[Samba] Domain trusts with W2003 and SAMBA 3.0.33 on RHEL (Added info)

Douglas Phillipson phillipd at oem.doe.gov
Mon Oct 11 11:43:00 MDT 2010


oops, should be using a machine arg, tried:
/var/lib/samba/sbin/smbldap-useradd.pl -w -c "Domain Trust" ECN$

Still get error:

failed to add entry:  at /var/lib/samba/sbin//smbldap_tools.pm line 
497, <DATA> line 283.

Doug P

On 10/11/2010 10:29 AM, Douglas Phillipson wrote:
> When trying to add the machine account with smb-ldap, I use the syntax:
> /var/lib/samba/sbin/smbldap-useradd.pl -a -B 1 -c "Domain Trust" ECN$
>
> I get the following error when adding the machine account:
>
> failed to add entry:  at /var/lib/samba/sbin//smbldap_tools.pm line 
> 497, <DATA> line 283.
>
> Thanks
> Doug P
>
> On 10/11/2010 09:53 AM, Douglas Phillipson wrote:
>> I'm trying to establish a two way non-transitive trust between a 
>> W2003 A/D box and our SAMBA domain.
>>
>> We are using smbldap so we can log in on any of the linux boxes with 
>> the same passwd.
>> Samba is version 3.0.33 on Redhat Enterprise.
>>
>> It's easy to create the trust on the Windows side with AD Domains and 
>> Trusts but on the Linux side I'm not sure if I need to put the 
>> machine account locally in smb passwd or use the smbldap passwd on 
>> the LDAP server.  Has anyone done this before?
>>
>> For the sake of example:
>>
>> My windows A/D domain is WECN
>> My Linux Domain is LECN
>>
>> I've tried several ways of putting the machine account both in the local 
>> file and the LDAP passwd file but it just doesn't work.  I've got the 
>> Samba 3 HowTo book and tried lots of googled suggestions but still 
>> can't seem to make this work.  Any suggestions are appreciated.  Is 
>> there an easier way to do this?  My end result is to map a share on 
>> the SAMBA server from a WinXP client computer that's in a W2003 domain 
>> without having to put in a Linux username/password.
>>
>> Thanks for your time and suggestions!
>> Doug P
>>
>> My smb.conf [global]
>> -------------------------------------------------------------------------------------------------------------------------------------------------- 
>>
>> [global]
>>         dos charset = CP850
>>         unix charset = UTF-8
>>         display charset = LOCALE
>>         workgroup = LECN
>>         realm =
>>         netbios name = RSL-PDC1
>>         netbios aliases =
>>         netbios scope =
>>         server string = Primary RSL Samba Server
>>         interfaces =
>>         bind interfaces only = No
>>         security = USER
>>         auth methods =
>>         encrypt passwords = Yes
>>         update encrypted = No
>>         client schannel = Auto
>>         server schannel = Auto
>>         allow trusted domains = Yes
>>
>>
>>         map to guest = Never
>>         null passwords = No
>>
>>         obey pam restrictions = Yes
>>         password server = *
>>         smb passwd file = /etc/samba/smbpasswd
>>         private dir = /etc/samba
>>         passdb backend = ldapsam:"ldap://127.0.0.1"
>>         algorithmic rid base = 1000
>>         root directory =
>>         guest account = smbguest
>>
>>         passwd chat debug = No
>>         passwd program = /usr/sbin/smbldap-passwd -u %u
>>         passwd chat = "Changing UNIX password for*\nNew password*" 
>> %n\n "*Retype new password*" %n\n"
>>         passwd chat timeout = 2
>>         check password script = /usr/sbin/crackcheck -c -d  
>> /usr/lib/cracklib_dict
>>         username map =
>>         password level = 0
>>         username level = 0
>>         unix password sync = Yes
>>         ntlm auth = Yes
>>         restrict anonymous = Yes
>>         lanman auth = No
>>         ;ntlm auth = No
>>         client NTLMv2 auth = Yes
>>         client lanman auth = No
>>         client plaintext auth = No
>>         preload modules =
>>         use kerberos keytab = No
>>
>>         log level = 3 vfs:1
>>         syslog = 0
>>         syslog only = No
>>         log file = /var/log/samba/%m.log
>>         max log size = 500000
>>         debug timestamp = Yes
>>         debug hires timestamp = No
>>         debug pid = No
>>         debug uid = No
>>         smb ports = 139
>>         large readwrite = Yes
>>         max protocol = NT1
>>         min protocol = CORE
>>         read bmpx = No
>>         read raw = Yes
>>         write raw = Yes
>>         disable netbios = No
>>         acl compatibility =
>>         defer sharing violations = Yes
>>         nt pipe support = Yes
>>         nt status support = Yes
>>         announce version = 4.9
>>         announce as = NT
>>         max mux = 50
>>         max xmit = 65535
>>         name resolve order = wins hosts bcast
>>         max ttl = 259200
>>         max wins ttl = 518400
>>         min wins ttl = 21600
>>         time server = Yes
>>         unix extensions = Yes
>>         use spnego = Yes
>>         client signing = auto
>>         server signing = No
>>         client use spnego = Yes
>>         ;change notify timeout = 60
>>         deadtime = 15
>>         getwd cache = Yes
>>         keepalive = 300
>>         kernel change notify = Yes
>>         lpq cache time = 30
>>         max smbd processes = 0
>>         paranoid server security = Yes
>>         max disk size = 0
>>         max open files = 10000
>>         socket options = TCP_NODELAY SO_KEEPALIVE IPTOS_LOWDELAY
>>         use mmap = Yes
>>         hostname lookups = No
>>         name cache timeout = 660
>>         load printers = Yes
>>         printcap cache time = 0
>>         printcap name = cups
>>         cups server =
>>         disable spoolss = No
>>         enumports command =
>>         addprinter command =
>>         deleteprinter command =
>>         show add printer wizard = Yes
>>         os2 driver map =
>>         mangling method = hash2
>>         mangle prefix = 1
>>         stat cache = Yes
>>         machine password timeout = 604800
>>         add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a 
>> -m '%u'
>>         delete user script = /var/lib/samba/sbin/smbldap-userdel.pl '%u'
>>         add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p 
>> '%g'
>>         delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl 
>> -p '%g'
>>         add user to group script = 
>> /var/lib/samba/sbin/smbldap-groupmod.pl -m '%u' '%g'
>>         delete user from group script = 
>> /var/lib/samba/sbin/smbldap-groupmod.pl -x '%u' '%g'
>>         set primary group script = 
>> /var/lib/samba/sbin/smbldap-groupmod.pl -g '%u' '%g'
>>         add machine script = /var/lib/samba/sbin/smbldap-useradd.pl 
>> -w '%u'
>>         shutdown script =
>>         abort shutdown script =
>>         logon script = logon.bat
>>         logon path = \\%L\Profiles\%U
>>         logon drive = H:
>>         logon home = \\%L\%U
>>         domain logons = Yes
>>         os level = 65
>>         lm announce = Auto
>>         lm interval = 60
>>         preferred master = Yes
>>         local master = Yes
>>         domain master = No
>>         browse list = Yes
>>         enhanced browsing = Yes
>>         dns proxy = No
>>         wins proxy = No
>>         wins server = 172.30.10.107
>>         wins support = No
>>         wins hook =
>>         ;wins partners =
>>         kernel oplocks = Yes
>>         ;lock spin count = 3
>>         lock spin time = 10
>>         oplock break wait time = 0
>>         ldap admin dn = cn=Manager,dc=oem,dc=doe,dc=gov
>>         ldap delete dn = No
>>         ;ldap filter = (uid=%u)
>>         ldap group suffix = ou=Groups
>>         ldap idmap suffix = ou=Idmap
>>         ldap machine suffix = ou=Computers
>>         ldap passwd sync = yes
>>         ldap replication sleep = 1000
>>         ldap suffix = dc=oem,dc=doe,dc=gov
>>         ldap ssl = start tls
>>         ldap timeout = 15
>>         ldap user suffix = ou=People
>>         add share command =
>>         change share command =
>>         delete share command =
>>         config file =
>>         preload =
>>         lock directory = /var/cache/samba
>>         pid directory = /var/run
>>         utmp directory =
>>         wtmp directory =
>>         utmp = Yes
>>         default service =
>>         message command =
>>         dfree command =
>>         get quota command =
>>         set quota command =
>>         remote announce =
>>         remote browse sync =
>>         socket address = 0.0.0.0
>>         homedir map = auto.home
>>         afs username map =
>>         time offset = 0
>>         NIS homedir = No
>>         panic action =
>>         host msdfs = No
>>         #enable rid algorithm = Yes
>>         idmap backend = ldap://127.0.0.1
>>         idmap uid = 10000-20000
>>         idmap gid = 10000-20000
>>         template homedir = /home/%D/%U
>>         template shell = /bin/false
>>         #winbind separator = \
>>         winbind cache time = 300
>>         ;winbind enable local accounts = No
>>         winbind enum users = Yes
>>         winbind enum groups = Yes
>>         winbind use default domain = No
>>         winbind trusted domains only = No
>>         winbind nested groups = No
>>         comment =
>>         path =
>>         username =
>>         invalid users = bin daemon adm sync shutdown halt mail news 
>> uucp operator gopher nobody smbguest
>>         valid users =
>>         admin users = root
>>         read list =
>>         write list =
>>         ;printer admin =
>>         force user =
>>         force group =
>>         read only = Yes
>>         create mask = 0744
>>         force create mode = 00
>>         security mask = 0777
>>         force security mode = 00
>>         directory mask = 0755
>>         force directory mode = 00
>>         directory security mask = 0777
>>         force directory security mode = 00
>>         force unknown acl user = No
>>         inherit permissions = No
>>         inherit acls = No
>>         guest only = No
>>         guest ok = No
>>         #only user = No
>>         hosts allow = 127.0.0.0/8, 172.30.0.0/16, 172.25.0.0/16, 
>> 172.20.0.0/16
>>         hosts deny = 172.30.20.0/24, 172.20.20.0/24
>>         ea support = No
>>         nt acl support = Yes
>>         profile acls = No
>>         map acl inherit = Yes
>>         afs share = No
>>         block size = 1024
>>         max connections = 0
>>         min print space = 0
>>         strict allocate = No
>>         strict sync = No
>>         sync always = No
>>         use sendfile = No
>>         max reported print jobs = 0
>>         max print jobs = 1000
>>         printable = No
>>         printing = cups
>>         cups options =
>>         print command =
>>         lpq command =
>>         lprm command =
>>         lppause command =
>>         lpresume command =
>>         queuepause command =
>>         queueresume command =
>>         printer name =
>>         use client driver = No
>>         default devmode = No
>>         force printername = No
>>         default case = lower
>>         case sensitive = Auto
>>         preserve case = Yes
>>         short preserve case = Yes
>>         mangling char = ~
>>         hide dot files = Yes
>>         hide special files = No
>>         hide unreadable = No
>>         hide unwriteable files = No
>>         delete veto files = No
>>         veto files =
>>         hide files =
>>         veto oplock files =
>>         map system = No
>>         map hidden = No
>>         map archive = Yes
>>         mangled names = Yes
>>         #mangled map =
>>         store dos attributes = No
>>         browseable = Yes
>>         blocking locks = Yes
>>         csc policy = manual
>>         fake oplocks = No
>>         locking = Yes
>>         oplocks = Yes
>>         level2 oplocks = Yes
>>         oplock contention limit = 2
>>         posix locking = Yes
>>         strict locking = No
>>         share modes = Yes
>>         #copy =
>>         #include =
>>         preexec =
>>         preexec close = No
>>         available = Yes
>>         volume =
>>         fstype = NTFS
>>         set directory = No
>>         wide links = Yes
>>         follow symlinks = Yes
>>         dont descend =
>>         magic script =
>>         magic output =
>>         delete readonly = No
>>         dos filemode = No
>>         dos filetimes = No
>>         dos filetime resolution = No
>>         fake directory create times = No
>>         vfs objects =
>>
>>
>


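As an added example that is not part of the thread, a POSIX shell check of the smb.conf [global] settings a Samba 3 interdomain trust depends on, plus two authentication-hardening notes. The sample config is constructed from values quoted above; the key names are the real smb.conf parameters.

```shell
#!/bin/sh
# Added example (not from the mail thread): check the [global] settings that a
# Samba 3 interdomain trust depends on and flag two weaker-auth settings.
# SAMPLE_CONF is constructed from values quoted in the thread.
set -e

SAMPLE_CONF='[global]
        workgroup = LECN
        security = USER
        allow trusted domains = Yes
        domain logons = Yes
        lanman auth = No
        ntlm auth = Yes
        server signing = No
        ldap ssl = start tls'

lc() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# smb_get CONF KEY: value of KEY in [global] (key matched case-insensitively,
# surrounding whitespace trimmed); prints nothing if the key is absent.
smb_get() {
    printf '%s\n' "$1" | awk -v key="$(lc "$2")" '
        /^[ \t]*\[/ { sect = tolower($0); gsub(/[^a-z]/, "", sect); next }
        sect == "global" && index($0, "=") > 0 {
            p = index($0, "="); k = substr($0, 1, p - 1); v = substr($0, p + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) { print v; exit }
        }'
}

# smb_trust_audit CONF: one line per finding, then "blockers=N warnings=M".
# Blockers stop the trust outright; warnings only weaken authentication.
smb_trust_audit() {
    conf=$1; blockers=0; warnings=0
    [ "$(lc "$(smb_get "$conf" security)")" = user ] ||
        { echo "BLOCKER: security = user is required on a Samba 3 PDC"; blockers=$((blockers + 1)); }
    [ "$(lc "$(smb_get "$conf" 'domain logons')")" = yes ] ||
        { echo "BLOCKER: domain logons = Yes is required (Samba must be the PDC)"; blockers=$((blockers + 1)); }
    # 'allow trusted domains' defaults to Yes, so only an explicit No is a blocker.
    [ "$(lc "$(smb_get "$conf" 'allow trusted domains')")" != no ] ||
        { echo "BLOCKER: allow trusted domains = No rejects logons from the trusted domain"; blockers=$((blockers + 1)); }
    [ "$(lc "$(smb_get "$conf" 'lanman auth')")" = no ] ||
        { echo "WARNING: lanman auth is not explicitly No; weak LM responses may be accepted"; warnings=$((warnings + 1)); }
    [ "$(lc "$(smb_get "$conf" 'server signing')")" = mandatory ] ||
        { echo "WARNING: server signing is not mandatory; SMB sessions may go unsigned"; warnings=$((warnings + 1)); }
    echo "blockers=$blockers warnings=$warnings"
}

smb_trust_audit "$SAMPLE_CONF"
```

Samba 3's own commands for the trust account are `net rpc trustdom add DOMAIN password` (Samba as the trusted domain) and `net rpc trustdom establish DOMAIN` (Samba as the trusting domain).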
