[Samba] Setup of a new PDC with Samba 3.2.0
Hello,
I am setting up a new PDC for a new domain using Samba 3.2.0.
I use LDAP as passwd/idmap backend.
I started from scratch, just creating the OU for the
users/groups/machines/idmaps in the LDAP directory, plus a user used to bind
to LDAP.
So from there I started winbind and ran net sam provision, which worked
great.
Now I plan that this domain will have a one-way trust with one other domain,
and as I started playing with wbinfo to verify that the local/builtin groups
appear, I found that wbinfo -t fails to check the secret with:
myserver:/usr/local/samba/bin# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
Could not check secret
So, I'm wondering, do I need to create some kind of machine trust account
for the PDC itself, or is this reply from wbinfo -t expected?
[global]
workgroup = EVENTLAB
netbios name = TLS-SRV-01
server string = Samba for EventLab
interfaces = eth1 lo
bind interfaces only = Yes
hosts allow = 10.211.0.0/16 10.212.0.0/16 127.0.0.1
socket address = 10.211.254.253
passdb backend = ldapsam:ldap://127.0.0.1:389
ldap admin dn = cn=SambaAdmin,dc=x-files,dc=fr
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Machines
ldap suffix = dc=x-files,dc=fr
ldapsam:trusted = Yes
ldapsam:editposix = Yes
time server = Yes
map acl inherit = Yes
nt acl support = Yes
unix charset = UTF-8
# unix password sync = Yes
# passwd chat = *new*password* %n\n*new*password* %n\n *updated*
# pam password change = No
passwd program = /usr/sbin/smbldap-passwd %u
# username map = /etc/samba/username.map
reset on zero vc = Yes
use sendfile = Yes
#
# Logon options
#
domain logons = Yes
logon drive = h:
logon path = \\TLS-SRV-01\Profiles\%U
logon home = \\TLS-SRV-01\%U
logon script = Startup.bat
#
# Printing options
#
load printers = No
#
# Browsing options
#
os level = 65
announce version = 4.9
preferred master = No
domain master = Yes
local master = No
# remote browse sync = 10.212.254.254
# remote announce = 10.212.254.254
#
# WINS and resolver options
#
wins support = Yes
# wins server = 10.212.254.254
wins proxy = Yes
name resolve order = lmhosts wins host bcast
#
# Debug options
#
log level = 0
debug timestamp = No
debug prefix timestamp = No
debug hires timestamp = No
debug pid = Yes
debug uid = Yes
#
# Winbind options
#
winbind enum users = Yes
winbind enum groups = Yes
idmap domains = TRUSTEDDOM
idmap config TRUSTEDDOM:backend = ldap
idmap config TRUSTEDDOM:default = Yes
idmap config TRUSTEDDOM:ldap_base_dn = ou=TRUSTEDDOM,ou=Idmaps,dc=x-files,dc=fr
idmap config TRUSTEDDOM:ldap_user_dn = cn=SambaAdmin,dc=x-files,dc=fr
idmap config TRUSTEDDOM:ldap_url = ldap://localhost/
idmap config TRUSTEDDOM:range = 10000 - 10999
idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=Idmaps,dc=x-files,dc=fr
idmap alloc config:ldap_user_dn = cn=SambaAdmin,dc=x-files,dc=fr
idmap alloc config:ldap_url = ldap://localhost/
idmap alloc config:range = 20000 - 20999
template homedir = /home/home/%D/%U
template shell = /bin/false
winbind: rpc only = yes
winbind nested groups = yes
--
François Legal
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
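An added configuration lint for the smb.conf posted above; it is written for this thread and is not the poster's code nor part of Samba. It parses the [global] section (a trimmed, constructed copy of the posted settings is embedded), flags idmap ranges that overlap between the trusted domain and the allocator (which would let SIDs from two sources map to the same UID/GID), and flags the case where wins support and wins server are both enabled, which the posted config avoids by commenting wins server out.

```python
import re

# Constructed sample: a trimmed copy of the [global] settings posted above,
# keeping only the parameters this lint inspects.
SAMPLE_SMB_CONF = """
[global]
wins support = Yes
# wins server = 10.212.254.254
idmap domains = TRUSTEDDOM
idmap config TRUSTEDDOM:range = 10000 - 10999
idmap alloc backend = ldap
idmap alloc config:range = 20000 - 20999
"""

def parse_global(text):
    """Collect 'key = value' pairs from [global]; keys are lower-cased with whitespace collapsed."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # skip blanks and commented-out parameters
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, _, val = line.partition("=")
            params[" ".join(key.lower().split())] = val.strip()
    return params

def idmap_ranges(params):
    """Map each 'idmap ...:range' parameter to its (low, high) UID/GID bounds."""
    ranges = {}
    for key, val in params.items():
        m = re.fullmatch(r"(\d+)\s*-\s*(\d+)", val)
        if key.startswith("idmap") and key.endswith(":range") and m:
            ranges[key] = (int(m.group(1)), int(m.group(2)))
    return ranges

def lint_pdc_conf(text):
    """Return a list of findings; an empty list means every check passed."""
    params, findings = parse_global(text), []
    # Overlapping ranges let SIDs from different sources collide on one UID/GID,
    # so compare neighbouring ranges after sorting by low bound.
    ordered = sorted(idmap_ranges(params).items(), key=lambda kv: kv[1])
    for (k1, (_, hi1)), (k2, (lo2, _)) in zip(ordered, ordered[1:]):
        if lo2 <= hi1:
            findings.append(f"{k1} overlaps {k2}")
    if params.get("wins support", "").lower() in ("yes", "true") and "wins server" in params:
        findings.append("wins support = Yes and wins server are both set; nmbd aborts on that combination")
    return findings

if __name__ == "__main__":
    print(lint_pdc_conf(SAMPLE_SMB_CONF) or "no findings")
```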
Re: [Samba] Setup of a new PDC with Samba 3.2.0
On Fri, Jul 11, 2008 at 04:50:55PM +0200, devel@thom.fr.eu.org wrote:
> Hello,
>
> I am setting up a new PDC for a new domain using Samba 3.2.0.
> I use LDAP as passwd/idmap backend.
>
> I started from scratch, just creating the OU for the
> users/groups/machines/idmaps in the LDAP directory, plus a user used to bind
> to LDAP.
>
> So from there I started winbind and ran net sam provision, which worked
> great.
> Now I plan that this domain will have a one-way trust with one other domain,
> and as I started playing with wbinfo to verify that the local/builtin groups
> appear, I found that wbinfo -t fails to check the secret with:
> myserver:/usr/local/samba/bin# wbinfo -t
> checking the trust secret via RPC calls failed
> error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
> Could not check secret
>
> So, I'm wondering, do I need to create some kind of machine trust account
> for the PDC itself, or is this reply from wbinfo -t expected?
Yes, you need to "join" the machine to itself (the PDC) using net join
before winbindd will work in this way on the PDC. Sorry, rather
counterintuitive I know, but that's the way it works at present.
Jeremy.
--
Re: [Samba] Setup of a new PDC with Samba 3.2.0
Ok,
I just missed this part of the documentation (by the way, could anybody
point me to the place where this is specified? I could see it in Samba Howto
chapter 13, but this is not obvious).
So I did successfully join the domain, and now I get the following error
on wbinfo -t:
MYSERVER:~# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
Could not check secret
This looks like a resolver issue. I have
wins server = 10.212.254.254
wins proxy = Yes
name resolve order = lmhosts wins host bcast
in smb.conf, and my lmhosts file says
10.211.254.253 MYDOMAIN
10.211.254.253 MYSERVER
and anyway the nmblookup succeeds:
tls-srv-01:~# nmblookup -R -U 10.212.254.254 MYDOMAIN#1b
querying MYDOMAIN on 10.212.254.254
10.211.254.253 MYDOMAIN<1b>
tls-srv-01:~# nmblookup -R -U 10.212.254.254 MYDOMAIN#1c
querying MYDOMAIN on 10.212.254.254
10.211.254.253 MYDOMAIN<1c>
> On Fri, Jul 11, 2008 at 04:50:55PM +0200, devel@thom.fr.eu.org wrote:
>> Hello,
>>
>> I am setting up a new PDC for a new domain using Samba 3.2.0.
>> I use LDAP as passwd/idmap backend.
>>
>> I started from scratch, just creating the OU for the
>> users/groups/machines/idmaps in the LDAP directory, plus a user used to
>> bind
>> to LDAP.
>>
>> So from there I started winbind and ran net sam provision, which worked
>> great.
>> Now I plan that this domain will have a one-way trust with one other domain,
>> and as I started playing with wbinfo to verify that the local/builtin groups
>> appear, I found that wbinfo -t fails to check the secret with:
>> myserver:/usr/local/samba/bin# wbinfo -t
>> checking the trust secret via RPC calls failed
>> error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
>> Could not check secret
>>
>> So, I'm wondering, do I need to create some kind of machine trust
>> account
>> for the PDC itself, or is this reply from wbinfo -t expected?
>
> Yes, you need to "join" the machine to itself (the PDC) using net join
> before winbindd will work in this way on the PDC. Sorry, rather
> counterintuitive I know, but that's the way it works at present.
>
> Jeremy.
>