[Samba] PDC with openldap

Joern Adomeit sambapdc at gmx.de
Fri Jul 4 05:47:54 MDT 2014


Hi,

I'm new here and I've got a problem. OK this is evident.

Running OpenSuSE 13.1 as SAMBA4-PDC with openLdap-backend. All from SuSE Repos.

Works fine except joining a Windows client to the domain. This also means no shared profiles.

I'm able to use the shares from the PDC on the windows-clients. User- and group-permissions are working.


smb.conf:


[global]
    workgroup = BIH
    name resolve order = bcast host lmhosts wins
    dns forwarder = xxx.xxx.xxx.xxx
    log file = /var/log/samba/log.%m
    max log size = 50
    debug level = 10
    debug pid = Yes
    bind interfaces only = yes
    passdb backend = ldapsam:ldap://gen.hhi.hamburg.de
    printing = cups
    printcap name = cups
    printcap cache time = 750
    cups options = raw
    map to guest = Bad User
    logon path = \\%L\profiles\.msprofile
    logon home = \\%L\%U\.9xprofile
    logon drive = P:
    usershare allow guests = Yes
    add machine script = /sbin/yast /usr/share/YaST2/data/add_machine.rb %m$
    domain logons = Yes
    domain master = Yes
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap machine suffix = ou=Machines
    ldap passwd sync = Yes
    ldap user suffix = ou=Users
    local master = Yes
    os level = 65
    preferred master = Yes
    security = user
    usershare max shares = 100
    wins support = Yes
    idmap backend = ldap:ldap://gen.hhi.hamburg.de
    ldap suffix = dc=hhi,dc=hamburg,dc=de
    ldap admin dn = cn=Administrator,dc=hhi,dc=hamburg,dc=de

[homes]
    comment = Home Directories
    valid users = %S, %D%w%S
    browseable = No
    read only = No
    inherit acls = Yes

[profiles]
    comment = Network Profiles Service
    path = %H
    read only = No
    store dos attributes = Yes
    create mask = 0600
    directory mask = 0700

[users]
    comment = All users
    path = /home
    read only = No
    inherit acls = Yes
    veto files = /aquota.user/groups/shares/

[groups]
    comment = All groups
    path = /home/groups
    read only = No
    inherit acls = Yes

...

[netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    write list = root

[public]
    comment = public samba folder
    guest ok = Yes
    inherit acls = Yes
    path = /home/samba/public
    read only = Yes




Communication between PDC and Ldaps-Server works. Samba passwords from the users are used properly.

The machine account was added as an LDIF from an old and still working Samba 3 server, because smbldap is not in the SuSE repos. Adduser creates machine accounts only in /etc/passwd and shadow, not in the LDAP.



bremen.ldif:


# bremen$, Machines,hhi.hamburg.de
dn: uid=bremen$,ou=Machines,dc=hhi,dc=hamburg,dc=de
sambaLMPassword: XXXXXXXXXXXXXXXXXX
sambaPrimaryGroupSID: S-1-5-21-XXXXXXXXXXXXXXXX-1201
givenName: bremen
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: sambaSamAccount
userPassword:: XXXXXXXXXXXXXXXXXXXXX
uid: bremen$
uidNumber: 1002
cn: bremen
sambaPwdLastSet: 1401797671
loginShell: /bin/bash
sambaAcctFlags: [U ]
gidNumber: 100
sambaPwdMustChange: 2147483647
sambaNTPassword: XXXXXXXXXXXXXXXXXX
sambaPwdCanChange: 1401797671
sambaSID: S-1-5-21-XXXXXXXXXXXXXXXXXX-3004
homeDirectory: /dev/null
sn: machine


Trying to join leads to an error message about an existing account.

If the ldap-entry is deleted, the client complains that this account didn't exist in the domain.

So, they are talking with each other.



Wireshark shows all involved machines communicating


/var/log/samba/log.bremen ends with:


[2014/06/13 16:12:30.005919, 10, pid=48495, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:2499(smbd_smb2_request_done_ex)
   smbd_smb2_request_done_ex: idx[1] status[NT_STATUS_OK] body[4] dyn[no:0] at ../source3/smbd/smb2_sesssetup.c:793
[2014/06/13 16:12:30.005955, 10, pid=48495, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:874(smb2_set_operation_credit)
   smb2_set_operation_credit: requested 1, charge 1, granted 1, current possible/max 482/512, total granted/max/low/range 31/8192/41/31
[2014/06/13 16:12:30.006589, 10, pid=48495, effective(0, 0), real(0, 0)] ../source3/smbd/smb2_server.c:1002(smbd_server_connection_terminate_ex)
   smbd_server_connection_terminate_ex: reason[NT_STATUS_CONNECTION_RESET] at ../source3/smbd/smb2_server.c:3293
[2014/06/13 16:12:30.006660,  4, pid=48495, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2014/06/13 16:12:30.006694,  5, pid=48495, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug)
   Security token: (NULL)
[2014/06/13 16:12:30.006723,  5, pid=48495, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:528(debug_unix_user_token)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
[2014/06/13 16:12:30.006774,  5, pid=48495, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:425(smbd_change_to_root_user)
   change_to_root_user: now uid=(0,0) gid=(0,0)
[2014/06/13 16:12:30.006812,  4, pid=48495, effective(0, 0), real(0, 0)] ../source3/smbd/sec_ctx.c:316(set_sec_ctx)
   setting sec ctx (0, 0) - sec_ctx_stack_ndx = 0
[2014/06/13 16:12:30.006842,  5, pid=48495, effective(0, 0), real(0, 0)] ../libcli/security/security_token.c:53(security_token_debug)
   Security token: (NULL)
[2014/06/13 16:12:30.006870,  5, pid=48495, effective(0, 0), real(0, 0)] ../source3/auth/token_util.c:528(debug_unix_user_token)
   UNIX token of user 0
   Primary group is 0 and contains 0 supplementary groups
[2014/06/13 16:12:30.006913,  5, pid=48495, effective(0, 0), real(0, 0)] ../source3/smbd/uid.c:425(smbd_change_to_root_user)
   change_to_root_user: now uid=(0,0) gid=(0,0)
[2014/06/13 16:12:30.006953,  5, pid=48495, effective(0, 0), real(0, 0)] ../source3/lib/messages.c:340(messaging_deregister)
   Deregistering messaging pointer for type 1536 - private_data=0x7f5a2f0fdc30
[2014/06/13 16:12:30.007051,  3, pid=48495, effective(0, 0), real(0, 0)] ../source3/smbd/server_exit.c:212(exit_server_common)
   Server exit (NT_STATUS_CONNECTION_RESET)

He just said bye.




I can't find any report that Samba 4 is running as a PDC with an OpenLDAP backend and allowing Windows clients to join and use roaming profiles.

Did anyone figure out how to do it?


As far as I understood, only AD servers need the Samba-internal LDAP.

Any help would be fantastic.


Ciao
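An added example, not part of the original post and not code from the Samba project: a small Python checker that parses an LDIF entry shaped like bremen.ldif above and reports the properties Samba's ldapsam backend expects of a workstation trust account (the account a domain join authenticates with). The sample entry, the domain SID and the NT hash value are constructed placeholders; the account name bremen$ and the attribute layout follow the post. The one check most worth knowing about: Samba marks machine accounts with the W flag in sambaAcctFlags, whereas the U flag denotes an ordinary user account, so an entry copied from a user template carries the wrong kind of account.

```python
"""Sanity-check an NT4-style Samba (ldapsam) machine account entry in LDIF.

Added example; not from the original post or from Samba itself.
"""
import base64
import re

# Assumption: the post masks its domain SID, so a constructed one is used here.
DOMAIN_SID = "S-1-5-21-111-222-333"

# Constructed sample modelled on bremen.ldif from the post.
# userPassword is base64 "{SSHA}placeholder"; the NT hash is a dummy hex string.
SAMPLE_LDIF = """\
# bremen$, Machines, constructed example
dn: uid=bremen$,ou=Machines,dc=example,dc=org
sambaPrimaryGroupSID: S-1-5-21-111-222-333-1201
givenName: bremen
objectClass: top
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: sambaSamAccount
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=
uid: bremen$
uidNumber: 1002
cn: bremen
sambaPwdLastSet: 1401797671
loginShell: /bin/bash
sambaAcctFlags: [U ]
gidNumber: 100
sambaNTPassword: 0123456789abcdef0123456789abcdef
sambaSID: S-1-5-21-111-222-333-3004
homeDirectory: /dev/null
sn: machine
"""


def parse_ldif(text):
    """Parse a single-entry LDIF into {attr: [values]} with lower-cased attribute
    names. Handles comment lines, folded continuation lines (leading space) and
    base64 values written as 'attr:: <base64>'."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of the previous line
        else:
            unfolded.append(raw)
    entry = {}
    for line in unfolded:
        if not line.strip() or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z][\w;-]*)(::?)\s*(.*)$", line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, value = m.group(1).lower(), m.group(2), m.group(3)
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        entry.setdefault(attr, []).append(value)
    return entry


def check_machine_account(entry, domain_sid=DOMAIN_SID):
    """Return the list of problems that would stop this entry from acting as a
    workstation trust account; an empty list means every check passed."""
    problems = []
    uid = entry.get("uid", [""])[0]
    if not uid.endswith("$"):
        problems.append("uid must end with '$' for a machine account")
    classes = {c.lower() for c in entry.get("objectclass", [])}
    for needed in ("sambasamaccount", "posixaccount"):
        if needed not in classes:
            problems.append(f"missing objectClass {needed}")
    sid = entry.get("sambasid", [""])[0]
    if not sid.startswith(domain_sid + "-"):
        problems.append(f"sambaSID {sid!r} is not in domain {domain_sid}")
    flags = entry.get("sambaacctflags", [""])[0]
    if "W" not in flags:
        problems.append(f"sambaAcctFlags {flags!r} lacks 'W' (workstation trust)")
    if "D" in flags:
        problems.append("account is disabled ('D' flag)")
    nthash = entry.get("sambantpassword", [""])[0]
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", nthash):
        problems.append("sambaNTPassword is not a 32-hex-digit NT hash")
    return problems


def as_workstation(flags):
    """Rewrite a sambaAcctFlags value to mark a workstation trust account:
    drop 'U', make sure 'W' is present, keep any other flags."""
    inner = flags.strip().strip("[]").replace(" ", "")
    letters = [c for c in inner if c != "U"]
    if "W" not in letters:
        letters.insert(0, "W")
    return "[" + "".join(letters) + " ]"


if __name__ == "__main__":
    entry = parse_ldif(SAMPLE_LDIF)
    for problem in check_machine_account(entry) or ["no problems found"]:
        print(problem)
    print("suggested flags:", as_workstation(entry["sambaacctflags"][0]))
```

Run against an export of the real entry (for example the output of an ldapsearch on the machine's DN) after substituting the domain's own SID for DOMAIN_SID; the checker only reads the entry and never modifies the directory.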



