674152-512) -> Domain Admins
Domain Users (S-1-5-21-2256156769-696857544-2990674152-513) -> Domain Users
Domain Guests (S-1-5-21-2256156769-696857544-2990674152-514) -> Domain Guests
Domain Computers (S-1-5-21-2256156769-696857544-2990674152-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators
but usrmgr.exe omits Administrators and all the other ones listed
above after it.
The LDAP log file logs this (among other things) when refreshing usrmgr.exe:
Oct 24 14:30:59 pdcserver slapd[18335]: <= bdb_substring_candidates: (sambaSID) index_param failed (18)
2) When viewing the domain in srvmgr.exe I see the PDC when I list
all computers in the domain (although it's currently the only
computer, just as I would expect) and the type column is filled in
with "Windows NT Primary" just as I expect. When I enable the setting
called "Show Domain Members Only" the list is empty.
When I do this the LDAP logfile logs this...
Oct 24 14:15:04 pdcserver slapd[18335]: conn=48 op=62 SRCH base="ou=Group,dc=som,dc=com" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(|(displayName=servers)(cn=servers)))"
I have no servers entries under the Group section in my LDAP tree, so
how does that get put in there?
I'd prefer not to use LDAP for anything other than Samba-related
users. Linux users should not by default get access. I'm hoping
this means I don't have to mess with PAM, is that correct?
Here are the config files...
#my /etc/ldap.conf file
host pdcserver.meds.cwru.edu
base dc=som,dc=com
binddn cn=Manager,dc=som,dc=com
bindpw <password removed>
rootbinddn cn=Manager,dc=som,dc=com
bind_timelimit 30
idle_timelimit 3600
pam_password exop
nss_base_passwd ou=People,dc=som,dc=com?one
nss_base_shadow ou=People,dc=som,dc=com?one
nss_base_group ou=Group,dc=som,dc=com?one
nss_initgroups_ignoreusers root,ldap
ssl off
tls_cacertfile /etc/pki/tls/certs/hypothalamus.cer
=====
#my nsswitch.conf file
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns wins
networks: files dns
bootparams: files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: files
automount: files
aliases: files
=======
#my smb.conf file
[global]
client ntlmv2 auth = yes
client lanman auth = no
ntlm auth = no
lanman auth = no
workgroup = SOMtest
netbios name = pdcserver
passdb backend = ldapsam:ldap://pdcserver.meds.cwru.edu
domain master = Yes
domain logons = Yes
logon path = ""
lm announce = No
wins server = 129.22.4.10 129.22.4.11
wins support = no
name resolve order = wins host
add user script = /usr/sbin/smbldap-useradd -m '%u'
add group script = /usr/sbin/smbldap-groupadd '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
ldap admin dn = cn=Manager,dc=som,dc=com
ldap suffix = dc=som,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap machine suffix = ou=People
log level = 3
load printers = no
idmap backend = ldap:ldap://pdcserver.meds.cwru.edu
username map = /etc/samba/smbusers
[netlogon]
comment = netlogon share
path = /home/netlogon
read only = yes
====
# my slapd.conf file
loglevel 256
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificateFile /etc/pki/tls/certs/hypothalamus.cer
TLSCertificateFile /etc/pki/tls/certs/brain-new.cer
TLSCertificateKeyFile /etc/pki/tls/private/privkey.pem
TLSCRLCheck none
database bdb
suffix "dc=som,dc=com"
rootdn "cn=Manager,dc=som,dc=com"
rootpw <password removed>
checkpoint 1024 5
directory /var/lib/ldap
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUid eq
index sambaSID eq
index sambaSIDList eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index sambaGroupType eq
index default sub
=====
#my /etc/samba/smbusers file
root = administrator admin
nobody = guest pcguest smbguest
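The two slapd log lines in the post above are the kind of evidence worth cross-checking mechanically: the loglevel 256 output records every filter Samba sends, and slapd's "index_param failed (18)" (18 is inappropriateMatching) is what bdb emits when a substring filter hits an attribute whose index directive does not include "sub". The script below is an added example written for this page, not code from the thread, Samba or OpenLDAP. It parses the index directives from a slapd.conf excerpt, classifies each term of every logged filter by the index type it would use (pres, eq, sub, approx), and reports attributes that were searched with an index type the config does not maintain, plus any index_param failures. The slapd.conf and log excerpts are constructed sample input modelled on the ones posted (the wildcard sambaSID search is invented to exercise the substring case); the treatment of "index default" follows slapd-bdb(5), which applies it only to index lines given without types.

```python
"""Cross-check the LDAP filters slapd logged against slapd.conf index
directives and surface "index_param failed" lines.  Added example; not part of
the thread, Samba or OpenLDAP."""
import re
from collections import defaultdict

# Constructed excerpt modelled on the index directives posted above; sample
# input for this script, not the poster's actual file.
SAMPLE_SLAPD_CONF = """\
index objectClass eq
index cn pres,sub,eq
index displayName pres,sub,eq
index memberUid eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index default sub
"""

# Constructed log lines in the loglevel 256 format shown in the thread.  The
# second SRCH line (a wildcard on sambaSID) is invented; it is the kind of
# substring search that produces the index_param failed (18) message.
SAMPLE_LOG = """\
Oct 24 14:15:04 pdcserver slapd[18335]: conn=48 op=62 SRCH base="ou=Group,dc=som,dc=com" scope=2 deref=0 filter="(&(objectClass=sambaGroupMapping)(|(displayName=servers)(cn=servers)))"
Oct 24 14:30:59 pdcserver slapd[18335]: conn=48 op=70 SRCH base="dc=som,dc=com" scope=2 deref=0 filter="(&(objectClass=sambaSamAccount)(sambaSID=S-1-5-21-*))"
Oct 24 14:30:59 pdcserver slapd[18335]: <= bdb_substring_candidates: (sambaSID) index_param failed (18)
"""

INDEX_RE = re.compile(r'^\s*index\s+(\S+)(?:\s+(\S+))?\s*$', re.IGNORECASE)
FILTER_RE = re.compile(r'filter="([^"]*)"')
# One simple filter term: (attr op value); '=' must come last in the alternation.
TERM_RE = re.compile(r'\(([A-Za-z][\w;.-]*)(~=|>=|<=|=)([^()]*)\)')
FAILED_RE = re.compile(r'\((\S+)\) index_param failed \((\d+)\)')


def parse_indexes(conf_text):
    """Return {attribute (lowercased): set of index types} from index lines.
    Per slapd-bdb(5), the types given for 'default' apply only to attributes
    listed in an index line without explicit types."""
    explicit, untyped, default = {}, [], set()
    for line in conf_text.splitlines():
        m = INDEX_RE.match(line)
        if not m:
            continue
        attrs, types = m.group(1), m.group(2)
        typeset = {t.strip().lower() for t in types.split(',')} if types else None
        if attrs.lower() == 'default':
            default = typeset or set()
            continue
        for attr in attrs.split(','):
            if typeset is None:
                untyped.append(attr.lower())
            else:
                explicit[attr.lower()] = typeset
    for attr in untyped:
        explicit[attr] = set(default)
    return explicit


def index_type_for(op, value):
    """Map one filter term to the slapd index type that would serve it.
    Ordering terms (>=, <=) are skipped: no plain index keyword covers them."""
    if op == '~=':
        return 'approx'
    if op in ('>=', '<='):
        return None
    if value == '*':
        return 'pres'
    if '*' in value:
        return 'sub'
    return 'eq'


def filter_terms(ldap_filter):
    """Yield (attribute, index type) for each simple term in an RFC 4515 filter."""
    for attr, op, value in TERM_RE.findall(ldap_filter):
        kind = index_type_for(op, value)
        if kind:
            yield attr.lower(), kind


def audit(log_text, conf_text):
    """Return (missing, failures): missing maps attr -> sorted index types that
    logged searches used but the config does not maintain; failures lists
    (attr, code) pairs taken from index_param failed lines."""
    indexes = parse_indexes(conf_text)
    missing, failures = defaultdict(set), []
    for line in log_text.splitlines():
        fm = FAILED_RE.search(line)
        if fm:
            failures.append((fm.group(1).lower(), int(fm.group(2))))
        for flt in FILTER_RE.findall(line):
            for attr, kind in filter_terms(flt):
                if kind not in indexes.get(attr, set()):
                    missing[attr].add(kind)
    return {a: sorted(k) for a, k in missing.items()}, failures


def report(log_text, conf_text):
    """Human-readable summary of audit(), returned as a list of lines."""
    missing, failures = audit(log_text, conf_text)
    lines = [f"{a}: searched with {', '.join(k)} but no such index configured"
             for a, k in sorted(missing.items())]
    lines += [f"{a}: slapd reported index_param failed ({c})" for a, c in failures]
    return lines or ["all logged filters are covered by configured indexes"]


if __name__ == '__main__':
    print('\n'.join(report(SAMPLE_LOG, SAMPLE_SLAPD_CONF)))
```

Run against a real log and slapd.conf, the report points at the attribute and index type to add (here sambaSID would need a "sub" entry alongside "eq", followed by slapindex while slapd is stopped). Equality searches on unindexed attributes are not errors, only full scans, so they appear in the report without a matching index_param line.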
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba