[Samba] Setting up PDC w/ LDAP - Samba



Thread: [Samba] Setting up PDC w/ LDAP

  1. [Samba] Setting up PDC w/ LDAP

    I've almost got it. I swear I've almost got it (and I've been doing a
    lot of swearing lately).

    I re-built my PDC, starting from scratch. I'm not using the editposix
    extensions anymore - I'm using the smbldap tools as shown (I think) in
    the Samba by Example.

    I really really thought I did everything right. Obviously I was wrong.

    What works - all my workstations and logins. Add/create users, join
    workstations to domain. Just about everything.

    The last little item - winbind.

    I suppose I need to give some vitals:
    Samba 3.0.28a.
    Samba PDC - no Windows servers, no BDC's, no member servers.
    Linux and Windows XP workstations.
    OpenLDAP backend with combined Unix and Windows users (using
    LDAP-Account Manager).

    First question: under this configuration, do I need winbind at all?

    If the answer is yes, second question:
    wbinfo -t yields "checking the trust secret via RPC calls succeeded"
    wbinfo -u yields "Error looking up domain users"

    The logfile log.wb-AMFESLAN.LOCAL has
    [2008/05/27 12:17:40, 1] rpc_client/cli_pipe.c:cli_pipe_validate_current_pdu(625)
    cli_pipe_validate_current_pdu: RPC fault code DCERPC_FAULT_OP_RNG_ERROR received from remote machine BUBBA pipe \lsarpc fnum 0x7169!

    logfile log.winbindd-idmap has
    [2008/05/27 12:17:40, 1] nsswitch/idmap.c:idmap_init(377)
    Initializing idmap domains
    [2008/05/27 12:17:40, 0] nsswitch/idmap.c:idmap_init(388)
    idmap_init: Ignoring domain AMFESLAN.LOCAL

    I should also mention that I can't add the built-in or local groups
    using net.

    partial output of testparm:
    Processing section "[printers]"

    Loaded services file OK.
    Server role: ROLE_DOMAIN_PDC
    Press enter to see a dump of your service definitions

    [global]
    workgroup = AMFESLAN.LOCAL
    realm = AMFESLAN.LOCAL
    server string = %h server (Samba, Ubuntu)
    map to guest = Bad User
    obey pam restrictions = Yes
    passdb backend = ldapsam:ldap://localhost
    pam password change = Yes
    passwd program = /usr/sbin/smbldap-passwd -u %u
    passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *all*authentication*tokens*updated*
    username map = /etc/samba/smbusers
    unix password sync = Yes
    syslog = 0
    log file = /var/log/samba/log.%m
    max log size = 1000
    time server = Yes
    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=20480 SO_SNDBUF=20480
    add user script = /usr/sbin/smbldap-useradd -m "%u"
    delete user script = /usr/sbin/smbldap-userdel "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    delete group script = /usr/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
    add machine script = /usr/sbin/smbldap-useradd -w "%u"
    logon script = logon.cmd
    logon path = \\%L\profiles\%U\%a
    logon drive = U:
    logon home =
    domain logons = Yes
    os level = 64
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    ldap admin dn = "cn=admin,dc=amfeslan,dc=local"
    ldap delete dn = Yes
    ldap group suffix = ou=groups
    ldap idmap suffix = ou=idmap
    ldap machine suffix = ou=machines,ou=users
    ldap passwd sync = Yes
    ldap suffix = dc=amfeslan,dc=local
    ldap ssl = no
    ldap user suffix = ou=users
    panic action = /usr/share/samba/panic-action %d
    idmap backend = ldap:ldap://127.0.0.1
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = Yes
    winbind enum groups = Yes
    ea support = Yes
    profile acls = Yes
    veto oplock files = /*.QBW/*.qbw/*.MDB/*.mdb/
    dos filemode = Yes

    [printers]
    comment = All Printers
    path = /var/spool/samba
    create mask = 0700
    guest ok = Yes
    printable = Yes
    browseable = No

    --
    Daniel
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba


  2. Re: [Samba] Setting up PDC w/ LDAP

    No, you don't need winbind; I'm using LDAP + samba + NSS_LDAP.

    Paste your net command and the error(s) it's giving.





  3. Re: [Samba] Setting up PDC w/ LDAP

    John H Terpstra wrote:
    > On Tuesday 27 May 2008 02:22:15 pm Daniel L. Miller wrote:
    >> I've almost got it. I swear I've almost got it (and I've been doing a
    >> lot of swearing lately).
    >
    > Swearing does not help much. :-)

    It does too! I haven't broken a single keyboard!

    >> I re-built my PDC, starting from scratch. I'm not using the editposix
    >> extensions anymore - I'm using the smbldap tools as shown (I think) in
    >> the Samba by Example.
    >
    > Now that is a really good guide. (Biased opinion of course!) It is a pity that
    > this book is a little out of date. Someone really should contribute updates
    > to it I guess.

    I'd be delighted to - but at the moment it'd be the blind leading the
    totally clueless.

    >> I really really thought I did everything right. Obviously I was wrong.
    >
    > Ah, you mean you have been learning to swim. A good start to using Samba.

    Unfortunately I still splash far too much without making efficient
    forward progress. I can go sideways really good though!

    >> First question: under this configuration, do I need winbind at all?
    >
    > That depends! You can probably get away without winbind. If you do need it,
    > you should update the configuration since winbindd has changed since Samba
    > 3.0.20 - the version the book was last updated for.

    Something I haven't seen in print yet - so I'll ask the question. WHEN
    is the appropriate time to use winbind with PDC's and BDC's? If the
    only (intended) purpose is for member servers and joining Windows
    NT/2000+ domains - please say so. The 3.2 Using Samba says "...in the
    majority of cases winbind is of primary interest for use with domain
    member servers (DMSs) and domain member clients (DMCs)." - but that's
    not quite the same as, "In an exclusively Samba server environment, with
    a common LDAP backend (replicated or single), winbind offers no
    additional features and in fact can cause problems. Do NOT use winbind
    in such a configuration."

    >> If the answer is yes, second question:
    >> wbinfo -t yields "checking the trust secret via RPC calls succeeded"
    >> wbinfo -u yields "Error looking up domain users"
    >
    > It is no longer possible to use wbinfo on the PDC itself. See Samba Bugzilla
    > bug no. 5453.
    >
    >> I should also mention that I can't add the built-in or local groups
    >> using net.
    >
    > Correct. For that you will need the new winbind configuration syntax - you are
    > running 3.0.28 aren't you? See man idmap_ldap, or man idmap_tdb.

    Now I'm more confused. I'm reviewing those pages - and while I do see
    some other parameters, they say in their absence they will default to
    using the ones I've specified. I don't see what I'm missing. I've
    revised to show:

    idmap domains = AMFESLAN.LOCAL
    idmap alloc backend = ldap
    winbind enum users = Yes
    winbind enum groups = Yes
    idmap alloc config:range = 10000-20000
    idmap alloc config:ldap_url = ldap://127.0.0.1
    idmap alloc config:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
    idmap config AMFESLAN.LOCAL:range = 10000-20000
    idmap config AMFESLAN.LOCAL:ldap_url = ldap://127.0.0.1
    idmap config AMFESLAN.LOCAL:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
    idmap config AMFESLAN.LOCAL:backend = ldap
    idmap config AMFESLAN.LOCAL:default = yes

    Functionality and error messages remain the same.
    > I hope that helps.

    Helps a lot - but I'm needy and greedy and would still appreciate more
    of your insight.


    --
    Daniel


  4. Re: [Samba] Setting up PDC w/ LDAP

    OK, payment in advance: :-) :-) :-)

    Wait a minute, let me change currencies....

    _.-'''''-._
    .' _ _ '.
    / (o) (o) \
    | |
    | \ / |
    \ '. .' /
    '. `'---'` .'
    '-._____.-'


    _.-'''''-._
    .' _ _ '.
    / (o) (o) \
    | |
    | \ / |
    \ '. .' /
    '. `'---'` .'
    '-._____.-'


    _.-'''''-._
    .' _ _ '.
    / (o) (o) \
    | |
    | \ / |
    \ '. .' /
    '. `'---'` .'
    '-._____.-'


    John H Terpstra wrote:
    >> Something I haven't seen in print yet - so I'll ask the question. WHEN
    >> is the appropriate time to use winbind with PDC's and BDC's?
    >
    > Winbind is needed when you have domain member servers, and to deal with SIDs
    > for users of trusted foreign domains. Winbind is essential for interdomain
    > trust handling.
    >
    > If all your clients are domain members, and you never get clients from trusted
    > domains on the network, you do not need winbind. You can operate without it
    > without loss of service, but you will not have use of BUILTIN groups (these
    > are created and managed by winbind).

    Almost there. Really....

    Do I NEED those builtin groups for anything? Do I WANT those builtin
    groups for anything (besides avoiding those nuisance error messages in
    my samba logs)?

    If a couple clients are non-domain members (laptops that periodically
    plug-in) - but still no trusted domains involved - is there any need for
    winbind?
    > First: Do NOT use a domain name that has a '.' in it. That has unexpected
    > name resolution consequences. A Samba smb.conf workgroup= parameter should
    > not have a dot in it.


    Ok...now that I've setup everything (again, for the nth time), do I need
    to reconfigure the server and every client? Or just rename it on the
    server and the change will automagically propagate?

    And beyond updating my srv records, will this have other DNS consequences?
    >> idmap domains = AMFESLAN.LOCAL
    >> idmap alloc backend = ldap
    >> winbind enum users = Yes
    >> winbind enum groups = Yes
    >> idmap alloc config:range = 10000-20000
    >> idmap alloc config:ldap_url = ldap://127.0.0.1
    >> idmap alloc config:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
    >> idmap config AMFESLAN.LOCAL:range = 10000-20000
    >> idmap config AMFESLAN.LOCAL:ldap_url = ldap://127.0.0.1
    >> idmap config AMFESLAN.LOCAL:ldap_base_dn = ou=idmap,dc=amfeslan,dc=local
    >> idmap config AMFESLAN.LOCAL:backend = ldap
    >> idmap config AMFESLAN.LOCAL:default = yes
    >
    > IDMAP is used to allocate unique UID/GID's for users from a trusted domain so
    > they can access resources in our domain. IDMAP is also used to create
    > BUILTIN groups.

    Ok...that part I get. What I don't get -
    1. Is the above config (other than the domain name) correct?
    2. How does this config differ from my original one - since the docs
    say the previous version should have worked?

    --
    Daniel
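An added configuration check, written for this thread and not part of Samba or of any post above: it reads an smb.conf and flags the two points raised in this exchange (a workgroup name containing a dot, and winbind enumeration turned on without the per-domain "idmap config DOMAIN:..." keys), plus an idmap range that collides with local system uids. The sample config is the thread's revised fragment, trimmed; the function names are my own.

```python
import re

# Constructed sample: the revised [global] keys quoted in the thread,
# trimmed to those the checks below look at (workgroup still has the dot).
THREAD_CONF = """[global]
    workgroup = AMFESLAN.LOCAL
    winbind enum users = Yes
    idmap uid = 10000-20000
    idmap config AMFESLAN.LOCAL:range = 10000-20000
    idmap config AMFESLAN.LOCAL:backend = ldap
    idmap config AMFESLAN.LOCAL:default = yes
"""

def parse_smb_conf(text):
    """Minimal smb.conf reader -> {section: {key: value}}. Keys are lower-cased,
    backslash-continued lines joined, '#'/';' comments and stray lines skipped."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip().strip('"')
    return sections

def check_pdc_config(text):
    """Return a list of findings for the issues raised in the thread ([] = clean)."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    workgroup = g.get("workgroup", "")
    if "." in workgroup:
        findings.append("workgroup contains a '.': use a dot-free NetBIOS name")
    prefix = f"idmap config {workgroup.lower()}:"  # post-3.0.20 per-domain syntax
    dom = {k[len(prefix):]: v for k, v in g.items() if k.startswith(prefix)}
    enum_on = g.get("winbind enum users", "no").lower() in ("yes", "true", "1")
    if enum_on and not dom:
        findings.append(f"winbind enumeration on but no '{prefix}*' keys set")
    if dom and "backend" not in dom:
        findings.append(f"'{prefix}backend' is missing")
    rng = dom.get("range") or g.get("idmap uid", "")  # per-domain range wins
    m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", rng)
    if not m or int(m[1]) >= int(m[2]):
        findings.append(f"idmap range '{rng}' is not LOW-HIGH with LOW < HIGH")
    elif int(m[1]) < 1000:
        findings.append("idmap range overlaps local system uids below 1000")
    return findings
```

Run it against `testparm -s` output or the raw file; an overlapping idmap range is worth catching because it lets domain SIDs map onto existing local accounts.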


  5. Re: [Samba] Setting up PDC w/ LDAP

    John H Terpstra wrote:
    > On Tuesday 27 May 2008 05:45:24 pm Daniel L. Miller wrote:
    >> OK, payment in advance: :-) :-) :-)
    >>
    >> Wait a minute, let me change currencies....
    >
    > Awe .. forget it! ;-)


    I'm assuming my last payment still has me covered - if you need more
    retainer please let me know.
    >> Almost there. Really....
    >>
    >> Do I NEED those builtin groups for anything? Do I WANT those builtin
    >> groups for anything (besides avoiding those nuisance error messages in
    >> my samba logs)?
    >
    > You do not need them specifically. They can be useful, but they are certainly
    > not essential.


    I'm still coming up with a good question to ask on this part....
    >>> First: Do NOT use a domain name that has a '.' in it. That has
    >>> unexpected name resolution consequences. A Samba smb.conf workgroup=
    >>> parameter should not have a dot in it.
    >>
    >> Ok...now that I've setup everything (again, for the nth time), do I need
    >> to reconfigure the server and every client? Or just rename it on the
    >> server and the change will automagically propagate?
    >
    > It is safer to re-add your clients to the domain. Even though it is the
    > domain SID that really matters. If it changes you can reset it to the
    > original value, there are some operations that are tied to the domain name,
    > so it is best to re-add the clients to the domain.


    Is there a better (read: more efficient, automated, less
    labor-intensive, more fun, whatever) method to re-add than manually
    visiting each workstation (either physically or via RDC of some sort),
    leaving the old domain, and then joining the new one?


    --
    Daniel

