[Samba] Replacement pdc samba3 to samba4 nt classic

Rowland Penny rpenny at samba.org
Mon Oct 10 14:20:43 UTC 2016


On Mon, 10 Oct 2016 17:42:54 +0500
Gavrilov Aleksey via samba <samba at lists.samba.org> wrote:

> The migration was done because the old server broke down. After setting
> up the new server, joining Windows PCs to the domain stopped working.
> 
> root at pdc:/var/log/samba# cat /etc/samba/smb.conf
> 
> [global]
>          # Default options
>          allow nt4 crypto               = yes
>          client ntlmv2 auth             = no
>          disable spoolss                = yes
>          dns proxy                      = no
>          dont descend                   = ./lost+found
>          guest account                  = nobody
>          hide files                     = /.*/lost+found/
>          hide unreadable                = yes
>          idmap gid                      = 10000-30000
>          idmap uid                      = 10000-30000
>          invalid users                  = root bin daemon adm sync shutdown halt mail news uucp proxy www-data backup sshd
>          ldap admin dn                  = "cn=admin,dc=rugion,dc=ru"
>          ldap delete dn                 = no
>          ldap group suffix              = ou=groups
>          ldap machine suffix            = ou=computers
>          ldap passwd sync               = yes
>          ldap ssl                       = off
>          ldap suffix                    = ou=arkhangelsk,dc=rugion,dc=ru
>          ldap user suffix               = ou=users
>          load printers                  = no
>          locking                        = yes
>          log file                       = /var/log/samba/log.%m
> #    log level = 4
>          logon home                     =
>          logon path                     =
>          logon script                   = \\PDC\netlogon\logon.bat
>          map to guest                   = Bad User
>          max log size                   = 1000
>          obey pam restrictions          = yes
>          pam password change            = yes
>          panic action                   = /usr/share/samba/panic-action %d
>          passdb backend                 = ldapsam:ldap://127.0.0.1/ ldapsam:trusted=yes
>      ldapsam:editposix=yes
>          passwd chat                    = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>          passwd program                 = /usr/bin/passwd %u
>          printcap name                  = /dev/null
>          printing                       = bsd
>          require strong key             = no
>          server role                    = classic primary domain controller
>          server string                  = %h file server
>          show add printer wizard        = no
>          smb2 leases                    = yes
>          syslog                         = 0
>          template shell                 = /bin/bash
>          unix charset                   = UTF8
>          unix password sync             = yes
>          use sendfile                   = yes
>          usershare allow guests         = yes
> #       wins server                    = 192.168.29.17
>      wins support = yes
>          workgroup                      = corp.29.ru
>      netbios name = pdc
>      local master = yes
>      os level = 255
>      domain master = yes
>      domain logons = yes
>      preferred master = auto
>      #local master = yes
>          add user script = /usr/sbin/smbldap-useradd -m '%u' -t 1
>          rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'
>          delete user script = /usr/sbin/smbldap-userdel '%u'
>          set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
>          add group script = /usr/sbin/smbldap-groupadd -p '%g'
>          delete group script = /usr/sbin/smbldap-groupdel '%g'
>          add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
>          delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
>          add machine script = /usr/sbin/smbldap-useradd -w '%u' -t 1
> 
> #    add machine script = /usr/local/sbin/ldapaddmachine '%u' nt_computers
> #    add user script = /usr/local/sbin/ldapadduser '%u' nt_users
> #    add group script = /usr/local/sbin/ldapaddgroup '%g'
> #    add user to group script = /usr/local/sbin/ldapaddusertogroup '%u' '%g'
> #    delete user script = /usr/local/sbin/ldapdeleteuser '%u'
> #    delete group script = /usr/local/sbin/ldapdeletegroup '%g'
> #    delete user from group script = /usr/local/sbin/ldapdeleteuserfromgroup '%u' '%g'
> #    set primary group script = /usr/local/sbin/ldapsetprimarygroup '%u' '%g'
> #    rename user script = /usr/local/sbin/ldaprenameuser '%uold' '%unew'
> 
> 
> 
> [netlogon]
>          comment                        = netlogon share
>          create mask                    = 0660
>          directory mask                 = 0770
>          guest ok                       = no
>          inherit acls                   = yes
>          inherit owner                  = yes
>          inherit permissions            = yes
>          locking                        = no
>          map acl inherit                = yes
>          path                           = /srv/samba/netlogon
>          read list                      = @nt_users
>          read only                      = No
>          write list                     = @nt_admin
> 
> root at pdc:/var/log/samba# cat /etc/smbldap-tools/smbldap.conf
> SID="S-1-5-21-1997676671-1552059010-3109710481"
> sambaDomain="CORP.29.RU"
> ldapTLS="0"
> masterLDAP="127.0.0.1"
> masterPort="389"
> suffix="ou=arkhangelsk,dc=rugion,dc=ru"
> sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
> userSmbHome=
> userProfile=
> userHomeDrive=
> userScript=//pdc/netlogon/logon.bat
> mailDomain="corp.29.ru"
> defaultComputerGid="515"
> defaultUserGid="513"
> 
> 
> 
> root at pdc:/var/log/samba# smbldap-populate
> Populating LDAP directory for domain CORP.29.RU 
> (S-1-5-21-1997676671-1552059010-3109710481)
> (using builtin directory structure)
> 
> Use of uninitialized value $prefix in substitution (s///) at 
> /usr/local/sbin/smbldap-populate line 175.
> Use of uninitialized value $prefix in split at 
> /usr/local/sbin/smbldap-populate line 178.
> entry ou=arkhangelsk,dc=rugion,dc=ru already exist.
> entry ou=users,ou=arkhangelsk,dc=rugion,dc=ru already exist.
> entry ou=groups,ou=arkhangelsk,dc=rugion,dc=ru already exist.
> entry ou=computers,ou=arkhangelsk,dc=rugion,dc=ru already exist.
> entry sambaDomainName=CORP.29.RU,ou=arkhangelsk,dc=rugion,dc=ru
> already exist. Updating it...
> entry uid=root,ou=users,ou=arkhangelsk,dc=rugion,dc=ru already exist.
> entry uid=nobody,ou=users,ou=arkhangelsk,dc=rugion,dc=ru already exist.
> entry cn=Domain Admins,ou=groups,ou=arkhangelsk,dc=rugion,dc=ru already exist.
> entry cn=Domain Users,ou=groups,ou=arkhangelsk,dc=rugion,dc=ru
> already exist.
> entry cn=Domain Guests,ou=groups,ou=arkhangelsk,dc=rugion,dc=ru
> already exist.
> entry cn=Domain Computers,ou=groups,ou=arkhangelsk,dc=rugion,dc=ru 
> already exist.
> entry cn=Administrators,ou=groups,ou=arkhangelsk,dc=rugion,dc=ru
> already exist.
> entry cn=Account Operators,ou=groups,ou=arkhangelsk,dc=rugion,dc=ru 
> already exist.
> entry cn=Print Operators,ou=groups,ou=arkhangelsk,dc=rugion,dc=ru 
> already exist.
> entry cn=Backup Operators,ou=groups,ou=arkhangelsk,dc=rugion,dc=ru 
> already exist.
> entry cn=Replicators,ou=groups,ou=arkhangelsk,dc=rugion,dc=ru already 
> exist.
> 
> Please provide a password for the domain root:
> /usr/local/sbin/smbldap-passwd: user root doesn't exist
> 
> 
> root at pdc:/var/log/samba# smbldap-config
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>         smbldap-tools script configuration
>         -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Before starting, check
>   . if your samba controller is up and running.
>   . if the domain SID is defined (you can get it with the 'net
> getlocalsid')
> 
>   . you can leave the configuration using the Ctrl-c key combination
>   . empty value can be set with the "." character
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> 
> 
> root at pdc:/var/log/samba# net getlocalsid
> smbldap_search_domain_info: Got too many (3) domain info entries for 
> domain CORP.29.RU
> pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to
> the domain. We cannot work reliably without it.
> pdb backend ldapsam:ldap://127.0.0.1/ did not correctly init (error
> was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
> WARNING: Could not open passdb
> 
> root at pdc:/var/log/samba# net rpc join -S pdc -U admin%secret
> Failed to join domain: failed to lookup DC info for domain
> 'CORP.29.RU' over rpc: The connection was refused
> You have new mail in /var/mail/root
> root at pdc:/var/log/samba#
> 
> 
> How do I introduce a new PDC in a domain?
> 

A couple of things spring to mind here. The first is that you seem to be
using a REALM name as the workgroup name, i.e. you have 'corp.29.ru' where
it should be something like 'corp'. Secondly, you have these lines:

     ldapsam:trusted=yes
     ldapsam:editposix=yes

You also have lines that refer to smbldap-tools; you don't need
smbldap-tools if you use the above two lines, see 'man smb.conf' for
more info.

Two further points from the output you posted. 'net getlocalsid' reports
three domain-info (sambaDomainName) entries for CORP.29.RU in LDAP, and
the passdb backend refuses to initialise (NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
while that is the case, so the duplicate domain entries have to be cleaned
up before a join can work at all. Also, 'allow nt4 crypto = yes',
'client ntlmv2 auth = no' and 'require strong key = no' deliberately
re-enable legacy, weak authentication; only keep them if you have clients
that genuinely need them, and remove them as soon as you can. Finally,
putting the password on the command line ('-U admin%secret') leaves it in
your shell history and visible to other users in the process list; use
'-U admin' and let 'net' prompt for it.

Rowland


