[Samba] Failed to find sambaDomain object to get sambaAlgorithmicRidBase

Bernard Fay bernard.fay at gmail.com
Fri Sep 30 12:50:20 UTC 2016


I didn't use smbldap-populate. I used ldif files to add groups to LDAP with
ldapadd.

You have rather good questions, NT4 or AD style, I don't know.  I am a Unix
guy with very little knowledge of Windows stuff and I try to stay away from it
as much as I can. I have been asked to set up a new LDAP directory with
Samba passwords stored in this LDAP directory.

I base my work on an actual LDAP and Samba server that is working in our
environment.  This server has role ROLE_STANDALONE.  I also use recipes found
on the Internet.

If you can point me to a recipe for an AD DC, I will try it. But what is
the actual difference between both?

I am also seriously thinking about splitting LDAP and Samba, with no integration at
all between the two.

Thanks,


On Fri, Sep 30, 2016 at 8:22 AM, Rowland Penny via samba <
samba at lists.samba.org> wrote:

> On Fri, 30 Sep 2016 08:17:23 -0400
> Bernard Fay <bernard.fay at gmail.com> wrote:
>
> > As suggested I added the two lines below and restarted smb.
> > server role = classic primary domain controller
> > domain master = yes
> >
> >
> > [root@CTSFILE01 samba]# testparm -sn| head -32
> > Load smb config files from /etc/samba/smb.conf
> > rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
> > Processing section "[homes]"
> > Processing section "[software]"
> > Processing section "[tftp]"
> > Loaded services file OK.
> > Server role: ROLE_DOMAIN_PDC
> >
> > # Global parameters
> > [global]
> >     workgroup = CTS
> >     server string = CTS File Server 01 - Samba version %v
> >     interfaces = lo eth0
> >     server role = classic primary domain controller
> >     security = USER
> >     passdb backend = ldapsam:ldap://ctsldap01/
> >     log file = /var/log/samba/log.%m
> >     max log size = 50
> >     load printers = No
> >     printcap name = /dev/null
> >     disable spoolss = Yes
> >     add user script = /sbin/smbldap-useradd -m "%u"
> >     add group script = /sbin/smbldap-groupadd -p "%g"
> >     add user to group script = /sbin/smbldap-groupmod -m "%u" "%g"
> >     delete user from group script = /sbin/smbldap-groupmod -x "%u" "%g"
> >     set primary group script = /sbin/smbldap-usermod -g "%g" "%u"
> >     add machine script = /sbin/smbldap-useradd -w "%u"
> >     domain master = Yes
> >     ldap admin dn = cn=Manager,dc=cts,dc=com
> >     ldap delete dn = Yes
> >     ldap group suffix = ou=Groups
> >     ldap machine suffix = ou=Computers
> >     ldap passwd sync = yes
> >     ldap suffix = "dc=cts,dc=com"
> >     ldap ssl = no
> >     ldap user suffix = ou=Users
> >     idmap config * : backend = tdb
> >     printing = bsd
> >
> >
> > No more perl error, which is a good thing, I think but...
> >
> > smbldap-usermod -a bernard.fay
> > Warning: sambaPrimaryGroupSID could not be set beacuse group of user
> > bernard.fay is not a mapped Domain group!
> > To get a list of groups mapped to Domain groups, use "net groupmap
> > list" on a Domain member machine.
> >
> >
> > net groupmap list
> > It returns nothing then I modified the group Administrators to add a
> > SID as I think is the problem:
> >
> > smbldap-groupmod -a Administrators
> >
> >
> > Then one more time I try to add the object class sambaSAMAccount:
> > [root@CTSFILE01 samba]# smbldap-usermod -a bernard.fay
> > Error: Account for user bernard.fay already _is_ a Samba account!
> > Omit option -a!
> >
> >
> > What??? Now it has the objectClass sambaSAMAccount even before
> > modifying it with smbldap-usermod???  Mystery, or is there something I
> > don't understand???
> >
> > ldapsearch -x -b "uid=bernard.fay,ou=people,dc=cts,dc=com" objectClass
> > ...
> > objectClass: top
> > objectClass: posixAccount
> > objectClass: shadowAccount
> > objectClass: inetOrgPerson
> > objectClass: sambaSamAccount
> >
> >
> > I retried "net groupmap list":
> >
> > [root@CTSFILE01 samba]# net groupmap list
> > Administrators (S-1-5-21-3886818290-2676185228-3116881835-513-21001)
> > -> Administrators
> >
> > ok, let's define a password with smbldap-passwd... everything ok with
> > that.
> >
> > Sounds good so far.... let's try to map the home share from a Windows
> > 7 machine.
> >
> > BANG!!! In Windows Explorer when I try to map a samba share drive:
> > "the mapped network drive could not be created because the following
> > error has occured:
> > The security ID structure is invalid."
> >
> >
> > pdbedit -L
> > No builtin backend found, trying to load plugin
> > Module 'ldapsam' loaded
> > smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=CTS))]
> > smbldap_open_connection: connection opened
> > sid S-1-5-21-3886818290-2676185228-3116881835-513-21000 does not belong to our domain
> >
> >
> >
> > What is going on again.....
> >
> >
>
> I think what is going on is that you ran 'smbldap-populate' against
> something that wasn't a PDC.
>
> Can I ask why you are trying to create a new NT4-style PDC ?
>
> Wouldn't you be better creating an AD DC ?
>
> Rowland
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>
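The "does not belong to our domain" message in the pdbedit output above comes from the membership test that an NT-style domain applies to every account SID: the SID minus its trailing RID must equal the domain SID exactly. The following is an added example, not code from the thread or from Samba, that parses string SIDs and runs that test on the SID from the log; the domain SID is an assumption (the thread never shows the sambaDomain object's sambaSID), taken to be the first four sub-authorities of the logged SID.

```python
# Constructed example: parse Windows/Samba string SIDs and apply the
# domain-membership test behind "sid ... does not belong to our domain".
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests"}

def parse_sid(sid):
    """Split 'S-1-<authority>-<sub>-...' into (authority, [sub-authorities]); raise on malformed input."""
    parts = sid.split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1" or not all(p.isdigit() for p in parts[2:]):
        raise ValueError(f"malformed SID: {sid!r}")
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:  # the binary SID layout allows at most 15 sub-authorities
        raise ValueError(f"too many sub-authorities: {sid!r}")
    return int(parts[2]), subs

def is_nt_domain_sid(sid):
    """An NT/AD domain SID has the shape S-1-5-21-A-B-C: authority 5, then 21 and exactly three values."""
    authority, subs = parse_sid(sid)
    return authority == 5 and len(subs) == 4 and subs[0] == 21

def split_rid(account_sid):
    """Return (prefix, rid): an account or group SID is its domain SID with one RID appended."""
    authority, subs = parse_sid(account_sid)
    if len(subs) < 2:
        raise ValueError(f"no RID to split off: {account_sid!r}")
    prefix = "S-1-%d-%s" % (authority, "-".join(str(s) for s in subs[:-1]))
    return prefix, subs[-1]

def belongs_to_domain(account_sid, domain_sid):
    """Membership test: the SID minus its trailing RID must equal the domain SID exactly."""
    prefix, _ = split_rid(account_sid)
    return prefix == domain_sid

def diagnose(account_sid, domain_sid):
    """Explain a failed membership test; a typical cause is a RID appended to a group SID, not the domain SID."""
    if not is_nt_domain_sid(domain_sid):
        return f"domain SID {domain_sid} is not of the form S-1-5-21-A-B-C"
    prefix, rid = split_rid(account_sid)
    if prefix == domain_sid:
        return "ok"
    if prefix.startswith(domain_sid + "-"):
        extra = prefix[len(domain_sid) + 1:]
        name = WELL_KNOWN_RIDS.get(int(extra.split("-")[0]), "unknown")
        return (f"RID {rid} was appended to {prefix} (domain SID plus RID {extra}, {name}) "
                f"instead of to the domain SID {domain_sid}; expected form is {domain_sid}-<rid>")
    return f"{account_sid} belongs to a different domain than {domain_sid}"

# SID taken from the thread's pdbedit output; the domain SID is an assumption (not shown in the thread).
BAD_SID = "S-1-5-21-3886818290-2676185228-3116881835-513-21000"
ASSUMED_DOMAIN_SID = "S-1-5-21-3886818290-2676185228-3116881835"

if __name__ == "__main__":
    print(diagnose(BAD_SID, ASSUMED_DOMAIN_SID))
```

Under that assumption the logged SID parses as the Domain Users group SID with a second RID appended, which is why neither Samba nor Windows accepts it as an account SID of this domain.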