[Samba] Member Server creates sambaDomainName LDAP entry

Brian High high at u.washington.edu
Fri Jan 25 23:46:19 GMT 2008 

Short version:

Why does my domain member server create a sambaDomainName entry in LDAP?

Long Version:

I have created a Domain Member Server for a "NT4 style" Samba domain
with an LDAP backend.

It is a print server, running Winbind (because it solved a group SID
mapping problem and an 'invalid SID' error in syslog), and it works fine
in all other respects, but this:

After joining the domain, the member server creates a sambaDomainName
entry in LDAP that I don't think should be there.  It is of the form:

sambaDomainName=HOSTNAME,dc=example,dc=com

... where HOSTNAME is the hostname of the domain member server.

I have Googled this and have come up with some posts to this list:

http://www.google.com/search?q=sambaDomainName+hostname+%22member+server%22

... but none provide an explanation.


Here are some details about my setup (on the domain member server):

First, just to get it out of the way, I created no local users, other
those created by a default RedHat RHEL 5.1 install, such as root,
nobody, etc.

(LDAP, NSS, PAM, Winbind settings created with /usr/sbin/authconfig-tui)

# cat /etc/ldap.conf:

base dc=example,dc=com
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon
uri ldap://ldap.example.com
ssl no
pam_password md5


# cat /ets/samba/smb.conf:

[global]
   workgroup = MYDOMAIN
   netbios name = HOSTNAME
   server string = Domain Member Server

   security = domain

   password server = MYPDC MYBDC
   passdb backend = ldapsam:ldap://ldap.deohs.washington.edu

   wins support = no

   ldap suffix = dc=example,dc=com
   ldap admin dn = "cn=Directory Manager"
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap user suffix = ou=People

   idmap uid = 16777216-33554431
   idmap gid = 16777216-33554431

   template shell = /sbin/nologin

   load printers = yes
   printing = cups
   printcap name = cups
   winbind use default domain = false

[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        public = yes
        guest ok = yes
        writable = no
        printable = yes


# cat /etc/pam.d/system-config-samba

#%PAM-1.0
auth        include     config-util
account     include     config-util
session     include     config-util

# cat /etc/pam.d/config-util

#%PAM-1.0
auth            sufficient      pam_rootok.so
auth            sufficient      pam_timestamp.so
auth            include         system-auth
account         required        pam_permit.so
session         required        pam_permit.so
session         optional        pam_xauth.so
session         optional        pam_timestamp.so

# cat /etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        sufficient    pam_smb_auth.so use_first_pass nolocal
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
use_authtok
password    sufficient    pam_ldap.so use_authtok
password    sufficient    pam_winbind.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so


# cat /etc/nsswitch.conf

passwd:     files ldap winbind
shadow:     files ldap winbind
group:      files ldap winbind
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files ldap
rpc:        files
services:   files ldap
netgroup:   files ldap
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus


# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.1 (Tikanga)

# uname -a
Linux hostname.example.com 2.6.18-53.1.6.el5 #1 SMP Wed Jan 16 03:56:15
EST 2008 x86_64 x86_64 x86_64 GNU/Linux

# rpm -qa | grep 'samba-[0-9]\|ldap-[0-9]\|pam-[0-9]'
openldap-2.3.27-8.el5_1.1
system-config-samba-1.2.39-1.el5
openldap-2.3.27-8.el5_1.1
samba-3.0.25b-1.el5_1.4
pam-0.99.6.2-3.26.el5
nss_ldap-253-5.el5
pam-0.99.6.2-3.26.el5
nss_ldap-253-5.el5


The member server was joined to the domain with:

# net rpc join MEMBER -W MYDOMAIN -I MYPDC -U root%S3CR1T
# smbpasswd -w S3CR1T



Thanks, in advance, for any explanation you can provide.


-- 
Brian High

More information about the samba mailing list