John,

I finally decided to go for it and kick off our NT-PDC (UB-SERVER). I want to transfer our domain (UB) to Samba 3.0.1 with OpenLDAP (2.1.23-1) as backend on Debian Woody (this machine's netbios-name in my test environment is UB-KIOSK).

I read all documentation I could get a hold on and followed these
procedures you suggested, but I am stuck...

>   * From: John H Terpstra
>   * Subject: Re: [Samba] Creation of Domain- and PDC-SID in samba
>   * Date: Sun, 28 Dec 2003 15:28:33 -0800

1. You must configure LDAP correctly to start off, have a clean Samba
install (never started - ie: no tdb files and no secrets.tdb file).

Done.


2. You must edit smbldap_conf.pm and smb.conf correctly, then do:
        smbpasswd -w 'LDAP_admin_password'
Note: Have "domain master = No"

Done (see att. smb.conf)

# /usr/local/sbin/smbldap-populate
Using builtin directory structure
adding new entry: dc=ub,dc=unibas,dc=ch
adding new entry: ou=Domain Users,dc=ub,dc=unibas,dc=ch
adding new entry: ou=Groups,dc=ub,dc=unibas,dc=ch
adding new entry: ou=Computers,dc=ub,dc=unibas,dc=ch
adding new entry: uid=Administrator,ou=Domain Users,dc=ub,dc=unibas,dc=ch
adding new entry: uid=nobody,ou=Domain Users,dc=ub,dc=unibas,dc=ch
adding new entry: cn=Domain Admins,ou=Groups,dc=ub,dc=unibas,dc=ch
adding new entry: cn=Domain Users,ou=Groups,dc=ub,dc=unibas,dc=ch
adding new entry: cn=Domain Guests,ou=Groups,dc=ub,dc=unibas,dc=ch
adding new entry: cn=Print Operators,ou=Groups,dc=ub,dc=unibas,dc=ch
adding new entry: cn=Backup Operators,ou=Groups,dc=ub,dc=unibas,dc=ch
adding new entry: cn=Replicator,ou=Groups,dc=ub,dc=unibas,dc=ch
adding new entry: cn=Domain Computers,ou=Groups,dc=ub,dc=unibas,dc=ch


3. You must do:
        net rpc getsid -S 'NT4server_name' -W 'Domain' -UAdministrator%'password'

Done:

# net rpc getsid -S UB-SERVER -U Administrator
Storing SID S-1-5-21-98201057-1281969052-1085559986 for Domain UB in secrets.tdb

This same SID I also stored in the step before to smbldap_conf.pm. Now, does this belong to the domain or to the NT-PDC, or even to the future smb-ldap_PDC?? Guess I'm a little bit confused...

Now this is where the trouble starts:

4. You should then join the domain as a BDC:
        net rpc join -S 'NT4server_name' -UAdministrator%'password'

# net rpc join -S UB-SERVER -UAdministrator
Password:
[2004/01/29 12:20:50, 0] utils/net_rpc_join.c:net_rpc_join_newstyle(326)
  Error domain join verification (reused connection): NT_STATUS_ACCESS_DENIED
Please make sure that no computer account named like this machine (UB-KIOSK) exists in the domain
Unable to join domain UB.


I can remove this machine's name from the PDC in the Server-Manager as often as I want, this bloody message keeps displaying every time I try to join the domain...

Of course your next steps consequently will not work:


5. Start Samba

6. Suck off the accounts:
        net rpc vampire -S 'NT4server_name' -UAdministrator%'password'

# net rpc vampire -S UB-SERVER -UAdministrator
Could not retrieve domain trust secret


This is my smb.conf:


[global]
        workgroup = UB
        server string = %h server (Samba %v)
        map to guest = Bad User
        passdb backend = ldapsam:ldap://127.0.0.1/
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 1000
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        add user script = /usr/local/sbin/smbldap-useradd -m "%u"
        add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
        add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
        add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = No
        wins server = 131.152.1.78
        ldap suffix = dc=ub,dc=unibas,dc=ch
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=Domain Users
        ldap group suffix = ou=Groups
        ldap admin dn = cn=manager,dc=ub,dc=unibas,dc=ch
        ldap passwd sync = Yes
        ldap delete dn = Yes
        panic action = /usr/share/samba/panic-action %d
        invalid users = root

[homes]
        comment = Home Directory for %U
        read only = No
        create mask = 0700
        directory mask = 0700
        browseable = No

[netlogon]
        path = /home/netlogon/
        write list = admin
        force user = admin

[profiles]
        path = /home/profiles
        valid users = %U, 'Domain Admins'
        force user = %U
        read only = No
        create mask = 0600
        directory mask = 0700
        guest ok = Yes
        profile acls = Yes
        browseable = No
        csc policy = disable

[printers]
        comment = All Printers
        path = /tmp
        create mask = 0700
        printable = Yes
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/printer

I guess this does not help you, but I did want to clear the air that
Vampire is not that big a monster - at all.

Hopefully I will overcome this beast or whatsoever... ;-)


Thanks, Cheers

Paul




--
Paul Coray
Administrator Server und Netzwerk

Oeffentliche Bibliothek der Universitaet Basel
EDV-Abteilung
Schoenbeinstrasse 18-20
CH-4056 Basel

Tel: +41 61 267 05 13
Fax: +41 61 267 31 03

mailto:[EMAIL PROTECTED]
http://www.ub.unibas.ch
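On the SID question in the mail above: in Samba 3 the value that `net rpc getsid` writes to secrets.tdb is the SID of the domain UB itself (fetched from the NT4 PDC), and a Samba/LDAP PDC taking over that domain has to carry the identical value in three places: secrets.tdb, `$SID` in smbldap_conf.pm, and the `sambaSID` attribute of the sambaDomain object that smbldap-populate creates; every user, group and machine account SID in LDAP is then that domain SID with a RID appended. The script below is an added example, not part of the mail or of Samba or smbldap-tools: it cross-checks those three sources for the same domain SID and checks that an account SID belongs to that domain. The inputs are constructed stand-ins built from the SID and domain name quoted in the mail plus an assumed Administrator entry with the conventional RID 500; the function names are my own, and on a real host you would feed it the real `net rpc getsid` output, the real smbldap_conf.pm line and an ldapsearch LDIF dump of the sambaDomain entry.

```shell
#!/bin/sh
# Added example (not from the mail, Samba or smbldap-tools): verify that a
# Samba 3 + LDAP PDC sees one and the same domain SID everywhere.
# The three inputs are constructed stand-ins for the real sources:
# output of `net rpc getsid`, the $SID line of smbldap_conf.pm, and an
# ldapsearch LDIF dump of the sambaDomain object.
NET_GETSID_OUTPUT='Storing SID S-1-5-21-98201057-1281969052-1085559986 for Domain UB in secrets.tdb'
SMBLDAP_CONF_LINE='$SID="S-1-5-21-98201057-1281969052-1085559986";'
SAMBADOMAIN_LDIF='dn: sambaDomainName=UB,dc=ub,dc=unibas,dc=ch
objectClass: sambaDomain
sambaDomainName: UB
sambaSID: S-1-5-21-98201057-1281969052-1085559986
sambaAlgorithmicRidBase: 1000'
# Constructed account SID: Administrator conventionally carries RID 500.
ADMIN_USER_SID='S-1-5-21-98201057-1281969052-1085559986-500'

# Print the first domain-style SID (S-1-5-21-a-b-c) found on stdin, if any.
extract_domain_sid() {
  sed -n 's/.*\(S-1-5-21-[0-9][0-9]*-[0-9][0-9]*-[0-9][0-9]*\).*/\1/p' | head -n 1
}

# Strip the trailing RID from an account SID to get its domain SID.
domain_of_account_sid() {
  printf '%s\n' "$1" | sed 's/-[0-9][0-9]*$//'
}

# Return 0 only when all three sources agree on one non-empty domain SID.
check_sid_consistency() {
  net_sid=$(printf '%s\n' "$1" | extract_domain_sid)
  conf_sid=$(printf '%s\n' "$2" | extract_domain_sid)
  ldap_sid=$(printf '%s\n' "$3" | extract_domain_sid)
  [ -n "$net_sid" ] && [ "$net_sid" = "$conf_sid" ] && [ "$net_sid" = "$ldap_sid" ]
}

# Return 0 when an account SID is a RID under the given domain SID.
account_in_domain() {
  [ "$(domain_of_account_sid "$1")" = "$2" ]
}

# Stand-alone run: report the result for the constructed inputs.
if check_sid_consistency "$NET_GETSID_OUTPUT" "$SMBLDAP_CONF_LINE" "$SAMBADOMAIN_LDIF"; then
  domain_sid=$(printf '%s\n' "$NET_GETSID_OUTPUT" | extract_domain_sid)
  echo "domain SID consistent across secrets.tdb, smbldap_conf.pm and LDAP: $domain_sid"
  if account_in_domain "$ADMIN_USER_SID" "$domain_sid"; then
    echo "account $ADMIN_USER_SID belongs to this domain"
  else
    echo "account $ADMIN_USER_SID does NOT belong to this domain" >&2
  fi
else
  echo "domain SID MISMATCH between secrets.tdb, smbldap_conf.pm and LDAP" >&2
fi
```

A mismatch between any of the three is worth catching before `net rpc vampire` is attempted, because the migrated accounts are written to LDAP with SIDs derived from the domain SID the tools believe in, and accounts under a foreign domain SID will not resolve against the domain the workstations are joined to.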

