On Mon, 2004-08-02 at 18:15, William Jojo wrote:
> I have Samba 3.0.4 with LDAP, *no* winbind running on AIX 5.2.
>
> My workstation joined the domain!!! woohoo! But before I get too excited,
> I still have a fundamental issue to overcome. Please read on...
>
> Ok, I know what the following snippet means now!
>
> [2004/08/02 07:53:47, 2] passdb/pdb_ldap.c:init_sam_from_ldap(483)
> init_sam_from_ldap: Entry found for user: CRP4$
> [2004/08/02 07:53:47, 4] lib/substitute.c:automount_server(323)
> Home server: hvdev
> [2004/08/02 07:53:47, 4] lib/substitute.c:automount_server(323)
> Home server: hvdev
> [2004/08/02 07:53:47, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
> pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2004/08/02 07:53:47, 5] rpc_parse/parse_samr.c:init_samr_r_lookup_names(4709)
> init_samr_r_lookup_names
> [2004/08/02 07:53:47, 5] rpc_server/srv_samr_nt.c:_samr_lookup_names(1445)
> _samr_lookup_names: 1445
> [2004/08/02 07:53:47, 5] rpc_parse/parse_prs.c:prs_debug(82)
> 000000 samr_io_r_lookup_names
> [2004/08/02 07:53:47, 5] rpc_parse/parse_prs.c:prs_uint32(635)
> 0000 num_rids1: 00000000
> [2004/08/02 07:53:47, 5] rpc_parse/parse_prs.c:prs_uint32(635)
> 0004 ptr_rids : 00000000
> [2004/08/02 07:53:47, 5] rpc_parse/parse_prs.c:prs_uint32(635)
> 0008 num_types1: 00000000
> [2004/08/02 07:53:47, 5] rpc_parse/parse_prs.c:prs_uint32(635)
> 000c ptr_types : 00000000
> [2004/08/02 07:53:47, 5] rpc_parse/parse_prs.c:prs_ntstatus(665)
> 0010 status: NT_STATUS_NONE_MAPPED
> [2004/08/02 07:53:47, 5] rpc_server/srv_pipe.c:api_rpcTNP(1575)
> api_rpcTNP: called samr successfully
>
> It means that the SID portion of the sambaSID attribute of the machine account
> in LDAP did not match the server's (no really, I did it on purpose).
>
> Perhaps I should explain further what I'm trying to do here. I have one
> big LDAP server. It has all the posix/samba accounts for everyone on
> campus. I've created all the LDAP entries programmatically, including the
> IDMAP entries.
>
> The idea is to have one LDAP database support up to 7 domains at this
> point. There are several operational and political reasons for this number
> of domains. I think I understand now that IDMAP only provides consistency
> to the uid/gid mappings - NOT a way to make a DC believe that a
> machine/user belongs to a domain.
>
> When the sambaSamAccount entry for CRP4$ had its sambaSID value set to an
> arbitrary SID value (preserving the algorithmic RID), it refused to join, as
> shown by the aforementioned log dump. When I altered the entry to be
> consistent with the PDC's SID, it joined without batting an eye.
>
> Is there a way to have the workstation join any domain regardless of its
> sambaSID value for the sambaSamAccount? Or am I trying to do too much
> with one DIT?
>
> The other reason I ask is that we allow users to cross domains with
> different roaming profiles, preserving the same authentication info from a
> single smbpasswd database shared over NFS *today*. In LDAP, this is going
> to become much more complicated for me, is it not?
>
> This could be really bad since we have 19306 records in our smbpasswd we'd
> like to move to LDAP, but preserve the single password "feature" we've
> enjoyed for so long.
>
> If the Samba gurus have any ideas how to overcome this, I would be deeply
> grateful. Or, do I owe my server an apology? ;)

Hmm, what about solving this with domain trusts? I'm not sure if that would work, but it might.

Tarjei

> Bill
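A consistency check for the situation Bill describes, added here as an example and not code from the thread or from Samba itself: it walks sambaSamAccount entries and flags any whose sambaSID does not sit under the PDC's domain SID (the mismatch behind the NT_STATUS_NONE_MAPPED in the quoted log), and warns where the RID is not the algorithmic one. The PDC domain SID and the entries are constructed sample values, and the RID check assumes Samba's default "algorithmic rid base" of 1000.

```python
import re

# Constructed sample data (not from the thread). The PDC's domain SID is a
# hypothetical value; the entries mirror the sambaSamAccount objects Bill
# describes, with one machine account given a SID from some other domain.
PDC_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"

SAMPLE_ENTRIES = [
    {"uid": "crp4$", "uidNumber": 1001,
     "sambaSID": "S-1-5-21-1111111111-2222222222-3333333333-3002"},
    {"uid": "lab9$", "uidNumber": 1002,
     "sambaSID": "S-1-5-21-4444444444-5555555555-6666666666-3004"},
    {"uid": "bill", "uidNumber": 500,
     "sambaSID": "S-1-5-21-1111111111-2222222222-3333333333-2000"},
    {"uid": "odd$", "uidNumber": 1003, "sambaSID": "garbage"},
]

# A Samba domain SID is S-1-5-21-<a>-<b>-<c>; an account SID appends the RID.
_ACCOUNT_SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def split_sid(sid):
    """Return (domain_sid, rid) for an account SID, or None if malformed."""
    m = _ACCOUNT_SID_RE.match(sid)
    if not m:
        return None
    return m.group(1), int(m.group(2))


def algorithmic_user_rid(uid_number, rid_base=1000):
    """Samba's classic algorithmic mapping for users: uid * 2 + rid base."""
    return uid_number * 2 + rid_base


def check_entries(entries, domain_sid):
    """Return [(uid, reason)] for entries inconsistent with domain_sid or
    with the algorithmic RID for their uidNumber."""
    problems = []
    for e in entries:
        parts = split_sid(e["sambaSID"])
        if parts is None:
            problems.append((e["uid"], "malformed sambaSID"))
            continue
        entry_domain, rid = parts
        if entry_domain != domain_sid:
            # The case in the log: the entry exists, but its SID belongs to
            # another domain, so the DC's SAMR name lookup maps nothing.
            problems.append((e["uid"], "sambaSID domain %s != PDC %s"
                             % (entry_domain, domain_sid)))
        elif rid != algorithmic_user_rid(e["uidNumber"]):
            problems.append((e["uid"], "RID %d is not the algorithmic RID %d"
                             % (rid, algorithmic_user_rid(e["uidNumber"]))))
    return problems
```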