[Samba] Re: Re: SID problem with working samba
tonign at xtec.net
Thu Jan 24 16:56:20 GMT 2008
El Thu, 24 Jan 2008 05:49:20 -0500
Jamrock <news_jamrock at yahoo.com> ha escrit:
> "toni" <tonign at xtec.net> wrote in message
> news:20080123201746.45b21417 at gamma...
> > this server has also a ldap server to resolve system users (via
> > nsswitch), and the contents are replicated from a master ldap in the
> > PDC (i think this is what you are proposing, isn't it?)
> Not really. On a Windows 2003 domain, there are a few domain
> controllers that contain Active Directory. Active Directory is not
> loaded on member servers. No replication takes place there.
> The member server is configured to redirect all authentication
> requests to a domain controller.
> Chapter 7 discusses the various ways that Samba member servers can be
> configured to redirect authentication requests to a single database of
> usernames and passwords.
> You can use NSS/LDAP. You can use NSS and Winbind. You can use an
> adduser script if you don't want to use NSS.
i would like to use nss/ldap, because BDC and PDC use it, for
simplicity. this is what i'm trying
> The common factor in all three approaches is the fact that the pdc
> contains the authoritative list of usernames and passwords. Member
> servers query that list.
> The member server will cache the data it sees on the pdc but the pdc
> is the definitive source.
yes, this is what i'm doing, ldap server on BDC and member server is
replicated from PDC and synchronized using slurpd. however i've changed
my ldap.conf and smb.conf to check directly against ldap on the PDC
> Look at the smb.conf file in example 7.1.. It simply tells the member
> server to look to the ldap installation on the pdc when it needs to
> authenticate users. The /etc/nsswitch.conf is configured to use ldap
> for authentication. The only difference here is that the ldap is
> stored on another machine.
i have same configuration (as far as i can understand) that example 7.1
shows, but with winbindd started i can't mount shares from clients and
log file shows:
[2008/01/24 17:13:32, 0, effective(0, 0), real(0, 0)] rpc_client/cli_pipe.c:cli_rpc_pipe_open_ntlmssp_internal(2362)
cli_rpc_pipe_open_ntlmssp_internal: cli_rpc_pipe_bind failed with error NT_STATUS_NETWORK_ACCESS_DENIED
if i stop winbindd, i can mount shres but i must wait the 60
i'm trying to figure out where the problem is, regards to the nss/ldap
configuration, and i think the problem is Primary Group SID, when
winbindd runs, pdbedit shows the correct value, but when it's stopped,
it shows an incorrect value (i think it causes the timeout)
thanks for your help!
my smb.conf now (complete):
netbios name = SERVER
workgroup = DOMAIN
local master = no
security = domain
password server = *
mangling method = hash2
encrypt passwords = yes
passdb backend = ldapsam:"ldaps://pdc ldap://localhost"
idmap backend = ldap:"ldaps://pdc ldap://localhost"
ldap suffix = dc=domain,dc=intranet
ldap admin dn = cn=Manager,dc=domain,dc=intranet
ldap ssl = yes
ldap machine suffix = ou=Machines
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap passwd sync = Yes
ldap delete dn = Yes
add user script = /opt/smbldap_tools-0.9.1/smbldap-useradd -a '%u'
delete user script = /opt/smbldap_tools-0.9.1/smbldap-userdel '%u'
add group script = /opt/smbldap_tools-0.9.1/smbldap-groupadd -p '%g'
delete group script = /opt/smbldap_tools-0.9.1/smbldap-groupdel '%g'
add user to group script
= /opt/smbldap_tools-0.9.1/smbldap-groupmod -m '%u' '%g' delete user
from group script = /opt/smbldap_tools-0.9.1/smbldap-groupmod -x '%u'
'%g' set primary group script
= /opt/smbldap_tools-0.9.1/smbldap-usermod -g '%g' '%u' add machine
script = /opt/smbldap_tools-0.9.1/smbldap-useradd -w '%u' passwd
program = /opt/smbldap_tools-0.9.1/smbldap-passwd '%u' passwd chat =
*ew*password* %n\n *new*password* %n\n passwd chat debug = Yes socket
options = SO_KEEPALIVE TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192
SO_SNDBUF=8192 interfaces = eth0 name resolve order = hosts wins
lmhosts bcast dos charset = CP850
unix charset = ISO8859-1
wins server = 10.0.2.11
time server = yes
log file = /var/log/samba/samba.%m.log
log level = 0
max log size = 100000
debug uid = yes
load printers = yes
printing = cups
printcap name = cups
cups server = 10.0.2.22
enable privileges = yes
nt acl support = yes
inherit acls = Yes
unix password sync = no
unix extensions = no
More information about the samba