Re: [Samba] Migrating NT4 Domain with Idealx tools

2004-11-24 Thread Bill MacAllister

--On Wednesday, November 17, 2004 05:09:19 PM +0100 Paul Coray 
[EMAIL PROTECTED] wrote:

Marcel de Riedmatten wrote:

Now I realize this works when I configure LDAP and Idealx-Tools to
store machine accounts in the same container as user accounts. Although
this makes my directory look somewhat messy, I can live with it if I
have to. Still I can't add machines doing smbldap-useradd -w, nor when
I try to join the domain from a client.

you can have them separated. What counts is that the machine accounts are
visible on domain controllers (PDC, BDC), i.e. getent passwd must show the
machine (posix) account. This is nss_ldap configuration. If samba
doesn't see the machine (posix) account it won't work.
So can I specify more than one nss base for passwd in libnss-ldap.conf?
i.e.
nss_base_passwd ou=Users,dc=mydomain,dc=ch
nss_base_passwd ou=Computers,dc=mydomain,dc=ch
nss_base_group  ou=Groups,dc=mydomain,dc=ch

Rather than specify this twice why don't you just move the base up?  For
example:

 nss_base_passwd dc=mydomain,dc=ch

Bill

 So I would suspect some problem in the communication with the
PDC and double check that on the samba box
1) you have the domain SID as local SID
Do SIDs for the PDC and for the domain have to be the same?

yes the domain SID _is_ the (local) SID of the PDC and all domain
controllers must have the same SID.
Thanks Marcel, this is very valuable information to me! I think these
should be pointed out more clearly in the docs.
Cheers
Paul
--
Paul Coray
Administrator Server und Netzwerk
Oeffentliche Bibliothek der Universitaet Basel
EDV-Abteilung
Schoenbeinstrasse 18-20
CH-4056 Basel
Tel: +41 61 267 05 13
Fax: +41 61 267 31 03
mailto:[EMAIL PROTECTED]
http://www.ub.unibas.ch

+---
| Bill MacAllister
| 14219 Auburn Road
| Grass Valley, CA 95949
| 530-272-8555
--
To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Migrating NT4 Domain with Idealx tools

2004-11-17 Thread Paul Coray
Marcel de Riedmatten wrote:

Now I realize this works when I configure LDAP and Idealx-Tools to store 
machine accounts in the same container as user accounts. Although this 
makes my directory look somewhat messy, I can live with it if I have to. 
Still I can't add machines doing smbldap-useradd -w, nor when I try to 
join the domain from a client.

you can have them separated. What counts is that the machine accounts are
visible on domain controllers (PDC, BDC), i.e. getent passwd must show the
machine (posix) account. This is nss_ldap configuration. If samba
doesn't see the machine (posix) account it won't work.
So can I specify more than one nss base for passwd in libnss-ldap.conf?
i.e.
nss_base_passwd ou=Users,dc=mydomain,dc=ch
nss_base_passwd ou=Computers,dc=mydomain,dc=ch
nss_base_group  ou=Groups,dc=mydomain,dc=ch

 So I would suspect some problem in the communication with the
PDC and double check that on the samba box 

1) you have the domain SID as local SID
Do SIDs for the PDC and for the domain have to be the same?

yes the domain SID _is_ the (local) SID of the PDC and all domain
controllers must have the same SID.
Thanks Marcel, this is very valuable information to me! I think these 
should be pointed out more clearly in the docs.

Cheers
Paul
--
Paul Coray
Administrator Server und Netzwerk
Oeffentliche Bibliothek der Universitaet Basel
EDV-Abteilung
Schoenbeinstrasse 18-20
CH-4056 Basel
Tel: +41 61 267 05 13
Fax: +41 61 267 31 03
mailto:[EMAIL PROTECTED]
http://www.ub.unibas.ch


Re: [Samba] Migrating NT4 Domain with Idealx tools

2004-11-17 Thread Marcel de Riedmatten
On Wed 17/11/2004 at 17:09, Paul Coray wrote:
 Marcel de Riedmatten wrote:

  
  you can have them separated. What counts is that the machine accounts are
  visible on domain controllers (PDC, BDC), i.e. getent passwd must show the
  machine (posix) account. This is nss_ldap configuration. If samba
  doesn't see the machine (posix) account it won't work.
 
 So can I specify more than one nss base for passwd in libnss-ldap.conf?
 
 i.e.
 
 nss_base_passwd ou=Users,dc=mydomain,dc=ch
 nss_base_passwd ou=Computers,dc=mydomain,dc=ch
 nss_base_group  ou=Groups,dc=mydomain,dc=ch

I am not sure. I just don't specify nss_base_passwd, i.e. I just
defined

base dc=mydomain,dc=ch

  
   So I would suspect some problem in the communication with the
 
 PDC and double check that on the samba box 
 
 1) you have the domain SID as local SID
 
 Do SIDs for the PDC and for the domain have to be the same?
  
  
  yes the domain SID _is_ the (local) SID of the PDC and all domain
  controllers must have the same SID.
 
 Thanks Marcel, this is very valuable information to me! I think these 
 should be pointed out more clearly in the docs.
 
 
ok 

By the way I am preparing something for the vampire and idmap stuff. 

-- 
Marcel de Riedmatten




Re: [Samba] Migrating NT4 Domain with Idealx tools

2004-11-17 Thread Andreas
On Wed, Nov 17, 2004 at 05:37:02PM +0100, Marcel de Riedmatten wrote:
  nss_base_passwd ou=Users,dc=mydomain,dc=ch
  nss_base_passwd ou=Computers,dc=mydomain,dc=ch
  nss_base_group  ou=Groups,dc=mydomain,dc=ch
 
 I am not sure. I just don't specify nss_base_passwd, i.e. I just
 defined

Yes, this is possible since nss_ldap-204:

204 Luke Howard [EMAIL PROTECTED]
    * Linux netgroup implementation from Larry Lile
--  * Multiple service search descriptor support from Symas
    * IPv6 patch from Thorsten Kukuk at SuSE



Re: [Samba] Migrating NT4 Domain with Idealx tools

2004-11-13 Thread Paul Coray
Marcel de Riedmatten wrote:
On Tue 09/11/2004 at 17:57, Paul Coray wrote:
Hi all
For several days I've been doing tests for our upcoming migration from 
an NT domain to Samba PDC with ldapsam. We have ~200 clients, mostly NT4 
and some Win2k. We want all of our users to switch eventually from Windows 
to KDE on Linux with thin clients through NX :-)

I managed to net rpc vampire all user and machine accounts into LDAP, 
but then I realized some problems:

- The migrated machine accounts have no samba attributes. I can 
reproduce this behavior adding a machine account doing smbldap-useradd 
-w [machinename], just as in the 'add machine script' line in smb.conf 
suggested by Idealx. The machine account machinename$ will exist then, 
but without sambaSAMAccount object class nor any other samba attribute. 
Only after adding these by hand and joining the machine to my samba 
domain, users can login. I tried also using smbldap-useradd with 
multiple options, -w for workstation account and -a for samba 
attributes, but no luck. I wish I shouldn't add 200 machines to an 
already existing domain after the migration...

This doesn't seem normal.  The samba attribute should be added by the
vampire.
But in my case it doesn't... net rpc vampire says 'Couldn't create Posix 
information for machinename$'. Well in reality, it did, but without 
samba attrs.

Now I realize this works when I configure LDAP and Idealx-Tools to store 
machine accounts in the same container as user accounts. Although this 
makes my directory look somewhat messy, I can live with it if I have to. 
Still I can't add machines doing smbldap-useradd -w, nor when I try to 
join the domain from a client.

 So I would suspect some problem in the communication with the
PDC and double check that on the samba box 

1) you have the domain SID as local SID
Do SIDs for the PDC and for the domain have to be the same?
2) you have joined the domain as BDC
3) you can see the attribute with net samdump 


- Users, once logged in to Linux, cannot change their password with 
smbldap-passwd. They get 'user [username] doesn't exist.' Well, I'm 
talking about a logged in user...

From a distance this is a hard guess. I suggest that you look at the ldap
log to get an idea what happened.

Rgds
Paul


Re: [Samba] Migrating NT4 Domain with Idealx tools

2004-11-12 Thread Marcel de Riedmatten
On Tue 09/11/2004 at 17:57, Paul Coray wrote:
 Hi all
 
 For several days I've been doing tests for our upcoming migration from 
 an NT domain to Samba PDC with ldapsam. We have ~200 clients, mostly NT4 
 and some Win2k. We want all of our users to switch eventually from Windows 
 to KDE on Linux with thin clients through NX :-)
 
 I managed to net rpc vampire all user and machine accounts into LDAP, 
 but then I realized some problems:
 
 - The migrated machine accounts have no samba attributes. I can 
 reproduce this behavior adding a machine account doing smbldap-useradd 
 -w [machinename], just as in the 'add machine script' line in smb.conf 
 suggested by Idealx. The machine account machinename$ will exist then, 
 but without sambaSAMAccount object class nor any other samba attribute. 
 Only after adding these by hand and joining the machine to my samba 
 domain, users can login. I tried also using smbldap-useradd with 
 multiple options, -w for workstation account and -a for samba 
 attributes, but no luck. I wish I shouldn't add 200 machines to an 
 already existing domain after the migration...

This doesn't seem normal.  The samba attribute should be added by the
vampire. So I would suspect some problem in the communication with the
PDC and double check that on the samba box 

1) you have the domain SID as local SID
2) you have joined the domain as BDC
3) you can see the attribute with net samdump 


 
 - Users, once logged in to Linux, cannot change their password with 
 smbldap-passwd. They get 'user [username] doesn't exist.' Well, I'm 
 talking about a logged in user...


From a distance this is a hard guess. I suggest that you look at the ldap
log to get an idea what happened.

-- 
Marcel de Riedmatten



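The three things this thread turns on (the machine account being visible through nss_ldap via getent passwd, the local SID being the same as the domain SID, and the machine entry carrying the sambaSamAccount objectClass) as an added Python preflight check. This is example code written for this page, not part of the thread, of Samba or of the Idealx smbldap-tools; the getent, net getlocalsid and net getdomainsid outputs and the LDIF entry are constructed samples, the exact wording of the net output is an assumption, and only the S-1-5-21-... SID is parsed out of it.

```python
import re

# Constructed sample outputs (not from the thread): what the checks
# discussed above would show on a Samba/ldapsam box before a machine joins.
GETENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
pcoray:x:1001:513:Paul Coray:/home/pcoray:/bin/bash
ws-lib01$:x:1002:515:Computer:/dev/null:/bin/false
"""
NET_GETLOCALSID = "SID for domain SARGE-TS is: S-1-5-21-1111111111-2222222222-3333333333\n"
NET_GETDOMAINSID = ("SID for Local Machine is: S-1-5-21-1111111111-2222222222-3333333333\n"
                    "SID for Domain UB is: S-1-5-21-1111111111-2222222222-3333333333\n")
MACHINE_LDIF = """\
dn: uid=ws-lib01$,ou=Computers,dc=ub,dc=unibas,dc=ch
objectClass: top
objectClass: account
objectClass: posixAccount
uid: ws-lib01$
uidNumber: 1002
gidNumber: 515
"""

SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+")  # domain-style SID, wording around it ignored

def machine_visible_in_nss(getent_output, machine):
    """True if `getent passwd` lists the trailing-$ machine (posix) account."""
    name = machine if machine.endswith("$") else machine + "$"
    return any(line.split(":")[0] == name for line in getent_output.splitlines())

def sids_consistent(localsid_output, domainsid_output):
    """Local SID and domain SID must be one and the same SID on every DC."""
    sids = set(SID_RE.findall(localsid_output)) | set(SID_RE.findall(domainsid_output))
    return len(sids) == 1

def ldif_has_samba_account(ldif):
    """True if the LDIF entry carries the sambaSamAccount objectClass."""
    classes = {l.split(":", 1)[1].strip().lower()
               for l in ldif.splitlines() if l.lower().startswith("objectclass:")}
    return "sambasamaccount" in classes

def preflight(getent_output, localsid_output, domainsid_output, ldif, machine):
    """Return the failed checks; an empty list means the box passes all three."""
    failures = []
    if not machine_visible_in_nss(getent_output, machine):
        failures.append("machine account not visible via nss_ldap (getent passwd)")
    if not sids_consistent(localsid_output, domainsid_output):
        failures.append("local SID differs from domain SID")
    if not ldif_has_samba_account(ldif):
        failures.append("machine entry lacks sambaSamAccount objectClass")
    return failures
```

Run against the constructed samples, preflight reports only the missing sambaSamAccount objectClass, which is exactly the symptom the original post describes for accounts created with smbldap-useradd -w.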

[Samba] Migrating NT4 Domain with Idealx tools

2004-11-09 Thread Paul Coray
Hi all
For several days I've been doing tests for our upcoming migration from 
an NT domain to Samba PDC with ldapsam. We have ~200 clients, mostly NT4 
and some Win2k. We want all of our users to switch eventually from Windows 
to KDE on Linux with thin clients through NX :-)

I managed to net rpc vampire all user and machine accounts into LDAP, 
but then I realized some problems:

- The migrated machine accounts have no samba attributes. I can 
reproduce this behavior adding a machine account doing smbldap-useradd 
-w [machinename], just as in the 'add machine script' line in smb.conf 
suggested by Idealx. The machine account machinename$ will exist then, 
but without sambaSAMAccount object class nor any other samba attribute. 
Only after adding these by hand and joining the machine to my samba 
domain, users can login. I tried also using smbldap-useradd with 
multiple options, -w for workstation account and -a for samba 
attributes, but no luck. I wish I shouldn't add 200 machines to an 
already existing domain after the migration...

- Users, once logged in to Linux, cannot change their password with 
smbldap-passwd. They get 'user [username] doesn't exist.' Well, I'm 
talking about a logged in user...

This is how Samba, OpenLDAP and the Idealx-Tools are configured:
# egrep -v '^$|^#' smb.conf
[global]
   netbios name = SARGE-TS
   workgroup = UB
   security = User
   server string = %h server (Samba %v)
   wins support = yes
   preferred master = yes
   log file = /var/log/samba/log.%m
   max log size = 1000
   syslog = 0
   encrypt passwords = true
   domain logons = yes
   domain master = yes
   logon drive = H:
   logon home = \\%L\%U
   ldap passwd sync = Yes
   os level = 65
   passdb backend = ldapsam:ldap://127.0.0.1/
   ldap admin dn = cn=manager,dc=ub,dc=unibas,dc=ch
   ldap suffix = dc=ub,dc=unibas,dc=ch
   ldap group suffix = ou=Groups
   ldap user suffix = ou=Users
   ldap machine suffix = ou=Computers
   add user script = /usr/sbin/smbldap-useradd -m %u
   ldap delete dn = Yes
   add machine script = /usr/sbin/smbldap-useradd -w %u
   add group script = /usr/sbin/smbldap-groupadd -p %g
   add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
   delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
   set primary group script = /usr/sbin/smbldap-usermod -g %g %u
   short preserve case = yes
   case sensitive = no
   map to guest  = Bad User
   guest account = nobody
   invalid users = root
   ldap password sync = yes
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
[homes]
   comment = Home Directory for %U
   browseable = no
   writable = yes
   create mask = 0700
   directory mask = 0700
[netlogon]
path = /export/home/samba/netlogon/
# browseable = No
# locking = No
read only = yes
[profiles]
path = /export/home/samba/profiles
read only = no
create mask = 0600
directory mask = 0700
browseable = No
guest ok = Yes
profile acls = yes
csc policy = disable
force user = %U
valid users = %U Domain Admins
# egrep -v '^$|^#' slapd.conf
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/solaris-nis.schema
include /etc/ldap/schema/solaris.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/phpgwaccount.schema
include /etc/ldap/schema/phpgwcontact.schema
modulepath      /usr/lib/ldap
moduleload      back_ldbm
backend         ldbm
schemacheck     on
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
password-hash   {MD5}
replogfile      /var/lib/ldap/replog
loglevel        256
database        ldbm
suffix          dc=ub,dc=unibas,dc=ch
rootdn          cn=manager,dc=ub,dc=unibas,dc=ch
rootpw          {MD5}XX==
directory       /var/lib/ldap/ub
lastmod         on
cachesize       4
dbcachesize     6000
index   cn,sn,uid,displayName   pres,sub,eq
index   uidNumber,gidNumber     eq
index   sambaSID                eq
index   sambaPrimaryGroupSID    eq
index   sambaDomainName         eq
index   objectClass             eq
index   default                 sub
index   phpgwContactOwner       pres,eq,sub
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
        by self write
        by anonymous auth
        by * none
access to *
        by dn="cn=manager,dc=ub,dc=unibas,dc=ch" write
        by dn="cn=nss,dc=ub,dc=unibas,dc=ch" read
        by * auth
# egrep -v '^$|^#' smbldap_bind.conf
slaveDN=cn=manager,dc=ub,dc=unibas,dc=ch
slavePw=XXX
masterDN=cn=manager,dc=ub,dc=unibas,dc=ch
masterPw=XX
# egrep -v '^$|^#' smbldap.conf