Ok thanks, I have resolved it... now the samba+ldap part as domain controller works like a charm!
Thank you to all.

Claudio.

Dale Schroeder wrote:
> Claudio,
>
> Your problems may arise from the fact that you have set the
> "workgroup" and "netbios name" to identical values.
>
> [global]
>         workgroup = MEDIADC
>         netbios name = MEDIADC
>
> See the last sentence of this link:
>
> http://oreilly.com/catalog/samba/chapter/book/ch04_04.html
>
> Dale
>
> On 09/28/2010 4:06 AM, Claudio Prono wrote:
>> Ok, now the join to the domain works, but when I create a new user, and
>> I try to login to the Windows XP domain, the windows says to me "Unable
>> to access. A peripheral is not working". (sorry for the poor translation,
>> but my windows is in italian). Into the samba logs I read this:
>>
>> [2010/09/28 10:07:45.795892, 2] smbd/reply.c:536(reply_special)
>>   netbios connect: name1=MEDIADC 0x20 name2=TESTAFS 0x0
>> [2010/09/28 10:07:45.796139, 2] smbd/reply.c:547(reply_special)
>>   netbios connect: local=mediadc remote=testafs, name type = 0
>> [2010/09/28 10:07:45.799185, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
>>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>> [2010/09/28 10:07:45.801093, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
>>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
>> [2010/09/28 10:07:45.801767, 2] lib/smbldap.c:950(smbldap_open_connection)
>>   smbldap_open_connection: connection opened
>> [2010/09/28 10:07:45.865629, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
>>   init_sam_from_ldap: Entry found for user: AFS
>> [2010/09/28 10:07:45.872442, 2] auth/auth.c:304(check_ntlm_password)
>>   check_ntlm_password: authentication for user [AFS] -> [AFS] -> [AFS] succeeded
>> [2010/09/28 10:07:45.872630, 1] rpc_server/srv_pipe_hnd.c:1602(serverinfo_to_SamInfo_base)
>>   _netr_LogonSamLogon: user MEDIADC\AFS has user sid S-1-5-21-3218914170-3340994528-1537192846-3010
>>   but group sid S-1-5-21-1949818787-1514111066-129980733-513.
>>   The conflicting domain portions are not supported for NETLOGON calls
>>
>> This is my testparm (actually):
>>
>> [global]
>>         workgroup = MEDIADC
>>         netbios name = MEDIADC
>>         map to guest = Bad User
>>         passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
>>         log level = 2
>>         printcap name = cups
>>         add user script = /usr/sbin/ldapsmb -a -u "%u" -smbacct --makehomedir --homedir /home/%u -f
>>         delete user script = /usr/sbin/ldapsmb -d -u "%u" -f
>>         add group script = /usr/sbin/ldapsmb -a -g "%g" -f
>>         delete group script = /usr/sbin/ldapsmb -d -g "%g" -f
>>         add user to group script = /usr/sbin/ldapsmb -j -u "%u" -g "%g" -f
>>         delete user from group script = /usr/sbin/ldapsmb -r -u "%u" -g "%g" -f
>>         add machine script = "/usr/sbin/ldapsmb -a -wks %u -f"
>>         logon path = \\%L\profiles\.msprofile
>>         logon drive = P:
>>         logon home = \\%L\%U\.9xprofile
>>         domain logons = Yes
>>         os level = 99
>>         preferred master = Yes
>>         domain master = Yes
>>         wins support = Yes
>>         ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
>>         ldap group suffix = ou=group
>>         ldap idmap suffix = ou=Idmap
>>         ldap machine suffix = ou=Machines
>>         ldap passwd sync = yes
>>         ldap suffix = dc=mediaservice-test,dc=pri
>>         ldap ssl = no
>>         ldap user suffix = ou=people
>>         usershare allow guests = Yes
>>         idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
>>         cups options = raw
>>
>> [homes]
>>         comment = Home Directories
>>         valid users = %S, %D%w%S
>>         read only = No
>>         inherit acls = Yes
>>         browseable = No
>>
>> [profiles]
>>         comment = Network Profiles Service
>>         path = %H
>>         read only = No
>>         create mask = 0600
>>         directory mask = 0700
>>         store dos attributes = Yes
>>
>> [users]
>>         comment = All users
>>         path = /home
>>         read only = No
>>         inherit acls = Yes
>>         veto files = /aquota.user/groups/shares/
>>
>> [groups]
>>         comment = All groups
>>         path = /home/groups
>>         read only = No
>>         inherit acls = Yes
>>
>> [printers]
>>         comment = All Printers
>>         path = /var/tmp
>>         create mask = 0600
>>         printable = Yes
>>         browseable = No
>>
>> [print$]
>>         comment = Printer Drivers
>>         path = /var/lib/samba/drivers
>>         write list = @ntadmin, root
>>         force group = ntadmin
>>         create mask = 0664
>>         directory mask = 0775
>>
>> [netlogon]
>>         comment = Network Logon Service
>>         path = /var/lib/samba/netlogon
>>         write list = root
>>
>> How can I debug what is wrong?
>>
>> Any suggestion?
>>
>> Cordially,
>>
>> Claudio Prono.
>>
>> Gaiseric Vandal wrote:
>>> Wait, you are using samba with openldap backend.
>>>
>>> Why are you using useradd ??? with this backend you need smbldap
>>> instead.
>>> like this:
>>>
>>> passdb backend = ldapsam:ldap://your ldap server
>>> ldap passwd sync = yes
>>> ldap delete dn = Yes
>>> ldap admin dn = cn=root,dc=domain,dc=com,dc=br
>>> ldap suffix = dc=domain,dc=com,dc=br
>>> ldap machine suffix = ou=Computers
>>> ldap user suffix = ou=Users
>>> ldap group suffix = ou=Groups
>>> ldap idmap suffix = sambaDomainName=DOMAIN
>>> idmap backend = ldap:ldap://ldap server
>>> idmap alloc backend = ldap:ldap://ldap server
>>> idmap uid = 1000-20000
>>> idmap gid = 1000-20000
>>> idmap alloc config:range = 1000-20000
>>> ldap timeout = 15
>>> ldap connection timeout = 2
>>> ldap page size = 1024
>>>
>>> # add/remove users
>>> add user script = /usr/sbin/smbldap-useradd -m "%u"
>>> delete user script = /usr/sbin/smbldap-userdel "%u"
>>> # add/remove Groups
>>> add group script = /usr/sbin/smbldap-groupadd -p "%g"
>>> delete group script = /usr/sbin/smbldap-groupdel "%g"
>>> # add/remove user in groups
>>> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>>> delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>>> # define primary group of user
>>> set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>>> # add machines in domain
>>> add machine script = /usr/sbin/smbldap-useradd -i -w "%u"
>>>
>>> regards
>>>
>>> On Mon, Sep 27, 2010 at 12:15 PM, Gaiseric Vandal
>>> <[email protected]> wrote:
>>>> Your user script may be adding a LOCAL unix account (in
>>>> /etc/passwd.) Do you see the accounts in there? You may need a
>>>> custom script that adds the accounts to ldap.
>>>>
>>>> The following may help
>>>>
>>>> https://gna.org/projects/smbldap-tools/
>>>>
>>>> Remember, that being root on your unix system does not automatically
>>>> make you LDAP admin.
>>>>
>>>> If you have a single server then having your unix may be OK- samba
>>>> will match the samba user to the unix user via the user id. I have
>>>> multiple servers so I use LDAP for unix accounts (previously used NIS.)
>>>> So now an LDAP user has both windows and unix account info.
>>>>
>>>> On 09/27/2010 11:08 AM, Claudio Prono wrote:
>>>>> Gaiseric Vandal wrote:
>>>>>
>>>>>> Do you have an underlying unix account for the pc (eg SOMEMACHINE$)
>>>>>>
>>>>>> It is possible to configure scripts that the unix account is
>>>>>> created by samba if necessary when samba creates the "Windows"
>>>>>> account for the machine. I don't have it set up this way, so I
>>>>>> need to create the unix account 1st.
>>>>>>
>>>>> add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
>>>>>
>>>>> This script automatically adds the machine if needed, or am I wrong?
>>>>>
>>>>>> Also, I found that since the underlying unix OS may need to
>>>>>> validate the machine account, I put my machine accounts in either
>>>>>> the same ldap ou as people (or in a sub ou.) ("getent passwd"
>>>>>> command may need to show your machine accounts as well as people
>>>>>> accounts.)
>>>>>>
>>>>>> If you have manually created the unix account for the machine, can
>>>>>> you then manually create the samba account for it
>>>>>>
>>>>>> e.g. smbpasswd -m -a SOMEMACHINE
>>>>>>
>>>>>> (I think you leave the $ off .)
>>>>>>
>>>>>> I use LDAP for both "unix" and "windows" clients so my config
>>>>>> choices may not be applicable to a windows-only client environment.
>>>>>>
>>>>>> On 09/27/2010 09:59 AM, Claudio Prono wrote:

-- 
Claudio Prono, OPST                 System Developer
@PSS Srl                            Gsm: +39-349-54.33.258
Via San Bernardino, 17              Tel: +39-011-32.72.100
10141 Torino - ITALY                Fax: +39-011-32.46.497
http://atpss.net/disclaimer
PGP Key - http://keys.atpss.net/c_prono.asc
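An added diagnostic, not part of the thread or of Samba itself, that checks the two things the thread turns on: whether `workgroup` and `netbios name` in the `[global]` section of smb.conf are identical, and whether the user SID and group SID reported in an `_netr_LogonSamLogon` log line have different domain portions (everything before the trailing RID). The smb.conf fragment and log line below are constructed samples shaped like the ones quoted above; the ldap server name is a placeholder.

```python
import re

# Constructed sample smb.conf [global] section (placeholder LDAP host).
SMB_CONF_GLOBAL = """
[global]
    workgroup = MEDIADC
    netbios name = MEDIADC
    passdb backend = ldapsam:ldap://ldap.example.test
"""

# Constructed smbd log line in the shape of the one quoted in the thread.
LOG_LINE = ("_netr_LogonSamLogon: user MEDIADC\\AFS has user sid "
            "S-1-5-21-3218914170-3340994528-1537192846-3010 "
            "but group sid S-1-5-21-1949818787-1514111066-129980733-513.")

# Domain SIDs: S-1-5-21-<a>-<b>-<c>-<RID>
SID_RE = re.compile(r"S-1-5-21(?:-\d+){3}-\d+")


def global_params(conf):
    """Return the key/value pairs of the [global] section, keys lowercased."""
    params, in_global = {}, False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_global = line.lower() == "[global]"
            continue
        if in_global and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip().lower()] = value.strip()
    return params


def workgroup_equals_netbios(conf):
    """True when both values are set and equal (NetBIOS names are case-insensitive)."""
    p = global_params(conf)
    wg, nb = p.get("workgroup"), p.get("netbios name")
    return bool(wg and nb) and wg.lower() == nb.lower()


def sid_domain(sid):
    """Strip the trailing RID: S-1-5-21-a-b-c-RID -> S-1-5-21-a-b-c."""
    return sid.rsplit("-", 1)[0]


def conflicting_sid_domains(log_line):
    """Return (user_domain, group_domain) when the first two SIDs in the
    line come from different domains, otherwise None."""
    sids = SID_RE.findall(log_line)
    if len(sids) < 2:
        return None
    user_dom, group_dom = sid_domain(sids[0]), sid_domain(sids[1])
    return (user_dom, group_dom) if user_dom != group_dom else None
```

Run `conflicting_sid_domains` over the lines of a level-1 smbd log to flag every logon that will be refused for this reason, and `workgroup_equals_netbios` over `testparm -s` output to catch the configuration Dale points at.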
