[Samba] Fwd: Migrating server
Harry Jede
walk2sun at arcor.de
Thu Mar 8 14:04:05 UTC 2018
Hi Rob,
first things first. Thanks for the attached logs.txt!!!
> Hi Harry,
>
>
> Here are the outputs. I've attached them as logs with this email too.
>
> root at sam3dc:/tmp/ldifs-gr# ldapmodify -Y external -H ldapi:/// -f olcdbindex.ldif
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> modifying entry "olcDatabase={1}hdb,cn=config"
>
>
> root at sam3dc:/tmp/ldifs-gr# service slapd stop
> * Stopping OpenLDAP slapd
>
> [ OK ]
> root at sam3dc:/tmp/ldifs-gr# slapindex -v -n 1
>
> WARNING!
> Running as root!
> There's a fair chance slapd will fail to start.
I overlooked this very important error message, sorry.
> Check file permissions!
We have run the slapindex command as root. So root becomes
the owner of the files. That is surely wrong; openldap
should be the owner.
This happens because of the not so sophisticated install
scripts of Debian/Ubuntu. This is not easily fixable without
breaking thousands of installations.
Do the following:
stop slapd
# chown -R openldap:openldap /etc/ldap/slapd.d/cn\=config/
# chown -R openldap:openldap /var/lib/ldap/
start slapd
> indexing id=00000001
> indexing id=00000002
> indexing id=00000003
> indexing id=00000004
> indexing id=00000005
> indexing id=00000006
> It goes on and completes the indexing
Super
> root at sam3dc:/tmp/ldifs-gr# service slapd start
> * Starting OpenLDAP slapd
>
> [ OK ]
>
>
> net getdomainsid
> SID for local machine sam3dc is:
> S-1-5-21-286905455-3929894668-3957719032
> SID for domain mydomain is:
> S-1-5-21-3936576374-1604348213-1812465911
And this is why I prefer this command!!!
You have different SIDs for PDC and DOMAIN and that is wrong!
> net getlocalsid
> SID for local machine sam3dc is:
> S-1-5-21-286905455-3929894668-3957719032
Nice command but did not help here. Just to show.
> getent passwd sadmin
> sadmin:x:1359:1359::/home/sadmin:/bin/sh
>
> getent passwd tadmin
> tadmin:x:1262:1150:Temp Admin,,,:/home/tadmin:/bin/bash
>
> root at sam3dc:/# getent group 512
> root at sam3dc:/#
> root at sam3dc:/# getent group 1359
> sadmin:x:1359:
getent group 1150
and let us look whether these groups are in LDAP
## a long one-liner
# for g in 512 1359 1150; do ldapsearch -xLLL -b dc=mydomain "(&(objectclass=posixgroup)(gidnumber=$g))"; done
> SYSLOG during the netdomainsid and getlocalsid
PS: until Tuesday I'm offline
--
Gruss
Harry Jede
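The two diagnostics Harry relies on above (file ownership after running slapindex as root, and the machine SID versus the domain SID from `net getdomainsid`) can be scripted so they are checked rather than eyeballed. The following POSIX shell helpers are an added example for this page, not code from the thread, from Samba or from OpenLDAP. They assume the Debian/Ubuntu defaults the thread is about: the slapd service account is `openldap`, the database lives in `/var/lib/ldap` and the config in `/etc/ldap/slapd.d`, and `net getdomainsid` prints its SIDs in the wording quoted in the mail. `wrong_owner_count`, `fix_ldap_ownership` and `sids_match` are names chosen here.

```shell
#!/bin/sh
# Added example: post-migration sanity checks for a Samba 3 PDC backed by
# OpenLDAP on Debian/Ubuntu. Assumptions: service account "openldap",
# Debian default paths, and Samba's `net` tool on PATH.

# 1. Ownership check.
# Count entries under DIR that are NOT owned by OWNER. After `slapindex` has
# been run as root this is non-zero for the database directory, and slapd
# (which drops to the openldap user) then fails to start.
wrong_owner_count() {
    dir=$1
    owner=$2
    find "$dir" ! -user "$owner" | wc -l | tr -d ' '
}

# Repair step from the mail: stop slapd, give the files back to the service
# account, start slapd. Only touches a directory that actually has a problem.
# Prevention for next time: run the reindex as the service user instead of
# root, e.g.  su -s /bin/sh openldap -c 'slapindex -v -n 1'
fix_ldap_ownership() {
    owner=${1:-openldap}
    for d in /etc/ldap/slapd.d /var/lib/ldap; do
        if [ "$(wrong_owner_count "$d" "$owner")" -ne 0 ]; then
            service slapd stop
            chown -R "$owner:$owner" "$d"
            service slapd start
        fi
    done
}

# 2. SID check.
# Parse the text printed by `net getdomainsid` and compare the local machine
# SID with the domain SID. On a PDC they must be identical; in the thread
# they differ, which is the bug Harry points at.
# Exit status: 0 = match, 1 = mismatch, 2 = could not parse both SIDs.
# The output is joined onto one line first, because the SID may be printed
# on the line after "... is:" (as in the quoted mail) or on the same line.
sids_match() {
    joined=$(printf '%s\n' "$1" | tr '\n' ' ')
    local_sid=$(printf '%s\n' "$joined" \
        | sed -n 's/.*SID for local machine [^ ]* is: *\(S-[0-9-]*\).*/\1/p')
    domain_sid=$(printf '%s\n' "$joined" \
        | sed -n 's/.*SID for domain [^ ]* is: *\(S-[0-9-]*\).*/\1/p')
    [ -n "$local_sid" ] && [ -n "$domain_sid" ] || return 2
    [ "$local_sid" = "$domain_sid" ]
}

# Usage on a live box (not run here):
#   sids_match "$(net getdomainsid)" || echo "machine SID != domain SID"
#   [ "$(wrong_owner_count /var/lib/ldap openldap)" -eq 0 ] || fix_ldap_ownership
```

`sids_match` deliberately returns a distinct status (2) when it cannot find both SIDs, so a typo in the wording or an unexpected `net` version is not silently reported as "match"; a health check should treat anything but 0 as a failure.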