[Samba] Fwd: Migrating server

Rob Thoman emailthomasrob at gmail.com
Thu Mar 8 06:26:48 UTC 2018


Hi Harry,

sadmin and tadmin are both admin logins. I was trying to domain join with
both. sadmin is in LDAP.

The olcdbindex.ldif gave this error:

SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
        additional info: index attribute "dhcpClassData" undefined


I did the indexing and also the log level

Here is what I got with tail -f /var/log/syslog|sed -nre 's/^.*( slapd.*$)/\1/p'
while running net getlocalsid:

slapd[2332]: <= bdb_equality_candidates: (uid) not indexed
slapd[2332]: conn=1090 op=10 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[2332]: conn=1090 op=11 SRCH base="dc=mydomain" scope=2 deref=0 filter="(&(gidNumber=1005)(objectClass=sambaGroupMapping))"
slapd[2332]: conn=1090 op=11 SRCH attr=sambaSID
slapd[2332]: <= bdb_equality_candidates: (gidNumber) not indexed
slapd[2332]: conn=1090 op=11 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[2332]: conn=1090 op=12 SRCH base="dc=mydomain" scope=2 deref=0 filter="(&(uid=dozer15$)(objectClass=sambaSamAccount))"
slapd[2332]: conn=1090 op=12 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory loginShell gecos
slapd[2332]: <= bdb_equality_candidates: (uid) not indexed
slapd[2332]: conn=1090 op=12 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[2332]: conn=1090 op=13 SRCH base="dc=mydomain" scope=2 deref=0 filter="(&(gidNumber=1005)(objectClass=sambaGroupMapping))"
slapd[2332]: conn=1090 op=13 SRCH attr=sambaSID
slapd[2332]: <= bdb_equality_candidates: (gidNumber) not indexed
slapd[2332]: conn=1090 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[2332]: conn=1090 op=14 SRCH base="dc=mydomain" scope=2 deref=0 filter="(&(uid=dozer15$)(objectClass=sambaSamAccount))"
slapd[2332]: conn=1090 op=14 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory loginShell gecos
slapd[2332]: <= bdb_equality_candidates: (uid) not indexed
slapd[2332]: conn=1090 op=14 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[2332]: conn=1090 op=15 SRCH base="dc=mydomain" scope=2 deref=0 filter="(&(gidNumber=1005)(objectClass=sambaGroupMapping))"
slapd[2332]: conn=1090 op=15 SRCH attr=sambaSID
slapd[2332]: <= bdb_equality_candidates: (gidNumber) not indexed
slapd[2332]: conn=1090 op=15 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[2332]: conn=1090 fd=20 closed (connection lost)
slapd[2332]: conn=1091 fd=20 ACCEPT from IP=[::1]:38914 (IP=[::]:389)
slapd[2332]: conn=1091 op=0 BIND dn="cn=admin,dc=mydomain" method=128
slapd[2332]: conn=1091 op=0 BIND dn="cn=admin,dc=mydomain" mech=SIMPLE ssf=0
slapd[2332]: conn=1091 op=0 RESULT tag=97 err=0 text=
slapd[2332]: conn=1091 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
slapd[2332]: conn=1091 op=1 SRCH attr=supportedControl
slapd[2332]: conn=1091 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[2332]: conn=1091 op=2 SRCH base="dc=mydomain" scope=2 deref=0 filter="(&(objectClass=sambaDomain)(sambaDomainName=mydomain))"
slapd[2332]: conn=1091 op=2 SRCH attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
slapd[2332]: conn=1091 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[2332]: conn=1091 fd=20 closed (connection lost)

Joining the machine to the domain:

slapd[2332]: conn=1120 op=9 SRCH base="dc=mydomain" scope=2 deref=0 filter="(&(uid=sadmin)(objectClass=sambaSamAccount))"
slapd[2332]: conn=1120 op=9 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory loginShell gecos
slapd[2332]: <= bdb_equality_candidates: (uid) not indexed
slapd[2332]: conn=1120 op=9 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[2332]: conn=1120 op=10 SRCH base="dc=mydomain" scope=2 deref=0 filter="(&(gidNumber=1359)(objectClass=sambaGroupMapping))"
slapd[2332]: conn=1120 op=10 SRCH attr=sambaSID
slapd[2332]: <= bdb_equality_candidates: (gidNumber) not indexed
slapd[2332]: conn=1120 op=10 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[2332]: conn=1120 op=11 SRCH base="dc=mydomain" scope=2 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=sadmin)(gidNumber=1359)))"
slapd[2332]: conn=1120 op=11 SRCH attr=gidNumber sambaSID
slapd[2332]: <= bdb_equality_candidates: (memberUid) not indexed
slapd[2332]: <= bdb_equality_candidates: (gidNumber) not indexed
slapd[2332]: conn=1120 op=11 SEARCH RESULT tag=101 err=0 nentries=1 text=


The two ways I can join a machine to the domain are:
- Change to TDBSAM
- Remove both of these lines from smb.conf:
  ldapsam:editposix = yes
  ldapsam:trusted = yes

The strange thing is that Win7 joins the domain, reboots, then gives the
"domain trust failed" message. Windows 10 joins and works. That might be an
issue with the machine password.

My question is: are we losing anything by not using the editposix and
trusted options? I understand that smbldap is not supported, but it seems to
work in my testing.

On Wed, Mar 7, 2018 at 10:10 PM, Harry Jede <walk2sun at arcor.de> wrote:

> Hi Rob,
>
> > olcDbIndex: ou eq
> > olcDbIndex: mail eq
> > olcDbIndex: surname eq
> > olcDbIndex: givenname eq
> > olcDbIndex: loginShell eq
> > olcDbIndex: uniqueMember eq,pres
> > olcDbIndex: sambaSID eq
> > olcDbIndex: sambaPrimaryGroupSID eq
> > olcDbIndex: sambaGroupType eq
> > olcDbIndex: sambaSIDList eq
> > olcDbIndex: sambaDomainName eq
> > olcDbIndex: default sub
> > olcDbIndex: nisMapName eq
> > olcDbIndex: nisMapEntry eq
>
> Doesn't look good.
>
>
> replace the indices
> # ldapmodify -Y external -H ldapi:/// -f olcdbindex.ldif
>
> stop slapd
> # /etc/init.d/slapd stop
>
> re-index
> # slapindex -v -n 1
>
> start slapd
> # /etc/init.d/slapd start
>
> We want to watch the communication between samba and ldap:
>
> First, we set another loglevel
> # ldapmodify -Y external -H ldapi:/// -f olcloglevel.ldif
>
> and then run in an extra terminal:
>
> tail -f /var/log/syslog|sed -nre 's/^.*( slapd.*$)/\1/p'
>
> You will see the communication between samba and slapd.
>
> This is the output from: *net getdomainsid*
>
> slapd[18826]: conn=1000 fd=13 ACCEPT from IP=127.0.0.1:33707 (IP=0.0.0.0:389)
> slapd[18826]: conn=1000 op=0 BIND dn="cn=admin,dc=afrika,dc=xx" method=128
> slapd[18826]: conn=1000 op=0 BIND dn="cn=admin,dc=afrika,dc=xx" mech=SIMPLE ssf=0
> slapd[18826]: conn=1000 op=0 RESULT tag=97 err=0 text=
> # the bind from smbd
>
> slapd[18826]: conn=1000 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
> slapd[18826]: conn=1000 op=1 SRCH attr=supportedControl
> slapd[18826]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
> # the search from smbd for supportedControls
>
> slapd[18826]: conn=1000 op=2 SRCH base="dc=afrika,dc=xx" scope=2 deref=0 filter="(&(objectClass=sambaDomain)(sambaDomainName=schule))"
> slapd[18826]: conn=1000 op=2 SRCH attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
> slapd[18826]: conn=1000 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
> slapd[18826]: conn=1000 fd=13 closed (connection lost)
> # and finally the search for "sambaDomainName and sambaSID"
> # samba does not search for single attributes,
> # instead all attributes from an objectclass
>
> ###
> $ cat olcloglevel.ldif
> dn: cn=config
> changetype: modify
> replace: olcloglevel
> olcloglevel: 256
> -
>
> $ cat olcdbindex.ldif
> dn: olcDatabase={1}hdb,cn=config
> changetype: modify
> replace: olcDbIndex
> olcDbIndex: cn eq,sub
> olcDbIndex: dc eq
> olcDbIndex: default eq
> olcDbIndex: dhcpClassData eq
> olcDbIndex: dhcpHWAddress eq
> olcDbIndex: displayName eq,sub
> olcDbIndex: gidNumber eq
> olcDbIndex: givenName eq,sub
> olcDbIndex: loginShell eq
> olcDbIndex: mail eq,sub,approx
> olcDbIndex: memberUid eq,sub
> olcDbIndex: objectClass eq
> olcDbIndex: ou eq
> olcDbIndex: sambaDomainName eq
> olcDbIndex: sambaGroupType eq
> olcDbIndex: sambaPrimaryGroupSID eq
> olcDbIndex: sambaSID eq
> olcDbIndex: sambaSIDList eq
> olcDbIndex: sn eq,sub
> olcDbIndex: uid eq,sub
> olcDbIndex: uidNumber eq
> olcDbIndex: uniqueMember eq
>
> --
> Regards
> Harry Jede