Claudio,
Your problems may arise from the fact that you have set the "workgroup"
and "netbios name" to identical values.
[global]
workgroup = MEDIADC
netbios name = MEDIADC
See the last sentence of this link:
http://oreilly.com/catalog/samba/chapter/book/ch04_04.html
Dale
On 09/28/2010 4:06 AM, Claudio Prono wrote:
Ok, now the join to the domain works, but when I create a new user and
I try to log in to the Windows XP domain, Windows says to me "Unable
to access. A peripheral is not working". (Sorry for the poor translation,
but my Windows is in Italian.) In the Samba logs I read this:
[2010/09/28 10:07:45.795892, 2] smbd/reply.c:536(reply_special)
netbios connect: name1=MEDIADC 0x20 name2=TESTAFS 0x0
[2010/09/28 10:07:45.796139, 2] smbd/reply.c:547(reply_special)
netbios connect: local=mediadc remote=testafs, name type = 0
[2010/09/28 10:07:45.799185, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2010/09/28 10:07:45.801093, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2010/09/28 10:07:45.801767, 2] lib/smbldap.c:950(smbldap_open_connection)
smbldap_open_connection: connection opened
[2010/09/28 10:07:45.865629, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: AFS
[2010/09/28 10:07:45.872442, 2] auth/auth.c:304(check_ntlm_password)
check_ntlm_password: authentication for user [AFS] -> [AFS] -> [AFS]
succeeded
[2010/09/28 10:07:45.872630, 1] rpc_server/srv_pipe_hnd.c:1602(serverinfo_to_SamInfo_base)
_netr_LogonSamLogon: user MEDIADC\AFS has user sid
S-1-5-21-3218914170-3340994528-1537192846-3010
but group sid S-1-5-21-1949818787-1514111066-129980733-513.
The conflicting domain portions are not supported for NETLOGON calls
This is my testparm (currently):
[global]
workgroup = MEDIADC
netbios name = MEDIADC
map to guest = Bad User
passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
log level = 2
printcap name = cups
add user script = /usr/sbin/ldapsmb -a -u "%u" -smbacct --makehomedir --homedir /home/%u -f
delete user script = /usr/sbin/ldapsmb -d -u "%u" -f
add group script = /usr/sbin/ldapsmb -a -g "%g" -f
delete group script = /usr/sbin/ldapsmb -d -g "%g" -f
add user to group script = /usr/sbin/ldapsmb -j -u "%u" -g "%g" -f
delete user from group script = /usr/sbin/ldapsmb -r -u "%u" -g "%g" -f
add machine script = "/usr/sbin/ldapsmb -a -wks %u -f"
logon path = \\%L\profiles\.msprofile
logon drive = P:
logon home = \\%L\%U\.9xprofile
domain logons = Yes
os level = 99
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
ldap group suffix = ou=group
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Machines
ldap passwd sync = yes
ldap suffix = dc=mediaservice-test,dc=pri
ldap ssl = no
ldap user suffix = ou=people
usershare allow guests = Yes
idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
cups options = raw
[homes]
comment = Home Directories
valid users = %S, %D%w%S
read only = No
inherit acls = Yes
browseable = No
[profiles]
comment = Network Profiles Service
path = %H
read only = No
create mask = 0600
directory mask = 0700
store dos attributes = Yes
[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/
[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
create mask = 0600
printable = Yes
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin, root
force group = ntadmin
create mask = 0664
directory mask = 0775
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
write list = root
How can I debug what is wrong?
Any suggestions?
Cordially,
Claudio Prono.
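Two quick checks for the symptoms discussed in this thread, written as an added example (not Samba's own code and not posted by anyone in the thread): the first parses the _netr_LogonSamLogon message from the log above and reports whether the user SID and the group SID carry different domain portions, which is the condition Samba rejects with "The conflicting domain portions are not supported for NETLOGON calls"; the second reads an smb.conf [global] section and flags the case Dale points at, workgroup and netbios name set to the same value. The log excerpt and the [global] fragment embedded below are constructed from the text of the thread; function names are my own.

```python
"""Added example: sanity checks for two symptoms from the Samba list thread.

1. find_sid_conflict(): parse the _netr_LogonSamLogon message and compare the
   domain portions of the user SID and the group SID.
2. netbios_name_equals_workgroup(): flag workgroup == netbios name in [global].

All sample input is constructed from the thread; this is not Samba code.
"""
import configparser
import re
from typing import Optional

# Constructed from the log excerpt posted in the thread.
SAMPLE_LOG = """[2010/09/28 10:07:45.872630, 1] rpc_server/srv_pipe_hnd.c:1602(serverinfo_to_SamInfo_base)
_netr_LogonSamLogon: user MEDIADC\\AFS has user sid
S-1-5-21-3218914170-3340994528-1537192846-3010
but group sid S-1-5-21-1949818787-1514111066-129980733-513.
The conflicting domain portions are not supported for NETLOGON calls
"""

# Constructed [global] fragment with the two values Dale points at.
SAMPLE_CONF = """[global]
workgroup = MEDIADC
netbios name = MEDIADC
passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
"""

_SID = r"S-1-\d+(?:-\d+)+"
_LOGON_RE = re.compile(
    r"_netr_LogonSamLogon: user (?P<user>\S+) has user sid\s+(?P<usid>" + _SID + r")"
    r"\s+but group sid\s+(?P<gsid>" + _SID + r")"
)


def sid_domain(sid: str) -> str:
    """Domain portion of a SID: everything except the final RID.
    S-1-5-21-A-B-C-3010 -> S-1-5-21-A-B-C"""
    if not re.fullmatch(_SID, sid):
        raise ValueError(f"not a SID: {sid!r}")
    return sid.rsplit("-", 1)[0]


def sid_rid(sid: str) -> int:
    """Relative identifier (last component) of a SID; 513 is Domain Users."""
    return int(sid.rsplit("-", 1)[1])


def find_sid_conflict(log_text: str) -> Optional[dict]:
    """Return the user/group SID pair from the NETLOGON message, or None if the
    message is absent. 'conflict' is True when the two SIDs come from
    different domains, the condition the log line complains about."""
    m = _LOGON_RE.search(log_text)
    if m is None:
        return None
    usid, gsid = m.group("usid"), m.group("gsid")
    return {
        "user": m.group("user"),
        "user_sid": usid,
        "group_sid": gsid,
        "user_domain": sid_domain(usid),
        "group_domain": sid_domain(gsid),
        "group_rid": sid_rid(gsid),
        "conflict": sid_domain(usid) != sid_domain(gsid),
    }


def netbios_name_equals_workgroup(conf_text: str) -> bool:
    """True when [global] sets workgroup and netbios name to the same value
    (compared case-insensitively, as NetBIOS names are)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(conf_text)
    g = cp["global"]
    wg = g.get("workgroup", "").strip().upper()
    nb = g.get("netbios name", "").strip().upper()
    return bool(wg) and wg == nb


if __name__ == "__main__":
    info = find_sid_conflict(SAMPLE_LOG)
    if info and info["conflict"]:
        print(f"{info['user']}: user SID domain {info['user_domain']} != "
              f"group SID domain {info['group_domain']} (group RID {info['group_rid']})")
    if netbios_name_equals_workgroup(SAMPLE_CONF):
        print("workgroup and netbios name are identical")
```

Run it against the real log (log level 1 is enough for this message) and the output of testparm -s; a group SID whose domain portion differs from the user SID's, as in the excerpt, means the group in LDAP belongs to a SAM domain other than the one the server is handing out for the user.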
Gaiseric Vandal wrote:
Wait, you are using Samba with an OpenLDAP backend.
Why are you using useradd??? With this backend you need smbldap instead,
like this:
passdb backend = ldapsam:ldap://your ldap server
ldap passwd sync = yes
ldap delete dn = Yes
ldap admin dn = cn=root,dc=domain,dc=com,dc=br
ldap suffix = dc=domain,dc=com,dc=br
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap idmap suffix = sambaDomainName=DOMAIN
idmap backend = ldap:ldap://ldap server
idmap alloc backend = ldap:ldap://ldap server
idmap uid = 1000-20000
idmap gid = 1000-20000
idmap alloc config:range = 1000-20000
ldap timeout = 15
ldap connection timeout = 2
ldap page size = 1024
# add/remove users
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
# add/remove Groups
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
# add/remove user in groups
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
# define primary group of user
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
# add machines in domain
add machine script = /usr/sbin/smbldap-useradd -i -w "%u"
regards
On Mon, Sep 27, 2010 at 12:15 PM, Gaiseric Vandal <[email protected]> wrote:
Your user script may be adding a LOCAL unix account (in /etc/passwd.) Do
you see the accounts in there? You may need a custom script that adds the
accounts to ldap.
The following may help
https://gna.org/projects/smbldap-tools/
Remember that being root on your unix system does not automatically make
you LDAP admin.
If you have a single server then having your unix may be OK- samba will
match the samba user to the unix user via the user id. I have multiple
servers so I use LDAP for unix accounts (previously used NIS.) So now an
LDAP user has both windows and unix account info.
On 09/27/2010 11:08 AM, Claudio Prono wrote:
Gaiseric Vandal wrote:
Do you have an underlying unix account for the pc (eg SOMEMACHINE$)?
It is possible to configure scripts so that the unix account is created
by samba if necessary when samba creates the "Windows" account for the
machine. I don't have it set up this way, so I need to create the
unix account 1st.
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
This script automatically adds the machine if needed, or am I wrong?
Also, I found that since the underlying unix OS may need to validate the
machine account, I put my machine accounts in either the same ldap ou
as people (or in a sub ou.) ("getent passwd" command may need to show
your machine accounts as well as people accounts.)
If you have manually created the unix account for the machine, can you
then manually create the samba account for it
e.g. smbpasswd -m -a SOMEMACHINE
(I think you leave the $ off.)
I use LDAP for both "unix" and "windows" clients so my config choices
may not be applicable to a windows-only client environment.
On 09/27/2010 09:59 AM, Claudio Prono wrote:
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba