[Samba] LDAP PDC migration gone wrong.
jpb at bordengrammar.kent.sch.uk
Tue Apr 17 11:36:04 GMT 2007
I have a problem following the migration of my PDC's backend from tdbsam
to LDAP. We started out with a PDC called SMB1 which ran with a tdbsam
backend. I used pdbedit to convert it to LDAP and built a new server
onto which the LDIF file was loaded. Samba was then setup to use the
LDAP server as a backend. So far so good, Samba runs against LDAP and I
was able to add 60 new XP client machines to the network without any
The problem starts however when trying to access Samba domain member
servers that have been connected since the PDC upgrade.
I go through the process of adding the servers to the domain by setting
the domain SID on the member server using setdomainsid and using net rpc
join -U admin -S SMB5 to join the domain. The latter command brings up
"joined domain BGS" and after restarting samba and winbind, wbinfo -u
and wbinfo -g both return correct lists of users and groups.
getent passwd and getent group both return full lists of users and
groups from the UNIX/LDAP side suggesting that nss and pam are
successfully communicating with smb5.
The problems start when trying to access shares configured on the member
server. If the ownership of the file is set to testuser who is a member
of the pupils group, testuser can access it. If the owner is set to
admin and the file is grouped to pupils, no-one in the pupils group can
access it even with the group perms set to rwx.
I suspect that as owner/users can access shares but groups can't that
group mapping is stuffed. My questions are therefore as follows.
1) can I set up smb.conf on member servers to access LDAP directly and
abandon winbind. I have two additional separate networks/NT Domains
accessing the net via an NTLM_AUTH authenticated squid proxy so I
don't know how this will affect them.
2) The domain SID and machine SID on the PDC are the same. Is this
correct? winbind on the PDC returns "error looking up domain users". I'm
quite restricted in what I can try as I have 300 people accessing their
shares on the PDC and don't want to make things any worse than they are.
3) net groupmap on the member servers creates a mapping between NT
Domain and UNIX users but the SIDs are local domain SIDs and group
permissions seem to fail. Should the SIDs in groupmap be local or domain?
Basically, I'm getting confused. Everything worked fine on TDBsam
backends and I need help and clarification.
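A small diagnostic for question 3, added here as an example and not part of the original post or of Samba itself: it parses lines in the format that `net groupmap list` prints (`<NT group> (<SID>) -> <unix group>`) and reports every mapping whose SID prefix is not the domain SID, which is how a member server's local-SID mappings show up. The domain SID and the groupmap lines below are constructed sample data; on a real member server you would feed it the live output of `net groupmap list` and `net getlocalsid`, as the comment at the end shows.

```shell
#!/bin/sh
# Added example (not from the original post): flag group mappings whose
# SID does not belong to the domain. DOMAIN_SID is a placeholder value.
DOMAIN_SID="S-1-5-21-1111111111-2222222222-3333333333"

# Constructed sample in the format 'net groupmap list' prints:
#   <NT group name> (<SID>) -> <unix group>
# The 'pupils' line deliberately carries a different (local) SID prefix.
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> admin
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users
pupils (S-1-5-21-4444444444-5555555555-6666666666-1001) -> pupils'

# sid_prefix SID -> prints the SID with its trailing RID removed
sid_prefix() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# check_groupmap DOMAIN_SID
#   Reads groupmap lines on stdin and prints one line per mapping:
#   "ok <name>" when the SID prefix equals the domain SID,
#   "mismatch <name> (<sid>)" otherwise.
#   Returns 1 if any mapping mismatches, 0 otherwise.
check_groupmap() {
    domain="$1"
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # SID is the S-... token inside the parentheses
        sid=$(printf '%s\n' "$line" | sed 's/.*(\(S-[0-9-]*\)).*/\1/')
        # NT group name is everything before " (S-"
        name=$(printf '%s\n' "$line" | sed 's/ (S-.*//')
        if [ "$(sid_prefix "$sid")" = "$domain" ]; then
            echo "ok $name"
        else
            echo "mismatch $name ($sid)"
            rc=1
        fi
    done
    return $rc
}

# count_mismatches DOMAIN_SID GROUPMAP_TEXT -> prints the number of mismatched mappings
count_mismatches() {
    printf '%s\n' "$2" | check_groupmap "$1" | grep -c '^mismatch'
}

# Run against the constructed sample. On a member server, replace with:
#   net groupmap list | check_groupmap "$(net getlocalsid | sed 's/.*: //')"
printf '%s\n' "$SAMPLE_GROUPMAP" | check_groupmap "$DOMAIN_SID" \
    || echo "some mappings do not use the domain SID"
```

Any "mismatch" line is a mapping the member server created against its own local SID rather than the PDC's domain SID; those are the entries to compare against the SID the PDC reports before deciding whether the groupmap needs rebuilding.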