Re: [Samba] Join Machine to Domain

2003-11-17 Thread manuel . piessnegger




Hi,

I forgot to tell you that the samba password from the
uid=Administrator,ou=Users,dc=tow,dc=net MUST be the same as the samba
password for root,
because samba will expect both the client and the server user to have the
same password. After that the option username map will work correctly.



Regards

Manuel Piessnegger



   
From: Kent L. Nasveschuk [EMAIL PROTECTED].ma.us
To: [EMAIL PROTECTED]
cc: Samba List Server [EMAIL PROTECTED]
Date: 14.11.2003 17:44
Subject: Re: [Samba] Join Machine to Domain
   
   
   
   
   
   




I appreciate your help on this. I am still having problems. Attached are
some of the pertinent configuration files.

I can log in with any account so connection and password to access
ldap server works, just can't join domain. I get an error message bad
passwd or unknown user. I added the username map but root =
administrator still doesn't work.

# Administrator, Users, tow.net
dn: uid=Administrator,ou=Users,dc=tow,dc=net
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson
objectClass: sambaSAMAccount
objectClass: posixAccount
gidNumber: 0
uid: Administrator
uidNumber: 0
homeDirectory: /accounts/Administrator
sambaPwdLastSet: 1068814077
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 1068814077
sambaPwdMustChange: 2147483647
sambaHomePath: \\whs1\Administrator
sambaHomeDrive: H:
sambaProfilePath: \\whs1\profiles\
sambaLMPassword: E3B4E05BE6A182C9E13B8E8F6853DCAC
sambaNTPassword: F4858C7E53BB628AE91E00E9DB6CD467
sambaAcctFlags: [U  ]
sambaSID: S-1-5-21-1129281578-1295143107-3311307472-1000
loginShell: /bin/bash
gecos: Netbios Domain Administrator
sambaPrimaryGroupSID: S-1-5-21-1129281578-1295143107-3311307472-1001
userPassword:: e1NNRDV9ZGpiNFo3ODQ3VFlKYWJYZEM5ZGRtSkFpMklzPQ==



smb.conf:


[global]
workgroup = WarehamPS
encrypt passwords = Yes
time server = Yes
socket options = TCP_NODELAY
security = user
logon script = netlogon.bat
writable = Yes
dns proxy = no
directory mask = 02770
preferred master = yes
netbios name = WHS1
server string = RedHat 8.0 LDAP Server
passdb backend = ldapsam
ldap passwd sync = Yes
passwd program = /usr/local/samba/bin/smbpasswd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
log file = /var/log/samba.%m
debug level = 2
max log size = 50
add user script = /usr/local/sbin/smbldap-useradd.pl %u
#delete user script = /usr/local/sbin/smbldap-useradd.pl
#add group script = /usr/local/sbin/smbldap-groupadd.pl
delete group script = /usr/local/sbin/smbldap-groupdel.pl
add machine script = /usr/local/samba/bin/smbpasswd -a -m %u
#add machine script = /usr/sbin/useradd -d /dev/null -g 502 -s /bin/false -M %u
logon script = netlogon.bat
logon path = \\%N\profiles\%g
logon drive = H:
logon home = \\%L\%U
domain logons = Yes
os level = 64
domain master = Yes
dns proxy = No
admin users = @domain_admins
#   wins support = Yes
ldap suffix = dc=tow,dc=net
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap admin dn = cn=admin,dc=tow,dc=net
ldap ssl = no
username map = /usr/local/samba/private/smbusers
[homes]
comment = Home Directories
read only = no
browseable = no
writable = yes
path = %H
#   valid users = %S
hide files = /.*/

[profiles]
path = /accounts/profiles
read only = no
create mask = 0600
directory mask = 0700

[netlogon]
comment = Netlogon share
path = /usr/local/samba/netlogon
locking = no
browseable = no
read only = yes
write list = @domain_admins

[staff]
comment

Re: [Samba] Join Machine to Domain

2003-11-17 Thread Kent L. Nasveschuk
Hey,
Thanks for getting back to me. I could not put this down till I knew why
things weren't working. I finally succeeded in making everything work and
finding out why I had problems.

I couldn't make it work with administrator. As soon as I deleted the
administrator user and replaced user with root, Wah lah! I can join
workstations. I removed username map from smb.conf.

I also had a very strange error message that I have discovered is caused
by some keys in the workstation registry that I changed. These are keys
that are reported to need to be changed in XP and not W2K.

The learning curve for this is high. I learned a great deal about Samba
and LDAP but both packages are slick and work together quite well. All
the time I've spent on this has been well worth it.

Thanks for your help.

Kent N

On Mon, 2003-11-17 at 09:27, [EMAIL PROTECTED] wrote:
 
 
 Hi,
 
 I forgot to tell you that the samba password from the
 uid=Administrator,ou=Users,dc=tow,dc=net MUST be the same as the samba
 password for root,
 because samba will expect both the client and the server user to have the
 same password. After that the option username map will work correctly.
 
 
 
 Regards
 
 Manuel Piessnegger
 
 
 

 From: Kent L. Nasveschuk [EMAIL PROTECTED].ma.us
 To: [EMAIL PROTECTED]
 cc: Samba List Server [EMAIL PROTECTED]
 Date: 14.11.2003 17:44
 Subject: Re: [Samba] Join Machine to Domain






 
 
 
 
 I appreciate your help on this. I am still having problems. Attached are
 some of the pertinent configuration files.
 
 I can log in with any account so connection and password to access
 ldap server works, just can't join domain. I get an error message bad
 passwd or unknown user. I added the username map but root =
 administrator still doesn't work.
 
 # Administrator, Users, tow.net
 dn: uid=Administrator,ou=Users,dc=tow,dc=net
 cn: Administrator
 sn: Administrator
 objectClass: inetOrgPerson
 objectClass: sambaSAMAccount
 objectClass: posixAccount
 gidNumber: 0
 uid: Administrator
 uidNumber: 0
 homeDirectory: /accounts/Administrator
 sambaPwdLastSet: 1068814077
 sambaLogonTime: 0
 sambaLogoffTime: 2147483647
 sambaKickoffTime: 2147483647
 sambaPwdCanChange: 1068814077
 sambaPwdMustChange: 2147483647
 sambaHomePath: \\whs1\Administrator
 sambaHomeDrive: H:
 sambaProfilePath: \\whs1\profiles\
 sambaLMPassword: E3B4E05BE6A182C9E13B8E8F6853DCAC
 sambaNTPassword: F4858C7E53BB628AE91E00E9DB6CD467
 sambaAcctFlags: [U  ]
 sambaSID: S-1-5-21-1129281578-1295143107-3311307472-1000
 loginShell: /bin/bash
 gecos: Netbios Domain Administrator
 sambaPrimaryGroupSID: S-1-5-21-1129281578-1295143107-3311307472-1001
 userPassword:: e1NNRDV9ZGpiNFo3ODQ3VFlKYWJYZEM5ZGRtSkFpMklzPQ==
 
 
 
 smb.conf:
 
 
 [global]
 workgroup = WarehamPS
 encrypt passwords = Yes
 time server = Yes
 socket options = TCP_NODELAY
 security = user
 logon script = netlogon.bat
 writable = Yes
 dns proxy = no
 directory mask = 02770
 preferred master = yes
 netbios name = WHS1
 server string = RedHat 8.0 LDAP Server
 passdb backend = ldapsam
 ldap passwd sync = Yes
 passwd program = /usr/local/samba/bin/smbpasswd %u
 passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
 log file = /var/log/samba.%m
 debug level = 2
 max log size = 50
 add user script = /usr/local/sbin/smbldap-useradd.pl %u
 #delete user script = /usr/local/sbin/smbldap-useradd.pl
 #add group script = /usr/local/sbin/smbldap-groupadd.pl
 delete group script = /usr/local/sbin/smbldap-groupdel.pl
 add machine script = /usr/local/samba/bin/smbpasswd -a -m %u
 #add machine script = /usr/sbin/useradd -d /dev/null -g 502 -s /bin/false -M %u
 logon script = netlogon.bat
 logon path = \\%N\profiles\%g
 logon drive = H:
 logon home = \\%L\%U

Re: [Samba] Join Machine to Domain

2003-11-13 Thread Andrew Bartlett
On Thu, 2003-11-13 at 05:24, [EMAIL PROTECTED] wrote:
 
 
 Hi again,
 
 In another manual (http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html)
 they write that there must exist a user with uid=0, which means in the end
 JUST ROOT OR UID=0 can join a w2k client into a domain.
 
 In the [SAMBA_3_0] and [HEAD] only a few basic entries are required: nobody
 and administrator BUT an account with uidNumber=0 (root or administrator)
 MUST  be present if you need add XP/W2K ws. The reason: an administrative
 account is demanded in the ws side in the join process, and that account
 must have a uidNumber=0 in the unix world.
 
 Is there really no other way than to work with a user with uid=0 in the unix
 world?  I'm sorry but I make no more progress, hmm.. dead brain
 
 By the way all Unix and Samba accounts are present in the LDAP

Yep - we have a very simple bit of code that does a very dumb check for
uid==0.  This should be fixed, it might even be in bugzilla, but that's
the deal for the moment.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net


-- 
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
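
Andrew Bartlett's reply above says the join check is a plain test for uid==0, so every directory entry with uidNumber 0, and every client name that a username map line such as "root = administrator" resolves to one, is root on the Unix side. The following audit sketch is an added example, not part of the thread and not Samba code; the function names and sample data are constructed, and the map parser is simplified (no @group entries or quoted names).

```python
def parse_ldif(text):
    """Split LDIF into entries {attr_lowercase: [values]}; folded lines are skipped."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            entries += [cur] if cur else []
            cur = {}
        elif line[0] not in "# " and ":" in line:
            attr, _, val = line.partition(":")
            cur.setdefault(attr.strip().lower(), []).append(val.lstrip(": ").strip())
    return entries

def uid0_accounts(entries):
    """uid of every entry whose uidNumber is 0, i.e. root-equivalent on Unix."""
    return [e["uid"][0] for e in entries if "uid" in e and "0" in e.get("uidnumber", [])]

def map_username(map_text, client_name):
    """Apply a username map line by line; later matching lines remap again."""
    name = client_name
    for raw in map_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix, _, clients = line.lstrip("!").partition("=")
        names = [c.lower() for c in clients.split()]
        if "*" in names or name.lower() in names:
            name = unix.strip()
            if line.startswith("!"):     # "!" ends processing after a match
                break
    return name

def root_equivalent_logins(ldif_text, map_text, candidates):
    """Client login names that resolve to a uidNumber=0 account."""
    roots = {u.lower() for u in uid0_accounts(parse_ldif(ldif_text))}
    return [c for c in candidates if map_username(map_text, c).lower() in roots]

# Constructed sample data (not from the thread); the code is an added example.
SAMPLE_LDIF = """dn: uid=root,ou=Users,dc=example,dc=net
uid: root
uidNumber: 0

dn: uid=Administrator,ou=Users,dc=example,dc=net
uid: Administrator
uidNumber: 0

dn: uid=jdoe,ou=Users,dc=example,dc=net
uid: jdoe
uidNumber: 1001
"""
SAMPLE_MAP = "# constructed map\nroot = administrator admin\n"
```

Run against an `ldapsearch` export and the real map file, any name returned by `root_equivalent_logins` beyond root itself is an account to review.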

[Samba] Join Machine to Domain

2003-11-12 Thread manuel . piessnegger




Hello,

Is it really possible that just the user root with the samba password can
join workstations into the domain?
I also have some other users who are domain administrators, but with these
users I can't join any workstations into the domain.
This is for me an important security point, because I want to give some
people the access right to join workstations into the domain and only this
function. Also if the user root is just a domain user in samba you have no
rights to change something on a client, but when I start e.g. the user
manager it's possible to change users' passwords and that isn't nice.

I use the following test environment:
OS: Linux
Samba 3 with backend ldapsam
OpenLdap 2.1

Regards


Manuel Piessnegger



Re: [Samba] Join Machine to Domain

2003-11-12 Thread manuel . piessnegger




Hi again,

In another manual (http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html)
they write that there must exist a user with uid=0, which means in the end
JUST ROOT OR UID=0 can join a w2k client into a domain.

In the [SAMBA_3_0] and [HEAD] only a few basic entries are required: nobody
and administrator BUT an account with uidNumber=0 (root or administrator)
MUST  be present if you need add XP/W2K ws. The reason: an administrative
account is demanded in the ws side in the join process, and that account
must have a uidNumber=0 in the unix world.

Is there really no other way than to work with a user with uid=0 in the unix
world?  I'm sorry but I make no more progress, hmm.. dead brain

By the way all Unix and Samba accounts are present in the LDAP


Manuel Piessnegger



The problem might be that by default only root has write access to
smbpasswd and /etc/passwd and /etc/shadow
I have not verified this, though.
 Bart.

[EMAIL PROTECTED] wrote:



Hello,

Is it really possible that just the user root with the samba password can
join workstations into the domain?
I also have some other users who are domain administrators, but with these
users I can't join any workstations into the domain.
This is for me an important security point, because I want to give some
people the access right to join workstations into the domain and only this
function. Also if the user root is just a domain user in samba you have no
rights to change something on a client, but when I start e.g. the user
manager it's possible to change users' passwords and that isn't nice.

I use the following test environment:
OS: Linux
Samba 3 with backend ldapsam
OpenLdap 2.1

Regards


Manuel Piessnegger
