[Samba] Problems Migrating password and group info to ldap
Hi Samba list,

I am migrating a v3.0.9 (Suse 9.2) smbpasswd backend samba domain over to a v3.0.9 (suse 9.2) ldapsam backend and I have been incurring some problems I have not been able to resolve.

Initial setup:
1. samba (working) (at least any new account created can login domain and SID properly registered in LDAP)
2. ldap (working) (server accepting logins via ldap accounts)
3. smbldap tools (latest)

problem: When using smbldap-tools-migrate-accounts over to ldap using the passwd group and shadow files all the posix information is created but it is lacking enough samba information for the user to log in to the new domain via the migrated account. In the new ldap (posix/samba) accounts (after migration) I am missing necessary samba account information for those new users to be allowed to log in to the domain.

If I use the pdbedit -e -i options to migrate the smbpasswd file to ldap (machine accounts/samba account) it does not create the posix information.

note: Everything was set up with configure.pl scripts from IDEALX and smbldap-tools

Does anyone have some advice for me about how to make this migration as transparent as possible?
smb.conf - testparm no problems

smb.conf file

[global]
workgroup = TALL
netbios name = TALL-PDC
# enable privileges = yes
interfaces = 192.168.1.122
username map = /etc/samba/smbusers
server string = Samba Server %v
security = user
encrypt passwords = Yes
min passwd length = 3
obey pam restrictions = No
#unix password sync = Yes
#passwd program = /usr/local/sbin/smbldap-passwd -u %u
#passwd chat = Changing password for*\nNew password* %n\n *Retype new password* %n\n
ldap passwd sync = Yes
log level = 0
syslog = 0
log file = /var/log/samba/log.%m
max log size = 10
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
mangling method = hash2
Dos charset = 850
Unix charset = ISO8859-1
logon script = logon.bat
logon drive = Z:
logon home =
logon path =
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
passdb backend = ldapsam:ldap://127.0.0.1/
# passdb backend = ldapsam:ldap://127.0.0.1/ ldap://slave.idealx.com;
# ldap filter = ((objectclass=sambaSamAccount)(uid=%u))
ldap admin dn = cn=Manager,dc=TALL,dc=EDU
ldap suffix = dc=TALL,dc=EDU
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
#ldap ssl = start tls
add user script = /opt/IDEALX/sbin/smbldap-useradd -m %u
ldap delete dn = Yes
#delete user script = /opt/IDEALX/sbin/smbldap-userdel %u
add machine script = /opt/IDEALX/sbin/smbldap-useradd -w %u
add group script = /opt/IDEALX//sbin/smbldap-groupadd -p %g
#delete group script = /opt/IDEALX/sbin/smbldap-groupdel %g
add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m %u %g
delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x %u %g
set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g %g %u
# printers configuration
printer admin = @Print Operators
load printers = Yes
create mask = 0640
directory mask = 0750
nt acl support = No
printing = cups
printcap name = cups
deadtime = 10
guest account = nobody
map to guest = Bad User
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
show add printer wizard = yes
; to maintain capital letters in shortcuts in any of the profile folders:
preserve case = yes
short preserve case = yes
case sensitive = no

smbldap_bind.con

SID=S-1-5-21-3460938701-4015227088-2286478190
# Domain name the Samba server is in charged.
# If not defined, parameter is taking from smb.conf configuration file
# Ex: sambaDomain=IDEALX-NT
sambaDomain=TALL
##
#
# LDAP Configuration
#
##
# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
# (typically a replication directory)
# Slave LDAP server
# Ex: slaveLDAP=127.0.0.1
# If not defined, parameter is set to 127.0.0.1
slaveLDAP=127.0.0.1
# Slave LDAP port
# If not defined, parameter is set to 389
slavePort=389
# Master
[Samba] Upgrade from 2.8 to 3.0 groupmap broken any ideas?
Hello,

Background: I recently upgraded a samba 2.8 system to samba 3.0 dl'ed from samba.org current. Everything works great except the group mapping and some net sessions that get stuck but I want to focus on the groupmap issue today.

Things I have done: Delete group_mapping.tdb -- restarted samba -- net groupmap modify ntgroup='Domain Admins' unixgroup=ntadmins -- result: shows that it's mapped but no dice. The users in ntadmins group still do not have access to domain admin stuff like being able to log into every workstation and have full rights like samba 2.8 Domain Admin group option. I like groupmap better anyhow.

side note: While working on this issue a couple of weeks ago I deleted the tdb and restarted smb .. it worked!!! but then I went to do a modify and it stopped working .. right back to where I started.. ughh.

Possible Reason:
1. During the upgrade is it possible that something got corrupted (anything that would have affected this feature)?
2. Did I leave any important settings or configs out? etc...
3. My smb.conf is pretty basic.. right out of the build with modifications only to use smbpasswd backend and some other services for directories. But.. If you want I can post it.

Possible Solutions:
1. I am not opposed to rebuilding smb from source (newer source) if it will fix the problem easier than hunting down the bad files.
2. Fix the bad files (if it's time effective)
3. Switch to Win2003 (ooohh sorry no one wants to do that :)

ps. John T: I have committed to memory the groupmap section of the howto, with some other fav sections :) Thanks for providing such a valuable and effective resource.

Thanks
Jeff

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
[Samba] Popular Samba Password Backend Survey
Hi,

I have been reading this news group for quite a while and have never run across any kind of discussion on: What is the best choice for the password backend of your samba server and why do you feel so strongly about that?

Thanks
--
Jeff Davies [EMAIL PROTECTED]
[Samba] here's a fix for Goldmine (and other ISAM database based programs) on Windows NT/2000/XP clients talking to samba
Goldmine seems to be a compiled database application compiled in something like Clipper. Clipper applications record lock through ISAM like files (DBF). However, in Windows NT/2000/XP, Opportunistic locking is turned on by default in order to accelerate file transfer from file services. [Windows 95/98 did not opportunistically lock] However, opportunistic locking corrupts ISAM and ISAM like databases.

Here is how to turn off opportunistic locking. (NOTE: It has to be turned off at a system wide level, there is no provision in windows to enable this for some file services and not for others.)

---
Opportunistic locking turned off on the Windows XP client in this way:

Start-Run-(type in) RegEdt32

navigate to \Hkey_Local_Machine\System\CurrentControlSet\Services\LanManServer\Parameters
new Key or type DWORD name EnableOplocks leave value at default 0.

navigate to \Hkey_Local_Machine\System\CurrentControlSet\Services\LanManWorkstation\Parameters
new Key or type DWORD name EnableOplocks leave value at default 0.

Close regedt32 and reboot.
---

This has solved our Goldmine database corruption problems (started when the first Windows XP client was connected (all other machines were Windows 98)). Wizard Systems, makers of Goldmine, has been notified, and the above information will be on their support database.

This also should solve similar problems (if any are found) with similar MS Access systems using shared database files (as opposed to passthru SQL to backend ODBC connectors to SQL Servers of one sort or another).

There was a post by a user saying "Goldmine is a horrible system we moved to MS Access" which was rather unhelpful. Our sales people think Goldmine is excellent, and having written many a customised CRM system in Lotus Notes (Dow Jones (London), Ryder UK etc), I also think Goldmine is a good program. (could perhaps do with the option of putting data into a back end SQL server eg MySQL etc). And I've seen an awful lot of CRM systems.
Jeff Davies
Electronics Engineer
Aber Instruments Ltd
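
The post above turns oplocks off on the Windows side; Samba can also refuse them per share with its oplocks and veto oplock files parameters. The check below is an added example, not part of the original post: it reads an smb.conf and lists the shares where a client could still be granted an oplock on a database file. The sample configuration, the share names and the probe file name CUSTOMER.DBF are constructed, and veto patterns are matched case-sensitively as a conservative assumption.

```python
from fnmatch import fnmatchcase

# Constructed sample smb.conf; share names and paths are made up for this example.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = TALL
[goldmine]
    path = /srv/goldmine
[sales]
    path = /srv/sales
    oplocks = no
    level2 oplocks = no
[office]
    path = /srv/office
    veto oplock files = /*.dbf/*.DBF/*.mdb/*.MDB/
"""

FALSE_WORDS = {"no", "false", "off", "0"}  # boolean spellings smb.conf accepts

def parse_shares(text):
    """Return {section: {param: value}}; names lower-cased, spaces removed."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = shares.setdefault(line[1:-1].strip().lower(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current["".join(key.lower().split())] = value.strip()
    return shares

def vetoed(params, filename):
    """True if a 'veto oplock files' pattern (slash-separated) covers filename."""
    patterns = [p for p in params.get("vetooplockfiles", "").split("/") if p]
    return any(fnmatchcase(filename, p) for p in patterns)

def shares_at_risk(text, probe="CUSTOMER.DBF"):
    """List shares where an oplock could still be granted on `probe`."""
    shares = parse_shares(text)
    defaults = shares.get("global", {})          # [global] sets share defaults
    risky = []
    for name, params in shares.items():
        if name == "global":
            continue
        effective = {**defaults, **params}
        # 'oplocks' defaults to yes when absent; level2 oplocks depend on it.
        oplocks_on = effective.get("oplocks", "yes").lower() not in FALSE_WORDS
        if oplocks_on and not vetoed(effective, probe):
            risky.append(name)
    return risky
```

On the sample, shares_at_risk(SAMPLE_SMB_CONF) reports only the goldmine share, which sets neither parameter.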