<sgm...@mail.bloomfield.k12.mo.us> wrote in their message on Thu, 30 Jul 2009 08:46:50 +0700:


sgm...@mail.bloomfield.k12.mo.us wrote:

sgm...@mail.bloomfield.k12.mo.us wrote:

sgm...@mail.bloomfield.k12.mo.us wrote:

sgm...@mail.bloomfield.k12.mo.us wrote:
I did not get this finished last summer, so decided to just wait and do it this summer.  I have set up my new samba server and was trying to get some things tweaked to the way that I want them. I thought that I had asked this before and that I could do it, but it seems that it does not work.

My new server is running as a domain server just like the old. It has the same domain name and I changed the SID using net setlocalsid to the same sid number as my old server.  This new server is in a test environment right now.

I was hoping that my old machines could just log into this server without having to get out of the domain and then rejoin it, but that does not work.  It tells me that the domain is not there until I get out of the old one and then rejoin the new one.  Is that how it has to work?  I was hoping I would not have to do that if I left the domain name the same and set the SID on the new server.  I just want to make sure I am not missing something before I go around to all 400 computers on campus and have them removed and rejoined to the domain.

Mr. Terpstra gave me a bit of help.  I had done nothing to set my
domainsid, but after doing the following:

net getlocalsid
net getdomainsid

The values are the same on both the old and the new samba server. This new server will take the place of my old one.  Right now it is on a network with nothing else on it besides one of my old windows clients. If I remove one of my old clients from the domain and then re-add it, then it logs in just fine. If I take an old client from my current network and put it on this new network and try to login to the new samba server then it gives me the typical:

"Windows cannot connect to the domain either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again later. If this message continues to appear contact your System Administrator for assistance."

The name of the Windows machine is business18 so I did an 'smbldap-adduser -w business18$' to make sure the machine account was added in to the directory, but the error was the same.  I even changed the uid of the machine account to match the old one in case that was coming into play.

Here is my samba config in case someone sees something that I don't.
Which is quite possible since I forget more than I learn it seems. :)
I'll be reading on the How-To to see if I can pick anything else up.

[global]
        workgroup = BES
        server string = Samba Server Version %v
        netbios name = SCHOOL

        interfaces = lo eth0
        hosts allow = 127. 10.0. 192.168.0. localhost
        ldap passwd sync = Yes
        ldap admin dn = cn=Manager,dc=school,dc=bloomfield.k12.mo.us
        ldap suffix = dc=school1,dc=bloomfield.k12.mo.us
        ldap group suffix = ou=Groups
        ldap user suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap idmap suffix = ou=Users
        add machine script = /usr/sbin/smbldap-useradd -w "%u"
        add user script = /usr/sbin/smbldap-useradd -m "%u"
        ldap delete dn = Yes
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"

        Dos charset = 850
        Unix charset = ISO8859-1


        log file = /var/log/samba/log.%m
        max log size = 50

        security = user
        passdb backend = ldapsam:ldap://127.0.0.1

        domain master = yes
        domain logons = yes

        local master = yes
        os level = 65
        preferred master = yes

        wins support = yes
        dns proxy = no

        load printers = yes
        cups options = raw

[homes]
        comment = Home Directories
        browseable = no
        writable = yes

[printers]
        comment = All Printers
        path = /var/spool/samba
        browseable = no
        guest ok = no
        writable = no
        printable = yes


Well, I am getting ready to take the other server offline and put the new one in place.  I am planning on just removing all my machines from the domain and adding them back in to get everything to work, though I would prefer not to do this.

I am just not sure where else to look.  Thought I would post one last
time.  I figure that most of this comes from me not knowing a lot about
ldap and how samba interacts with it.  I am still learning.

The passwords on the new server are different than the old.  Does that have any effect on it?  Do the passwords have to be the same when it comes to the new machine being added in?  I did not think that would matter, but maybe it does.  If it does then that would mean that the XP machines somehow saved the password that was used when the machine joined the domain.

Thanks for any info.  I'll play with this some tonight, but if I don't figure it out, I'll just do as I planned and remove all machines from the domain and add them back in.

I have messed with this for another 3 hours and have searched everything that I know to search on the net.  Found lots of good hints, but nothing has worked. I was going to maybe try to slapcat just one computer account and then slapadd it back in to see if that would work, and if it would then I would do all computer accounts.

For some reason there is no '-a' version on my old server even though the manpage shows slapcat(8C) on both servers.  I did a slapcat and just deleted everything down to and past the computers entry, but then noticed the creatorsName and the modifiersName.

Those are both:
cn: Manager, dc=old-server-name,dc=org

My new server has a different name, so when I slapadd this back in, is
that going to cause problems?

I know that is more of an ldap question, but thought someone could
enlighten me on it here.  If I could just get this server to accept
computers without removing/re-adding to the domain, it would save me a
world of time.


Well, I decided to try it so I changed the old-server-name to the
new-server-name in my ldif file and slapadded it into my directory. I get
the same thing that the domain cannot be found or the machine account is
missing.  I will just add the new server in tomorrow and then go around
backing up profiles, removing the machine from the domain and then add it
back in.  I like samba, but it hates me I guess. ;)

Thanks for the help.

If you want client machines to be able to log in to the old domain, you really should copy the user database "one-by-one". The old database contains accounts like "MACHINE$", and those entries have their own password. Those passwords are stored in the registry of the client's system. Of course, if you simply back up the old database, slapcat it to a file, change the "cn" entries in the file and slapadd it, the resulting user database from Samba's point of view will have all the previous accounts and passwords just in place. This IS the thing you want, isn't it? I've got some experience of changing the cn attribute in LDAP, but the network was rather much smaller (about 10 computers). I do not remember exactly, but there exists an option to reset the Samba password for a machine account.

Serdge
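As an added illustration of the slapcat/slapadd approach discussed in this thread (this is not code from either poster): a POSIX shell helper that strips the server-maintained operational attributes (creatorsName, modifiersName and friends) from an exported entry, and sanity-checks a machine account before re-import: it must be flagged as a workstation, carry an NT password hash, and have a sambaSID whose prefix equals the domain SID that `net getlocalsid` reports on the new server. The LDIF entry, SID and directory names below are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample: one machine account as slapcat would export it (all values made up).
SAMPLE_LDIF='dn: uid=business18$,ou=Computers,dc=school,dc=example
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uid: business18$
uidNumber: 1005
gidNumber: 515
homeDirectory: /dev/null
sambaSID: S-1-5-21-111111111-222222222-333333333-3010
sambaAcctFlags: [W          ]
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
structuralObjectClass: account
entryUUID: 4b3f2c1e-0000-0000-0000-000000000000
creatorsName: cn=Manager,dc=old-server-name,dc=org
createTimestamp: 20080801120000Z
entryCSN: 20080801120000.000000Z#000000#000#000000
modifiersName: cn=Manager,dc=old-server-name,dc=org
modifyTimestamp: 20080801120000Z'

# Remove operational attributes from an LDIF stream (stdin -> stdout). ldapadd rejects
# them outright, and slapadd would otherwise import the old server's names verbatim;
# dropping them lets the new server generate its own.
strip_operational() {
  grep -Ev '^(structuralObjectClass|entryUUID|entryCSN|creatorsName|createTimestamp|modifiersName|modifyTimestamp|contextCSN): '
}

# Print the domain part of the entry's sambaSID (everything before the trailing RID).
sid_prefix() {
  sed -n 's/^sambaSID: \(S-1-5-21-[0-9]*-[0-9]*-[0-9]*\)-[0-9]*$/\1/p'
}

# check_machine_entry DOMAIN_SID < entry.ldif
# Returns 0 when the entry looks like a usable machine account for DOMAIN_SID
# (the value `net getlocalsid` prints), 1/2/3 for the specific failing check.
check_machine_entry() {
  ldif=$(cat)
  printf '%s\n' "$ldif" | grep -q '^sambaAcctFlags: \[W' || return 1   # not a workstation
  printf '%s\n' "$ldif" | grep -q '^sambaNTPassword: '    || return 2   # no machine password
  [ "$(printf '%s\n' "$ldif" | sid_prefix)" = "$1" ]      || return 3   # SID from another domain
  return 0
}
```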

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba