[Samba] Replacement pdc samba3 to samba4 nt classic
Rowland Penny
rpenny at samba.org
Mon Oct 10 14:20:43 UTC 2016
On Mon, 10 Oct 2016 17:42:54 +0500
Gavrilov Aleksey via samba <samba at lists.samba.org> wrote:
> The migration was carried out because the old server broke down. After
> setting up the new server, adding Windows PCs to the domain stopped
> working.
>
> root at pdc:/var/log/samba# cat /etc/samba/smb.conf
>
> [global]
> # Default options
> allow nt4 crypto = yes
> client ntlmv2 auth = no
> disable spoolss = yes
> dns proxy = no
> dont descend = ./lost+found
> guest account = nobody
> hide files = /.*/lost+found/
> hide unreadable = yes
> idmap gid = 10000-30000
> idmap uid = 10000-30000
> invalid users = root bin daemon adm sync shutdown halt mail news uucp proxy www-data backup sshd
> ldap admin dn = "cn=admin,dc=rugion,dc=ru"
> ldap delete dn = no
> ldap group suffix = ou=groups
> ldap machine suffix = ou=computers
> ldap passwd sync = yes
> ldap ssl = off
> ldap suffix = ou=arkhangelsk,dc=rugion,dc=ru
> ldap user suffix = ou=users
> load printers = no
> locking = yes
> log file = /var/log/samba/log.%m
> # log level = 4
> logon home =
> logon path =
> logon script = \\PDC\netlogon\logon.bat
> map to guest = Bad User
> max log size = 1000
> obey pam restrictions = yes
> pam password change = yes
> panic action = /usr/share/samba/panic-action %d
> passdb backend = ldapsam:ldap://127.0.0.1/ ldapsam:trusted=yes ldapsam:editposix=yes
> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
> passwd program = /usr/bin/passwd %u
> printcap name = /dev/null
> printing = bsd
> require strong key = no
> server role = classic primary domain controller
> server string = %h file server
> show add printer wizard = no
> smb2 leases = yes
> syslog = 0
> template shell = /bin/bash
> unix charset = UTF8
> unix password sync = yes
> use sendfile = yes
> usershare allow guests = yes
> # wins server = 192.168.29.17
> wins support = yes
> workgroup = corp.29.ru
> netbios name = pdc
> local master = yes
> os level = 255
> domain master = yes
> domain logons = yes
> preferred master = auto
> #local master = yes
> add user script = /usr/sbin/smbldap-useradd -m '%u' -t 1
> rename user script = /usr/sbin/smbldap-usermod -r '%unew' '%uold'
> delete user script = /usr/sbin/smbldap-userdel '%u'
> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
> add group script = /usr/sbin/smbldap-groupadd -p '%g'
> delete group script = /usr/sbin/smbldap-groupdel '%g'
> add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
> delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
> add machine script = /usr/sbin/smbldap-useradd -w '%u' -t 1
>
> # add machine script = /usr/local/sbin/ldapaddmachine '%u' nt_computers
> # add user script = /usr/local/sbin/ldapadduser '%u' nt_users
> # add group script = /usr/local/sbin/ldapaddgroup '%g'
> # add user to group script = /usr/local/sbin/ldapaddusertogroup '%u' '%g'
> # delete user script = /usr/local/sbin/ldapdeleteuser '%u'
> # delete group script = /usr/local/sbin/ldapdeletegroup '%g'
> # delete user from group script = /usr/local/sbin/ldapdeleteuserfromgroup '%u' '%g'
> # set primary group script = /usr/local/sbin/ldapsetprimarygroup '%u' '%g'
> # rename user script = /usr/local/sbin/ldaprenameuser '%uold' '%unew'
>
>
>
> [netlogon]
> comment = netlogon share
> create mask = 0660
> directory mask = 0770
> guest ok = no
> inherit acls = yes
> inherit owner = yes
> inherit permissions = yes
> locking = no
> map acl inherit = yes
> path = /srv/samba/netlogon
> read list = @nt_users
> read only = No
> write list = @nt_admin
>
> root at pdc:/var/log/samba# cat /etc/smbldap-tools/smbldap.conf
> SID="S-1-5-21-1997676671-1552059010-3109710481"
> sambaDomain="CORP.29.RU"
> ldapTLS="0"
> masterLDAP="127.0.0.1"
> masterPort="389"
> suffix="ou=arkhangelsk,dc=rugion,dc=ru"
> sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
> userSmbHome=
> userProfile=
> userHomeDrive=
> userScript=//pdc/netlogon/logon.bat
> mailDomain="corp.29.ru"
> defaultComputerGid="515"
> defaultUserGid="513"
>
>
>
> root at pdc:/var/log/samba# smbldap-populate
> Populating LDAP directory for domain CORP.29.RU
> (S-1-5-21-1997676671-1552059010-3109710481)
> (using builtin directory structure)
>
> Use of uninitialized value $prefix in substitution (s///) at
> /usr/local/sbin/smbldap-populate line 175.
> Use of uninitialized value $prefix in split at
> /usr/local/sbin/smbldap-populate line 178.
> entry ou=arkhangelsk,dc=rugion,dc=ru already exist.
> entry ou=users,ou=arkhangelsk,dc=rugion,dc=ru already exist.
> entry ou=groups,ou=arkhangelsk,dc=rugion,dc=ru already exist.
> entry ou=computers,ou=arkhangelsk,dc=rugion,dc=ru already exist.
> entry sambaDomainName=CORP.29.RU,ou=arkhangelsk,dc=rugion,dc=ru
> already exist. Updating it...
> entry uid=root,ou=users,ou=arkhangelsk,dc=rugion,dc=ru already exist.
> entry uid=nobody,ou=users,ou=arkhangelsk,dc=rugion,dc=ru already exist.
> entry cn=Domain Admins,ou=groups,ou=arkhangelsk,dc=rugion,dc=ru already exist.
> entry cn=Domain Users,ou=groups,ou=arkhangelsk,dc=rugion,dc=ru
> already exist.
> entry cn=Domain Guests,ou=groups,ou=arkhangelsk,dc=rugion,dc=ru
> already exist.
> entry cn=Domain Computers,ou=groups,ou=arkhangelsk,dc=rugion,dc=ru
> already exist.
> entry cn=Administrators,ou=groups,ou=arkhangelsk,dc=rugion,dc=ru
> already exist.
> entry cn=Account Operators,ou=groups,ou=arkhangelsk,dc=rugion,dc=ru
> already exist.
> entry cn=Print Operators,ou=groups,ou=arkhangelsk,dc=rugion,dc=ru
> already exist.
> entry cn=Backup Operators,ou=groups,ou=arkhangelsk,dc=rugion,dc=ru
> already exist.
> entry cn=Replicators,ou=groups,ou=arkhangelsk,dc=rugion,dc=ru already
> exist.
>
> Please provide a password for the domain root:
> /usr/local/sbin/smbldap-passwd: user root doesn't exist
>
>
> root at pdc:/var/log/samba# smbldap-config
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> smbldap-tools script configuration
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Before starting, check
> . if your samba controller is up and running.
> . if the domain SID is defined (you can get it with the 'net
> getlocalsid')
>
> . you can leave the configuration using the Ctrl-c key combination
> . empty value can be set with the "." character
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
>
>
> root at pdc:/var/log/samba# net getlocalsid
> smbldap_search_domain_info: Got too many (3) domain info entries for
> domain CORP.29.RU
> pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to
> the domain. We cannot work reliably without it.
> pdb backend ldapsam:ldap://127.0.0.1/ did not correctly init (error
> was NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
> WARNING: Could not open passdb
>
> root at pdc:/var/log/samba# net rpc join -S pdc -U admin%secret
> Failed to join domain: failed to lookup DC info for domain
> 'CORP.29.RU' over rpc: The connection was refused
> You have new mail in /var/mail/root
> root at pdc:/var/log/samba#
>
>
> How do I introduce a new PDC in a domain?
>
A couple of things spring to mind here. The first is that you seem to be
using a REALM name as a workgroup name, i.e. you have 'corp.29.ru' and
it should be something like 'corp'. Secondly, you have these lines:
ldapsam:trusted=yes
ldapsam:editposix=yes
You also have lines that refer to smbldap-tools; you don't need
smbldap-tools if you use the above two lines, see 'man smb.conf' for
more info.
Rowland