Hi all
For several days I've been doing tests for our upcoming migration from an NT domain to a Samba PDC with ldapsam. We have ~200 clients, mostly NT4 and some Win2k. We want all of our users to eventually switch from Windows to KDE on Linux with thin clients through NX :-)
I managed to net rpc vampire all user and machine accounts into LDAP, but then I realized some problems:
- The migrated machine accounts have no Samba attributes. I can reproduce this behaviour by adding a machine account with smbldap-useradd -w [machinename], just as the 'add machine script' line in smb.conf suggested by Idealx does. The machine account machinename$ then exists, but without the sambaSamAccount object class or any other Samba attribute. Only after adding these by hand and joining the machine to my Samba domain can users log in. I also tried smbldap-useradd with multiple options, -w for a workstation account and -a for Samba attributes, but no luck. I wish I didn't have to add 200 machines to an already existing domain after the migration...
- Users, once logged in to Linux, cannot change their password with smbldap-passwd. They get 'user [username] doesn't exist.' Well, I'm talking about a logged-in user...
This is how Samba, OpenLDAP and the Idealx tools are configured:
# egrep -v '^$|^#' smb.conf
[global]
        netbios name = SARGE-TS
        workgroup = UB
        security = User
        server string = %h server (Samba %v)
        wins support = yes
        preferred master = yes
        log file = /var/log/samba/log.%m
        max log size = 1000
        syslog = 0
        encrypt passwords = true
        domain logons = yes
        domain master = yes
        logon drive = H:
        logon home = \\%L\%U
        ldap passwd sync = Yes
        os level = 65
        passdb backend = ldapsam:ldap://127.0.0.1/
        ldap admin dn = cn=manager,dc=ub,dc=unibas,dc=ch
        ldap suffix = dc=ub,dc=unibas,dc=ch
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        ldap delete dn = Yes
        add machine script = /usr/sbin/smbldap-useradd -w "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
        short preserve case = yes
        case sensitive = no
        map to guest = Bad User
        guest account = nobody
        invalid users = root
        ldap password sync = yes
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

[homes]
        comment = Home Directory for %U
        browseable = no
        writable = yes
        create mask = 0700
        directory mask = 0700

[netlogon]
        path = /export/home/samba/netlogon/
        # browseable = No
        # locking = No
        read only = yes

[profiles]
        path = /export/home/samba/profiles
        read only = no
        create mask = 0600
        directory mask = 0700
        browseable = No
        guest ok = Yes
        profile acls = yes
        csc policy = disable
        force user = %U
        valid users = %U "Domain Admins"
# egrep -v '^$|^#' slapd.conf
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/solaris-nis.schema
include         /etc/ldap/schema/solaris.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/misc.schema
include         /etc/ldap/schema/samba.schema
include         /etc/ldap/schema/phpgwaccount.schema
include         /etc/ldap/schema/phpgwcontact.schema
modulepath      /usr/lib/ldap
moduleload      back_ldbm
backend         ldbm
schemacheck     on
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
password-hash   {MD5}
replogfile      /var/lib/ldap/replog
loglevel        256
database        ldbm
suffix          "dc=ub,dc=unibas,dc=ch"
rootdn          "cn=manager,dc=ub,dc=unibas,dc=ch"
rootpw          {MD5}XXXXXXXXXXXXXXXXXXXXXX==
directory       "/var/lib/ldap/ub"
lastmod         on
cachesize       40000
dbcachesize     60000000
index           cn,sn,uid,displayName   pres,sub,eq
index           uidNumber,gidNumber     eq
index           sambaSID                eq
index           sambaPrimaryGroupSID    eq
index           sambaDomainName         eq
index           objectClass             eq
index           default                 sub
index           phpgwContactOwner       pres,eq,sub
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
        by * none
access to *
        by dn="cn=manager,dc=ub,dc=unibas,dc=ch" write
        by dn="cn=nss,dc=ub,dc=unibas,dc=ch" read
        by * auth
# egrep -v '^$|^#' smbldap_bind.conf
slaveDN="cn=manager,dc=ub,dc=unibas,dc=ch"
slavePw="XXXXXXX"
masterDN="cn=manager,dc=ub,dc=unibas,dc=ch"
masterPw="XXXXXX"
# egrep -v '^$|^#' smbldap.conf
SID="S-1-5-21-98201057-1281969052-1085559986"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
suffix="dc=ub,dc=unibas,dc=ch"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
scope="sub"
hash_encrypt="MD5"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userGecos="UB Domain User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
userSmbHome="\\sarge-ts\%U"
userProfile="\\sarge-ts\%U\winprofile"
userHomeDrive="H:"
mailDomain="unibas.ch"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
Thanks for any suggestions! Paul
--
Paul Coray
Administrator Server und Netzwerk
Oeffentliche Bibliothek der Universitaet Basel
EDV-Abteilung
Schoenbeinstrasse 18-20
CH-4056 Basel
Tel: +41 61 267 05 13
Fax: +41 61 267 31 03
mailto:[EMAIL PROTECTED]
http://www.ub.unibas.ch

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
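The first problem in the post (vampired or smbldap-useradd -w created machine accounts without the sambaSamAccount object class) can be audited and repaired in bulk instead of editing 200 entries by hand. The script below is an added example, not the poster's code and not part of smbldap-tools or Samba: it parses an LDIF dump of the computers container, reports every machine account (uid ending in $) that lacks sambaSamAccount or its sambaSID, sambaPrimaryGroupSID and sambaAcctFlags attributes, and emits an LDIF modify record that adds them. Assumptions: the sample LDIF and the domain SID S-1-5-21-1-2-3 are constructed (substitute the SID from smbldap.conf); the RID formula 2*uidNumber+1000 and the Domain Computers RID 515 follow smbldap-tools' default algorithmic mapping; sambaNTPassword is deliberately not written, because the machine trust password only exists once the workstation has joined (or the migration carried it over), so the repaired entry is a valid but not yet trusted workstation account.

```python
"""Audit/repair LDAP machine accounts missing Samba attributes. Added example, not
the poster's code nor part of smbldap-tools. Assumed: the domain SID and sample
entries below are constructed; RID = 2*uidNumber+1000 and Domain Computers RID 515
follow smbldap-tools' default algorithmic mapping."""
import base64
import re
from typing import Dict, List, Tuple

REQUIRED_OBJECTCLASS = "sambaSamAccount"
REQUIRED_ATTRS = ("sambaSID", "sambaPrimaryGroupSID", "sambaAcctFlags")
DOMAIN_COMPUTERS_RID = 515
WORKSTATION_FLAGS = "[W          ]"  # 'W' = workstation trust account
DOMAIN_SID = "S-1-5-21-1-2-3"  # constructed; use the SID from smbldap.conf
Entry = Dict[str, List[str]]
ATTR_RE = re.compile(r"^([A-Za-z][\w.;-]*):(:?) ?(.*)$")

def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: unfolds continuations, decodes '::' base64, lower-cases names."""
    unfolded: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], {}
    for line in unfolded + [""]:  # sentinel flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        m = ATTR_RE.match(line)
        if line.startswith("#") or not m:
            continue
        name, is_b64, value = m.group(1).lower(), m.group(2) == ":", m.group(3)
        if is_b64:
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(name, []).append(value)
    return entries

def is_machine_account(entry: Entry) -> bool:
    """smbldap-useradd -w stores machine accounts with a trailing '$' in uid."""
    return any(u.endswith("$") for u in entry.get("uid", []))

def audit_machine_accounts(entries: List[Entry]) -> List[Tuple[Entry, List[str]]]:
    """Return (entry, missing) for every machine account ldapsam cannot use."""
    problems = []
    for e in entries:
        if not is_machine_account(e):
            continue
        classes = {c.lower() for c in e.get("objectclass", [])}
        missing = ["objectClass"] if REQUIRED_OBJECTCLASS.lower() not in classes else []
        missing += [a for a in REQUIRED_ATTRS if a.lower() not in e]
        if missing:
            problems.append((e, missing))
    return problems

def machine_sid(domain_sid: str, uid_number: int) -> str:
    """smbldap-tools' algorithmic RID mapping: rid = 2 * uidNumber + 1000."""
    return f"{domain_sid}-{2 * uid_number + 1000}"

def repair_ldif(entries: List[Entry], domain_sid: str) -> str:
    """Emit 'changetype: modify' records adding the missing Samba attributes.
    sambaNTPassword is deliberately not set: the machine trust password only
    exists once the workstation joins (or the migration carried it over)."""
    records = []
    for entry, missing in audit_machine_accounts(entries):
        values = {
            "objectClass": REQUIRED_OBJECTCLASS,
            "sambaSID": machine_sid(domain_sid, int(entry["uidnumber"][0])),
            "sambaPrimaryGroupSID": f"{domain_sid}-{DOMAIN_COMPUTERS_RID}",
            "sambaAcctFlags": WORKSTATION_FLAGS,
        }
        rec = [f"dn: {entry['dn'][0]}", "changetype: modify"]
        for attr in missing:
            rec += [f"add: {attr}", f"{attr}: {values[attr]}", "-"]
        records.append("\n".join(rec))
    return "\n\n".join(records) + ("\n" if records else "")

# Constructed sample: one complete machine account, one bare one, one user.
SAMPLE_LDIF = """\
dn: uid=ws01$,ou=Computers,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws01$
uidNumber: 1001
sambaSID: S-1-5-21-1-2-3-3002
sambaPrimaryGroupSID: S-1-5-21-1-2-3-515
sambaAcctFlags: [W          ]

dn: uid=ws02$,ou=Computers,dc=example,dc=org
objectClass: posixAccount
uid: ws02$
uidNumber: 1002
description:: Q29uc3RydWN0ZWQgc2FtcGxl

dn: uid=alice,ou=Users,dc=example,dc=org
uid: alice
"""
```

Run it against a dump such as `ldapsearch -x -LLL -b ou=Computers,dc=ub,dc=unibas,dc=ch` (calling `parse_ldif` on the file contents and `repair_ldif` with the real domain SID), apply the output with `ldapmodify -x -D cn=manager,dc=ub,dc=unibas,dc=ch -W -f repair.ldif`, and confirm with `pdbedit -L` that the workstation accounts now appear. The sample input contains ws01$ (already complete, so it is left alone), ws02$ (missing everything, so a four-attribute modify is produced) and a plain user, which the audit skips.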