OK, now the join to the domain works, but when I create a new user and try to log in to the Windows XP domain, Windows tells me "Unable to access. A peripheral is not working" (sorry for the poor translation, but my Windows is in Italian). In the samba logs I read this:
[2010/09/28 10:07:45.795892, 2] smbd/reply.c:536(reply_special)
  netbios connect: name1=MEDIADC 0x20 name2=TESTAFS 0x0
[2010/09/28 10:07:45.796139, 2] smbd/reply.c:547(reply_special)
  netbios connect: local=mediadc remote=testafs, name type = 0
[2010/09/28 10:07:45.799185, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2010/09/28 10:07:45.801093, 2] smbd/sesssetup.c:1390(setup_new_vc_session)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2010/09/28 10:07:45.801767, 2] lib/smbldap.c:950(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2010/09/28 10:07:45.865629, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: AFS
[2010/09/28 10:07:45.872442, 2] auth/auth.c:304(check_ntlm_password)
  check_ntlm_password: authentication for user [AFS] -> [AFS] -> [AFS] succeeded
[2010/09/28 10:07:45.872630, 1] rpc_server/srv_pipe_hnd.c:1602(serverinfo_to_SamInfo_base)
  _netr_LogonSamLogon: user MEDIADC\AFS has user sid S-1-5-21-3218914170-3340994528-1537192846-3010 but group sid S-1-5-21-1949818787-1514111066-129980733-513. The conflicting domain portions are not supported for NETLOGON calls

This is my testparm (currently):

[global]
        workgroup = MEDIADC
        netbios name = MEDIADC
        map to guest = Bad User
        passdb backend = ldapsam:ldap://afs-test.mediaservice-test.pri
        log level = 2
        printcap name = cups
        add user script = /usr/sbin/ldapsmb -a -u "%u" -smbacct --makehomedir --homedir /home/%u -f
        delete user script = /usr/sbin/ldapsmb -d -u "%u" -f
        add group script = /usr/sbin/ldapsmb -a -g "%g" -f
        delete group script = /usr/sbin/ldapsmb -d -g "%g" -f
        add user to group script = /usr/sbin/ldapsmb -j -u "%u" -g "%g" -f
        delete user from group script = /usr/sbin/ldapsmb -r -u "%u" -g "%g" -f
        add machine script = "/usr/sbin/ldapsmb -a -wks %u -f"
        logon path = \\%L\profiles\.msprofile
        logon drive = P:
        logon home = \\%L\%U\.9xprofile
        domain logons = Yes
        os level = 99
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap admin dn = cn=Administrator,dc=mediaservice-test,dc=pri
        ldap group suffix = ou=group
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=Machines
        ldap passwd sync = yes
        ldap suffix = dc=mediaservice-test,dc=pri
        ldap ssl = no
        ldap user suffix = ou=people
        usershare allow guests = Yes
        idmap backend = ldap:ldap://afs-test.mediaservice-test.pri
        cups options = raw

[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        read only = No
        inherit acls = Yes
        browseable = No

[profiles]
        comment = Network Profiles Service
        path = %H
        read only = No
        create mask = 0600
        directory mask = 0700
        store dos attributes = Yes

[users]
        comment = All users
        path = /home
        read only = No
        inherit acls = Yes
        veto files = /aquota.user/groups/shares/

[groups]
        comment = All groups
        path = /home/groups
        read only = No
        inherit acls = Yes

[printers]
        comment = All Printers
        path = /var/tmp
        create mask = 0600
        printable = Yes
        browseable = No

[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @ntadmin, root
        force group = ntadmin
        create mask = 0664
        directory mask = 0775

[netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        write list = root

How can I debug what is wrong? Any suggestion?

Cordially,

Claudio Prono.

Gaiseric Vandal wrote:
> Wait, you are using samba with an openldap backend.
>
> Why are you using useradd??? With this backend you need smbldap instead,
> like this:
>
> passdb backend = ldapsam:ldap://your ldap server
> ldap passwd sync = yes
> ldap delete dn = Yes
> ldap admin dn = cn=root,dc=domain,dc=com,dc=br
> ldap suffix = dc=domain,dc=com,dc=br
> ldap machine suffix = ou=Computers
> ldap user suffix = ou=Users
> ldap group suffix = ou=Groups
> ldap idmap suffix = sambaDomainName=DOMAIN
> idmap backend = ldap:ldap://ldap server
> idmap alloc backend = ldap:ldap://ldap server
> idmap uid = 1000-20000
> idmap gid = 1000-20000
> idmap alloc config:range = 1000-20000
> ldap timeout = 15
> ldap connection timeout = 2
> ldap page size = 1024
>
> # add/remove users
> add user script = /usr/sbin/smbldap-useradd -m "%u"
> delete user script = /usr/sbin/smbldap-userdel "%u"
> # add/remove Groups
> add group script = /usr/sbin/smbldap-groupadd -p "%g"
> delete group script = /usr/sbin/smbldap-groupdel "%g"
> # add/remove user in groups
> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
> # define primary group of user
> set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
> # add machines in domain
> add machine script = /usr/sbin/smbldap-useradd -i -w "%u"
>
> regards
>
> On Mon, Sep 27, 2010 at 12:15 PM, Gaiseric Vandal
> <gaiseric.van...@gmail.com> wrote:
>> Your user script may be adding a LOCAL unix account (in /etc/passwd). Do
>> you see the accounts in there? You may need a custom script that adds the
>> accounts to ldap.
>>
>> The following may help
>>
>> https://gna.org/projects/smbldap-tools/
>>
>> Remember that being root on your unix system does not automatically make
>> you LDAP admin.
>>
>> If you have a single server then having your unix may be OK- samba will
>> match the samba user to the unix user via the user id. I have multiple
>> servers so I use LDAP for unix accounts (previously used NIS.) So now an
>> LDAP user has both windows and unix account info.
>>
>> On 09/27/2010 11:08 AM, Claudio Prono wrote:
>>>
>>> Gaiseric Vandal wrote:
>>>>
>>>> Do you have an underlying unix account for the pc (eg SOMEMACHINE$)
>>>>
>>>> It is possible to configure scripts so that the unix account is created
>>>> by samba if necessary when samba creates the "Windows" account for the
>>>> machine. I don't have it set up this way, so I need to create the
>>>> unix account 1st.
>>>>
>>>
>>> add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
>>>
>>> This script automatically adds the machine if needed, or am I wrong?
>>>
>>>> Also, I found that since the underlying unix OS may need to validate the
>>>> machine account, I put my machine accounts in either the same ldap ou
>>>> as people (or in a sub ou.) ("getent passwd" command may need to show
>>>> your machine accounts as well as people accounts.)
>>>>
>>>> If you have manually created the unix account for the machine, can you
>>>> then manually create the samba account for it
>>>>
>>>> e.g. smbpasswd -m -a SOMEMACHINE
>>>>
>>>> (I think you leave the $ off.)
>>>>
>>>> I use LDAP for both "unix" and "windows" clients so my config choices
>>>> may not be applicable to a windows-only client environment.
>>>>
>>>> On 09/27/2010 09:59 AM, Claudio Prono wrote:
>>>>>

-- 
--------------------------------------------------------------------------------
Claudio Prono                      OPST System Developer
Gsm: +39-349-54.33.258             @PSS Srl
Tel: +39-011-32.72.100             Via San Bernardino, 17
Fax: +39-011-32.46.497             10141 Torino - ITALY
http://atpss.net/disclaimer
--------------------------------------------------------------------------------
PGP Key - http://keys.atpss.net/c_prono.asc
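Added example, not part of this thread and not the poster's or Samba's code: a small Python check for the SID mismatch that the level-1 smbd message above reports. It pulls the two SIDs out of the _netr_LogonSamLogon line, splits each into its domain portion (S-1-5-21-a-b-c) and RID, and flags a primary-group SID whose domain portion differs from the user's. The same check is then run over LDAP-style entries shaped like the sambaSID / sambaPrimaryGroupSID attributes ldapsearch would return; those entries, the optional comparison against the domain's own sambaSID, and the "expected_group_sid" value (the group SID rewritten into the user's domain, for comparison only) are my own illustration, not anything taken from the poster's directory.

```python
import re

# Log line copied from the smbd excerpt in the post above (level-1 message
# from serverinfo_to_SamInfo_base).
SAMPLE_LOG = (
    "[2010/09/28 10:07:45.872630, 1] rpc_server/srv_pipe_hnd.c:1602"
    "(serverinfo_to_SamInfo_base) _netr_LogonSamLogon: user MEDIADC\\AFS "
    "has user sid S-1-5-21-3218914170-3340994528-1537192846-3010 but group "
    "sid S-1-5-21-1949818787-1514111066-129980733-513. The conflicting "
    "domain portions are not supported for NETLOGON calls"
)

# Constructed LDAP entries (NOT from the post), shaped like the attributes
# ldapsearch returns for sambaSamAccount objects; only the fields the check
# needs are present. The first mirrors the SIDs seen in the log line.
SAMPLE_ENTRIES = [
    {"uid": "afs",
     "sambaSID": "S-1-5-21-3218914170-3340994528-1537192846-3010",
     "sambaPrimaryGroupSID": "S-1-5-21-1949818787-1514111066-129980733-513"},
    {"uid": "alice",
     "sambaSID": "S-1-5-21-3218914170-3340994528-1537192846-3012",
     "sambaPrimaryGroupSID": "S-1-5-21-3218914170-3340994528-1537192846-513"},
]

# S-1-5-21-<a>-<b>-<c> is the domain portion; the trailing number is the RID.
SID_RE = re.compile(r"S-1-5-21(?:-\d+){3}-\d+")
LOG_RE = re.compile(
    r"user (?P<user>\S+) has user sid (?P<usid>S-[\d-]+) "
    r"but group sid (?P<gsid>S-[\d-]+)"
)


def split_sid(sid):
    """Return (domain_sid, rid) for a SID of the form S-1-5-21-a-b-c-rid."""
    if not SID_RE.fullmatch(sid):
        raise ValueError(f"not a domain SID with RID: {sid!r}")
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)


def check_sid_pair(user_sid, group_sid):
    """Compare the domain portions of a user SID and its primary-group SID.

    'expected_group_sid' is the group SID rewritten into the user's domain
    with the RID unchanged: a value to compare against what the directory
    holds, not a statement of what the fix must be.
    """
    user_domain, _ = split_sid(user_sid)
    group_domain, group_rid = split_sid(group_sid)
    return {
        "user_domain": user_domain,
        "group_domain": group_domain,
        "consistent": user_domain == group_domain,
        "expected_group_sid": f"{user_domain}-{group_rid}",
    }


def check_log_line(line):
    """Extract both SIDs from an _netr_LogonSamLogon log line and check them.

    Returns None for lines that are not that message.
    """
    m = LOG_RE.search(line)
    if m is None:
        return None
    result = check_sid_pair(m.group("usid"), m.group("gsid"))
    result["user"] = m.group("user")
    return result


def audit_entries(entries, domain_sid=None):
    """Return [(uid, problem)] for entries whose SIDs do not line up.

    If domain_sid (the sambaSID of the sambaDomainName object) is given,
    every user's domain portion is also checked against it, which catches
    accounts minted under an old domain SID before a logon attempt does.
    """
    problems = []
    for e in entries:
        uid = e.get("uid", "?")
        try:
            r = check_sid_pair(e["sambaSID"], e["sambaPrimaryGroupSID"])
        except (KeyError, ValueError) as exc:
            problems.append((uid, f"unusable SID attributes: {exc}"))
            continue
        if not r["consistent"]:
            problems.append((uid, "sambaPrimaryGroupSID is in domain "
                             f"{r['group_domain']}, user is in {r['user_domain']}"))
        if domain_sid is not None and r["user_domain"] != domain_sid:
            problems.append((uid, f"sambaSID is not under domain {domain_sid}"))
    return problems


if __name__ == "__main__":
    print(check_log_line(SAMPLE_LOG))
    for uid, problem in audit_entries(
            SAMPLE_ENTRIES, "S-1-5-21-3218914170-3340994528-1537192846"):
        print(f"{uid}: {problem}")
```

Run against the log line from the post it reports the user as inconsistent and names the two domain portions; fed the output of an ldapsearch over the people ou (converted to dicts) and the domain's own sambaSID, audit_entries lists every account whose sambaSID or sambaPrimaryGroupSID sits under a different domain SID, which is the thing to look at before touching any entry.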