Hello, I have problems with a samba3 + ldap PDC. In particular I can't join more than 2 workstations to the domain. I think the problem is in generating the UID part of the SID (the final part): the first computer that joined the domain has SID S-1-5-21-3642312925-2943760701-1776766777-3000, the second always has SID S-1-5-21-3642312925-2943760701-1776766777-2052, and after that no workstation succeeds in joining the domain. Samba correctly adds a POSIX account to the LDAP directory, but does not complete it with the sambaSamAccount attributes.

My configuration is samba 3.0.2, openldap2-2.1.22, smbldap-tools-0.8.3 on SuSE 9.0. My final scenario is 1 master LDAP server and 10 slave LDAP servers, each with a Samba PDC for a different domain.

The configuration files follow.

/etc/ldap.conf

    # Your LDAP server. Must be resolvable without using LDAP.
    host 127.0.0.1

    # The distinguished name of the search base.
    base ou=People,dc=xxx,dc=it

    # The LDAP version to use (defaults to 3
    # if supported by client library)
    ldap_version 3

    # The distinguished name to bind to the server with.
    # Optional: default is to bind anonymously.
    #binddn cn=Manager,dc=example,dc=it

    # The credentials to bind with.
    # Optional: default is no credential.
    #bindpw secret

    # The distinguished name to bind to the server with
    # if the effective user ID is root. Password is
    # stored in /etc/ldap.secret (mode 600)
    #rootbinddn cn=Manager,dc=example,dc=it

    pam_password crypt

    # OpenLDAP SSL mechanism
    # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
    ssl no

    nss_base_passwd dc=xxx,dc=it
    nss_base_shadow dc=xxx,dc=it
    nss_base_group  dc=xxx,dc=it
    #ssl on

smb.conf

    # Global parameters
    [global]
            workgroup = DEPARTMENT1
            netbios name = SERVER-DEPARTMENT1
            security = user
            passdb backend = ldapsam:ldap://localhost
            log level = 2
            time server = Yes
            socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY
            printcap name = CUPS
            add user script = /usr/local/sbin/smbldap-useradd -a %u
            add machine script = /usr/local/sbin/smbldap-useradd -w %u
            logon script = logon.bat
            logon path = \\%L\homes\.windows_profile
            logon drive = Y:
            os level = 65
            preferred master = Yes
            domain master = Yes
            wins support = Yes
            ldap suffix = dc=xxx,dc=it
            ldap machine suffix = ou=depart1,ou=Computers
            ldap user suffix = ou=depart1,ou=People
            ldap group suffix = ou=depart1,ou=Groups
            ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
            ldap admin dn = "cn=Manager,dc=uaf,dc=it"
            ldap ssl = no
            printing = cups
            veto files = /*.eml/*.nws/riched20.dll/*.{*}/

    [netlogon]
            path = /home/netlogon
            browseable = No

    [profiles]
            path = /home/samba-ntprof
            read only = No
            create mask = 0600
            directory mask = 0700
            browseable = No

    [homes]
            comment = Home Directories
            valid users = %S
            read only = No
            create mask = 0640
            directory mask = 0750
            browseable = No

/etc/openldap/slap.conf

    # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.23.2.8 2003/05/24 23:19:14 kurt Exp $
    #
    # See slapd.conf(5) for details on configuration options.
    # This file should NOT be world readable.
    #
    include         /etc/openldap/schema/core.schema
    include         /etc/openldap/schema/cosine.schema
    include         /etc/openldap/schema/inetorgperson.schema
    include         /etc/openldap/schema/nis.schema
    include         /etc/openldap/schema/samba.schema

    # Define global ACLs to disable default read access.

    pidfile         /var/run/slapd/slapd.pid
    argsfile        /var/run/slapd/slapd.args

    #######################################################################
    # ldbm database definitions
    #######################################################################

    database        ldbm
    suffix          "dc=xxx,dc=it"
    rootdn          "cn=Manager,dc=uaf,dc=it"
    # Cleartext passwords, especially for the rootdn, should
    # be avoided. See slappasswd(8) and slapd.conf(5) for details.
    # Use of strong authentication encouraged.
    rootpw          secret
    # The database directory MUST exist prior to running slapd AND
    # should only be accessible by the slapd and slap tools.
    # Mode 700 recommended.
    directory       /var/lib/ldap
    # Indices to maintain
    index   objectClass             eq
    index   cn                      pres,sub,eq
    index   sn                      pres,sub,eq
    index   uid                     pres,sub,eq
    index   displayName             pres,sub,eq
    index   uidNumber               eq
    index   gidNumber               eq
    index   memberUid               eq
    index   sambaSID                eq
    index   sambaPrimaryGroupSID    eq
    index   sambaDomainName         eq
    index   default                 sub

/etc/smbtools/smbtools.conf

    # $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
    # $Id: smbldap.conf,v 1.2 2004/01/14 22:24:44 jtournier Exp $
    #
    # smbldap-tools.conf : Q & D configuration file for smbldap-tools

    # This code was developed by IDEALX (http://IDEALX.org/) and
    # contributors (their names can be found in the CONTRIBUTORS file).
    #
    # Copyright (C) 2001-2002 IDEALX
    #
    # This program is free software; you can redistribute it and/or
    # modify it under the terms of the GNU General Public License
    # as published by the Free Software Foundation; either version 2
    # of the License, or (at your option) any later version.
    #
    # This program is distributed in the hope that it will be useful,
    # but WITHOUT ANY WARRANTY; without even the implied warranty of
    # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
    # GNU General Public License for more details.
    #
    # You should have received a copy of the GNU General Public License
    # along with this program; if not, write to the Free Software
    # Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
    # USA.

    # Purpose :
    #       . be the configuration file for all smbldap-tools scripts

    ##############################################################################
    #
    # General Configuration
    #
    ##############################################################################

    # UID and GID starting at...
    UID_START="1000"
    GID_START="1000"

    # Put your own SID
    # to obtain this number do: net getlocalsid
    SID="S-1-5-21-3642312925-2943760701-1776766777"

    ##############################################################################
    #
    # LDAP Configuration
    #
    ##############################################################################

    # Notes: to use to dual ldap servers backend for Samba, you must patch
    # Samba with the dual-head patch from IDEALX. If not using this patch
    # just use the same server for slaveLDAP and masterLDAP.
    # Those two servers declarations can also be used when you have
    # . one master LDAP server where all writing operations must be done
    # . one slave LDAP server where all reading operations must be done
    #   (typically a replication directory)

    # Ex: $slaveLDAP=127.0.0.1
    slaveLDAP="127.0.0.1"
    slavePort="389"

    # Master LDAP : needed for write operations
    # Ex: $masterLDAP=127.0.0.1
    masterLDAP="127.0.0.1"
    masterPort="389"

    # Use TLS for LDAP
    # If set to 1, this option will use start_tls for connection
    # (you should also use the port 389)
    ldapTLS="0"

    # LDAP Suffix
    # Ex: $suffix=dc=xxx,dc=ORG
    suffix="dc=xxx,dc=it"

    # Where are stored Users
    # Ex: $usersdn=ou=Users,$suffix for ou=Users,dc=xxx,dc=ORG
    usersdn="ou=depart1,ou=People,dc=xxx,dc=it"

    # Where are stored Computers
    # Ex: $computersdn=ou=itputers,$suffix for ou=itputers,dc=xxx,dc=ORG
    computersdn="ou=depart1,ou=Computer,dc=xxx,dc=it"

    # Where are stored Groups
    # Ex $groupsdn=ou=Groups,$suffix for ou=Groups,dc=xxx,dc=ORG
    groupsdn="ou=depart1,ou=Groups,dc=xxx,dc=it"

    # Default scope Used
    scope="sub"

    # Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
    hash_encrypt="CRYPT"

    ##############################################################################
    #
    # Unix Accounts Configuration
    #
    ##############################################################################

    # Login defs
    # Default Login Shell
    # Ex: $userLoginShell=q(/bin/bash)
    userLoginShell="/bin/bash"

    # Home directory prefix (without username)
    # Ex: $userHomePrefix=q(/home/)
    userHomePrefix="/home/"

    # Gecos
    userGecos="System User"

    # Default User (POSIX and Samba) GID
    defaultUserGid="513"

    # Default Computer (Samba) GID
    defaultComputerGid="553"

    # Skel dir
    skeletonDir="/etc/skel"

    # Default password validation time (time in days) Comment the next line if
    # you don't want password to be enabled for $defaultMaxPasswordAge days (be
    # careful to the sambaPwdMustChange attribute's value)
    defaultMaxPasswordAge="55"

    ##############################################################################
    #
    # SAMBA Configuration
    #
    ##############################################################################

    # The UNC path to home drives location without the username last extension
    # (will be dynamically prepended)
    # Ex: \\My-PDC-netbios-name\homes
    # Just set it to a null string if you want to use the smb.conf 'logon home'
    # directive and/or disabling roaming profiles
    userSmbHome="\\PDC-SMB3\homes"

    # The UNC path to profiles locations without the username last extension
    # (will be dynamically prepended)
    # Ex: \\My-PDC-netbios-name\profiles\
    # Just set it to a null string if you want to use the smb.conf 'logon path'
    # directive and/or disabling roaming profiles
    userProfile=""

    # The default Home Drive Letter mapping
    # (will be automatically mapped at logon time if home directory exist)
    # Ex: q(U:) for U:
    userHomeDrive="Y:"

    # The default user netlogon script name
    # if not used, will be automatically username.cmd
    # $userScript=startup.cmd
    # make sure script file is edited under dos

    ##############################################################################
    #
    # SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
    #
    ##############################################################################

    # Allows not to use smbpasswd (if $with_smbpasswd == 0 in smbldap_conf.pm) but
    # prefer mkntpwd... most of the time, it's a wise choice :-)
    with_smbpasswd="0"
    smbpasswd="/usr/bin/smbpasswd"
    mk_ntpasswd="/usr/local/sbin/mkntpwd"

    # those next external commands are kept for the migration scripts and
    # for the populate script: this will be updated as soon as possible
    slaveURI="ldap://$slaveLDAP:$slavePort"
    masterURI="ldap://$masterLDAP:$masterPort"
    ldap_path="/usr/bin"

    #if ( $ldapTLS eq 0 ) {
    #   ldap_opts=-x
    #} elsif ( $ldapTLS eq 1 ) {
    #   $ldap_opts=-x -Z
    #} else {
    #   die ldapTLS option must be either 0 or 1.\n
    #}
    #ldapmodify=/usr/bin/ldapmodify $ldap_opts -H $masterURI -D '$masterDN' -w '$masterPw'

And the basic entries in LDAP:

    dn: sambaDomainName=DEPARTMENT1,ou=Domains,dc=xxx,dc=it
    objectClass: sambaDomain
    sambaDomainName: DEPARTMENT1
    sambaSID: S-1-5-21-3642312925-2943760701-1776766777
    sambaAlgorithmicRidBase: 1000
    structuralObjectClass: sambaDomain
    entryUUID: eac2e35e-f183-1027-93fa-cac86a6d5033
    creatorsName: cn=Manager,dc=xxx,dc=it
    createTimestamp: 20040212084804Z
    entryCSN: 2004021208:48:04Z#0x0001#0#0000
    modifiersName: cn=Manager,dc=xxx,dc=it
    modifyTimestamp: 20040212084804Z

    dn: cn=Depart1_Guests,ou=depart1,ou=Groups,dc=xxx,dc=it
    objectClass: posixGroup
    objectClass: sambaGroupMapping
    cn: Depart1_Guests
    gidNumber: 10001
    description: Depart1_Guests
    sambaGroupType: 2
    displayName: Depart1_Guests
    structuralObjectClass: posixGroup
    entryUUID: 60f48dd4-f184-1027-93ff-cac86a6d5033
    creatorsName: cn=Manager,dc=xxx,dc=it
    createTimestamp: 20040212085123Z
    sambaSID: S-1-5-21-3642312925-2943760701-1776766777-514
    entryCSN: 2004021208:52:07Z#0x0001#0#0000
    modifiersName: cn=Manager,dc=xxx,dc=it
    modifyTimestamp: 20040212085207Z

    dn: cn=Depart1_Users,ou=depart1,ou=Groups,dc=xxx,dc=it
    objectClass: posixGroup
    objectClass: sambaGroupMapping
    cn: Depart1_Users
    gidNumber: 10002
    description: Depart1_Users
    sambaSID: S-1-5-21-3642312925-2943760701-1776766777-513
    sambaGroupType: 2
    displayName: Depart1_Users
    structuralObjectClass: posixGroup
    entryUUID: 8aac9a36-f184-1027-9401-cac86a6d5033
    creatorsName: cn=Manager,dc=xxx,dc=it
    createTimestamp: 20040212085233Z
    entryCSN: 2004021208:52:33Z#0x0001#0#0000
    modifiersName: cn=Manager,dc=xxx,dc=it
    modifyTimestamp: 20040212085233Z

    dn: cn=Depart1_Admins,ou=depart1,ou=Groups,dc=xxx,dc=it
    objectClass: posixGroup
    objectClass: sambaGroupMapping
    cn: Depart1_Admins
    gidNumber: 10000
    description: Depart1_Admins
    sambaSID: S-1-5-21-3642312925-2943760701-1776766777-512
    sambaGroupType: 2
    displayName: Depart1_Admins
    structuralObjectClass: posixGroup
    entryUUID: d0cf8466-f18d-1027-8b18-d75e5ed076c6
    creatorsName: cn=Manager,dc=xxx,dc=it
    createTimestamp: 20040212095856Z
    entryCSN: 2004021209:58:56Z#0x0001#0#0000
    modifiersName: cn=Manager,dc=xxx,dc=it
    modifyTimestamp: 20040212095856Z

    dn: uid=root-depart1,ou=depart1,ou=People,dc=xxx,dc=it
    objectClass: posixAccount
    objectClass: shadowAccount
    objectClass: sambaSamAccount
    objectClass: inetOrgPerson
    gecos: Samba Admin
    homeDirectory: /root
    loginShell: /bin/bash
    uidNumber: 0
    gidNumber: 0
    sn: ooooppppp
    uid: root-Depart1
    sambaPwdLastSet: 1066177062
    sambaLogonTime: 0
    sambaLogoffTime: 0
    sambaKickoffTime: 0
    sambaPwdCanChange: 1066177062
    sambaPwdMustChange: 2147483647
    displayName: root-depart1
    cn: root-Depart1
    sambaSID: S-1-5-21-3642312925-2943760701-1776766777-500
    sambaPrimaryGroupSID: S-1-5-21-3642312925-2943760701-1776766777-512
    sambaLMPassword: 44EFCE164AB921CAAAD3B435B51404EE
    sambaNTPassword: 32ED87BDB5FDC5E9CBA88547376818D4
    sambaAcctFlags: [U ]
    structuralObjectClass: inetOrgPerson
    entryUUID: fc5bdb7e-f184-1027-9403-cac86a6d5033
    creatorsName: cn=Manager,dc=xxx,dc=it
    createTimestamp: 20040212085543Z
    entryCSN: 2004021209:44:25Z#0x0001#0#0000
    modifiersName: cn=Manager,dc=xxx,dc=it
    modifyTimestamp: 20040212094425Z

    dn: uid=nobody,ou=depart1,ou=People,dc=xxx,dc=it
    objectClass: account
    objectClass: sambaSamAccount
    objectClass: posixAccount
    uid: nobody
    sambaPwdLastSet: 1026225030
    sambaLogonTime: 0
    sambaLogoffTime: 2147483647
    sambaKickoffTime: 2147483647
    sambaPwdCanChange: 0
    sambaPwdMustChange: 2147483647
    displayName: Nobody
    cn: Nobody
    sambaSID: S-1-5-21-3642312925-2943760701-1776766777-501
    sambaPrimaryGroupSID: S-1-5-21-3642312925-2943760701-1776766777-514
    gecos: Nobody or Guest
    homeDirectory: /
    loginShell: /dev/null
    uidNumber: 99
    gidNumber: 99
    sambaAcctFlags: [UX ]
    structuralObjectClass: account
    entryUUID: 11c8f49c-f185-1027-9404-cac86a6d5033
    creatorsName: cn=Manager,dc=xxx,dc=it
    createTimestamp: 20040212085619Z
    entryCSN: 2004021208:56:19Z#0x0001#0#0000
    modifiersName: cn=Manager,dc=xxx,dc=it
    modifyTimestamp: 20040212085619Z

    dn: uid=root,ou=depart1,ou=People,dc=xxx,dc=it
    uid: root
    sambaSID: S-1-5-21-3642312925-2943760701-1776766777-1000
    sambaPrimaryGroupSID: S-1-5-21-3642312925-2943760701-1776766777-1001
    displayName: root
    sambaPwdCanChange: 1066177167
    sambaPwdMustChange: 2147483647
    sambaLMPassword: 44EFCE164AB921CAAAD3B435B51404EE
    sambaNTPassword: 32ED87BDB5FDC5E9CBA88547376818D4
    sambaPwdLastSet: 1066177167
    sambaAcctFlags: [U ]
    objectClass: account
    objectClass: sambaSamAccount
    structuralObjectClass: account
    entryUUID: 29b1aa0e-f185-1027-9405-cac86a6d5033
    creatorsName: cn=Manager,dc=xxx,dc=it
    createTimestamp: 20040212085659Z
    entryCSN: 2004021209:46:10Z#0x0001#0#0000
    modifiersName: cn=Manager,dc=xxx,dc=it
    modifyTimestamp: 20040212094610Z

Sorry for my bad English.
Vanni

--
***************************************************************
* One Ring to rule them all, One Ring to find them,
* One Ring to bring them all and in the darkness bind them
* (J.R.R. Tolkien)
***************************************************************
* E-Mail: [EMAIL PROTECTED]
* ICQ: 43066840
* PGP_KEY: http://tagliamento.sci.uniud.it/~dricca/vanni.asc
***************************************************************
-- To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
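The post's symptom is that a machine join leaves a posixAccount in the directory that never gets its sambaSamAccount attributes, and that the SIDs handed out do not line up. The checker below is an added example written for this page; it is not the poster's code and not part of Samba or smbldap-tools. It reads LDIF (as produced by `ldapsearch -x -LLL`), takes the domain SID and sambaAlgorithmicRidBase from the sambaDomain entry, and reports POSIX accounts that are not usable Samba accounts: entries missing sambaSamAccount, sambaSIDs from a foreign domain, and RIDs that do not follow the Samba 3 algorithmic mapping RID = uidNumber*2 + base, which is what smbldap-useradd assigns and what the post's own entries show (uid=root with uidNumber 0 and RID 1000, primary group gid 0 and RID 1001; the first machine at UID_START 1000 and RID 3000). The LDIF embedded in the block is constructed for the example, and the machine accounts pc01$, pc02$ and pc03$ are hypothetical.

```python
"""Consistency check for Samba 3 ldapsam entries (added example, not the poster's code).

Reports posixAccount entries never completed with sambaSamAccount, sambaSIDs from a
foreign domain, and RIDs that break the mapping RID = uidNumber*2 + sambaAlgorithmicRidBase.
"""
import re
import sys
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

# Constructed sample modelled on the post's entries. pc01$/pc02$/pc03$ are hypothetical:
# pc01$ is a complete machine account, pc02$ is the failure mode described in the post
# (POSIX account created, Samba attributes never added), pc03$ has a RID that does not
# match its uidNumber.
SAMPLE_LDIF = """\
dn: sambaDomainName=DEPARTMENT1,ou=Domains,dc=xxx,dc=it
objectClass: sambaDomain
sambaSID: S-1-5-21-3642312925-2943760701-1776766777
sambaAlgorithmicRidBase: 1000

dn: uid=root,ou=depart1,ou=People,dc=xxx,dc=it
objectClass: posixAccount
objectClass: sambaSamAccount
uidNumber: 0
sambaSID: S-1-5-21-3642312925-2943760701-1776766777-1000

dn: uid=pc01$,ou=depart1,ou=Computers,dc=xxx,dc=it
objectClass: posixAccount
objectClass: sambaSamAccount
uidNumber: 1000
sambaSID: S-1-5-21-3642312925-2943760701-1776766777-3000

dn: uid=pc02$,ou=depart1,ou=Computers,dc=xxx,dc=it
objectClass: posixAccount
uidNumber: 1001

dn: uid=pc03$,ou=depart1,ou=Computers,dc=xxx,dc=it
objectClass: posixAccount
objectClass: sambaSamAccount
uidNumber: 1002
sambaSID: S-1-5-21-3642312925-2943760701-1776766777-2052
"""


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: a blank line ends an entry, a leading space continues the
    previous line, '#' lines are comments. Base64 ('::') values are not decoded."""
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries: List[Entry] = []
    current: Entry = {}
    for line in lines + [""]:  # the trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def split_sid(sid: str) -> Tuple[str, int]:
    """Split an account SID into (domain prefix, RID)."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid}")
    return m.group(1), int(m.group(2))


def user_rid(uid: int, base: int) -> int:
    """Samba 3 algorithmic mapping (also used by smbldap-useradd): user RID = uid*2 + base.
    Groups use gid*2 + base + 1, which is why uid=root's primary group SID ends in 1001."""
    return uid * 2 + base


def check_entries(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (dn, problem) pairs for POSIX accounts that are not usable Samba accounts."""
    domain = next(e for e in entries if "sambaDomain" in e.get("objectClass", []))
    domain_sid = domain["sambaSID"][0]
    base = int(domain.get("sambaAlgorithmicRidBase", ["1000"])[0])
    findings: List[Tuple[str, str]] = []
    for e in entries:
        classes = e.get("objectClass", [])
        if "posixAccount" not in classes:
            continue
        dn = e["dn"][0]
        if "sambaSamAccount" not in classes:
            findings.append((dn, "posixAccount without sambaSamAccount (join left incomplete)"))
        elif "sambaSID" not in e:
            findings.append((dn, "sambaSamAccount without sambaSID"))
        else:
            prefix, rid = split_sid(e["sambaSID"][0])
            if prefix != domain_sid:
                findings.append((dn, f"sambaSID belongs to foreign domain {prefix}"))
            elif rid >= base:  # RIDs below base (500 Administrator, 501 Guest) are assigned, not computed
                expected = user_rid(int(e["uidNumber"][0]), base)
                if rid != expected:
                    findings.append((dn, f"RID {rid} does not match uidNumber (expected {expected})"))
    return findings


if __name__ == "__main__":
    # Pipe in: ldapsearch -x -LLL -b dc=xxx,dc=it '(|(objectClass=sambaDomain)(objectClass=posixAccount))'
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LDIF
    for dn, problem in check_entries(parse_ldif(text)):
        print(f"{dn}: {problem}")
```

On the constructed sample this flags pc02$ (no sambaSamAccount) and pc03$ (RID 2052 where uidNumber 1002 implies 3004); root and pc01$ pass. The checker deliberately never reads sambaLMPassword or sambaNTPassword. Those attributes, which the post reproduces for two accounts, are password equivalents usable directly for pass-the-hash against the domain, and the second half of the posted LM hash is the well-known constant for an empty seven-character block, which tells a reader the password is at most seven characters. Redact them before pasting a directory dump to a list.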