[Samba] PDC Multiple users

Scott Lovenberg scott.lovenberg at gmail.com
Thu Jan 31 16:37:02 GMT 2008


Harol Hunter wrote:
> 2008/1/28, Scott Lovenberg <scott.lovenberg at gmail.com>:
>   
>> On Jan 28, 2008 1:39 PM, Harol Hunter <hhuntercu at gmail.com> wrote:
>>     
>>> As you can see I'm still alive (I don't know for how long, but ... ;-).
>>> Well, let me tell you: all my users have a SID and a UID in their account
>>> entries in LDAP. I'll attach my full smb.conf hoping you can help me.
>>> Thanks a lot, pal.
>>>
>>> [global]
>>>
>>>
>>> #########################################################################
>>> #                               NETBIOS OPTIONS                         #
>>> #########################################################################
>>> netbios name = intranet
>>>
>>> workgroup = icic
>>>
>>> server string = Servidor Intranet
>>>
>>> #disable netbios = yes
>>>
>>>
>>> #########################################################################
>>> #                               SERVER OPTIONS                          #
>>> #########################################################################
>>> interfaces = eth0 lo
>>>
>>> bind interfaces only = yes
>>>
>>> socket address = 10.0.0.1
>>>
>>> hosts allow = 10.0.0. 127.
>>>
>>> hosts deny = 0.0.0.0/0
>>>
>>>
>>> #########################################################################
>>> #                               DOMAIN OPTIONS                          #
>>> #########################################################################
>>> security = user
>>>
>>> preferred master = yes
>>>
>>> domain master = yes
>>>
>>> local master = yes
>>>
>>> os level = 64
>>>
>>> admin users = @"Domain Admins"
>>>
>>> enable privileges = yes
>>>
>>> allow trusted domains = no
>>>
>>>
>>> ########################################################################
>>> #                               PASSWORDS OPTIONS                      #
>>> ########################################################################
>>> passdb backend = ldapsam:ldap://127.0.0.1/
>>>
>>> encrypt passwords = true
>>>
>>> #passwd chat = Cambiando contrasena de \nNueva Contrasena %n\n Retype new password %n\n
>>>
>>> passwd program = /usr/sbin/smbldap-passwd -u '%u'
>>>
>>> obey pam restrictions = No
>>>
>>>
>>> ########################################################################
>>> #                               USERS & GROUPS SCRIPTS                 #
>>> ########################################################################
>>> #min passwd length = 6
>>>
>>> add user script = /usr/sbin/smbldap-useradd -a -m '%u'
>>>
>>> delete user script = /usr/sbin/smbldap-userdel '%u'
>>>
>>> add group script = /usr/sbin/smbldap-groupadd -p '%g'
>>>
>>> delete group script = /usr/sbin/smbldap-groupdel '%g'
>>>
>>> add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
>>>
>>> delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
>>>
>>> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>>>
>>> add machine script = /usr/sbin/smbldap-useradd -w '%u'
>>>
>>>
>>> ########################################################################
>>> #                                LOGONS OPTIONS                        #
>>> ########################################################################
>>> domain logons = yes
>>>
>>> logon path = \\intranet\profiles\%u
>>>
>>> logon home = \\%L\%u\.profiles
>>>
>>> logon drive = H
>>>
>>> logon script = logon.cmd
>>>
>>>
>>> #######################################################################
>>> #                               LDAP OPTIONS                          #
>>> #######################################################################
>>> ldap suffix = dc=my,dc=domain,dc=com
>>>
>>> ldap admin dn = cn=admin,dc=my,dc=domain,dc=com
>>>
>>> ldap machine suffix = ou=Computers
>>>
>>> ldap user suffix = ou=Users
>>>
>>> ldap group suffix = ou=Groups
>>>
>>> ldap idmap suffix = ou=Idmap
>>>
>>> #ldap filter = ((uid=%u)&(objectclass=sambaSamAccount))
>>>
>>> #ldap ssl = start_tls
>>>
>>> ldap passwd sync = Yes
>>>
>>> ldap delete dn = yes
>>>
>>> #ldapsam:trusted = no
>>>
>>>
>>> #######################################################################
>>> #                               WINBIND OPTIONS                       #
>>> #######################################################################
>>> idmap backend = ldap://127.0.0.1/
>>>
>>> #idmap uid = 10000-20000
>>>
>>> #idmap gid = 10000-20000
>>>
>>> #winbind separator = '\'
>>>
>>> winbind trusted domains only = yes
>>>
>>> winbind use default domain = yes
>>>
>>>
>>> #######################################################################
>>> #                               LOGS OPTIONS                          #
>>> #######################################################################
>>> log file = /var/log/samba/smb.%m
>>>
>>> #log level = 1
>>>
>>> log level = 10 auth:10 nmbd:10
>>>
>>> #max log size = 5000
>>>
>>> syslog = 0
>>>
>>>
>>> #######################################################################
>>> #                               MISC. OPTIONS                         #
>>> #######################################################################
>>> wins support = yes
>>>
>>> time server = yes
>>>
>>> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>>
>>> max xmit = 8192
>>>
>>> #getwd cache = yes
>>>
>>> name resolve order = hosts bcast
>>>
>>> inherit acls = no
>>>
>>> map acl inherit = yes
>>>
>>> server signing = mandatory
>>>
>>> dns proxy = no
>>>
>>> svcctl list = bind9 apache2 chrony cron slapd winbind dhcpd3
>>>
>>>
>>> #######################################################################
>>> #                          SHARES                                     #
>>> ########################################################################
>>> [homes]
>>> comment = User's Home
>>>
>>> writable = yes
>>>
>>> browseable = no
>>>
>>> create mask = 0700
>>>
>>> directory mask = 0700
>>>
>>>
>>> [netlogon]
>>>
>>> comment = Network Logon Service
>>>
>>> path = /home/samba/netlogon
>>>
>>> browseable = no
>>>
>>> writable = no
>>>
>>> write list = @"Domain Admins"
>>>
>>>
>>>
>>> [profiles]
>>>
>>> comment = Network Users Profiles
>>>
>>> path = /home/samba/profiles
>>>
>>> csc policy = disable
>>>
>>> writable =yes
>>>
>>> #force user = %U
>>>
>>> #valid users = %U
>>>
>>> profile acls = yes
>>>
>>> browseable = no
>>>
>>> readonly = no
>>>
>>>
>>>
>>>
>>> create mask = 0600
>>>
>>> directory mask = 0700
>>>
>>>       
>> Hrm, settings seem fine, as far as I can tell.  Have you tried the UPHClean
>> Windows Service?
>>
>> From Chapter 27. Desktop Profile Management of the Samba How-To:
>>
>>> There are certain situations that cause a cached local copy of roaming
>>> profile not to be deleted on exit, even if the policy to force such deletion
>>> is set. To deal with that situation, a special service was created. The
>>> application UPHClean (User Profile Hive Cleanup) can be installed as a
>>> service on Windows NT4/2000/XP Professional and Windows 2003.
>>>
>>> The UPHClean software package can be downloaded from the User Profile Hive
>>> Cleanup Service[7] web site.
>>
>> Chapter 27 of the Samba How-To might be worth a read.
>>
>> I'm really fuzzy as to exactly what is going on.  All you did was add a few
>> extra clients, correct?  You were deleting the roaming profile successfully
>> before this without having problems?
>>
>>  --
>> Peace and Blessings,
>> -Scott.
>>
>> "Of course, that's just my opinion; I could be wrong"
>> -Dennis Miller
>>     
>
> I think I finally found the problem, but now I don't know how to fix
> it. Googling a little, I found a few old posts related to my problem
> saying that the problem was a duplicated sambaSID entry, so I made a
> search and, guess what, all my users have the very same sambaSID, so you
> were right from the beginning about user mapping. I read that I don't have
> to map the Samba accounts to Unix, but all the users must have a
> different sambaSID, of course. I've no clue how this happened or how
> to solve it; I only assume that it's because W2K profiles are
> different from WXP, and the users that started having problems have logged
> in on both XP and 2K, am I correct? Anyway, I'll install XP on these
> computers so all my network has the same OS, but I still need
> help on how to change the users' sambaSID, because I'm not sure how this SID is
> assigned. Once again, thanks for your help.
>
> Harol Hunter
>
>   
Well, Win2K uses a different home path variable.  I think they suggest 
using something like .9xprofile or something like that for the folder.  
I think there's a section on mixed environments in the Samba guide; how 
this plays with LDAP is beyond my experience, but in theory it should 
work exactly the same as without LDAP: the backend data interface 
should not, IMHO, change the behavior of the application.  Of course, 
theory and practice don't mix so well in computer science :). 

I think you can back up your profiles and change the name of the server, 
which should break the SID.  This will invalidate EVERY account (machine 
accounts as well; you'll have to have a script for automatically adding 
machines, or create the machine accounts again), so when you add them 
back, you should get a new SID mapping for each user name.  I wouldn't 
just do this in a production environment; test it before doing it, as 
there is no way to undo it!  I'm sure there must be a more elegant way 
to do this, but I don't know it.
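The duplicate-sambaSID problem Harol describes can be found and repaired directly in the ldapsam backend, without the server rename suggested above. The script below is an added example for this thread, not code from the original posts, from Samba or from smbldap-tools. It reads the LDIF that `ldapsearch -x -LLL -b ou=Users,dc=my,dc=domain,dc=com '(objectClass=sambaSamAccount)' uid uidNumber sambaSID` produces (base DN from the smb.conf quoted above), lists every sambaSID held by more than one user, and drafts one `pdbedit -u USER -U SID` command per account that must change, using Samba's algorithmic mapping (RID = 2*uid + "algorithmic rid base", default 1000) to pick the replacement. The domain SID constant and the sample LDIF are constructed for the example; on the PDC, `net getlocalsid` prints the real domain SID. The commands are only printed, never run: review them, then run them on the PDC, and check pdbedit's `-U`/`--user-SID` option against the man page for your Samba version.

```python
"""Spot users that share a sambaSID in an ldapsam directory and draft fixes.

Added example, not from the original thread or from Samba. Run with an LDIF
path as the only argument; with no argument the constructed SAMPLE_LDIF is
used, which reproduces the symptom in the thread (one SID on several users).
"""
import sys
from collections import defaultdict

# Hypothetical domain SID for the example; `net getlocalsid` prints the real one.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
ALGORITHMIC_RID_BASE = 1000  # Samba default for "algorithmic rid base"

# Constructed sample: bob's sambaSID is a copy of alice's, carol is fine.
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=my,dc=domain,dc=com
uid: alice
uidNumber: 1001
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3002

dn: uid=bob,ou=Users,dc=my,dc=domain,dc=com
uid: bob
uidNumber: 1002
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3002

dn: uid=carol,ou=Users,dc=my,dc=domain,dc=com
uid: carol
uidNumber: 1003
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3006
"""


def parse_ldif(text):
    """Minimal LDIF reader: one {attribute: value} dict per entry.

    Folds continuation lines (leading space); base64 (`::`) values are not
    decoded, the three attributes requested here never need it.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():          # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def user_rid(uid_number):
    """RID Samba's algorithmic mapping assigns a Unix uid: 2*uid + rid base."""
    return 2 * int(uid_number) + ALGORITHMIC_RID_BASE


def find_duplicate_sids(entries):
    """Return {sambaSID: [uid, ...]} for every SID held by more than one user."""
    by_sid = defaultdict(list)
    for e in entries:
        if "sambaSID" in e:
            by_sid[e["sambaSID"]].append(e["uid"])
    return {sid: uids for sid, uids in by_sid.items() if len(uids) > 1}


def proposed_fixes(entries, domain_sid=DOMAIN_SID):
    """Draft `pdbedit -u USER -U SID` for each account whose SID must change.

    An account is touched when it shares its SID with another user or its SID
    belongs to a different domain. The user already holding the algorithmic
    SID keeps it, so a collision costs as few changes as possible. Commands
    are returned as strings and never executed.
    """
    shared = {u for uids in find_duplicate_sids(entries).values() for u in uids}
    in_use = {e.get("sambaSID") for e in entries}
    fixes = []
    for e in entries:
        sid = e.get("sambaSID", "")
        expected = f"{domain_sid}-{user_rid(e['uidNumber'])}"
        foreign = not sid.startswith(domain_sid + "-")
        if sid == expected or not (e["uid"] in shared or foreign):
            continue
        if expected in in_use:
            # Do not trade one collision for another: flag for manual review.
            fixes.append(f"# {e['uid']}: {expected} already in use, pick a free RID")
            continue
        fixes.append(f"pdbedit -u {e['uid']} -U {expected}")
    return fixes


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    entries = parse_ldif(text)
    for sid, uids in find_duplicate_sids(entries).items():
        print(f"duplicate {sid}: {' '.join(uids)}")
    for cmd in proposed_fixes(entries):
        print(cmd)
```

Because the domain SID is left untouched and only the colliding RIDs change, machine accounts and the existing profile ACLs stay valid, which the rename-the-server route would not preserve. Whatever allocated the duplicates (the thread does not establish whether it was a hand-edited LDIF, a copied entry or a tool) should be found before re-running the add user script, or the collision will come back.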


More information about the samba mailing list