[Samba] Setting up PDC w/ LDAP
Daniel L. Miller
dmiller at amfes.com
Tue May 27 19:22:15 GMT 2008
I've almost got it. I swear I've almost got it (and I've been doing a
lot of swearing lately).
I re-built my PDC, starting from scratch. I'm not using the editposix
extensions anymore - I'm using the smbldap tools as shown (I think) in
the Samba by Example.
I really really thought I did everything right. Obviously I was wrong.
What works - all my workstations and logins. Add/create users, join
workstations to domain. Just about everything.
The last little item - winbind.
I suppose I need to give some vitals:
Samba 3.0.28a.
Samba PDC - no Windows servers, no BDCs, no member servers.
Linux and Windows XP workstations.
OpenLDAP backend with combined Unix and Windows users (using
LDAP-Account Manager).
First question: under this configuration, do I need winbind at all?
If the answer is yes, second question:
wbinfo -t yields checking the trust secret via RPC calls succeeded
wbinfo -u yields Error looking up domain users
The logfile log.wb-AMFESLAN.LOCAL has
[2008/05/27 12:17:40, 1]
rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
cli_pipe_validate_current_pdu: RPC fault code
DCERPC_FAULT_OP_RNG_ERROR received from remote machine BUBBA pipe
\lsarpc fnum 0x7169!
logfile log.winbindd-idmap has
[2008/05/27 12:17:40, 1] nsswitch/idmap.c:idmap_init(377)
Initializing idmap domains
[2008/05/27 12:17:40, 0] nsswitch/idmap.c:idmap_init(388)
idmap_init: Ignoring domain AMFESLAN.LOCAL
I should also mention that I can't add the built-in or local groups
using net.
partial output of testparm:
Processing section "[printers]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
[global]
workgroup = AMFESLAN.LOCAL
realm = AMFESLAN.LOCAL
server string = %h server (Samba, Ubuntu)
map to guest = Bad User
obey pam restrictions = Yes
passdb backend = ldapsam:ldap://localhost
pam password change = Yes
passwd program = /usr/sbin/smbldap-passwd -u %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *all*authentication*tokens*updated*
username map = /etc/samba/smbusers
unix password sync = Yes
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
time server = Yes
socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=20480 SO_SNDBUF=20480
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
logon script = logon.cmd
logon path = \\%L\profiles\%U\%a
logon drive = U:
logon home =
domain logons = Yes
os level = 64
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = "cn=admin,dc=amfeslan,dc=local"
ldap delete dn = Yes
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=machines,ou=users
ldap passwd sync = Yes
ldap suffix = dc=amfeslan,dc=local
ldap ssl = no
ldap user suffix = ou=users
panic action = /usr/share/samba/panic-action %d
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind enum users = Yes
winbind enum groups = Yes
ea support = Yes
profile acls = Yes
veto oplock files = /*.QBW/*.qbw/*.MDB/*.mdb/
dos filemode = Yes
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
guest ok = Yes
printable = Yes
browseable = No
--
Daniel
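Added example, not part of the original post or of Samba itself: a small parser for the Samba 3.x debug log layout quoted above (a `[date time, level] file:function(line)` header followed by indented message lines), with a check that flags the two symptoms the post reports, the DCERPC_FAULT_OP_RNG_ERROR from the LSA pipe and the idmap domain being ignored. The sample log text is reconstructed from the excerpts in the post, with the indentation Samba normally writes.

```python
import re
from dataclasses import dataclass

# Samba 3.x header line: "[YYYY/MM/DD HH:MM:SS, level] file:function(line)"
HEADER = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+:\S+\(\d+\))$"
)

# Constructed sample, rebuilt from the log.wb-* and log.winbindd-idmap excerpts.
SAMPLE_LOG = """\
[2008/05/27 12:17:40, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from remote machine BUBBA pipe \\lsarpc fnum 0x7169!
[2008/05/27 12:17:40, 1] nsswitch/idmap.c:idmap_init(377)
  Initializing idmap domains
[2008/05/27 12:17:40, 0] nsswitch/idmap.c:idmap_init(388)
  idmap_init: Ignoring domain AMFESLAN.LOCAL
"""

@dataclass
class Entry:
    timestamp: str
    level: int
    location: str   # file:function(line) as written by Samba
    message: str    # continuation lines joined with single spaces

def parse_samba_log(text):
    """Split a Samba debug log into Entry objects, one per header line."""
    entries, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            if current is not None:
                entries.append(current)
            current = Entry(m.group(1), int(m.group(2)), m.group(3), "")
        elif current is not None and line.strip():
            current.message = (current.message + " " + line.strip()).strip()
    if current is not None:
        entries.append(current)
    return entries

def winbind_findings(entries):
    """Return (kind, detail) pairs for the two symptoms seen in the post."""
    findings = []
    for e in entries:
        if "DCERPC_FAULT_OP_RNG_ERROR" in e.message:
            findings.append(("rpc_fault", e.location))
        if "idmap_init: Ignoring domain" in e.message:
            findings.append(("idmap_domain_ignored", e.message.split()[-1]))
    return findings
```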