LinuxQuestions.org
Latest LQ Deal: Linux Power User Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 12-12-2003, 04:53 PM   #1
bedwardj
LQ Newbie
 
Registered: Jun 2001
Location: Austin, TX
Distribution: None for now
Posts: 16

Rep: Reputation: 0
Adding Machine to domain with Samba 3 fails


I am having trouble getting this samba pdc up and running.

My setup is:

Red Hat Enterprise Linux 3
samba-3.0.0
opneldap-2.0.27

I cannot get my WinXP client to switch domains.

After trying to login as Administrator I get a message "Access is denied."

Trying root gets me "User name could not be found."

Here's what I've done:

1. Migrated user & group info from files to ldap with padl scripts.
2. Changed the authentication/info setting so pam and nss look to ldap.
3. Used smbtools from idealx.org to add samba user info.

From WinXP I can access shares on the Samba 3 PDC, but I just can't logon to the domain.

Here's the relevant parts of my smb.conf:

[global]

# Identification
workgroup = aecollab
server string = Samba Server %v

interfaces = eth0
hosts allow = 192.168.1. 127.
; name resolve order = wins lmhosts bcast

# PDC and Browsing
domain master = yes
local master = yes
preferred master = yes
domain logons = yes
os level = 99
remote browse sync = 192.168.1.255
remote announce = 192.168.1.255
wins support = yes
; wins server = 192.168.1.1

# Logging
log level = 10
log file = /var/log/samba/%m.log
max log size = 50 # in kilobytes

# Security
security = user
encrypt passwords = yes
; domain admin group = root brian # looks like this is depricated

# LDAP authenication
passdb backend = ldapsam:ldap://localhost
ldap admin dn = "uid=Administrator,ou=people,dc=aus,dc=aecollab,dc=com"
ldap machine suffix = "ou=machines,dc=aus,dc=aecollab,dc=com"
ldap user suffix = "ou=people,dc=aus,dc=aecollab,dc=com"
ldap group suffix = "ou=group,dc=aus,dc=aecollab,dc=com"
ldap idmap suffix = "ou=idmap,dc=aus,dc=aecollab,dc=com"
ldap ssl = off
ldap suffix = "dc=aus,dc=aecollab,dc=com"
ldap filter = "(&(uid=%u)(objectClass=sambaSamAccount))"
ldap passwd sync = yes

# Unix authenitcation
# smb passwd file = /etc/samba/smbpasswd
# unix password sync = yes
# passwd program = /usr/bin/passwd %u
# passwd chat = *New*UNIX*password* %n\n *ReType*new*UNIX*password* %n\n *
passwd:*all*authentication*tokens*updated*successfully*
; username map = /etc/samba/smbusers
; add user script = /usr/local/sbin/smbldap-useradd.pl -w %u
add machine script = /usr/local/sbin/smbldap-useradd.pl -w %u

I am struggling with whether or not I need to worry about mapping NT groups to unix groups. Things like idmap, net group add, etc.

Are there specific users & groups I need to make this work? Is there something on the client side that needs a tweak?

I have come along way, and feel like this is the last little bit.

Any help will be much appreciated.

-Brian
 
Old 12-13-2003, 08:57 AM   #2
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 66
Do you have a root samba account in the ldap server? Try adding one then join hte domain as root.
 
Old 12-15-2003, 11:56 AM   #3
bedwardj
LQ Newbie
 
Registered: Jun 2001
Location: Austin, TX
Distribution: None for now
Posts: 16

Original Poster
Rep: Reputation: 0
Here is what I have in the ldap server:

dn: uid=Administrator,ou=People,dc=aus,dc=aecollab,dc=com
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaLMPassword: <lmsecret>
sambaNTPassword: <ntsecret>
sambaPwdLastSet: 1071177378
userPassword: <unixsecret>
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
homeDirectory: /dev/null
loginShell: /sbin/nologin
sn: Administrator
cn: Administrator
description: Netbios Domain Administrator
displayName: Administrator
uid: Administrator
gidNumber: 512
gecos: Netbios Domain Administrator
sambaAcctFlags: [UX ]
uidNumber: 500
sambaPrimaryGroupSID: <sid>-1001
sambaSID: <sid>-1000
sambaDomainName: AECOLLAB

dn: uid=root,ou=People,dc=aus,dc=aecollab,dc=com
uid: root
cn: root
sn: root
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: sambaSamAccount
userPassword: <unixsecret>
shadowLastChange: 12373
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: root
sambaLMPassword: <lmsecret>
sambaNTPassword: <ntsecret>
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaAcctFlags: [UX ]
sambaPwdLastSet: 1147483647
sambaPrimaryGroupSID: <sid>-512
sambaSID: <sid>-512

dn: sambaDomainName=AECOLLAB,dc=aus,dc=aecollab,dc=com
sambaDomainName: AECOLLAB
sambaSID: <sid>
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain

dn: cn=Domain Admins,ou=Group,dc=aus,dc=aecollab,dc=com
objectClass: posixGroup
cn: Domain Admins
gidNumber: 512
memberUid: Administrator
memberUid: root
description: Netbios Domain Administrators (need smb.conf configuration)

dn: cn=root,ou=Group,dc=aus,dc=aecollab,dc=com
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: root
userPassword: {crypt}x
gidNumber: 0
sambaSID: <sid>-512
sambaGroupType: 2
displayName: root
description: Local Unix group

Is there something I'm missing or have incorrect?

Thanks,
Brian
 
Old 12-15-2003, 01:19 PM   #4
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 66
AFAIK it is case sensitive so "people" is not the same as "People". Try making the P uppercase in smb.conf then restart samba and try joining the domain as root.
 
Old 12-15-2003, 04:59 PM   #5
bedwardj
LQ Newbie
 
Registered: Jun 2001
Location: Austin, TX
Distribution: None for now
Posts: 16

Original Poster
Rep: Reputation: 0
I don't think the case-sensitivity was the issue. I did change the case in smb.conf to match the LDAP directory. After restarting, the logs showed that the binds failed. So, then I had to issue smbpasswd -w again to update the secrets file. That is case sensitive apparently. After that it would bind again, but return to the same problem.

I looked around some more and found that the smbldap-useradd.pl script has a portion commented out in the ADD MACHINE section. The script assumes that the sambaSamAccount info will be added for the machine when it initially joins the domain.

So, uncommented that portion of the script to let the script add the samba info. Then I deleted the machine accounts under the ou=Machines branch. Then ran smbldap-useradd.pl to add the machine. No problems.

The WinXP box then joined the domain using the root user without fail.

Now my problem is that I cannot get the user's home directory to load correctly.

I removed all the stuff related to logon home/path/script/drive from the ldap directory to let smb.conf handle it. I added logon drive = H: to smb.conf.

The homes section:
[home]
valid users = %S
browseable = no
; no explicit path info

From /var/netlogon/logon.bat
NET USE H: /HOME /YES

Whenever I login in the command window executing the logon.bat script asks for a valid username and password. Nothing works - even to browse to it.

So, I tried...
valid users = %U

This works except that in My Network Places you can see everyone's home directory. You can't access them, but you can see them. I thought that you were only supposed to see your own directory - not everyone else's.

This is a minor issue, but I'd like to understand the difference between %U, %S, and %u. The smb.conf man file does not explain these very well.

Thanks again,
Brian
 
Old 12-16-2003, 01:12 PM   #6
david_ross
Moderator
 
Registered: Mar 2003
Location: Scotland
Distribution: Slackware, RedHat, Debian
Posts: 12,047

Rep: Reputation: 66
I think it should be:
[homes]

Not:
[home]
 
Old 12-16-2003, 08:23 PM   #7
bedwardj
LQ Newbie
 
Registered: Jun 2001
Location: Austin, TX
Distribution: None for now
Posts: 16

Original Poster
Rep: Reputation: 0
It is [homes] in my file, just a typo on my post.

I turned browseable = no in the global section and will explicitly turn it on in each section. I am also using %u and took out the NET USE H: /HOME section in the logon.bat file. It all seems to be doing what I want now.

Thanks again.

-Brian
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Adding machine to Domain lapthorn Linux - Networking 2 03-19-2004 09:07 AM
Adding a Suse 9.0 machine to a windows domain Harry Seldon Linux - Newbie 1 02-26-2004 08:50 PM
trouble adding Xp machine to Domain redhattan Linux - Networking 2 12-28-2003 07:27 AM
Joining a machine from another domain to my linux samba domain acummins Linux - Networking 0 09-13-2003 07:07 AM
Problem in Adding a machine to Domain raviduvvuri Linux - Networking 3 12-05-2002 10:23 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 09:19 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration