[Samba] Re: Migration to Samba

2004-12-16 Thread ksun
Basically you need to change the registry to point the profile directory
back to the old place. Here is what I got from the net a while ago. Hope it
helps.
-- Kang



Have you ever had a profile problem? No, not you, never. You have a laptop
or a regular computer that was in a domain, but now does not have access to
the domain. Below are the steps to allow you to control that profile
information.

1)  Log on as WORKGROUP\USERID
a)  Check to see what directory gets created under C:\Documents and
Settings.
- most likely will be USERID.WORKGROUP or USERID.WORKGROUP.000
 This is the path you will CHANGE in the registry in a later step
b)  Check old DOMAIN directory
- most likely will be C:\Documents and Settings\USERID
 This is the path you will USE in the registry in a later step

2)  Log out & log in as Local Administrator or Domain Admin

3)  Add WORKGROUP\USERID to Local Administrators Group

4)  Check number of profiles under User Profiles tool
Windows 2000 -> Right Mouse Click on My Computer -> User Profiles
Windows XP -> Right Mouse Click on My Computer -> Advanced - User Profiles ->
Settings
Should see two profiles - DOMAIN\USERID and WORKGROUP\USERID

5)  Open Registry - REGEDIT
a)  Go to this key
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

b)  Find DOMAIN SID - Look for the path in Step 1b under the
ProfileImagePath key

c)  Find WORKGROUP SID - Look for the path in Step 1a under the
ProfileImagePath key

d)  Highlight ProfileImagePath key in right-hand window for WORKGROUP
SID
Double-click and change path to match old DOMAIN path noted above in Step
1b.
- will most likely be %SystemDrive%\Documents and Settings\USERID
- This path is case sensitive

e)  Find DOMAIN SID
Highlight SID in left-hand window and Delete

6)  Log out & log in as WORKGROUP\USERID

7)  Check number of profiles under User Profiles tool
 Should see only one profile now - WORKGROUP\USERID

This will also work if you are moving from one domain to another. Just
substitute new domain for WORKGROUP.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


[Samba] can Same SID but different domain name coexist

2004-12-15 Thread ksun
Hello

Can two PDCs of different domain names but the same domain SID
coexist in the same network?

We are running Windows 2000 AD/PDC, but we do not use any of the
AD's features. We don't even run roaming profiles. We would like to
migrate everything to a Samba NT4-style PDC.
I can migrate as much information as possible to a Samba PDC;
unfortunately, all 2000/XP clients cannot log in to the domain unless they
rejoin the domain (yes, they recognize the fact that the domain controller is
downgraded to pre-2000 style).

My brief tests show that the machine SID won't change after rejoining
the domain. So the current plan is to make every client rejoin the domain.

Two questions:

1. Can I script to remotely rejoin every client machine (without
walking to every machine and rebooting it twice)?

2. We would like to have both servers (2000 AD/PDC and Samba PDC)
up at the same time so we can switch client machines from one server to
another one by one or a few at a time. Two PDCs of the same domain will for sure
confuse things. What about two different domains with the same domain SID?
When the client joins the domain, does it look for the domain name or the
domain SID?

Thank you for your help.

-- Kang




[Samba] Re: How to configure Samba 3 as PDC and BDC for a Windows network

2004-09-17 Thread ksun
Hello John,

I also like your books "Samba-3 by Example" and "The Official
Samba-3 Howto and Reference Guide".

Between these books, I managed to test the procedure of migrating
our existing NT4 PDC to a Samba PDC.

The migration is successful for the most part. I am able to
verify that the users/group SIDs/passwords are correct.

However, Windows 2000/XP computers failed to find the samba Domain
Controller. They can rejoin the domain without any problem.

I verified that the SIDs in 2000/XP are the same as the
corresponding ones in the LDAP backend and there is a SambaNTPassword entry, but
I don't have a way to check if they are migrated correctly.

I have no clue how Windows 2000/XP determines if an expected domain
is available and what the conversations between the workstation,
samba, and ldap are. I monitored the tcpdump between the time a Windows XP
started logging in as a domain user and the time it failed, not being able
to find a domain; most of the traffic is to the LDAP server. What was it
looking for?

I believe eventually I would see a session in your books on What
Went Wrong With Migration (WWWM). Can I have a preview of that session
now???

Thank you very much!

-- Kang Sun
[EMAIL PROTECTED]




[Samba] No Domain Controller, Please help to interpret tcpdump

2004-09-15 Thread ksun
Greetings!

   I am still struggling with the issue that after vampiring from an NT4
domain to Samba 3.0.7 with ldap backend, Windows XP cannot find the domain
controller.

   In particular, WXP is an XP Prof which is signed in to the AB_INITIO_DOM domain.
After the migration I put the Samba Server (Priscilla) and WXP in an
isolated network, and started up Priscilla as PDC for the network. But WXP
complains that "the domain controller" is not available.

   But WXP can re-join the domain with no problem; so apparently the
domain controller is there.

   I verified that WXP's SID is consistent with that in the ldap
database and all the user passwords are migrated OK.

   So I tried to use tcpdump to figure out the interaction between WXP and
the Samba Server; all I can see are some requests to the ldap server at port 138
(the ldap server is the same as the samba server).

   Could someone please help me to interpret the following tcpdump and
tell me where/how/when WXP is searching for the domain controller and why
it failed? Or could someone suggest a better way to debug this issue?

   Thank you a bunch!!!

--- Kang Sun

 

11:33:40.776223 00:0c:29:0a:fa:0b > 00:50:2c:04:14:e8, ethertype IPv4 
(0x0800), length 97: IP (tos 0x0, ttl 128, id 374, offset 0, flags [none], 
proto 17, length: 83) 10.50.21.62.1026 > 10.50.30.32.domain:  33+[|domain]
11:33:40.776792 00:50:2c:04:14:e8 > 00:0c:29:0a:fa:0b, ethertype IPv4 
(0x0800), length 97: IP (tos 0x0, ttl  64, id 147, offset 0, flags [DF], 
proto 17, length: 83) 10.50.30.32.domain > 10.50.21.62.1026:  33 ServFail 
q:[|domain]
11:33:40.778876 00:0c:29:0a:fa:0b > 00:50:2c:04:14:e8, ethertype IPv4 
(0x0800), length 269: IP (tos 0x0, ttl 128, id 376, offset 0, flags 
[none], proto 17, length: 255) 10.50.21.62.netbios-dgm > 
10.50.30.32.netbios-dgm: 
>>> NBT UDP PACKET(138) Res=0x110E ID=0x8147 IP=10 (0xa).50 (0x32).21 
(0x15).62 (0x3e) Port=138 (0x8a) Length=213 (0xd5) Res2=0x0
SourceName=WXP NameType=0x00 (Workstation)
DestName=
WARNING: Short packet. Try increasing the snap length


11:33:40.780490 00:50:2c:04:14:e8 > 00:0c:29:0a:fa:0b, ethertype IPv4 
(0x0800), length 280: IP (tos 0x0, ttl  64, id 462, offset 0, flags [DF], 
proto 17, length: 266) 10.50.30.32.netbios-dgm > 10.50.21.62.netbios-dgm: 
>>> NBT UDP PACKET(138) Res=0x100A ID=0x49FD IP=10 (0xa).50 (0x32).30 
(0x1e).32 (0x20) Port=138 (0x8a) Length=224 (0xe0) Res2=0x0
SourceName=PRISCILLA   NameType=0x00 (Workstation)
DestName=
WARNING: Short packet. Try increasing the snap length


11:33:40.780936 00:50:2c:04:14:e8 > 00:0c:29:0a:fa:0b, ethertype IPv4 
(0x0800), length 280: IP (tos 0x0, ttl  64, id 463, offset 0, flags [DF], 
proto 17, length: 266) 10.50.30.32.netbios-dgm > 10.50.21.62.netbios-dgm: 
>>> NBT UDP PACKET(138) Res=0x100A ID=0x49FE IP=10 (0xa).50 (0x32).30 
(0x1e).32 (0x20) Port=138 (0x8a) Length=224 (0xe0) Res2=0x0
SourceName=PRISCILLA   NameType=0x00 (Workstation)
DestName=
WARNING: Short packet. Try increasing the snap length


11:33:41.390717 00:0c:29:0a:fa:0b > 00:50:2c:04:14:e8, ethertype IPv4 
(0x0800), length 93: IP (tos 0x0, ttl 128, id 377, offset 0, flags [none], 
proto 17, length: 79) 10.50.21.62.1095 > 10.50.30.32.domain: [udp sum ok] 
20+ SRV? _ldap._tcp.dc._msdcs.ABINITIO.COM. (51)
11:33:41.391125 00:50:2c:04:14:e8 > 00:0c:29:0a:fa:0b, ethertype IPv4 
(0x0800), length 93: IP (tos 0x0, ttl  64, id 148, offset 0, flags [DF], 
proto 17, length: 79) 10.50.30.32.domain > 10.50.21.62.1095: [udp sum ok] 
20 ServFail q: SRV? _ldap._tcp.dc._msdcs.ABINITIO.COM. 0/0/0 (51)
11:33:41.392415 00:0c:29:0a:fa:0b > 00:50:2c:04:14:e8, ethertype IPv4 
(0x0800), length 92: IP (tos 0x0, ttl 128, id 378, offset 0, flags [none], 
proto 17, length: 78) 10.50.21.62.netbios-ns > 10.50.30.32.netbios-ns: 
[udp sum ok] 
>>> NBT UDP PACKET(137): QUERY; REQUEST; UNICAST
TrnID=0x8149
OpCode=0
NmFlags=0x10
Rcode=0
QueryCount=1
AnswerCount=0
AuthorityCount=0
AddressRecCount=0
QuestionRecords:
Name=AB_INITIO_DOM   NameType=0x1C (Unknown)
QuestionType=0x20
QuestionClass=0x1


11:33:41.393080 00:50:2c:04:14:e8 > 00:0c:29:0a:fa:0b, ethertype IPv4 
(0x0800), length 104: IP (tos 0x0, ttl  64, id 649, offset 0, flags [DF], 
proto 17, length: 90) 10.50.30.32.netbios-ns > 10.50.21.62.netbios-ns: 
>>> NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE; UNICAST
TrnID=0x8149
OpCode=0
NmFlags=0x58
Rcode=0
QueryCount=0
AnswerCount=1
AuthorityCount=0
AddressRecCount=0

ResourceRecords:
Name=AB_INITIO_DOM   NameType=0x1C (Unknown)
ResType=0x20
ResClass=0x1
TTL=258976 (0x3f3a0)
ResourceLength=0
ResourceData=
AdditionalData:
Data: (6 bytes)
[000] 11 00 00 00 70 31 \021\000\000\000p1 



11:33:41.394617 00:0c:29:0a:fa:0b > 00:50:2c:04:14:e8, ethertype IPv4 
(0x0800), length 296: IP (tos 0x0, ttl 128, id 380, offset 0, flags 
[none], proto 17, length: 282) 10.50.21.62.netbios-dgm > 
10.50.30.32.netbios-dgm: 
>>> NBT UDP PACKET(138) Res=0x110E ID=0x8148 IP=10 (0xa).50 (0x32).21 
(0x15).62 (0x3e) 
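The dump above shows the two lookups the XP client makes for a domain controller: a DNS SRV query for _ldap._tcp.dc._msdcs.ABINITIO.COM (answered ServFail) and then a unicast NetBIOS name query to 10.50.30.32 for AB_INITIO_DOM with suffix 0x1C, the group name domain controllers register, which PRISCILLA answers positively. The following Python is an added example, not code from the post, that builds and decodes that NBNS exchange; the response bytes are constructed here (NB_FLAGS 0x8000 = group name), with the transaction ID, IP and TTL taken from the dump.

```python
"""Encode/decode the NetBIOS Name Service (UDP/137) exchange a Windows client
uses to find domain controllers: a NAME QUERY for the group name <DOMAIN><1C>.
Added example; the sample packets are constructed from the names/IPs in the
post, not captured from it."""
import struct
from dataclasses import dataclass

DC_GROUP_SUFFIX = 0x1C          # 16th name byte: "domain controllers" group name
QTYPE_NB, QCLASS_IN = 0x20, 0x01

def encode_netbios_name(name: str, suffix: int) -> bytes:
    """RFC 1001 first-level encoding: pad the name to 15 bytes, append the
    suffix byte, then write each byte as two nibbles offset from 'A'."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    half_ascii = bytes(ord("A") + n for b in raw for n in (b >> 4, b & 0x0F))
    return bytes([32]) + half_ascii + b"\x00"      # one 32-byte label, then root

def decode_netbios_name(label: bytes) -> tuple[str, int]:
    """Inverse of encode_netbios_name; returns (name, suffix)."""
    if len(label) < 34 or label[0] != 32 or label[33] != 0:
        raise ValueError("not a single 32-byte NetBIOS label")
    pairs = zip(label[1:33:2], label[2:34:2])
    raw = bytes(((hi - 65) << 4) | (lo - 65) for hi, lo in pairs)
    return raw[:15].decode("ascii").rstrip(" "), raw[15]

@dataclass
class NbnsHeader:
    trn_id: int
    response: bool
    opcode: int
    nm_flags: int      # AA=0x40 TC=0x20 RD=0x10 RA=0x08 B=0x01 (tcpdump's NmFlags)
    rcode: int
    counts: tuple      # (question, answer, authority, additional)

def parse_header(pkt: bytes) -> NbnsHeader:
    """Split the 12-byte NBNS header: R(1) OPCODE(4) NM_FLAGS(7) RCODE(4)."""
    trn_id, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    return NbnsHeader(trn_id, bool(flags >> 15), (flags >> 11) & 0xF,
                      (flags >> 4) & 0x7F, flags & 0xF, (qd, an, ns, ar))

def build_dc_query(domain: str, trn_id: int) -> bytes:
    """Unicast NAME QUERY REQUEST for <domain><1C>, as the XP client sent it."""
    flags = 0x10 << 4                               # OPCODE=0, NM_FLAGS=RD only
    hdr = struct.pack("!6H", trn_id, flags, 1, 0, 0, 0)
    question = struct.pack("!HH", QTYPE_NB, QCLASS_IN)
    return hdr + encode_netbios_name(domain, DC_GROUP_SUFFIX) + question

def build_dc_response(query: bytes, dc_ip: str, ttl: int) -> bytes:
    """POSITIVE NAME QUERY RESPONSE: echo the name, one NB record whose RDATA
    is NB_FLAGS (G=1 group name, B-node) followed by the DC's IPv4 address."""
    q = parse_header(query)
    flags = (1 << 15) | (0x58 << 4)                 # response, AA|RD|RA, RCODE 0
    hdr = struct.pack("!6H", q.trn_id, flags, 0, 1, 0, 0)
    name = query[12:46]
    rdata = struct.pack("!H", 0x8000) + bytes(int(o) for o in dc_ip.split("."))
    rr = struct.pack("!HHIH", QTYPE_NB, QCLASS_IN, ttl, len(rdata)) + rdata
    return hdr + name + rr

def parse_dc_response(pkt: bytes) -> dict:
    """Return the domain name, suffix, TTL and DC addresses from a response."""
    h = parse_header(pkt)
    if not h.response or h.rcode != 0 or h.counts[1] != 1:
        raise ValueError("not a positive name query response")
    name, suffix = decode_netbios_name(pkt[12:46])
    _rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[46:56])
    rdata = pkt[56:56 + rdlen]
    addrs = []
    for off in range(0, rdlen, 6):                  # 2-byte NB_FLAGS + 4-byte IP
        nb_flags = struct.unpack("!H", rdata[off:off + 2])[0]
        ip = ".".join(str(b) for b in rdata[off + 2:off + 6])
        addrs.append({"ip": ip, "group": bool(nb_flags & 0x8000)})
    return {"name": name, "suffix": suffix, "ttl": ttl, "addrs": addrs}

if __name__ == "__main__":
    # Constructed replay of the exchange in the dump: WXP asks for
    # AB_INITIO_DOM<1C> (TrnID 0x8149); PRISCILLA at 10.50.30.32 answers.
    q = build_dc_query("AB_INITIO_DOM", 0x8149)
    r = build_dc_response(q, "10.50.30.32", 258976)
    print(parse_header(q))
    print(parse_dc_response(r))
```

A positive <1C> answer is unauthenticated and only tells the client which hosts claim to be domain controllers; trust is established afterwards over the netlogon secure channel, so unexpected <1C> responders on a segment are worth alerting on.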

[Samba] Re: machine account with w2k

2004-09-13 Thread ksun
As I remember, smbusers by default maps root to Administrator.
-- Kang



[Samba] Re: Could not create posix account info

2004-09-13 Thread ksun
> When I do a slapcat, I am able to see the users user1, user2,
> user3...user9.

> But when I try to authenticate from a WIN NT WORKSTATION with
> user9/password, (with the NT4 shutdown and samba acting as a BDC)

> I am able to login only with the cached profile.

Use 'smbldap_usershow.pl user1'
to see if you have both sambaUID and UID for user1. You are supposed to have
both after vampiring.
Also, do the same with workstation names to see if you have the
sambaNTPassword entry filled up.
Notice the SID numbers, whether they are as expected.

-- Kang





[Samba] Re: PDC from 2 to 3, SID headaches

2004-09-13 Thread ksun
> Where does Samba 3 store the domain SID? I tried deleting
/etc/samba/secrets.tdb, to no avail.

Indeed the SID is stored in this database. You can use tdbdump to see what is
in it.
I don't think you need the smbpasswd -X if you are configuring a PDC.
'net rpc getsid' will get the domain SID and set it as your local SID.
That is my understanding anyway.

-- Kang




[Samba] Re: vampire failed for undefined value sambaSID

2004-07-22 Thread ksun
Greetings,
The problem I had, "Can't call method "get_value" on an undefined
value" for 'sambaSID', was due to the fact that the initial ldap was not
preloaded with enough entries. I don't know what entry was missing.
According to Samba-3 by Example, Chapter 8, I preloaded the ldap
with the preload.LDIF file and then started the migration; I got the
sambaSID undefined error.
Now I ran smbldap-populate.pl to populate the ldap database;
certain entries are pre-existing, and the vampiring process seems to create all
users, except that for every user I got

"Creating account: bromley
[2004/07/22 13:14:11, 0]
passdb/pdb_ldap.c:ldapsam_add_sam_account(1573)
ldapsam_add_sam_account: User 'bromley' already in the base, with
samba attributes"

Does this message matter?

The preload.LDIF has the following entries; would somebody please tell me
what entry is missing? Thanks!

-- Kang Sun

=
dn: dc=ab,dc=com
objectClass: dcObject
objectClass: organization
dc: ab
o: ab
description: POSIX and Samba LDAP Identity Database
structuralObjectClass: organization

dn: cn=Manager,dc=ab,dc=com
objectClass: organizationalRole
cn: Manager
structuralObjectClass: organizationalRole

dn: ou=Users,dc=ab,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Users
structuralObjectClass: organizationalUnit

dn: ou=People,dc=ab,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People
structuralObjectClass: organizationalUnit

dn: ou=Computers,dc=ab,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Computers
structuralObjectClass: organizationalUnit

dn: ou=Groups,dc=ab,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Groups
structuralObjectClass: organizationalUnit

dn: ou=Idmap,dc=ab,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Idmap
structuralObjectClass: organizationalUnit

dn: ou=Domains,dc=ab,dc=com
objectClass: organizationalUnit
ou: Domains
structuralObjectClass: organizationalUnit
==


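As an added example (not code from these posts or from the smbldap-tools project), the following Python reads a preload LDIF such as the one quoted above and runs the checks this thread and the "Could not create posix account info" reply above call for: that the containers exist, that a posixGroup carrying a sambaSID exists for the primary gidNumber smbldap-useradd will assign to new users (Perl raises the quoted "undefined value" error at `$group_entry->get_value('sambaSID')` exactly when that group lookup returned nothing), and that every sambaSamAccount has uidNumber, sambaSID and sambaNTPassword. The default gid 513 and the sample group/user entries are assumptions constructed for the example.

```python
"""Check a preload LDIF for what the smbldap-tools scripts run by 'net rpc
vampire' need.  Added example, not from the post or the smbldap-tools project.
Perl raises "Can't call method get_value on an undefined value" when
$group_entry is undef, i.e. smbldap-useradd found no group entry for the
primary gidNumber it gives new users; so the check resolves that group and
also verifies each sambaSamAccount carries uidNumber, sambaSID and
sambaNTPassword (the attributes the 'Could not create posix account info'
reply suggests inspecting).  Sample LDIF is constructed below."""
import re
from collections import defaultdict

SUFFIX = "dc=ab,dc=com"
CONTAINERS = ("Users", "Groups", "Computers", "Idmap")
# Primary gidNumber smbldap-useradd assigns new users (Domain Users, RID 513);
# an assumption for this example, taken from the tools' usual configuration.
DEFAULT_USER_GID = "513"

def parse_ldif(text):
    """Minimal LDIF parser: entries separated by blank lines, 'attr: value'
    lines, folded lines start with a space.  Returns {dn: {attr: [values]}}."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]                 # unfold continuation
            elif line and not line.startswith("#"):
                lines.append(line)
        attrs = defaultdict(list)
        for line in lines:
            key, _, val = line.partition(":")
            attrs[key.strip()].append(val.strip())
        entries[attrs.pop("dn")[0]] = dict(attrs)
    return entries

def check_preload(entries, suffix=SUFFIX, user_gid=DEFAULT_USER_GID):
    """Return a list of problems; an empty list means the LDIF is ready."""
    problems = [f"missing container ou={ou},{suffix}" for ou in CONTAINERS
                if f"ou={ou},{suffix}" not in entries]
    groups = {e["gidNumber"][0]: (dn, e) for dn, e in entries.items()
              if "posixGroup" in e.get("objectClass", []) and "gidNumber" in e}
    users = {dn: e for dn, e in entries.items()
             if "sambaSamAccount" in e.get("objectClass", [])}
    needed = {user_gid} | {e["gidNumber"][0] for e in users.values() if "gidNumber" in e}
    for gid in sorted(needed):
        if gid not in groups:
            problems.append(f"no posixGroup with gidNumber {gid}: "
                            "smbldap-useradd would call get_value on undef")
        elif "sambaSID" not in groups[gid][1]:
            problems.append(f"{groups[gid][0]} has no sambaSID")
    for dn, e in users.items():
        for attr in ("uidNumber", "sambaSID", "sambaNTPassword"):
            if attr not in e:
                problems.append(f"{dn}: missing {attr}")
    return problems

# Constructed data: the post's preload containers ...
PRELOAD_LDIF = "\n\n".join(
    f"dn: ou={ou},{SUFFIX}\nobjectClass: top\nobjectClass: organizationalUnit\nou: {ou}"
    for ou in CONTAINERS)
# ... plus a primary group of the kind smbldap-populate creates (which the
# preload lacked) and one made-up account without sambaNTPassword.
POPULATED_LDIF = PRELOAD_LDIF + f"""

dn: cn=Domain Users,ou=Groups,{SUFFIX}
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 513
sambaSID: S-1-5-21-1950748365-2870423656-1318170314-513

dn: uid=bromley,ou=Users,{SUFFIX}
objectClass: posixAccount
objectClass: sambaSamAccount
uid: bromley
uidNumber: 1000
gidNumber: 513
sambaSID: S-1-5-21-1950748365-2870423656-1318170314-3000
"""

if __name__ == "__main__":
    for label, ldif in (("preload only", PRELOAD_LDIF), ("populated", POPULATED_LDIF)):
        print(label, check_preload(parse_ldif(ldif)) or ["ok"])
```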


[Samba] Re: Migration: Failed to setup BDC creds

2004-07-22 Thread ksun
I figured that out.
  You are actually not supposed to start samba while doing the migration. net
rpc vampire will just read the configuration file and figure out where the
backend is.
 Chapter 8 of "Samba-3 by Example" has the detailed procedure.
-- kang



[Samba] Re: Solution! -> Re: Does "Admin Users =" accept groups?

2004-07-22 Thread ksun
  admin users= @"Domain Admins"

 is the correct syntax in smb.conf

From smbldap-groupshow.pl I see the list of memberUid in that group,
separated by commas.
 
Hope this helps!

-- Kang

/smbldap-groupshow.pl "Domain Admins"
dn: cn=Domain Admins,ou=Groups,dc=ab,dc=com
objectClass: posixGroup,sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: Administrator,ksun,dflagg,jweinfurt,shector
description: Netbios Domain Administrators
sambaSID: S-1-5-21-1950748365-2870423656-1318170314-512
sambaGroupType: 2
displayName: Domain Admins




[Samba] Could two DOMAINS of the same SID exist on the same network?

2004-07-22 Thread ksun
Greetings!
A few general questions:
1. Could I vampire from a BDC instead of a PDC? Does a BDC have
everything that a PDC has?
2. After vampiring successfully from a PDC to a samba-3 BDC, could I
promote this samba-3 BDC to a PDC of a new domain NEWDM, and would this new
domain co-exist with the old domain in the same network? I am worrying
that the two domains have exactly the same information, e.g. domain SIDs. Would
that affect anything?
Thanks!
-- Kang Sun




[Samba] vampire failed for undefined value sambaSID

2004-07-22 Thread ksun
Greetings!

The vampire process is running, but it failed to create accounts for everyone.
The error message is
   "Can't call method "get_value" on an undefined
value at /var/lib/samba/sbin/smbldap-useradd.pl line 152."

And I looked at the mentioned file and the line is
$userGroupSID = $group_entry->get_value('sambaSID');

I am following examples in "Samba-3 by Example".
Configuration:
Fedora Core 2
Samba-3.0.3 that came with Fedora Core 2
smbldap-tools that came with Samba-3.0.3

It looks like it is a smbldap-tools issue.  I briefly looked at the two
pm files but cannot figure out where it went wrong.

Any suggestions?

Thanks!

--- Kang Sun



[Samba] Re: Samba/LDAP/PDC Questions

2004-07-20 Thread ksun
Thank you for the response!



>>1. In what situation do I need People group as the group for
>>machines?

> Always.  Until they fix the bug/design issue that is.

OK, I reconfigured smb.conf and smbldap_config.pm to Users for users, 
Groups for groups, and People for computers.

>>2. Should the PDC itself be in the ldap backend database?

> I haven't found a good reason that it 'has' to in my tests.

I did join the PDC to the domain using 'net rpc join -Uadministrator%secret'
according to John H. Terpstra's Samba-3 by Example. After joining, I do
see the PDC machine in the ldap backend database.

>>3. In the /etc/ldap.conf, if I turn on the nss stuff, I cannot log
>> in to the domain anymore. It said "User does not exist".

> Can you expand on this a bit more?  From what you've said (which isn't 
> much) it almost sounds like you didn't have ldap working as the posix 
> auth system before you layered on samba.

My /etc/ldap.conf is as follows:

host 127.0.0.1
base dc=ab,dc=com
# nss_base_passwd ou=Users,dc=ab,dc=com?one
# nss_base_shadow ou=Users,dc=ab,dc=com?one
# nss_base_group  ou=Group,dc=ab,dc=com?one
ssl no
pam_password md5
#

What I was trying to say is that the three nss_base lines:
   o with or without them, I can do 'getent password' etc. with all the
posixAccounts
   o with them uncommented, I cannot log into a domain account from an XP
machine, though the XP machine itself joined the domain on the fly.
   [* actually I cannot log in to a domain account from the XP no matter
what after I reconfigured the PDC with People for computers *]
   So I wonder what exactly these three lines do.

   The PDC is on a Fedora 2 system. I ran authconfig to enable ldap
authentication. The pam.d is automatically configured. I am not sure it is
using the ldap_nss stuff at all.

Right now, I can join the XP machine into the domain but after reboot I
just cannot log into the domain Administrator account. The error from the XP
is "The system could not log you on. Make sure your user name and domain
are correct, then type your password again."

From the log.xp file, I see errors. Any suggestion?

-- Kang Sun

#
[2004/07/20 14:42:38, 0] 
rpc_server/srv_pipe.c:api_pipe_netsec_process(1397)
  failed to decode PDU
[2004/07/20 14:42:38, 0] 
rpc_server/srv_pipe_hnd.c:process_request_pdu(605)
  process_request_pdu: failed to do schannel processing.
##




[Samba] Samba/LDAP/PDC Questions

2004-07-19 Thread ksun
Greetings!

I created a Samba/OpenLDAP/smbldap-tools Primary Domain Controller. So far
I am able to do the following:
1. Using USRMGR.EXE to administer users and groups.
2. Adding Windows 2000, XP workstations on the fly.
3. PDBEDIT/SMBLDAP-TOOLS/GQ all work as they are supposed to.
4. LDAP authenticates unix accounts.

However, I am not able to do the following:
1. Cannot join an NT machine (SP6a) into the domain. It keeps
saying that "the Machine account is not available or not accessible" even
if I manually added the machine account using "smbldap-useradd
NT$".
2. Cannot use SRVMGR.EXE to add a machine to the domain. It complains
"Access Denied", though I can do other things like change the permission
of a share etc.
3. Cannot join an existing domain after I configure it as a BDC
with the PDC's SID. It complains "Failed to setup BDC creds".

It looks like the communication between samba and openldap is OK since I
can manage users/groups with USRMGR.EXE. However, a few questions puzzle
me:
1. In what situation do I need People group as the group for
machines?
2. Should the PDC itself be in the ldap backend database?
3. In the /etc/ldap.conf, if I turn on the nss stuff, I cannot log
in to the domain anymore. It said "User does not exist".

Here are the specs of my setup:
Fedora 2 (kernel 2.6.5-1.358)
samba-3.0.3-5
openldap-2.1.29-1
smbldap-tools-0.8.5-1.1.fc2.dag

### /etc/samba/smb.conf #
[global]
workgroup = ab
netbios name = pdc
username map = /etc/samba/smbusers
admin users= @"Domain Admins"
server string = Samba Server %v
security = user
encrypt passwords = Yes
min passwd length = 3
obey pam restrictions = No
ldap passwd sync = Yes
time server = Yes
mangling method = hash2

domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=Manager,dc=ab,dc=com
ldap suffix = dc=ab,dc=com
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Users
ldap ssl = no
add user script = /usr/sbin/smbldap-useradd -m "%u"
ldap delete dn = Yes
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g" 
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" 
"%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
preserve case = yes
short preserve case = yes
case sensitive = no

[homes]
comment = repertoire de %U, %u
read only = No
create mask = 0644
directory mask = 0775
browseable = No

[netlogon]
path = /home/netlogon/
browseable = No
read only = yes

[profiles]
path = /home/profiles
read only = no
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = yes
csc policy = disable
# next line is a great way to secure the profiles 
force user = %U 
# next line allows administrator to access all profiles 
valid users = %U "Domain Admins"

# /etc/openldap/slapd.conf

#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/redhat/autofs.schema
include /etc/openldap/schema/samba.schema

allow bind_v2
pidfile /var/run/slapd.pid

database ldbm
suffix  "dc=ab,dc=com"
rootdn  "cn=Manager,dc=ab,dc=com"
rootpw  some secret

directory   /var/lib/ldap

index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

# /etc/smbldap-tools/smbldap.conf 


SID="S-1-5-21-324808091-3910462042-2848579765"

slaveLDAP="127.0.0.1"
slavePort="389"
masterLDAP="127.0.0.1"
masterPort="389"

ldapTLS="0"

suffix="dc=ab,dc=com"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"

sco

[Samba] Migration: Failed to setup BDC creds

2004-07-13 Thread ksun
Greetings
I configured a BDC with Samba 3.0.3. When I try to synchronize it
with a PDC using
"net rpc vampire -Uadministrator%password"
I got "Failed to setup BDC creds".
With the debugger on I got the following information:

[2004/07/13 16:19:11, 4] param/loadparm.c:lp_load(3918)  pm_process() 
returned Yes
[2004/07/13 16:19:11, 2] lib/interface.c:add_interface(79)  added 
interface ip=10.50.30.32 bcast=10.50.255.255 nmask=255.255.0.0
[2004/07/13 16:19:11, 3] libsmb/cliconnect.c:cli_start_connection(1369) 
Connecting to host=127.0.0.1
[2004/07/13 16:19:11, 3] lib/util_sock.c:open_socket_out(733) Connecting 
to 127.0.0.1 at port 445
[2004/07/13 16:19:11, 4] lib/time.c:get_serverzone(122) Serverzone is 
14400
[2004/07/13 16:19:11, 4] 
passdb/secrets.c:secrets_fetch_trust_account_password(261) Using cleartext 
machine password
[2004/07/13 16:19:11, 4] rpc_client/cli_netlogon.c:cli_net_req_chal(45) 
cli_net_req_chal: LSA Request Challenge from PDC to 127.0.0.1: 
2AAEDE6146FC2E56
[2004/07/13 16:19:11, 4] libsmb/credentials.c:cred_session_key(59) 
cred_session_key
[2004/07/13 16:19:11, 4] libsmb/credentials.c:cred_create(90)  cred_create
[2004/07/13 16:19:11, 4] rpc_client/cli_netlogon.c:cli_net_auth2(102) 
cli_net_auth2: srv:\\127.0.0.1 acct:PDC$ sc:6 mc: PDC chal 
E5403E5FCF950D4F neg: 400701ff
[2004/07/13 16:19:11, 3] rpc_client/cli_netlogon.c:cli_nt_setup_creds(283) 
cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
Failed to setup BDC creds
[2004/07/13 16:19:11, 1] utils/net_rpc.c:run_rpc_command(141) rpc command 
function failed! (NT_STATUS_ACCESS_DENIED)
[2004/07/13 16:19:11, 2] utils/net.c:main(792) return code = 1

What went wrong?

Thanks!

-- Kang Sun



[Samba] Join domain as BDC: could not get CRED

2004-07-13 Thread ksun
Greetings,
I am following Tournier's Howto to configure Samba 3.x as a domain
controller. I use
"net rpc getsid -S  -W "
to obtain the domain SID and configure smbldap-tools, and created
the backend database. (The SID is also saved in secrets.db on the local
machine)
I joined this server to the domain successfully using
"net rpc join -Uadministrator%password"
The srvmgr.exe can see it joined the domain as a BDC.
But when I try to synchronize the domain controllers using
"net rpc vampire -Uadministrator&password"
it failed with "Can not get CRED" or something like it.
What did I do wrong?
Please reply to my E-mail account at [EMAIL PROTECTED]
-- Kang



[Samba] Questions on Samba3/OpenLDAP/PDC

2004-07-02 Thread ksun
Greetings!

I set up a PDC with samba 3.0.4 and openldap-2.2.14 and use
smbldap-tools to populate the ldap database. I am able to use Microsoft's
User Manager (usrmgr.exe) to add and delete users. I have a few questions
that I hope you can help me with.

1. smbldap-tools maps the Domain Admins group to group ID 512. I
created a domadmins group with ID 512 in /etc/group and added test as a
member of this group.

After adding user test from usrmgr.exe on a Windows XP
client, test is automatically a member of Domain Admins and Domain Users.
Now, logging in as test on the Windows XP client and running
usrmgr.exe, I cannot open any of the users. It always says "access denied".
In short, I can add/delete users as Administrator but cannot
do the same as test, although test is a member of the Domain Admins group,
as seen from usrmgr.exe.
Did I miss anything? There is no sign that test belongs to
a Domain Admins group in the LDAP database.

2. The Administrator cannot read its roaming profile. usrmgr and
pdbedit show its profile is at \\pdc\profiles\Administrator. The directory
is empty. What should be the correct protection and do I need some initial
entries there?

3. All users, groups, computers have to have an entry in
/etc/passwd and/or /etc/group first before usrmgr can add or delete them
in the ldap backend. Why couldn't samba administer them as well?

4. I thought ldap can manage NIS but I have not seen, sorry for
my ignorance, a document to integrate NIS/Samba-PDC/openldap together.
Could someone give me a pointer? Thank you!

Thank you.

-- Kang Sun

