Re: [Samba] Samba PDC + OpenLDAP (Debian Lenny)

2009-08-18 Thread Mike Eggleston
On Sun, 16 Aug 2009, Henrik Dige Semark might have said:

> Hey.
> I'm trying to move my existing MS-AD over to SAMBA, the place I'm 
> working for is changing all servers from MS to Debian, but all the 
> clients are still a mixed environment for now.
> We have Mac, *NIX, and Windows clients, so it's important that everything 
> keeps running in the same or almost the same way as before the change.
> 
> When I try to join a Windows Vista Ultimate or Windows XP Pro to the 
> domain it takes 30 sec and then it says "The machine account does not 
> exist" but as I understand that is what
> "add machine script = /usr/sbin/smbldap-useradd -t 0 -w -i "%u"" has to 
> do right ?
> 
> I have pasted my config + log from OpenLDAP and SAMBA, can anybody see 
> what I have done wrong

I'm not at work and am unable to compare your configuration with
my production configuration. I have a similar environment, though,
and found for windows boxes I needed to create the account in LDAP
first (I use smbldap-adduser ...), then I must also add my samba
server as a WINS server to the windows box, then I can join the
windows box to my samba pdc domain.

Mike
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] Samba PDC + OpenLDAP (Debian Lenny)

2009-08-16 Thread Adam Tauno WIlliams
> I'm trying to move my existing MS-AD over to SAMBA, the place I'm 

So you have an AD domain?  Samba 3.x does not provide an AD domain, it
provides an NT domain, so your requirement of "everything keeps running
in the same or almost the same way" cannot be met.  Unless you want to
try Samba 4.

> When I try to join a Windows Vista Ultimate or Windows XP Pro to the 
> domain it takes 30 sec and then it says "The machine account does not 
> exist" but as I understand that is what
> "add machine script = /usr/sbin/smbldap-useradd -t 0 -w -i "%u"" has to 
> do right ?

It is supposed to, yes.

>socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

Get rid of all the "socket options" stuff.  Are you using an old HOWTO
or some crap Wiki entry from somewhere?  Setting this directive is an
OLD habit and very obsolete.  Use only the Samba HOWTO and By-Example as
provided on Samba docs.  Assume everything else on the Internet is
obsolete and out-of-date, because it most likely is.

> [2009/08/14 18:22:24,  0] passdb/pdb_get_set.c:pdb_get_group_sid(210)
>  pdb_get_group_sid: Failed to find Unix account for DomAdmin
> [2009/08/14 18:22:24,  1] auth/auth_util.c:make_server_info_sam(562)
>  User DomAdmin in passdb, but getpwnam() fails!

I don't know why it is looking for a "DomAdmin" account. Perhaps your
directory is not fully initialized?  Loaded with the required users,
etc...

> Error: modifications require authentication at 
> /usr/share/perl5/smbldap_tools.pm line 1083.
> [2009/08/14 18:22:48,  0] 
> passdb/pdb_interface.c:pdb_default_create_user(336)
>  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -t 0 
> -w -i "hds$"' gave 127

I don't use smbldap-tools but this looks like they don't have sufficient
config to authenticate to the DSA.

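A small static check that mirrors the points raised in these replies (the obsolete "socket options" line, and a security mode that does not fit a Samba 3 NT-style PDC). This is an added example, not code from the thread or from the Samba project; the sample config is constructed from the poster's [global] section, and the rule that a domain-logons PDC needs "security = user" is Samba 3 behaviour, not something the thread states explicitly.

```python
import re

# Constructed sample: the relevant lines of the poster's [global] section.
SAMPLE_SMB_CONF = """
[global]
  workgroup = MY-DOMAIN
  security = ads
  realm = MY-DOMAIN
  domain logons = Yes
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  passdb backend = ldapsam:ldap://127.0.0.1/
  add machine script = /usr/sbin/smbldap-useradd -t 0 -w -i "%u"
[netlogon]
  path = /home/netlogon/
"""

def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased, whitespace-normalised."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or comment line
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:                                # new [section]
            current = m.group(1).lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections

def check_pdc_config(text):
    """Findings for a config that is meant to act as an NT-style PDC."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    if "socket options" in g:
        findings.append("socket options: obsolete tuning, remove it")
    logons = g.get("domain logons", "no").lower() in ("yes", "true", "1")
    if logons and g.get("security", "user").lower() != "user":
        findings.append("security = %s: a PDC with domain logons needs security = user" % g["security"])
    ams = g.get("add machine script", "")
    if ams and not ("-w" in ams and "%u" in ams):
        findings.append("add machine script: needs -w and the %u substitution")
    return findings

if __name__ == "__main__":
    for f in check_pdc_config(SAMPLE_SMB_CONF):
        print("-", f)
```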


[Samba] Samba PDC + OpenLDAP (Debian Lenny)

2009-08-16 Thread Henrik Dige Semark

Hey.
I'm trying to move my existing MS-AD over to SAMBA, the place I'm 
working for is changing all servers from MS to Debian, but all the 
clients are still a mixed environment for now.
We have Mac, *NIX, and Windows clients, so it's important that everything 
keeps running in the same or almost the same way as before the change.


When I try to join a Windows Vista Ultimate or Windows XP Pro to the 
domain it takes 30 sec and then it says "The machine account does not 
exist" but as I understand that is what
"add machine script = /usr/sbin/smbldap-useradd -t 0 -w -i "%u"" has to 
do right ?


I have pasted my config + log from OpenLDAP and SAMBA, can anybody see 
what I have done wrong


# cat /etc/samba/smb.conf
-
# Defining domain name, hostname

[global]
  workgroup = MY-DOMAIN
  netbios name = HDS-Linux - PDC
  server string = Debian Samba-PDC %v
  name resolve order = host bcast
  hosts allow = 192.168.1. 192.168.2. 127.
  wins support = yes

  # Network settings #
  #interfaces = 192.168.5.11
  #username map = /etc/samba/smbusers

  # Security #
  security = ads
  realm = MY-DOMAIN
  nt acl support = Yes
  enable privileges = yes
  encrypt passwords = Yes
  obey pam restrictions = Yes
  password server = my-server.my-domain
  #min passwd length = 5
  #pam password change = no

  # method 1:
  #unix password sync = no
  #ldap passwd sync = yes

  # method 2:
  unix password sync = No
  ldap passwd sync = Yes
  passwd program = /usr/sbin/smbldap-passwd -u "%u"
  passwd chat = "Skift kode: *\n Ny kode*" %n\n "*Gentag ny kode*" %n\n"


  # Log #
  log level = 1
  syslog = 1
  log file = /var/log/samba/samba_my-domain.log
  max log size = 10
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  mangling method = hash2
  Dos charset = 850
  Unix charset = ISO8859-1

  # Logon scripts #
  logon script = scripts/logon.bat
  logon path = \\%L\profile\%U
  logon drive = H:
  logon home = \\%L\%u

  # Server settings #
  time server = Yes
  domain logons = Yes
  domain master = Yes
  os level = 65
  preferred master = Yes

  # Winbind settings #
  winbind use default domain = yes
  winbind separator = %
  winbind uid = 1-21000
  winbind gid = 1-21000
  winbind enum users = yes
  winbind enum groups = yes
  template homedir = /home/%U

  # LDAP settings #
  # passdb backend = ldapsam:"ldap://ldap1.company.com ldap://ldap2.company.com"

  passdb backend = ldapsam:ldap://127.0.0.1/
  ldap admin dn = cn=admin,dc=domain,dc=dk
  ldap suffix = dc=domain,dc=dk
  ldap group suffix = ou=groups
  ldap user suffix = ou=people
  ldap machine suffix = ou=Computers
  ldap idmap suffix = ou=Idmap

  idmap uid = 1-21000
  idmap gid = 1-21000

  ldap ssl = No

  ldap delete dn = Yes
  add user script = /usr/sbin/smbldap-useradd -a -m "%u"
  add machine script = /usr/sbin/smbldap-useradd -t 0 -w -i "%u"
  add group script = /usr/sbin/smbldap-groupadd -p "%g"
  add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
  delete user script = /usr/sbin/smbldap-userdel "%u"
  delete group script = /usr/sbin/smbldap-groupdel "%g"
  delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"

  set primary group script = /usr/sbin/smbldap-usermod -g "%u" "%g"

  # printers configuration #
  printer admin = @"Print Operators"
  load printers = Yes
  create mask = 0640
  directory mask = 0750
  #force create mode = 0640
  #force directory mode = 0750
  printing = cups
  printcap name = cups
  deadtime = 10
  guest account = nobody
  map to guest = Bad User
  dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
  show add printer wizard = yes
  ; to maintain capital letters in shortcuts in any of the profile folders:

  preserve case = yes
  short preserve case = yes
  case sensitive = no

[netlogon]
  path = /home/netlogon/
  browseable = No
  read only = yes

[profiles]
  comment = Roaming Profiles
  #path = /var/lib/samba/profiles
  path = /home/profiles
  read only = no
  writeable = yes
  create mask = 0600
  directory mask = 0700
  browseable = No
  guest ok = Yes
  profile acls = yes
  csc policy = disable
  # next line is a great way to secure the profiles
  force user = %U
  # next line allows administrator to access all profiles
  valid users = %U "Domain Admins"

[printers]
  comment = Network Printers
  printer admin = @"Print Operators"
  guest ok = yes
  printable = yes
  path = /home/spool/
  browseable = No
  read only  =