[Samba] Member Server creates sambaDomainName LDAP entry
Brian High
high at u.washington.edu
Fri Jan 25 23:46:19 GMT 2008
Short version:
Why does my domain member server create a sambaDomainName entry in LDAP?
Long version:
I have created a Domain Member Server for a "NT4 style" Samba domain
with an LDAP backend.
It is a print server, running Winbind (because it solved a group SID
mapping problem and an 'invalid SID' error in syslog), and it works fine
in all other respects, but this:
After joining the domain, the member server creates a sambaDomainName
entry in LDAP that I don't think should be there. It is of the form:
sambaDomainName=HOSTNAME,dc=example,dc=com
... where HOSTNAME is the hostname of the domain member server.
I have Googled this and have come up with some posts to this list:
http://www.google.com/search?q=sambaDomainName+hostname+%22member+server%22
... but none provide an explanation.
Here are some details about my setup (on the domain member server):
First, just to get it out of the way, I created no local users, other
than those created by a default RedHat RHEL 5.1 install, such as root,
nobody, etc.
(LDAP, NSS, PAM, Winbind settings created with /usr/sbin/authconfig-tui)
# cat /etc/ldap.conf:
base dc=example,dc=com
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon
uri ldap://ldap.example.com
ssl no
pam_password md5
# cat /etc/samba/smb.conf:
[global]
workgroup = MYDOMAIN
netbios name = HOSTNAME
server string = Domain Member Server
security = domain
password server = MYPDC MYBDC
passdb backend = ldapsam:ldap://ldap.deohs.washington.edu
wins support = no
ldap suffix = dc=example,dc=com
ldap admin dn = "cn=Directory Manager"
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /sbin/nologin
load printers = yes
printing = cups
printcap name = cups
winbind use default domain = false
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
public = yes
guest ok = yes
writable = no
printable = yes
# cat /etc/pam.d/system-config-samba
#%PAM-1.0
auth include config-util
account include config-util
session include config-util
# cat /etc/pam.d/config-util
#%PAM-1.0
auth sufficient pam_rootok.so
auth sufficient pam_timestamp.so
auth include system-auth
account required pam_permit.so
session required pam_permit.so
session optional pam_xauth.so
session optional pam_timestamp.so
# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth sufficient pam_smb_auth.so use_first_pass nolocal
auth sufficient pam_winbind.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account [default=bad success=ok user_unknown=ignore] pam_winbind.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password sufficient pam_winbind.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
# cat /etc/nsswitch.conf
passwd: files ldap winbind
shadow: files ldap winbind
group: files ldap winbind
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.1 (Tikanga)
# uname -a
Linux hostname.example.com 2.6.18-53.1.6.el5 #1 SMP Wed Jan 16 03:56:15 EST 2008 x86_64 x86_64 x86_64 GNU/Linux
# rpm -qa | grep 'samba-[0-9]\|ldap-[0-9]\|pam-[0-9]'
openldap-2.3.27-8.el5_1.1
system-config-samba-1.2.39-1.el5
openldap-2.3.27-8.el5_1.1
samba-3.0.25b-1.el5_1.4
pam-0.99.6.2-3.26.el5
nss_ldap-253-5.el5
pam-0.99.6.2-3.26.el5
nss_ldap-253-5.el5
The member server was joined to the domain with:
# net rpc join MEMBER -W MYDOMAIN -I MYPDC -U root%S3CR1T
# smbpasswd -w S3CR1T
Thanks, in advance, for any explanation you can provide.
--
Brian High
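As an added example (not from the original post and not Samba's own tooling), a small audit script that parses the LDIF `ldapsearch` would return for `(objectClass=sambaDomain)` under the ldap suffix and reports every sambaDomainName entry that is not the configured workgroup, so an entry named after a member server's netbios name stands out; the LDIF and SIDs are constructed sample data.

```python
"""Audit sambaDomainName entries from ldapsearch LDIF output (added example)."""
from typing import Dict, List

# Constructed sample output: the domain's own entry plus a stray entry named
# after the member server, as described in the post. SIDs are made up.
SAMPLE_LDIF = """\
dn: sambaDomainName=MYDOMAIN,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: MYDOMAIN
sambaSID: S-1-5-21-111111111-222222222-333333333
sambaNextRid: 1000

dn: sambaDomainName=HOSTNAME,dc=example,dc=com
objectClass: sambaDomain
sambaDomainName: HOSTNAME
sambaSID: S-1-5-21-444444444-555555555-666666666
sambaNextRid: 1000
"""

def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: entries separated by blank lines, 'name: value'
    attributes, RFC 2849 folded lines (leading space) joined. Base64 ('::')
    values are kept verbatim, not decoded."""
    unfolded: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in unfolded + [""]:          # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip(), []).append(value.strip())
    return entries

def stray_domains(ldif: str, workgroup: str) -> List[Dict[str, str]]:
    """Return sambaDomain entries whose sambaDomainName is not the workgroup."""
    found = []
    for e in parse_ldif(ldif):
        if "sambaDomain" not in e.get("objectClass", []):
            continue
        name = e.get("sambaDomainName", [""])[0]
        if name.upper() != workgroup.upper():
            found.append({"dn": e["dn"][0], "name": name,
                          "sid": e.get("sambaSID", ["?"])[0]})
    return found

if __name__ == "__main__":
    for s in stray_domains(SAMPLE_LDIF, "MYDOMAIN"):
        print(f"unexpected domain entry {s['dn']} (SID {s['sid']})")
```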