Re: [Samba] Migrating NT4 Domain with Idealx tools
--On Wednesday, November 17, 2004 05:09:19 PM +0100 Paul Coray [EMAIL PROTECTED] wrote:

> Marcel de Riedmatten wrote:
>>> Now I realize this works when I configure LDAP and Idealx-Tools to store machine accounts in the same container as user accounts. Although this makes my directory look somewhat messy, I can live with it if I have to. Still I can't add machines doing smbldap-useradd -w, nor when I try to join the domain from a client.
>> You can have them separated. What counts is that the machine accounts are visible on domain controllers (PDC, BDC), i.e. getent passwd must show the machine (posix) account. This is nss_ldap configuration. If samba doesn't see the machine (posix) account it won't work.
> So can I specify more than one nss base for passwd in libnss-ldap.conf? i.e.
>
> nss_base_passwd ou=Users,dc=mydomain,dc=ch
> nss_base_passwd ou=Computers,dc=mydomain,dc=ch

Rather than specify this twice why don't you just move the base up? For example:

nss_base_passwd dc=mydomain,dc=ch

Bill

> nss_base_group ou=Groups,dc=mydomain,dc=ch
>
>>>> So I would suspect some problem in the communication with the PDC and double check that on the samba box
>>>> 1) you have the domain SID as local SID
>>> Do SIDs for the PDC and for the domain have to be the same?
>> Yes, the domain SID _is_ the (local) SID of the PDC and all domain controllers must have the same SID.
> Thanks Marcel, this is very valuable information to me! I think these should be pointed out more clearly in the docs.
>
> Cheers
> Paul
>
> --
> Paul Coray
> Server and Network Administrator
> Oeffentliche Bibliothek der Universitaet Basel
> IT Department
> Schoenbeinstrasse 18-20
> CH-4056 Basel
> Tel: +41 61 267 05 13
> Fax: +41 61 267 31 03
> mailto:[EMAIL PROTECTED]
> http://www.ub.unibas.ch

+---
| Bill MacAllister
| 14219 Auburn Road
| Grass Valley, CA 95949
| 530-272-8555

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Migrating NT4 Domain with Idealx tools
Marcel de Riedmatten wrote:
>> Now I realize this works when I configure LDAP and Idealx-Tools to store machine accounts in the same container as user accounts. Although this makes my directory look somewhat messy, I can live with it if I have to. Still I can't add machines doing smbldap-useradd -w, nor when I try to join the domain from a client.
> You can have them separated. What counts is that the machine accounts are visible on domain controllers (PDC, BDC), i.e. getent passwd must show the machine (posix) account. This is nss_ldap configuration. If samba doesn't see the machine (posix) account it won't work.

So can I specify more than one nss base for passwd in libnss-ldap.conf? i.e.

nss_base_passwd ou=Users,dc=mydomain,dc=ch
nss_base_passwd ou=Computers,dc=mydomain,dc=ch
nss_base_group ou=Groups,dc=mydomain,dc=ch

>>> So I would suspect some problem in the communication with the PDC and double check that on the samba box
>>> 1) you have the domain SID as local SID
>> Do SIDs for the PDC and for the domain have to be the same?
> Yes, the domain SID _is_ the (local) SID of the PDC and all domain controllers must have the same SID.

Thanks Marcel, this is very valuable information to me! I think these should be pointed out more clearly in the docs.

Cheers
Paul

--
Paul Coray
Server and Network Administrator
Oeffentliche Bibliothek der Universitaet Basel
IT Department
Schoenbeinstrasse 18-20
CH-4056 Basel
Tel: +41 61 267 05 13
Fax: +41 61 267 31 03
mailto:[EMAIL PROTECTED]
http://www.ub.unibas.ch
Re: [Samba] Migrating NT4 Domain with Idealx tools
On Wed 17/11/2004 at 17:09, Paul Coray wrote:
> Marcel de Riedmatten wrote:
>> You can have them separated. What counts is that the machine accounts are visible on domain controllers (PDC, BDC), i.e. getent passwd must show the machine (posix) account. This is nss_ldap configuration. If samba doesn't see the machine (posix) account it won't work.
> So can I specify more than one nss base for passwd in libnss-ldap.conf? i.e.
>
> nss_base_passwd ou=Users,dc=mydomain,dc=ch
> nss_base_passwd ou=Computers,dc=mydomain,dc=ch
> nss_base_group ou=Groups,dc=mydomain,dc=ch

I am not sure. I just don't specify nss_base_passwd, i.e. I just defined

base dc=mydomain,dc=ch

>>>> So I would suspect some problem in the communication with the PDC and double check that on the samba box
>>>> 1) you have the domain SID as local SID
>>> Do SIDs for the PDC and for the domain have to be the same?
>> Yes, the domain SID _is_ the (local) SID of the PDC and all domain controllers must have the same SID.
> Thanks Marcel, this is very valuable information to me! I think these should be pointed out more clearly in the docs.

OK.

By the way, I am preparing something for the vampire and idmap stuff.

--
Marcel de Riedmatten

signature.asc: This is a digitally signed message part.
Re: [Samba] Migrating NT4 Domain with Idealx tools
On Wed, Nov 17, 2004 at 05:37:02PM +0100, Marcel de Riedmatten wrote:
>> nss_base_passwd ou=Users,dc=mydomain,dc=ch
>> nss_base_passwd ou=Computers,dc=mydomain,dc=ch
>> nss_base_group ou=Groups,dc=mydomain,dc=ch
> I am not sure. I just don't specify nss_base_passwd, i.e. I just defined

Yes, this is possible since nss_ldap-204:

204 Luke Howard [EMAIL PROTECTED]
* Linux netgroup implementation from Larry Lile
* Multiple service search descriptor support from Symas
* IPv6 patch from Thorsten Kukuk at SuSE
Re: [Samba] Migrating NT4 Domain with Idealx tools
Marcel de Riedmatten wrote:
> On Tue 09/11/2004 at 17:57, Paul Coray wrote:
>> Hi all
>>
>> For several days I've been doing tests for our upcoming migration from an NT domain to a Samba PDC with ldapsam. We have ~200 clients, mostly NT4 and some Win2k. We want all of our users to eventually switch from Windows to KDE on Linux with thin clients through NX :-)
>>
>> I managed to net rpc vampire all user and machine accounts into LDAP, but then I realized some problems:
>>
>> - The migrated machine accounts have no samba attributes. I can reproduce this behavior adding a machine account doing smbldap-useradd -w [machinename], just as in the 'add machine script' line in smb.conf suggested by Idealx. The machine account machinename$ will exist then, but without sambaSAMAccount object class nor any other samba attribute. Only after adding these by hand and joining the machine to my samba domain, users can login. I tried also using smbldap-useradd with multiple options, -w for workstation account and -a for samba attributes, but no luck. I wish I didn't have to add 200 machines to an already existing domain after the migration...
> This doesn't seem normal. The samba attribute should be added by the vampire.

But in my case it doesn't... net rpc vampire says 'Couldn't create Posix information for machinename$'. Well, in reality it did, but without samba attrs.

Now I realize this works when I configure LDAP and Idealx-Tools to store machine accounts in the same container as user accounts. Although this makes my directory look somewhat messy, I can live with it if I have to. Still I can't add machines doing smbldap-useradd -w, nor when I try to join the domain from a client.

> So I would suspect some problem in the communication with the PDC and double check that on the samba box
> 1) you have the domain SID as local SID

Do SIDs for the PDC and for the domain have to be the same?

> 2) you have joined the domain as BDC
> 3) you can see the attribute with net samdump
>> - Users, once logged in to Linux, cannot change their password with smbldap-passwd. They get 'user [username] doesn't exist.' Well, I'm talking about a logged in user...
> At distance this is a hard guess. I suggest that you look at the ldap log to get an idea what happened.

Rgds
Paul
Re: [Samba] Migrating NT4 Domain with Idealx tools
On Tue 09/11/2004 at 17:57, Paul Coray wrote:
> Hi all
>
> For several days I've been doing tests for our upcoming migration from an NT domain to a Samba PDC with ldapsam. We have ~200 clients, mostly NT4 and some Win2k. We want all of our users to eventually switch from Windows to KDE on Linux with thin clients through NX :-)
>
> I managed to net rpc vampire all user and machine accounts into LDAP, but then I realized some problems:
>
> - The migrated machine accounts have no samba attributes. I can reproduce this behavior adding a machine account doing smbldap-useradd -w [machinename], just as in the 'add machine script' line in smb.conf suggested by Idealx. The machine account machinename$ will exist then, but without sambaSAMAccount object class nor any other samba attribute. Only after adding these by hand and joining the machine to my samba domain, users can login. I tried also using smbldap-useradd with multiple options, -w for workstation account and -a for samba attributes, but no luck. I wish I didn't have to add 200 machines to an already existing domain after the migration...

This doesn't seem normal. The samba attribute should be added by the vampire. So I would suspect some problem in the communication with the PDC and double check that on the samba box
1) you have the domain SID as local SID
2) you have joined the domain as BDC
3) you can see the attribute with net samdump

> - Users, once logged in to Linux, cannot change their password with smbldap-passwd. They get 'user [username] doesn't exist.' Well, I'm talking about a logged in user...

At distance this is a hard guess. I suggest that you look at the ldap log to get an idea what happened.

--
Marcel de Riedmatten

signature.asc: This is a digitally signed message part.
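The three conditions this thread turns on can be checked offline against a dump of the directory: a machine account must sit under one of the nss_base_passwd bases (otherwise getent passwd, and therefore Samba, never sees it), it must carry the sambaSamAccount class and a sambaSID (the attributes vampire is supposed to add), and that sambaSID must be prefixed by the domain SID that the PDC and every BDC share. The script below is an added example, not code from the thread or from the Idealx smbldap-tools. The LDIF it parses is constructed for illustration, the DNs, SIDs and the NSS_BASES list are assumptions that mirror the libnss-ldap.conf lines quoted above, and the sambaDomain, sambaSamAccount and sambaSID names are the ones from samba.schema.

```python
"""Audit an ldapsam LDIF dump for the problems discussed in this thread.
Added example; not code from the thread or from the Idealx smbldap-tools."""
import base64

# Constructed sample dump (assumed names and SIDs, not taken from the thread):
# the sambaDomain entry, one user, one machine account that vampire created
# without samba attributes, one carrying a SID from another domain, and one
# sitting outside the ou=Computers branch that nss_ldap searches.
SAMPLE_LDIF = """\
dn: sambaDomainName=UB,dc=mydomain,dc=ch
objectClass: sambaDomain
sambaDomainName: UB
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: uid=pcoray,ou=Users,dc=mydomain,dc=ch
objectClass: posixAccount
objectClass: sambaSamAccount
uid: pcoray
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3002

dn: uid=ws01$,ou=Computers,dc=mydomain,dc=ch
objectClass: posixAccount
uid: ws01$

dn: uid=ws02$,ou=Computers,dc=mydomain,dc=ch
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws02$
sambaSID: S-1-5-21-9999999999-8888888888-7777777777-5002

dn: uid=ws03$,ou=Stale,dc=mydomain,dc=ch
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws03$
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-5004
"""

# The nss_base_passwd lines quoted in the thread (assumed DNs): getent passwd
# only returns entries under these bases, and Samba only accepts machine
# accounts it can resolve through getent.
NSS_BASES = ["ou=Users,dc=mydomain,dc=ch", "ou=Computers,dc=mydomain,dc=ch"]


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, decodes 'attr::' base64
    values, lower-cases attribute names, returns a list of {attr: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folded continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line:
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            value = value.strip()
            if value.startswith(":"):     # attr:: <base64>
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(attr.strip().lower(), []).append(value)
    return entries


def dn_under(dn, base):
    """True if dn equals base or lies beneath it. Escaped commas inside RDN
    values are not handled; enough for the ou=/dc= layout used here."""
    norm = lambda s: ",".join(p.strip().lower() for p in s.split(","))
    d, b = norm(dn), norm(base)
    return d == b or d.endswith("," + b)


def audit(ldif_text, nss_bases):
    """Return machine accounts (uid ending in '$') that lack sambaSamAccount or
    sambaSID, carry a sambaSID not prefixed by the domain SID, or sit outside
    every nss_base_passwd base."""
    entries = parse_ldif(ldif_text)
    domain_sids = [e["sambasid"][0] for e in entries
                   if "sambadomain" in {c.lower() for c in e.get("objectclass", [])}]
    if len(domain_sids) != 1:
        raise ValueError("expected one sambaDomain entry, found %d" % len(domain_sids))
    domain_sid = domain_sids[0]
    findings = {"no_samba_attrs": [], "foreign_sid": [], "not_in_nss_base": []}
    for e in entries:
        uid = e.get("uid", [""])[0]
        if not uid.endswith("$"):
            continue                      # only machine trust accounts
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "sambasamaccount" not in classes or "sambasid" not in e:
            findings["no_samba_attrs"].append(uid)
        elif not e["sambasid"][0].startswith(domain_sid + "-"):
            findings["foreign_sid"].append(uid)
        if not any(dn_under(e["dn"][0], b) for b in nss_bases):
            findings["not_in_nss_base"].append(uid)
    return findings


if __name__ == "__main__":
    for problem, uids in audit(SAMPLE_LDIF, NSS_BASES).items():
        print("%-16s %s" % (problem, ", ".join(uids) or "-"))
```

On a real directory, feed audit() the output of ldapsearch -x -LLL -b dc=mydomain,dc=ch (bound as a DN allowed to read sambaSID); passing ["dc=mydomain,dc=ch"] as the base list reproduces Bill's suggestion of one nss_base_passwd at the suffix and clears the not_in_nss_base finding for every entry. The domain SID the script extracts from the sambaDomain entry is the value that net getlocalsid on the PDC and every BDC, and net getdomainsid, must all agree on.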
[Samba] Migrating NT4 Domain with Idealx tools
Hi all

For several days I've been doing tests for our upcoming migration from an NT domain to a Samba PDC with ldapsam. We have ~200 clients, mostly NT4 and some Win2k. We want all of our users to eventually switch from Windows to KDE on Linux with thin clients through NX :-)

I managed to net rpc vampire all user and machine accounts into LDAP, but then I realized some problems:

- The migrated machine accounts have no samba attributes. I can reproduce this behavior adding a machine account doing smbldap-useradd -w [machinename], just as in the 'add machine script' line in smb.conf suggested by Idealx. The machine account machinename$ will exist then, but without sambaSAMAccount object class nor any other samba attribute. Only after adding these by hand and joining the machine to my samba domain, users can login. I tried also using smbldap-useradd with multiple options, -w for workstation account and -a for samba attributes, but no luck. I wish I didn't have to add 200 machines to an already existing domain after the migration...

- Users, once logged in to Linux, cannot change their password with smbldap-passwd. They get 'user [username] doesn't exist.' Well, I'm talking about a logged in user...
This is how Samba, OpenLDAP and the Idealx-Tools are configured:

# egrep -v '^$|^#' smb.conf
[global]
netbios name = SARGE-TS
workgroup = UB
security = User
server string = %h server (Samba %v)
wins support = yes
preferred master = yes
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
encrypt passwords = true
domain logons = yes
domain master = yes
logon drive = H:
logon home = \\%L\%U
ldap passwd sync = Yes
os level = 65
passdb backend = ldapsam:ldap://127.0.0.1/
ldap admin dn = cn=manager,dc=ub,dc=unibas,dc=ch
ldap suffix = dc=ub,dc=unibas,dc=ch
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
add user script = /usr/sbin/smbldap-useradd -m %u
ldap delete dn = Yes
add machine script = /usr/sbin/smbldap-useradd -w %u
add group script = /usr/sbin/smbldap-groupadd -p %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
short preserve case = yes
case sensitive = no
map to guest = Bad User
guest account = nobody
invalid users = root
ldap password sync = yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

[homes]
comment = Home Directory for %U
browseable = no
writable = yes
create mask = 0700
directory mask = 0700

[netlogon]
path = /export/home/samba/netlogon/
# browseable = No
# locking = No
read only = yes

[profiles]
path = /export/home/samba/profiles
read only = no
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = yes
csc policy = disable
force user = %U
valid users = %U Domain Admins

# egrep -v '^$|^#' slapd.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/solaris-nis.schema
include /etc/ldap/schema/solaris.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/phpgwaccount.schema
include /etc/ldap/schema/phpgwcontact.schema
modulepath /usr/lib/ldap
moduleload back_ldbm
backend ldbm
schemacheck on
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
password-hash {MD5}
replogfile /var/lib/ldap/replog
loglevel 256
database ldbm
suffix dc=ub,dc=unibas,dc=ch
rootdn cn=manager,dc=ub,dc=unibas,dc=ch
rootpw {MD5}XX==
directory /var/lib/ldap/ub
lastmod on
cachesize 4
dbcachesize 6000
index cn,sn,uid,displayName pres,sub,eq
index uidNumber,gidNumber eq
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass eq
index default sub
index phpgwContactOwner pres,eq,sub
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by anonymous auth
    by * none
access to *
    by dn="cn=manager,dc=ub,dc=unibas,dc=ch" write
    by dn="cn=nss,dc=ub,dc=unibas,dc=ch" read
    by * auth

# egrep -v '^$|^#' smbldap_bind.conf
slaveDN="cn=manager,dc=ub,dc=unibas,dc=ch"
slavePw="XXX"
masterDN="cn=manager,dc=ub,dc=unibas,dc=ch"
masterPw="XX"

# egrep -v '^$|^#' smbldap.conf