LinuxQuestions.org
Old 12-12-2003, 04:53 PM   #1
bedwardj
LQ Newbie
 
Registered: Jun 2001
Location: Austin, TX
Distribution: None for now
Posts: 16

Rep: Reputation: 0
Adding Machine to domain with Samba 3 fails


I am having trouble getting this samba pdc up and running.

My setup is:

Red Hat Enterprise Linux 3
samba-3.0.0
openldap-2.0.27

I cannot get my WinXP client to switch domains.

After trying to login as Administrator I get a message "Access is denied."

Trying root gets me "User name could not be found."

Here's what I've done:

1. Migrated user & group info from files to ldap with padl scripts.
2. Changed the authentication/info setting so pam and nss look to ldap.
3. Used smbtools from idealx.org to add samba user info.

From WinXP I can access shares on the Samba 3 PDC, but I just can't logon to the domain.

Here's the relevant parts of my smb.conf:

[global]

# Identification
workgroup = aecollab
server string = Samba Server %v

interfaces = eth0
hosts allow = 192.168.1. 127.
; name resolve order = wins lmhosts bcast

# PDC and Browsing
domain master = yes
local master = yes
preferred master = yes
domain logons = yes
os level = 99
remote browse sync = 192.168.1.255
remote announce = 192.168.1.255
wins support = yes
; wins server = 192.168.1.1

# Logging
log level = 10
log file = /var/log/samba/%m.log
# max log size is in kilobytes
max log size = 50

# Security
security = user
encrypt passwords = yes
; domain admin group = root brian # looks like this is deprecated

# LDAP authentication
passdb backend = ldapsam:ldap://localhost
ldap admin dn = "uid=Administrator,ou=people,dc=aus,dc=aecollab,dc=com"
ldap machine suffix = "ou=machines,dc=aus,dc=aecollab,dc=com"
ldap user suffix = "ou=people,dc=aus,dc=aecollab,dc=com"
ldap group suffix = "ou=group,dc=aus,dc=aecollab,dc=com"
ldap idmap suffix = "ou=idmap,dc=aus,dc=aecollab,dc=com"
ldap ssl = off
ldap suffix = "dc=aus,dc=aecollab,dc=com"
ldap filter = "(&(uid=%u)(objectClass=sambaSamAccount))"
ldap passwd sync = yes

# Unix authentication
# smb passwd file = /etc/samba/smbpasswd
# unix password sync = yes
# passwd program = /usr/bin/passwd %u
# passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
; username map = /etc/samba/smbusers
; add user script = /usr/local/sbin/smbldap-useradd.pl -w %u
add machine script = /usr/local/sbin/smbldap-useradd.pl -w %u

I am struggling with whether or not I need to worry about mapping NT groups to unix groups. Things like idmap, net group add, etc.

Are there specific users & groups I need to make this work? Is there something on the client side that needs a tweak?

I have come a long way, and feel like this is the last little bit.

Any help will be much appreciated.

-Brian
 
Old 12-13-2003, 08:57 AM   #2
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 79
Do you have a root samba account in the ldap server? Try adding one then join the domain as root.
 
Old 12-15-2003, 11:56 AM   #3
bedwardj
LQ Newbie
 
Registered: Jun 2001
Location: Austin, TX
Distribution: None for now
Posts: 16

Original Poster
Rep: Reputation: 0
Here is what I have in the ldap server:

dn: uid=Administrator,ou=People,dc=aus,dc=aecollab,dc=com
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaLMPassword: <lmsecret>
sambaNTPassword: <ntsecret>
sambaPwdLastSet: 1071177378
userPassword: <unixsecret>
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
homeDirectory: /dev/null
loginShell: /sbin/nologin
sn: Administrator
cn: Administrator
description: Netbios Domain Administrator
displayName: Administrator
uid: Administrator
gidNumber: 512
gecos: Netbios Domain Administrator
sambaAcctFlags: [UX ]
uidNumber: 500
sambaPrimaryGroupSID: <sid>-1001
sambaSID: <sid>-1000
sambaDomainName: AECOLLAB

dn: uid=root,ou=People,dc=aus,dc=aecollab,dc=com
uid: root
cn: root
sn: root
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: sambaSamAccount
userPassword: <unixsecret>
shadowLastChange: 12373
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: root
sambaLMPassword: <lmsecret>
sambaNTPassword: <ntsecret>
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaAcctFlags: [UX ]
sambaPwdLastSet: 1147483647
sambaPrimaryGroupSID: <sid>-512
sambaSID: <sid>-512

dn: sambaDomainName=AECOLLAB,dc=aus,dc=aecollab,dc=com
sambaDomainName: AECOLLAB
sambaSID: <sid>
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain

dn: cn=Domain Admins,ou=Group,dc=aus,dc=aecollab,dc=com
objectClass: posixGroup
cn: Domain Admins
gidNumber: 512
memberUid: Administrator
memberUid: root
description: Netbios Domain Administrators (need smb.conf configuration)

dn: cn=root,ou=Group,dc=aus,dc=aecollab,dc=com
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: root
userPassword: {crypt}x
gidNumber: 0
sambaSID: <sid>-512
sambaGroupType: 2
displayName: root
description: Local Unix group

Is there something I'm missing or have incorrect?

Thanks,
Brian
 
Old 12-15-2003, 01:19 PM   #4
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 79
AFAIK it is case sensitive so "people" is not the same as "People". Try making the P uppercase in smb.conf then restart samba and try joining the domain as root.
 
Old 12-15-2003, 04:59 PM   #5
bedwardj
LQ Newbie
 
Registered: Jun 2001
Location: Austin, TX
Distribution: None for now
Posts: 16

Original Poster
Rep: Reputation: 0
I don't think the case-sensitivity was the issue. I did change the case in smb.conf to match the LDAP directory. After restarting, the logs showed that the binds failed. So, then I had to issue smbpasswd -w again to update the secrets file. That is case sensitive apparently. After that it would bind again, but return to the same problem.

I looked around some more and found that the smbldap-useradd.pl script has a portion commented out in the ADD MACHINE section. The script assumes that the sambaSamAccount info will be added for the machine when it initially joins the domain.

So, I uncommented that portion of the script to let the script add the samba info. Then I deleted the machine accounts under the ou=Machines branch. Then ran smbldap-useradd.pl to add the machine. No problems.

The WinXP box then joined the domain using the root user without fail.

Now my problem is that I cannot get the user's home directory to load correctly.

I removed all the stuff related to logon home/path/script/drive from the ldap directory to let smb.conf handle it. I added logon drive = H: to smb.conf.

The homes section:
[home]
valid users = %S
browseable = no
; no explicit path info

From /var/netlogon/logon.bat
NET USE H: /HOME /YES

Whenever I log in, the command window executing the logon.bat script asks for a valid username and password. Nothing works - even to browse to it.

So, I tried...
valid users = %U

This works except that in My Network Places you can see everyone's home directory. You can't access them, but you can see them. I thought that you were only supposed to see your own directory - not everyone else's.

This is a minor issue, but I'd like to understand the difference between %U, %S, and %u. The smb.conf man file does not explain these very well.

Thanks again,
Brian
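The three things this thread ended up checking by hand (a root sambaSamAccount to join with, post #2; the ou= spelling in smb.conf matching the directory and the secrets file having to be re-keyed with smbpasswd -w after it changes, posts #4 and #5; and the machine entry actually carrying sambaSamAccount data, post #5) can be checked offline against an LDIF dump before the next join attempt. The script below is an added example, not code from the thread, from Samba or from smbldap-tools. The smb.conf fragment and the LDIF are constructed to mirror the entries posted above with secrets left out; the workstation name winxp and the flag layout are assumptions.

```python
"""Added example (not code from the thread, from Samba or from smbldap-tools):
an offline check of an ldapsam directory dump against the smb.conf settings a
Samba 3 domain join depends on.  The LDIF and smb.conf fragments below are
constructed to mirror the thread; the machine name 'winxp' is an assumption."""

from collections import defaultdict

# Constructed: the ldapsam settings as first posted (lower-case ou= values).
SMB_CONF_AS_POSTED = """
[global]
workgroup = aecollab
passdb backend = ldapsam:ldap://localhost
ldap admin dn = "uid=Administrator,ou=people,dc=aus,dc=aecollab,dc=com"
ldap machine suffix = "ou=machines,dc=aus,dc=aecollab,dc=com"
ldap user suffix = "ou=people,dc=aus,dc=aecollab,dc=com"
ldap suffix = "dc=aus,dc=aecollab,dc=com"
add machine script = /usr/local/sbin/smbldap-useradd.pl -w %u
"""
# Constructed: the same settings with the ou= names spelled as the directory has them.
SMB_CONF_FIXED = SMB_CONF_AS_POSTED.replace("ou=people", "ou=People") \
                                   .replace("ou=machines", "ou=Machines")

# Constructed LDIF (secrets omitted).  The machine entry is what the
# 'add machine script' call produces once smbldap-useradd.pl's ADD MACHINE
# section writes the sambaSamAccount attributes itself.
LDIF = """\
dn: uid=Administrator,ou=People,dc=aus,dc=aecollab,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: Administrator
sambaAcctFlags: [UX         ]

dn: uid=root,ou=People,dc=aus,dc=aecollab,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: root
sambaAcctFlags: [UX         ]

# constructed workstation account
dn: uid=winxp$,ou=Machines,dc=aus,dc=aecollab,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: winxp$
sambaAcctFlags: [W          ]
"""


def parse_smb_conf(text):
    """Return 'name = value' parameters as {name: value}, quotes stripped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;[":
            continue
        name, _, value = line.partition("=")
        conf[name.strip().lower()] = value.strip().strip('"')
    return conf


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries, '#' comments,
    multi-valued attributes and leading-space continuation lines."""
    entries, current, last = [], None, None
    for raw in text.splitlines() + [""]:
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last is not None:      # folded line
            current[last][-1] += raw[1:]
            continue
        if not raw.strip():
            if current:
                entries.append(current)
            current, last = None, None
            continue
        attr, _, value = raw.partition(":")
        if current is None:
            current = defaultdict(list)
        current[attr].append(value.strip())
        last = attr
    return entries


def _case_only_match(wanted, candidates):
    """Return a candidate that equals `wanted` except for letter case, else None."""
    for c in candidates:
        if c.lower() == wanted.lower():
            return c
    return None


def check_join_prereqs(conf, entries):
    """Return a list of findings (empty when the join prerequisites look sane)."""
    findings = []
    dns = [e["dn"][0] for e in entries]

    # 1. 'ldap admin dn' must exist as written.  smbd keeps the bind password in
    #    secrets.tdb under the literal dn string, so after respelling it the
    #    password has to be stored again with 'smbpasswd -w' (post #5).
    admin = conf.get("ldap admin dn", "")
    if admin not in dns:
        alt = _case_only_match(admin, dns)
        findings.append("ldap admin dn %r not found as written%s"
                        % (admin, "; directory has %r (case differs)" % alt if alt else ""))

    # 2. user and machine suffixes must be where the entries actually live.
    for key in ("ldap user suffix", "ldap machine suffix"):
        suffix = conf.get(key, "")
        if not any(dn.endswith("," + suffix) for dn in dns):
            alt = _case_only_match(suffix, {dn.split(",", 1)[1] for dn in dns})
            findings.append("%s %r matches no entry%s"
                            % (key, suffix, "; directory uses %r" % alt if alt else ""))

    # 3. joining as root (post #2) needs a root entry with samba attributes.
    root = [e for e in entries if e.get("uid") == ["root"]]
    if not root or "sambaSamAccount" not in root[0]["objectClass"]:
        findings.append("no sambaSamAccount entry for root")

    # 4. machine accounts: trailing '$', samba object class, workstation flag.
    msuffix = conf.get("ldap machine suffix", "").lower()
    for e in entries:
        if not e["dn"][0].lower().endswith(msuffix):
            continue
        uid = e.get("uid", [""])[0]
        flags = e.get("sambaAcctFlags", [""])[0]
        if not uid.endswith("$"):
            findings.append("machine account %r lacks the trailing '$'" % uid)
        if "sambaSamAccount" not in e.get("objectClass", []):
            findings.append("machine account %r has no sambaSamAccount data" % uid)
        elif "W" not in flags:
            findings.append("machine account %r is not flagged as a workstation: %s" % (uid, flags))
    return findings


if __name__ == "__main__":
    entries = parse_ldif(LDIF)
    for label, text in (("as posted", SMB_CONF_AS_POSTED), ("fixed", SMB_CONF_FIXED)):
        print("--", label)
        for f in check_join_prereqs(parse_smb_conf(text), entries) or ["ok"]:
            print("  ", f)
```

Run against the "as posted" fragment it reports the three ou= spelling mismatches and nothing else; against the corrected fragment it reports nothing. To use it on a real server, replace the LDIF constant with the output of an ldapsearch over the ldap suffix (secrets included, so keep the dump off shared disk) and the smb.conf constant with the real [global] section.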
 
Old 12-16-2003, 01:12 PM   #6
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 79
I think it should be:
[homes]

Not:
[home]
 
Old 12-16-2003, 08:23 PM   #7
bedwardj
LQ Newbie
 
Registered: Jun 2001
Location: Austin, TX
Distribution: None for now
Posts: 16

Original Poster
Rep: Reputation: 0
It is [homes] in my file, just a typo on my post.

I set browseable = no in the global section and will explicitly turn it on in each section. I am also using %u and took out the NET USE H: /HOME section in the logon.bat file. It all seems to be doing what I want now.

Thanks again.

-Brian
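Post #5 asks what separates %U, %S and %u, and post #7 settles on valid users = %u for [homes]. The model below is an added example, not code from the thread or from Samba, built only on the smb.conf(5) definitions of those variables (%U is the name the client asked to log in as, %u the unix user of the current service after the username map, %S the share name). The username map, user list, home paths and client name are constructed, and the model assumes a synthesised home share keeps the name the client typed, so %S and %u can differ when a username map is in play. What it shows is which connections each form of valid users admits at the Samba layer.

```python
"""Added example (not code from the thread or from Samba): a model of how
smbd expands %U, %u, %S and %m for a [homes] connection, following the
variable definitions in smb.conf(5).  Username map, user list, home paths
and client name are constructed."""

# Constructed username map (what /etc/samba/smbusers expresses as
# 'unixname = windowsname ...'), as a dict: unix name -> windows names.
USERNAME_MAP = {"brian": ("bedwardj", "BRIAN")}
# Constructed passwd data: unix user -> home directory.
UNIX_USERS = {"brian": "/home/brian", "alice": "/home/alice", "root": "/root"}


def map_username(name):
    """Apply the username map; names not in the map pass through unchanged."""
    for unix_name, windows_names in USERNAME_MAP.items():
        if name == unix_name or name in windows_names:
            return unix_name
    return name


def expand(template, ctx):
    """Substitute %U, %u, %S and %m from a connection context."""
    subst = {"%U": ctx["requested_user"],   # session user as the client sent it
             "%u": ctx["unix_user"],        # unix user after the username map
             "%S": ctx["service"],          # share (service) name
             "%m": ctx["client"]}           # client NetBIOS name
    for var, value in subst.items():
        template = template.replace(var, value)
    return template


def connect(shares, share_name, requested_user, client="winxp"):
    """Model a tree connect to `share_name` by `requested_user`.

    An explicitly defined share is used as-is.  Otherwise, if [homes] is
    defined and the requested name is (after the username map) a known unix
    user, a home share is synthesised from [homes] with that user's home as
    its path.  Assumption of this model: the synthesised share keeps the
    name the client typed, so %S is that typed name.  'valid users' is then
    expanded and compared with the unix user who connected.
    """
    unix_user = map_username(requested_user)
    if share_name in shares:
        params = dict(shares[share_name])
    elif "homes" in shares and map_username(share_name) in UNIX_USERS:
        params = dict(shares["homes"])
        params.setdefault("path", UNIX_USERS[map_username(share_name)])
    else:
        return {"service": None, "granted": False}
    ctx = {"requested_user": requested_user, "unix_user": unix_user,
           "service": share_name, "client": client}
    valid = expand(params.get("valid users", ""), ctx).split()
    return {
        "service": share_name,
        "path": expand(params.get("path", ""), ctx),
        "unix_user": unix_user,
        "valid users": valid,
        # an empty 'valid users' admits anyone who authenticated
        "granted": not valid or unix_user in valid,
    }


# Constructed share definitions: the two 'valid users' forms from the thread.
HOMES_S = {"homes": {"valid users": "%S", "browseable": "no"}}
HOMES_U = {"homes": {"valid users": "%u", "browseable": "no"}}

if __name__ == "__main__":
    cases = (("brian", "brian"), ("brian", "alice"), ("bedwardj", "bedwardj"))
    for shares, label in ((HOMES_S, "%S"), (HOMES_U, "%u")):
        for share, user in cases:
            r = connect(shares, share, user)
            print("valid users = %-2s  \\\\server\\%-9s as %-9s -> unix user %-6s granted=%s"
                  % (label, share, user, r.get("unix_user"), r["granted"]))
```

The run shows the trade-off behind post #7's choice. With valid users = %S, only the user the share is named after gets in, but a mapped Windows name (bedwardj) is rejected because %S carries the typed name while the connecting unix user is brian. With valid users = %u, the list always contains whoever connected, so alice's connection to \\server\brian passes the Samba-level check and only the unix modes on /home/brian stand between her and the files; anyone running [homes] with %u should confirm those modes are what they expect.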
 