[Samba] Setup of a new PDC with Samba 3.2.0 - Samba



  1. [Samba] Setup of a new PDC with Samba 3.2.0

    Hello,

    I am setting up a new PDC for a new domain using Samba 3.2.0.
    I use LDAP as the passwd/idmap backend.

    I started from scratch just creating the OU for the
    users/groups/machines/idmaps in the ldap directory, + a user used to bind
    to ldap.

    So from there I started winbind and ran net sam provision, which worked
    great.
    Now I plan that this domain will have a one-way trust with one other domain,
    and as I start playing with wbinfo to verify that the local/builtin groups
    appear, I found that wbinfo -t fails to check the secret with:
    myserver:/usr/local/samba/bin# wbinfo -t
    checking the trust secret via RPC calls failed
    error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
    Could not check secret

    So, I'm wondering, do I need to create some kind of machine trust account
    for the PDC itself, or is this reply from wbinfo -t expected?

    [global]
    workgroup = EVENTLAB
    netbios name = TLS-SRV-01
    server string = Samba for EventLab
    interfaces = eth1 lo
    bind interfaces only = Yes
    hosts allow = 10.211.0.0/16 10.212.0.0/16 127.0.0.1
    socket address = 10.211.254.253
    passdb backend = ldapsam:ldap://127.0.0.1:389
    ldap admin dn = cn=SambaAdmin,dc=x-files,dc=fr
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Machines
    ldap suffix = dc=x-files,dc=fr
    ldapsam:trusted = Yes
    ldapsam:editposix = Yes
    time server = Yes
    map acl inherit = Yes
    nt acl support = Yes
    unix charset = UTF-8
    # unix password sync = Yes
    # passwd chat = *new*password* %n\n*new*password* %n\n *updated*
    # pam password change = No
    passwd program = /usr/sbin/smbldap-passwd %u
    # username map = /etc/samba/username.map
    reset on zero vc = Yes
    use sendfile = Yes
    #
    # Logon options
    #
    domain logons = Yes
    logon drive = h:
    logon path = \\TLS-SRV-01\Profiles\%U
    logon home = \\TLS-SRV-01\%U
    logon script = Startup.bat

    #
    # Printing options
    #
    load printers = No

    #
    # Browsing options
    #
    os level = 65
    announce version = 4.9
    preferred master = No
    domain master = Yes
    local master = No
    # remote browse sync = 10.212.254.254
    # remote announce = 10.212.254.254

    #
    # WINS and resolver options
    #
    wins support = Yes
    # wins server = 10.212.254.254
    wins proxy = Yes
    name resolve order = lmhosts wins host bcast

    #
    # Debug options
    #
    log level = 0
    debug timestamp = No
    debug prefix timestamp = No
    debug hires timestamp = No
    debug pid = Yes
    debug uid = Yes

    #
    # Winbind options
    #
    winbind enum users = Yes
    winbind enum groups = Yes
    idmap domains = TRUSTEDDOM
    idmap config TRUSTEDDOM:backend = ldap
    idmap config TRUSTEDDOM:default = Yes
    idmap config TRUSTEDDOM:ldap_base_dn = ou=TRUSTEDDOM,ou=Idmaps,dc=x-files,dc=fr
    idmap config TRUSTEDDOM:ldap_user_dn = cn=SambaAdmin,dc=x-files,dc=fr
    idmap config TRUSTEDDOM:ldap_url = ldap://localhost/
    idmap config TRUSTEDDOM:range = 10000 - 10999

    idmap alloc backend = ldap
    idmap alloc config:ldap_base_dn = ou=Idmaps,dc=x-files,dc=fr
    idmap alloc config:ldap_user_dn = cn=SambaAdmin,dc=x-files,dc=fr
    idmap alloc config:ldap_url = ldap://localhost/
    idmap alloc config:range = 20000 - 20999
    template homedir = /home/home/%D/%U
    template shell = /bin/false
    winbind: rpc only = yes
    winbind nested groups = yes



    --
    François Legal
    --
    To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/listinfo/samba

  2. Re: [Samba] Setup of a new PDC with Samba 3.2.0

    On Fri, Jul 11, 2008 at 04:50:55PM +0200, devel@thom.fr.eu.org wrote:
    > Hello,
    >
    > I am setting up a new PDC for a new domain using Samba 3.2.0.
    > I use LDAP as the passwd/idmap backend.
    >
    > I started from scratch just creating the OU for the
    > users/groups/machines/idmaps in the ldap directory, + a user used to bind
    > to ldap.
    >
    > So from there I started winbind and ran net sam provision, which worked
    > great.
    > Now I plan that this domain will have a one-way trust with one other domain,
    > and as I start playing with wbinfo to verify that the local/builtin groups
    > appear, I found that wbinfo -t fails to check the secret with:
    > myserver:/usr/local/samba/bin# wbinfo -t
    > checking the trust secret via RPC calls failed
    > error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
    > Could not check secret
    >
    > So, I'm wondering, do I need to create some kind of machine trust account
    > for the PDC itself, or is this reply from wbinfo -t expected?


    Yes, you need to "join" the machine to itself (the PDC) using net join
    before winbindd will work in this way on the PDC. Sorry, rather
    counterintuitive I know, but that is the way it works at present.

    Jeremy.

  3. Re: [Samba] Setup of a new PDC with Samba 3.2.0

    Ok,

    I just missed this part of the documentation (by the way, could anybody
    point me to the place where this is specified? I could see it in the Samba
    HOWTO, chapter 13, but it is not obvious).
    So I did successfully join the domain, and now I get the following error
    on wbinfo -t:
    MYSERVER:~# wbinfo -t
    checking the trust secret via RPC calls failed
    error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
    Could not check secret

    This looks like a resolver issue. I have
    wins server = 10.212.254.254
    wins proxy = Yes
    name resolve order = lmhosts wins host bcast
    in smb.conf, and my lmhosts file says
    10.211.254.253 MYDOMAIN
    10.211.254.253 MYSERVER
    and in any case nmblookup succeeds:
    tls-srv-01:~# nmblookup -R -U 10.212.254.254 MYDOMAIN#1b
    querying MYDOMAIN on 10.212.254.254
    10.211.254.253 MYDOMAIN<1b>
    tls-srv-01:~# nmblookup -R -U 10.212.254.254 MYDOMAIN#1c
    querying MYDOMAIN on 10.212.254.254
    10.211.254.253 MYDOMAIN<1c>


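A worked check of the two failure modes in this thread, added here as an example and not code from the Samba project or from either poster. It parses a [global] section and an lmhosts file (both constructed below from the settings quoted above, with the names made consistent, since the thread's smb.conf says EVENTLAB/TLS-SRV-01 while its lmhosts says MYDOMAIN/MYSERVER) plus the two wbinfo -t outputs, and reports what a practitioner would act on: NT_STATUS_CANT_ACCESS_DOMAIN_INFO on an unjoined PDC maps to Jeremy's answer (join the PDC to its own domain, for instance with net rpc join); NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND triggers a check that lmhosts can resolve the <WORKGROUP>#1B/#1C names a DC lookup uses; and it flags the combination the later post edges toward, 'wins support = Yes' together with 'wins server', which Samba treats as mutually exclusive (nmbd refuses to start with both set). The '#hh' type-suffix handling follows lmhosts(5); the mapping of status codes to actions is this example's own assumption.

```python
"""Triage a failing 'wbinfo -t' on a Samba 3 PDC from smb.conf, lmhosts and the output.

Added example, not Samba code. Inputs are constructed from the thread; the
status-code -> action mapping is an assumption of this script.
"""
import re

# Constructed: the thread's [global] settings, names made consistent.
SMB_CONF = """\
[global]
    workgroup = EVENTLAB
    netbios name = TLS-SRV-01
    domain logons = Yes
    domain master = Yes
    wins support = Yes
    wins server = 10.212.254.254
    name resolve order = lmhosts wins host bcast
    # wins proxy = Yes
"""

# Constructed: lmhosts entries without a '#hh' suffix, as in the thread.
LMHOSTS = """\
10.211.254.253 EVENTLAB
10.211.254.253 TLS-SRV-01
"""

# The two outputs quoted in the thread, before and after the self-join.
WBINFO_BEFORE_JOIN = """\
checking the trust secret via RPC calls failed
error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
Could not check secret
"""
WBINFO_AFTER_JOIN = """\
checking the trust secret via RPC calls failed
error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
Could not check secret
"""

TRUE_VALUES = {"yes", "true", "1"}
STATUS_RE = re.compile(r"error code was (NT_STATUS_[A-Z0-9_]+)")


def parse_smb_conf(text):
    """Return {section: {parameter: value}}; '#'/';' only comment a whole line."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def parse_lmhosts(text):
    """Return {(NAME, type): ip}; a 'NAME#hh' suffix pins the NetBIOS type,
    an entry without one is stored under type None and matches every type."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ip, name = line.split()[:2]
        base, _, suffix = name.partition("#")
        entries[(base.upper(), int(suffix, 16) if suffix else None)] = ip
    return entries


def lmhosts_lookup(entries, name, ntype):
    """Resolve NAME<ntype>: an exact type match wins, else a suffix-less entry."""
    name = name.upper()
    return entries.get((name, ntype)) or entries.get((name, None))


def is_true(value):
    return value.strip().lower() in TRUE_VALUES


def diagnose(wbinfo_output, smb_conf_text, lmhosts_text):
    """Return a list of findings (strings) for a failing 'wbinfo -t'."""
    g = parse_smb_conf(smb_conf_text).get("global", {})
    match = STATUS_RE.search(wbinfo_output)
    status = match.group(1) if match else None
    workgroup = g.get("workgroup", "WORKGROUP").upper()
    is_pdc = is_true(g.get("domain logons", "no")) and is_true(g.get("domain master", "no"))
    findings = []

    if status == "NT_STATUS_CANT_ACCESS_DOMAIN_INFO" and is_pdc:
        findings.append("PDC has no machine trust account for itself: join it to its own "
                        "domain (net rpc join -S %s -U root) and restart winbindd"
                        % g.get("netbios name", "<pdc>"))

    if status == "NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND":
        # A DC is located through <WORKGROUP>#1B (domain master) and #1C
        # (domain controllers group); check lmhosts if the resolve order uses it.
        if "lmhosts" in g.get("name resolve order", "").split():
            entries = parse_lmhosts(lmhosts_text)
            for ntype in (0x1B, 0x1C):
                if not lmhosts_lookup(entries, workgroup, ntype):
                    findings.append("lmhosts cannot resolve %s<%02X>" % (workgroup, ntype))

    if is_true(g.get("wins support", "no")) and g.get("wins server"):
        findings.append("'wins support = Yes' and 'wins server' are mutually exclusive "
                        "(nmbd refuses to start with both); a PDC that is itself the "
                        "WINS server should drop 'wins server'")
    return findings


if __name__ == "__main__":
    for label, out in (("before join", WBINFO_BEFORE_JOIN), ("after join", WBINFO_AFTER_JOIN)):
        print(label, diagnose(out, SMB_CONF, LMHOSTS))
```

Run it as-is to see both stages; to triage a real box, replace the constructed strings with the contents of smb.conf, lmhosts and the actual wbinfo -t output. Pinning an lmhosts entry to the wrong type (e.g. EVENTLAB#20) makes the #1B/#1C lookups fail, which is the kind of resolver mistake the second error points at.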
