problems with tdbsam

arobinson74 · 04-12-2005, 06:35 PM

I have been trying to get tdbsam working instead of using smbpasswd as the backend. I have done the following:
[list=1][*]Modified smb.conf:

Code:

[global]
security = user
admin users = @smbsysadmin
printer admin = @smbsysadmin
username map = /etc/samba/smbusers
auth methods = guest sam winbind
# problems with:
passdb backend = tdbsam
# working:
# passdb backend = tdbsam smbpasswd
idmap uid = 10000-20000
idmap gid = 10000-20000
template primary group = "Domain Users"
template shell = /bin/bash
...

[*]Setup groups:

Code:

groupadd svnusers
groupadd smbsysadmin
groupadd svndev

useradd -G smbsysadmin,svnusers ... smbadmin
useradd -G smbusers,users ... testuser

net groupmap modify  ntgroup="Domain Admins" unixgroup=smbsysadmin
net groupmap modify  ntgroup="Domain Users" unixgroup=smbusers
net groupmap modify  ntgroup="Domain Guests" unixgroup=nobody
net groupmap add  ntgroup="SVN Developers" unixgroup=svndev

[*]Check groups config:

Code:

# groups testuser
testuser : users svndev smbusers
# groups smbadmin
smbadmin : smbsysadmin smbusers

[*]Check net groups: [CODE]#net user info smbadmin -U smbadmin%XXX
Domain Admins <-- Where is "Domain Users"?
#net user info testuser -U smbadmin%XXX
SVN Developers <-- Where is "Domain Users"? [/list=1]

Before, I had "Domain Users" mapped to "users". When that was true, I could not execute "pdbedit -a testuser" or "smbpasswd -a testuser" as it printed:

Code:

tdb_update_sam: Failing to store a SAM_ACCOUNT for [testuser] without a primary group RID

When I changed it to use smbusers, the command worked, but it isn't seeming to work perfectly.

When I have "passdb backend = tdbsam smbpasswd" in the smb.conf, I am able to logon to the domain on a WinXP Pro box using testuser. However, if I use "passdb backend = tdbsam", the login fails with the message box

Code:

Windows cannot connect to the domain, either because the domain controller is down or otherwise unavailable, or because your computer account was not found. Please try again later. If this message continues to appear, contact your system administrator for assistance.

It looks like tdbsam is the preferred backend over smbpasswd, so I would rather stick with that rule. The network I am introducing this PDC is a network with WinXP home, Win98 and WinXP pro computers.

There seems to be lacking documentation on using tdbsam. I'd rather not use ldap, as that is more than I need, and the setup looks like a pain. I am using the samba that is packed with Slackware 10.1 (I have not recompiled it).

arobinson74 · 04-13-2005, 01:26 PM

Found the issue with adding groups and the "pdbedit -a" command. My groupmapping was corrupted from too much debugging of mine. I had execute "net groupmap clean" and then remap/add my groups. Now "net user info <user> -U <user>" is printing the "Domain Users". I rebuilt my tdbsam database as well (deleted the file, then readded the users). Despite this, I still cannot log my computer into the domain.

I created machine trust account manually, so that is there. With high logging, I can see in log.smbd that the user authentication succeeds, but the WinXP still has the same error. Will try to remove the computer from the domain and readd it...

arobinson74 · 04-13-2005, 01:52 PM

That was it.

Removed the computer from the domain, then readded it.

Can login now. There must have been something that wasn't done when I set up the tdbsam database initially.