Hi all
For several days I've been doing tests for our upcoming migration from an NT domain to Samba PDC with ldapsam. We have ~200 clients, mostly NT4 and some Win2k. We want all of our users to eventually switch from Windows to KDE on Linux with thin clients through NX :-)
I managed to net rpc vampire all user and machine accounts into LDAP, but then I realized some problems:
- The migrated machine accounts have no samba attributes. I can reproduce this behavior by adding a machine account with smbldap-useradd -w [machinename], just as in the 'add machine script' line in smb.conf suggested by Idealx. The machine account machinename$ will exist then, but without the sambaSAMAccount object class nor any other samba attribute. Only after adding these by hand and joining the machine to my samba domain can users log in. I also tried smbldap-useradd with multiple options, -w for workstation account and -a for samba attributes, but no luck. I wish I didn't have to add 200 machines to an already existing domain after the migration...
- Users, once logged in to Linux, cannot change their password with smbldap-passwd. They get 'user [username] doesn't exist.' Well, I'm talking about a logged in user...
This is how Samba, OpenLDAP and the Idealx-Tools are configured:
# egrep -v '^$|^#' smb.conf
[global]
netbios name = SARGE-TS
workgroup = UB
security = User
server string = %h server (Samba %v)
wins support = yes
preferred master = yes
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
encrypt passwords = true
domain logons = yes
domain master = yes
logon drive = H:
logon home = \\%L\%U
ldap passwd sync = Yes
os level = 65
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=manager,dc=ub,dc=unibas,dc=ch
ldap suffix = dc=ub,dc=unibas,dc=ch
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
short preserve case = yes
case sensitive = no
map to guest = Bad User
guest account = nobody
invalid users = root
ldap password sync = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
[homes]
comment = Home Directory for %U
browseable = no
writable = yes
create mask = 0700
directory mask = 0700
[netlogon]
path = /export/home/samba/netlogon/
# browseable = No
# locking = No
read only = yes
[profiles]
path = /export/home/samba/profiles
read only = no
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = yes
csc policy = disable
force user = %U
valid users = %U "Domain Admins"
# egrep -v '^$|^#' slapd.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/solaris-nis.schema
include /etc/ldap/schema/solaris.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/phpgwaccount.schema
include /etc/ldap/schema/phpgwcontact.schema
modulepath /usr/lib/ldap
moduleload back_ldbm
backend ldbm
schemacheck on
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
password-hash {MD5}
replogfile /var/lib/ldap/replog
loglevel 256
database ldbm
suffix "dc=ub,dc=unibas,dc=ch"
rootdn "cn=manager,dc=ub,dc=unibas,dc=ch"
rootpw {MD5}XXXXXXXXXXXXXXXXXXXXXX==
directory "/var/lib/ldap/ub"
lastmod on
cachesize 40000
dbcachesize 60000000
index cn,sn,uid,displayName pres,sub,eq
index uidNumber,gidNumber eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass eq
index default sub
index phpgwContactOwner pres,eq,sub
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by self write
by anonymous auth
by * none
access to *
by dn="cn=manager,dc=ub,dc=unibas,dc=ch" write
by dn="cn=nss,dc=ub,dc=unibas,dc=ch" read
by * auth
# egrep -v '^$|^#' smbldap_bind.conf
slaveDN="cn=manager,dc=ub,dc=unibas,dc=ch"
slavePw="XXXXXXX"
masterDN="cn=manager,dc=ub,dc=unibas,dc=ch"
masterPw="XXXXXX"
# egrep -v '^$|^#' smbldap.conf
SID="S-1-5-21-98201057-1281969052-1085559986"
slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"
ldapTLS="0"
suffix="dc=ub,dc=unibas,dc=ch"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
scope="sub"
hash_encrypt="MD5"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userGecos="UB Domain User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
userSmbHome="\\sarge-ts\%U"
userProfile="\\sarge-ts\%U\winprofile"
userHomeDrive="H:"
mailDomain="unibas.ch"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

Thanks for any suggestions!
Paul
-- Paul Coray Administrator Server und Netzwerk
Oeffentliche Bibliothek der Universitaet Basel EDV-Abteilung Schoenbeinstrasse 18-20 CH-4056 Basel
Tel: +41 61 267 05 13 Fax: +41 61 267 31 03
mailto:[EMAIL PROTECTED] http://www.ub.unibas.ch
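The first problem described in the post (machine accounts that exist as plain posixAccount entries but carry no samba attributes) is easy to audit from an LDIF dump of the directory. The following script is an added example, not part of the original post or of smbldap-tools: it finds machine entries under ou=Computers that lack sambaSamAccount and emits the LDIF modify records that add the attributes smbldap-useradd -w should have created. It assumes the domain SID and OUs from the post's smbldap.conf, the legacy algorithmic RID mapping 2*uidNumber+1000 that smbldap-useradd uses (verify this matches your sambaUnixIdPool before applying), and "Domain Computers" (RID 515, the post's defaultComputerGid) as primary group.

```python
# Added example (not from the original post): audit an LDIF dump for
# machine accounts lacking sambaSamAccount and emit the fixing LDIF.
# Assumptions: SID/OUs from the post's smbldap.conf, RID = 2*uidNumber+1000.
DOMAIN_SID = "S-1-5-21-98201057-1281969052-1085559986"
COMPUTERS_DN = "ou=Computers,dc=ub,dc=unibas,dc=ch"
DOMAIN_COMPUTERS_RID = 515

# Constructed sample: ws01$ is the problem case, ws02$ is already fine.
SAMPLE_LDIF = """\
dn: uid=ws01$,ou=Computers,dc=ub,dc=unibas,dc=ch
objectClass: posixAccount
uid: ws01$
uidNumber: 1001
gidNumber: 515

dn: uid=ws02$,ou=Computers,dc=ub,dc=unibas,dc=ch
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws02$
uidNumber: 1002
gidNumber: 515
"""

def parse_ldif(text):
    """Minimal LDIF reader (no base64 values, no line folding)."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip(), []).append(value.strip())
    return entries + ([cur] if cur else [])

def machines_without_samba(entries):
    """Entries under ou=Computers named host$ that lack sambaSamAccount."""
    return [e for e in entries
            if e.get("dn", [""])[0].lower().endswith(COMPUTERS_DN.lower())
            and e.get("uid", [""])[0].endswith("$")
            and "sambasamaccount" not in {c.lower() for c in e.get("objectClass", [])}]

def fix_ldif(entry):
    """LDIF modify record adding the samba attributes for one machine account."""
    rid = 2 * int(entry["uidNumber"][0]) + 1000   # assumed smbldap algorithmic RID
    return (f"dn: {entry['dn'][0]}\nchangetype: modify\n"
            "add: objectClass\nobjectClass: sambaSamAccount\n-\n"
            f"add: sambaSID\nsambaSID: {DOMAIN_SID}-{rid}\n-\n"
            f"add: sambaPrimaryGroupSID\nsambaPrimaryGroupSID: {DOMAIN_SID}-{DOMAIN_COMPUTERS_RID}\n-\n"
            "add: sambaAcctFlags\nsambaAcctFlags: [W          ]\n")
```

Run the output through ldapmodify as the ldap admin dn after checking that no sambaSID it generates collides with an existing one.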
