[Samba] problem joining WinXP machine to samba PDC+LDAP environment

Mike Brady mike.brady at devnull.net.nz
Thu Feb 24 01:25:09 MST 2011


Quoting Daniel Müller <mueller at tropenklinik.de>:

> I had a test system running with the same rpms. Did the setup as described
> and could not change user passwords and sync things the
> way it should to my ldap slave. In the end I recognized I had to run winbind
> on the pdc!?
> And after all I was missing a real step by step setup. So I returned to
> samba/ldap smbldap-tools setting up my system in an hour (Master - Master
> Replication).
> If you can post your editposix setup to me I would try a second time :-)
>
> -----------------------------------------------
> EDV Daniel Müller
>
> Leitung EDV
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
>
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: mueller at tropenklinik.de
> Internet: www.tropenklinik.de
> -----------------------------------------------
>
> -----Ursprüngliche Nachricht-----
> Von: Mike Brady [mailto:mike.brady at devnull.net.nz]
> Gesendet: Mittwoch, 23. Februar 2011 19:18
> An: mueller at tropenklinik.de
> Cc: 'Jon Detert'; samba at lists.samba.org
> Betreff: Re: AW: [Samba] problem joining WinXP machine to samba PDC+LDAP
> environment
>
> Quoting Daniel Müller <mueller at tropenklinik.de>:
>
>> "ldapsam:editposix" is, as far as I can tell, not a good solution. Whenever I tried
>> this it did not work right. And there is nowhere a good and new howto about this
>> feature. No description goes into the depth.
>>
>> -----------------------------------------------
>> EDV Daniel Müller
>>
>> Leitung EDV
>> Tropenklinik Paul-Lechler-Krankenhaus
>> Paul-Lechler-Str. 24
>> 72076 Tübingen
>>
>> Tel.: 07071/206-463, Fax: 07071/206-499
>> eMail: mueller at tropenklinik.de
>> Internet: www.tropenklinik.de
>> -----------------------------------------------
>> -----Ursprüngliche Nachricht-----
>> Von: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
>> Im Auftrag von Mike Brady
>> Gesendet: Mittwoch, 23. Februar 2011 09:17
>> An: Jon Detert
>> Cc: samba at lists.samba.org
>> Betreff: Re: [Samba] problem joining WinXP machine to samba PDC+LDAP
>> environment
>>
>> Quoting Jon Detert <jdetert at infinityhealthcare.com>:
>>
>>> On Mon, Feb 21, 2011 at 4:15 PM, Mike Brady
>>> <mike.brady at devnull.net.nz> wrote:
>>>> Quoting Jon Detert <jdetert at infinityhealthcare.com>:
>>>>
>>>>> Hello,
>>>>>
>>>>> I can't join a winxp box to my samba domain.  I just have one samba
>>>>> server, meant to act as a PDC for domain='CHI'.
>>>>> Any ideas how to troubleshoot and/or remedy?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Jon
>>>>>
>>>>> Context:
>>>>> ------------
>>>>> samba v3.3.8 on CentOS v5.5, using ldapsam backend.  Domainname ='CHI'.
>>>>> smbldap-tools v0.9.6.
>>>>> I 'populated' the ldap with 'smbldap-populate'.
>>>>>
>>>>> I try to join the winxp box, authenticating to the domain as user
>>>>> 'jdetert', which is a member of the 'Administrators' group:
>>>>> # smbldap-groupshow Administrators
>>>>> dn: cn=Administrators,ou=Groups,dc=infinityhealthcare,dc=com
>>>>> objectClass: top,posixGroup,sambaGroupMapping
>>>>> gidNumber: 544
>>>>> cn: Administrators
>>>>> description: Netbios Domain Members can fully administer the
>>>>> computer/sambaDomainName
>>>>> sambaSID: S-1-5-32-544
>>>>> sambaGroupType: 5
>>>>> displayName: Administrators
>>>>> memberUid: jdetert,root
>>>>>
>>>>> What happens:
>>>>> ----------------------
>>>>> a failure dialog window pops up on the winxp box with this message:
>>>>> 'The following error occurred attempting to join the domain "CHI":
>>>>> The user name could not be found.'
>>>
>>> -- snip --
>>>
>>>> I am working through a similar setup at the moment.
>>>>
>>>> Looking at the smbldap-useradd source, status 9 is "user must not exist
>>>> in LDAP", so I assume from that that the workstation userid already exists?
>>>
>>>
>>> Turns out you are correct.  So, I deleted the 'user'="testfsclient$"
>>> from the ou=Computers, and retried, but it failed with the same error,
>>> and it re-created the user object.
>>>
>>> Any ideas how/why joining the domain is not fully working?
>>>
>>> Thanks,
>>>
>>> Jon
>>>
>> Jon
>>
>> A couple more things:
>> 1) smbldap-populate initializes the sambaGroupType for all the
>> S-1-5-32-* SIDs to 5.  This is incorrect.  It should be 4, but this
>> probably isn't causing this issue.
>> 2) I think that root needs to be in the Domain Admins group in order
>> to join a machine to the domain, not the Administrators group which is
>> a local group.  At least that is how I am set up.
>> 3) Depending on the details of your implementation you may not need to
>> use smbldap-tools at all.  Have a look at the ldapsam:editposix and
>> ldapsam:trusted on the smb.conf man page.  Note that using
>> ldapsam:editposix is one case where winbind is required on a Samba PDC.
>>
>> Mike
>>
>>
>> ----------------------------------------------------------------
>> This message was sent using IMP, the Internet Messaging Program.
>>
>> --
>> To unsubscribe from this list go to the following URL and read the
>> instructions:  https://lists.samba.org/mailman/options/samba
>>
>>
>
> Daniel
>
> Exactly how did ldapsam:editposix not "work right"?
>
> I thought that the smb.conf man page described things well enough.
>
> I have converted my test set up from using smbldap-tools to using
> ldapsam:posixedit and so far it is doing everything that I was using
> smbldap-tools for correctly.  I am using the SerNet 3.5.6 RPMs.
>
> Mike
>
>
>
>
Daniel

From a working smbldap-tools configuration all I did was comment out
the "script" options in smb.conf and add ldapsam:editposix = yes.

So all the relevant options for me would be:

# LDAP Configuration
passdb backend = ldapsam:"ldap://127.0.0.1"
ldapsam:trusted = yes
ldapsam:editposix = yes
ldap ssl = off
ldap suffix = dc=example,dc=com
ldap machine suffix = ou=Computers,ou=Users
ldap user suffix = ou=People,ou=Users
ldap group suffix = ou=Groups
ldap admin dn = cn=sambaadmin,dc=example,dc=com

# Winbind/Idmap
idmap backend = ldap:ldap://127.0.0.1
ldap idmap suffix = ou=Idmap
idmap uid = 10000-20000
idmap gid = 10000-20000

I have nss_ldap set up and you must run Winbind as Idmap is used to
allocate UIDs for new accounts/machines.  I use LAM to do user admin
so editposix is really only being used to join machines to the domain
and for users to change their passwords.  But with these functions I
have had no issues so far.

Mike
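As an added example (not code from the thread, Samba or smbldap-tools), the script below turns the checks discussed above into a small audit: it parses an smb.conf fragment modelled on Mike's editposix configuration and LDIF-style group records in the shape smbldap-groupshow prints, then reports the three things the thread calls out: ldapsam:editposix without ldapsam:trusted or a usable idmap range, S-1-5-32-* builtin groups carrying sambaGroupType 5 instead of 4, and root missing from the Domain Admins group (the thread's own explanation for the "user name could not be found" join failure). The smb.conf text, the LDIF records and the domain SID are constructed for the example; the function names are the example's own.

```python
"""Audit an ldapsam:editposix setup for the pitfalls raised in the thread.

Hypothetical example code, not part of Samba or smbldap-tools. Both inputs
below are constructed inline so the script runs offline.
"""
import re

# Constructed smb.conf fragment modelled on the configuration in the thread.
SMB_CONF = """
[global]
# LDAP Configuration
passdb backend = ldapsam:"ldap://127.0.0.1"
ldapsam:trusted = yes
ldapsam:editposix = yes
ldap suffix = dc=example,dc=com
ldap admin dn = cn=sambaadmin,dc=example,dc=com
# Winbind/Idmap
idmap backend = ldap:ldap://127.0.0.1
ldap idmap suffix = ou=Idmap
idmap uid = 10000-20000
idmap gid = 10000-20000
"""

# Constructed LDIF records in the shape smbldap-groupshow prints. The
# Administrators entry carries the sambaGroupType 5 that smbldap-populate
# writes; the domain SID is a placeholder.
GROUP_LDIF = """
dn: cn=Administrators,ou=Groups,dc=example,dc=com
sambaSID: S-1-5-32-544
sambaGroupType: 5
memberUid: jdetert,root

dn: cn=Domain Admins,ou=Groups,dc=example,dc=com
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-512
sambaGroupType: 2
memberUid: jdetert
"""

SID_NAME_ALIAS = 4  # local/builtin group; what S-1-5-32-* entries should carry


def parse_smb_conf(text):
    """Return {parameter: value} for 'key = value' lines, skipping comments
    and section headers; names are lower-cased and whitespace-normalised."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[":
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[" ".join(key.lower().split())] = value.strip()
    return params


def parse_ldif(text):
    """Split LDIF text into one {attribute: value} dict per blank-line-separated entry."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def check_editposix_conf(params):
    """Findings for the smb.conf prerequisites the thread mentions."""
    findings = []
    if params.get("ldapsam:editposix", "no").lower() != "yes":
        return findings  # nothing to check unless editposix is in use
    if params.get("ldapsam:trusted", "no").lower() != "yes":
        findings.append("ldapsam:editposix is set but ldapsam:trusted is not yes")
    if not params.get("idmap backend", "").startswith("ldap:"):
        findings.append("editposix allocates IDs via winbind's idmap; idmap backend should be ldap:...")
    for key in ("idmap uid", "idmap gid"):
        rng = params.get(key, "")
        if not re.fullmatch(r"\d+-\d+", rng):
            findings.append("%s must be a range like 10000-20000 (got %r)" % (key, rng))
    return findings


def check_group_entries(entries):
    """Findings for the group-mapping points raised in the thread."""
    findings = []
    for e in entries:
        sid, gtype = e.get("sambaSID", ""), e.get("sambaGroupType", "")
        members = set(filter(None, e.get("memberUid", "").split(",")))
        if sid.startswith("S-1-5-32-") and gtype != str(SID_NAME_ALIAS):
            findings.append("%s: builtin SID %s has sambaGroupType %s, expected %d"
                            % (e["dn"], sid, gtype, SID_NAME_ALIAS))
        if sid.endswith("-512") and "root" not in members:  # RID 512 = Domain Admins
            findings.append("%s: root is not a member of Domain Admins, so it cannot join machines"
                            % e["dn"])
    return findings


if __name__ == "__main__":
    for f in check_editposix_conf(parse_smb_conf(SMB_CONF)) + check_group_entries(parse_ldif(GROUP_LDIF)):
        print("WARNING:", f)
```

On a real server the same checks can be fed with `testparm -s` output for the first parser and `smbldap-groupshow` (or an ldapsearch of the group suffix) for the second; the parsers deliberately accept the plain `key: value` and `key = value` shapes those tools emit.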


