[Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL (Added info)

Douglas Phillipson phillipd at oem.doe.gov
Mon Oct 11 11:29:35 MDT 2010


When trying to add the machine account with smb-ldap, I use the syntax:
/var/lib/samba/sbin/smbldap-useradd.pl -a -B 1 -c "Domain Trust" ECN$

I get the following error when adding the machine account:

failed to add entry:  at /var/lib/samba/sbin//smbldap_tools.pm line 
497, <DATA> line 283.

Thanks
Doug P

On 10/11/2010 09:53 AM, Douglas Phillipson wrote:
> I'm trying to establish a two way non-transitive trust between a W2003 
> A/D box and our SAMBA domain.
>
> We are using smbldap so we can log in on any of the linux boxes with 
> the same passwd.
> Samba is version 3.0.33 on Redhat Enterprise.
>
> It's easy to create the trust on the Windows side with AD Domains and 
> Trusts but on the Linux side I'm not sure if I need to put the machine 
> account locally in smb passwd or use the smbldap passwd on the LDAP 
> server.  Has anyone done this before?
>
> For the sake of example:
>
> My windows A/D domain is WECN
> My Linux Domain is LECN
>
> I've tried putting the machine account both in the local file and in 
> the LDAP passwd file, but it just doesn't work.  I've got the Samba 
> 3 HowTo book and tried lots of googled suggestions but still can't 
> seem to make this work.  Any suggestions are appreciated.  Is there an 
> easier way to do this?  My end result is to map a share on the SAMBA 
> server from a WinXP client computer that's in a W2003 domain without 
> having to put in a Linux username/password.
>
> Thanks for your time and suggestions!
> Doug P
>
> My smb.conf [global]
> -------------------------------------------------------------------------------------------------------------------------------------------------- 
>
> [global]
>         dos charset = CP850
>         unix charset = UTF-8
>         display charset = LOCALE
>         workgroup = LECN
>         realm =
>         netbios name = RSL-PDC1
>         netbios aliases =
>         netbios scope =
>         server string = Primary RSL Samba Server
>         interfaces =
>         bind interfaces only = No
>         security = USER
>         auth methods =
>         encrypt passwords = Yes
>         update encrypted = No
>         client schannel = Auto
>         server schannel = Auto
>         allow trusted domains = Yes
>
>
>         map to guest = Never
>         null passwords = No
>
>         obey pam restrictions = Yes
>         password server = *
>         smb passwd file = /etc/samba/smbpasswd
>         private dir = /etc/samba
>         passdb backend = ldapsam:"ldap://127.0.0.1"
>         algorithmic rid base = 1000
>         root directory =
>         guest account = smbguest
>
>         passwd chat debug = No
>         passwd program = /usr/sbin/smbldap-passwd -u %u
>         passwd chat = "Changing UNIX password for*\nNew password*" 
> %n\n "*Retype new password*" %n\n"
>         passwd chat timeout = 2
>         check password script = /usr/sbin/crackcheck -c -d  
> /usr/lib/cracklib_dict
>         username map =
>         password level = 0
>         username level = 0
>         unix password sync = Yes
>         ntlm auth = Yes
>         restrict anonymous = Yes
>         lanman auth = No
>         ;ntlm auth = No
>         client NTLMv2 auth = Yes
>         client lanman auth = No
>         client plaintext auth = No
>         preload modules =
>         use kerberos keytab = No
>
>         log level = 3 vfs:1
>         syslog = 0
>         syslog only = No
>         log file = /var/log/samba/%m.log
>         max log size = 500000
>         debug timestamp = Yes
>         debug hires timestamp = No
>         debug pid = No
>         debug uid = No
>         smb ports = 139
>         large readwrite = Yes
>         max protocol = NT1
>         min protocol = CORE
>         read bmpx = No
>         read raw = Yes
>         write raw = Yes
>         disable netbios = No
>         acl compatibility =
>         defer sharing violations = Yes
>         nt pipe support = Yes
>         nt status support = Yes
>         announce version = 4.9
>         announce as = NT
>         max mux = 50
>         max xmit = 65535
>         name resolve order = wins hosts bcast
>         max ttl = 259200
>         max wins ttl = 518400
>         min wins ttl = 21600
>         time server = Yes
>         unix extensions = Yes
>         use spnego = Yes
>         client signing = auto
>         server signing = No
>         client use spnego = Yes
>         ;change notify timeout = 60
>         deadtime = 15
>         getwd cache = Yes
>         keepalive = 300
>         kernel change notify = Yes
>         lpq cache time = 30
>         max smbd processes = 0
>         paranoid server security = Yes
>         max disk size = 0
>         max open files = 10000
>         socket options = TCP_NODELAY SO_KEEPALIVE IPTOS_LOWDELAY
>         use mmap = Yes
>         hostname lookups = No
>         name cache timeout = 660
>         load printers = Yes
>         printcap cache time = 0
>         printcap name = cups
>         cups server =
>         disable spoolss = No
>         enumports command =
>         addprinter command =
>         deleteprinter command =
>         show add printer wizard = Yes
>         os2 driver map =
>         mangling method = hash2
>         mangle prefix = 1
>         stat cache = Yes
>         machine password timeout = 604800
>         add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m 
> '%u'
>         delete user script = /var/lib/samba/sbin/smbldap-userdel.pl '%u'
>         add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p 
> '%g'
>         delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl 
> -p '%g'
>         add user to group script = 
> /var/lib/samba/sbin/smbldap-groupmod.pl -m '%u' '%g'
>         delete user from group script = 
> /var/lib/samba/sbin/smbldap-groupmod.pl -x '%u' '%g'
>         set primary group script = 
> /var/lib/samba/sbin/smbldap-groupmod.pl -g '%u' '%g'
>         add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w 
> '%u'
>         shutdown script =
>         abort shutdown script =
>         logon script = logon.bat
>         logon path = \\%L\Profiles\%U
>         logon drive = H:
>         logon home = \\%L\%U
>         domain logons = Yes
>         os level = 65
>         lm announce = Auto
>         lm interval = 60
>         preferred master = Yes
>         local master = Yes
>         domain master = No
>         browse list = Yes
>         enhanced browsing = Yes
>         dns proxy = No
>         wins proxy = No
>         wins server = 172.30.10.107
>         wins support = No
>         wins hook =
>         ;wins partners =
>         kernel oplocks = Yes
>         ;lock spin count = 3
>         lock spin time = 10
>         oplock break wait time = 0
>         ldap admin dn = cn=Manager,dc=oem,dc=doe,dc=gov
>         ldap delete dn = No
>         ;ldap filter = (uid=%u)
>         ldap group suffix = ou=Groups
>         ldap idmap suffix = ou=Idmap
>         ldap machine suffix = ou=Computers
>         ldap passwd sync = yes
>         ldap replication sleep = 1000
>         ldap suffix = dc=oem,dc=doe,dc=gov
>         ldap ssl = start tls
>         ldap timeout = 15
>         ldap user suffix = ou=People
>         add share command =
>         change share command =
>         delete share command =
>         config file =
>         preload =
>         lock directory = /var/cache/samba
>         pid directory = /var/run
>         utmp directory =
>         wtmp directory =
>         utmp = Yes
>         default service =
>         message command =
>         dfree command =
>         get quota command =
>         set quota command =
>         remote announce =
>         remote browse sync =
>         socket address = 0.0.0.0
>         homedir map = auto.home
>         afs username map =
>         time offset = 0
>         NIS homedir = No
>         panic action =
>         host msdfs = No
>         #enable rid algorithm = Yes
>         idmap backend = ldap://127.0.0.1
>         idmap uid = 10000-20000
>         idmap gid = 10000-20000
>         template homedir = /home/%D/%U
>         template shell = /bin/false
>         #winbind separator = \
>         winbind cache time = 300
>         ;winbind enable local accounts = No
>         winbind enum users = Yes
>         winbind enum groups = Yes
>         winbind use default domain = No
>         winbind trusted domains only = No
>         winbind nested groups = No
>         comment =
>         path =
>         username =
>         invalid users = bin daemon adm sync shutdown halt mail news 
> uucp operator gopher nobody smbguest
>         valid users =
>         admin users = root
>         read list =
>         write list =
>         ;printer admin =
>         force user =
>         force group =
>         read only = Yes
>         create mask = 0744
>         force create mode = 00
>         security mask = 0777
>         force security mode = 00
>         directory mask = 0755
>         force directory mode = 00
>         directory security mask = 0777
>         force directory security mode = 00
>         force unknown acl user = No
>         inherit permissions = No
>         inherit acls = No
>         guest only = No
>         guest ok = No
>         #only user = No
>         hosts allow = 127.0.0.0/8, 172.30.0.0/16, 172.25.0.0/16, 
> 172.20.0.0/16
>         hosts deny = 172.30.20.0/24, 172.20.20.0/24
>         ea support = No
>         nt acl support = Yes
>         profile acls = No
>         map acl inherit = Yes
>         afs share = No
>         block size = 1024
>         max connections = 0
>         min print space = 0
>         strict allocate = No
>         strict sync = No
>         sync always = No
>         use sendfile = No
>         max reported print jobs = 0
>         max print jobs = 1000
>         printable = No
>         printing = cups
>         cups options =
>         print command =
>         lpq command =
>         lprm command =
>         lppause command =
>         lpresume command =
>         queuepause command =
>         queueresume command =
>         printer name =
>         use client driver = No
>         default devmode = No
>         force printername = No
>         default case = lower
>         case sensitive = Auto
>         preserve case = Yes
>         short preserve case = Yes
>         mangling char = ~
>         hide dot files = Yes
>         hide special files = No
>         hide unreadable = No
>         hide unwriteable files = No
>         delete veto files = No
>         veto files =
>         hide files =
>         veto oplock files =
>         map system = No
>         map hidden = No
>         map archive = Yes
>         mangled names = Yes
>         #mangled map =
>         store dos attributes = No
>         browseable = Yes
>         blocking locks = Yes
>         csc policy = manual
>         fake oplocks = No
>         locking = Yes
>         oplocks = Yes
>         level2 oplocks = Yes
>         oplock contention limit = 2
>         posix locking = Yes
>         strict locking = No
>         share modes = Yes
>         #copy =
>         #include =
>         preexec =
>         preexec close = No
>         available = Yes
>         volume =
>         fstype = NTFS
>         set directory = No
>         wide links = Yes
>         follow symlinks = Yes
>         dont descend =
>         magic script =
>         magic output =
>         delete readonly = No
>         dos filemode = No
>         dos filetimes = No
>         dos filetime resolution = No
>         fake directory create times = No
>         vfs objects =
>
>


