I would try disabling the machine account scripts and manually creating the unix-level account for the domain trust with whatever tools you use for LDAP accounts. That should help rule out the script simply not running correctly.

When you join local Windows machines to the domain, are they added correctly? Is the underlying unix account for the machine created?

You could also probably run the script from the command line:

    /var/lib/samba/sbin/smbldap-useradd.pl -w thedomainname
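One way to act on the check above (is the unix-level account for the machine present in LDAP, and does it carry the Samba attributes?), as an added example that is not part of this thread. It reads one LDIF entry on stdin; the ldapsearch invocation in the comment (reusing the ou=Computers suffix and base DN from the posted smb.conf) and the two sample entries are assumptions/constructed data.

```shell
#!/bin/sh
# Added example, not from the thread: verify that an smbldap machine account
# exists in LDAP with what Samba needs. Feed it the entry on stdin, e.g.
# (assumed invocation, base DN from the posted smb.conf):
#   ldapsearch -x -ZZ -LLL -b 'ou=Computers,dc=oem,dc=doe,dc=gov' '(uid=ECN$)' \
#     | check_machine_account 'ECN$'
# LDIF continuation lines and base64 (::) values are not handled.

# helper: does any line of $LDIF match the case-insensitive ERE in $1?
_ldif_has() { printf '%s\n' "$LDIF" | grep -Eqi -- "$1"; }

# check_machine_account ACCOUNT  (LDIF on stdin); returns 0 if complete
check_machine_account() {
    acct=$1
    LDIF=$(cat)
    missing=""
    printf '%s\n' "$LDIF" | grep -qixF -- "uid: $acct" || missing="$missing uid"
    _ldif_has '^objectClass: posixAccount$'    || missing="$missing posixAccount"    # unix side
    _ldif_has '^objectClass: sambaSamAccount$' || missing="$missing sambaSamAccount" # samba side
    _ldif_has '^uidNumber: [0-9]+$'            || missing="$missing uidNumber"
    _ldif_has '^gidNumber: [0-9]+$'            || missing="$missing gidNumber"
    # [W] = workstation trust account, [I] = interdomain trust; a plain [U] user will not do
    _ldif_has '^sambaAcctFlags: \[[^]]*[WI]'   || missing="$missing sambaAcctFlags(W|I)"
    if [ -n "$missing" ]; then
        echo "$acct: incomplete, missing:$missing"
        return 1
    fi
    echo "$acct: machine account complete"
}

# Constructed sample entries (not real directory data; SID is a placeholder).
GOOD_LDIF='dn: uid=ECN$,ou=Computers,dc=oem,dc=doe,dc=gov
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
cn: ECN$
uid: ECN$
uidNumber: 1005
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
sambaSID: S-1-5-21-0-0-0-3010
sambaAcctFlags: [W          ]'

# Unix-level account only (posixAccount), as a generic LDAP tool would create it:
# Samba cannot use it until the sambaSamAccount attributes are added.
PARTIAL_LDIF='dn: uid=ECN$,ou=Computers,dc=oem,dc=doe,dc=gov
objectClass: top
objectClass: account
objectClass: posixAccount
cn: ECN$
uid: ECN$
uidNumber: 1005
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false'

# Stand-alone demo run
printf '%s\n' "$GOOD_LDIF"    | check_machine_account 'ECN$'
printf '%s\n' "$PARTIAL_LDIF" | check_machine_account 'ECN$' || true
```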



On 10/11/2010 01:43 PM, Douglas Phillipson wrote:
Oops, I should be using a machine arg; tried:
/var/lib/samba/sbin/smbldap-useradd.pl -w -c "Domain Trust" ECN$

Still get error:

failed to add entry:  at /var/lib/samba/sbin//smbldap_tools.pm line 497, <DATA> line 283.

Doug P

On 10/11/2010 10:29 AM, Douglas Phillipson wrote:
When trying to add the machine account with smb-ldap, I use the syntax:
/var/lib/samba/sbin/smbldap-useradd.pl -a -B 1 -c "Domain Trust" ECN$

I get the following error when adding the machine account:

failed to add entry:  at /var/lib/samba/sbin//smbldap_tools.pm line 497, <DATA> line 283.

Thanks
Doug P

On 10/11/2010 09:53 AM, Douglas Phillipson wrote:
I'm trying to establish a two-way, non-transitive trust between a W2003 A/D box and our SAMBA domain.

We are using smbldap so we can log in on any of the linux boxes with the same passwd.
Samba is version 3.0.33 on Redhat Enterprise.

It's easy to create the trust on the Windows side with AD Domains and Trusts but on the Linux side I'm not sure if I need to put the machine account locally in smb passwd or use the smbldap passwd on the LDAP server. Has anyone done this before?

For the sake of example:

My windows A/D domain is WECN
My Linux Domain is LECN

I've tried several times, putting the machine account both in the local file and in the LDAP passwd file, but it just doesn't work. I've got the Samba 3 HowTo book and tried lots of googled suggestions but still can't seem to make this work. Any suggestions are appreciated. Is there an easier way to do this? My end result is to map a share on the SAMBA server from a WinXP client computer that's in a W2003 domain without having to put in a Linux username/password.

Thanks for your time and suggestions!
Doug P

My smb.conf [global]
--------------------------------------------------------------------------------------------------------------------------------------------------
[global]
        dos charset = CP850
        unix charset = UTF-8
        display charset = LOCALE
        workgroup = LECN
        realm =
        netbios name = RSL-PDC1
        netbios aliases =
        netbios scope =
        server string = Primary RSL Samba Server
        interfaces =
        bind interfaces only = No
        security = USER
        auth methods =
        encrypt passwords = Yes
        update encrypted = No
        client schannel = Auto
        server schannel = Auto
        allow trusted domains = Yes


        map to guest = Never
        null passwords = No

        obey pam restrictions = Yes
        password server = *
        smb passwd file = /etc/samba/smbpasswd
        private dir = /etc/samba
        passdb backend = ldapsam:"ldap://127.0.0.1";
        algorithmic rid base = 1000
        root directory =
        guest account = smbguest

        passwd chat debug = No
        passwd program = /usr/sbin/smbldap-passwd -u %u
        passwd chat = "Changing UNIX password for*\nNew password*" %n\n "*Retype new password*" %n\n"
        passwd chat timeout = 2
        check password script = /usr/sbin/crackcheck -c -d /usr/lib/cracklib_dict
        username map =
        password level = 0
        username level = 0
        unix password sync = Yes
        ntlm auth = Yes
        restrict anonymous = Yes
        lanman auth = No
        ;ntlm auth = No
        client NTLMv2 auth = Yes
        client lanman auth = No
        client plaintext auth = No
        preload modules =
        use kerberos keytab = No

        log level = 3 vfs:1
        syslog = 0
        syslog only = No
        log file = /var/log/samba/%m.log
        max log size = 500000
        debug timestamp = Yes
        debug hires timestamp = No
        debug pid = No
        debug uid = No
        smb ports = 139
        large readwrite = Yes
        max protocol = NT1
        min protocol = CORE
        read bmpx = No
        read raw = Yes
        write raw = Yes
        disable netbios = No
        acl compatibility =
        defer sharing violations = Yes
        nt pipe support = Yes
        nt status support = Yes
        announce version = 4.9
        announce as = NT
        max mux = 50
        max xmit = 65535
        name resolve order = wins hosts bcast
        max ttl = 259200
        max wins ttl = 518400
        min wins ttl = 21600
        time server = Yes
        unix extensions = Yes
        use spnego = Yes
        client signing = auto
        server signing = No
        client use spnego = Yes
        ;change notify timeout = 60
        deadtime = 15
        getwd cache = Yes
        keepalive = 300
        kernel change notify = Yes
        lpq cache time = 30
        max smbd processes = 0
        paranoid server security = Yes
        max disk size = 0
        max open files = 10000
        socket options = TCP_NODELAY SO_KEEPALIVE IPTOS_LOWDELAY
        use mmap = Yes
        hostname lookups = No
        name cache timeout = 660
        load printers = Yes
        printcap cache time = 0
        printcap name = cups
        cups server =
        disable spoolss = No
        enumports command =
        addprinter command =
        deleteprinter command =
        show add printer wizard = Yes
        os2 driver map =
        mangling method = hash2
        mangle prefix = 1
        stat cache = Yes
        machine password timeout = 604800
        add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'
        delete user script = /var/lib/samba/sbin/smbldap-userdel.pl '%u'
        add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'
        delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl -p '%g'
        add user to group script = /var/lib/samba/sbin/smbldap-groupmod.pl -m '%u' '%g'
        delete user from group script = /var/lib/samba/sbin/smbldap-groupmod.pl -x '%u' '%g'
        set primary group script = /var/lib/samba/sbin/smbldap-groupmod.pl -g '%u' '%g'
        add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'
        shutdown script =
        abort shutdown script =
        logon script = logon.bat
        logon path = \\%L\Profiles\%U
        logon drive = H:
        logon home = \\%L\%U
        domain logons = Yes
        os level = 65
        lm announce = Auto
        lm interval = 60
        preferred master = Yes
        local master = Yes
        domain master = No
        browse list = Yes
        enhanced browsing = Yes
        dns proxy = No
        wins proxy = No
        wins server = 172.30.10.107
        wins support = No
        wins hook =
        ;wins partners =
        kernel oplocks = Yes
        ;lock spin count = 3
        lock spin time = 10
        oplock break wait time = 0
        ldap admin dn = cn=Manager,dc=oem,dc=doe,dc=gov
        ldap delete dn = No
        ;ldap filter = (uid=%u)
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=Computers
        ldap passwd sync = yes
        ldap replication sleep = 1000
        ldap suffix = dc=oem,dc=doe,dc=gov
        ldap ssl = start tls
        ldap timeout = 15
        ldap user suffix = ou=People
        add share command =
        change share command =
        delete share command =
        config file =
        preload =
        lock directory = /var/cache/samba
        pid directory = /var/run
        utmp directory =
        wtmp directory =
        utmp = Yes
        default service =
        message command =
        dfree command =
        get quota command =
        set quota command =
        remote announce =
        remote browse sync =
        socket address = 0.0.0.0
        homedir map = auto.home
        afs username map =
        time offset = 0
        NIS homedir = No
        panic action =
        host msdfs = No
        #enable rid algorithm = Yes
        idmap backend = ldap://127.0.0.1
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        template homedir = /home/%D/%U
        template shell = /bin/false
        #winbind separator = \
        winbind cache time = 300
        ;winbind enable local accounts = No
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = No
        winbind trusted domains only = No
        winbind nested groups = No
        comment =
        path =
        username =
        invalid users = bin daemon adm sync shutdown halt mail news uucp operator gopher nobody smbguest
        valid users =
        admin users = root
        read list =
        write list =
        ;printer admin =
        force user =
        force group =
        read only = Yes
        create mask = 0744
        force create mode = 00
        security mask = 0777
        force security mode = 00
        directory mask = 0755
        force directory mode = 00
        directory security mask = 0777
        force directory security mode = 00
        force unknown acl user = No
        inherit permissions = No
        inherit acls = No
        guest only = No
        guest ok = No
        #only user = No
        hosts allow = 127.0.0.0/8, 172.30.0.0/16, 172.25.0.0/16, 172.20.0.0/16
        hosts deny = 172.30.20.0/24, 172.20.20.0/24
        ea support = No
        nt acl support = Yes
        profile acls = No
        map acl inherit = Yes
        afs share = No
        block size = 1024
        max connections = 0
        min print space = 0
        strict allocate = No
        strict sync = No
        sync always = No
        use sendfile = No
        max reported print jobs = 0
        max print jobs = 1000
        printable = No
        printing = cups
        cups options =
        print command =
        lpq command =
        lprm command =
        lppause command =
        lpresume command =
        queuepause command =
        queueresume command =
        printer name =
        use client driver = No
        default devmode = No
        force printername = No
        default case = lower
        case sensitive = Auto
        preserve case = Yes
        short preserve case = Yes
        mangling char = ~
        hide dot files = Yes
        hide special files = No
        hide unreadable = No
        hide unwriteable files = No
        delete veto files = No
        veto files =
        hide files =
        veto oplock files =
        map system = No
        map hidden = No
        map archive = Yes
        mangled names = Yes
        #mangled map =
        store dos attributes = No
        browseable = Yes
        blocking locks = Yes
        csc policy = manual
        fake oplocks = No
        locking = Yes
        oplocks = Yes
        level2 oplocks = Yes
        oplock contention limit = 2
        posix locking = Yes
        strict locking = No
        share modes = Yes
        #copy =
        #include =
        preexec =
        preexec close = No
        available = Yes
        volume =
        fstype = NTFS
        set directory = No
        wide links = Yes
        follow symlinks = Yes
        dont descend =
        magic script =
        magic output =
        delete readonly = No
        dos filemode = No
        dos filetimes = No
        dos filetime resolution = No
        fake directory create times = No
        vfs objects =
