[Samba] Replacement pdc samba3 to samba4 nt classic

Harry Jede walk2sun at arcor.de
Wed Oct 12 11:16:06 UTC 2016


On Wednesday, 12 October 2016, you wrote:

> > # the structure of your DIT
> > # ldapsearch -xLLL -H ldapi:/// -b dc=rugion,dc=ru
> > hasSubordinates=TRUE dn
> 
> root at pdc:~# ldapsearch -xLLL -H ldapi:/// -b
> ou=arkhangelsk,dc=rugion,dc=ru hasSubordinates=TRUE dn
> dn: ou=arkhangelsk,dc=rugion,dc=ru
> 
> dn: ou=users,ou=arkhangelsk,dc=rugion,dc=ru
> 
> dn: ou=groups,ou=arkhangelsk,dc=rugion,dc=ru
> 
> dn: ou=computers,ou=arkhangelsk,dc=rugion,dc=ru
> 
> dn: ou=users.deleted,ou=arkhangelsk,dc=rugion,dc=ru

OK,
the structure is the same as referenced in smb.conf.


> > # the registered domains
> > # ldapsearch -xLLL -H ldapi:///
> > '(&(sambadomainname=*)(objectclass=sambadomain))' sambaDomainName
> > sambaSID
> 
> root at pdc:~# ldapsearch -xLLL -H ldapi:///
> '(&(sambadomainname=*)(objectclass=sambadomain))' sambaDomainName
> sambaSID No such object (32)

BAD,
here something like:
dn: sambaDomainName=EUROPA,dc=europa,dc=xx
sambaDomainName: EUROPA
sambaSID: S-1-5-21-3958726613-3318811842-4132420312
should be returned; we will fix it later.

Further down in this mail I saw that you do not have a defaultsearchbase
 in the OpenLDAP frontend, so try this:
# ldapsearch -xLLL -H ldapi:/// -b dc=rugion,dc=ru -s sub '(&(sambadomainname=*)(objectclass=sambadomain))' sambaDomainName sambaSID


> root at pdc:~# ldapsearch -xLLL -H ldapi:///
> '(objectclass=sambasamaccount)' -b  ou=arkhangelsk,dc=rugion,dc=ru
> sambaacctflags sambaSID
> dn: uid=root,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
> sambaAcctFlags: [U          ]
> sambaSID: S-1-5-21-1997676671-1552059010-3109710481-500
> 
> dn: uid=admin,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
> sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1001
> sambaAcctFlags: [U          ]
> 
> ...
You have shortened the output.
OK, the only thing I want to see is the domain SID:
S-1-5-21-1997676671-1552059010-3109710481

 
> > # the machines and or trust accounts
> > # ldapsearch -xLLL -H ldapi:///
> > '(&(cn=*$)(objectclass=sambasamaccount))' sambaacctflags sambaSID
> 
> root at pdc:~# ldapsearch -xLLL -H ldapi:///
> '(&(cn=*$)(objectclass=sambasamaccount))' sambaacctflags sambaSID
> No such object (32)
(OK),
you have not optimized the LDAP server, so you do not get
 any output without a search base, aka -b <DN>. You may set it in the
 frontend database. It should look like:

# grep -Hri defaultsearch /etc/ldap/slapd.d/*
/etc/ldap/slapd.d/cn=config/olcDatabase={-1}frontend.ldif:olcDefaultSearchBase: dc=europa,dc=xx

DO NOT EDIT cn=config BY HAND. USE THE LDAP* COMMANDS.


> root at pdc:~# ldapsearch -xLLL -H ldapi:///
> '(&(cn=*$)(objectclass=sambasamaccount))' -b
> ou=arkhangelsk,dc=rugion,dc=ru sambaacctflags sambaSID
> dn: uid=pdc$,ou=computers,ou=arkhangelsk,dc=rugion,dc=ru
> sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1015
> sambaAcctFlags: [S          ]
> 
> ...
You have shortened the output again. I am looking for your domain SID
 AND for DCs. So do it again, but this time pass a filter:
# ldapsearch -xLLL -H ldapi:/// '(&(cn=*$)(objectclass=sambasamaccount))' -b ou=arkhangelsk,dc=rugion,dc=ru sambaacctflags sambaSID |egrep -B3 '\[.*S.*\]'


> > # ls -l /var/lib/samba/
> 
> root at pdc:~# ls -l /var/lib/samba/
> total 1832
> -rw-------  1 root root       421888 Oct  7 16:02 account_policy.tdb
> -rw-------  1 root root          696 Oct  6 11:24 group_mapping.tdb
> drwxr-xr-x 10 root root         4096 Oct  6 11:24 printers
> drwxr-xr-x  3 root root         4096 Oct  7 11:10 private
> -rw-------  1 root root       528384 Oct  6 11:24 registry.tdb
> -rw-------  1 root root       421888 Oct  6 11:24 share_info.tdb
> drwxrwx--T  2 root sambashare   4096 Oct  6 11:24 usershares
> -rw-------  1 root root        32768 Oct 11 11:19 winbindd_cache.tdb
> -rw-r--r--  1 root root       421888 Oct 10 11:48 winbindd_idmap.tdb
> drwxr-x---  2 root root         4096 Oct 11 11:19 winbindd_privileged
> -rw-r--r--  1 root root         2496 Oct 12 07:45 wins.dat
> -rw-------  1 root root        24576 Oct 12 07:39 wins.tdb

BAD,
you do not have a secrets.tdb database!!!

If you have one, the important records look like:

# tdbdump /var/lib/samba/secrets.tdb |egrep -B1 -A2 'IDMAP_LDAP|LDAP_BIND'
{
key(53) = "SECRETS/GENERIC/IDMAP_LDAP_*/cn=admin,dc=europa,dc=xx"
data(6) = "your_secret\00"
}
--
{
key(45) = "SECRETS/LDAP_BIND_PW/cn=admin,dc=europa,dc=xx"
data(6) = "your_secret\00"
}


The first changes: set the secrets.
a) the secret for the LDAP admin specified in smb.conf: cn=admin,dc=rugion,dc=ru
   I hope you know it. Whenever you change the secret in LDAP, you *must*
   change it here as well.

# smbpasswd -W

b)

### net IDMAP SECRET <DOMAIN> <secret>
<DOMAIN> is the NetBIOS domain name, aka the WORKGROUP parameter from smb.conf
<SECRET> is the same as above
e.g.

# net idmap secret CORP.29.RU yourLdapAdminPassword


check if both succeeded with:
# tdbdump /var/lib/samba/secrets.tdb |egrep -B1 -A2 'IDMAP_LDAP|LDAP_BIND'

if true,

set the domainsid:
# net setdomainsid S-1-5-21-1997676671-1552059010-3109710481

and verify it:
# net getdomainsid
SID for local machine CAPELLA is: S-1-5-21-3958726613-3318811842-4132420312
SID for domain EUROPA is: S-1-5-21-3958726613-3318811842-4132420312

You *must* get two records with the same SID: one for your PDC and one for the
 domain.


If all is OK, restart samba *and* winbind, or better, reboot. But changing passwords
 through PAM is still *not configured*. Read further.


> > # cat /etc/nsswitch.conf
> 
> root at pdc:~# cat /etc/nsswitch.conf
> 
> ethers: db files
> group: compat ldap winbind
> hosts: files dns
> netgroup: nis
> networks: files
> passwd: compat ldap winbind
> protocols: db files
> rpc: db files
> services: db files
> shadow: compat
> 
> > # cat /etc/pam_ldap.conf |egrep -v '^#|^$'
> 
> root at pdc:~# cat /etc/pam_ldap.conf |egrep -v '^#|^$'
> cat: /etc/pam_ldap.conf: No such file or directory

# yours may have:
host 127.0.0.1
base ou=arkhangelsk,dc=rugion,dc=ru
uri ldap://127.0.0.1/
ldap_version 3
rootbinddn cn=admin,dc=rugion,dc=ru
scope sub
bind_policy soft
pam_password exop


> root at pdc:~# cat /etc/ldap.conf |egrep -v '^#|^$'
> host                127.0.0.1
> base                ou=arkhangelsk,dc=rugion,dc=ru
> ldap_version        3
> port                389
> scope               one
> timelimit           30
> bind_policy         soft
> idle_timelimit      3600
> pam_password        md5
> nss_base_passwd     ou=users,ou=arkhangelsk,dc=rugion,dc=ru?one
> nss_base_group      ou=groups,ou=arkhangelsk,dc=rugion,dc=ru?one
> nss_base_passwd     ou=computers,ou=arkhangelsk,dc=rugion,dc=ru?one
> nss_base_shadow     ou=users,ou=arkhangelsk,dc=rugion,dc=ru?one
> nss_connect_policy  persist
> nss_paged_results   yes
> pagesize            1000
> 
> > # ls -l /etc/pam_ldap.secret
> 
> root at pdc:~# ls -l /etc/pam_ldap.secret
> ls: cannot access '/etc/pam_ldap.secret': No such file or directory
I am not an Ubuntu user but a Debian user :-). Ubuntu is a derivative,
 so it should or may work like Debian. So you should have installed
 and configured libpam-ldap and libnss-ldap. If so:

# echo -n 'yourLdapAdminPassword' > /etc/pam_ldap.secret
# chmod 600 /etc/pam_ldap.secret

The rest looks good. I hope you are fine now.
 
> > # cat /etc/pam.d/common-account|egrep -v '^#|^$'
> 
> root at pdc:~# cat /etc/pam.d/common-account|egrep -v '^#|^$'
> account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
> account [success=1 default=ignore]      pam_ldap.so
> account requisite                       pam_deny.so
> account required                        pam_permit.so
> 
> > # cat /etc/pam.d/common-auth|egrep -v '^#|^$'
> 
> root at pdc:~# cat /etc/pam.d/common-auth|egrep -v '^#|^$'
> auth    [success=2 default=ignore]      pam_unix.so nullok_secure
> try_first_pass
> auth    [success=1 default=ignore]      pam_ldap.so use_first_pass
> auth    requisite                       pam_deny.so
> auth    required                        pam_permit.so
> 
> > # cat /etc/pam.d/common-password|egrep -v '^#|^$'
> 
> root at pdc:~# cat /etc/pam.d/common-password|egrep -v '^#|^$'
> password        requisite                       pam_cracklib.so
> reject_username retry=3 minlen=18 difok=3 maxrepeat=2 minclass=4
> lcredit=0 ucredit=2 dcredit=1 ocredit=1
> password        required                        pam_pwhistory.so
> use_authtok enforce_for_root remember=5
> password        [success=2 default=ignore]      pam_unix.so obscure
> use_authtok try_first_pass sha512
> password        [success=1 user_unknown=ignore default=die]
> pam_ldap.so use_authtok try_first_pass
> password        requisite                       pam_deny.so
> password        required                        pam_permit.so
> 
> > # cat /etc/pam.d/common-session|egrep -v '^#|^$'
> 
> root at pdc:~# cat /etc/pam.d/common-session|egrep -v '^#|^$'
> session [default=1]                     pam_permit.so
> session requisite                       pam_deny.so
> session required                        pam_permit.so
> session optional                        pam_umask.so
> session required        pam_unix.so
> session optional                        pam_ldap.so
> session optional        pam_systemd.so


-- 

Regards
	Harry Jede
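Added example (not part of the mail above, and not Samba's or the list's own code): the SID consistency check the reply walks through by hand, as a POSIX shell script. It derives the domain SID from the account SIDs in LDAP (trailing RID stripped), checks that all accounts agree on one domain SID, that `net getdomainsid` prints two records (local machine and domain) with one and the same SID, and that both sides match. The LDIF and `net getdomainsid` output below are constructed sample data modelled on what was quoted in the thread, so the script runs without an LDAP server or Samba; on a real PDC you would feed it live `ldapsearch -xLLL ... sambaSID` and `net getdomainsid` output as shown in the comment.

```sh
#!/bin/sh
# Added example: offline consistency check of the domain SID.
# Live use on the PDC (assumes the search base from the thread):
#   check_domain_sid "$(ldapsearch -xLLL -H ldapi:/// -b ou=arkhangelsk,dc=rugion,dc=ru \
#                       '(objectclass=sambasamaccount)' sambaSID)" "$(net getdomainsid)"

# Domain SID of one account SID: drop the trailing RID (-500, -1001, -1015, ...).
domain_sid_of() {
    printf '%s\n' "$1" | sed 's/-[0-9][0-9]*$//'
}

# Distinct domain SIDs derived from every sambaSID in LDIF on stdin.
# A healthy domain yields exactly one line.
ldif_domain_sids() {
    sed -n 's/^sambaSID: *//p' | sed 's/-[0-9][0-9]*$//' | sort -u
}

# Distinct SIDs in `net getdomainsid` output on stdin. Exactly one is expected.
getdomainsid_sids() {
    sed -n 's/^SID for .* is: *//p' | sort -u
}

# Number of lines on stdin (0 for empty input, unlike `wc -l` on unterminated text).
count_lines() {
    awk 'END { print NR }'
}

# Returns 0 when all accounts share one domain SID, `net getdomainsid` shows two
# records (local machine and domain) with a single SID, and both agree. Else 1.
check_domain_sid() {
    ldif=$1
    getsid=$2
    from_ldap=$(printf '%s' "$ldif" | ldif_domain_sids)
    from_net=$(printf '%s' "$getsid" | getdomainsid_sids)
    records=$(printf '%s' "$getsid" | sed -n '/^SID for /p' | count_lines)

    if [ "$(printf '%s' "$from_ldap" | count_lines)" != 1 ]; then
        echo "BAD: accounts in LDAP do not share a single domain SID:" >&2
        printf '%s\n' "$from_ldap" >&2
        return 1
    fi
    if [ "$records" != 2 ] || [ "$(printf '%s' "$from_net" | count_lines)" != 1 ]; then
        echo "BAD: net getdomainsid must print two records with the same SID" >&2
        return 1
    fi
    if [ "$from_ldap" != "$from_net" ]; then
        echo "BAD: LDAP domain SID $from_ldap != secrets.tdb domain SID $from_net" >&2
        echo "     fix with: net setdomainsid $from_ldap" >&2
        return 1
    fi
    echo "OK: domain SID $from_ldap is consistent between LDAP and secrets.tdb"
}

# Constructed sample data, modelled on the ldapsearch output quoted in the thread.
SAMPLE_ACCOUNTS='dn: uid=root,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
sambaAcctFlags: [U          ]
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-500

dn: uid=admin,ou=users,ou=arkhangelsk,dc=rugion,dc=ru
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1001
sambaAcctFlags: [U          ]

dn: uid=pdc$,ou=computers,ou=arkhangelsk,dc=rugion,dc=ru
sambaSID: S-1-5-21-1997676671-1552059010-3109710481-1015
sambaAcctFlags: [S          ]'

# Constructed `net getdomainsid` output after `net setdomainsid` was run (good case).
SAMPLE_GETDOMAINSID='SID for local machine PDC is: S-1-5-21-1997676671-1552059010-3109710481
SID for domain CORP.29.RU is: S-1-5-21-1997676671-1552059010-3109710481'

# Constructed bad case: secrets.tdb still holds a freshly generated SID.
SAMPLE_GETDOMAINSID_STALE='SID for local machine PDC is: S-1-5-21-3958726613-3318811842-4132420312
SID for domain CORP.29.RU is: S-1-5-21-3958726613-3318811842-4132420312'

check_domain_sid "$SAMPLE_ACCOUNTS" "$SAMPLE_GETDOMAINSID"
check_domain_sid "$SAMPLE_ACCOUNTS" "$SAMPLE_GETDOMAINSID_STALE" || echo "(stale SID detected, as expected)"
```

The stale case is the situation the mail describes: a PDC without secrets.tdb generates a new SID on start, so every account SID in LDAP belongs to a domain the machine no longer claims, and logons fail until `net setdomainsid` puts the LDAP domain SID back.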

