[Samba] Setting up PDC w/ LDAP
awilliam at mdah.state.ms.us
Tue May 27 20:49:17 GMT 2008
no you don't need winbind, i'm using LDAP + samba + NSS_LDAP.
paste your net command and the error(s) its giving.
Daniel L. Miller wrote:
> I've almost got it. I swear I've almost got it (and I've been doing a
> lot of swearing lately).
> I re-built my PDC, starting from scratch. I'm not using the editposix
> extensions anymore - I'm using the smbldap tools as shown (I think) in
> the Samba by Example.
> I really really thought I did everything right. Obviously I was wrong.
> What works - all my workstations and logins. Add/create users, join
> workstations to domain. Just about everything.
> The last little item - winbind.
> I suppose I need to give some vitals:
> Samba 3.0.28a.
> Samba PDC - no Windows servers, no BDC's, no member servers.
> Linux and Windows XP workstations.
> OpenLDAP backend with combined Unix and Windows users (using
> LDAP-Account Manager).
> First question: under this configuration, do I need winbind at all?
> If the answer is yes, second question:
> wbinfo -t yields checking the trust secret via RPC calls succeeded
> wbinfo -u yields Error looking up domain users
> The logfile log.wb-AMFESLAN.LOCAL has
> [2008/05/27 12:17:40, 1]
> cli_pipe_validate_current_pdu: RPC fault code
> DCERPC_FAULT_OP_RNG_ERROR received from remote machine BUBBA pipe
> \lsarpc fnum 0x7169!
> logfile log.winbindd-idmap has
> [2008/05/27 12:17:40, 1] nsswitch/idmap.c:idmap_init(377)
> Initializing idmap domains
> [2008/05/27 12:17:40, 0] nsswitch/idmap.c:idmap_init(388)
> idmap_init: Ignoring domain AMFESLAN.LOCAL
> I should also mention that I can't add the built-in or local groups
> using net.
> partial output of testparm:
> Processing section "[printers]"
> Loaded services file OK.
> Server role: ROLE_DOMAIN_PDC
> Press enter to see a dump of your service definitions
> workgroup = AMFESLAN.LOCAL
> realm = AMFESLAN.LOCAL
> server string = %h server (Samba, Ubuntu)
> map to guest = Bad User
> obey pam restrictions = Yes
> passdb backend = ldapsam:ldap://localhost
> pam password change = Yes
> passwd program = /usr/sbin/smbldap-passwd -u %u
> passwd chat = *Enter\snew\s*\spassword:* %n\n
> *Retype\snew\s*\spassword:* %n\n *all*authentication*tokens*updated*
> username map = /etc/samba/smbusers
> unix password sync = Yes
> syslog = 0
> log file = /var/log/samba/log.%m
> max log size = 1000
> time server = Yes
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=20480
> add user script = /usr/sbin/smbldap-useradd -m "%u"
> delete user script = /usr/sbin/smbldap-userdel "%u"
> add group script = /usr/sbin/smbldap-groupadd -p "%g"
> delete group script = /usr/sbin/smbldap-groupdel "%g"
> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/sbin/smbldap-groupmod -x
> "%u" "%g"
> set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
> add machine script = /usr/sbin/smbldap-useradd -w "%u"
> logon script = logon.cmd
> logon path = \\%L\profiles\%U\%a
> logon drive = U:
> logon home =
> domain logons = Yes
> os level = 64
> preferred master = Yes
> domain master = Yes
> wins support = Yes
> ldap admin dn = "cn=admin,dc=amfeslan,dc=local"
> ldap delete dn = Yes
> ldap group suffix = ou=groups
> ldap idmap suffix = ou=idmap
> ldap machine suffix = ou=machines,ou=users
> ldap passwd sync = Yes
> ldap suffix = dc=amfeslan,dc=local
> ldap ssl = no
> ldap user suffix = ou=users
> panic action = /usr/share/samba/panic-action %d
> idmap backend = ldap:ldap://127.0.0.1
> idmap uid = 10000-20000
> idmap gid = 10000-20000
> winbind enum users = Yes
> winbind enum groups = Yes
> ea support = Yes
> profile acls = Yes
> veto oplock files = /*.QBW/*.qbw/*.MDB/*.mdb/
> dos filemode = Yes
> comment = All Printers
> path = /var/spool/samba
> create mask = 0700
> guest ok = Yes
> printable = Yes
> browseable = No
More information about the samba