Dale,

Thanks - I think that has taken care of the permissions problems. Question: Is there a reason the bdc needs direct communications with the ldap database? I would have imagined these queries could be retrieved via communication between smbd.

Bill

Dale Schroeder wrote:
> I believe your errors primarily lie in your BDC configuration.
> See
> http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html#id304335
> for minimum requirements.
>
> Bill Schwanitz wrote:
> I am trying to get a samba setup with a pdc/bdc configuration. The backend information stores are openldap ( for passdb and idmap ).
>
> I have followed the instructions in the Samba Guide and the documentation provided with the smbldap-tools package.
>
> Samba version: 3.0.24
> smbldap-tools: Using the version included in samba ( /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2 )
>
> I can join machines to the domain. If I do a getent passwd from either of the two servers, I get the requisite information ( and it looks valid ). I have nsswitch pulling the information from ldap on both systems.
>
> Layout:
>
> fdsclient: pdc
> fdsclient2: bdc
> fdsmaster: openldap 2.2.13
> OS on all systems is CentOS 4, mostly up to date on patches ( as of a few days ago ).
> All three systems are being run from within vmware - not sure it really matters here.
>
> From the pdc, if I run the command "net rpc user -U root%pass", I get back the three currently-configured users. If I use the same command from the bdc, I get nothing. If I do a "wbinfo -u" from the bdc, I get the requisite information.
>
> When I log into a windows machine ( joined to the domain ) and browse the shares on both pdc and bdc, I get mixed results in file/dir ownership. The files/dirs on the pdc report the domain\user values. If I look at the permissions of a share on the bdc, I get "Unix user \ *user*" instead of the domain\user.
>
> Below is the smb.conf configuration for the pdc:
>
> [global]
>   workgroup = BILSCH.LOCAL
>   server string = Samba Server %v
>   security = user
>   passdb backend = ldapsam:ldap://fdsmaster.bilsch.local/
>   idmap backend = ldapsam:ldap://fdsmaster.bilsch.local/
>   passwd program = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-passwd -u %u
>   passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
>   passwd chat debug = Yes
>   passwd chat timeout = 5
>   enable privileges = yes
>   username map = /etc/samba/smbusers
>   log level = 3
>   log file = /var/log/samba/%m.log
>   max log size = 100000
>   time server = Yes
>   deadtime = 10
>   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>   printcap name = cups
>   add user script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-useradd -m "%u"
>   add group script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-groupadd -p "%g"
>   add user to group script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-groupmod -m "%u" "%g"
>   delete user from group script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-groupmod -x "%u" "%g"
>   set primary group script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-usermod -g '%g' '%u'
>   add machine script = /usr/share/doc/samba-3.0.24/LDAP/smbldap-tools-0.9.2/smbldap-useradd -w "%u"
>   logon script = logon.bat
>   logon path = \\fdsclient\profiles\%U
>   logon drive = H:
>   name resolve order = wins bcast hosts
>   domain logons = Yes
>   os level = 255
>   preferred master = Yes
>   domain master = Yes
>   local master = Yes
>   wins support = Yes
>   #ldap admin dn = cn=smbadmin,ou=DSA,dc=bilsch,dc=local
>   ldap admin dn = cn=Manager,dc=bilsch,dc=local
>   ldap group suffix = ou=Groups
>   ldap idmap suffix = ou=Idmap
>   ldap machine suffix = ou=Users,ou=Computers
>   ldap passwd sync = Yes
>   ldap suffix = dc=bilsch,dc=local
>   ldap ssl = start tls
>   ldap user suffix = ou=Users
>   #idmap uid = 15000-20000
>   #idmap gid = 15000-20000
>   winbind enum users = Yes
>   winbind enum groups = Yes
>   winbind use default domain = Yes
>   create mask = 0640
>   directory mask = 0750
>   case sensitive = No
>   dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
>   null passwords = yes
>   encrypt passwords = yes
>
> smb.conf from the bdc:
>
> [global]
>   workgroup = BILSCH.LOCAL
>   server string = Samba Server %v
>   security = domain
>   password server = fdsclient.bilsch.local
>   log level = 4
>   log file = /var/log/samba/%m.log
>   enable privileges = yes
>   max log size = 50
>   os level = 0
>   time server = Yes
>   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>   load printers = No
>   local master = No
>   domain master = No
>   preferred master = No
>   dns proxy = No
>   cups options = raw
>   winbind enum users = Yes
>   winbind enum groups = Yes
>   winbind separator = +
>   idmap uid = 10000-20000
>   idmap gid = 10000-20000
>   template shell = /bin/false
>   winbind use default domain = Yes
>   nt acl support = yes
>   map acl inherit = yes
>
> net rpc info output:
>
> ( pdc )
> [EMAIL PROTECTED]:/var/log/samba# net rpc info -U root%*pass*
> Domain Name: BILSCH.LOCAL
> Domain SID: S-1-5-21-3786926362-4055794989-769170274
> Sequence number: 1171644069
> Num users: 3
> Num domain groups: 4
> Num local groups: 0
>
> ( bdc )
> [EMAIL PROTECTED]:/# net rpc info -U root%*pass*
> Domain Name: BILSCH.LOCAL
> Domain SID: S-1-5-21-3786926362-4055794989-769170274
> Sequence number: 1171644046
> Num users: 3
> Num domain groups: 4
> Num local groups: 0
>
> [EMAIL PROTECTED]:/var/log/samba# net getdomainsid -U root%*pass*
> SID for domain FDSCLIENT is: S-1-5-21-3786926362-4055794989-769170274
> SID for domain BILSCH.LOCAL is: S-1-5-21-3786926362-4055794989-769170274
>
> [EMAIL PROTECTED]:/# net getdomainsid -U root%*pass*
> SID for domain FDSCLIENT2 is: S-1-5-21-944702772-1279947625-2865619123
> SID for domain BILSCH.LOCAL is: S-1-5-21-3786926362-4055794989-769170274
>
> With smbclient, accessing a share on the bdc, with showacls on:
>
> FILENAME:\vmware-config0
> MODE:D
> SIZE:0
> MTIME:Mon Feb 12 10:06:32 2007
> revision: 1
> type: 0x8004: SEC_DESC_DACL_PRESENT SEC_DESC_SELF_RELATIVE
> DACL
> ACL Num ACEs: 3 revision: 2
> ---
> ACE
> type: ACCESS ALLOWED (0) flags: 0
> Specific bits: 0x1ff
> Permissions: 0x1f01ff: SYNCHRONIZE_ACCESS WRITE_OWNER_ACCESS WRITE_DAC_ACCESS READ_CONTROL_ACCESS DELETE_ACCESS
> SID: S-1-22-1-0
>
> ACE
> type: ACCESS ALLOWED (0) flags: 0
> Specific bits: 0xa9
> Permissions: 0x1200a9: SYNCHRONIZE_ACCESS READ_CONTROL_ACCESS
> SID: S-1-22-2-0
>
> ACE
> type: ACCESS ALLOWED (0) flags: 0
> Specific bits: 0xa9
> Permissions: 0x1200a9: SYNCHRONIZE_ACCESS READ_CONTROL_ACCESS
> SID: S-1-1-0
>
> Owner SID: S-1-22-1-0
> Parent SID: S-1-22-2-0
>
> Anyone have ideas on what I am doing wrong here?

-- 
Bill Schwanitz
An eye for an eye makes the whole world blind. - Mahatma Gandhi
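As an added illustration that is not part of this thread, the Python checker below audits a BDC [global] section against the minimum BDC settings from the samba-bdc HOWTO chapter Dale linked, compares the two SIDs that net getdomainsid prints, and decodes the S-1-22-x SIDs seen in the showacls output. The trimmed configs, the hypothetical "fixed" BDC variant and the REQUIRED table are constructed here, not taken from the thread or from Samba; the check assumes the HOWTO's requirements are security = user, domain logons = yes, domain master = no and a passdb backend on the same ldapsam directory the PDC uses.

```python
import re
# Constructed from the thread: the BDC [global] trimmed to the audited parameters, and a hypothetical
# rewrite of it to the minimum BDC settings in the samba-bdc HOWTO chapter (assumption, not the author's file).
BDC_POSTED = """[global]
    security = domain
    password server = fdsclient.bilsch.local
    domain master = No
"""
BDC_FIXED = """[global]
    security = user
    domain logons = Yes
    domain master = No
    passdb backend = ldapsam:ldap://fdsmaster.bilsch.local/
"""
# "net getdomainsid" output as posted from the BDC (machine SID != domain SID) and from the PDC.
BDC_SIDS = """SID for domain FDSCLIENT2 is: S-1-5-21-944702772-1279947625-2865619123
SID for domain BILSCH.LOCAL is: S-1-5-21-3786926362-4055794989-769170274"""
PDC_SIDS = """SID for domain FDSCLIENT is: S-1-5-21-3786926362-4055794989-769170274
SID for domain BILSCH.LOCAL is: S-1-5-21-3786926362-4055794989-769170274"""
REQUIRED = {"security": "user", "domain logons": "yes", "domain master": "no"}

def parse_global(conf):
    """Return [global] parameters as lowercase key -> lowercase value; comments and other sections skipped."""
    params, section = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip().lower()
    return params
def explain_sid(sid):
    """Decode Samba's Unix-ID authority SIDs (what a client shows as 'Unix User\\name'); None for other SIDs."""
    m = re.fullmatch(r"S-1-22-([12])-(\d+)", sid)
    return m and ("Unix user uid " if m[1] == "1" else "Unix group gid ") + m[2] + " with no domain SID mapping"
def audit_bdc(conf, getdomainsid_output):
    """Return deviations from the minimum BDC configuration; an empty list means it passes."""
    p, findings = parse_global(conf), []
    for key, want in REQUIRED.items():
        if p.get(key) != want:
            findings.append(f"{key} = {p.get(key, '<unset>')} (BDC needs {want})")
    if not p.get("passdb backend", "").startswith("ldapsam:"):
        findings.append("passdb backend must be the same ldapsam directory the PDC uses")
    sids = set(re.findall(r"SID for domain \S+ is: (S-1-5-21(?:-\d+){3})", getdomainsid_output))
    if len(sids) > 1:
        findings.append("machine SID differs from the domain SID (net getdomainsid)")
    return findings
```

Run against the posted BDC config it reports four findings (security, missing domain logons, missing passdb backend, mismatched SID); the constructed fixed variant with the PDC's SID output reports none.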
