Re: [Samba] Can't login to Samba PDC
* Scott Gross [EMAIL PROTECTED] wrote:

... button (from Win2K network identification screen). The computer is being added to the _COMPUTERS_ container in my LDAP with the appropriate trailing $ (uid=fife3400sales02$,ou=_COMPUTERS_). The domain portion of all SID's is the same (User-Group-Computer-sambaDomainName). When the workstation tries to authenticate the user I can see the connection to IPC$ on the samba server. 'uid=root,ou=_USERS_' is a sambaSamAccount and is a member of 'cn=Domain Users,ou=_GROUPS_'.

You put computer accounts under ou=_COMPUTER_ and users under ou=_USERS_ etc. Any reason for putting in funky ou names, or is this just because of the default value in smbldaptools? Have you set pam/nss ldap correctly (/etc/ldap.conf), what's getent passwd /group tell?

--beast
RE: [Samba] Can't login to Samba PDC
Please keep this on list...

The logical thing to do would be to keep your NT server as the PDC. Set up samba not to be a domain controller at all but as a member server to the domain (join that machine to the domain - using password server = PDC / security = domain and net join ...) That way, you can create all of the users, join all the machines, set up roaming profiles (on the 'member' server) and get all ready. Then, when you are ready, you can do the net rpc vampire command and suck all of the user accounts/machine accounts/groups into your LDAP.

Craig

On Mon, 2004-03-01 at 09:34, Scott Gross wrote:

I was planning to do each machine manually rather than using scripts to move the users as I have to change a lot of things on the users PC to keep them running after I move them to the new domain. So my intention was to join the computer to the new domain, add the user to the Samba domain then configure their PC for the new e-mail system and such. I have to do about 100 workstations in many different locations and a slow change over with no problems is preferable to a faster one where users might experience problems.

This having been said I'm still having problems that after I join the workstation to the new domain I can't login to it.

-Original Message-
From: Craig White [mailto:[EMAIL PROTECTED]
Sent: Friday, February 27, 2004 9:33 PM
To: Scott Gross
Cc: [EMAIL PROTECTED]
Subject: RE: [Samba] Can't login to Samba PDC

Let's keep this on list - there are a lot brighter people than I am on this stuff...

On Fri, 2004-02-27 at 19:58, Scott Gross wrote:

3 - migrate? as in net rpc vampire? - how certain are you that LDAP is working? Does LDAP handle linux login? Are you logging ldap connections etc?

migrate as in move from one to the other. I'm trying to get the Samba server running while we're using NT4 and then I will move my users and workstations to the new domain. I'm going to move them one machine and user at a time manually.

Yes LDAP handles the linux logins as well and this is working. I haven't set-up the LDAP to log the logins but this is something I want to do as well.

OK - I am trying to understand what you are telling me. I can't possibly envision a scenario that you can make this work - moving one computer and one user over at a time. The computer accounts continually change their passwords. This is what the net rpc vampire command is designed to do, move the machine accounts, user accounts and group accounts over to new setup while still retaining all the SID structure. It indeed works - I know because I did it. That is not to say that it is without its problems but it is - the intended method and I learned a long time ago about the benefit to calculate wind direction before I start peeing.

If you really feel as though you have LDAP set up properly - it appears that you have a grasp on it since you can run ldapsearch from command line (I am shocked at the number of people that think they have LDAP running and can't query LDAP), then you really should just slapcat your current setup, dump it, slapadd the stuff you need into LDAP and use the net rpc vampire and suck it all in.

You should have no problem getting it to simultaneously add the posixAccount sambaSamAccount properties - the only things that you may have to reconcile are 1 - existing accounts in posixland that you want to be both posix samba (perhaps you have overlap and different passwords/uid's) and 2 - It's hard to pull the plug on the existing NT 4 server because it probably has file print shares that you wanna keep around...try shutting off the netlogon service AFTER - you change the settings in smb.conf to make it PDC like and restarting smbd/nmbd. It will still be mostly functional

Craig
RE: [Samba] Can't login to Samba PDC
First thing is...please keep this on list

Second thing is...if NT is a PDC, then machine accounts should be created on that system - You can't simultaneously have a Windows Samba PDC/BDC of any combination. How would you be sure which machine is getting the machine accounts and which machine is handling the authentication?

Craig

On Mon, 2004-03-01 at 09:48, Scott Gross wrote:

First thing is first. I need to be able to join a machine to the domain and be able to login to the domain. This is just to test and make sure the new Samba server is working. This is the problem I'm having and what I'm looking for help on. Not how to migrate my users.

-Original Message-
From: Craig White [mailto:[EMAIL PROTECTED]
Sent: Monday, March 01, 2004 8:52 AM
To: Scott Gross
Cc: [EMAIL PROTECTED]
Subject: RE: [Samba] Can't login to Samba PDC

Please keep this on list...

The logical thing to do would be to keep your NT server as the PDC. Set up samba not to be a domain controller at all but as a member server to the domain (join that machine to the domain - using password server = PDC / security = domain and net join ...) That way, you can create all of the users, join all the machines, set up roaming profiles (on the 'member' server) and get all ready. Then, when you are ready, you can do the net rpc vampire command and suck all of the user accounts/machine accounts/groups into your LDAP.

Craig

On Mon, 2004-03-01 at 09:34, Scott Gross wrote:

I was planning to do each machine manually rather than using scripts to move the users as I have to change a lot of things on the users PC to keep them running after I move them to the new domain. So my intention was to join the computer to the new domain, add the user to the Samba domain then configure their PC for the new e-mail system and such. I have to do about 100 workstations in many different locations and a slow change over with no problems is preferable to a faster one where users might experience problems.

This having been said I'm still having problems that after I join the workstation to the new domain I can't login to it.

-Original Message-
From: Craig White [mailto:[EMAIL PROTECTED]
Sent: Friday, February 27, 2004 9:33 PM
To: Scott Gross
Cc: [EMAIL PROTECTED]
Subject: RE: [Samba] Can't login to Samba PDC

Let's keep this on list - there are a lot brighter people than I am on this stuff...

On Fri, 2004-02-27 at 19:58, Scott Gross wrote:

3 - migrate? as in net rpc vampire? - how certain are you that LDAP is working? Does LDAP handle linux login? Are you logging ldap connections etc?

migrate as in move from one to the other. I'm trying to get the Samba server running while we're using NT4 and then I will move my users and workstations to the new domain. I'm going to move them one machine and user at a time manually.

Yes LDAP handles the linux logins as well and this is working. I haven't set-up the LDAP to log the logins but this is something I want to do as well.

OK - I am trying to understand what you are telling me. I can't possibly envision a scenario that you can make this work - moving one computer and one user over at a time. The computer accounts continually change their passwords. This is what the net rpc vampire command is designed to do, move the machine accounts, user accounts and group accounts over to new setup while still retaining all the SID structure. It indeed works - I know because I did it. That is not to say that it is without its problems but it is - the intended method and I learned a long time ago about the benefit to calculate wind direction before I start peeing.

If you really feel as though you have LDAP set up properly - it appears that you have a grasp on it since you can run ldapsearch from command line (I am shocked at the number of people that think they have LDAP running and can't query LDAP), then you really should just slapcat your current setup, dump it, slapadd the stuff you need into LDAP and use the net rpc vampire and suck it all in.

You should have no problem getting it to simultaneously add the posixAccount sambaSamAccount properties - the only things that you may have to reconcile are 1 - existing accounts in posixland that you want to be both posix samba (perhaps you have overlap and different passwords/uid's) and 2 - It's hard to pull the plug on the existing NT 4 server because it probably has file print shares that you wanna keep around...try shutting off the netlogon service AFTER - you change the settings in smb.conf to make it PDC like and restarting smbd/nmbd. It will still be mostly functional

Craig
RE: [Samba] Can't login to Samba PDC
On Mon, 2004-03-01 at 10:42, Scott Gross wrote:

First thing is what list do you keep talking about? Am I not supposed to be asking about Samba things in this list?

---
The Samba list is the list I am specifically referring to. Every time you hit the 'reply' button, it replies only to me. If you hit 'reply to all' it will also reply to the samba list. Every reply I have hit, I have added the [EMAIL PROTECTED] to the address because you seem to only want to reply to me. Thus, you would be asking Samba things to the samba list if you would only include the samba list in your replies.
---

Second is the domain names are different. That is how you can tell which domain you are logging into. Why don't you try helping with the problem or let someone else if you don't want to.

---
I would be happy to let someone else help you - you have to actually post to the list instead of just emailing me. If the domain names are different, then your usage of the term migrate in your original email was misleading and I'm sorry it took me 4 emails to get this information out of you.

Evidently, the method you are using to 'join' the domain with the computer isn't functioning properly. Are you putting the computer accounts in the 'People' container? Is root a samba member? Do you use the Win2K/WinXP wizard to join the domain?

Craig

-Original Message-
From: Craig White [mailto:[EMAIL PROTECTED]
Sent: Monday, March 01, 2004 9:43 AM
To: Scott Gross
Cc: [EMAIL PROTECTED]
Subject: RE: [Samba] Can't login to Samba PDC

First thing is...please keep this on list

Second thing is...if NT is a PDC, then machine accounts should be created on that system - You can't simultaneously have a Windows Samba PDC/BDC of any combination. How would you be sure which machine is getting the machine accounts and which machine is handling the authentication?

Craig

On Mon, 2004-03-01 at 09:48, Scott Gross wrote:

First thing is first. I need to be able to join a machine to the domain and be able to login to the domain. This is just to test and make sure the new Samba server is working. This is the problem I'm having and what I'm looking for help on. Not how to migrate my users.

-Original Message-
From: Craig White [mailto:[EMAIL PROTECTED]
Sent: Monday, March 01, 2004 8:52 AM
To: Scott Gross
Cc: [EMAIL PROTECTED]
Subject: RE: [Samba] Can't login to Samba PDC

Please keep this on list...

The logical thing to do would be to keep your NT server as the PDC. Set up samba not to be a domain controller at all but as a member server to the domain (join that machine to the domain - using password server = PDC / security = domain and net join ...) That way, you can create all of the users, join all the machines, set up roaming profiles (on the 'member' server) and get all ready. Then, when you are ready, you can do the net rpc vampire command and suck all of the user accounts/machine accounts/groups into your LDAP.

Craig

On Mon, 2004-03-01 at 09:34, Scott Gross wrote:

I was planning to do each machine manually rather than using scripts to move the users as I have to change a lot of things on the users PC to keep them running after I move them to the new domain. So my intention was to join the computer to the new domain, add the user to the Samba domain then configure their PC for the new e-mail system and such. I have to do about 100 workstations in many different locations and a slow change over with no problems is preferable to a faster one where users might experience problems.

This having been said I'm still having problems that after I join the workstation to the new domain I can't login to it.

-Original Message-
From: Craig White [mailto:[EMAIL PROTECTED]
Sent: Friday, February 27, 2004 9:33 PM
To: Scott Gross
Cc: [EMAIL PROTECTED]
Subject: RE: [Samba] Can't login to Samba PDC

Let's keep this on list - there are a lot brighter people than I am on this stuff...

On Fri, 2004-02-27 at 19:58, Scott Gross wrote:

3 - migrate? as in net rpc vampire? - how certain are you that LDAP is working? Does LDAP handle linux login? Are you logging ldap connections etc?

migrate as in move from one to the other. I'm trying to get the Samba server running while we're using NT4 and then I will move my users and workstations to the new domain. I'm going to move them one machine and user at a time manually.

Yes LDAP handles the linux logins as well and this is working. I haven't set-up the LDAP to log the logins but this is something I want to do as well.

OK - I am trying
RE: [Samba] Can't login to Samba PDC
Sorry, when I was hitting reply I thought it was going back to the list not just to you. I wasn't paying attention to the address line in the e-mail.

I'm not using the windows wizard to join the domain but I am doing the join from the windows workstation. I'm not big on some of the wizards so I use the change button (from windows XP computer name screen) or the properties button (from Win2K network identification screen). The computer is being added to the _COMPUTERS_ container in my LDAP with the appropriate trailing $ (uid=fife3400sales02$,ou=_COMPUTERS_). The domain portion of all SID's is the same (User-Group-Computer-sambaDomainName). When the workstation tries to authenticate the user I can see the connection to IPC$ on the samba server. 'uid=root,ou=_USERS_' is a sambaSamAccount and is a member of 'cn=Domain Users,ou=_GROUPS_'.

I did just notice that 'cn=Domain Computers,ou=_GROUPS_' doesn't have any members in it. Do I need to add the computers to this group?

-Original Message-
From: Craig White [mailto:[EMAIL PROTECTED]
Sent: Monday, March 01, 2004 10:16 AM
To: Scott Gross
Cc: [EMAIL PROTECTED]
Subject: RE: [Samba] Can't login to Samba PDC

On Mon, 2004-03-01 at 10:42, Scott Gross wrote:

First thing is what list do you keep talking about? Am I not supposed to be asking about Samba things in this list?

---
The Samba list is the list I am specifically referring to. Every time you hit the 'reply' button, it replies only to me. If you hit 'reply to all' it will also reply to the samba list. Every reply I have hit, I have added the [EMAIL PROTECTED] to the address because you seem to only want to reply to me. Thus, you would be asking Samba things to the samba list if you would only include the samba list in your replies.
---

Second is the domain names are different. That is how you can tell which domain you are logging into. Why don't you try helping with the problem or let someone else if you don't want to.

---
I would be happy to let someone else help you - you have to actually post to the list instead of just emailing me. If the domain names are different, then your usage of the term migrate in your original email was misleading and I'm sorry it took me 4 emails to get this information out of you.

Evidently, the method you are using to 'join' the domain with the computer isn't functioning properly. Are you putting the computer accounts in the 'People' container? Is root a samba member? Do you use the Win2K/WinXP wizard to join the domain?

Craig

-Original Message-
From: Craig White [mailto:[EMAIL PROTECTED]
Sent: Monday, March 01, 2004 9:43 AM
To: Scott Gross
Cc: [EMAIL PROTECTED]
Subject: RE: [Samba] Can't login to Samba PDC

First thing is...please keep this on list

Second thing is...if NT is a PDC, then machine accounts should be created on that system - You can't simultaneously have a Windows Samba PDC/BDC of any combination. How would you be sure which machine is getting the machine accounts and which machine is handling the authentication?

Craig

On Mon, 2004-03-01 at 09:48, Scott Gross wrote:

First thing is first. I need to be able to join a machine to the domain and be able to login to the domain. This is just to test and make sure the new Samba server is working. This is the problem I'm having and what I'm looking for help on. Not how to migrate my users.

-Original Message-
From: Craig White [mailto:[EMAIL PROTECTED]
Sent: Monday, March 01, 2004 8:52 AM
To: Scott Gross
Cc: [EMAIL PROTECTED]
Subject: RE: [Samba] Can't login to Samba PDC

Please keep this on list...

The logical thing to do would be to keep your NT server as the PDC. Set up samba not to be a domain controller at all but as a member server to the domain (join that machine to the domain - using password server = PDC / security = domain and net join ...) That way, you can create all of the users, join all the machines, set up roaming profiles (on the 'member' server) and get all ready. Then, when you are ready, you can do the net rpc vampire command and suck all of the user accounts/machine accounts/groups into your LDAP.

Craig

On Mon, 2004-03-01 at 09:34, Scott Gross wrote:

I was planning to do each machine manually rather than using scripts to move the users as I have to change a lot of things on the users PC to keep them running after I move them to the new domain. So my intention was to join the computer to the new domain, add the user to the Samba domain then configure their PC for the new e-mail system and such. I have to do about 100 workstations in many different locations and a slow change over with no problems is preferable
[Samba] Can't login to Samba PDC
We're trying to migrate from a windows NT domain to a Samba domain. I've installed Samba 3.0.2a with an LDAP backend. The server seems to be running fine as I can browse the shares from a non-domain Win2k workstation after a successful password check. The workstations join the domain just fine but after I join them to the domain I can't log in to them. I've checked my schannel and sign or seal settings in the Samba server and the workstation but still no luck. Any help is greatly appreciated, I've been working at this for about two months now and I'm just getting frustrated.
Re: [Samba] Can't login to Samba PDC
Did you configure nss and pam to work with ldap? Do you have netlogon share path world writable?

-Original Message-
From: Scott Gross [EMAIL PROTECTED]
Sent: Friday, 27. Feb 2004 15:22 -0800
To: [EMAIL PROTECTED]
Subject: [Samba] Can't login to Samba PDC

We're trying to migrate from a windows NT domain to a Samba domain. I've installed Samba 3.0.2a with an LDAP backend. The server seems to be running fine as I can browse the shares from a non-domain Win2k workstation after a successful password check. The workstations join the domain just fine but after I join them to the domain I can't log in to them. I've checked my schannel and sign or seal settings in the Samba server and the workstation but still no luck. Any help is greatly appreciated, I've been working at this for about two months now and I'm just getting frustrated.
Re: [Samba] Can't login to Samba PDC
On Fri, 2004-02-27 at 16:22, Scott Gross wrote:

We're trying to migrate from a windows NT domain to a Samba domain. I've installed Samba 3.0.2a with an LDAP backend. The server seems to be running fine as I can browse the shares from a non-domain Win2k workstation after a successful password check. The workstations join the domain just fine but after I join them to the domain I can't log in to them. I've checked my schannel and sign or seal settings in the Samba server and the workstation but still no luck. Any help is greatly appreciated, I've been working at this for about two months now and I'm just getting frustrated.

Not enough information to give a meaningful answer.

1 - signorseal settings applicable to Samba 2.x not 3.x
2 - logs? why would you think that /var/log/samba/smbd.log, /var/log/samba/log.nmbd, /var/log/samba/ip.of.connecting.system wouldn't give you real clues to what's going on?
3 - migrate? as in net rpc vampire? - how certain are you that LDAP is working? Does LDAP handle linux login? Are you logging ldap connections etc?
4 - you seem to have not stated the required - I have read the 'how-to' at http://us1.samba.org/samba/docs/man/
5 - net getlocalsid / ldapsearch -x -h localhost -b 'base-of-ldap' '(cn=Domain User)' #do the sid portions match?

Craig
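The SID comparison asked for in item 5 above, written out as an added example that is not part of the original thread or of Samba itself. The `net getlocalsid` line, the LDIF text, the SID values, the `dc=example,dc=com` base, the domain name NEWDOM and the function names are constructed for illustration; only the `_USERS_`, `_GROUPS_` and `_COMPUTERS_` entry names are taken from the thread.

```python
import base64
import re

# Constructed sample input (not from the thread): the line printed by
# `net getlocalsid`, and LDIF as an ldapsearch for sambaSID would return it.
NET_GETLOCALSID = "SID for domain NEWDOM is: S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_LDIF = """\
dn: sambaDomainName=NEWDOM,dc=example,dc=com
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: uid=root,ou=_USERS_,dc=example,dc=com
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1000

dn: cn=Domain Users,ou=_GROUPS_,dc=example,dc=com
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-513

dn: uid=fife3400sales02$,ou=_COMPUTERS_,dc=example,dc=com
sambaSID: S-1-5-21-1111111111-2222222222-
 4444444444-3001
"""

DOMAIN_SID = re.compile(r"S-1-5-21(?:-\d+){3}")  # S-1-5-21-a-b-c


def parse_ldif(text):
    """Parse LDIF into a list of {attribute (lowercased): [values]} dicts."""
    text = re.sub(r"\r?\n ", "", text)  # unfold lines continued with one space
    entries, current = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.lower(), []).append(value.strip())
    return entries


def split_sid(sid):
    """Return (domain SID, RID); RID is None for a bare domain SID."""
    m = DOMAIN_SID.match(sid)
    if not m:
        return None, None
    rest = sid[m.end():]
    if rest and not re.fullmatch(r"-\d+", rest):
        return None, None
    return m.group(0), int(rest[1:]) if rest else None


def audit_sids(net_output, ldif_text):
    """Compare every sambaSID in the LDIF with the server's local domain SID."""
    m = DOMAIN_SID.search(net_output)
    if not m:
        raise ValueError("no domain SID in net getlocalsid output")
    local, findings = m.group(0), []
    for entry in parse_ldif(ldif_text):
        dn = entry.get("dn", ["?"])[0]
        for sid in entry.get("sambasid", []):
            if sid.startswith("S-1-5-32-"):
                continue  # builtin aliases are not relative to the domain SID
            domain, _rid = split_sid(sid)
            if domain is None:
                findings.append((dn, "malformed SID " + sid))
            elif domain != local:
                findings.append((dn, "domain part " + domain + " differs from " + local))
    return local, findings


if __name__ == "__main__":
    for dn, problem in audit_sids(NET_GETLOCALSID, SAMPLE_LDIF)[1]:
        print("MISMATCH", dn, "->", problem)
```

In the constructed data only the machine account carries a different domain portion, and its SID is folded across two LDIF lines, which a plain grep over the ldapsearch output would not reassemble.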
RE: [Samba] Can't login to Samba PDC
Let's keep this on list - there are a lot brighter people than I am on this stuff...

On Fri, 2004-02-27 at 19:58, Scott Gross wrote:

3 - migrate? as in net rpc vampire? - how certain are you that LDAP is working? Does LDAP handle linux login? Are you logging ldap connections etc?

migrate as in move from one to the other. I'm trying to get the Samba server running while we're using NT4 and then I will move my users and workstations to the new domain. I'm going to move them one machine and user at a time manually.

Yes LDAP handles the linux logins as well and this is working. I haven't set-up the LDAP to log the logins but this is something I want to do as well.

OK - I am trying to understand what you are telling me. I can't possibly envision a scenario that you can make this work - moving one computer and one user over at a time. The computer accounts continually change their passwords. This is what the net rpc vampire command is designed to do, move the machine accounts, user accounts and group accounts over to new setup while still retaining all the SID structure. It indeed works - I know because I did it. That is not to say that it is without its problems but it is - the intended method and I learned a long time ago about the benefit to calculate wind direction before I start peeing.

If you really feel as though you have LDAP set up properly - it appears that you have a grasp on it since you can run ldapsearch from command line (I am shocked at the number of people that think they have LDAP running and can't query LDAP), then you really should just slapcat your current setup, dump it, slapadd the stuff you need into LDAP and use the net rpc vampire and suck it all in.

You should have no problem getting it to simultaneously add the posixAccount sambaSamAccount properties - the only things that you may have to reconcile are 1 - existing accounts in posixland that you want to be both posix samba (perhaps you have overlap and different passwords/uid's) and 2 - It's hard to pull the plug on the existing NT 4 server because it probably has file print shares that you wanna keep around...try shutting off the netlogon service AFTER - you change the settings in smb.conf to make it PDC like and restarting smbd/nmbd. It will still be mostly functional

Craig