Joe Kraft jvk-list at thekrafts.org
Mon Mar 30 01:58:13 GMT 2009

I'm testing out a new Samba setup to hopefully replace my aging Win2k
domain.  I've got some of it working: 
  - My PDC (shadow) seems to be working on the CASA domain with an LDAP
  - nss_ldap and pam_ldap are working on shadow
  - I can run wbinfo -u and get the user info from LDAP on shadow.
  - I can run wbinfo -a username%password and authenticate a user on shadow.

I can run getent passwd and getent group and see the local users/groups as
well as the ones in the ldap directory but if I change /etc/nsswitch.conf
to only use winbind for passwd, I get nothing.

I see the following message in all of the winbind logs
[2009/03/29 09:03:26,  1]
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from remote machine SHADOW pipe \lsarpc fnum 0x71a5!

this message appears over and over in log.winbindd
[2009/03/29 21:46:00,  2] winbindd/winbindd.c:remove_client(761)
  final write to client failed: Broken pipe

Are either of those messages familiar to anyone?  Are they something I need
to follow up on?  Are they an indicator of something I don't have
configured correctly?

I'm learning a lot in the process, but I'm kind of running out of ideas for
what I need to do to get winbind to work on the PDC.  I'm also seeing the
same set of errors from every client I've built.  I used the same
smb.conf with localhost changed to shadow.casa.local and the security
changed from user to domain.

If anyone can let me know what I don't have configured correctly please let
me know.


All servers are running FreeBSD 7.1, and Samba 3.2.8.

settings from SHADOW:
shadow# testparm
Load smb config files from /usr/local/etc/smb.conf
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[printers]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

        workgroup = CASA
        server string = Shadow, the Casa PDC
        passdb backend = ldapsam:ldap://shadow.casa.local
        log level = 2
        log file = /var/log/samba/log.%m
        max log size = 50
        time server = Yes
        add user script = /usr/local/sbin/smbldap-useradd -m "%u"
        add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
        add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
        add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
        logon path = \\eberon\Profiles\%U
        domain logons = Yes
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap admin dn = cn=samba,ou=DSA,dc=casa,dc=local
        ldap group suffix = ou=group
        ldap machine suffix = ou=machine
        ldap passwd sync = Yes
        ldap suffix = dc=casa,dc=local
        ldap user suffix = ou=accounts,ou=people
        idmap domains = ALLDOMAINS
        idmap alloc backend = ldap
        idmap alloc config:range = 10000 - 20000
        idmap alloc config:ldap_user_dn = cn=samba,ou=DSA,dc=casa,dc=local
        idmap alloc config:ldap_url = ldap://shadow.casa.local/
        idmap alloc config:ldap_base_dn = ou=Idmap,dc=casa,dc=local
        idmap config ALLDOMAINS:range = 10000 - 20000
        idmap config ALLDOMAINS:ldap_url = ldap://localhost/
        idmap config ALLDOMAINS:ldap_base_dn = ou=Idmap,dc=casa,dc=local
        idmap config ALLDOMAINS:backend = ldap
        idmap config ALLDOMAINS:default = yes

        comment = Home Directories
        read only = No
        browseable = No

        comment = Network Logon Service
        path = /usr/local/samba/lib/netlogon
        guest ok = Yes
        share modes = No

        comment = All Printers
        path = /var/spool/samba
        printable = Yes
        browseable = No
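Added example, not part of the post above: a small parser for the Samba 3.x log entry format quoted in the message (a `[date time, level] optional file:function(line)` header followed by indented message lines), which tallies the RPC fault codes and the "Broken pipe" client disconnects so that recurring entries in log.winbindd can be counted rather than read one by one. The SAMPLE_LOG lines are constructed to mirror the entries in the post; the function names are this example's own.

```python
import re
from collections import Counter

# Samba 3.x header line: "[YYYY/MM/DD HH:MM:SS, level] optional source:function(line)"
HEADER_RE = re.compile(
    r'^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}),\s*(?P<level>\d+)\]'
    r'(?:\s+(?P<where>\S+))?\s*$'
)
# DCE/RPC fault codes as printed by cli_pipe_validate_current_pdu
FAULT_RE = re.compile(r'RPC fault code (?P<code>DCERPC_FAULT_\w+)')

# Constructed sample in the format of the log lines quoted in the post.
SAMPLE_LOG = """\
[2009/03/29 09:03:26,  1]
  cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from remote machine SHADOW pipe \\lsarpc fnum 0x71a5!
[2009/03/29 21:46:00,  2] winbindd/winbindd.c:remove_client(761)
  final write to client failed: Broken pipe
[2009/03/29 21:46:05,  2] winbindd/winbindd.c:remove_client(761)
  final write to client failed: Broken pipe
"""


def parse_samba_log(text):
    """Return a list of entries (ts, level, where, message).

    A header line opens a new entry; the indented lines that follow it are
    joined into that entry's message. 'where' is None when the header has
    no file:function(line) part, as in the lsarpc fault line above."""
    entries = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            entries.append({"ts": m.group("ts"), "level": int(m.group("level")),
                            "where": m.group("where"), "message": ""})
        elif entries:
            sep = " " if entries[-1]["message"] else ""
            entries[-1]["message"] += sep + line.strip()
    return entries


def summarize(entries):
    """Count RPC fault codes and 'Broken pipe' client disconnects."""
    faults = Counter()
    broken_pipe = 0
    for e in entries:
        fm = FAULT_RE.search(e["message"])
        if fm:
            faults[fm.group("code")] += 1
        if "Broken pipe" in e["message"]:
            broken_pipe += 1
    return {"faults": dict(faults), "broken_pipe": broken_pipe, "total": len(entries)}
```

Feed it a real log with `summarize(parse_samba_log(open("/var/log/samba/log.winbindd").read()))` to see how often each fault code and disconnect actually recurs.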
