Re: [Samba] Re: Samba/LDAP/PDC Questions
Paul Gienger wrote:
| | 1. In what situation do I need People group as the group for
| | machines?
|
| In the case where you use:
| nss_base_passwd ou=Users,dc=ab,dc=com?one
|
| If you use:
| nss_base_passwd dc=ab,dc=com?sub
|
| Would people please stop suggesting this without explaining the
| ramifications?

When people stop giving the other reply (that it is impossible).

| If you do this, you are going to (theoretically)(1)
| severely harm the performance on your server.

Yes, for only the LDAP clients which are samba servers.

| Setting the nss library
| to do a search on the 'entire' directory every time it needs to look up
| user information is asinine to put it in a word.

That really depends on the structure of your LDAP server. And, you are
also ignoring the fact that nss_ldap will use a search filter for the
specific user - and doing a search for (&(objectclass=posixAccount)(uid=))
isn't going to be much slower for most small implementations. Then of
course, there's always nscd ... If you've tuned your LDAP server, it
should be getting most of the entries out of cache anyway.

| It's like doing this
| in DNS terms... rather than looking for a machine named
| 'something.else.com' in the dns servers for else.com you go ask .com who
| then goes in and asks else.com by proxy. Doing the first example (the
| one searching with ?one) you are restricting searches to a respectable
| scope, doing the second you are searching all OUs which may be numerous
| and deep (in our LDAP tree we have 10 OUs, two of which are at least 3
| levels deep).

If your OUs are so deep, you should be able to have a deeper search
filter. I suggested reducing the depth of the search by one level and
increasing the scope. If there was already a huge and complex DIT, that
still would not have made a big impact.

| You would be better served by defining ou=Computers and ou=People under
| something like ou=Accounts (which would give you DNs of
| ou=Computers,ou=Accounts,dc=ab,dc=com and
| ou=People,ou=Accounts,dc=ab,dc=com)

Sure, but the user *first* wanted to get something working ... he didn't
ask on the generic LDAP list how to structure his directory for efficient
searching (the samba list is the wrong place to ask these questions
anyway).

| and then set:
| nss_base_passwd ou=Accounts,dc=ab,dc=com?sub
|
| Note that I'm not saying that doing a sub search is necessarily bad,
| just when you are searching your entire ldap DIT, especially for
| something that happens as often as passwd lookups.

If your LDAP server is tuned and indexed well enough, queries that happen
so often should cost nothing.

| (1) I say theoretically because I've never tried it, it's a Bad Idea(C)
| from the word go. There are a lot of other things that I haven't tried
| that are bad ideas but I can safely say they are also dangerous, such as
| sticking forks in my eyes and jumping off cliffs.

Regards,
Buchan

--
Buchan Milne
Senior Support Technician
Obsidian Systems
http://www.obsidian.co.za
B.Eng RHCE (803004789010797)

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Re: Samba/LDAP/PDC Questions
| Subject: [Samba] Samba/LDAP/PDC Questions
| From: [EMAIL PROTECTED]
| Date: Mon, 19 Jul 2004 21:10:29 + (UTC)
| To: [EMAIL PROTECTED]
|
| Greetings!
|
| I created a Samba/OpenLDAP/smbldap-tools Primary Domain Controller. So far
| I am able to do the following:
| 1. Using USRMGR.EXE to administer users and groups.
| 2. Adding Windows 2000, XP workstations on the fly.
| 3. PDBEDIT/SMBLDAP-TOOLS/GQ all work as they are supposed to.
| 4. LDAP authenticates unix accounts.
|
| However, I am not able to do the following:
| 1. Cannot join an NT machine (SP6a) into the domain. It keeps
| saying that the Machine account is not available or not accessible even
| if I manually added the machine account using smbldap-useradd NT$.
| 2. Cannot use SRVMGR.EXE to add machines to the domain. It complains
| Access Denied, though I can do other things like change the permissions
| of a share etc.
| 3. Cannot join an existing domain after I configure it as a BDC
| with the PDC's SID. It complains Failed to setup BDC creds.
|
| It looks like the communication between samba and openldap is OK since I
| can manage users/groups with USRMGR.EXE. However, a few questions puzzle
| me:
| 1. In what situation do I need People group as the group for
| machines?

In the case where you use:
nss_base_passwd ou=Users,dc=ab,dc=com?one

If you use:
nss_base_passwd dc=ab,dc=com?sub

then you can have machine accounts anywhere you like under dc=ab,dc=com

Regards,
Buchan

--
Buchan Milne
Senior Support Technician
Obsidian Systems
http://www.obsidian.co.za
B.Eng RHCE (803004789010797)
Re: [Samba] Re: Samba/LDAP/PDC Questions
> 1. In what situation do I need People group as the group for
> machines?
>
> In the case where you use:
> nss_base_passwd ou=Users,dc=ab,dc=com?one
>
> If you use:
> nss_base_passwd dc=ab,dc=com?sub

Would people please stop suggesting this without explaining the
ramifications? If you do this, you are going to (theoretically)(1)
severely harm the performance on your server. Setting the nss library
to do a search on the 'entire' directory every time it needs to look up
user information is asinine to put it in a word. It's like doing this
in DNS terms... rather than looking for a machine named
'something.else.com' in the dns servers for else.com you go ask .com who
then goes in and asks else.com by proxy. Doing the first example (the
one searching with ?one) you are restricting searches to a respectable
scope, doing the second you are searching all OUs which may be numerous
and deep (in our LDAP tree we have 10 OUs, two of which are at least 3
levels deep).

You would be better served by defining ou=Computers and ou=People under
something like ou=Accounts (which would give you DNs of
ou=Computers,ou=Accounts,dc=ab,dc=com and
ou=People,ou=Accounts,dc=ab,dc=com) and then set:
nss_base_passwd ou=Accounts,dc=ab,dc=com?sub

Note that I'm not saying that doing a sub search is necessarily bad,
just when you are searching your entire ldap DIT, especially for
something that happens as often as passwd lookups.

(1) I say theoretically because I've never tried it, it's a Bad Idea(C)
from the word go. There are a lot of other things that I haven't tried
that are bad ideas but I can safely say they are also dangerous, such as
sticking forks in my eyes and jumping off cliffs.

--
Paul Gienger                     Office: 701-281-1884
Applied Engineering Inc.
Information Systems Consultant   Fax:    701-281-1322
URL: www.ae-solutions.com        mailto: [EMAIL PROTECTED]
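As an added illustration (not from Paul's or Buchan's mail) of what the ?one and ?sub suffixes decide in practice, the following Python resolves the three nss_base_passwd settings discussed above against a constructed set of DNs and shows which accounts a passwd lookup could find under each; the DN comparison is simplified (no escaped commas) and the fallback to sub when no scope is given is an assumption.

```python
"""Added example: which accounts an nss_ldap passwd lookup can see under
each nss_base_passwd setting.  Directive form: base?scope?filter, scope
one of base/one/sub.  DN handling is simplified (lower-case, whitespace
stripped, no escaped commas); defaulting to 'sub' is an assumption."""

def parse_nss_base(directive):
    """Split 'ou=Users,dc=ab,dc=com?one' into (base, scope, filter)."""
    parts = directive.split("?")
    base = parts[0]
    scope = parts[1] if len(parts) > 1 and parts[1] else "sub"
    flt = parts[2] if len(parts) > 2 else ""
    if scope not in ("base", "one", "sub"):
        raise ValueError("unknown scope %r" % scope)
    return base, scope, flt

def _rdns(dn):
    return [rdn.strip().lower() for rdn in dn.split(",")]

def in_scope(entry_dn, base, scope):
    """True if a search with this base and scope would return entry_dn."""
    e, b = _rdns(entry_dn), _rdns(base)
    if len(e) < len(b) or e[len(e) - len(b):] != b:
        return False              # entry is not under the base at all
    depth = len(e) - len(b)       # 0 = the base itself, 1 = direct child
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    return True                   # sub: the base and everything below it

# Constructed sample DIT: one user plus a machine account in each of the
# two OU layouts discussed (flat ou=Computers, and under ou=Accounts).
DIT = [
    "uid=kang,ou=Users,dc=ab,dc=com",
    "uid=pc1$,ou=Computers,dc=ab,dc=com",
    "uid=pc2$,ou=Computers,ou=Accounts,dc=ab,dc=com",
]

def visible_accounts(directive, dit=DIT):
    """Entries the given nss_base_passwd directive lets nss_ldap find."""
    base, scope, _ = parse_nss_base(directive)
    return [dn for dn in dit if in_scope(dn, base, scope)]

if __name__ == "__main__":
    for d in ("ou=Users,dc=ab,dc=com?one", "dc=ab,dc=com?sub",
              "ou=Accounts,dc=ab,dc=com?sub"):
        print("%-30s -> %s" % (d, visible_accounts(d)))
```

With ou=Users?one the machine accounts are simply not resolvable, which is the "User does not exist" symptom rather than a permissions problem; ou=Accounts?sub only helps once the machine accounts actually live under ou=Accounts.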
[Samba] Re: Samba/LDAP/PDC Questions
Thank you for the response!

> > 1. In what situation do I need People group as the group for
> > machines?
>
> Always. Until they fix the bug/design issue that is.

OK, I reconfigured smb.conf and smbldap_config.pm to Users for users,
Groups for groups, and People for computers.

> > 2. Should the PDC itself be in the ldap backend database?
>
> I haven't found a good reason that it 'has' to in my tests.

I did join the PDC to the domain using 'net rpc join -Uadministrator%secret'
according to John H. Terpstra's Samba-3 by Example. After joining, I do
see the PDC machine in the ldap backend database.

> > 3. In the /etc/ldap.conf, if I turn on the nss stuff, I cannot log in
> > to the domain anymore. It said User does not exist.
>
> Can you expand on this a bit more? From what you've said (which isn't
> much) it almost sounds like you didn't have ldap working as the posix
> auth system before you layered on samba.

My /etc/ldap.conf is as follows:

host 127.0.0.1
base dc=ab,dc=com
# nss_base_passwd ou=Users,dc=ab,dc=com?one
# nss_base_shadow ou=Users,dc=ab,dc=com?one
# nss_base_group  ou=Group,dc=ab,dc=com?one
ssl no
pam_password md5

What I was trying to say is that the three nss_base lines:
 o with or without them, I can do 'getent password' etc with all the
   posixAccounts
 o with them uncommented, I cannot log into a domain account from an XP
   machine, though the XP machine itself joined the domain on the fly.
   [* actually I cannot log in to a domain account from the XP no matter
   what after I reconfigure the PDC with People for computers *]

So I wonder what exactly these three lines do.

The PDC is on a Fedora 2 system. I ran authconfig to enable ldap
authentication. The pam.d is automatically configured. I am not sure it
is using the ldap_nss stuff at all.

Right now, I can join the XP machine into the domain but after reboot I
just cannot log into the domain Administrator account. The error from the
XP is: The system could not log you on. Make sure your user name and
domain are correct, then type your password again.

From the log.xp file, I see errors. Any suggestion?

--
Kang Sun

[2004/07/20 14:42:38, 0] rpc_server/srv_pipe.c:api_pipe_netsec_process(1397)
  failed to decode PDU
[2004/07/20 14:42:38, 0] rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
  process_request_pdu: failed to do schannel processing.
Re: [Samba] Re: Samba/LDAP/PDC Questions
[EMAIL PROTECTED] wrote:

> Thank you for the response!

And thank you for also posting in plaintext. That fonted stuff was tough
to read.

> > > 2. Should the PDC itself be in the ldap backend database?
> >
> > I haven't found a good reason that it 'has' to in my tests.
>
> I did join the PDC to the domain using 'net rpc join -Uadministrator%secret'
> according to John H. Terpstra's Samba-3 by Example. After joining, I do
> see the PDC machine in the ldap backend database.

Nothing wrong with that...

> > > 3. In the /etc/ldap.conf, if I turn on the nss stuff, I cannot log in
> > > to the domain anymore. It said User does not exist.
> >
> > Can you expand on this a bit more? From what you've said (which isn't
> > much) it almost sounds like you didn't have ldap working as the posix
> > auth system before you layered on samba.
>
> My /etc/ldap.conf is as follows:
>
> host 127.0.0.1
> base dc=ab,dc=com
> # nss_base_passwd ou=Users,dc=ab,dc=com?one
> # nss_base_shadow ou=Users,dc=ab,dc=com?one
> # nss_base_group  ou=Group,dc=ab,dc=com?one
> ssl no
> pam_password md5
>
> What I was trying to say is that the three nss_base lines:
>  o with or without them, I can do 'getent password' etc with all the
>    posixAccounts
>  o with them uncommented, I cannot log into a domain account from an XP
>    machine, though the XP machine itself joined the domain on the fly.
>    [* actually I cannot log in to a domain account from the XP no matter
>    what after I reconfigure the PDC with People for computers *]
>
> So I wonder what exactly these three lines do.
>
> The PDC is on a Fedora 2 system. I ran authconfig to enable ldap
> authentication. The pam.d is automatically configured. I am not sure it
> is using the ldap_nss stuff at all.

Ok, I believe on Fedora that ou=People is the default, so when you
uncomment these then you are changing the authentication system and nss
to look in Users instead of People. It is running on defaults entirely if
these are missing. If you are authenticating directly (ssh or ftp or
something) that should fail as well when you have those lines enabled.

> Right now, I can join the XP machine into the domain but after reboot I
> just cannot log into the domain Administrator account. The error from the
> XP is: The system could not log you on. Make sure your user name and
> domain are correct, then type your password again.

Can you log in with a regular user? Perhaps one that you know is
configured correctly? It sounds like your machine is added correctly or
the error you would get would say something to the effect of 'Cannot
find your machine account or the domain controller is unavailable.' I'm
sure I mangled that error, but that's the best I can remember right now.

> From the log.xp file, I see errors. Any suggestion?
>
> --
> Kang Sun
>
> [2004/07/20 14:42:38, 0] rpc_server/srv_pipe.c:api_pipe_netsec_process(1397)
>   failed to decode PDU
> [2004/07/20 14:42:38, 0] rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
>   process_request_pdu: failed to do schannel processing.

A lot of people have posted about schannel stuff, but I think I may have
glossed over the end of those threads. Anybody who actually read them
care to chime in here? :-/

--
Paul Gienger                     Office: 701-281-1884
Applied Engineering Inc.
Information Systems Consultant   Fax:    701-281-1322
URL: www.ae-solutions.com        mailto: [EMAIL PROTECTED]