Re: [Samba] PDC: System SID missing / inconsistent with domain SID

2013-08-26 Thread Eric Shubert

On 08/26/2013 01:21 PM, Eric Shubert wrote:

> I'm guessing that adding a TACS-DC record to the old host would fix the
> problem of not being able to get its SID.

This appears to work now.

> I'm also guessing that adding a LANYARD record to the new host *might*
> make it recognize that it's a domain controller. I hope to test this
> later today, when users are gone.


This didn't appear to help. The new DC still doesn't recognize itself as 
a DC:

# net rpc trustdom list -U shubes
Unable to find a suitable server for domain R3I
Couldn't connect to domain controller: NT_STATUS_UNSUCCESSFUL
#

I do have the SID of the domain/host that was created by this host. I 
wonder if restoring those records in secrets.tdb, then using the net 
command to change the SID of the domain and host might fix things up. 
Does the net setdomainsid command do anything more than change the value 
of the record in the tdb file? If it does, that could be a solution.


Anyone have any insight about how to go about changing the host name of 
a domain controller (while migrating it)?


Thanks.

--
-Eric 'shubes'

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] PDC: System SID missing / inconsistent with domain SID

2013-08-26 Thread Eric Shubert
I've recently come across the same situation, while migrating a 3.0.33 
PDC host to 3.6.9. I had renamed the old host some time ago from LANYARD 
to TACS-DC. The old host still functions fine, except for not being able 
to get its own SID.


Old DC host:
[root@tacs-dc samba]# net getdomainsid
Could not fetch local SID
[root@tacs-dc samba]# tdbdump secrets.tdb
{
key(19) = "SECRETS/DOMGUID/R3I"
data(16) = "\DF\DDA\01\F62\8CG\A8\80\B4\1CFM\1D\0B"
}
{
key(19) = "SECRETS/SID/LANYARD"
data(68) = "\01\04\00\00\00\00\00\05\15\00\00\00n\86\90\05\D9\D2\ED (...)"
}
{
key(15) = "SECRETS/SID/R3I"
data(68) = "\01\04\00\00\00\00\00\05\15\00\00\00n\86\90\05\D9\D2\ED (...)"
}
[root@tacs-dc samba]# net rpc trustdom list -U shubes
Password:
Trusted domains list:

none

Trusting domains list:

none
[root@tacs-dc samba]#


I've migrated everything (accounts, tdb files) to a new host, and 
changed the LANYARD record to TACS-DC in the secrets.tdb, which 
corresponds to the new hostname:

[root@tacs-dc private]# net getdomainsid
SID for local machine TACS-DC is: S-1-5-21-93357678-3857568473-1617xx
SID for domain R3I is: S-1-5-21-93357678-3857568473-1617xx
[root@tacs-dc private]# tdbdump secrets.tdb
{
key(19) = "SECRETS/DOMGUID/R3I"
data(16) = "\DF\DDA\01\F62\8CG\A8\80\B4\1CFM\1D\0B"
}
{
key(19) = "SECRETS/SID/TACS-DC"
data(68) = "\01\04\00\00\00\00\00\05\15\00\00\00n\86\90\05\D9\D2\ED (...)"
}
{
key(15) = "SECRETS/SID/R3I"
data(68) = "\01\04\00\00\00\00\00\05\15\00\00\00n\86\90\05\D9\D2\ED (...)"
}
[root@tacs-dc private]# net rpc trustdom list -U shubes
Unable to find a suitable server for domain R3I
Couldn't connect to domain controller: NT_STATUS_UNSUCCESSFUL
[root@tacs-dc private]#

Everything appears to be working, except that the new host isn't 
recognized as a domain controller. Note that workstations are able to 
log on to the domain using the new DC host though.


I'm guessing that adding a TACS-DC record to the old host would fix the 
problem of not being able to get its SID.


I'm also guessing that adding a LANYARD record to the new host *might* 
make it recognize that it's a domain controller. I hope to test this 
later today, when users are gone.


It appears to me that the original host name which created the domain is 
stored in some way somewhere else (I see it in the USER_ records in the 
passdb.tdb file). If so, can this somehow be changed? The documentation 
I've found all says how to migrate to another host keeping the host name 
the same, but I haven't been able to find anything about changing the 
host name.


Does anyone have any other ideas why this new host isn't being 
recognized as a DC?


Thanks.

--
-Eric 'shubes'

On 04/29/2010 03:08 AM, Frank Stanek wrote:

Hello,

I recently noticed a problem on our PDC (samba 3.0.32
on SLES 10 SP2) which I kind of know how to solve after
web research but I am unclear about the possible
consequences for our domain and clients.

The situation is this:
Originally samba was set up on this machine to test. Back
then its hostname was infrahostnew, so there is a SID for
that NETBIOS name in secrets.tdb. When the PDC went in
production, we had to change the hostname to infrahost.
We then provisioned our domain MYDOMAIN. Now there is also
a SID for MYDOMAIN in secrets.tdb which is different than
the SID of infrahostnew. Also there is no SID at all for
the new NETBIOS name infrahost. This causes for example
net getlocalsid to fail.

My research suggests that the NETBIOS name SID of the PDC
infrahost should be the same as the domain SID, is that
correct? Also, I found an article that dealt with inconsistent
SIDs; it suggested to set the NETBIOS SID to be the same
as the domain SID. But this article dealt with the case
that there actually _is_ a NETBIOS SID in secrets.tdb but
it's not the same as the domain SID. This is not our case
however since there is no SID at all for the NETBIOS name.

We haven't noticed any problems because of this at all,
I just stumbled upon it when I went to check the SIDs
routinely. How would you suggest I proceed in this situation?
Should we set the NETBIOS SID to be the same as the domain
SID with net setlocalsid? What possible consequences could
there be? We are very concerned that this may introduce problems
for our clients that we don't have at the moment. But I
wouldn't like to keep things in an inconsistent state like
this either.

I'd be glad for any insights.

Regards
Frank
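
Added example, not from any poster in this thread: the comparison made by eye above (is there a SECRETS/SID/ record for the current NetBIOS name, and does it equal the domain SID?) run over tdbdump text output. OLDHOST, NEWHOST, MYDOM and the sample SID are constructed; the 68-byte layout (revision, count, 6-byte authority, 15 sub-authority slots) is an assumption that agrees with the dump above, where `n\86\90\05` decodes to 93357678.

```python
import re
import struct

# tdbdump prints every record as key(N) = "..." followed by data(N) = "...".
RECORD_RE = re.compile(r'key\(\d+\) = "(.*)"\s*data\((\d+)\) = "(.*)"')
SID_PREFIX = "SECRETS/SID/"

# Constructed sample (made-up SID, hypothetical names OLDHOST and MYDOM): the
# host record still sits under the old NetBIOS name after a rename.
PAD = r"\00" * 44  # unused sub-authority slots of the fixed 68-byte record
BLOB = r"\01\04\00\00\00\00\00\05\15\00\00\00DCBA\02\00\00\00\03\00\00\00" + PAD
SAMPLE_DUMP = (
    '{\nkey(19) = "SECRETS/SID/OLDHOST"\ndata(68) = "' + BLOB + '"\n}\n'
    '{\nkey(17) = "SECRETS/SID/MYDOM"\ndata(68) = "' + BLOB + '"\n}\n'
)


def unescape(text):
    """Undo tdbdump escaping: \\XX is one byte in hex, any other char is literal."""
    out = bytearray()
    i = 0
    while i < len(text):
        if text[i] == "\\":
            out.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            out += text[i].encode("latin-1")
            i += 1
    return bytes(out)


def decode_sid(blob):
    """Binary SID: revision, sub-authority count, 6-byte big-endian authority,
    then little-endian 32-bit sub-authorities (unused slots are zero padding)."""
    if len(blob) < 8 or blob[1] > 15 or len(blob) < 8 + 4 * blob[1]:
        raise ValueError("not a complete SID record")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % blob[1], blob, 8)
    return "-".join(["S", str(blob[0]), str(authority)] + [str(s) for s in subs])


def parse_sids(dump):
    """Map each SECRETS/SID/<NAME> record to its SID string, or to None when
    the record is cut short (for example a dump pasted with '(...)')."""
    sids = {}
    for key, length, data in RECORD_RE.findall(dump):
        if not key.startswith(SID_PREFIX):
            continue
        try:
            blob = unescape(data)
            sid = decode_sid(blob) if len(blob) == int(length) else None
        except ValueError:
            sid = None
        sids[key[len(SID_PREFIX):].upper()] = sid
    return sids


def check_host_sid(dump, netbios_name, domain):
    """Return 'missing', 'unreadable', 'mismatch' or 'ok' for the host record."""
    sids = parse_sids(dump)
    if netbios_name.upper() not in sids:
        return "missing"
    host, dom = sids[netbios_name.upper()], sids.get(domain.upper())
    if host is None or dom is None:
        return "unreadable"
    return "ok" if host == dom else "mismatch"


if __name__ == "__main__":
    for name, sid in parse_sids(SAMPLE_DUMP).items():
        print(name, sid)
    for host in ("OLDHOST", "NEWHOST"):
        print(host, check_host_sid(SAMPLE_DUMP, host, "MYDOM"))
```
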







Re: [Samba] PDC: "The trust relationship ... failed" from the beginning

2013-04-29 Thread Sreejith ir
Hiii

Were you able to resolve the issue?
Thanks for the reply

-Sreejith


Re: [Samba] PDC: "The trust relationship ... failed" from the beginning

2013-01-28 Thread Eimac Dude

On 1/24/2013 7:31 PM, Nico Kadel-Garcia wrote:

> On Thu, Jan 24, 2013 at 8:57 PM, Eimac Dude  wrote:
>> Brought in a new Windows 7 64-bit machine and that one works... So it seems
>> to be a Windows configuration issue, but what other settings could possibly
>> cause this authentication failure? The new machine is a recent clean install
>> and uses MSE as antivirus, whereas the older workstations use AVG and
>> Ad-Aware. But I doubt the antivirus could cause the difference. And I don't
>> see any difference in the network configuration of the machines. Any
>> suggestions? I can't simply replace all Windows clients on our network...
>
> The new machine has a new hostname? Are they both statically
> configured in DNS? Do they both have all the system patches? And have
> you tried yanking out AVG and replacing it with MSE?

All have same new patches. The new machine has a different hostname. But 
I've also tried changing the hostname of the old machine... The only 
thing I didn't test yet is removing AVG.



Re: [Samba] PDC: "The trust relationship ... failed" from the beginning

2013-01-28 Thread Moray Henderson
> From: Eimac Dude [mailto:eimacd...@aol.com]
> Sent: 24 January 2013 19:43
> To: samba@lists.samba.org
> Subject: [Samba] PDC: "The trust relationship ... failed" from the
> beginning
> 
> Hi,
> 
> When I try a net logon from Windows 7 64-bit Business (don't have any
> other Windows machines), I get "The trust relationship between this
> workstation and the primary domain failed". The discussion I've found
> around the Web regarding this error message seems to be only in the
> context of the 30 day password expiry issue, where the solution is to
> simply rejoin the domain. Unfortunately, I have this problem *always*,
> and rejoining does not help. I have not been able to do a net login at
> all, from the first time I tried. At the same time, there's no problem
> accessing the Samba shares by going to \\SMB in Windows Explorer and
> logging in with the same user accounts.
> 
> # smbstatus
> Samba version 3.6.7-48.12.1-2831-SUSE-SL12.2-x86_64
> 
> The LAN is on 172.16. and the Samba machine is also the LAN's DNS
> server; not using LDAP.
> 
> We had been using Samba for simple file sharing, with no domain
> functionality enabled, and with the Windows machines on the network
> configured as members of the workgroup. We recently decided to set
> Samba as a PDC and support roaming profiles, and have been blocked by
> this trust error.
> 
> I made some changes to smb.conf, which can be seen here:
> http://pastebin.com/raw.php?i=qKvQq3W2
> 
> The profiles directory was chmod 2775 and its group changed from root
> to users. The netlogon directory is 755. Initially, in smb.conf the
> name resolve order was starting with dns, but Windows 7 kept giving me
> an error about not finding the domain when I tried to change from
> workgroup to domain, so I took that out and set wins as the first item
> in the list.
> 
> # cat /etc/samba/smbusers:
> root = administrator Administrator admin
> nobody = guest pcguest smbguest
> 
> I added root to smbpasswd. I also executed the following:
> 
> net groupmap add ntgroup="Domain Admins" unixgroup=root rid=512 type=d
> net groupmap add ntgroup="Domain Users"  unixgroup=users rid=513 type=d
> net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d
> net rpc rights grant -U root "URBASE\Domain Admins"
> SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege
> SeDiskOperatorPrivilege SeRemoteShutdownPrivilege
> 
> The Windows machines are configured as specified on
> wiki.samba.org/index.php/Windows7 (that is, I only edited
> DomainCompatibilityMode and DNSNameResolutionRequired). Changing from
> workgroup to domain and rebooting, then trying to log in with one of
> the SMB users gives me the "The trust relationship between this
> workstation and the primary domain failed" error. I can only log into
> the local machine account. If, instead of changing from workgroup to
> domain directly, I try to use the network ID wizard, it eventually
> leads to the same error when it tries to set up the domain user.
> Looking at /etc/samba/smbpasswd, the machine account shows up there so
> the add machine script seems to be working; however,
> 
> # tail /var/log/samba/log.smbd
> [2013/01/23 14:26:16.350332, 0]
> rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
> _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
> Rejecting auth request from client BRIX machine account BRIX$
> [2013/01/23 14:26:16.352562, 0]
> rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
> _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
> Rejecting auth request from client BRIX machine account BRIX$
> [2013/01/23 14:37:22.518159, 0]
> rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
> _netr_ServerAuthenticate3: netlogon_creds_server_check failed.
> Rejecting auth request from client BRIX machine account BRIX$
> 
> Why is it not working? I don't know how to troubleshoot this. I've
> tried removing the machine from the domain then taking it out of
> smbpasswd and the Unix accounts, and then rejoining, but same errors. I
> tried manually adding the IP address in the Windows machine's WINS
> setting, but it doesn't make a difference.
> 
> One thing I'm unsure of is the DNS suffixes thing which seems to be
> mentioned on some sites in association with this. In the Windows
> clients, under "Append these DNS suffixes (in order)" we've normally
> had as suffix the DNS master zone for the LAN, which is different from
> the domain name in smb.conf -- if that matters at all given joining the
> domain should be using WINS instead of DNS for name resolution. I tried
> adding the domain in there anyway, but it doesn't help.
> 
> Can anyone kindly help? I've asked on a couple of other forums but to
> no avail...
> 
> 

Are the clocks synchronised between the 2 machines?  According to 

http://community.spiceworks.com/topic/170347-trust-relationship-between-this-workstation-and-primary-domain-failed

clock discrepancy can be one 

Re: [Samba] PDC: "The trust relationship ... failed" from the beginning

2013-01-24 Thread Nico Kadel-Garcia
On Thu, Jan 24, 2013 at 8:57 PM, Eimac Dude  wrote:
> Brought in a new Windows 7 64-bit machine and that one works... So it seems
> to be a Windows configuration issue, but what other settings could possibly
> cause this authentication failure? The new machine is a recent clean install
> and uses MSE as antivirus, whereas the older workstations use AVG and
> Ad-Aware. But I doubt the antivirus could cause the difference. And I don't
> see any difference in the network configuration of the machines. Any
> suggestions? I can't simply replace all Windows clients on our network...

The new machine has a new hostname? Are they both statically
configured in DNS? Do they both have all the system patches? And have
you tried yanking out AVG and replacing it with MSE?


Re: [Samba] PDC: "The trust relationship ... failed" from the beginning

2013-01-24 Thread Eimac Dude
Brought in a new Windows 7 64-bit machine and that one works... So it 
seems to be a Windows configuration issue, but what other settings could 
possibly cause this authentication failure? The new machine is a recent 
clean install and uses MSE as antivirus, whereas the older workstations 
use AVG and Ad-Aware. But I doubt the antivirus could cause the 
difference. And I don't see any difference in the network configuration 
of the machines. Any suggestions? I can't simply replace all Windows 
clients on our network...


On 1/24/2013 11:43 AM, Eimac Dude wrote:

Hi,

When I try a net logon from Windows 7 64-bit Business (don't have any 
other Windows machines), I get "The trust relationship between this 
workstation and the primary domain failed". The discussion I've found 
around the Web regarding this error message seems to be only in the 
context of the 30 day password expiry issue, where the solution is to 
simply rejoin the domain. Unfortunately, I have this problem *always*, 
and rejoining does not help. I have not been able to do a net login at 
all, from the first time I tried. At the same time, there's no problem 
accessing the Samba shares by going to \\SMB in Windows Explorer and 
logging in with the same user accounts.


# smbstatus
Samba version 3.6.7-48.12.1-2831-SUSE-SL12.2-x86_64

The LAN is on 172.16. and the Samba machine is also the LAN's DNS 
server; not using LDAP.


We had been using Samba for simple file sharing, with no domain 
functionality enabled, and with the Windows machines on the network 
configured as members of the workgroup. We recently decided to set 
Samba as a PDC and support roaming profiles, and have been blocked by 
this trust error.


I made some changes to smb.conf, which can be seen here: 
http://pastebin.com/raw.php?i=qKvQq3W2


The profiles directory was chmod 2775 and its group changed from root 
to users. The netlogon directory is 755. Initially, in smb.conf the 
name resolve order was starting with dns, but Windows 7 kept giving me 
an error about not finding the domain when I tried to change from 
workgroup to domain, so I took that out and set wins as the first item 
in the list.


# cat /etc/samba/smbusers:
root = administrator Administrator admin
nobody = guest pcguest smbguest

I added root to smbpasswd. I also executed the following:

net groupmap add ntgroup="Domain Admins" unixgroup=root rid=512 type=d
net groupmap add ntgroup="Domain Users"  unixgroup=users rid=513 type=d
net groupmap add ntgroup="Domain Guests" unixgroup=nobody rid=514 type=d
net rpc rights grant -U root "URBASE\Domain Admins" 
SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege 
SeDiskOperatorPrivilege SeRemoteShutdownPrivilege


The Windows machines are configured as specified on 
wiki.samba.org/index.php/Windows7 (that is, I only edited 
DomainCompatibilityMode and DNSNameResolutionRequired). Changing from 
workgroup to domain and rebooting, then trying to log in with one of 
the SMB users gives me the "The trust relationship between this 
workstation and the primary domain failed" error. I can only log into 
the local machine account. If, instead of changing from workgroup to 
domain directly, I try to use the network ID wizard, it eventually 
leads to the same error when it tries to set up the domain user. 
Looking at /etc/samba/smbpasswd, the machine account shows up there so 
the add machine script seems to be working; however,


# tail /var/log/samba/log.smbd
[2013/01/23 14:26:16.350332, 0] 
rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. 
Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:26:16.352562, 0] 
rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. 
Rejecting auth request from client BRIX machine account BRIX$
[2013/01/23 14:37:22.518159, 0] 
rpc_server/netlogon/srv_netlog_nt.c:976(_netr_ServerAuthenticate3)
_netr_ServerAuthenticate3: netlogon_creds_server_check failed. 
Rejecting auth request from client BRIX machine account BRIX$


Why is it not working? I don't know how to troubleshoot this. I've 
tried removing the machine from the domain then taking it out of 
smbpasswd and the Unix accounts, and then rejoining, but same errors. 
I tried manually adding the IP address in the Windows machine's WINS 
setting, but it doesn't make a difference.


One thing I'm unsure of is the DNS suffixes thing which seems to be 
mentioned on some sites in association with this. In the Windows 
clients, under "Append these DNS suffixes (in order)" we've normally 
had as suffix the DNS master zone for the LAN, which is different from 
the domain name in smb.conf -- if that matters at all given joining 
the domain should be using WINS instead of DNS for name resolution. I 
tried adding the domain in there anyway, but it doesn't help.


Can anyone kindly help? I've asked on a coupl

Re: [Samba] PDC and BDCs : net rpc testjoin

2012-10-23 Thread Gémes Géza

On 2012-10-23 23:52, Michael Wood wrote:

Hi Marcio

On 23 October 2012 21:01, Marcio Oli  wrote:

Ok Michalel, thanks.

But is not clear to me yet.
The samba PDCs and BDCs have obligation to be joined to domain?
In other words, I need to type a manual linux command within Samba Domain
Controllers (like: # net rpc join [DOMAIN] -U AdminUserofDomain) .

I think Geza was saying that you do (for Samba 3), but I have not run
a Samba 3 PDC/BDC before, so I am not the one to answer that question.


OK

First: Thanks Michael for correcting my typo
Second: For Samba3 PDC/BDC there is no need to be joined to the domain, 
if you do not plan to use winbind on them (e.g. for trusted domains, or 
ldapsam:editposix stuff)


Hope that is clearer now.

Regards,
Marcio.

2012/10/23 Michael Wood 

Hi

On 23 October 2012 16:48, Marcio Oli  wrote:

Thanks Gémes!

 I'sorry about my ignorance, but what is a aka classic domain?

"aka classic domain now" (I think Geza meant to say "now" instead of
"not") means that the type of domain that Samba3 implements is now
"also known as" a "classic domain".

I hope my explanation helps :)


 My samba version is 3.5.10-116.el6_2.
 OS: Red Hat Enterprise Linux Server release 6.2 / Linux
2.6.32-131.6.1.el6.x86_64

Best regards,

Marcio Oliveira.

2012/10/23 Gémes Géza 


On 2012-10-22 20:10, Marcio Oli wrote:

I think the question is simple, so anybody could help me with
this?

   The questions are:

1. The samba PDCs and BDCs have obligation to be joined to domain?


In a samba3 (aka classic domain not)

[...]

--
Michael Wood 

--
Marcio Oliveira.
"All things work together for the good of those who love God." (Rom 8,28)

Regards

Geza Gemes


Re: [Samba] PDC and BDCs : net rpc testjoin

2012-10-23 Thread Michael Wood
Hi Marcio

On 23 October 2012 21:01, Marcio Oli  wrote:
> Ok Michalel, thanks.
>
> But is not clear to me yet.
> The samba PDCs and BDCs have obligation to be joined to domain?
> In other words, I need to type a manual linux command within Samba Domain
> Controllers (like: # net rpc join [DOMAIN] -U AdminUserofDomain) .

I think Geza was saying that you do (for Samba 3), but I have not run
a Samba 3 PDC/BDC before, so I am not the one to answer that question.

> Regards,
> Marcio.
>
> 2012/10/23 Michael Wood 
>>
>> Hi
>>
>> On 23 October 2012 16:48, Marcio Oli  wrote:
>> > Thanks Gémes!
>> >
>> > I'sorry about my ignorance, but what is a aka classic domain?
>>
>> "aka classic domain now" (I think Geza meant to say "now" instead of
>> "not") means that the type of domain that Samba3 implements is now
>> "also known as" a "classic domain".
>>
>> I hope my explanation helps :)
>>
>> > My samba version is 3.5.10-116.el6_2.
>> > OS: Red Hat Enterprise Linux Server release 6.2 / Linux
>> > 2.6.32-131.6.1.el6.x86_64
>> >
>> > Best regards,
>> >
>> > Marcio Oliveira.
>> >
>> > 2012/10/23 Gémes Géza 
>> >
>> >> On 2012-10-22 20:10, Marcio Oli wrote:
>> >>
>> >>I think the question is simple, so anybody could help me with
>> >> this?
>> >>>   The questions are:
>> >>>
>> >>> 1. The samba PDCs and BDCs have obligation to be joined to domain?
>> >>>
>> >> In a samba3 (aka classic domain not)
>> [...]
>>
>> --
>> Michael Wood 
>
> --
> Marcio Oliveira.
> "All things work together for the good of those who love God." (Rom 8,28)

-- 
Michael Wood 


Re: [Samba] PDC and BDCs : net rpc testjoin

2012-10-23 Thread Michael Wood
Hi

On 23 October 2012 16:48, Marcio Oli  wrote:
> Thanks Gémes!
>
> I'sorry about my ignorance, but what is a aka classic domain?

"aka classic domain now" (I think Geza meant to say "now" instead of
"not") means that the type of domain that Samba3 implements is now
"also known as" a "classic domain".

I hope my explanation helps :)

> My samba version is 3.5.10-116.el6_2.
> OS: Red Hat Enterprise Linux Server release 6.2 / Linux
> 2.6.32-131.6.1.el6.x86_64
>
> Best regards,
>
> Marcio Oliveira.
>
> 2012/10/23 Gémes Géza 
>
>> On 2012-10-22 20:10, Marcio Oli wrote:
>>
>>I think the question is simple, so anybody could help me with this?
>>>   The questions are:
>>>
>>> 1. The samba PDCs and BDCs have obligation to be joined to domain?
>>>
>> In a samba3 (aka classic domain not)
[...]

-- 
Michael Wood 


Re: [Samba] PDC and BDCs : net rpc testjoin

2012-10-23 Thread Marcio Oli
Thanks Gémes!

I'sorry about my ignorance, but what is a aka classic domain?
My samba version is 3.5.10-116.el6_2.
OS: Red Hat Enterprise Linux Server release 6.2 / Linux
2.6.32-131.6.1.el6.x86_64

Best regards,

Marcio Oliveira.

2012/10/23 Gémes Géza 

> On 2012-10-22 20:10, Marcio Oli wrote:
>
>I think the question is simple, so anybody could help me with this?
>>   The questions are:
>>
>> 1. The samba PDCs and BDCs have obligation to be joined to domain?
>>
> In a samba3 (aka classic domain not)
>
>
>> 2. The "net rpc testjoin" command must to return OK in this case?
>>
> IF joined yes
>
>
>>
>> Thanks,
>> Marcio Oliveira
>>
>>
>> 2012/10/19 Marcio Oli 
>>
>>  People,
>>>
>>>
>>>  I have one PDC and a BDC on the matrix side and two BDCs on the
>>> branch
>>> office.
>>>
>>>  I don't know if it is a problem. Anybody could help me?
>>>
>>> PDC # net rpc testjoin
>>> get_schannel_session_key: could not fetch trust account password for
>>> domain 'DOMAIN_NAME'
>>> net_rpc_join_ok: failed to get schannel session key from server PDC for
>>> domain DOMAIN_NAME. Error was NT_STATUS_CANT_ACCESS_DOMAIN_**INFO
>>> Join to domain 'DOMAIN_NAME' is not valid:
>>> NT_STATUS_CANT_ACCESS_DOMAIN_**INFO
>>>
>>> BDCs # net rpc testjoin
>>> net_rpc_join_ok: failed to get schannel session key from server PDC for
>>> domain DOMAIN_NAME. Error was NT_STATUS_ACCESS_DENIED
>>> Join to domain 'DOMAIN_NAME' is not valid: NT_STATUS_ACCESS_DENIED
>>>
>>> What should I do to solve these problems?
>>>
>>>
>>> Thanks,
>>> --
>>> Marcio Oliveira.
>>> "All things work together for the good of those who love God." (Rom 8,28)
>>>
>>>
>>
>>



-- 
Marcio Oliveira.
"All things work together for the good of those who love God." (Rom 8,28)


Re: [Samba] PDC and BDCs : net rpc testjoin

2012-10-22 Thread Gémes Géza

On 2012-10-22 20:10, Marcio Oli wrote:

> I think the question is simple, so anybody could help me with this?
> The questions are:
>
> 1. The samba PDCs and BDCs have obligation to be joined to domain?

In a samba3 (aka classic domain not)

> 2. The "net rpc testjoin" command must to return OK in this case?

IF joined yes



Thanks,
Marcio Oliveira


2012/10/19 Marcio Oli 


People,


 I have one PDC and a BDC on the matrix side and two BDCs on the branch
office.

 I don't know if it is a problem. Anybody could help me?

PDC # net rpc testjoin
get_schannel_session_key: could not fetch trust account password for
domain 'DOMAIN_NAME'
net_rpc_join_ok: failed to get schannel session key from server PDC for
domain DOMAIN_NAME. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
Join to domain 'DOMAIN_NAME' is not valid:
NT_STATUS_CANT_ACCESS_DOMAIN_INFO

BDCs # net rpc testjoin
net_rpc_join_ok: failed to get schannel session key from server PDC for
domain DOMAIN_NAME. Error was NT_STATUS_ACCESS_DENIED
Join to domain 'DOMAIN_NAME' is not valid: NT_STATUS_ACCESS_DENIED

What should I do to solve these problems?


Thanks,
--
Marcio Oliveira.
"All things work together for the good of those who love God." (Rom 8,28)








Re: [Samba] PDC and BDCs : net rpc testjoin

2012-10-22 Thread Marcio Oli
 I think the question is simple, so anybody could help me with this?
 The questions are:

1. The samba PDCs and BDCs have obligation to be joined to domain?

2. The "net rpc testjoin" command must to return OK in this case?


Thanks,
Marcio Oliveira


2012/10/19 Marcio Oli 

> People,
>
>
> I have one PDC and a BDC on the matrix side and two BDCs on the branch
> office.
>
> I don't know if it is a problem. Anybody could help me?
>
> PDC # net rpc testjoin
> get_schannel_session_key: could not fetch trust account password for
> domain 'DOMAIN_NAME'
> net_rpc_join_ok: failed to get schannel session key from server PDC for
> domain DOMAIN_NAME. Error was NT_STATUS_CANT_ACCESS_DOMAIN_INFO
> Join to domain 'DOMAIN_NAME' is not valid:
> NT_STATUS_CANT_ACCESS_DOMAIN_INFO
>
> BDCs # net rpc testjoin
> net_rpc_join_ok: failed to get schannel session key from server PDC for
> domain DOMAIN_NAME. Error was NT_STATUS_ACCESS_DENIED
> Join to domain 'DOMAIN_NAME' is not valid: NT_STATUS_ACCESS_DENIED
>
> What should I do to solve these problems?
>
>
> Thanks,
> --
> Marcio Oliveira.
> "All things work together for the good of those who love God." (Rom 8,28)
>



-- 
Marcio Oliveira.
"All things work together for the good of those who love God." (Rom 8,28)


Re: [Samba] PDC How to change workstation setting?

2012-05-29 Thread Alberto Moreno
Will be easy, but I don't want to install something that I normally
don't use to just change 1 field.
But appreciated your input thanks!!!

On Mon, May 28, 2012 at 1:37 PM, John Drescher  wrote:
>> Got it, I will give a try, thanks!!!
>>
> One easy way to do that is Ldap account manager.
>
> http://www.ldap-account-manager.org/lamcms/changelog
>
> John



-- 
LIving the dream...


Re: [Samba] PDC How to change workstation setting?

2012-05-28 Thread John Drescher
> Got it, I will give a try, thanks!!!
>
One easy way to do that is Ldap account manager.

http://www.ldap-account-manager.org/lamcms/changelog

John


Re: [Samba] PDC How to change workstation setting?

2012-05-28 Thread Alberto Moreno
On Mon, May 28, 2012 at 2:07 AM, Andrew Bartlett  wrote:
> On Sun, 2012-05-27 at 21:15 -0700, Alberto Moreno wrote:
>> Maybe I wasn't clear.
>>
>> In a NT4 domain, u have a option to setup on which machines a user can
>> login, this way u can know that a X user can only use his own
>> computer.
>>
>> Once u migrate NT4 to SAMBA-LDAP, that setting goes to "Workstation" field.
>>
>> check this:
>>
>> pdbedit -L -v -u user1
>> smbldap_search_domain_info: Searching
>> for:[(&(objectClass=sambaDomain)(sambaDomainName=X))]
>> smbldap_open_connection: connection opened
>> ldap_connect_system: successful connection to the LDAP server
>> init_sam_from_ldap: Entry found for user: itello
>> Unix username:        user1
>> NT username:          user1
>> Account Flags:        [U          ]
>> User SID:             XXX
>> Primary Group SID:    XXX
>> Full Name:            One User
>> Home Directory:
>> HomeDir Drive:        O:
>> Logon Script:         /sbin/nologin
>> Profile Path:
>> Domain:               XXX
>> Account desc:        kITCHEN
>> Workstations:         MACHINE-X  <<<=
>> Munged dial:
>> Logon time:           Tue, 04 Jan 2011 07:08:28 PST
>> Logoff time:          never
>> Kickoff time:         never
>> Password last set:    Sat, 26 May 2012 13:07:23 PDT
>> Password can change:  Sat, 26 May 2012 13:07:23 PDT
>> Password must change: never
>> Last bad password   : 0
>> Bad password count  : 0
>> Logon hours         : FF
>>
>> As u can see the field Workstations it means that this user can only
>> login on this machine on this domain.
>> How can I change that field?
>
> If you are using LDAP, the easy option might be to change it directly in
> LDAP - just remove the ldap attribute.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
>

Got it, I will give a try, thanks!!!

-- 
LIving the dream...

Re: [Samba] PDC How to change workstation setting?

2012-05-28 Thread Andrew Bartlett
On Sun, 2012-05-27 at 21:15 -0700, Alberto Moreno wrote:
> Maybe I wasn't clear.
> 
> In a NT4 domain, u have a option to setup on which machines a user can
> login, this way u can know that a X user can only use his own
> computer.
> 
> Once u migrate NT4 to SAMBA-LDAP, that setting goes to "Workstation" field.
> 
> check this:
> 
> pdbedit -L -v -u user1
> smbldap_search_domain_info: Searching
> for:[(&(objectClass=sambaDomain)(sambaDomainName=X))]
> smbldap_open_connection: connection opened
> ldap_connect_system: successful connection to the LDAP server
> init_sam_from_ldap: Entry found for user: itello
> Unix username:        user1
> NT username:          user1
> Account Flags:        [U          ]
> User SID:             XXX
> Primary Group SID:    XXX
> Full Name:            One User
> Home Directory:
> HomeDir Drive:        O:
> Logon Script:         /sbin/nologin
> Profile Path:
> Domain:               XXX
> Account desc:         kITCHEN
> Workstations:         MACHINE-X  <<<=
> Munged dial:
> Logon time:           Tue, 04 Jan 2011 07:08:28 PST
> Logoff time:          never
> Kickoff time:         never
> Password last set:    Sat, 26 May 2012 13:07:23 PDT
> Password can change:  Sat, 26 May 2012 13:07:23 PDT
> Password must change: never
> Last bad password   : 0
> Bad password count  : 0
> Logon hours         : FF
> 
> As u can see the field Workstations it means that this user can only
> login on this machine on this domain.
> How can I change that field?

If you are using LDAP, the easy option might be to change it directly in
LDAP - just remove the ldap attribute.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org

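The suggestion above (remove the LDAP attribute), as an added example that is not part of the thread: it parses `pdbedit -L -v` output, lists the accounts whose Workstations field is set, and writes LDIF that deletes the attribute for them. `sambaUserWorkstations` is the attribute name in Samba's LDAP schema; the `uid=...,ou=People,dc=example,dc=com` entry layout and the sample listing are assumptions made for illustration.

```python
"""Find accounts restricted to named workstations in `pdbedit -L -v` output."""
import re

RECORD_START = "Unix username"
WANTED = (RECORD_START, "Account Flags", "Workstations")

# Constructed sample: debug chatter, separator lines, an unrestricted account
# and a username that needs escaping inside a DN.
SAMPLE = """\
smbldap_open_connection: connection opened
init_sam_from_ldap: Entry found for user: user1
Unix username:        user1
NT username:          user1
Account Flags:        [U          ]
Workstations:         MACHINE-X
Logon time:           Tue, 04 Jan 2011 07:08:28 PST
---------------
Unix username:        user2
Account Flags:        [U          ]
Workstations:
---------------
Unix username:        smith,j
Account Flags:        [UX         ]
Workstations:         FRONTDESK, KITCHEN-PC
"""


def parse_pdbedit(text):
    """Return one dict per account; debug and separator lines are ignored."""
    records, current = [], None
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # values may contain ':' too
        key, value = key.strip(), value.strip()
        if not sep:
            continue
        if key == RECORD_START:
            current = {}
            records.append(current)
        if current is not None and key in WANTED:
            current[key] = value
    return records


def restricted_accounts(records):
    """Return (username, [workstations]) for accounts with a non-empty list."""
    result = []
    for rec in records:
        raw = rec.get("Workstations", "")
        names = [w.strip() for w in raw.split(",") if w.strip()]
        if names:
            result.append((rec[RECORD_START], names))
    return result


def escape_rdn_value(value):
    """Escape RFC 4514 special characters so the value is safe inside a DN."""
    out = re.sub(r'([,+"\\<>;=])', r"\\\1", value)
    if out.startswith("#"):
        out = "\\" + out
    return out


def removal_ldif(usernames, base_dn):
    """Build LDIF that deletes sambaUserWorkstations from each user's entry.

    Assumes entries are named uid=<username>,<base_dn> (hypothetical layout).
    """
    entries = []
    for name in usernames:
        entries.append(
            f"dn: uid={escape_rdn_value(name)},{base_dn}\n"
            "changetype: modify\n"
            "delete: sambaUserWorkstations\n"
            "-\n"
        )
    return "\n".join(entries)


if __name__ == "__main__":
    found = restricted_accounts(parse_pdbedit(SAMPLE))
    for user, machines in found:
        print(f"{user}: logon limited to {', '.join(machines)}")
    print(removal_ldif([u for u, _ in found], "ou=People,dc=example,dc=com"))
```

Review the generated LDIF before applying it with `ldapmodify` against the writable LDAP server, then re-run `pdbedit -L -v -u <user>` to confirm the Workstations field is empty.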


Re: [Samba] PDC How to change workstation setting?

2012-05-27 Thread Alberto Moreno
Maybe I wasn't clear.

In a NT4 domain, u have a option to setup on which machines a user can
login, this way u can know that a X user can only use his own
computer.

Once u migrate NT4 to SAMBA-LDAP, that setting goes to "Workstation" field.

check this:

pdbedit -L -v -u user1
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=X))]
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
init_sam_from_ldap: Entry found for user: itello
Unix username:        user1
NT username:          user1
Account Flags:        [U          ]
User SID:             XXX
Primary Group SID:    XXX
Full Name:            One User
Home Directory:
HomeDir Drive:        O:
Logon Script:         /sbin/nologin
Profile Path:
Domain:               XXX
Account desc:         kITCHEN
Workstations:         MACHINE-X  <<<=
Munged dial:
Logon time:           Tue, 04 Jan 2011 07:08:28 PST
Logoff time:          never
Kickoff time:         never
Password last set:    Sat, 26 May 2012 13:07:23 PDT
Password can change:  Sat, 26 May 2012 13:07:23 PDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FF

As u can see the field Workstations it means that this user can only
login on this machine on this domain.
How can I change that field?

Thanks!!!

On Sun, May 27, 2012 at 4:41 PM, Dewayne Geraghty
 wrote:
> If you're asking where on the PC, its in Control Panel-> System -> Computer
> Name -> Change button.  This will help you to connect to the samba domain;
> but there is a lot more that you'll need.
>
> Also I'd recommend going to the samba 3.6 series, as there are
> configuration changes that you'll need to make from samba 3.3 to the more
> recent stream.
>
> Unfortunately you'll need to be clearer on what your problem is.
>
> Regards, Dewayne.
>



-- 
LIving the dream...

Re: [Samba] PDC and Windows 2003 R2

2012-03-16 Thread Bob Miller
To do cross-subnet domain control you will need to use WINS


On Fri, 2012-03-16 at 19:57 -0300, jp_listero wrote:
> Hi,
> 
> I need to join a windows 2003 R2 to a samba (3.5.7-3.5.1) PDC through
> a cisco VPN ... (nice!).
> The error at the windows :
> 
> "A doming controller for the domain MyDomain could not be contacted"
> 
> any ideas ?
> 
> thanks !
> Jp

-- 
Bob Miller
867-334-7117 / 867-633-3760
http://computerisms.ca
b...@computerisms.ca
Network, Internet, Server,
and Open Source Solutions



Re: [Samba] PDC & file server on same machine?

2011-12-12 Thread Gaiseric Vandal
Windows clients will give preference to a BDC (if available) when 
selecting a logon server over a PDC.


On 12/08/2011 08:36 AM, Aaron E. wrote:
I have a s3.4 pdc with a bdc,, pdc is serving around 80 users on 
terminal services and another 50 fat clients,,, acts as the file 
server.. roaming profiles etc... I have no issues other than the 
network card only being 100mb,, I do have a throughput issues.. but 
that is on the table..


On 12/07/2011 06:03 PM, John Heim wrote:

How much of a resource hog is a PDC? My understanding is that
authentication is done vs a BDC if available. I configured my new file
server as the domain PDC because I figured it would already have to run
samba. I have two other machines configured as BDCs to serve as logon
servers.

I'm looking for opinions on whether I'm asking for performance problems
by making my file server the PDC. Actually, this machine is already
serving as PDC but its not in production yet as a file server. So right
now, its just the domain PDC. When I log into the domain and "echo
%logonserver%", it shows that one of the BDCs was the logon server, not
the PDC. It doesn't look like the PDC has to do anything but handle
joining machines to the domain.










Re: [Samba] PDC & file server on same machine?

2011-12-08 Thread John Heim

From: "Adam Tauno Williams" 

 With Samba3 domain control there isn't really a BDC/PDC distinction.
Every box is a PDC that operates in parallel with the other DCs.  That
is a bit different than a true NT4 domain.



But one machine has to have the master copy of the user/machine database.

From the samba documentation:


* Primary Domain Controller the one that seeds the domain SAM.
* Backup Domain Controller one that obtains a copy of the domain SAM.

On my file server, I have a custom add user script that configures mail,
sets a disk quota, configures the user's profile, and several other things.
That script has to run on the file server or it can't create all the proper
directories, etc. That's why I also made that machine the PDC. It's the only
machine with the ability to update the ldap database. If I made some other
machine the PDC, I'd have to have 2 machines with the ability to update the
ldap database. In my configuration, the BDCs are also slave ldap servers. So
when a user logs into the domain, I *think* it will talk to a BDC which will
query its own copy of the ldap database, and log them on.



But if being the PDC adds significantly to the load of the file server, I
could give up on the idea of having just the one machine with the ability to
update the ldap database. Having only one machine with update abilities is
cleaner but if it doesn't work, it doesn't work.





Re: [Samba] PDC & file server on same machine?

2011-12-08 Thread Adam Tauno Williams
On Thu, 2011-12-08 at 08:36 -0500, Aaron E. wrote:
> I have a s3.4 pdc with a bdc,, pdc is serving around 80 users on 
> terminal services and another 50 fat clients,,, acts as the file 
> server.. roaming profiles etc... I have no issues other than the network 
> card only being 100mb,, I do have a throughput issues.. but that is on 
> the table..

Our "P"DC is a virtual machine.  It serves ~200 desktops and ~300 users.
That includes roaming profiles, netlogin, and some redirected folders
[some folders in the roaming profile are redirected to shares on the
server].  Backend is LDAPSAM.  Load is very low [with current-ish
version of OpenLDAP - slapd used to burn much more juice than it does
now].

Actual file-serving traffic burns up network bandwidth; but CPU and
memory requirements are surprisingly low.



Re: [Samba] PDC & file server on same machine?

2011-12-08 Thread Aaron E.
I have a s3.4 pdc with a bdc,, pdc is serving around 80 users on 
terminal services and another 50 fat clients,,, acts as the file 
server.. roaming profiles etc... I have no issues other than the network 
card only being 100mb,, I do have a throughput issues.. but that is on 
the table..


On 12/07/2011 06:03 PM, John Heim wrote:

How much of a resource hog is a PDC? My understanding is that
authentication is done vs a BDC if available. I configured my new file
server as the domain PDC because I figured it would already have to run
samba. I have two other machines configured as BDCs to serve as logon
servers.

I'm looking for opinions on whether I'm asking for performance problems
by making my file server the PDC. Actually, this machine is already
serving as PDC but its not in production yet as a file server. So right
now, its just the domain PDC. When I log into the domain and "echo
%logonserver%", it shows that one of the BDCs was the logon server, not
the PDC. It doesn't look like the PDC has to do anything but handle
joining machines to the domain.








Re: [Samba] PDC & file server on same machine?

2011-12-08 Thread steve

On 08/12/11 12:15, Adam Tauno Williams wrote:

On Wed, 2011-12-07 at 17:03 -0600, John Heim wrote:

How much of a resource hog is a PDC? My understanding is that authentication
is done vs a BDC if available. I configured my new file server as the domain
PDC because I figured it would already have to run samba. I have two other
machines configured as BDCs to serve as logon servers
I'm looking for opinions on whether I'm asking for performance problems by
making my file server the PDC. Actually, this machine is already serving as
PDC but its not in production yet as a file server. So right now, its just
the domain PDC. When I log into the domain and "echo %logonserver%", it
shows that one of the BDCs was the logon server, not the PDC. It doesn't
look like the PDC has to do anything but handle joining machines to the
domain.


There really isn't an answer for your question.  The load implied by
being a DC depends on the number of clients and how heavily they are
used.  If you have only a hundred or so clients, in my experience, the
load is pretty mild [for modern hardware/networks].

With Samba3 domain control there isn't really a BDC/PDC distinction.
Every box is a PDC that operates in parallel with the other DCs.  That
is a bit different than a true NT4 domain.


Maybe what the OP is asking here is for examples. I realise that for 
security reasons admins may not be allowed to reveal their setup but it 
would be helpful to give some concrete figures of hardware, clients and 
servers that works for us.

Cheers.


Re: [Samba] PDC & file server on same machine?

2011-12-08 Thread Adam Tauno Williams
On Wed, 2011-12-07 at 17:03 -0600, John Heim wrote:
> How much of a resource hog is a PDC? My understanding is that authentication 
> is done vs a BDC if available. I configured my new file server as the domain 
> PDC because I figured it would already have to run samba. I have two other 
> machines configured as BDCs to serve as logon servers
> I'm looking for opinions on whether I'm asking for performance problems by 
> making my file server the PDC. Actually, this machine is already serving as 
> PDC but its not in production yet as a file server. So right now, its just 
> the domain PDC. When I log into the domain and "echo %logonserver%", it 
> shows that one of the BDCs was the logon server, not the PDC. It doesn't 
> look like the PDC has to do anything but handle joining machines to the 
> domain.

There really isn't an answer for your question.  The load implied by
being a DC depends on the number of clients and how heavily they are
used.  If you have only a hundred or so clients, in my experience, the
load is pretty mild [for modern hardware/networks].

With Samba3 domain control there isn't really a BDC/PDC distinction.
Every box is a PDC that operates in parallel with the other DCs.  That
is a bit different than a true NT4 domain.




Re: [Samba] PDC & file server on same machine?

2011-12-08 Thread steve

On 08/12/11 00:03, John Heim wrote:

How much of a resource hog is a PDC? My understanding is that
authentication is done vs a BDC if available. I configured my new file
server as the domain PDC because I figured it would already have to run
samba. I have two other machines configured as BDCs to serve as logon
servers.

I'm looking for opinions on whether I'm asking for performance problems
by making my file server the PDC. Actually, this machine is already
serving as PDC but its not in production yet as a file server. So right
now, its just the domain PDC. When I log into the domain and "echo
%logonserver%", it shows that one of the BDCs was the logon server, not
the PDC. It doesn't look like the PDC has to do anything but handle
joining machines to the domain.




We have to work within a tight budget and can't afford a backup server. 
We serve 600 home folders and logins to 25 clients from the same box. In 
an educational environment we experience slow logons which we think is 
due to everyone logging on at once. Windows 7 logons are particularly 
bad. Looking at top you can see slapd and nmbd throw a fit for a minute 
or so. With files it's OK unless we have a group working with gimp and 
photoshop. Usually it's when everyone is doing the same thing at the 
same time e.g. when a teacher has given an instruction to do something. 
On a normal lan I don't think you'd have these situations.

HTH
Steve.


Re: [Samba] PDC forgot it was part of domain... "official" (ha!) samba hack around to fix...

2011-08-18 Thread Linda Walsh




Michael Wood wrote:



I didn't get the benefit of '*' added to my wbinfo...



I don't understand what you mean by this.
  

Just saw this note by Benedikt Schindler:

  

Of course, as noted earlier, my wbinfo also doesn't seem to know about
builtin SID's either .. so am having to add them...




-------- Original Message --------
Subject: samba 3.6: "autorid" has no domain order
Date:    Fri, 12 Aug 2011 18:23:14 +0200
From:    Benedikt Schindler
To:      samba@lists.samba.org


[snip & noting multiple future snips @ random! ]

I first tried autorid with a config like this:

   winbind enum users = yes
   winbind enum groups = yes

   idmap backend = autorid
   idmap gid = 10-149
   idmap gid = 10-149
   allow trusted domains = yes

... then later

I also read the mail about the new idmapping so i also tried these
configuration:

   winbind enum users = yes
   winbind enum groups = yes
   allow trusted domains = yes

   idmap config A : backend = rid
   idmap config A : range   = 10 - 19
   idmap config A : base_rid= 1000

   idmap config B : backend  = rid
   idmap config B : range= 20 - 29
   idmap config B : base_rid = 1000
-

Then next note he says:
if i use this config:



> winbind enum users = yes
> winbind enum groups = yes
> allow trusted domains = yes
>
>idmap config * : backend = tdb
>idmap config * : range   = 7-9
>
> idmap config A : backend = rid
> idmap config A : range   = 10 - 19
> idmap config A : base_rid= 1000
>
> idmap config B : backend  = rid
> idmap config B : range= 20 - 29
> idmap config B : base_rid = 1000
  
i get following message from a SID of domain A:

server3:~ # wbinfo -S S-1-5-21-1004336348-920026266-682003330-1113
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-1004336348-920026266-682003330-1113 to uid

i change this line

> allow trusted domains = no

server3:~ # wbinfo -S S-1-5-21-1004336348-920026266-682003330-1113
failed to call wbcSidToUid: WBC_ERR_DOMAIN_NOT_FOUND
Could not convert sid S-1-5-21-1004336348-920026266-682003330-1113 to uid

it does not work. i change this line

>idmap config * : backend = rid

server3:~ # wbinfo -S S-1-5-21-1004336348-920026266-682003330-1113
100113

so it "works" ... but "getent passwd" still does not show any user.
so there is still a long way to go.

if i delete all the "idmap config * " parts it won't work again.
  --

But also if it does work i need trusted domain support. the only 
config that realy works right now, is the new "autorid".



A lot of the errors he is describing I saw as well, but I didn't see the
email about the new idmapping that told about '*'... (or that it was needed).

My server thought there were 2 domains due to the case-change problem --
that's why it kept looking for *, which I am guessing is supposed to be some
type of domain locator address.

My DB, since I'd only ever had 1, never had entries set up for 2, but when
the name got changed by NMB -- suddenly there were 2 servers -- and calls
coming in for Domain, were getting refused on "DOMAIN"

That's my best explanation yet, as to what happened...




Re: [Samba] PDC forgot it was part of domain... "official" (ha!) samba hack around to fix...

2011-08-18 Thread Linda Walsh




Michael Wood wrote:

Hi

On 3 August 2011 08:59, Linda Walsh  wrote:
  

Among various problems since I upgraded to 3.6 (none of which got answered
really, -- so I backgraded to 3.5.10 and started debugging from there,
considering 3.6.0 too unstable/too incompatible for 'whatever' reason...

One of the probs I had was 'root' couldn't use "net rpc"  --
kept getting auth failures.



Was this with 3.6.0 or after you downgraded again to 3.5.10?
  

Both .. haven't tried it since my servername started coming back together
(the 'mixed case' v. forced case causing parts of server not to know who it
was or similar -- (along with that param you mentioned).


Wasn't the passwd, -- could reset it via smbpasswd, no prob, and my
normal UID could do an rpc user, but didn't have the auth to the
local files to read them (so got no results back).


Steps...
1) add self to group root
2) in /var/lib/samba and /etc/samba:
find . -gid 0 -print0|xargs -0 chmod g+rw
find . -gid 0 -type d|xargs -0 chmod g+xs



You're missing a -print0 on the second one there, but I assume that's
just a copy/paste error or something.

  

Then I noted that my 'user' could no longer auth either!
Bonus!

turned on -d10 on net rpc cmd,
Noted, it was trying to look up '*' for a pw server,

'*' doesn't resolve so well on my DNS server.



What was the actual log message?  Did you find out where this '*' was
coming from?
  


   It had to do with the trusted domains -- Because part of the server
was now upcasing everything, it thought it was a different 'server' than
the mixed-case' server...so it was looking for a '*' meta server to tell it
where it's old name was...(very sad! ;-))...


It seems to me that finding out why there are no builtin SIDs might
have been a better idea than manually adding them.  But I suppose if
your idmap tdb was suspect then maybe this was indeed the best thing
to do.
  

---
   I am a bit impulsive @ times...but often, I *REALLY* want to get things
working again, on some level, as when things are badly broken,
no email, no files, no videos, no music, no programming, no homedirs
no internet, no art/wall/scan work/design...basically not good;
My Win7WS isn't at all setup to be useful w/o the server running.





/tmp/domsid:
"Administrators" sid="S-1-5-32-544" type=builtin
"Users" sid="S-1-5-32-545" type=builtin
"Domain Controllers" sid="S-1-5-32-516" type=builtin
"Guests" sid="S-1-5-32-546" type=builtin
"Power Users" sid="S-1-5-32-547" type=builtin
"Account Operators" sid="S-1-5-32-552" type=builtin



---
   I don't think the above was entirely the 'right' thing to do, even though
those are documented to be 'well known SIDS in the MS literature -- as
now many of those sids no longer can be added or browsed...


I'm not getting the '*' message any more, -- turning off the trusted-only
and getting my methods resolutions in the right order seems to have
helped, though now I'm getting new messages:


Aug 17 02:12:32 Ishtar winbindd[11885]: [2011/08/17 02:12:32,  0, 
class=winbind] winbindd/winbindd_passdb.c:194(rids_to_names)
Aug 17 02:12:32 Ishtar winbindd[11885]:   Possible deadlock: Trying to 
lookup SID S-1-5-21-3-7-3 with passdb backend
Aug 17 02:12:32 Ishtar winbindd[11885]: [2011/08/17 02:12:32,  0, 
class=winbind] winbindd/winbindd_passdb.c:194(rids_to_names)
Aug 17 02:12:32 Ishtar winbindd[11885]:   Possible deadlock: Trying to 
lookup SID S-1-5-21-3-7-3 with passdb backend
Aug 17 02:12:32 Ishtar smbd[7382]: [2011/08/17 02:12:32,  0, 
class=rpc_srv] rpc_server/srv_netlog_nt.c:475(get_md4pw)
Aug 17 02:12:32 Ishtar smbd[7382]:   get_md4pw: Workstation ASTARTE$: no 
account in domain
Aug 17 02:12:32 Ishtar smbd[7382]: [2011/08/17 02:12:32,  0, 
class=rpc_srv] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
Aug 17 02:12:32 Ishtar smbd[7382]:   _netr_ServerAuthenticate2: failed 
to get machine password for account ASTARTE$: NT_STATUS_ACCESS_DENIED
Aug 17 02:12:32 Ishtar smbd[7382]: [2011/08/17 02:12:32,  0, 
class=rpc_srv] rpc_server/srv_netlog_nt.c:475(get_md4pw)
Aug 17 02:12:32 Ishtar smbd[7382]:   get_md4pw: Workstation ASTARTE$: no 
account in domain
Aug 17 02:12:32 Ishtar smbd[7382]: [2011/08/17 02:12:32,  0, 
class=rpc_srv] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
Aug 17 02:12:32 Ishtar smbd[7382]:   _netr_ServerAuthenticate2: failed 
to get machine password for account ASTARTE$: NT_STATUS_ACCESS_DENIED




These just started after I turned off that param...and some of the cases
got realigned again due to changes in resolution order.  the SID that it is
trying to lookup is the server's SID.  ASTARTE$, of course doesn't exist --
Astarte$ does.

Listed that way in /etc/passwd, and I know linux doesn't ignore case.

So that just means some part of "some"  DB needs to be cleaned up after
being mangled by libsmb's internal set-case code.

Still limping along...but I don't sit here and bang on samba probs, I do
a few things when I get id

Re: [Samba] PDC forgot it was part of domain... "official" (ha!) samba hack around to fix...

2011-08-18 Thread Michael Wood
Hi

On 3 August 2011 08:59, Linda Walsh  wrote:
> Among various problems since I upgraded to 3.6 (none of which got answered
> really, -- so I backgraded to 3.5.10 and started debugging from there,
> considering 3.6.0 too unstable/too incompatible for 'whatever' reason...
>
> One of the probs I had was 'root' couldn't use "net rpc"  --
> kept getting auth failures.

Was this with 3.6.0 or after you downgraded again to 3.5.10?

> Wasn't the passwd, -- could reset it via smbpasswd, no prob, and my
> normal UID could do an rpc user, but didn't have the auth to the
> local files to read them (so got no results back).
>
>
> Steps...
> 1) add self to group root
> 2) in /var/lib/samba and /etc/samba:
> find . -gid 0 -print0|xargs -0 chmod g+rw
> find . -gid 0 -type d|xargs -0 chmod g+xs

You're missing a -print0 on the second one there, but I assume that's
just a copy/paste error or something.

> Then I noted that my 'user' could no longer auth either!
> Bonus!
>
> turned on -d10 on net rpc cmd,
> Noted, it was trying to look up '*' for a pw server,
>
> '*' doesn't resolve so well on my DNS server.

What was the actual log message?  Did you find out where this '*' was
coming from?

> My domain name does, but it was trying to contact '*' for
> a pw server instead of using itself  (this used to work before
> I tried upgrading to 3.6, FWIW)...
>
> Anyway, explicit hackaround:
>
> added:
>    passwd server=localhost
>
> to my smb.conf.
>
> Now the PDC is smart enough to know to look up passwords on
> itself rather than going out and looking for '*', which
> "wbinfo" REALLY didn't like --
>
> lots of "*" not found messages from wbinfo...
>
> Along with the idmap tdb format becoming incompat, (or maybe that's
> the only one involved), apparently during the 'upgrade'[sic],

I'm (obviously) not one of the Samba developers, but it seems unlikely
to me that they would have made the idmap tdb in 3.6 incompatible with
the one in 3.5 unless perhaps there was an automatic upgrade when you
run 3.6.  I haven't read the release notes carefully enough, but I
don't remember something like that being mentioned.  It would be nice
if one of the Samba developers could clarify this, though :)

> I didn't get the benefit of '*' added to my wbinfo...

I don't understand what you mean by this.

> Of course, as noted earlier, my wbinfo also doesn't seem to know about
> builtin SID's either .. so am having to add them...

That's really weird.

> (writing script ...)
>
> ) {
> printf "net groupmap add %s",$_;
> }
> '

It seems to me that finding out why there are no builtin SIDs might
have been a better idea than manually adding them.  But I suppose if
your idmap tdb was suspect then maybe this was indeed the best thing
to do.

> /tmp/domsid:
> "Administrators" sid="S-1-5-32-544" type=builtin
> "Users" sid="S-1-5-32-545" type=builtin
> "Domain Controllers" sid="S-1-5-32-516" type=builtin
> "Guests" sid="S-1-5-32-546" type=builtin
> "Power Users" sid="S-1-5-32-547" type=builtin
> "Account Operators" sid="S-1-5-32-552" type=builtin
> 

Regards,
Michael

-- 
Michael Wood 


Re: [Samba] PDC will create new roaming profiles but fails to load them on subsequent logons

2011-07-20 Thread Frank J . Gómez
Thanks for the suggestion, Sean, but that didn't work for me.  This config
is what finally did it:

[profiles]
admin users = @"domainadmins"
browseable = No
comment = Users profiles
create mask = 0600
csc policy = disable
directory mask = 0700
guest ok = Yes
path = /home/samba/profiles
profile acls = yes
read only = no
writable = yes
valid users = %U

As you can see, I made a few changes to the profiles share, so I'm not sure
which one actually corrected the problem, but I've got a feeling it was the
introduction of the "valid users" directive which finally allowed me to load
the profiles.

Interestingly, the files in the profile are now owned by root instead of by
the user they belong to, but despite having 600 permissions, users on the
Windows side are able to access and edit them.  Any idea why these aren't
owned by the "proper" user?  Any thoughts as to whether or not this might be
a problem later?

Thanks,
-Frank

On Tue, Jul 19, 2011 at 3:37 AM, Sean Crosby wrote:

>
> Remove the "guest ok = Yes" line, and restart samba
>
> Sean
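An added example, not part of the thread: a small linter run over the two `[profiles]` definitions posted in this discussion, reporting the access-related settings that changed between them. Parameter synonyms and defaults follow smb.conf(5); `[global]` settings such as `map to guest` also affect guest access and are outside what this block checks.

```python
"""Lint a single smb.conf share for the settings discussed in this thread."""

TRUE_WORDS = {"yes", "true", "1"}

# smb.conf(5) synonyms, keyed without whitespace: (canonical name, inverted?)
SYNONYMS = {
    "public": ("guestok", False),
    "writable": ("readonly", True),
    "writeable": ("readonly", True),
    "writeok": ("readonly", True),
}

EXPLAIN = {
    "guest-writable": "guest sessions are accepted and the share is writable",
    "no-valid-users": "no 'valid users' list, so access is not limited to named users",
    "admin-users": "'admin users' members perform all file operations as root",
}

# The two [profiles] definitions posted in the thread, copied as given.
BEFORE = """\
[profiles]
   browseable = No
   comment = Users profiles
   create mask = 0600
   directory mask = 0700
   guest ok = Yes
   path = /home/samba/profiles
   profile acls = yes
   writable = yes
"""
AFTER = """\
[profiles]
admin users = @"domainadmins"
browseable = No
comment = Users profiles
create mask = 0600
csc policy = disable
directory mask = 0700
guest ok = Yes
path = /home/samba/profiles
profile acls = yes
read only = no
writable = yes
valid users = %U
"""


def norm(name):
    """Parameter names ignore case and whitespace: 'Guest OK' == 'guestok'."""
    return "".join(name.split()).lower()


def parse_share(conf_text, share):
    """Return the parameters of one share, with synonyms folded together."""
    params, in_share = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            in_share = line[1:-1].strip().lower() == share.lower()
            continue
        if not in_share or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name, value = norm(name), value.strip()
        if name in SYNONYMS:
            name, inverted = SYNONYMS[name]
            if inverted:
                value = "no" if value.lower() in TRUE_WORDS else "yes"
        params[name] = value  # a later line overrides an earlier one
    return params


def is_true(params, name, default):
    value = params.get(name)
    return default if value is None else value.lower() in TRUE_WORDS


def lint_share(params):
    """Return finding codes (keys of EXPLAIN) for one parsed share."""
    findings = []
    guest = is_true(params, "guestok", False)          # default: guest ok = no
    writable = not is_true(params, "readonly", True)   # default: read only = yes
    if guest and writable:
        findings.append("guest-writable")
    if not params.get("validusers"):
        findings.append("no-valid-users")
    if params.get("adminusers"):
        findings.append("admin-users")
    return findings


if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        for code in lint_share(parse_share(conf, "profiles")):
            print(f"{label}: {code}: {EXPLAIN[code]}")
```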


Re: [Samba] PDC will create new roaming profiles but fails to load them on subsequent logons

2011-07-19 Thread Sean Crosby
> [profiles]
>browseable = No
>comment = Users profiles
>create mask = 0600
>directory mask = 0700
>guest ok = Yes
>path = /home/samba/profiles
>profile acls = yes
>writable = yes
>
>
Remove the "guest ok = Yes" line, and restart samba

Sean


Re: [Samba] PDC will create new roaming profiles but fails to load them on subsequent logons

2011-07-18 Thread Frank J . Gómez
Thanks for the response, Berni.  There's no DNS in this setup.  Clients are
able to access user homes and run logon scripts, and as you can see I'm
using the %N variable for both.  I'd guess that if server name resolution
were an issue, loading the home shares and logon scripts would fail as well.

I'm open to the idea of being wrong, though. :-)  How would I verify proper
resolution in this context?

Thanks much,
-Frank

On Mon, Jul 18, 2011 at 11:20 AM, Berni Elbourn
wrote:

> On 15/07/11 19:33, Frank J. Gómez wrote:
>
>>  logon home = \\%N\%U
>>  logon path = \\%N\profiles\%U
>>
>
> Perhaps check the server name here. Does your Dns or wins resolve it?  A
> sledge hammer would be to use an lmhost entry on the PCs.
>
> Berni
>


Re: [Samba] PDC will create new roaming profiles but fails to load them on subsequent logons

2011-07-18 Thread Berni Elbourn

On 15/07/11 19:33, Frank J. Gómez wrote:

  logon home = \\%N\%U
  logon path = \\%N\profiles\%U


Perhaps check the server name here. Does your Dns or wins resolve it?  A 
sledge hammer would be to use an lmhost entry on the PCs.


Berni


Re: [Samba] PDC + BDC + Roaming Profiles

2011-07-14 Thread J. Echter

On 14.07.2011 16:09, John Drescher wrote:

Whats the best method to keep the profiles in sync? Or should i use another
FileServer for the profiles?


I have always done that. There are no file shares on my PDC or BDCs.

John

i'm thinking about using DRBD to have the files sync. i know i can't 
access them from both machines at the same time, but i would be up and 
running faster than setting up a new box.


not a good idea?


Re: [Samba] PDC + BDC + Roaming Profiles

2011-07-14 Thread John Drescher
> Whats the best method to keep the profiles in sync? Or should i use another
> FileServer for the profiles?
>

I have always done that. There are no file shares on my PDC or BDCs.

John


Re: [Samba] PDC + BDC + Roaming Profiles

2011-07-14 Thread Gaiseric Vandal

On 07/14/2011 03:53 AM, J. Echter wrote:

Hi,

i have a LDAP Master / Slave setup, but my roaming profiles are lying 
on the PDC.


Whats the best method to keep the profiles in sync? Or should i use 
another FileServer for the profiles?


what do i have to check in smb.conf for having profiles on a different 
machine? do i also need to move the netlogon dir?


cheers

juergen



Caveat - I don't currently use roaming profiles.  I believe however 
that a user will only have one network directory for his or her roaming 
profile.  Roaming profiles will sync between the user's current PC and 
the server, but not server-to-server.


According to man pdbedit you can set the profile for each user.

Profile Path:   \\BERSERKER\profile

Man page for smb.conf shows

logon path = \\PROFILESERVER\PROFILE\%U


I am guessing that the "per user" setting overrides the server default 
if you did not want all the roaming profiles on a single server.  You 
may not want profiles on your PDC if you want to minimize network 
traffic or disk usage.


Each DC must have a netlogon directory.  The member servers do not. 
You do need to make sure the login scripts are the same on each DC.



Re: [Samba] "PDC with LDAP-Samba 3.3. Now i want to install BDC"

2011-07-12 Thread Gaiseric Vandal

This should be in the documentation on samba.org.

In general:

You need an LDAP backend for samba.   Probably should have an LDAP 
backend for unix accounts as well.


The smb.conf file should be similar to the PDC's

# this is a DC
domain logons = yes
# but not the PDC
preferred master = no


Set the SID's to match the domain SID

net get domainsid
net setdomainsid S-1-5-21---
net setlocalsid S-1-5-21---


Join the domain

 net rpc join -S PDC -W MYDOMAIN   -U Administrator

start samba

On 07/12/2011 12:46 PM, Muqtadir Kamal wrote:

I have already a linux PDC with LDAP-Samba 3.3. Now i want to install BDC
which will work if my PDC goes down.
Please help me out.

Thanks
kamal




Re: [Samba] PDC/wins on multiple networks

2011-03-24 Thread Daniel Müller
Hi,
You have a (Samba) domain server and it is your WINS?
You just have to have an entry in your Win XP clients' wins-server:
YourSambaWinsServer. Enable NetBIOS over TCP.
That is all. No: remote announce = 192.168.5.255/WORKGROUP 
192.168.7.255/WORKGROUP
This is working for me with 3 subnets.

On Thu, 24 Mar 2011 13:25:41 -0700 (PDT), Gala Dragos
 wrote:
> Hi to everyone on the mailing list.
> 
> I have two networks at home, apart from the internet. One is the wired 
> network, LAN, and the other is the wireless network, WLAN. They need to 
> be separated, not bridged, because of hardware issues.
> 
> I am trying to set up inter-networking browsing on these networks: PCs on
> LAN should see and browse PCs on WLAN and vice versa.
> 
> After reading the manual I have enabled wins server master and wins proxy
> in samba configuration. However I can only see the PCs from the other
> network, but I cannot browse them; Windows returns an error like
> "network path could not be found".
> 
> The samba server runs on my router box, together with the firewall
> (managed through shorewall) and dnsmasq for dhcp/dns.
> 
> 
> Below is my global smb.conf part.
> 
> [global]
>     server string = Samba Server
>     interfaces = eth1, lo, wlan0
>     bind interfaces only = Yes
>     security = SHARE
>     log file = /var/log/samba/%m.log
>     max log size = 50
>     announce as = NT Workstation
>     os level = 99
>     lm interval = 10
>     preferred master = Yes
>     domain master = Yes
>     wins proxy = Yes
>     wins support = Yes
>     remote announce = 192.168.5.255/WORKGROUP 192.168.7.255/WORKGROUP
>     create mask = 0666
>     case sensitive = No
>     preserve case = No
>     short preserve case = No
>     hide special files = Yes
>     map hidden = Yes
>     store dos attributes = Yes
> Thanks.
>  
> 
> --
> 
> 
> .  Microsoft broke the Volkswagen world record: Volkswagen only made 22
> million bugs!
> 
> 
> .  It is time for us to stand and cheer for the doer, the achiever, the
> one who recognizes the challenge and does something about it.
> -Vince Lombardi
> 
> 
> .  Everybody can learn how to make kids, but not everyone can raise them
> right!

Re: [Samba] PDC and BDC... what about de shared folders??

2011-03-13 Thread Bayardo Rivas - Open Soluciones

On 13/03/2011 06:14 a.m., Daniel Müller wrote:

On Fri, 11 Mar 2011 11:05:59 -0600, Bayardo Rivas - Open Soluciones
Hi,
with a bdc you will only have authentication, nothing else.
You have to have the same shares on both pdc and bdc and have them sync
in realtime (drbd master/master or something cluster)
to keep the data for the users up.
My experiences in production PDC/LDAP BDC/LDAP are that if you do not have
a replicating wins on both, it could be that when the pdc (or bdc) fails
a couple of users can login; the others (who were logged on to the pc) need
to rejoin the machine to the domain. Samba4wins will do that job.

Good Luck
Daniel


Thank you Daniel,

I have a little experience with Samba + LDAP so, any reading that you 
suggest would be great. I will post questions on the way while I work on 
configuration.


Sorry for my English.

Bayardo.

Re: [Samba] PDC and BDC... what about de shared folders??

2011-03-13 Thread Daniel Müller
On Fri, 11 Mar 2011 11:05:59 -0600, Bayardo Rivas - Open Soluciones
Hi,
with a bdc you will only have authentication, nothing else.
You have to have the same shares on both pdc and bdc and have them sync
in realtime (drbd master/master or something cluster)
to keep the data for the users up.
My experiences in production PDC/LDAP BDC/LDAP are that if you do not have
a replicating wins on both, it could be that when the pdc (or bdc) fails
a couple of users can login; the others (who were logged on to the pc) need
to rejoin the machine to the domain. Samba4wins will do that job.

Good Luck
Daniel


 wrote:
> Hi,
> 
> I am new in the mailing list. I am trying to figure out my
> configuration. I have a Samba server authenticating with /etc/passwd. We
> are planning to move to LDAP and install a BDC server. The information I
> found googling is always related to BDC as a backup for authentication
> but, I am not clear about the files stored in shared folders.
>
> I am reading (everybody recommends it) this book and the number 5 specific
> chapter
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html
>
> As said, I am not sure how to give access to the shared folders (stored
> in PDC) when it fails, because I suppose that users will authenticate
> with the BDC server, and what about the shared folders?? Do I have to
> sync these folders and add in the configuration of BDC the shared
> folders??
> 
> Thanks for your help.
> 
> Bayardo.


Re: [Samba] PDC and BDC... what about de shared folders??

2011-03-11 Thread Mike Brady

Quoting Bayardo Rivas - Open Soluciones :


Hi,

I am new in the mailing list. I am trying to figure out my
configuration. I have a Samba server authenticating with
/etc/passwd. We are planning to move to LDAP and install a BDC
server. The information I found googling is always related to BDC as a
backup for authentication but, I am not clear about the files stored in
shared folders.


I am reading (everybody recommends it) this book and the number 5
specific chapter
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html


As said, I am not sure how to give access to the shared folders
(stored in PDC) when it fails, because I suppose that users will
authenticate with the BDC server, and what about the shared
folders?? Do I have to sync these folders and add in the configuration
of BDC the shared folders??

Thanks for your help.

Bayardo.




Yes you will have to sync the folders and add them to the BDC  
configuration when they are needed.  I also suggest having a look at  
using a netbios alias and/or DFS to make the failover easier on your
users.






Re: [Samba] PDC and BDC... what about de shared folders??

2011-03-11 Thread John Drescher
On Fri, Mar 11, 2011 at 2:08 PM, Bayardo Rivas - Open Soluciones
 wrote:
> Hi,
>
> I am new in the mailing list. I am trying to figure out my configuration. I
> have a Samba server authenticating with /etc/passwd. We are planning to move
> to LDAP and install a BDC server. The information I
> found googling is always related to BDC as a backup for authentication but,
> I am not clear about the files stored in shared folders.
>
> I am reading (everybody recommends it) this book and the number 5 specific
> chapter
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/samba-bdc.html
>
> As said, I am not sure how to give access to the shared folders (stored in
> PDC) when it fails, because I suppose that users will authenticate with the
> BDC server, and what about the shared folders?? Do I have to
> sync these folders and add in the configuration of BDC the shared folders??
>

On my work network, I put no shares on the PDC or BDC but on other
member servers. My PDC and BDC actually are very small and I have
migrated them both to virtual machines as guests.

John


Re: [Samba] PDC broke after upgrade

2011-01-17 Thread Mat Enders
On Mon, Jan 17, 2011 at 9:05 AM,  wrote:

> Thanks Helmut I will check the time stamps later. I was using smbpasswd and
> that is what is called for in my smb.conf file.
> Sent on the Sprint® Now Network from my BlackBerry®
>
> -Original Message-
> From: "Helmut Hullen" 
> Sender: samba-boun...@lists.samba.org
> Date: 17 Jan 2011 14:56:00
> To: 
> Reply-To: hel...@hullen.de
> Subject: Re: [Samba] PDC broke after upgrade
>
> Hello, Mat,
>
> You wrote on 17.01.11:
>
> >>> Samba 3.5.6 uses "tdbsam", earlier versions have used "smbpasswd";
> >>> you should look which file ("smbpasswd" or "passdb.tdb") your old
> >>> version has used.
> >>> For converting you can use "pdbedit".
>
> >>   Danke, I will check this I am sure that is the problem as
> >>   I was
> >> using smbpasswd.  Will pdbedit convert my smbpasswd file to tdbsam?
>
>
>
> If your distribution puts "smbpasswd" into "/etc/samba/private":
>
>
> pdbedit -i smbpasswd:/etc/samba/private/smbpasswd -e tdbsam:/etc/samba/private/passdb.tdb
>
>
> It's a very good idea to first look into the directory and look at the
> timestamps of source and target file ... the pdbedit command overwrites
> existing files.
>
> >  Or did the upgrade convert smbpasswd to  tdbsam and all I
> > need to do is change my smb.conf?
>
> I can't see what has happened.
> Which timestamp has your "smbpasswd", which timestamp has your
> "passdb.tdb"?
>
> Or do you use LDAP? Then perhaps your system wants to use the LDAP crap
> as password backend.
>
> You can define your special backend in the "[global]" part of your
> "smb.conf".
>
> Best regards!
> Helmut
>

All seems to be working correctly now except I have to rejoin all of the
machines to the domain but that happens anytime I upgrade.

Also it seems that my users no longer have their roaming profiles.

Here is a copy of my smb.conf

[global]
smb passwd file = /etc/samba/passdb.tdb
enable privileges = yes
logon drive = H:
domain master = yes
encrypt passwords = true
logon home = \\%L\%U
netbios name = ARDVARC
server string = Gaudior's PDC
logon script = logon.bat
local master = yes
workgroup = GAUACA
logon path = \\%L\%U\profile
os level = 99
security = user
add machine script = /usr/sbin/useradd -s /bin/false \-d /dev/null %u
preferred master = yes
domain logons = yes
hide files = /desktop.ini/
guest account = nobody
map to guest = bad user
wins support = yes

[staff]
comment = staff share drive
path = /home/staff/share
read only = no
;valid users =

[student]
comment = student share by level
path = /home/stdnt/share
read only = no

[netlogon]
comment = Net Logon Service
path = /home/netlogon
read only = yes
write list = root
;public = yes
guest ok = yes
browsable = no

[homes]
comment = Home
valid users = %S
read only = no
browsable = no


-- 
Mathew E. Enders


Re: [Samba] PDC broke after upgrade

2011-01-17 Thread mat . enders
Thanks Helmut I will check the time stamps later. I was using smbpasswd and 
that is what is called for in my smb.conf file. 
Sent on the Sprint® Now Network from my BlackBerry®

-Original Message-
From: "Helmut Hullen" 
Sender: samba-boun...@lists.samba.org
Date: 17 Jan 2011 14:56:00 
To: 
Reply-To: hel...@hullen.de
Subject: Re: [Samba] PDC broke after upgrade

Hello, Mat,

You wrote on 17.01.11:

>>> Samba 3.5.6 uses "tdbsam", earlier versions have used "smbpasswd";
>>> you should look which file ("smbpasswd" or "passdb.tdb") your old
>>> version has used.
>>> For converting you can use "pdbedit".

>>   Danke, I will check this I am sure that is the problem as
>>   I was
>> using smbpasswd.  Will pdbedit convert my smbpasswd file to tdbsam?



If your distribution puts "smbpasswd" into "/etc/samba/private":


pdbedit -i smbpasswd:/etc/samba/private/smbpasswd -e tdbsam:/etc/samba/private/passdb.tdb


It's a very good idea to first look into the directory and look at the  
timestamps of source and target file ... the pdbedit command overwrites  
existing files.

>  Or did the upgrade convert smbpasswd to  tdbsam and all I
> need to do is change my smb.conf?

I can't see what has happened.
Which timestamp has your "smbpasswd", which timestamp has your  
"passdb.tdb"?

Or do you use LDAP? Then perhaps your system wants to use the LDAP crap  
as password backend.

You can define your special backend in the "[global]" part of your  
"smb.conf".

Best regards!
Helmut


Re: [Samba] PDC broke after upgrade

2011-01-17 Thread Helmut Hullen
Hello, Mat,

You wrote on 17.01.11:

>>> Samba 3.5.6 uses "tdbsam", earlier versions have used "smbpasswd";
>>> you should look which file ("smbpasswd" or "passdb.tdb") your old
>>> version has used.
>>> For converting you can use "pdbedit".

>>   Danke, I will check this I am sure that is the problem as
>>   I was
>> using smbpasswd.  Will pdbedit convert my smbpasswd file to tdbsam?



If your distribution puts "smbpasswd" into "/etc/samba/private":


pdbedit -i smbpasswd:/etc/samba/private/smbpasswd -e tdbsam:/etc/samba/private/passdb.tdb


It's a very good idea to first look into the directory and look at the  
timestamps of source and target file ... the pdbedit command overwrites  
existing files.

>  Or did the upgrade convert smbpasswd to  tdbsam and all I
> need to do is change my smb.conf?

I can't see what has happened.
Which timestamp has your "smbpasswd", which timestamp has your  
"passdb.tdb"?

Or do you use LDAP? Then perhaps your system wants to use the LDAP crap  
as password backend.

You can define your special backend in the "[global]" part of your  
"smb.conf".

Best regards!
Helmut
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
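
Added example (not part of any post in this thread and not Samba project code): a shell wrapper for the timestamp check recommended in the message above. It refuses to run the pdbedit conversion when passdb.tdb is newer than smbpasswd and backs up an older target before it is replaced. The function names, the state labels and the PDBEDIT override variable are assumptions of this example; only the pdbedit -i/-e invocation and the two paths come from the thread.

```shell
#!/bin/sh
# Added example: guard the smbpasswd -> tdbsam conversion discussed in the thread.
# Function names, state labels and the PDBEDIT variable are assumptions of this
# example; only the pdbedit -i/-e invocation itself comes from the thread.

# conversion_state SRC DST
# Prints one of: no-source, target-missing, target-older, target-newer.
conversion_state() {
    if [ ! -s "$1" ]; then
        echo no-source                  # nothing to import from
    elif [ ! -e "$2" ]; then
        echo target-missing             # first conversion, nothing to lose
    elif [ -n "$(find "$2" -newer "$1")" ]; then
        echo target-newer               # passdb.tdb was modified after smbpasswd
    else
        echo target-older
    fi
}

# convert_smbpasswd SRC DST
# Returns 1 (no source), 2 (target newer, refused), 3 (backup failed),
# otherwise the exit status of pdbedit.
convert_smbpasswd() {
    case $(conversion_state "$1" "$2") in
        no-source)
            echo "refusing: $1 is missing or empty" >&2
            return 1 ;;
        target-newer)
            # A newer target may already hold accounts written after the upgrade.
            echo "refusing: $2 is newer than $1; compare both before converting" >&2
            return 2 ;;
        target-older)
            # Keep the old database, with its mode and timestamps, before replacing it.
            cp -p "$2" "$2.bak.$(date +%Y%m%d%H%M%S)" || return 3 ;;
    esac
    "${PDBEDIT:-pdbedit}" -i "smbpasswd:$1" -e "tdbsam:$2"
}

# Usage with the paths named in the thread:
#   convert_smbpasswd /etc/samba/private/smbpasswd /etc/samba/private/passdb.tdb
```

The backup copy contains password hashes, so it needs the same restrictive permissions as passdb.tdb itself; cp -p keeps the mode of the original.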


Re: [Samba] PDC broke after upgrade

2011-01-17 Thread Mat Enders
On Mon, Jan 17, 2011 at 5:15 AM, Mat Enders  wrote:

>
>
> On Mon, Jan 17, 2011 at 2:24 AM, Helmut Hullen  wrote:
>
>> Hello, Mat,
>>
>> You wrote on 16.01.11:
>>
>> > I upgraded from Debian Lenny (Samba 3.2.5) to Squeeze (Samba 3.5.6)
>> > and now my PDC does not work.
>>
>> > In the past when upgrading from one release to another all of the
>> > machine trust accounts no longer worked but I was able to just rejoin
>> > then to the domain.  Now however the join fails with unknown user and
>> > bad password.  I have always used root and roots password what am I
>> > missing?  What changed between these 2 releases?
>>
>> What tells
>>
>>testparm -s 2>/dev/null | grep passdb
>>testparm -sv 2>/dev/null | grep passdb
>>
>> The first line tells what is defined in the "smb.conf", the second tells
>> all pre-defined options too.
>>
>> Samba 3.5.6 uses "tdbsam", earlier versions have used "smbpasswd"; you
>> should look which file ("smbpasswd" or "passdb.tdb") your old version
>> has used.
>> For converting you can use "pdbedit".
>>
>> Best regards!
>> Helmut
>> --
>>
>
>  Helmut,
>
>   Danke, I will check this I am sure that is the problem as I was
> using smbpasswd.  Will pdbedit convert my smbpasswd file to tdbsam?
>
> --
> Mathew E. Enders
>

Helmut,

 Or did the upgrade convert smbpasswd to  tdbsam and all I need to
do is change my smb.conf?

-- 
Mathew E. Enders


Re: [Samba] PDC broke after upgrade

2011-01-16 Thread Helmut Hullen
Hello, Mat,

You wrote on 16.01.11:

> I upgraded from Debian Lenny (Samba 3.2.5) to Squeeze (Samba 3.5.6)
> and now my PDC does not work.

> In the past when upgrading from one release to another all of the
> machine trust accounts no longer worked but I was able to just rejoin
> then to the domain.  Now however the join fails with unknown user and
> bad password.  I have always used root and roots password what am I
> missing?  What changed between these 2 releases?

What tells

testparm -s 2>/dev/null | grep passdb
testparm -sv 2>/dev/null | grep passdb

The first line tells what is defined in the "smb.conf", the second tells  
all pre-defined options too.

Samba 3.5.6 uses "tdbsam", earlier versions have used "smbpasswd"; you  
should look which file ("smbpasswd" or "passdb.tdb") your old version  
has used.
For converting you can use "pdbedit".

Best regards!
Helmut


Re: [Samba] PDC (CentOS 5.5, Samba 3.5.6): no domain group names sent to Windows 2003 members

2010-12-12 Thread Konstantin Boyandin
Hello Denis,

Switching (in fact, downgrading a bit) to SerNet and/or other distros
will be the last resort.

So far, Samba 3.5.6 domain works quite reliably, but certain behaviour
patterns like the mentioned 'groups forgetting' are quite annoying.

I'd be glad to hear about how to handle this on permanent basis;
periodic Samba service restarts are but the temporary solution.

I will put SerNet Samba packages to test on a 'sandbox domain', but
downgrading is always undesirable path.

Thanks.
Sincerely,
Konstantin

13.12.2010 12:14, Denis Fateyev wrote:
> Hello,
> 
> Have you tried the build from SerNet?
> 
> ---
> wbr, Denis.
> 
> 
> On Mon, Dec 13, 2010 at 11:43 AM, Konstantin Boyandin
> <temmo...@gmail.com> wrote:
> 
> Hello,
> 
> After setting up Samba 3.5.6 on CentOS 5.5 (built from sources) I have
> noticed a strange problem.
> 
> Windows 2003 servers participating in this Samba domain do not receive
> domain groups list when I, say, try to assign security credentials for a
> file/folder. When I choose domain as source, search reveals only
> technical group names and individual domain users names. No domain group
> names at all.
> 
> 


Re: [Samba] PDC (CentOS 5.5, Samba 3.5.6): no domain group names sent to Windows 2003 members

2010-12-12 Thread Denis Fateyev
Hello,

Have you tried the build from SerNet?

---
wbr, Denis.


On Mon, Dec 13, 2010 at 11:43 AM, Konstantin Boyandin wrote:

> Hello,
>
> After setting up Samba 3.5.6 on CentOS 5.5 (built from sources) I have
> noticed a strange problem.
>
> Windows 2003 servers participating in this Samba domain do not receive
> domain groups list when I, say, try to assign security credentials for a
> file/folder. When I choose domain as source, search reveals only
> technical group names and individual domain users names. No domain group
> names at all.
>


Re: [Samba] PDC Migration

2010-08-04 Thread Leonardo Carneiro
On Wed, Aug 4, 2010 at 9:42 AM, yudi shiddiq  wrote:
> Hi all,
>
> I need help,
>
> This time I want to migrate samba PDC (backend ldap) to a new machine; the new
> machine used a different samba version but the configuration file is the same.
>
> I have made the new samba pdc successfully, but I failed to migrate all accounts
> from the old machine to the new machine. I have done these steps to migrate
> acc (users and workstation):
>
> - copy folder /var/lib/ldap
> - import use command "slapadd -c -l slapcat.ldif"
> - import use command "ldapadd -x -D "cn=Manager,dc=domain,dc=com" -W -f
> /home/my.ldif"
> but it still fails, because when I use command getent passwd it shows nothing.
>
> Installed software,
> Old machine :
> - samba-3.0.20b-3.3
> - openldap2-2.2.27-6
> New Machine :
> - samba-3.4.3-10.1
> - openldap2-2.4.12
>
> Thx,
> Yudi
>
>
>
>

Think you need to read the change log to fix your possibly broken
smb.conf. There have been some changes from 3.0 to 3.4 that you need
to apply on your smb.conf in order to get things working.

Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

2010-05-28 Thread GG
Hello!
So in the end LDAP has been converted with the provided conversion
script and is not a problem anymore.

For reference, we said we needed net getlocalsid but I found that also
smbpasswd -X DomainName or -S DomainName outputs the domainsid :-)
(for some reason I have no net command albeit having smbclient
installed)

Now migrating samba is a big issue to me.

So samba authenticates on /etc/samba/smbpasswd and not on LDAP as I thought...

The admin creates a LDAP user, then via webmin converts users from
unix to samba and then ssh changes smbpasswd UserName.

Silly, isn't it?

But smbpasswd database receives converted account from ldap, not unix
as /etc/passwd does not have a newly added user, it mainly keeps
computeraccounts$ with $ at the end.

So we migrated the whole thing to a 3.5.3 telling it to use a switch
for compatibility with old smbpasswd file.

It did work as \\server\shares but not quite for domain logon for non
cached passwords...
I believe nmb had not been stopped... anyway

We went for a new virtual machine with the ancient Suse 8.2 with same
rpm -qa| samba ldap  versions and copied /etc/samba and /etc/openldap
/etc/passwd+shadow and /var/lib/ldap. Should I also have taken
/var/lib/samba???

Computers do not logon but can be added to the domain and nblookup
resolves the DomainName to the DC...

Had to revert to the old physical server...

What else should I consider?

After migrating the old services to a new server (the old one is on
its final months...) I would like to change the authentication to LDAP
backend directly, is this possible or does it need smbpasswd?

Cheers,
Giorgio

On Sun, Apr 11, 2010 at 11:54 AM, Vladimir Psenicka
 wrote:
> I found this document to upgrade from samba 2 schema to 3:
> http://samba.org/samba/docs/man/Samba-HOWTO-Collection/upgrading-to-3.0.html,
> search "New Schema". Script is in /usr/share/doc/samba-doc/examples/LDAP/
> on Ubuntu.
>
> On Sat, 10 Apr 2010 21:32:19 +0200, Giorgio Gallo 
> wrote:
>> Hi Vladimir!
>>
>> Ok for changing into sambaSamAccount but what about the sambaSID?
>> It appears to be required!
>>
>> Cheers,
>> Giorgio
>>
>> -Original Message-
>> From: Vladimir Psenicka 
>> Sent: Saturday, 10 April 2010 18.40
>> To: GG 
>> Cc: samba@lists.samba.org
>> Subject: Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to
>> latest versions on ubuntu 8.04
>>
>> Hi GG
>>
>> 1. no delete, change objectClass:sambaAccount to
>> objectClass:sambaSamAccount in ldif, sambaAccount is deprecated
>> 2. uncomment lines with rid in samba.schema in HISTORICAL if you want to
>> preserve rid attribute, else delete it (don't see rid in our ldif)
>> 3. make all dn:uid=uid attribute
>>
>> And after this try to import ldif ...
>>
>>
>> On Fri, 9 Apr 2010 17:43:45 +0200, GG  wrote:
>>> Hello,
>>>
>>> I would delete sambaAccount but all users also use samba to logon to
>>> windows machines, wouldn't this prevent them from entering the domain
>>> etc?
>>>
>>>> dn: *uid=Christian Sanvi*,dc=Sistemi
>>>> *uid: csanvi*
>>>
>>> - I see what you mean. correct uid is csanvi: shall I make all dn:
>>> uid=*uid later defined*,dc,dc,dc?
>>>
>>> - I imported user correctly with no sambaAccount but what are the
>>> consequences for usage with samba?
>>>
>>> - sambaSID = should I put here the domain SID?
>>> http://www.aput.net/~jheiss/samba/ldap.shtml (seems he )
>>> sambaLMPassword = this should be like on LDAP any info?
>>> sambaNTPassword = this should be like on LDAP any info?
>>> sambaAcctFlags =
>>> sambaDomain = this should be like domain-name??
>>>
>>> The thing is I have to import LDAP and also make samba work after.
>>>
>>> - Is it possible to just import all LDAP without sambaAccount or
>>> sambaSamAccount and then add samba and domain part?
>>>
>>> Ldap is just the back end, what then needs to work is samba and domain
>>> PDC etc..
>>>
>>> Giorgio
>>>
>>>
>>>
>>> On 4/9/10, Vladimir Psenicka  wrote:
>>>> Hi.
>>>>
>>>> Can you change *objectClass: sambaAccount* to *objectClass:
>>>> sambaSamAccount* in whole ldif, but object class 'sambaSamAccount'
>>>> requires attribute 'sambaSID' and maybe other samba* attributes. Or
>>>> delete objectClass: sambaAccount from this dn when no samba* attribute
>>>> is specified in this dn. I can't see objectClass: sambaAccount in our
>>>> Samba 3.0 samba.schema
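
Added example (not from any poster and not Samba's own conversion script): a shell/awk check, to run before slapadd, for the three LDIF problems named in this thread: a dn whose uid= value differs from the entry's uid attribute, the deprecated sambaAccount objectClass, and sambaSamAccount without sambaSID. The function names, the issue labels and the sample entries (example.com names, the SID value) are constructed for illustration.

```shell
#!/bin/sh
# Added example: lint an LDIF export for the problems discussed in the thread.
# All names and values below are constructed; nothing is taken from a real directory.

# write_sample_ldif FILE: three constructed entries, the last one folded and clean.
write_sample_ldif() {
    cat > "$1" <<'EOF'
dn: uid=Jane Doe,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaAccount
uid: jdoe
cn: Jane Doe
sn: Doe

dn: uid=asmith,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: sambaSamAccount
uid: asmith
cn: A Smith
sn: Smith

dn: uid=bjones,ou=People,
 dc=example,dc=com
objectClass: inetOrgPerson
objectClass: sambaSamAccount
uid: bjones
cn: B Jones
sn: Jones
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3000
EOF
}

# lint_ldif FILE: prints "issue<TAB>dn" for every finding, nothing for clean entries.
lint_ldif() {
    awk '
    function handle(line,    p, attr, val) {
        p = index(line, ":")
        if (p == 0 || line ~ /^#/) return
        attr = tolower(substr(line, 1, p - 1))
        val = substr(line, p + 1)
        sub(/^:?[ ]*/, "", val)              # base64 ("::") values are not decoded
        if (attr == "dn") {
            dn = val
            rdn = val; sub(/,.*/, "", rdn)   # first RDN; escaped commas not handled
            if (tolower(rdn) ~ /^uid=/) rdn_uid = tolower(substr(rdn, 5))
        } else if (attr == "uid") {
            uids[tolower(val)] = 1
        } else if (attr == "objectclass") {
            val = tolower(val)
            if (val == "sambaaccount") old = 1
            if (val == "sambasamaccount") sam = 1
        } else if (attr == "sambasid") {
            sid = 1
        }
    }
    function end_entry() {
        if (pending != "") { handle(pending); pending = "" }
        if (dn != "") {
            if (rdn_uid != "" && !(rdn_uid in uids)) print "dn-uid-mismatch\t" dn
            if (old) print "deprecated-sambaAccount\t" dn
            if (sam && !sid) print "missing-sambaSID\t" dn
        }
        dn = ""; rdn_uid = ""; old = 0; sam = 0; sid = 0
        split("", uids)                      # portable way to empty the array
    }
    /^$/ { end_entry(); next }                           # blank line ends an entry
    /^ / { pending = pending substr($0, 2); next }       # folded continuation line
         { if (pending != "") handle(pending); pending = $0 }
    END  { end_entry() }
    ' "$1"
}
```

An export such as slapcat output contains userPassword and Samba hash attributes, so the file being linted deserves the same file permissions as the directory database.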

Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

2010-04-12 Thread Giorgio Gallo
Hi Vladimir!

Ok for changing into sambaSamAccount but what about the sambaSID?
It appears to be required!

Cheers,
Giorgio

-Original Message-
From: Vladimir Psenicka 
Sent: Saturday, 10 April 2010 18.40
To: GG 
Cc: samba@lists.samba.org
Subject: Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest 
versions on ubuntu 8.04

Hi GG

1. no delete, change objectClass:sambaAccount to
objectClass:sambaSamAccount in ldif, sambaAccount is deprecated
2. uncomment lines with rid in samba.schema in HISTORICAL if you want to
preserve rid attribute, else delete it (don't see rid in our ldif)
3. make all dn:uid=uid attribute

And after this try to import ldif ...


On Fri, 9 Apr 2010 17:43:45 +0200, GG  wrote:
> Hello,
> 
> I would delete sambaAccount but all users also use samba to logon to
> windows machines, wouldn't this prevent them from entering the domain
> etc?
> 
>> dn: *uid=Christian Sanvi*,dc=Sistemi
>> *uid: csanvi*
> 
> - I see what you mean. correct uid is csanvi: shall I make all dn:
> uid=*uid later defined*,dc,dc,dc?
> 
> - I imported user correctly with no sambaAccount but what are the
> consequences for usage with samba?
> 
> - sambaSID = should I put here the domain SID?
> http://www.aput.net/~jheiss/samba/ldap.shtml (seems he )
> sambaLMPassword = this should be like on LDAP any info?
> sambaNTPassword = this should be like on LDAP any info?
> sambaAcctFlags =
> sambaDomain = this should be like domain-name??
> 
> The thing is I have to import LDAP and also make samba work after.
> 
> - Is it possible to just import all LDAP without sambaAccount or
> sambaSamAccount and then add samba and domain part?
> 
> Ldap is just the back end, what then needs to work is samba and domain
> PDC etc..
> 
> Giorgio
> 
> 
> 
> On 4/9/10, Vladimir Psenicka  wrote:
>> Hi.
>>
>> Can you change *objectClass: sambaAccount* to *objectClass:
>> sambaSamAccount* in whole ldif, but object class 'sambaSamAccount'
>> requires attribute 'sambaSID' and maybe other samba* attributes. Or
>> delete objectClass: sambaAccount from this dn when no samba* attribute
>> is specified in this dn. I can't see objectClass: sambaAccount in our
>> Samba 3.0 samba.schema.
>>
>> You can tune your old attributes (rid) in samba.schema: see HISTORICAL
>>
>>
>> Next your uid in dn must exactly be same as attribute uid
>>
>>
>> dn: *uid=Christian Sanvi*,dc=Sistemi
>> Informativi,dc=People,dc=GG-s-Domain,dc=it
>> structuralObjectClass: inetOrgPerson
>> entryUUID: e969a5fc-584e-1027-9dc7-fa88d05ed16f
>> creatorsName: cn=Manager,dc=GG-s-Domain,dc=it
>> createTimestamp: 20030801093311Z
>> objectClass: inetOrgPerson
>> objectClass: person
>> objectClass: posixAccount
>> objectClass: shadowAccount
>> mail: christian.sa...@gg-s-domain.it
>> mailHost: mail.GG-s-Domain.it
>> mailMessageStore: /var/qmail/maildirs/GG-s-Domain.it/christian.sanvi
>> *uid: Christian Sanvi*
>> cn: csanvi
>> sn: sanvi
>> shadowMax: 9
>> shadowWarning: 7
>> loginShell: /bin/bash
>> uidNumber: 1000
>> gidNumber: 100
>> homeDirectory: /home/christian
>> gecos: Christian Sanvi,,,
>> entryCSN: 2008042908:48:24Z#0x0002#0#
>> modifiersName: cn=Manager,dc=GG-s-Domain,dc=it
>> modifyTimestamp: 20080429084824Z
>> userPassword:: e2NyeXB0fVc4Tmx0ck9pZDZhd3M=
>> shadowLastChange: 14695
>>
>>
>> This dn imported me fine (delete qmail and samba objectclass and rid
>> attribute).
>>
>>
>> On 9.4.2010 12:40, GG wrote:
>> > Hello!
>> >
>> > So I added openldap.schema and qmail.schema, deleted /var/lib/ldap/*
>> > and slapadd the ldif; I still get the same errors though!
>> >
>> > Being on the first line it seems as if dn: uid=,dc=,dc=,dc= is not ok
>> > for the new version, because it imports groups correctly  dn:
>> > dc=,dc=,dc=
>> >
>> > Ideas?
>> >
>> > Cheers,
>> > Giorgio
>> >
>> > On 4/8/10, Vladimir Psenicka  wrote:
>> >> You have in gg-edited.ldif (first error on line 52):
>> >>
>> >> dn: uid=name surname,dc=Sistemi
>> >> Informativi,dc=People,dc=GG-s-Domain,dc=it
>> >> structuralObjectClass: inetOrgPerson
>> >> entryUUID: e969a5fc-584e-1027-9dc7-fa88d05ed16f
>> >> creatorsName: cn=Manager,dc=GG-s-Domain,dc=it
>> >> createTimestamp: 20030801093311Z
>> >> objectClass: inetOrgPerson
>> >> objectClass: person
>> >> objectCl

Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

2010-04-11 Thread Vladimir Psenicka
I found this document to upgrade from samba 2 schema to 3:
http://samba.org/samba/docs/man/Samba-HOWTO-Collection/upgrading-to-3.0.html,
search "New Schema". Script is in /usr/share/doc/samba-doc/examples/LDAP/
on Ubuntu.

On Sat, 10 Apr 2010 21:32:19 +0200, Giorgio Gallo 
wrote:
> Hi Vladimir!
> 
> Ok for changing into sambaSamAccount but what about the sambaSID?
> It appears to be required!
> 
> Cheers,
> Giorgio
> 
> -Original Message-
> From: Vladimir Psenicka 
> Sent: Saturday, 10 April 2010 18.40
> To: GG 
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to
> latest versions on ubuntu 8.04
> 
> Hi GG
> 
> 1. no delete, change objectClass:sambaAccount to
> objectClass:sambaSamAccount in ldif, sambaAccount is deprecated
> 2. uncomment lines with rid in samba.schema in HISTORICAL if you want to
> preserve rid attribute, else delete it (don't see rid in our ldif)
> 3. make all dn:uid=uid attribute
> 
> And after this try to import ldif ...
> 
> 
> On Fri, 9 Apr 2010 17:43:45 +0200, GG  wrote:
>> Hello,
>> 
>> I would delete sambaAccount but all users also use samba to logon to
>> windows machines, wouldn't this prevent them from entering the domain
>> etc?
>> 
>>> dn: *uid=Christian Sanvi*,dc=Sistemi
>>> *uid: csanvi*
>> 
>> - I see what you mean. correct uid is csanvi: shall I make all dn:
>> uid=*uid later defined*,dc,dc,dc?
>> 
>> - I imported user correctly with no sambaAccount but what are the
>> consequences for usage with samba?
>> 
>> - sambaSID = should I put here the domain SID?
>> http://www.aput.net/~jheiss/samba/ldap.shtml (seems he )
>> sambaLMPassword = this should be like on LDAP any info?
>> sambaNTPassword = this should be like on LDAP any info?
>> sambaAcctFlags =
>> sambaDomain = this should be like domain-name??
>> 
>> The thing is I have to import LDAP and also make samba work after.
>> 
>> - Is it possible to just import all LDAP without sambaAccount or
>> sambaSamAccount and then add samba and domain part?
>> 
>> Ldap is just the back end, what then needs to work is samba and domain PDC
>> etc..
>> 
>> Giorgio
>> 
>> 
>> 
>> On 4/9/10, Vladimir Psenicka  wrote:
>>> Hi.
>>>
>>> Can you change *objectClass: sambaAccount* to *objectClass:
>>> sambaSamAccount* in whole ldif, but object class 'sambaSamAccount'
>>> requires attribute 'sambaSID' and maybe other samba* attributes. Or
>>> delete objectClass: sambaAccount from this dn when no samba* attribute
>>> is specified in this dn. I can't see objectClass: sambaAccount in our
>>> Samba 3.0 samba.schema.
>>>
>>> You can tune your old attributes (rid) in samba.schema: see HISTORICAL
>>>
>>>
>>> Next your uid in dn must exactly be same as attribute uid
>>>
>>>
>>> dn: *uid=Christian Sanvi*,dc=Sistemi
>>> Informativi,dc=People,dc=GG-s-Domain,dc=it
>>> structuralObjectClass: inetOrgPerson
>>> entryUUID: e969a5fc-584e-1027-9dc7-fa88d05ed16f
>>> creatorsName: cn=Manager,dc=GG-s-Domain,dc=it
>>> createTimestamp: 20030801093311Z
>>> objectClass: inetOrgPerson
>>> objectClass: person
>>> objectClass: posixAccount
>>> objectClass: shadowAccount
>>> mail: christian.sa...@gg-s-domain.it
>>> mailHost: mail.GG-s-Domain.it
>>> mailMessageStore: /var/qmail/maildirs/GG-s-Domain.it/christian.sanvi
>>> *uid: Christian Sanvi*
>>> cn: csanvi
>>> sn: sanvi
>>> shadowMax: 9
>>> shadowWarning: 7
>>> loginShell: /bin/bash
>>> uidNumber: 1000
>>> gidNumber: 100
>>> homeDirectory: /home/christian
>>> gecos: Christian Sanvi,,,
>>> entryCSN: 2008042908:48:24Z#0x0002#0#
>>> modifiersName: cn=Manager,dc=GG-s-Domain,dc=it
>>> modifyTimestamp: 20080429084824Z
>>> userPassword:: e2NyeXB0fVc4Tmx0ck9pZDZhd3M=
>>> shadowLastChange: 14695
>>>
>>>
>>> This dn imported me fine (delete qmail and samba objectclass and rid
>>> attribute).
>>>
>>>
>>> On 9.4.2010 12:40, GG wrote:
>>> > Hello!
>>> >
>>> > So I added openldap.schema and qmail.schema, deleted /var/lib/ldap/*
>>> > and slapadd the ldif; I still get the same errors though!
>>> >
>>> > Being on the first line it seems as if dn: uid=,dc=,dc=,dc= is not ok
>>> > for the new version, b

Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

2010-04-10 Thread GG
Hello!

Actually I have no sambaSID.

A question: if I started off by having an ldap server and I then
wanted to add samba (so now I'd import ldif with no references to
samba), would there be a way of synchronizing from ldap to samba?

Cheers,
Gio

On 4/10/10, Vladimir Psenicka  wrote:
>
> sambaSID is a unique ID for every user in the domain and must be present when
> you use objectclass: sambaSamAccount. Does sambaSID exist in the user
> attributes in your ldif?
>
> On Sat, 10 Apr 2010 18:40:38 +0200, Vladimir Psenicka
>  wrote:
>> Hi GG
>>
>> 1. no delete, change objectClass:sambaAccount to
>> objectClass:sambaSamAccount in ldif, sambaAccount is deprecated
>> 2. uncomment lines with rid in samba.schema in HISTORICAL if you want to
>> preserve rid attribute, else delete it (don't see rid in our ldif)
>> 3. make all dn:uid=uid attribute
>>
>> And after this try to import ldif ...
>>
>>
>> On Fri, 9 Apr 2010 17:43:45 +0200, GG  wrote:
>>> Hello,
>>>
>>> I would delete sambaAccount but all users also use samba to logon to
>>> windows machines, wouldn't this prevent them from entering the domain
>>> etc?
>>>
>>>> dn: *uid=Christian Sanvi*,dc=Sistemi
>>>> *uid: csanvi*
>>>
>>> - I see what you mean. correct uid is csanvi: shall I make all dn:
>>> uid=*uid later defined*,dc,dc,dc?
>>>
>>> - I imported user correctly with no sambaAccount but what are the
>>> consequences for usage with samba?
>>>
>>> - sambaSID = should I put here the domain SID?
>>> http://www.aput.net/~jheiss/samba/ldap.shtml (seems he )
>>> sambaLMPassword = this should be like on LDAP any info?
>>> sambaNTPassword = this should be like on LDAP any info?
>>> sambaAcctFlags =
>>> sambaDomain = this should be like domain-name??
>>>
>>> The thing is I have to import LDAP and also make samba work after.
>>>
>>> - Is it possible to just import all LDAP without sambaAccount or
>>> sambaSamAccount and then add samba and domain part?
>>>
>>> Ldap is just the back end, what then needs to work is samba and domain PDC
>>> etc..
>>>
>>> Giorgio
>>>
>>>
>>>
>>> On 4/9/10, Vladimir Psenicka  wrote:
>>>> Hi.
>>>>
>>>> Can you change *objectClass: sambaAccount* to *objectClass:
>>>> sambaSamAccount* in whole ldif, but object class 'sambaSamAccount'
>>>> requires attribute 'sambaSID' and maybe other samba* attributes. Or
>>>> delete objectClass: sambaAccount from this dn when no samba* attribute
>>>> is specified in this dn. I can't see objectClass: sambaAccount in our
>>>> Samba 3.0 samba.schema.
>>>>
>>>> You can tune your old attributes (rid) in samba.schema: see HISTORICAL
>>>>
>>>>
>>>> Next your uid in dn must exactly be same as attribute uid
>>>>
>>>>
>>>> dn: *uid=Christian Sanvi*,dc=Sistemi
>>>> Informativi,dc=People,dc=GG-s-Domain,dc=it
>>>> structuralObjectClass: inetOrgPerson
>>>> entryUUID: e969a5fc-584e-1027-9dc7-fa88d05ed16f
>>>> creatorsName: cn=Manager,dc=GG-s-Domain,dc=it
>>>> createTimestamp: 20030801093311Z
>>>> objectClass: inetOrgPerson
>>>> objectClass: person
>>>> objectClass: posixAccount
>>>> objectClass: shadowAccount
>>>> mail: christian.sa...@gg-s-domain.it
>>>> mailHost: mail.GG-s-Domain.it
>>>> mailMessageStore: /var/qmail/maildirs/GG-s-Domain.it/christian.sanvi
>>>> *uid: Christian Sanvi*
>>>> cn: csanvi
>>>> sn: sanvi
>>>> shadowMax: 9
>>>> shadowWarning: 7
>>>> loginShell: /bin/bash
>>>> uidNumber: 1000
>>>> gidNumber: 100
>>>> homeDirectory: /home/christian
>>>> gecos: Christian Sanvi,,,
>>>> entryCSN: 2008042908:48:24Z#0x0002#0#
>>>> modifiersName: cn=Manager,dc=GG-s-Domain,dc=it
>>>> modifyTimestamp: 20080429084824Z
>>>> userPassword:: e2NyeXB0fVc4Tmx0ck9pZDZhd3M=
>>>> shadowLastChange: 14695
>>>>
>>>>
>>>> This dn imported me fine (delete qmail and samba objectclass and rid
>>>> attribute).
>>>>
>>>>
>>>> On 9.4.2010 12:40, GG wrote:
>>>> > Hello!
>>>> >
>>>> > So I added openldap.schema and qmail.schema, deleted /var/lib/ldap/*
>>>> > and slapadd the ldif; I still get the same errors though!
>>>> >
>>>> > Being on the first line it seems as if dn: uid=,dc=,dc=,dc= is not ok
>>>> > for the new version, because it imports groups correctly  dn:
>>>> > dc=,dc=,dc=
>>>> >
>>>> > Ideas?
>>>> >
>>>> > Cheers,
>>>> > Giorgio
>>>> >
>>>> > On 4/8/10, Vladimir Psenicka  wrote:
>>>> >> You have in gg-edited.ldif (first error on line 52):
>>>> >>
>>>> >> dn: uid=name surname,dc=Sistemi
>>>> >> Informativi,dc=People,dc=GG-s-Domain,dc=it
>>>> >> structuralObjectClass: inetOrgPerson
>>>> >> entryUUID: e969a5fc-584e-1027-9dc7-fa88d05ed16f
>>>> >> creatorsName: cn=Manager,dc=GG-s-Domain,dc=it
>>>> >> createTimestamp: 20030801093311Z
>>>> >> objectClass: inetOrgPerson
>>>> >> objectClass: person
>>>> >> objectClass: sambaAccount
>>>> >> objectClass: qmailUser
>>>> >> objectClass: posixAccount
>>>> >> objectClass: shadowAccount
>>>> >>
>>>> >> Do you have all appropriate schemas in your slapd.conf and in
>>>> >> /etc/ldap/schema/ on your new server? You should have all schemas in
>>>> >> new
>>>> >> slapd.conf as you had in slapd.conf o

Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

2010-04-10 Thread Vladimir Psenicka

sambaSID is a unique ID for every user in the domain and must be present when
you use objectclass: sambaSamAccount. Does sambaSID exist in the user
attributes in your ldif?

On Sat, 10 Apr 2010 18:40:38 +0200, Vladimir Psenicka
 wrote:
> Hi GG
> 
> 1. no delete, change objectClass:sambaAccount to
> objectClass:sambaSamAccount in ldif, sambaAccount is deprecated
> 2. uncomment lines with rid in samba.schema in HISTORICAL if you want to
> preserve rid attribute, else delete it (don't see rid in our ldif)
> 3. make all dn:uid=uid attribute
> 
> And after this try to import ldif ...
> 
> 
> On Fri, 9 Apr 2010 17:43:45 +0200, GG  wrote:
>> Hello,
>> 
>> I would delete sambaAccount but all users also use samba to logon to
>> windows machines, wouldn't this prevent them from entering the domain
>> etc?
>> 
>>> dn: *uid=Christian Sanvi*,dc=Sistemi
>>> *uid: csanvi*
>> 
>> - I see what you mean. correct uid is csanvi: shall I make all dn:
>> uid=*uid later defined*,dc,dc,dc?
>> 
>> - I imported user correctly with no sambaAccount but what are the
>> consequences for usage with samba?
>> 
>> - sambaSID = should I put here the domain SID?
>> http://www.aput.net/~jheiss/samba/ldap.shtml (seems he )
>> sambaLMPassword = this should be like on LDAP any info?
>> sambaNTPassword = this should be like on LDAP any info?
>> sambaAcctFlags =
>> sambaDomain = this should be like domain-name??
>> 
>> The thing is I have to import LDAP and also make samba work after.
>> 
>> - Is it possible to just import all LDAP without sambaAccount or
>> sambaSamAccount and then add samba and domain part?
>> 
>> Ldap is just the back end, what then needs to work is samba and domain PDC
>> etc..
>> 
>> Giorgio
>> 
>> 
>> 
>> On 4/9/10, Vladimir Psenicka  wrote:
>>> Hi.
>>>
>>> Can you change *objectClass: sambaAccount* to *objectClass:
>>> sambaSamAccount* in whole ldif, but object class 'sambaSamAccount'
>>> requires attribute 'sambaSID' and maybe other samba* attributes. Or
>>> delete objectClass: sambaAccount from this dn when no samba* attribute
>>> is specified in this dn. I can't see objectClass: sambaAccount in our
>>> Samba 3.0 samba.schema.
>>>
>>> You can tune your old attributes (rid) in samba.schema: see HISTORICAL
>>>
>>>
>>> Next your uid in dn must exactly be same as attribute uid
>>>
>>>
>>> dn: *uid=Christian Sanvi*,dc=Sistemi
>>> Informativi,dc=People,dc=GG-s-Domain,dc=it
>>> structuralObjectClass: inetOrgPerson
>>> entryUUID: e969a5fc-584e-1027-9dc7-fa88d05ed16f
>>> creatorsName: cn=Manager,dc=GG-s-Domain,dc=it
>>> createTimestamp: 20030801093311Z
>>> objectClass: inetOrgPerson
>>> objectClass: person
>>> objectClass: posixAccount
>>> objectClass: shadowAccount
>>> mail: christian.sa...@gg-s-domain.it
>>> mailHost: mail.GG-s-Domain.it
>>> mailMessageStore: /var/qmail/maildirs/GG-s-Domain.it/christian.sanvi
>>> *uid: Christian Sanvi*
>>> cn: csanvi
>>> sn: sanvi
>>> shadowMax: 9
>>> shadowWarning: 7
>>> loginShell: /bin/bash
>>> uidNumber: 1000
>>> gidNumber: 100
>>> homeDirectory: /home/christian
>>> gecos: Christian Sanvi,,,
>>> entryCSN: 2008042908:48:24Z#0x0002#0#
>>> modifiersName: cn=Manager,dc=GG-s-Domain,dc=it
>>> modifyTimestamp: 20080429084824Z
>>> userPassword:: e2NyeXB0fVc4Tmx0ck9pZDZhd3M=
>>> shadowLastChange: 14695
>>>
>>>
>>> This dn imported me fine (delete qmail and samba objectclass and rid
>>> attribute).
>>>
>>>
>>> On 9.4.2010 12:40, GG wrote:
>>> > Hello!
>>> >
>>> > So I added openldap.schema and qmail.schema, deleted /var/lib/ldap/*
>>> > and slapadd the ldif; I still get the same errors though!
>>> >
>>> > Being on the first line it seems as if dn: uid=,dc=,dc=,dc= is not ok
>>> > for the new version, because it imports groups correctly  dn:
>>> > dc=,dc=,dc=
>>> >
>>> > Ideas?
>>> >
>>> > Cheers,
>>> > Giorgio
>>> >
>>> > On 4/8/10, Vladimir Psenicka  wrote:
>>> >> You have in gg-edited.ldif (first error on line 52):
>>> >>
>>> >> dn: uid=name surname,dc=Sistemi
>>> >> Informativi,dc=People,dc=GG-s-Domain,dc=it
>>> >> structuralObjectClass: inetOrgPerson
>>> >> entryUUID: e969a5fc-584e-1027-9dc7-fa88d05ed16f
>>> >> creatorsName: cn=Manager,dc=GG-s-Domain,dc=it
>>> >> createTimestamp: 20030801093311Z
>>> >> objectClass: inetOrgPerson
>>> >> objectClass: person
>>> >> objectClass: sambaAccount
>>> >> objectClass: qmailUser
>>> >> objectClass: posixAccount
>>> >> objectClass: shadowAccount
>>> >>
>>> >> Do you have all appropriate schemas in your slapd.conf and in
>>> >> /etc/ldap/schema/ on your new server? You should have all schemas in
>>> >> new
>>> >> slapd.conf as you had in slapd.conf on old server...qmail schema
>>> >> etc...
>>> >>
>>> >> On 8.4.2010 11:44, GG wrote:
>>> >>> Hello Vladimir and NG,
>>> >>>
>>> >>> I added samba.schema and removed the "" and it imported ldif without
>>> >>> saying anything about groups now :-)
>>> >>>
>>> >>> There are some warnings I am attaching.
>>> >>>

Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

2010-04-10 Thread Vladimir Psenicka
Hi GG

1. no delete, change objectClass:sambaAccount to
objectClass:sambaSamAccount in ldif, sambaAccount is deprecated
2. uncomment lines with rid in samba.schema in HISTORICAL if you want to
preserve rid attribute, else delete it (don't see rid in our ldif)
3. make all dn:uid=uid attribute

And after this try to import ldif ...


On Fri, 9 Apr 2010 17:43:45 +0200, GG  wrote:
> Hello,
> 
> I would delete sambaAccount but all users also use samba to logon to
> windows machines, wouldn't this prevent them from entering the domain
> etc?
> 
>> dn: *uid=Christian Sanvi*,dc=Sistemi
>> *uid: csanvi*
> 
> - I see what you mean. correct uid is csanvi: shall I make all dn:
> uid=*uid later defined*,dc,dc,dc?
> 
> - I imported user correctly with no sambaAccount but what are the
> consequences for usage with samba?
> 
> - sambaSID = should I put here the domain SID?
> http://www.aput.net/~jheiss/samba/ldap.shtml (seems he )
> sambaLMPassword = this should be like on LDAP any info?
> sambaNTPassword = this should be like on LDAP any info?
> sambaAcctFlags =
> sambaDomain = this should be like domain-name??
> 
> The thing is I have to import LDAP and also make samba work after.
> 
> - Is it possible to just import all LDAP without sambaAccount or
> sambaSamAccount and then add samba and domain part?
> 
> Ldap is just the back end, what then needs to work is samba and domain PDC
> etc..
> 
> Giorgio
> 
> 
> 
> On 4/9/10, Vladimir Psenicka  wrote:
>> Hi.
>>
>> Can you change *objectClass: sambaAccount* to *objectClass:
>> sambaSamAccount* in whole ldif, but object class 'sambaSamAccount'
>> requires attribute 'sambaSID' and maybe other samba* attributes. Or
>> delete objectClass: sambaAccount from this dn when no samba* attribute
>> is specified in this dn. I can't see objectClass: sambaAccount in our
>> Samba 3.0 samba.schema.
>>
>> You can tune your old attributes (rid) in samba.schema: see HISTORICAL
>>
>>
>> Next your uid in dn must exactly be same as attribute uid
>>
>>
>> dn: *uid=Christian Sanvi*,dc=Sistemi
>> Informativi,dc=People,dc=GG-s-Domain,dc=it
>> structuralObjectClass: inetOrgPerson
>> entryUUID: e969a5fc-584e-1027-9dc7-fa88d05ed16f
>> creatorsName: cn=Manager,dc=GG-s-Domain,dc=it
>> createTimestamp: 20030801093311Z
>> objectClass: inetOrgPerson
>> objectClass: person
>> objectClass: posixAccount
>> objectClass: shadowAccount
>> mail: christian.sa...@gg-s-domain.it
>> mailHost: mail.GG-s-Domain.it
>> mailMessageStore: /var/qmail/maildirs/GG-s-Domain.it/christian.sanvi
>> *uid: Christian Sanvi*
>> cn: csanvi
>> sn: sanvi
>> shadowMax: 9
>> shadowWarning: 7
>> loginShell: /bin/bash
>> uidNumber: 1000
>> gidNumber: 100
>> homeDirectory: /home/christian
>> gecos: Christian Sanvi,,,
>> entryCSN: 2008042908:48:24Z#0x0002#0#
>> modifiersName: cn=Manager,dc=GG-s-Domain,dc=it
>> modifyTimestamp: 20080429084824Z
>> userPassword:: e2NyeXB0fVc4Tmx0ck9pZDZhd3M=
>> shadowLastChange: 14695
>>
>>
>> This dn imported me fine (delete qmail and samba objectclass and rid
>> attribute).
>>
>>
>> On 9.4.2010 12:40, GG wrote:
>> > Hello!
>> >
>> > So I added openldap.schema and qmail.schema, deleted /var/lib/ldap/*
>> > and slapadd the ldif; I still get the same errors though!
>> >
>> > Being on the first line it seems as if dn: uid=,dc=,dc=,dc= is not ok
>> > for the new version, because it imports groups correctly  dn:
>> > dc=,dc=,dc=
>> >
>> > Ideas?
>> >
>> > Cheers,
>> > Giorgio
>> >
>> > On 4/8/10, Vladimir Psenicka  wrote:
>> >> You have in gg-edited.ldif (first error on line 52):
>> >>
>> >> dn: uid=name surname,dc=Sistemi
>> >> Informativi,dc=People,dc=GG-s-Domain,dc=it
>> >> structuralObjectClass: inetOrgPerson
>> >> entryUUID: e969a5fc-584e-1027-9dc7-fa88d05ed16f
>> >> creatorsName: cn=Manager,dc=GG-s-Domain,dc=it
>> >> createTimestamp: 20030801093311Z
>> >> objectClass: inetOrgPerson
>> >> objectClass: person
>> >> objectClass: sambaAccount
>> >> objectClass: qmailUser
>> >> objectClass: posixAccount
>> >> objectClass: shadowAccount
>> >>
>> >> Do you have all appropriate schemas in your slapd.conf and in
>> >> /etc/ldap/schema/ on your new server? You should have all schemas in
>> >> new
>> >> slapd.conf as you had in slapd.conf on old server...qmail schema
>> >> etc...
>> >>
>> >> On 8.4.2010 11:44, GG wrote:
>> >>> Hello Vladimir and NG,
>> >>>
>> >>> I added samba.schema and removed the "" and it imported ldif without
>> >>> saying anything about groups now :-)
>> >>>
>> >>> There are some warnings I am attaching.
>> >>>
>> >>> It moans about
>> >>> str2entry: invalid value for attributeType objectClass #3 (syntax
>> >>> 1.3.6.1.4.1.1466.115.121.1.38)
>> >>> slapadd: could not parse entry (line=11937)
>> >>> and if I look at the ldif I find this
>> >>> dn: uid=someuid,dc=Filiali,dc=People,dc=domain,dc=it
>> >>>
>> >>> and other error
>> >>> slapadd: could not parse entry (line=6)
>> >>> <= str2entry: str2ad(mailHost): attribute type undefined
>> >>> this is the line in ldfi...
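
A pre-import check for the LDIF problems worked through in this thread (naming attribute missing from the entry, quoted ou:/dc: values, object classes with no schema loaded, sambaAccount without sambaSID), as an added example that is not code from any poster or from the Samba project. The sample LDIF, the loaded-class list and the domain SID are constructed placeholders, and deriving sambaSID as domain SID plus the old rid assumes the RID is being preserved.

```python
import base64
import re

# Constructed sample modelled on the entries quoted in this thread (not real data).
SAMPLE_LDIF = """\
dn: dc=People,dc=example,dc=it
objectClass: dcObject
objectClass: organizationalUnit
ou: "People"
dc: "People"

dn: uid=Name Surname,dc=Sistemi Informativi,dc=Peo
 ple,dc=example,dc=it
objectClass: inetOrgPerson
objectClass: sambaAccount
objectClass: qmailUser
objectClass: posixAccount
uid: nsurname
cn: nsurname
rid: 3000
mailHost: mail.example.it

dn: uid=jdoe,dc=People,dc=example,dc=it
objectClass: inetOrgPerson
objectClass: sambaSamAccount
uid: jdoe
cn: jdoe
"""

# Assumption: object classes defined by the schemas included in the new slapd.conf.
LOADED_CLASSES = {"dcobject", "organizationalunit", "inetorgperson", "person",
                  "posixaccount", "shadowaccount", "sambasamaccount"}
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed placeholder

LINE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9;.-]*):(:?) *(.*)$")


def parse_ldif(text):
    """Return [(line_no, dn, attrs)]; attrs maps lowercased name -> list of values."""
    logical = []                                    # unfolded (line_no, text) pairs
    for no, raw in enumerate(text.splitlines(), 1):
        if raw.startswith(" ") and logical and logical[-1][1]:
            # LDIF folding: a leading space continues the previous line.
            logical[-1] = (logical[-1][0], logical[-1][1] + raw[1:])
        elif not raw.startswith("#"):
            logical.append((no, raw))
    entries, current = [], None
    for no, line in logical + [(0, "")]:            # sentinel blank closes last entry
        if not line:
            if current:
                entries.append(current)
            current = None
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        name, b64, value = m.group(1).lower(), m.group(2), m.group(3)
        if b64:                                     # "attr:: <base64 value>"
            value = base64.b64decode(value).decode("utf-8", "replace")
        if name == "dn" and current is None:
            current = (no, value, {})
        elif current:
            current[2].setdefault(name, []).append(value)
    return entries


def check_entry(dn, attrs, loaded_classes, domain_sid):
    """Return a list of (code, detail) findings for one entry."""
    findings = []
    # The first RDN (e.g. uid=csanvi) must also appear as an attribute value;
    # otherwise slapadd reports "(64) value of naming attribute ... is not present".
    rdn_attr, _, rdn_val = re.split(r"(?<!\\),", dn, maxsplit=1)[0].partition("=")
    rdn_attr = rdn_attr.strip().lower()
    if rdn_val.strip().lower() not in [v.lower() for v in attrs.get(rdn_attr, [])]:
        findings.append(("RDN_VALUE_NOT_IN_ENTRY", rdn_attr))
    # Literal quotes are part of the value, so dc: "People" != dc=People.
    for name, vals in attrs.items():
        if any(len(v) > 1 and v[0] == v[-1] == '"' for v in vals):
            findings.append(("QUOTED_VALUE", name))
    classes = [c.lower() for c in attrs.get("objectclass", [])]
    for c in classes:
        if c != "sambaaccount" and c not in loaded_classes:
            findings.append(("UNKNOWN_OBJECTCLASS", c))   # schema not included
    if "sambaaccount" in classes:
        rid = attrs.get("rid", [""])[0]
        sid = f"{domain_sid}-{rid}" if rid.isdigit() else "no-rid"
        findings.append(("DEPRECATED_SAMBAACCOUNT", sid))  # proposed sambaSID
    if "sambasamaccount" in classes and "sambasid" not in attrs:
        findings.append(("SAMBASAMACCOUNT_WITHOUT_SAMBASID", "sambasid"))
    return findings


def lint(text, loaded_classes=LOADED_CLASSES, domain_sid=DOMAIN_SID):
    """Return [(line_no, dn, findings)] for every entry in the LDIF text."""
    return [(no, dn, check_entry(dn, attrs, loaded_classes, domain_sid))
            for no, dn, attrs in parse_ldif(text)]


if __name__ == "__main__":
    for no, dn, findings in lint(SAMPLE_LDIF):
        for code, detail in findings:
            print(f"line {no}: {dn}: {code} ({detail})")
```

Run it on the slapcat output before slapadd; an entry with no findings is returned with an empty list.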

Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

2010-04-09 Thread GG
Hello,

I would delete sambaAccount but all users also use samba to logon to
windows machines, wouldn't this prevent them from entering the domain
etc?

> dn: *uid=Christian Sanvi*,dc=Sistemi
> *uid: csanvi*

- I see what you mean. correct uid is csanvi: shall I make all dn:
uid=*uid later defined*,dc,dc,dc?

- I imported user correctly with no sambaAccount but what are the
consequences for usage with samba?

- sambaSID = should I put here the domain SID?
http://www.aput.net/~jheiss/samba/ldap.shtml (seems he )
sambaLMPassword = this should be like on LDAP any info?
sambaNTPassword = this should be like on LDAP any info?
sambaAcctFlags =
sambaDomain = this should be like domain-name??

The thing is I have to import LDAP and also make samba work after.

- Is it possible to just import all LDAP without sambaAccount or
sambaSamAccount and then add samba and domain part?

Ldap is just the back end, what then needs to work is samba and domain PDC etc..

Giorgio



On 4/9/10, Vladimir Psenicka  wrote:
> Hi.
>
> Can you change *objectClass: sambaAccount* to *objectClass:
> sambaSamAccount* in whole ldif, but object class 'sambaSamAccount'
> requires attribute 'sambaSID' and maybe other samba* attributes. Or
> delete objectClass: sambaAccount from this dn when no samba* attribute
> is specified in this dn. I can't see objectClass: sambaAccount in our
> Samba 3.0 samba.schema.
>
> You can tune your old attributes (rid) in samba.schema: see HISTORICAL
>
>
> Next your uid in dn must exactly be same as attribute uid
>
>
> dn: *uid=Christian Sanvi*,dc=Sistemi
> Informativi,dc=People,dc=GG-s-Domain,dc=it
> structuralObjectClass: inetOrgPerson
> entryUUID: e969a5fc-584e-1027-9dc7-fa88d05ed16f
> creatorsName: cn=Manager,dc=GG-s-Domain,dc=it
> createTimestamp: 20030801093311Z
> objectClass: inetOrgPerson
> objectClass: person
> objectClass: posixAccount
> objectClass: shadowAccount
> mail: christian.sa...@gg-s-domain.it
> mailHost: mail.GG-s-Domain.it
> mailMessageStore: /var/qmail/maildirs/GG-s-Domain.it/christian.sanvi
> *uid: Christian Sanvi*
> cn: csanvi
> sn: sanvi
> shadowMax: 9
> shadowWarning: 7
> loginShell: /bin/bash
> uidNumber: 1000
> gidNumber: 100
> homeDirectory: /home/christian
> gecos: Christian Sanvi,,,
> entryCSN: 2008042908:48:24Z#0x0002#0#
> modifiersName: cn=Manager,dc=GG-s-Domain,dc=it
> modifyTimestamp: 20080429084824Z
> userPassword:: e2NyeXB0fVc4Tmx0ck9pZDZhd3M=
> shadowLastChange: 14695
>
>
> This dn imported me fine (delete qmail and samba objectclass and rid
> attribute).
>
>
> On 9.4.2010 12:40, GG wrote:
> > Hello!
> >
> > So I added openldap.schema and qmail.schema, deleted /var/lib/ldap/*
> > and slapadd the ldif; I still get the same errors though!
> >
> > Being on the first line it seems as if dn: uid=,dc=,dc=,dc= is not ok
> > for the new version, because it imports groups correctly  dn:
> > dc=,dc=,dc=
> >
> > Ideas?
> >
> > Cheers,
> > Giorgio
> >
> > On 4/8/10, Vladimir Psenicka  wrote:
> >> You have in gg-edited.ldif (first error on line 52):
> >>
> >> dn: uid=name surname,dc=Sistemi
> >> Informativi,dc=People,dc=GG-s-Domain,dc=it
> >> structuralObjectClass: inetOrgPerson
> >> entryUUID: e969a5fc-584e-1027-9dc7-fa88d05ed16f
> >> creatorsName: cn=Manager,dc=GG-s-Domain,dc=it
> >> createTimestamp: 20030801093311Z
> >> objectClass: inetOrgPerson
> >> objectClass: person
> >> objectClass: sambaAccount
> >> objectClass: qmailUser
> >> objectClass: posixAccount
> >> objectClass: shadowAccount
> >>
> >> Do you have all appropriate schemas in your slapd.conf and in
> >> /etc/ldap/schema/ on your new server? You should have all schemas in new
> >> slapd.conf as you had in slapd.conf on old server...qmail schema etc...
> >>
> >> On 8.4.2010 11:44, GG wrote:
> >>> Hello Vladimir and NG,
> >>>
> >>> I added samba.schema and removed the "" and it imported ldif without
> >>> saying anything about groups now :-)
> >>>
> >>> There are some warnings I am attaching.
> >>>
> >>> It moans about
> >>> str2entry: invalid value for attributeType objectClass #3 (syntax
> >>> 1.3.6.1.4.1.1466.115.121.1.38)
> >>> slapadd: could not parse entry (line=11937)
> >>> and if I look at the ldif I find this
> >>> dn: uid=someuid,dc=Filiali,dc=People,dc=domain,dc=it
> >>>
> >>> and other error
> >>> slapadd: could not parse entry (line=6)
> >>> <= str2entry: str2ad(mailHost): attribute type undefined
> >>> this is the line in ldfi...
> >>>
> >>> dn: uid=otheruid,dc=Esterni,dc=People,dc=domain,dc=it
> >>> cn: otheruid
> >>>
> >>> But the line is always the dn:
> >>> uid=someuid,dc=SomeSubDc,dc=People,dc=domain,dc=it
> >>>
> >>> but reading mailHost: I have a line in many accounts with maildir and
> >>> mail host etc that I don't need any more; shall I remove lines
> >>> containing mail attributes? (mytextools.com  is
> >>> great but I suppose there must be some regular expression too)
> >>>
> >>> I did a slapcat from destination server and it imported groups but no
> >>> actu

Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

2010-04-09 Thread Vladimir Psenicka
Hi.

Can you change *objectClass: sambaAccount* to *objectClass:
sambaSamAccount* in whole ldif, but object class 'sambaSamAccount'
requires attribute 'sambaSID' and maybe other samba* attributes. Or
delete objectClass: sambaAccount from this dn when no samba* attribute
is specified in this dn. I can't see objectClass: sambaAccount in our
Samba 3.0 samba.schema.

You can tune your old attributes (rid) in samba.schema: see HISTORICAL


Next your uid in dn must exactly be same as attribute uid


dn: *uid=Christian Sanvi*,dc=Sistemi
Informativi,dc=People,dc=GG-s-Domain,dc=it
structuralObjectClass: inetOrgPerson
entryUUID: e969a5fc-584e-1027-9dc7-fa88d05ed16f
creatorsName: cn=Manager,dc=GG-s-Domain,dc=it
createTimestamp: 20030801093311Z
objectClass: inetOrgPerson
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
mail: christian.sa...@gg-s-domain.it
mailHost: mail.GG-s-Domain.it
mailMessageStore: /var/qmail/maildirs/GG-s-Domain.it/christian.sanvi
*uid: Christian Sanvi*
cn: csanvi
sn: sanvi
shadowMax: 9
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1000
gidNumber: 100
homeDirectory: /home/christian
gecos: Christian Sanvi,,,
entryCSN: 2008042908:48:24Z#0x0002#0#
modifiersName: cn=Manager,dc=GG-s-Domain,dc=it
modifyTimestamp: 20080429084824Z
userPassword:: e2NyeXB0fVc4Tmx0ck9pZDZhd3M=
shadowLastChange: 14695


This dn imported me fine (delete qmail and samba objectclass and rid
attribute).


On 9.4.2010 12:40, GG wrote:
> Hello!
> 
> So I added openldap.schema and qmail.schema, deleted /var/lib/ldap/*
> and slapadd the ldif; I still get the same errors though!
> 
> Being on the first line it seems as if dn: uid=,dc=,dc=,dc= is not ok
> for the new version, because it imports groups correctly  dn:
> dc=,dc=,dc=
> 
> Ideas?
> 
> Cheers,
> Giorgio
> 
> On 4/8/10, Vladimir Psenicka  wrote:
>> You have in gg-edited.ldif (first error on line 52):
>>
>> dn: uid=name surname,dc=Sistemi
>> Informativi,dc=People,dc=GG-s-Domain,dc=it
>> structuralObjectClass: inetOrgPerson
>> entryUUID: e969a5fc-584e-1027-9dc7-fa88d05ed16f
>> creatorsName: cn=Manager,dc=GG-s-Domain,dc=it
>> createTimestamp: 20030801093311Z
>> objectClass: inetOrgPerson
>> objectClass: person
>> objectClass: sambaAccount
>> objectClass: qmailUser
>> objectClass: posixAccount
>> objectClass: shadowAccount
>>
>> Do you have all appropriate schemas in your slapd.conf and in
>> /etc/ldap/schema/ on your new server? You should have all schemas in new
>> slapd.conf as you had in slapd.conf on old server...qmail schema etc...
>>
>> On 8.4.2010 11:44, GG wrote:
>>> Hello Vladimir and NG,
>>>
>>> I added samba.schema and removed the "" and it imported ldif without
>>> saying anything about groups now :-)
>>>
>>> There are some warnings I am attaching.
>>>
>>> It moans about
>>> str2entry: invalid value for attributeType objectClass #3 (syntax
>>> 1.3.6.1.4.1.1466.115.121.1.38)
>>> slapadd: could not parse entry (line=11937)
>>> and if I look at the ldif I find this
>>> dn: uid=someuid,dc=Filiali,dc=People,dc=domain,dc=it
>>>
>>> and other error
>>> slapadd: could not parse entry (line=6)
>>> <= str2entry: str2ad(mailHost): attribute type undefined
>>> this is the line in ldfi...
>>>
>>> dn: uid=otheruid,dc=Esterni,dc=People,dc=domain,dc=it
>>> cn: otheruid
>>>
>>> But the line is always the dn:
>>> uid=someuid,dc=SomeSubDc,dc=People,dc=domain,dc=it
>>>
>>> but reading mailHost: I have a line in many accounts with maildir and
>>> mail host etc that I don't need any more; shall I remove lines
>>> containing mail attributes? (mytextools.com  is
>>> great but I suppose there must be some regular expression too)
>>>
>>> I did a slapcat from destination server and it imported groups but no
>>> actual users.
>>>
>>> I removed mail alternate attributes (not mail: as it used for creating
>>> alias from ldap into mail server) anyway the error seems to be in the
>>> DN. it needs a dn but it gives this error
>>> str2entry: invalid value for attributeType objectClass #3 (syntax
>>> 1.3.6.1.4.1.1466.115.121.1.38)
>>> slapadd: could not parse entry (line=1)
>>>
>>> importing a single user from a partial ldif..
>>>
>>>
>>> Giorgio
>>>
>>> On 4/8/10, Vladimir Psenicka wrote:
>>>> 1. comments to slapd.conf:
>>>>
>>>> if slapd.conf.destination is on your new server, then you are missing
>>>> samba schema in your slapd.conf.destination.
>>>>
>>>> slapd.conf on new server:
>>>>
>>>> include /etc/ldap/schema/samba.schema
>>>>
>>>>
>>>> Get samba.schema from your current samba installation on new server. It
>>>> should be in somewhere in: /usr/share/doc/samba-doc/examples/LDAP/
>>>>
>>>> 2. comments on error importing ldif:
>>>>
>>>> slapadd-ing.LOG:
>>>>
>>>> slapadd: dn="dc=People,dc=GG-s-Domain,dc=it" (line=26): (64) value of
>>>> naming attribute 'dc' is not present in entry
>>>>
>>>> which is in gg-edited.ldif:
>>>>
>>>> dn: dc=People,dc=GG-s-Domain,dc=it
>>>

Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

2010-04-09 Thread GG
Hello!

So I added openldap.schema and qmail.schema, deleted /var/lib/ldap/*
and slapadd the ldif; I still get the same errors though!

Being on the first line it seems as if dn: uid=,dc=,dc=,dc= is not ok
for the new version, because it imports groups correctly  dn:
dc=,dc=,dc=

Ideas?

Cheers,
Giorgio

On 4/8/10, Vladimir Psenicka  wrote:
> You have in gg-edited.ldif (first error on line 52):
>
> dn: uid=name surname,dc=Sistemi
> Informativi,dc=People,dc=GG-s-Domain,dc=it
> structuralObjectClass: inetOrgPerson
> entryUUID: e969a5fc-584e-1027-9dc7-fa88d05ed16f
> creatorsName: cn=Manager,dc=GG-s-Domain,dc=it
> createTimestamp: 20030801093311Z
> objectClass: inetOrgPerson
> objectClass: person
> objectClass: sambaAccount
> objectClass: qmailUser
> objectClass: posixAccount
> objectClass: shadowAccount
>
> Do you have all appropriate schemas in your slapd.conf and in
> /etc/ldap/schema/ on your new server? You should have all schemas in new
> slapd.conf as you had in slapd.conf on old server...qmail schema etc...
>
> On 8.4.2010 11:44, GG wrote:
> > Hello Vladimir and NG,
> >
> > I added samba.schema and removed the "" and it imported ldif without
> > saying anything about groups now :-)
> >
> > There are some warnings I am attaching.
> >
> > It moans about
> > str2entry: invalid value for attributeType objectClass #3 (syntax
> > 1.3.6.1.4.1.1466.115.121.1.38)
> > slapadd: could not parse entry (line=11937)
> > and if I look at the ldif I find this
> > dn: uid=someuid,dc=Filiali,dc=People,dc=domain,dc=it
> >
> > and other error
> > slapadd: could not parse entry (line=6)
> > <= str2entry: str2ad(mailHost): attribute type undefined
> > this is the line in ldfi...
> >
> > dn: uid=otheruid,dc=Esterni,dc=People,dc=domain,dc=it
> > cn: otheruid
> >
> > But the line is always the dn:
> > uid=someuid,dc=SomeSubDc,dc=People,dc=domain,dc=it
> >
> > but reading mailHost: I have a line in many accounts with maildir and
> > mail host etc that I don't need any more; shall I remove lines
> > containing mail attributes? (mytextools.com  is
> > great but I suppose there must be some regular expression too)
> >
> > I did a slapcat from destination server and it imported groups but no
> > actual users.
> >
> > I removed mail alternate attributes (not mail: as it used for creating
> > alias from ldap into mail server) anyway the error seems to be in the
> > DN. it needs a dn but it gives this error
> > str2entry: invalid value for attributeType objectClass #3 (syntax
> > 1.3.6.1.4.1.1466.115.121.1.38)
> > slapadd: could not parse entry (line=1)
> >
> > importing a single user from a partial ldif..
> >
> >
> > Giorgio
> >
> > On 4/8/10, Vladimir Psenicka wrote:
> >> 1. comments to slapd.conf:
> >>
> >> if slapd.conf.destination is on your new server, then you are missing
> >> samba schema in your slapd.conf.destination.
> >>
> >> slapd.conf on new server:
> >> 
> >> include /etc/ldap/schema/samba.schema
> >> 
> >>
> >> Get samba.schema from your current samba installation on new server. It
> >> should be in somewhere in: /usr/share/doc/samba-doc/examples/LDAP/
> >>
> >> 2. comments on error importing ldif:
> >>
> >> slapadd-ing.LOG:
> >>
> >> slapadd: dn="dc=People,dc=GG-s-Domain,dc=it" (line=26): (64) value of
> >> naming attribute 'dc' is not present in entry
> >>
> >> which is in gg-edited.ldif:
> >>
> >> dn: dc=People,dc=GG-s-Domain,dc=it
> >> objectClass: dcObject
> >> objectClass: organizationalUnit
> >> ou: "People"
> >> dc: "People"
> >> structuralObjectClass: organizationalUnit
> >> entryUUID: 067e823e-5845-1027-9dc5-fa88d05ed16f
> >> creatorsName: cn=Manager,dc=GG-s-Domain,dc=it
> >> createTimestamp: 20030801082225Z
> >> entryCSN: 2003080108:22:25Z#0x0001#0#
> >> modifiersName: cn=Manager,dc=GG-s-Domain,dc=it
> >> modifyTimestamp: 20030801082225Z
> >>
> >> Can you try delete quotes in ou: "People" and dc: "People" and try to
> >> import ldif again? Or you can try delete objectClass: dcObject and dc:
> >> "People". In our ldap we haven't objectClass: dcObject in dn:
> >> ou=Users,dc=pavouk,dc=cz
> >>
> >> my ldif:
> >>
> >> dn: ou=Users,dc=pavouk,dc=cz
> >> objectClass: organizationalUnit
> >> ou: Users
> >> structuralObjectClass: organizationalUnit
> >> entryUUID: 00014016-c3a2-1029-9d4e-9147cb3e97d5
> >> creatorsName: cn=Manager,dc=pavouk,dc=cz
> >> createTimestamp: 20050927125727Z
> >> entryCSN: 20050927125727.00Z#01#000#00
> >> modifiersName: cn=Manager,dc=pavouk,dc=cz
> >> modifyTimestamp: 20050927125727Z
> >>
> >>
> >>
> >>
> >> On 7.4.2010 16:14, GG wrote:
> >> > Hello Vladimir and anyone else reading :-) !
> >> >
> >> > Attaching these files:
> >> >
> >> > - gg-edited.ldif
> >> > - slapd.conf.destination.txt
> >> > - slapd.conf.source.txt
> >> > - ldap.conf.destination.txt
> >> > - ldap.conf.source.txt
> >> > - slapadd-ing.LOG this was the log while importing ldif
> >> >
> >> >
> >> > NET SID ETC
> >> > 

Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

2010-04-08 Thread Vladimir Psenicka
You have in gg-edited.ldif (first error on line 52):

dn: uid=Christian Sanvi,dc=Sistemi
Informativi,dc=People,dc=GG-s-Domain,dc=it
structuralObjectClass: inetOrgPerson
entryUUID: e969a5fc-584e-1027-9dc7-fa88d05ed16f
creatorsName: cn=Manager,dc=GG-s-Domain,dc=it
createTimestamp: 20030801093311Z
objectClass: inetOrgPerson
objectClass: person
objectClass: sambaAccount
objectClass: qmailUser
objectClass: posixAccount
objectClass: shadowAccount

Do you have all appropriate schemas in your slapd.conf and in
/etc/ldap/schema/ on your new server? You should have all schemas in new
slapd.conf as you had in slapd.conf on old server...qmail schema etc...

On 8.4.2010 11:44, GG wrote:
> Hello Vladimir and NG,
> 
> I added samba.schema and removed the "" and it imported ldif without
> saying anything about groups now :-)
> 
> There are some warnings I am attaching.
>  
> It moans about
> str2entry: invalid value for attributeType objectClass #3 (syntax
> 1.3.6.1.4.1.1466.115.121.1.38)
> slapadd: could not parse entry (line=11937)
> and if I look at the ldif I find this
> dn: uid=someuid,dc=Filiali,dc=People,dc=domain,dc=it
> 
> and other error
> slapadd: could not parse entry (line=6)
> <= str2entry: str2ad(mailHost): attribute type undefined
> this is the line in ldif...
> 
> dn: uid=otheruid,dc=Esterni,dc=People,dc=domain,dc=it
> cn: otheruid
>  
> But the line is always the dn:
> uid=someuid,dc=SomeSubDc,dc=People,dc=domain,dc=it
>  
> but reading mailHost: I have a line in many accounts with maildir and
> mail host etc that I don't need any more; shall I remove lines
> containing mail attributes? (mytextools.com  is
> great but I suppose there must be some regular expression too)
>  
> I did a slapcat from destination server and it imported groups but no
> actual users.
>  
> I removed mail alternate attributes (not mail: as it used for creating
> alias from ldap into mail server) anyway the error seems to be in the
> DN. it needs a dn but it gives this error 
> str2entry: invalid value for attributeType objectClass #3 (syntax
> 1.3.6.1.4.1.1466.115.121.1.38)
> slapadd: could not parse entry (line=1)
>  
> importing a single user from a partial ldif..
>  
>  
> Giorgio 
>  
> On 4/8/10, Vladimir Psenicka wrote:
>> 1. comments to slapd.conf:
>>
>> if slapd.conf.destination is on your new server, then you are missing
>> samba schema in your slapd.conf.destination.
>>
>> slapd.conf on new server:
>> 
>> include /etc/ldap/schema/samba.schema
>> 
>>
>> Get samba.schema from your current samba installation on new server. It
>> should be somewhere in: /usr/share/doc/samba-doc/examples/LDAP/
>>
>> 2. comments on error importing ldif:
>>
>> slapadd-ing.LOG:
>>
>> slapadd: dn="dc=People,dc=GG-s-Domain,dc=it" (line=26): (64) value of
>> naming attribute 'dc' is not present in entry
>>
>> which is in gg-edited.ldif:
>>
>> dn: dc=People,dc=GG-s-Domain,dc=it
>> objectClass: dcObject
>> objectClass: organizationalUnit
>> ou: "People"
>> dc: "People"
>> structuralObjectClass: organizationalUnit
>> entryUUID: 067e823e-5845-1027-9dc5-fa88d05ed16f
>> creatorsName: cn=Manager,dc=GG-s-Domain,dc=it
>> createTimestamp: 20030801082225Z
>> entryCSN: 2003080108:22:25Z#0x0001#0#
>> modifiersName: cn=Manager,dc=GG-s-Domain,dc=it
>> modifyTimestamp: 20030801082225Z
>>
>> Can you try delete quotes in ou: "People" and dc: "People" and try to
>> import ldif again? Or you can try delete objectClass: dcObject and dc:
>> "People". In our ldap we haven't objectClass: dcObject in dn:
>> ou=Users,dc=pavouk,dc=cz
>>
>> my ldif:
>>
>> dn: ou=Users,dc=pavouk,dc=cz
>> objectClass: organizationalUnit
>> ou: Users
>> structuralObjectClass: organizationalUnit
>> entryUUID: 00014016-c3a2-1029-9d4e-9147cb3e97d5
>> creatorsName: cn=Manager,dc=pavouk,dc=cz
>> createTimestamp: 20050927125727Z
>> entryCSN: 20050927125727.00Z#01#000#00
>> modifiersName: cn=Manager,dc=pavouk,dc=cz
>> modifyTimestamp: 20050927125727Z
>>
>>
>>
>>
>> On 7.4.2010 16:14, GG wrote:
>> > Hello Vladimir and anyone else reading :-) !
>> >
>> > Attaching these files:
>> >
>> > - gg-edited.ldif
>> > - slapd.conf.destination.txt
>> > - slapd.conf.source.txt
>> > - ldap.conf.destination.txt
>> > - ldap.conf.source.txt
>> > - slapadd-ing.LOG this was the log while importing ldif
>> >
>> >
>> > NET SID ETC
>> > net setlocalsid S-1-5-21-1168...-..-...2
>> > net setdomainsid S-1-5-21-1168...-..-...1
>> >
>> > does net setlocal and domain sid have sense or should it be
>> > net setdomainsid
>> > twice with different sids?
>> >
>> > Thanks very much!
>> >
>> > Giorgio
>> >
>> > On 4/6/10, Vladimir Psenicka wrote:
>> >> Hi Giorgio
>> >>
>> >> On 2.4.2010 17:01, GG wrote:
>> >>> Hi all,
>> >>>
>> >>> So I have
>> >>> openldap2-2.1.12-74
>> >>> samba-2.2.7a-72
>> >>>
>> >>> I wo

Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

2010-04-07 Thread Vladimir Psenicka
1. comments to slapd.conf:

if slapd.conf.destination is on your new server, then you are missing
samba schema in your slapd.conf.destination.

slapd.conf on new server:

include /etc/ldap/schema/samba.schema


Get samba.schema from your current samba installation on new server. It
should be somewhere in: /usr/share/doc/samba-doc/examples/LDAP/

2. comments on error importing ldif:

slapadd-ing.LOG:

slapadd: dn="dc=People,dc=GG-s-Domain,dc=it" (line=26): (64) value of
naming attribute 'dc' is not present in entry

which is in gg-edited.ldif:

dn: dc=People,dc=GG-s-Domain,dc=it
objectClass: dcObject
objectClass: organizationalUnit
ou: "People"
dc: "People"
structuralObjectClass: organizationalUnit
entryUUID: 067e823e-5845-1027-9dc5-fa88d05ed16f
creatorsName: cn=Manager,dc=GG-s-Domain,dc=it
createTimestamp: 20030801082225Z
entryCSN: 2003080108:22:25Z#0x0001#0#
modifiersName: cn=Manager,dc=GG-s-Domain,dc=it
modifyTimestamp: 20030801082225Z

Can you try delete quotes in ou: "People" and dc: "People" and try to
import ldif again? Or you can try delete objectClass: dcObject and dc:
"People". In our ldap we haven't objectClass: dcObject in dn:
ou=Users,dc=pavouk,dc=cz

my ldif:

dn: ou=Users,dc=pavouk,dc=cz
objectClass: organizationalUnit
ou: Users
structuralObjectClass: organizationalUnit
entryUUID: 00014016-c3a2-1029-9d4e-9147cb3e97d5
creatorsName: cn=Manager,dc=pavouk,dc=cz
createTimestamp: 20050927125727Z
entryCSN: 20050927125727.00Z#01#000#00
modifiersName: cn=Manager,dc=pavouk,dc=cz
modifyTimestamp: 20050927125727Z




On 7.4.2010 16:14, GG wrote:
> Hello Vladimir and anyone else reading :-) !
> 
> Attaching these files:
> 
> - gg-edited.ldif
> - slapd.conf.destination.txt
> - slapd.conf.source.txt
> - ldap.conf.destination.txt
> - ldap.conf.source.txt
> - slapadd-ing.LOG this was the log while importing ldif
> 
> 
> NET SID ETC
> net setlocalsid S-1-5-21-1168...-..-...2
> net setdomainsid S-1-5-21-1168...-..-...1
> 
> does net setlocal and domain sid have sense or should it be
> net setdomainsid
> twice with different sids?
> 
> Thanks very much!
> 
> Giorgio
> 
> On 4/6/10, Vladimir Psenicka  wrote:
>> Hi Giorgio
>>
>> On 2.4.2010 17:01, GG wrote:
>>> Hi all,
>>>
>>> So I have
>>> openldap2-2.1.12-74
>>> samba-2.2.7a-72
>>>
>>> I would like to migrate this existing PDC service to a new server and
>>> to current production / stable releases (especially for windows 7
>>> joining to the domain).
>>>
>>> New server is Debian Lenny stable.
>>>
>>> I have exported the domain SID, and ldap.ldif
>>>
>>> Now lets get down to it :-)
>>> Before importing should I do something about organizational units and so? 
>>> How?
>>>
 Import only data to LDAP no configs (slapcat->slapadd)
>>>  slapadd -c -l slapcat.ldif
>>> I did this but attached errors showed up.
>>>
>>> Error, entries missing!
>>>   entry 3: dc=people,dc=ExampleDomain,dc=it
>>>   entry 4: dc=groups,dc=people,dc=ExampleDomain,dc=it
>>
>> Can you post first 100 lines of your ldif you try to import? You
>> are probably missing some base ldif.
>>
>>>
>>>
>>> I know nothing about ldap, but my ldap is probably missing some pre
>>> required settings ? :-/
>>>
>>
>> Can you post slapd.conf also?
>>
>>
>>> Cheers!
>>> Giorgio
>>>
 Configs yes, live data no, but if you have ldap it *should* be enough to
 import ldif from old server, configure samba to use ldap and run smbpasswd
 -W to store ldap admin dn pass to secrets.tdb. After that you can test if
 samba see imported users in ldap (pdbedit -L).
>>>
>>>
>>>
>>>
>>>
>>>
>>> On 3/27/10, Vladimir Psenicka  wrote:
 On Fri, 26 Mar 2010 15:32:50 +0100, GG  wrote:
> wow I made it!
>
> I copied net and all the libs it complained about from another suse
> server which was not missing it :-)
>
> [2010/03/26 15:07:37, 0] param/loadparm.c:map_parameter(2435)
>   Unknown parameter encountered: "domain admin group"
> [2010/03/26 15:07:37, 0] param/loadparm.c:lp_do_parameter(3125)
>   Ignoring unknown parameter "domain admin group"
> SID for domain ThisIsLikeTheHostNameOrMaybeAtestDomain???
>  is: S-1-5-21-1bla bla
> SID for domain THISISMYDOMAIN is: S-1-5-other-bla bla
>
> Which shall I import?
>

 Import both for sure:-). First is localsid, second is domainsid

> So now back to mail number 2 :-)
>
> LDAP: I exported ldif :-) now
> I copied /etc/groups passwd shadow aliases
>
> now on the new server:
>
> how do I import LDAP and all its configs,
> samba and all its configs are only in smb.conf?
>
 Import only data to LDAP no configs (slapcat->slapadd)
 Configs yes, live data no, but if you have ldap it *should* be enough to
 import ldif from old server, configure samba to use ldap and run smbpasswd
 -W to store ldap admin dn pass to secrets.tdb. After that you can tes

Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

2010-04-07 Thread GG
you are right! please excuse me I misread!

Giorgio

On 4/7/10, Gaiseric Vandal  wrote:
> They should be the same SID.   The SID of a DC should be the same as the SID of
> the domain itself.  And if you had multiple DC's they should all have the
> same SID.
>
> At least that is what I have and it seems to work for me.
>
>
>
>
> On 04/07/2010 10:14 AM, GG wrote:
> > Hello Vladimir and anyone else reading :-) !
> >
> > Attaching these files:
> >
> > - gg-edited.ldif
> > - slapd.conf.destination.txt
> > - slapd.conf.source.txt
> > - ldap.conf.destination.txt
> > - ldap.conf.source.txt
> > - slapadd-ing.LOG this was the log while importing ldif
> >
> >
> > NET SID ETC
> > net setlocalsid S-1-5-21-1168...-..-...2
> > net setdomainsid S-1-5-21-1168...-..-...1
> >
> > does net setlocal and domain sid have sense or should it be
> > net setdomainsid
> > twice with different sids?
> >
> > Thanks very much!
> >
> > Giorgio
> >
> > On 4/6/10, Vladimir
> Psenicka  wrote:
> >
> >
> > > Hi Giorgio
> > >
> > > On 2.4.2010 17:01, GG wrote:
> > >
> > >
> > > > Hi all,
> > > >
> > > > So I have
> > > > openldap2-2.1.12-74
> > > > samba-2.2.7a-72
> > > >
> > > > I would like to migrate this existing PDC service to a new server and
> > > > to current production / stable releases (especially for windows 7
> > > > joining to the domain).
> > > >
> > > > New server is Debian Lenny stable.
> > > >
> > > > I have exported the domain SID, and ldap.ldif
> > > >
> > > > Now lets get down to it :-)
> > > > Before importing should I do something about organizational units and
> so? How?
> > > >
> > > >
> > > >
> > > > > Import only data to LDAP no configs (slapcat->slapadd)
> > > > >
> > > > >
> > > >  slapadd -c -l slapcat.ldif
> > > > I did this but attached errors showed up.
> > > >
> > > > Error, entries missing!
> > > >   entry 3: dc=people,dc=ExampleDomain,dc=it
> > > >   entry 4: dc=groups,dc=people,dc=ExampleDomain,dc=it
> > > >
> > > >
> > > Can you post first 100 lines of your ldif you try to import? You
> > > are probably missing some base ldif.
> > >
> > >
> > >
> > > >
> > > > I know nothing about ldap, but my ldap is probably missing some pre
> > > > required settings ? :-/
> > > >
> > > >
> > > >
> > > Can you post slapd.conf also?
> > >
> > >
> > >
> > >
> > > > Cheers!
> > > > Giorgio
> > > >
> > > >
> > > >
> > > > > Configs yes, live data no, but if you have ldap it *should* be
> enough to
> > > > > import ldif from old server, configure samba to use ldap and run
> smbpasswd
> > > > > -W to store ldap admin dn pass to secrets.tdb. After that you can
> test if
> > > > > samba see imported users in ldap (pdbedit -L).
> > > > >
> > > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > On 3/27/10, Vladimir
> Psenicka  wrote:
> > > >
> > > >
> > > > > On Fri, 26 Mar 2010 15:32:50 +0100, GG  wrote:
> > > > >
> > > > >
> > > > > > wow I made it!
> > > > > >
> > > > > > I copied net and all the libs it complained about from another
> suse
> > > > > > server which was not missing it :-)
> > > > > >
> > > > > > [2010/03/26 15:07:37, 0]
> param/loadparm.c:map_parameter(2435)
> > > > > >   Unknown parameter encountered: "domain admin group"
> > > > > > [2010/03/26 15:07:37, 0]
> param/loadparm.c:lp_do_parameter(3125)
> > > > > >   Ignoring unknown parameter "domain admin group"
> > > > > > SID for domain
> ThisIsLikeTheHostNameOrMaybeAtestDomain???
> > > > > >  is: S-1-5-21-1bla bla
> > > > > > SID for domain THISISMYDOMAIN is: S-1-5-other-bla bla
> > > > > >
> > > > > > Which shall I import?
> > > > > >
> > > > > >
> > > > > >
> > > > > Import both for sure:-). First is localsid, second is domainsid
> > > > >
> > > > >
> > > > >
> > > > > > So now back to mail number 2 :-)
> > > > > >
> > > > > > LDAP: I exported ldif :-) now
> > > > > > I copied /etc/groups passwd shadow aliases
> > > > > >
> > > > > > now on the new server:
> > > > > >
> > > > > > how do I import LDAP and all its configs,
> > > > > > samba and all its configs are only in smb.conf?
> > > > > >
> > > > > >
> > > > > >
> > > > > Import only data to LDAP no configs (slapcat->slapadd)
> > > > > Configs yes, live data no, but if you have ldap it *should* be
> enough to
> > > > > import ldif from old server, configure samba to use ldap and run
> smbpasswd
> > > > > -W to store ldap admin dn pass to secrets.tdb. After that you can
> test if
> > > > > samba see imported users in ldap (pdbedit -L).
> > > > >
> > > > >
> > > > >
> > > > > > :-)
> > > > > > Giorgio
> > > > > >
> > > > > >
> > > > > >
> > > > > > On 3/26/10, Vladimir
> Psenicka  wrote:
> > > > > >
> > > > > >
> > > > > > > Paste ldap admin dn or ldap suffix in your smb.conf
> > > > > > >
> > > > > > > On 26.3.2010 15:24, Vladimir Psenicka wrote:
> > > > > > >
> > > > > > >
> > > > > > > > try this:
> > > > > > > >
> > > > > > > > ldapsearch -x -h localhost -D
> "cn=Manager,dc=WORKGROUP,dc=it" -W -b
> > > > > > > >
> "sambaDomainN

Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

2010-04-07 Thread Gaiseric Vandal
They should be the same SID.   The SID of a DC should be the same as the 
SID of the domain itself.  And if you had multiple DC's they should all 
have the same SID.


At least that is what I have and it seems to work for me.



On 04/07/2010 10:14 AM, GG wrote:

Hello Vladimir and anyone else reading :-) !

Attaching these files:

- gg-edited.ldif
- slapd.conf.destination.txt
- slapd.conf.source.txt
- ldap.conf.destination.txt
- ldap.conf.source.txt
- slapadd-ing.LOG this was the log while importing ldif


NET SID ETC
net setlocalsid S-1-5-21-1168...-..-...2
net setdomainsid S-1-5-21-1168...-..-...1

does net setlocal and domain sid have sense or should it be
net setdomainsid
twice with different sids?

Thanks very much!

Giorgio

On 4/6/10, Vladimir Psenicka  wrote:
   

Hi Giorgio

On 2.4.2010 17:01, GG wrote:
 

Hi all,

So I have
openldap2-2.1.12-74
samba-2.2.7a-72

I would like to migrate this existing PDC service to a new server and
to current production / stable releases (especially for windows 7
joining to the domain).

New server is Debian Lenny stable.

I have exported the domain SID, and ldap.ldif

Now lets get down to it :-)
Before importing should I do something about organizational units and so? How?

   

Import only data to LDAP no configs (slapcat->slapadd)
 

  slapadd -c -l slapcat.ldif
I did this but attached errors showed up.

Error, entries missing!
   entry 3: dc=people,dc=ExampleDomain,dc=it
   entry 4: dc=groups,dc=people,dc=ExampleDomain,dc=it
   

Can you post first 100 lines of your ldif you try to import? You
are probably missing some base ldif.

 


I know nothing about ldap, but my ldap is probably missing some pre
required settings ? :-/

   

Can you post slapd.conf also?


 

Cheers!
Giorgio

   

Configs yes, live data no, but if you have ldap it *should* be enough to
import ldif from old server, configure samba to use ldap and run smbpasswd
-W to store ldap admin dn pass to secrets.tdb. After that you can test if
samba see imported users in ldap (pdbedit -L).
 






On 3/27/10, Vladimir Psenicka  wrote:
   

On Fri, 26 Mar 2010 15:32:50 +0100, GG  wrote:
 

wow I made it!

I copied net and all the libs it complained about from another suse
server which was not missing it :-)

[2010/03/26 15:07:37, 0] param/loadparm.c:map_parameter(2435)
   Unknown parameter encountered: "domain admin group"
[2010/03/26 15:07:37, 0] param/loadparm.c:lp_do_parameter(3125)
   Ignoring unknown parameter "domain admin group"
SID for domain ThisIsLikeTheHostNameOrMaybeAtestDomain???
  is: S-1-5-21-1bla bla
SID for domain THISISMYDOMAIN is: S-1-5-other-bla bla

Which shall I import?

   

Import both for sure:-). First is localsid, second is domainsid

 

So now back to mail number 2 :-)

LDAP: I exported ldif :-) now
I copied /etc/groups passwd shadow aliases

now on the new server:

how do I import LDAP and all its configs,
samba and all its configs are only in smb.conf?

   

Import only data to LDAP no configs (slapcat->slapadd)
Configs yes, live data no, but if you have ldap it *should* be enough to
import ldif from old server, configure samba to use ldap and run smbpasswd
-W to store ldap admin dn pass to secrets.tdb. After that you can test if
samba see imported users in ldap (pdbedit -L).

 

:-)
Giorgio



On 3/26/10, Vladimir Psenicka  wrote:
   

Paste ldap admin dn or ldap suffix in your smb.conf

On 26.3.2010 15:24, Vladimir Psenicka wrote:
 

try this:

ldapsearch -x -h localhost -D "cn=Manager,dc=WORKGROUP,dc=it" -W -b
"sambaDomainName=WORKGROUP,dc=WORKGROUP,dc=it"

On 26.3.2010 15:00, GG wrote:
   

Hello!

I'm stuck on getdomainsid: Net command is missing even though libs
 

and
 

smbclient are installed.

I tried this:
# ldapsearch -x -h localhost -D "cn=Manager,dc=domain,dc=it" -W -b
"sambaDomainName=WORKGROUP,dc=domain,dc=it"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base  with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 34 Invalid DN syntax
text: invalid DN

# numResponses: 1

So: I'm not sure what is sambaDomainName=domain,dc=domain,dc=it...
I used WORKGROUP as it is the domain we use on pcs and the only one
defined in smb.conf

I also tried using my pdc HOSTNAME

and this was returned
# LDAPv3
# base  with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 34 Invalid DN syntax
text: invalid DN

# numResponses: 1

Any way to get through this or how to use net command? Maybe
 

updating
 

samba-client?

I tried rpm -i samba-client but it says
file /usr/share/man/man1/smbclient.1.gz from install of
samba-client-2.2.12-1.suse82 conflicts with file from package
samba-client-2.2.7a-72 when trying to rpm -i
 

samba-client-

Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

2010-04-07 Thread GG
Hello Vladimir and anyone else reading :-) !

Attaching these files:

- gg-edited.ldif
- slapd.conf.destination.txt
- slapd.conf.source.txt
- ldap.conf.destination.txt
- ldap.conf.source.txt
- slapadd-ing.LOG this was the log while importing ldif


NET SID ETC
net setlocalsid S-1-5-21-1168...-..-...2
net setdomainsid S-1-5-21-1168...-..-...1

does net setlocal and domain sid have sense or should it be
net setdomainsid
twice with different sids?

Thanks very much!

Giorgio

On 4/6/10, Vladimir Psenicka  wrote:
> Hi Giorgio
>
> On 2.4.2010 17:01, GG wrote:
> > Hi all,
> >
> > So I have
> > openldap2-2.1.12-74
> > samba-2.2.7a-72
> >
> > I would like to migrate this existing PDC service to a new server and
> > to current production / stable releases (especially for windows 7
> > joining to the domain).
> >
> > New server is Debian Lenny stable.
> >
> > I have exported the domain SID, and ldap.ldif
> >
> > Now lets get down to it :-)
> > Before importing should I do something about organizational units and so? 
> > How?
> >
> >> Import only data to LDAP no configs (slapcat->slapadd)
> >  slapadd -c -l slapcat.ldif
> > I did this but attached errors showed up.
> >
> > Error, entries missing!
> >   entry 3: dc=people,dc=ExampleDomain,dc=it
> >   entry 4: dc=groups,dc=people,dc=ExampleDomain,dc=it
>
> Can you post first 100 lines of your ldif you try to import? You
> are probably missing some base ldif.
>
> >
> >
> > I know nothing about ldap, but my ldap is probably missing some pre
> > required settings ? :-/
> >
>
> Can you post slapd.conf also?
>
>
> > Cheers!
> > Giorgio
> >
> >> Configs yes, live data no, but if you have ldap it *should* be enough to
> >> import ldif from old server, configure samba to use ldap and run smbpasswd
> >> -W to store ldap admin dn pass to secrets.tdb. After that you can test if
> >> samba see imported users in ldap (pdbedit -L).
> >
> >
> >
> >
> >
> >
> > On 3/27/10, Vladimir Psenicka  wrote:
> >> On Fri, 26 Mar 2010 15:32:50 +0100, GG  wrote:
> >>> wow I made it!
> >>>
> >>> I copied net and all the libs it complained about from another suse
> >>> server which was not missing it :-)
> >>>
> >>> [2010/03/26 15:07:37, 0] param/loadparm.c:map_parameter(2435)
> >>>   Unknown parameter encountered: "domain admin group"
> >>> [2010/03/26 15:07:37, 0] param/loadparm.c:lp_do_parameter(3125)
> >>>   Ignoring unknown parameter "domain admin group"
> >>> SID for domain ThisIsLikeTheHostNameOrMaybeAtestDomain???
> >>>  is: S-1-5-21-1bla bla
> >>> SID for domain THISISMYDOMAIN is: S-1-5-other-bla bla
> >>>
> >>> Which shall I import?
> >>>
> >>
> >> Import both for sure:-). First is localsid, second is domainsid
> >>
> >>> So now back to mail number 2 :-)
> >>>
> >>> LDAP: I exported ldif :-) now
> >>> I copied /etc/groups passwd shadow aliases
> >>>
> >>> now on the new server:
> >>>
> >>> how do I import LDAP and all its configs,
> >>> samba and all its configs are only in smb.conf?
> >>>
> >> Import only data to LDAP no configs (slapcat->slapadd)
> >> Configs yes, live data no, but if you have ldap it *should* be enough to
> >> import ldif from old server, configure samba to use ldap and run smbpasswd
> >> -W to store ldap admin dn pass to secrets.tdb. After that you can test if
> >> samba see imported users in ldap (pdbedit -L).
> >>
> >>> :-)
> >>> Giorgio
> >>>
> >>>
> >>>
> >>> On 3/26/10, Vladimir Psenicka  wrote:
>  Paste ldap admin dn or ldap suffix in your smb.conf
> 
>  On 26.3.2010 15:24, Vladimir Psenicka wrote:
> > try this:
> >
> > ldapsearch -x -h localhost -D "cn=Manager,dc=WORKGROUP,dc=it" -W -b
> > "sambaDomainName=WORKGROUP,dc=WORKGROUP,dc=it"
> >
> > On 26.3.2010 15:00, GG wrote:
> >> Hello!
> >>
> >> I'm stuck on getdomainsid: Net command is missing even though libs
> >> and
> >> smbclient are installed.
> >>
> >> I tried this:
> >> # ldapsearch -x -h localhost -D "cn=Manager,dc=domain,dc=it" -W -b
> >> "sambaDomainName=WORKGROUP,dc=domain,dc=it"
> >> Enter LDAP Password:
> >> # extended LDIF
> >> #
> >> # LDAPv3
> >> # base  with scope sub
> >> # filter: (objectclass=*)
> >> # requesting: ALL
> >> #
> >>
> >> # search result
> >> search: 2
> >> result: 34 Invalid DN syntax
> >> text: invalid DN
> >>
> >> # numResponses: 1
> >>
> >> So: I'm not sure what is sambaDomainName=domain,dc=domain,dc=it...
> >> I used WORKGROUP as it is the domain we use on pcs and the only one
> >> defined in smb.conf
> >>
> >> I also tried using my pdc HOSTNAME
> >>
> >> and this was returned
> >> # LDAPv3
> >> # base  with scope sub
> >> # filter: (objectclass=*)
> >> # requesting: ALL
> >> #
> >>
> >> # search result
> >> search: 2
> >> result: 34 Invalid DN syntax
> >> text: invalid DN
> >>
> >> # numR

Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

2010-04-05 Thread Vladimir Psenicka
Hi Giorgio

On 2.4.2010 17:01, GG wrote:
> Hi all,
> 
> So I have
> openldap2-2.1.12-74
> samba-2.2.7a-72
> 
> I would like to migrate this existing PDC service to a new server and
> to current production / stable releases (especially for windows 7
> joining to the domain).
> 
> New server is Debian Lenny stable.
> 
> I have exported the domain SID, and ldap.ldif
> 
> Now lets get down to it :-)
> Before importing should I do something about organizational units and so? How?
> 
>> Import only data to LDAP no configs (slapcat->slapadd)
>  slapadd -c -l slapcat.ldif
> I did this but attached errors showed up.
> 
> Error, entries missing!
>   entry 3: dc=people,dc=ExampleDomain,dc=it
>   entry 4: dc=groups,dc=people,dc=ExampleDomain,dc=it

Can you post first 100 lines of your ldif you try to import? You
are probably missing some base ldif.

> 
> 
> I know nothing about ldap, but my ldap is probably missing some pre
> required settings ? :-/
> 

Can you post slapd.conf also?


> Cheers!
> Giorgio
> 
>> Configs yes, live data no, but if you have ldap it *should* be enough to
>> import ldif from old server, configure samba to use ldap and run smbpasswd
>> -W to store ldap admin dn pass to secrets.tdb. After that you can test if
>> samba see imported users in ldap (pdbedit -L).
> 
> 
> 
> 
> 
> 
> On 3/27/10, Vladimir Psenicka  wrote:
>> On Fri, 26 Mar 2010 15:32:50 +0100, GG  wrote:
>>> wow I made it!
>>>
>>> I copied net and all the libs it complained about from another suse
>>> server which was not missing it :-)
>>>
>>> [2010/03/26 15:07:37, 0] param/loadparm.c:map_parameter(2435)
>>>   Unknown parameter encountered: "domain admin group"
>>> [2010/03/26 15:07:37, 0] param/loadparm.c:lp_do_parameter(3125)
>>>   Ignoring unknown parameter "domain admin group"
>>> SID for domain ThisIsLikeTheHostNameOrMaybeAtestDomain???
>>>  is: S-1-5-21-1bla bla
>>> SID for domain THISISMYDOMAIN is: S-1-5-other-bla bla
>>>
>>> Which shall I import?
>>>
>>
>> Import both for sure:-). First is localsid, second is domainsid
>>
>>> So now back to mail number 2 :-)
>>>
>>> LDAP: I exported ldif :-) now
>>> I copied /etc/groups passwd shadow aliases
>>>
>>> now on the new server:
>>>
>>> how do I import LDAP and all its configs,
>>> samba and all its configs are only in smb.conf?
>>>
>> Import only data to LDAP no configs (slapcat->slapadd)
>> Configs yes, live data no, but if you have ldap it *should* be enough to
>> import ldif from old server, configure samba to use ldap and run smbpasswd
>> -W to store ldap admin dn pass to secrets.tdb. After that you can test if
>> samba see imported users in ldap (pdbedit -L).
>>
>>> :-)
>>> Giorgio
>>>
>>>
>>>
>>> On 3/26/10, Vladimir Psenicka  wrote:
 Paste ldap admin dn or ldap suffix in your smb.conf

 On 26.3.2010 15:24, Vladimir Psenicka wrote:
> try this:
>
> ldapsearch -x -h localhost -D "cn=Manager,dc=WORKGROUP,dc=it" -W -b
> "sambaDomainName=WORKGROUP,dc=WORKGROUP,dc=it"
>
> On 26.3.2010 15:00, GG wrote:
>> Hello!
>>
>> I'm stuck on getdomainsid: Net command is missing even though libs
>> and
>> smbclient are installed.
>>
>> I tried this:
>> # ldapsearch -x -h localhost -D "cn=Manager,dc=domain,dc=it" -W -b
>> "sambaDomainName=WORKGROUP,dc=domain,dc=it"
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base  with scope sub
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 2
>> result: 34 Invalid DN syntax
>> text: invalid DN
>>
>> # numResponses: 1
>>
>> So: I'm not sure what is sambaDomainName=domain,dc=domain,dc=it...
>> I used WORKGROUP as it is the domain we use on pcs and the only one
>> defined in smb.conf
>>
>> I also tried using my pdc HOSTNAME
>>
>> and this was returned
>> # LDAPv3
>> # base  with scope sub
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 2
>> result: 34 Invalid DN syntax
>> text: invalid DN
>>
>> # numResponses: 1
>>
>> Any way to get through this or how to use net command? Maybe
>> updating
>> samba-client?
>>
>> I tried rpm -i samba-client but it says
>> file /usr/share/man/man1/smbclient.1.gz from install of
>> samba-client-2.2.12-1.suse82 conflicts with file from package
>> samba-client-2.2.7a-72 when trying to rpm -i
>> samba-client-2.2.12-1.rpm
>>
>> I found also the original package but it says it is already
>> installed.
>>
>> What happens if I remove samba-client and reinstall it soon after on
>> the production pdc?
>>
>>
>> Giorgio
>>
>> On 3/26/10, Vladimir Psenicka  wrote:
>>> On 26.3.2010 13:50, GG wrote:
 Hello!

>> Have you samba-client package installed?
>>

 yes I do at least smbclient is there! but no net c

Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

2010-04-02 Thread GG
Hi all,

So I have
openldap2-2.1.12-74
samba-2.2.7a-72

I would like to migrate this existing PDC service to a new server and
to current production / stable releases (especially for windows 7
joining to the domain).

New server is Debian Lenny stable.

I have exported the domain SID, and ldap.ldif

Now lets get down to it :-)
Before importing should I do something about organizational units and so? How?

> Import only data to LDAP no configs (slapcat->slapadd)
 slapadd -c -l slapcat.ldif
I did this but attached errors showed up.

Error, entries missing!
  entry 3: dc=people,dc=ExampleDomain,dc=it
  entry 4: dc=groups,dc=people,dc=ExampleDomain,dc=it


I know nothing about ldap, but my ldap is probably missing some pre
required settings ? :-/

Cheers!
Giorgio

> Configs yes, live data no, but if you have ldap it *should* be enough to
> import ldif from old server, configure samba to use ldap and run smbpasswd
> -W to store ldap admin dn pass to secrets.tdb. After that you can test if
> samba see imported users in ldap (pdbedit -L).






On 3/27/10, Vladimir Psenicka  wrote:
> On Fri, 26 Mar 2010 15:32:50 +0100, GG  wrote:
> > wow I made it!
> >
> > I copied net and all the libs it complained about from another suse
> > server which was not missing it :-)
> >
> > [2010/03/26 15:07:37, 0] param/loadparm.c:map_parameter(2435)
> >   Unknown parameter encountered: "domain admin group"
> > [2010/03/26 15:07:37, 0] param/loadparm.c:lp_do_parameter(3125)
> >   Ignoring unknown parameter "domain admin group"
> > SID for domain ThisIsLikeTheHostNameOrMaybeAtestDomain???
> >  is: S-1-5-21-1bla bla
> > SID for domain THISISMYDOMAIN is: S-1-5-other-bla bla
> >
> > Which shall I import?
> >
>
> Import both for sure:-). First is localsid, second is domainsid
>
> > So now back to mail number 2 :-)
> >
> > LDAP: I exported ldif :-) now
> > I copied /etc/groups passwd shadow aliases
> >
> > now on the new server:
> >
> > how do I import LDAP and all its configs,
> > samba and all its configs are only in smb.conf?
> >
> Import only data to LDAP no configs (slapcat->slapadd)
> Configs yes, live data no, but if you have ldap it *should* be enough to
> import ldif from old server, configure samba to use ldap and run smbpasswd
> -W to store ldap admin dn pass to secrets.tdb. After that you can test if
> samba sees imported users in ldap (pdbedit -L).
>
> > :-)
> > Giorgio
> >
> >
> >
> > On 3/26/10, Vladimir Psenicka  wrote:
> >> Paste ldap admin dn or ldap suffix in your smb.conf
> >>
> >> On 26.3.2010 15:24, Vladimir Psenicka wrote:
> >> > try this:
> >> >
> >> > ldapsearch -x -h localhost -D "cn=Manager,dc=WORKGROUP,dc=it" -W -b
> >> > "sambaDomainName=WORKGROUP,dc=WORKGROUP,dc=it"
> >> >
> >> > On 26.3.2010 15:00, GG wrote:
> >> >> Hello!
> >> >>
> >> >> I'm stuck on getdomainsid: Net command is missing even though libs and
> >> >> smbclient are installed.
> >> >>
> >> >> I tried this:
> >> >> # ldapsearch -x -h localhost -D "cn=Manager,dc=domain,dc=it" -W -b
> >> >> "sambaDomainName=WORKGROUP,dc=domain,dc=it"
> >> >> Enter LDAP Password:
> >> >> # extended LDIF
> >> >> #
> >> >> # LDAPv3
> >> >> # base  with scope sub
> >> >> # filter: (objectclass=*)
> >> >> # requesting: ALL
> >> >> #
> >> >>
> >> >> # search result
> >> >> search: 2
> >> >> result: 34 Invalid DN syntax
> >> >> text: invalid DN
> >> >>
> >> >> # numResponses: 1
> >> >>
> >> >> So: I'm not sure what is sambaDomainName=domain,dc=domain,dc=it...
> >> >> I used WORKGROUP as it is the domain we use on pcs and the only one
> >> >> defined in smb.conf
> >> >>
> >> >> I also tried using my pdc HOSTNAME
> >> >>
> >> >> and this was returned
> >> >> # LDAPv3
> >> >> # base  with scope sub
> >> >> # filter: (objectclass=*)
> >> >> # requesting: ALL
> >> >> #
> >> >>
> >> >> # search result
> >> >> search: 2
> >> >> result: 34 Invalid DN syntax
> >> >> text: invalid DN
> >> >>
> >> >> # numResponses: 1
> >> >>
> >> >> Any way to get through this or how to use net command? Maybe updating
> >> >> samba-client?
> >> >>
> >> >> I tried rpm -i samba-client but it says
> >> >> file /usr/share/man/man1/smbclient.1.gz from install of
> >> >> samba-client-2.2.12-1.suse82 conflicts with file from package
> >> >> samba-client-2.2.7a-72 when trying to rpm -i samba-client-2.2.12-1.rpm
> >> >>
> >> >> I found also the original package but it says it is already installed.
> >> >>
> >> >> What happens if I remove samba-client and reinstall it soon after on
> >> >> the production pdc?
> >> >>
> >> >>
> >> >> Giorgio
> >> >>
> >> >> On 3/26/10, Vladimir Psenicka  wrote:
> >> >>> On 26.3.2010 13:50, GG wrote:
> >>  Hello!
> >> 
> >> >> Have you samba-client package installed?
> >> >>
> >> 
> >>  yes I do at least smbclient is there! but no net command :-/
> >> 
> >> >> pavouk\pseni...@psenicka:~> rpm -qf `which net`
> >> >> samba-client-3.5.1-4.1.x86_64
> >> 
> >>  So here are the issues encountered...
> >>  file /us

Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

2010-03-27 Thread Vladimir Psenicka
On Fri, 26 Mar 2010 15:32:50 +0100, GG  wrote:
> wow I made it!
> 
> I copied net and all the libs it complained about from another suse
> server which was not missing it :-)
> 
> [2010/03/26 15:07:37, 0] param/loadparm.c:map_parameter(2435)
>   Unknown parameter encountered: "domain admin group"
> [2010/03/26 15:07:37, 0] param/loadparm.c:lp_do_parameter(3125)
>   Ignoring unknown parameter "domain admin group"
> SID for domain ThisIsLikeTheHostNameOrMaybeAtestDomain???
>  is: S-1-5-21-1bla bla
> SID for domain THISISMYDOMAIN is: S-1-5-other-bla bla
> 
> Which shall I import?
> 

Import both for sure:-). First is localsid, second is domainsid

> So now back to mail number 2 :-)
> 
> LDAP: I exported ldif :-) now
> I copied /etc/groups passwd shadow aliases
> 
> now on the new server:
> 
> how do I import LDAP and all its configs,
> samba and all its configs are only in smb.conf?
> 
Import only data to LDAP no configs (slapcat->slapadd)
Configs yes, live data no, but if you have ldap it *should* be enough to
import ldif from old server, configure samba to use ldap and run smbpasswd
-W to store ldap admin dn pass to secrets.tdb. After that you can test if
samba sees imported users in ldap (pdbedit -L).

> :-)
> Giorgio
> 
> 
> 
> On 3/26/10, Vladimir Psenicka  wrote:
>> Paste ldap admin dn or ldap suffix in your smb.conf
>>
>> On 26.3.2010 15:24, Vladimir Psenicka wrote:
>> > try this:
>> >
>> > ldapsearch -x -h localhost -D "cn=Manager,dc=WORKGROUP,dc=it" -W -b
>> > "sambaDomainName=WORKGROUP,dc=WORKGROUP,dc=it"
>> >
>> > On 26.3.2010 15:00, GG wrote:
>> >> Hello!
>> >>
>> >> I'm stuck on getdomainsid: Net command is missing even though libs and
>> >> smbclient are installed.
>> >>
>> >> I tried this:
>> >> # ldapsearch -x -h localhost -D "cn=Manager,dc=domain,dc=it" -W -b
>> >> "sambaDomainName=WORKGROUP,dc=domain,dc=it"
>> >> Enter LDAP Password:
>> >> # extended LDIF
>> >> #
>> >> # LDAPv3
>> >> # base  with scope sub
>> >> # filter: (objectclass=*)
>> >> # requesting: ALL
>> >> #
>> >>
>> >> # search result
>> >> search: 2
>> >> result: 34 Invalid DN syntax
>> >> text: invalid DN
>> >>
>> >> # numResponses: 1
>> >>
>> >> So: I'm not sure what is sambaDomainName=domain,dc=domain,dc=it...
>> >> I used WORKGROUP as it is the domain we use on pcs and the only one
>> >> defined in smb.conf
>> >>
>> >> I also tried using my pdc HOSTNAME
>> >>
>> >> and this was returned
>> >> # LDAPv3
>> >> # base  with scope sub
>> >> # filter: (objectclass=*)
>> >> # requesting: ALL
>> >> #
>> >>
>> >> # search result
>> >> search: 2
>> >> result: 34 Invalid DN syntax
>> >> text: invalid DN
>> >>
>> >> # numResponses: 1
>> >>
>> >> Any way to get through this or how to use net command? Maybe updating
>> >> samba-client?
>> >>
>> >> I tried rpm -i samba-client but it says
>> >> file /usr/share/man/man1/smbclient.1.gz from install of
>> >> samba-client-2.2.12-1.suse82 conflicts with file from package
>> >> samba-client-2.2.7a-72 when trying to rpm -i samba-client-2.2.12-1.rpm
>> >>
>> >> I found also the original package but it says it is already installed.
>> >>
>> >> What happens if I remove samba-client and reinstall it soon after on
>> >> the production pdc?
>> >>
>> >>
>> >> Giorgio
>> >>
>> >> On 3/26/10, Vladimir Psenicka  wrote:
>> >>> On 26.3.2010 13:50, GG wrote:
>>  Hello!
>> 
>> >> Have you samba-client package installed?
>> >>
>> 
>>  yes I do at least smbclient is there! but no net command :-/
>> 
>> >> pavouk\pseni...@psenicka:~> rpm -qf `which net`
>> >> samba-client-3.5.1-4.1.x86_64
>> 
>>  So here are the issues encountered...
>>  file /usr/share/man/man1/smbclient.1.gz from install of
>>  samba-client-2.2.12-1.suse82 conflicts with file from package
>>  samba-client-2.2.7a-72 when trying to rpm -i
>>  samba-client-2.2.12-1.rpm
>>  I found on net...
>> 
>> >>
>> >> or you can dig domainsid from ldap
>> 
>>  This sounds interesting! How do I do that?
>> 
>> >>>
>> >>> modify to your needs (domain):
>> >>>
>> >>> ldapsearch -x -h ldap -D "cn=admin,dc=domain,dc=cz" -W -b
>> >>> "sambaDomainName=domain,dc=domain,dc=cz"
>> >>>
>> >>> sambaSID: is your domainsid
>> >>>
> >> >>> or you can use phpldapadmin to manage your ldap from browser
>> >>>
>>  Thanks very much!
>>  Giorgio
>> 
>>  On 3/26/10, GG  wrote:
>> > Hi!
>> >
>> > I'll be at it in a few minutes installing samba client / net
>> > command :-)
>> >
>> > I have a question about the samba sernet repos:
>> > Shall I apt-get remove samba and use
>> > http://enterprisesamba.com/index.php?id=148 +
>> > http://enterprisesamba.com/index.php?id=56
>> >  instead from start?
>> >
>> > What is the real advantage of sernet? What about installing
>> > official
>> > samba.org packages, are there diffe

Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

2010-03-26 Thread Vladimir Psenicka
Paste ldap admin dn or ldap suffix in your smb.conf

On 26.3.2010 15:24, Vladimir Psenicka wrote:
> try this:
> 
> ldapsearch -x -h localhost -D "cn=Manager,dc=WORKGROUP,dc=it" -W -b
> "sambaDomainName=WORKGROUP,dc=WORKGROUP,dc=it"
> 
> On 26.3.2010 15:00, GG wrote:
>> Hello!
>>
>> I'm stuck on getdomainsid: Net command is missing even though libs and
>> smbclient are installed.
>>
>> I tried this:
>> # ldapsearch -x -h localhost -D "cn=Manager,dc=domain,dc=it" -W -b
>> "sambaDomainName=WORKGROUP,dc=domain,dc=it"
>> Enter LDAP Password:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base  with scope sub
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 2
>> result: 34 Invalid DN syntax
>> text: invalid DN
>>
>> # numResponses: 1
>>
>> So: I'm not sure what is sambaDomainName=domain,dc=domain,dc=it...
>> I used WORKGROUP as it is the domain we use on pcs and the only one
>> defined in smb.conf
>>
>> I also tried using my pdc HOSTNAME
>>
>> and this was returned
>> # LDAPv3
>> # base  with scope sub
>> # filter: (objectclass=*)
>> # requesting: ALL
>> #
>>
>> # search result
>> search: 2
>> result: 34 Invalid DN syntax
>> text: invalid DN
>>
>> # numResponses: 1
>>
>> Any way to get through this or how to use net command? Maybe updating
>> samba-client?
>>
>> I tried rpm -i samba-client but it says
>> file /usr/share/man/man1/smbclient.1.gz from install of
>> samba-client-2.2.12-1.suse82 conflicts with file from package
>> samba-client-2.2.7a-72 when trying to rpm -i samba-client-2.2.12-1.rpm
>>
>> I found also the original package but it says it is already installed.
>>
>> What happens if I remove samba-client and reinstall it soon after on
>> the production pdc?
>>
>>
>> Giorgio
>>
>> On 3/26/10, Vladimir Psenicka  wrote:
>>> On 26.3.2010 13:50, GG wrote:
 Hello!

>> Have you samba-client package installed?
>>

 yes I do at least smbclient is there! but no net command :-/

>> pavouk\pseni...@psenicka:~> rpm -qf `which net`
>> samba-client-3.5.1-4.1.x86_64

 So here are the issues encountered...
 file /usr/share/man/man1/smbclient.1.gz from install of
 samba-client-2.2.12-1.suse82 conflicts with file from package
 samba-client-2.2.7a-72 when trying to rpm -i samba-client-2.2.12-1.rpm
 I found on net...

>>
>> or you can dig domainsid from ldap

 This sounds interesting! How do I do that?

>>>
>>> modify to your needs (domain):
>>>
>>> ldapsearch -x -h ldap -D "cn=admin,dc=domain,dc=cz" -W -b
>>> "sambaDomainName=domain,dc=domain,dc=cz"
>>>
>>> sambaSID: is your domainsid
>>>
>>> or you can use phpldapadmin to manage your ldap from browser
>>>
 Thanks very much!
 Giorgio

 On 3/26/10, GG  wrote:
> Hi!
>
> I'll be at it in a few minutes installing samba client / net command :-)
>
> I have a question about the samba sernet repos:
> Shall I apt-get remove samba and use
> http://enterprisesamba.com/index.php?id=148 +
> http://enterprisesamba.com/index.php?id=56
>  instead from start?
>
> What is the real advantage of sernet? What about installing official
> samba.org packages, are there differences with sernet (stability?) or
> is it just a more liberal repository?
>
> Also I read
 Ensure that all local user and group accounts that are used by samba
 have the same uid/gid.
>
> Shall I copy /etc/shadow and /etc/passwd over? other files for groups
> and users?
>
> I use rsync --verbose  --progress --stats --compress --rsh=ssh \
>  --recursive --times --perms --links  \
>  --owner --group --devices --specials \
>  --exclude-from '/root/exclude.txt (if any, not in this case as
> I'm only syncing data dir)' \
>  r...@old_pdc:/DATA /DATA
>
> This should bring over every attribute set on files... correct?
>
> [[[did only partially in one case: I set up a twin install (fresh
> install then live cd and full rsync and after that I kept mbr, but
> changed /boot and the /etc/fstab settings) and the server started
> etc.. LDAP did not work though: authentication was not available...
> So I must be missing something or this rsync parameter set must be
> missing something.. I had disconnected old PDC, set same IP and
> hostname to the VM well this worked well for other virtualizations and
> in this PDC I need to upgrade to win7 compatible samba version anyway
> :-)
> This was another story but just to share it as it is an excellent way
> of migrating sometimes specially for machines you do not master and
> this is my case very often.]]]
>
> Cheers,
> Giorgio
>
> On Fri, Mar 26, 2010 at 9:14 AM, Vladimir Psenicka
>  wrote:
>> Hi
>>
>> On 25.3.2010 17:41, GG wrote:
>>> Hello Vladimir, John and all the NG :-)
>>> Thanks so much for answering. I reall

Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

2010-03-26 Thread Vladimir Psenicka
try this:

ldapsearch -x -h localhost -D "cn=Manager,dc=WORKGROUP,dc=it" -W -b
"sambaDomainName=WORKGROUP,dc=WORKGROUP,dc=it"

On 26.3.2010 15:00, GG wrote:
> Hello!
> 
> I'm stuck on getdomainsid: Net command is missing even though libs and
> smbclient are installed.
> 
> I tried this:
> # ldapsearch -x -h localhost -D "cn=Manager,dc=domain,dc=it" -W -b
> "sambaDomainName=WORKGROUP,dc=domain,dc=it"
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base  with scope sub
> # filter: (objectclass=*)
> # requesting: ALL
> #
> 
> # search result
> search: 2
> result: 34 Invalid DN syntax
> text: invalid DN
> 
> # numResponses: 1
> 
> So: I'm not sure what is sambaDomainName=domain,dc=domain,dc=it...
> I used WORKGROUP as it is the domain we use on pcs and the only one
> defined in smb.conf
> 
> I also tried using my pdc HOSTNAME
> 
> and this was returned
> # LDAPv3
> # base  with scope sub
> # filter: (objectclass=*)
> # requesting: ALL
> #
> 
> # search result
> search: 2
> result: 34 Invalid DN syntax
> text: invalid DN
> 
> # numResponses: 1
> 
> Any way to get through this or how to use net command? Maybe updating
> samba-client?
> 
> I tried rpm -i samba-client but it says
> file /usr/share/man/man1/smbclient.1.gz from install of
> samba-client-2.2.12-1.suse82 conflicts with file from package
> samba-client-2.2.7a-72 when trying to rpm -i samba-client-2.2.12-1.rpm
> 
> I found also the original package but it says it is already installed.
> 
> What happens if I remove samba-client and reinstall it soon after on
> the production pdc?
> 
> 
> Giorgio
> 
> On 3/26/10, Vladimir Psenicka  wrote:
>> On 26.3.2010 13:50, GG wrote:
>>> Hello!
>>>
> Have you samba-client package installed?
>
>>>
>>> yes I do at least smbclient is there! but no net command :-/
>>>
> pavouk\pseni...@psenicka:~> rpm -qf `which net`
> samba-client-3.5.1-4.1.x86_64
>>>
>>> So here are the issues encountered...
>>> file /usr/share/man/man1/smbclient.1.gz from install of
>>> samba-client-2.2.12-1.suse82 conflicts with file from package
>>> samba-client-2.2.7a-72 when trying to rpm -i samba-client-2.2.12-1.rpm
>>> I found on net...
>>>
>
> or you can dig domainsid from ldap
>>>
>>> This sounds interesting! How do I do that?
>>>
>>
>> modify to your needs (domain):
>>
>> ldapsearch -x -h ldap -D "cn=admin,dc=domain,dc=cz" -W -b
>> "sambaDomainName=domain,dc=domain,dc=cz"
>>
>> sambaSID: is your domainsid
>>
>> or you can use phpldapadmin to manage your ldap from browser
>>
>>> Thanks very much!
>>> Giorgio
>>>
>>> On 3/26/10, GG  wrote:
 Hi!

 I'll be at it in a few minutes installing samba client / net command :-)

 I have a question about the samba sernet repos:
 Shall I apt-get remove samba and use
 http://enterprisesamba.com/index.php?id=148 +
 http://enterprisesamba.com/index.php?id=56
  instead from start?

 What is the real advantage of sernet? What about installing official
 samba.org packages, are there differences with sernet (stability?) or
 is it just a more liberal repository?

 Also I read
>>> Ensure that all local user and group accounts that are used by samba
>>> have the same uid/gid.

 Shall I copy /etc/shadow and /etc/passwd over? other files for groups
 and users?

 I use rsync --verbose  --progress --stats --compress --rsh=ssh \
  --recursive --times --perms --links  \
  --owner --group --devices --specials \
  --exclude-from '/root/exclude.txt (if any, not in this case as
 I'm only syncing data dir)' \
  r...@old_pdc:/DATA /DATA

 This should bring over every attribute set on files... correct?

 [[[did only partially in one case: I set up a twin install (fresh
 install then live cd and full rsync and after that I kept mbr, but
 changed /boot and the /etc/fstab settings) and the server started
 etc.. LDAP did not work though: authentication was not available...
 So I must be missing something or this rsync parameter set must be
 missing something.. I had disconnected old PDC, set same IP and
 hostname to the VM well this worked well for other virtualizations and
 in this PDC I need to upgrade to win7 compatible samba version anyway
 :-)
 This was another story but just to share it as it is an excellent way
 of migrating sometimes specially for machines you do not master and
 this is my case very often.]]]

 Cheers,
 Giorgio

 On Fri, Mar 26, 2010 at 9:14 AM, Vladimir Psenicka
  wrote:
> Hi
>
> On 25.3.2010 17:41, GG wrote:
>> Hello Vladimir, John and all the NG :-)
>> Thanks so much for answering. I really hoped someone would :-)
>>
>> So I installed Debian latest stable netinst on the future production
>> server and here are my issues in the quotes :-( no net command on my
>> suse 8.2
>>
>> Cheers :-)
>> Giorgio
>>
>

Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

2010-03-26 Thread GG
Hello!

I'm stuck on getdomainsid: Net command is missing even though libs and
smbclient are installed.

I tried this:
# ldapsearch -x -h localhost -D "cn=Manager,dc=domain,dc=it" -W -b
"sambaDomainName=WORKGROUP,dc=domain,dc=it"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base  with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 34 Invalid DN syntax
text: invalid DN

# numResponses: 1

So: I'm not sure what is sambaDomainName=domain,dc=domain,dc=it...
I used WORKGROUP as it is the domain we use on pcs and the only one
defined in smb.conf

I also tried using my pdc HOSTNAME

and this was returned
# LDAPv3
# base  with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# search result
search: 2
result: 34 Invalid DN syntax
text: invalid DN

# numResponses: 1

Any way to get through this or how to use net command? Maybe updating
samba-client?

I tried rpm -i samba-client but it says
file /usr/share/man/man1/smbclient.1.gz from install of
samba-client-2.2.12-1.suse82 conflicts with file from package
samba-client-2.2.7a-72 when trying to rpm -i samba-client-2.2.12-1.rpm

I found also the original package but it says it is already installed.

What happens if I remove samba-client and reinstall it soon after on
the production pdc?


Giorgio

On 3/26/10, Vladimir Psenicka  wrote:
> On 26.3.2010 13:50, GG wrote:
> > Hello!
> >
> >>> Have you samba-client package installed?
> >>>
> >
> > yes I do at least smbclient is there! but no net command :-/
> >
> >>> pavouk\pseni...@psenicka:~> rpm -qf `which net`
> >>> samba-client-3.5.1-4.1.x86_64
> >
> > So here are the issues encountered...
> > file /usr/share/man/man1/smbclient.1.gz from install of
> > samba-client-2.2.12-1.suse82 conflicts with file from package
> > samba-client-2.2.7a-72 when trying to rpm -i samba-client-2.2.12-1.rpm
> > I found on net...
> >
> >>>
> >>> or you can dig domainsid from ldap
> >
> > This sounds interesting! How do I do that?
> >
>
> modify to your needs (domain):
>
> ldapsearch -x -h ldap -D "cn=admin,dc=domain,dc=cz" -W -b
> "sambaDomainName=domain,dc=domain,dc=cz"
>
> sambaSID: is your domainsid
>
> or you can use phpldapadmin to manage your ldap from browser
>
> > Thanks very much!
> > Giorgio
> >
> > On 3/26/10, GG  wrote:
> >> Hi!
> >>
> >> I'll be at it in a few minutes installing samba client / net command :-)
> >>
> >> I have a question about the samba sernet repos:
> >> Shall I apt-get remove samba and use
> >> http://enterprisesamba.com/index.php?id=148 +
> >> http://enterprisesamba.com/index.php?id=56
> >>  instead from start?
> >>
> >> What is the real advantage of sernet? What about installing official
> >> samba.org packages, are there differences with sernet (stability?) or
> >> is it just a more liberal repository?
> >>
> >> Also I read
> > Ensure that all local user and group accounts that are used by samba
> > have the same uid/gid.
> >>
> >> Shall I copy /etc/shadow and /etc/passwd over? other files for groups
> >> and users?
> >>
> >> I use rsync --verbose  --progress --stats --compress --rsh=ssh \
> >>  --recursive --times --perms --links  \
> >>  --owner --group --devices --specials \
> >>  --exclude-from '/root/exclude.txt (if any, not in this case as
> >> I'm only syncing data dir)' \
> >>  r...@old_pdc:/DATA /DATA
> >>
> >> This should bring over every attribute set on files... correct?
> >>
> >> [[[did only partially in one case: I set up a twin install (fresh
> >> install then live cd and full rsync and after that I kept mbr, but
> >> changed /boot and the /etc/fstab settings) and the server started
> >> etc.. LDAP did not work though: authentication was not available...
> >> So I must be missing something or this rsync parameter set must be
> >> missing something.. I had disconnected old PDC, set same IP and
> >> hostname to the VM well this worked well for other virtualizations and
> >> in this PDC I need to upgrade to win7 compatible samba version anyway
> >> :-)
> >> This was another story but just to share it as it is an excellent way
> >> of migrating sometimes specially for machines you do not master and
> >> this is my case very often.]]]
> >>
> >> Cheers,
> >> Giorgio
> >>
> >> On Fri, Mar 26, 2010 at 9:14 AM, Vladimir Psenicka
> >>  wrote:
> >>> Hi
> >>>
> >>> On 25.3.2010 17:41, GG wrote:
>  Hello Vladimir, John and all the NG :-)
>  Thanks so much for answering. I really hoped someone would :-)
> 
>  So I installed Debian latest stable netinst on the future production
>  server and here are my issues in the quotes :-( no net command on my
>  suse 8.2
> 
>  Cheers :-)
>  Giorgio
> 
> 
> > On Thu, Mar 25, 2010 at 14:00, John H Terpstra <*...@samba.org> wrote:
> >> On 03/25/2010 03:33 AM, Vladimir Psenicka wrote:
> >> What about Debian Stable with Sernet samba repo, where you can choose
> >> Samba 3.4.x or 3.5.x
> >>
> >> My hints on migrating to 

Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

2010-03-26 Thread Vladimir Psenicka
On 26.3.2010 13:50, GG wrote:
> Hello!
> 
>>> Have you samba-client package installed?
>>>
> 
> yes I do at least smbclient is there! but no net command :-/
> 
>>> pavouk\pseni...@psenicka:~> rpm -qf `which net`
>>> samba-client-3.5.1-4.1.x86_64
> 
> So here are the issues encountered...
> file /usr/share/man/man1/smbclient.1.gz from install of
> samba-client-2.2.12-1.suse82 conflicts with file from package
> samba-client-2.2.7a-72 when trying to rpm -i samba-client-2.2.12-1.rpm
> I found on net...
> 
>>>
>>> or you can dig domainsid from ldap
> 
> This sounds interesting! How do I do that?
> 

modify to your needs (domain):

ldapsearch -x -h ldap -D "cn=admin,dc=domain,dc=cz" -W -b
"sambaDomainName=domain,dc=domain,dc=cz"

sambaSID: is your domainsid

or you can use phpldapadmin to manage your ldap from browser

> Thanks very much!
> Giorgio
> 
> On 3/26/10, GG  wrote:
>> Hi!
>>
>> I'll be at it in a few minutes installing samba client / net command :-)
>>
>> I have a question about the samba sernet repos:
>> Shall I apt-get remove samba and use
>> http://enterprisesamba.com/index.php?id=148 +
>> http://enterprisesamba.com/index.php?id=56
>>  instead from start?
>>
>> What is the real advantage of sernet? What about installing official
>> samba.org packages, are there differences with sernet (stability?) or
>> is it just a more liberal repository?
>>
>> Also I read
> Ensure that all local user and group accounts that are used by samba
> have the same uid/gid.
>>
>> Shall I copy /etc/shadow and /etc/passwd over? other files for groups
>> and users?
>>
>> I use rsync --verbose  --progress --stats --compress --rsh=ssh \
>>  --recursive --times --perms --links  \
>>  --owner --group --devices --specials \
>>  --exclude-from '/root/exclude.txt (if any, not in this case as
>> I'm only syncing data dir)' \
>>  r...@old_pdc:/DATA /DATA
>>
>> This should bring over every attribute set on files... correct?
>>
>> [[[did only partially in one case: I set up a twin install (fresh
>> install then live cd and full rsync and after that I kept mbr, but
>> changed /boot and the /etc/fstab settings) and the server started
>> etc.. LDAP did not work though: authentication was not available...
>> So I must be missing something or this rsync parameter set must be
>> missing something.. I had disconnected old PDC, set same IP and
>> hostname to the VM well this worked well for other virtualizations and
>> in this PDC I need to upgrade to win7 compatible samba version anyway
>> :-)
>> This was another story but just to share it as it is an excellent way
>> of migrating sometimes specially for machines you do not master and
>> this is my case very often.]]]
>>
>> Cheers,
>> Giorgio
>>
>> On Fri, Mar 26, 2010 at 9:14 AM, Vladimir Psenicka
>>  wrote:
>>> Hi
>>>
>>> On 25.3.2010 17:41, GG wrote:
 Hello Vladimir, John and all the NG :-)
 Thanks so much for answering. I really hoped someone would :-)

 So I installed Debian latest stable netinst on the future production
 server and here are my issues in the quotes :-( no net command on my
 suse 8.2

 Cheers :-)
 Giorgio


> On Thu, Mar 25, 2010 at 14:00, John H Terpstra <*...@samba.org> wrote:
>> On 03/25/2010 03:33 AM, Vladimir Psenicka wrote:
>> What about Debian Stable with Sernet samba repo, where you can choose
>> Samba 3.4.x or 3.5.x
>>
>> My hints on migrating to new server:
>>
>> 1. install new server (Samba,ldap etc.)

 done :-) Debian Stable netinst

>> 2. set same hostname on new server
 My ignorance comes out :-)
 Must I set it different from the production server as FW points
 production.domain.com - I have clients using DNS=oldPDC and PDC
 forwards queries to FW. FW has pdc.domain.com defined to point to lan
 ip.

>>>
>>> Ok, can be changed later
>>>
>> 3. export ldap data from old server and import them to new server

 slapcat -f /etc/openldap/ldap.conf -l /ldap.ldif
 OK

> Ensure that all local user and group accounts that are used by samba
> have the same uid/gid.
 my ignorance again... another hint?
>
>> 4. export SID (net getlocalsid) and set it on new server (net
>> setlocalsid oldsid)
>
> Note:
>  net getdomainsid (on old server)
>  net setdomainsid (on new server)
 thanks :-)

 # net getdomainsid
 -bash: net: command not found :-( and not found in yast

 I understand it has to do with extracting the sid from
 /etc/samba/secrets.tdb but how do I install the command? suse 8.2 yast
 has now net package and googling net is.. well wow!

>>>
>>> Have you samba-client package installed?
>>>
>>> pavouk\pseni...@psenicka:~> rpm -qf `which net`
>>> samba-client-3.5.1-4.1.x86_64
>>>
>>> or you can dig domainsid from ldap
>>>
>> 5. configure samba on new server as PDC with ldap and shares in smb.conf
>> from old samba smb.conf
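
The reply above reads the domain SID from the `sambaSID` attribute of the `sambaDomainName` entry. As an added example (not part of the thread), the script below runs that lookup offline against a `slapcat` export and lists accounts whose `sambaSID` falls under none of the domain SIDs found. It assumes the Samba 3 LDAP schema (`sambaDomain`, `sambaSamAccount`); the function names and the sample LDIF are constructed for illustration.

```shell
# Added example: audit sambaSID values in an LDIF export (slapcat output).
# Assumes the Samba 3 LDAP schema; all names and data here are constructed.

# Unfold LDIF (a leading space continues the previous line); drop comments.
ldif_unfold() {
    awk '
        { sub(/\r$/, "") }
        /^ / { if (!skip) buf = buf substr($0, 2); next }
        { if (have) print buf; have = 0; skip = 0 }
        /^#/ { skip = 1; next }
        { buf = $0; have = 1 }
        END { if (have) print buf }
    '
}

# Print "<sambaDomainName> <sambaSID>" for every sambaDomain entry in $1.
domain_sids() {
    ldif_unfold < "$1" | awk '
        function val(s) { sub(/^[^:]+:[ ]*/, "", s); return s }
        function emit() {
            if (isdom && name != "" && sid != "") print name, sid
            isdom = 0; name = ""; sid = ""
        }
        /^$/ { emit(); next }
        { low = tolower($0) }
        low ~ /^objectclass:[ ]*sambadomain$/ { isdom = 1 }
        low ~ /^sambadomainname:/             { name = val($0) }
        low ~ /^sambasid:/                    { sid = val($0) }
        END { emit() }
    '
}

# Print "<dn><TAB><sambaSID>" for each sambaSamAccount in $1 whose SID is not
# "<domain SID>-<numeric RID>" for any domain SID passed after the file name.
# Group mappings are skipped: they may hold well-known SIDs like S-1-5-32-544.
foreign_account_sids() {
    file=$1; shift
    ldif_unfold < "$file" | awk -v doms="$*" '
        function val(s) { sub(/^[^:]+:[ ]*/, "", s); return s }
        function in_any_domain(s,   i, n) {
            for (i = 1; i <= ndom; i++) {
                n = length(dom[i])
                if (substr(s, 1, n + 1) == (dom[i] "-") &&
                    substr(s, n + 2) ~ /^[0-9]+$/) return 1
            }
            return 0
        }
        function emit() {
            if (acct && sid != "" && !in_any_domain(sid)) print dn "\t" sid
            acct = 0; dn = ""; sid = ""
        }
        BEGIN { ndom = split(doms, dom, " ") }
        /^$/ { emit(); next }
        { low = tolower($0) }
        low ~ /^dn:/                              { dn = val($0) }
        low ~ /^objectclass:[ ]*sambasamaccount$/ { acct = 1 }
        low ~ /^sambasid:/                        { sid = val($0) }
        END { emit() }
    '
}

# Exit status: 0 consistent, 1 foreign account SIDs found, 2 no domain entry.
audit_sids() {
    doms=$(domain_sids "$1")
    [ -n "$doms" ] || { echo "no sambaDomain entry with a sambaSID in $1" >&2; return 2; }
    printf '%s\n' "$doms" | sed 's/^/domain: /'
    sids=$(printf '%s\n' "$doms" | awk '{ print $NF }')
    bad=$(foreign_account_sids "$1" $sids)   # split on purpose: one arg per SID
    [ -z "$bad" ] || { printf 'outside every domain SID:\n%s\n' "$bad"; return 1; }
    echo "all sambaSamAccount SIDs are under a known domain SID"
}

# Constructed sample: bob has a folded SID that belongs to another domain SID.
write_sample_ldif() {
    cat > "$1" <<'EOF'
dn: sambaDomainName=EXAMPLEDOM,dc=example,dc=test
objectClass: sambaDomain
sambaDomainName: EXAMPLEDOM
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: uid=alice,ou=People,dc=example,dc=test
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3000

dn: uid=bob,ou=People,dc=example,dc=test
objectClass: sambaSamAccount
sambaSID: S-1-5-21-4444444444-5555555555-6666666666-
 3002

dn: cn=Administrators,ou=Groups,dc=example,dc=test
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-544
EOF
}

sample=$(mktemp); write_sample_ldif "$sample"
audit_sids "$sample" || echo "audit_sids exit status: $?"
rm -f "$sample"
```

Running the audit on the new server's export before clients reconnect shows whether the imported accounts still sit under the SID that was set with `net setlocalsid` / `net setdomainsid`.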

Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

2010-03-26 Thread GG
Hello!

> > Have you samba-client package installed?
> >

yes I do at least smbclient is there! but no net command :-/

> > pavouk\pseni...@psenicka:~> rpm -qf `which net`
> > samba-client-3.5.1-4.1.x86_64

So here are the issues encountered...
file /usr/share/man/man1/smbclient.1.gz from install of
samba-client-2.2.12-1.suse82 conflicts with file from package
samba-client-2.2.7a-72 when trying to rpm -i samba-client-2.2.12-1.rpm
I found on net...

> >
> > or you can dig domainsid from ldap

This sounds interesting! How do I do that?

Thanks very much!
Giorgio

On 3/26/10, GG  wrote:
> Hi!
>
> I'll be at it in a few minutes installing samba client / net command :-)
>
> I have a question about the samba sernet repos:
> Shall I apt-get remove samba and use
> http://enterprisesamba.com/index.php?id=148 +
> http://enterprisesamba.com/index.php?id=56
>  instead from start?
>
> What is the real advantage of sernet? What about installing official
> samba.org packages, are there differences with sernet (stability?) or
> is it just a more liberal repository?
>
> Also I read
> >>> Ensure that all local user and group accounts that are used by samba
> >>> have the same uid/gid.
>
> Shall I copy /etc/shadow and /etc/passwd over? other files for groups
> and users?
>
> I use rsync --verbose  --progress --stats --compress --rsh=ssh \
>  --recursive --times --perms --links  \
>  --owner --group --devices --specials \
>  --exclude-from '/root/exclude.txt (if any, not in this case as
> I'm only syncing data dir)' \
>  r...@old_pdc:/DATA /DATA
>
> This should bring over every attribute set on files... correct?
>
> [[[did only partially in one case: I set up a twin install (fresh
> install then live cd and full rsync and after that I kept mbr, but
> changed /boot and the /etc/fstab settings) and the server started
> etc.. LDAP did not work though: authentication was not available...
> So I must be missing something or this rsync parameter set must be
> missing something.. I had disconnected old PDC, set same IP and
> hostname to the VM well this worked well for other virtualizations and
> in this PDC I need to upgrade to win7 compatible samba version anyway
> :-)
> This was another story but just to share it as it is an excellent way
> of migrating sometimes specially for machines you do not master and
> this is my case very often.]]]
>
> Cheers,
> Giorgio
>
> On Fri, Mar 26, 2010 at 9:14 AM, Vladimir Psenicka
>  wrote:
> > Hi
> >
> > On 25.3.2010 17:41, GG wrote:
> >> Hello Vladimir, John and all the NG :-)
> >> Thanks so much for answering. I really hoped someone would :-)
> >>
> >> So I installed Debian latest stable netinst on the future production
> >> server and here are my issues in the quotes :-( no net command on my
> >> suse 8.2
> >>
> >> Cheers :-)
> >> Giorgio
> >>
> >>
> >>> On Thu, Mar 25, 2010 at 14:00, John H Terpstra <*...@samba.org> wrote:
>  On 03/25/2010 03:33 AM, Vladimir Psenicka wrote:
>  What about Debian Stable with Sernet samba repo, where you can choose
>  Samba 3.4.x or 3.5.x
> 
>  My hints on migrating to new server:
> 
>  1. install new server (Samba,ldap etc.)
> >>
> >> done :-) Debian Stable netinst
> >>
>  2. set same hostname on new server
> >> My ignorance comes out :-)
> >> Must I set it different from the production server as FW points
> >> production.domain.com - I have clients using DNS=oldPDC and PDC
> >> forwards queries to FW. FW has pdc.domain.com defined to point to lan
> >> ip.
> >>
> >
> > Ok, can be changed later
> >
>  3. export ldap data from old server and import them to new server
> >>
> >> slapcat -f /etc/openldap/ldap.conf -l /ldap.ldif
> >> OK
> >>
> >>> Ensure that all local user and group accounts that are used by samba
> >>> have the same uid/gid.
> >> my ignorance again... another hint?
> >>>
>  4. export SID (net getlocalsid) and set it on new server (net
>  setlocalsid oldsid)
> >>>
> >>> Note:
> >>>  net getdomainsid (on old server)
> >>>  net setdomainsid (on new server)
> >> thanks :-)
> >>
> >> # net getdomainsid
> >> -bash: net: command not found :-( and not found in yast
> >>
> >> I understand it has to do with extracting the sid from
> >> /etc/samba/secrets.tdb but how do I install the command? suse 8.2 yast
> >> has now net package and googling net is.. well wow!
> >>
> >
> > Have you samba-client package installed?
> >
> > pavouk\pseni...@psenicka:~> rpm -qf `which net`
> > samba-client-3.5.1-4.1.x86_64
> >
> > or you can dig domainsid from ldap
> >
>  5. configure samba on new server as PDC with ldap and shares in smb.conf
>  from old samba smb.conf (check with testparm)
> >>
> >> I see it only contains shares so I bet smb.conf would just keep all
> >> the old settings right? /DATA will be rsynced
> >>
> >
> > Maybe smb.conf from Samba2 is too different from Samba 3. I will keep
> > current smb.conf on new server and add only shares from old smb.conf to
> > new smb.conf.
> >
> >>>> 6.

Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

2010-03-26 Thread Vladimir Psenicka
On 26.3.2010 10:59, GG wrote:
> Hi!
> 
> I'll be at it in a few minutes installing samba client / net command :-)
> 
> I have a question about the samba sernet repos:
> Shall I apt-get remove samba and use
> http://enterprisesamba.com/index.php?id=148 +
> http://enterprisesamba.com/index.php?id=56
>  instead from start?
> 

Yes, you should remove Debian samba packages and install sernet-samba
packages.

> What is the real advantage of sernet? What about installing official
> samba.org packages, are there differences with sernet (stability?) or
> is it just a more liberal repository?

I don't know how much the samba.org repositories are updated, but sernet
repos seem to be updated often. Maybe somebody can explain this better.

> 
> Also I read
>>>> Ensure that all local user and group accounts that are used by samba
>>>> have the same uid/gid.
> 
> Shall I copy /etc/shadow and /etc/passwd over? other files for groups
> and users?
> 
> I use rsync --verbose  --progress --stats --compress --rsh=ssh \
>   --recursive --times --perms --links  \
>   --owner --group --devices --specials \
>   --exclude-from '/root/exclude.txt (if any, not in this case as
> I'm only syncing data dir)' \
>   r...@old_pdc:/DATA /DATA
> 
> This should bring over every attribute set on files... correct?

Yes

> 
> [[[did only partially in one case: I set up a twin install (fresh
> install then live cd and full rsync and after that I kept mbr, but
> changed /boot and the /etc/fstab settings) and the server started
> etc.. LDAP did not work though: authentication was not available...
> So I must be missing something or this rsync parameter set must be
> missing something.. I had disconnected old PDC, set same IP and
> hostname to the VM well this worked well for other virtualizations and
> in this PDC I need to upgrade to win7 compatible samba version anyway
> :-)
> This was another story but just to share it as it is an excellent way
> of migrating sometimes specially for machines you do not master and
> this is my case very often.]]]
> 
> Cheers,
> Giorgio
> 
> On Fri, Mar 26, 2010 at 9:14 AM, Vladimir Psenicka wrote:
>> Hi
>>
>> On 25.3.2010 17:41, GG wrote:
>>> Hello Vladimir, John and all the NG :-)
>>> Thanks so much for answering. I really hoped someone would :-)
>>>
>>> So I installed Debian latest stable netinst on the future production
>>> server and here are my issues in the quotes :-( no net command on my
>>> suse 8.2
>>>
>>> Cheers :-)
>>> Giorgio
>>>
>>>
>>>> On Thu, Mar 25, 2010 at 14:00, John H Terpstra <*...@samba.org> wrote:
>>>>> On 03/25/2010 03:33 AM, Vladimir Psenicka wrote:
>>>>> What about Debian Stable with Sernet samba repo, where you can choose
>>>>> Samba 3.4.x or 3.5.x
>>>>>
>>>>> My hints on migrating to new server:
>>>>>
>>>>> 1. install new server (Samba,ldap etc.)
>>>
>>> done :-) Debian Stable netinst
>>>
>>>>> 2. set same hostname on new server
>>> My ignorance comes out :-)
>>> Must I set it different from the production server as FW points
>>> production.domain.com - I have clients using DNS=oldPDC and PDC
>>> forwards queries to FW. FW has pdc.domain.com defined to point to lan
>>> ip.
>>>
>>
>> Ok, can be changed later
>>
>>>>> 3. export ldap data from old server and import them to new server
>>>
>>> slapcat -f /etc/openldap/ldap.conf -l /ldap.ldif
>>> OK
>>>
>>>> Ensure that all local user and group accounts that are used by samba
>>>> have the same uid/gid.
>>> my ignorance again... another hint?
>>>>
>>>>> 4. export SID (net getlocalsid) and set it on new server (net
>>>>> setlocalsid oldsid)
>>>>
>>>> Note:
>>>>  net getdomainsid (on old server)
>>>>  net setdomainsid (on new server)
>>> thanks :-)
>>>
>>> # net getdomainsid
>>> -bash: net: command not found :-( and not found in yast
>>>
>>> I understand it has to do with extracting the sid from
>>> /etc/samba/secrets.tdb but how do I install the command? suse 8.2 yast
>>> has now net package and googling net is.. well wow!
>>>
>>
>> Do you have the samba-client package installed?
>>
>> pavouk\pseni...@psenicka:~> rpm -qf `which net`
>> samba-client-3.5.1-4.1.x86_64
>>
>> or you can dig domainsid from ldap
>>
>>>>> 5. configure samba on new server as PDC with ldap and shares in smb.conf
>>>>> from old samba smb.conf (check with testparm)
>>>
>>> I see it only contains shares so I bet smb.conf would just keep all
>>> the old settings right? /DATA will be rsynced
>>>
>>
>> Maybe smb.conf from Samba2 is too different from Samba 3. I will keep
>> current smb.conf on new server and add only shares from old smb.conf to
>> new smb.conf.
>>
>>>>> 6. stop samba on old server
>>>>> 7. copy all data (with perms) and netlogon share to new server
>>>>> 8. stop old server
>>>>> 9. start samba on new server and check everything is working fine (domain
>>>>> logon from windows box, shares and perms)
>>>>>
>>>>> This can be done best when no users are logged in samba (maybe at
>>>>> weekend?)
>>>>>
>>>>> P.S. We have ubuntu 8.04 as PDC and Wi

Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

2010-03-26 Thread GG
Hi!

I'll be at it in a few minutes installing samba client / net command :-)

I have a question about the samba sernet repos:
Shall I apt-get remove samba and use
http://enterprisesamba.com/index.php?id=148 +
http://enterprisesamba.com/index.php?id=56
 instead from start?

What is the real advantage of sernet? What about installing official
samba.org packages, are there differences with sernet (stability?) or
is it just a more liberal repository?

Also I read
>>> Ensure that all local user and group accounts that are used by samba
>>> have the same uid/gid.

Shall I copy /etc/shadow and /etc/passwd over? other files for groups
and users?

I use rsync --verbose  --progress --stats --compress --rsh=ssh \
  --recursive --times --perms --links  \
  --owner --group --devices --specials \
  --exclude-from '/root/exclude.txt (if any, not in this case as
I'm only syncing data dir)' \
  r...@old_pdc:/DATA /DATA

This should bring over every attribute set on files... correct?

[[[did only partially in one case: I set up a twin install (fresh
install then live cd and full rsync and after that I kept mbr, but
changed /boot and the /etc/fstab settings) and the server started
etc.. LDAP did not work though: authentication was not available...
So I must be missing something or this rsync parameter set must be
missing something.. I had disconnected old PDC, set same IP and
hostname to the VM well this worked well for other virtualizations and
in this PDC I need to upgrade to win7 compatible samba version anyway
:-)
This was another story but just to share it as it is an excellent way
of migrating sometimes specially for machines you do not master and
this is my case very often.]]]

Cheers,
Giorgio

On Fri, Mar 26, 2010 at 9:14 AM, Vladimir Psenicka wrote:
> Hi
>
> On 25.3.2010 17:41, GG wrote:
>> Hello Vladimir, John and all the NG :-)
>> Thanks so much for answering. I really hoped someone would :-)
>>
>> So I installed Debian latest stable netinst on the future production
>> server and here are my issues in the quotes :-( no net command on my
>> suse 8.2
>>
>> Cheers :-)
>> Giorgio
>>
>>
>>> On Thu, Mar 25, 2010 at 14:00, John H Terpstra <*...@samba.org> wrote:
>>>> On 03/25/2010 03:33 AM, Vladimir Psenicka wrote:
>>>> What about Debian Stable with Sernet samba repo, where you can choose
>>>> Samba 3.4.x or 3.5.x
>>>>
>>>> My hints on migrating to new server:
>>>>
>>>> 1. install new server (Samba,ldap etc.)
>>
>> done :-) Debian Stable netinst
>>
>>>> 2. set same hostname on new server
>> My ignorance comes out :-)
>> Must I set it different from the production server as FW points
>> production.domain.com - I have clients using DNS=oldPDC and PDC
>> forwards queries to FW. FW has pdc.domain.com defined to point to lan
>> ip.
>>
>
> Ok, can be changed later
>
>>>> 3. export ldap data from old server and import them to new server
>>
>> slapcat -f /etc/openldap/ldap.conf -l /ldap.ldif
>> OK
>>
>>> Ensure that all local user and group accounts that are used by samba
>>> have the same uid/gid.
>> my ignorance again... another hint?
>>>
>>>> 4. export SID (net getlocalsid) and set it on new server (net
>>>> setlocalsid oldsid)
>>>
>>> Note:
>>>  net getdomainsid (on old server)
>>>  net setdomainsid (on new server)
>> thanks :-)
>>
>> # net getdomainsid
>> -bash: net: command not found :-( and not found in yast
>>
>> I understand it has to do with extracting the sid from
>> /etc/samba/secrets.tdb but how do I install the command? suse 8.2 yast
>> has now net package and googling net is.. well wow!
>>
>
> Do you have the samba-client package installed?
>
> pavouk\pseni...@psenicka:~> rpm -qf `which net`
> samba-client-3.5.1-4.1.x86_64
>
> or you can dig domainsid from ldap
>
>>>> 5. configure samba on new server as PDC with ldap and shares in smb.conf
>>>> from old samba smb.conf (check with testparm)
>>
>> I see it only contains shares so I bet smb.conf would just keep all
>> the old settings right? /DATA will be rsynced
>>
>
> Maybe smb.conf from Samba2 is too different from Samba 3. I will keep
> current smb.conf on new server and add only shares from old smb.conf to
> new smb.conf.
>
>>>> 6. stop samba on old server
>>>> 7. copy all data (with perms) and netlogon share to new server
>>>> 8. stop old server
>>>> 9. start samba on new server and check everything is working fine (domain
>>>> logon from windows box, shares and perms)
>>>>
>>>> This can be done best when no users are logged in samba (maybe at weekend?)
>>>>
>>>> P.S. We have ubuntu 8.04 as PDC and Windows 7 can't join to domain
>>
>> thanks I move to Debian with ease :-) ubuntu is a great deb derived right?
>>
> Ubuntu 8.04 LTS is now older than Debian Stable. When Ubuntu 10.04 LTS
> comes out this will no longer be true.
>
>>> Check http://wiki.samba.org for info regarding Windows 7.
>>>
>>> Cheers,
>>> John T.
>>>
>>>> On 25.3.2010 01:05, GG wrote:
>>>>> Hello Vladimir and hi all,
>>>>>
>>>>> Thanks very much for replying!
>>>>>
>>>>> Any

Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

2010-03-26 Thread Vladimir Psenicka
Hi

On 25.3.2010 17:41, GG wrote:
> Hello Vladimir, John and all the NG :-)
> Thanks so much for answering. I really hoped someone would :-)
> 
> So I installed Debian latest stable netinst on the future production
> server and here are my issues in the quotes :-( no net command on my
> suse 8.2
> 
> Cheers :-)
> Giorgio
> 
> 
>> On Thu, Mar 25, 2010 at 14:00, John H Terpstra <*...@samba.org> wrote:
>>> On 03/25/2010 03:33 AM, Vladimir Psenicka wrote:
>>> What about Debian Stable with Sernet samba repo, where you can choose
>>> Samba 3.4.x or 3.5.x
>>>
>>> My hints on migrating to new server:
>>>
>>> 1. install new server (Samba,ldap etc.)
> 
> done :-) Debian Stable netinst
> 
>>> 2. set same hostname on new server
> My ignorance comes out :-)
> Must I set it different from the production server as FW points
> production.domain.com - I have clients using DNS=oldPDC and PDC
> forwards queries to FW. FW has pdc.domain.com defined to point to lan
> ip.
> 

Ok, can be changed later

>>> 3. export ldap data from old server and import them to new server
> 
> slapcat -f /etc/openldap/ldap.conf -l /ldap.ldif
> OK
> 
>> Ensure that all local user and group accounts that are used by samba
>> have the same uid/gid.
> my ignorance again... another hint?
>>
>>> 4. export SID (net getlocalsid) and set it on new server (net
>>> setlocalsid oldsid)
>>
>> Note:
>>  net getdomainsid (on old server)
>>  net setdomainsid (on new server)
> thanks :-)
> 
> # net getdomainsid
> -bash: net: command not found :-( and not found in yast
> 
> I understand it has to do with extracting the sid from
> /etc/samba/secrets.tdb but how do I install the command? suse 8.2 yast
> has now net package and googling net is.. well wow!
> 

Do you have the samba-client package installed?

pavouk\pseni...@psenicka:~> rpm -qf `which net`
samba-client-3.5.1-4.1.x86_64

or you can dig domainsid from ldap

>>> 5. configure samba on new server as PDC with ldap and shares in smb.conf
>>> from old samba smb.conf (check with testparm)
> 
> I see it only contains shares so I bet smb.conf would just keep all
> the old settings right? /DATA will be rsynced
> 

Maybe smb.conf from Samba2 is too different from Samba 3. I will keep
current smb.conf on new server and add only shares from old smb.conf to
new smb.conf.

>>> 6. stop samba on old server
>>> 7. copy all data (with perms) and netlogon share to new server
>>> 8. stop old server
>>> 9. start samba on new server and check everything is working fine (domain
>>> logon from windows box, shares and perms)
>>>
>>> This can be done best when no users are logged in samba (maybe at weekend?)
>>>
>>> P.S. We have ubuntu 8.04 as PDC and Windows 7 can't join to domain
> 
> thanks I move to Debian with ease :-) ubuntu is a great deb derived right?
> 
Ubuntu 8.04 LTS is now older than Debian Stable. When Ubuntu 10.04 LTS
comes out this will no longer be true.

>> Check http://wiki.samba.org for info regarding Windows 7.
>>
>> Cheers,
>> John T.
>>
>>> On 25.3.2010 01:05, GG wrote:
>>>> Hello Vladimir and hi all,
>>>>
>>>> Thanks very much for replying!
>>>>
>>>> Any suggested os? I'd go for debian or what advised, I just happen to
>>>> know ubuntu more...
>>>>
>>>>
>>>> Any strategy or hint on migrating from ancient ldap + samba to a new server?
>>>> Already tried rsyncing (using all options to keep perms and attributes
>>>> grp  own mod etc) on a twin v-machine but server starts and the ldap
>>>> auth fails to work :-(
>>>>
>>>> I'm a bit stuck at the moment :-( and I have postponed the problem for
>>>> too long grrr
>>>>
>>>> Giorgio
>>>>
>>>> On Wed, Mar 24, 2010 at 9:20 AM, Vladimir Psenicka wrote:
>>>>> On 23.3.2010 15:48, Giorgio wrote:
>>>>>> Hello,
>>>>>> Hopefully I'm in the right place asking for help :-)
>>>>>>
>>>>>> I need to move from an old physical Suse 8.2 - samba 2.2.7 + ldap - to
>>>>>> latest samba versions, I would like to use an ubuntu 8.04 virtual machine.
>>>>>>
>>>>>> The domain is in production on the physical server, to be dismissed after
>>>>>> migration. It is also the file server!!! so /DATA/ has all shared and
>>>>>> permission driven file access..
>>>>>>
>>>>>> I was following https://help.ubuntu.com/8.10/serverguide/C/samba-dc.html but
>>>>>> I realize I am in a different scenario...
>>>>>>
>>>>>> Production so no errors are admitted :-(, migration to new os and versions..
>>>>>> all at once?
>>>>>>
>>>>>> I have a dump of the physical server (dd sda mbr and single partitions :)
>>>>>> plus an rsync with all permissions daily backup, just to be safe ;)
>>>>>>
>>>>>>
>>>>>> What would you gurus suggest as a strategy?
>>>>>>
>>>>>> Can I create a new server and add it as secondary domain controller and then
>>>>>> once the replica is up? I'd feel quite comfortable with this method.
>>>>>>
>>>>>> BTW I need a new version of samba as they have already bought Windows 7
>>>>>> boxes (without asking if they were supported arrgh).
>>>>>>
>>>>>>

Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

2010-03-25 Thread GG
Hello Vladimir, John and all the NG :-)
Thanks so much for answering. I really hoped someone would :-)

So I installed Debian latest stable netinst on the future production
server and here are my issues in the quotes :-( no net command on my
suse 8.2

Cheers :-)
Giorgio


>On Thu, Mar 25, 2010 at 14:00, John H Terpstra <*...@samba.org> wrote:
>> On 03/25/2010 03:33 AM, Vladimir Psenicka wrote:
> > What about Debian Stable with Sernet samba repo, where you can choose
> > Samba 3.4.x or 3.5.x
> >
> > My hints on migrating to new server:
> >
> > 1. install new server (Samba,ldap etc.)

done :-) Debian Stable netinst

> > 2. set same hostname on new server
My ignorance comes out :-)
Must I set it different from the production server as FW points
production.domain.com - I have clients using DNS=oldPDC and PDC
forwards queries to FW. FW has pdc.domain.com defined to point to lan
ip.

> > 3. export ldap data from old server and import them to new server

slapcat -f /etc/openldap/ldap.conf -l /ldap.ldif
OK

> Ensure that all local user and group accounts that are used by samba
> have the same uid/gid.
my ignorance again... another hint?
>
> > 4. export SID (net getlocalsid) and set it on new server (net
> > setlocalsid oldsid)
>
> Note:
>  net getdomainsid (on old server)
>  net setdomainsid (on new server)
thanks :-)

# net getdomainsid
-bash: net: command not found :-( and not found in yast

I understand it has to do with extracting the sid from
/etc/samba/secrets.tdb but how do I install the command? suse 8.2 yast
has now net package and googling net is.. well wow!

> > 5. configure samba on new server as PDC with ldap and shares in smb.conf
> > from old samba smb.conf (check with testparm)

I see it only contains shares so I bet smb.conf would just keep all
the old settings right? /DATA will be rsynced

> > 6. stop samba on old server
> > 7. copy all data (with perms) and netlogon share to new server
> > 8. stop old server
> > 9. start samba on new server and check everything is working fine (domain
> > logon from windows box, shares and perms)
> >
> > This can be done best when no users are logged in samba (maybe at weekend?)
> >
> > P.S. We have ubuntu 8.04 as PDC and Windows 7 can't join to domain

thanks I move to Debian with ease :-) ubuntu is a great deb derived right?

> Check http://wiki.samba.org for info regarding Windows 7.
>
> Cheers,
> John T.
>
> > On 25.3.2010 01:05, GG wrote:
> >> Hello Vladimir and hi all,
> >>
> >> Thanks very much for replying!
> >>
> >> Any suggested os? I'd go for debian or what advised, I just happen to
> >> know ubuntu more...
> >>
> >>
> >> Any strategy or hint on migrating from ancient ldap + samba to a new 
> >> server?
> >> Already tried rsyncing (using all options to keep perms and attributes
> >> grp  own mod etc) on a twin v-machine but server starts and the ldap
> >> auth fails to work :-(
> >>
> >> I'm a bit stuck at the moment :-( and I have postponed the problem for
> >> too long grrr
> >>
> >> Giorgio
> >>
> >> On Wed, Mar 24, 2010 at 9:20 AM, Vladimir Psenicka wrote:
> >>> On 23.3.2010 15:48, Giorgio wrote:
> >>>> Hello,
> >>>> Hopefully I'm in the right place asking for help :-)
> >>>>
> >>>> I need to move from an old physical Suse 8.2 - samba 2.2.7 + ldap - to
> >>>> latest samba versions, I would like to use an ubuntu 8.04 virtual machine.
> >>>>
> >>>> The domain is in production on the physical server, to be dismissed after
> >>>> migration. It is also the file server!!! so /DATA/ has all shared and
> >>>> permission driven file access..
> >>>>
> >>>> I was following https://help.ubuntu.com/8.10/serverguide/C/samba-dc.html but
> >>>> I realize I am in a different scenario...
> >>>>
> >>>> Production so no errors are admitted :-(, migration to new os and versions..
> >>>> all at once?
> >>>>
> >>>> I have a dump of the physical server (dd sda mbr and single partitions :)
> >>>> plus an rsync with all permissions daily backup, just to be safe ;)
> >>>>
> >>>>
> >>>> What would you gurus suggest as a strategy?
> >>>>
> >>>> Can I create a new server and add it as secondary domain controller and then
> >>>> once the replica is up? I'd feel quite comfortable with this method.
> >>>>
> >>>> BTW I need a new version of samba as they have already bought Windows 7
> >>>> boxes (without asking if they were supported arrgh).
> >>>>
> >>>> Thanks to all of you who read or answered :-)
> >>>>
> >>>> Gio
> >>>
> >>> Hi.
> >>>
> >>> Ubuntu 8.10 is a bad idea if you will be connecting Windows 7 into domain,
> >>> because of old Samba version. Samba 3.4.x or 3.5.x is recommended for
> >>> Win7. Wait for Ubuntu 10.04 LTS (next month) if you want Ubuntu.
> >>>
> >>> --
> >>> Vladimir Psenicka
> >>>
> >
> >
>
> --
> To unsubscribe from this list go to the following URL and read the
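
For the question above about reading the SID out of /etc/samba/secrets.tdb when `net` is not available: the records printed by `tdbdump secrets.tdb` can be decoded directly. This is an added example, not code from the thread or from Samba; it assumes tdbdump's backslash-hex escaping and the usual binary SID layout (revision, count, 48-bit authority, little-endian sub-authorities, zero-padded), and the dump inside it is constructed.

```python
import re
import struct

RECORD_LINE = re.compile(r'^(key|data)\((\d+)\) = "(.*)"$')
HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def tdb_unescape(text):
    """Turn tdbdump's printable form back into raw bytes.

    Assumption: printable ASCII is written literally and every other byte
    as a backslash followed by two hex digits.
    """
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            pair = text[i + 1:i + 3]
            if not HEX_PAIR.fullmatch(pair):
                raise ValueError("bad escape at offset %d" % i)
            out.append(int(pair, 16))
            i += 3
        elif 0x20 <= ord(ch) < 0x7F:
            out.append(ord(ch))
            i += 1
        else:
            raise ValueError("unexpected character at offset %d" % i)
    return bytes(out)


def decode_sid(blob):
    """Render a binary SID as the S-R-A-S1-S2... string that net prints."""
    if len(blob) < 8:
        raise ValueError("SID record shorter than its 8-byte header")
    revision, count = blob[0], blob[1]
    if revision != 1 or count > 15:
        raise ValueError("not a revision-1 SID with at most 15 sub-authorities")
    end = 8 + 4 * count
    if len(blob) < end:
        raise ValueError("record truncated: need %d bytes, have %d" % (end, len(blob)))
    authority = int.from_bytes(blob[2:8], "big")          # big-endian, 48 bits
    subs = struct.unpack("<%dI" % count, blob[8:end])     # little-endian uint32s
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def sids_from_tdbdump(dump):
    """Return {key: SID string} for every SECRETS/SID/* record in a listing."""
    sids = {}
    key = None
    for line in dump.splitlines():
        match = RECORD_LINE.match(line.strip())
        if not match:
            continue
        kind, declared = match.group(1), int(match.group(2))
        body = tdb_unescape(match.group(3))
        # A shortened or hand-edited dump must not yield a plausible-looking SID.
        if len(body) != declared:
            raise ValueError("%s length mismatch: declared %d, decoded %d"
                             % (kind, declared, len(body)))
        if kind == "key":
            key = body.decode("ascii", "replace")
        elif key is not None and key.startswith("SECRETS/SID/"):
            sids[key] = decode_sid(body)
    return sids


# Constructed sample (domain name and SID are made up, not from any server).
SAMPLE_DUMP = "\n".join([
    "{",
    'key(26) = "SECRETS/DOMGUID/EXAMPLEDOM"',
    'data(16) = "0123456789abcdef"',
    "}",
    "{",
    'key(22) = "SECRETS/SID/EXAMPLEDOM"',
    'data(68) = "'
    + r"\01\04\00\00\00\00\00\05\15\00\00\00\04\03\02\01DCBA\E8\03\00\00"
    + r"\00" * 44 + '"',
    "}",
])

if __name__ == "__main__":
    for name, sid in sids_from_tdbdump(SAMPLE_DUMP).items():
        print(name, sid)
```

secrets.tdb also holds the machine account and LDAP admin passwords, so a dump of it should be handled like the file itself (root-only, not pasted in full to a list).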

Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

2010-03-25 Thread John H Terpstra
On 03/25/2010 03:33 AM, Vladimir Psenicka wrote:
> What about Debian Stable with Sernet samba repo, where you can choose
> Samba 3.4.x or 3.5.x
> 
> My hints on migrating to new server:
> 
> 1. install new server (Samba,ldap etc.)
> 2. set same hostname on new server
> 3. export ldap data from old server and import them to new server

Ensure that all local user and group accounts that are used by samba
have the same uid/gid.

> 4. export SID (net getlocalsid) and set it on new server (net
> setlocalsid oldsid)

Note:
  net getdomainsid (on old server)
  net setdomainsid (on new server)

> 5. configure samba on new server as PDC with ldap and shares in smb.conf
> from old samba smb.conf (check with testparm)
> 6. stop samba on old server
> 7. copy all data (with perms) and netlogon share to new server
> 8. stop old server
> 9. start samba on new server and check everything is working fine (domain
> logon from windows box, shares and perms)
> 
> This can be done best when no users are logged in samba (maybe at weekend?)
> 
> P.S. We have ubuntu 8.04 as PDC and Windows 7 can't join to domain

Check http://wiki.samba.org for info regarding Windows 7.

Cheers,
John T.

> On 25.3.2010 01:05, GG wrote:
>> Hello Vladimir and hi all,
>>
>> Thanks very much for replying!
>>
>> Any suggested os? I'd go for debian or what advised, I just happen to
>> know ubuntu more...
>>
>>
>> Any strategy or hint on migrating from ancient ldap + samba to a new server?
>> Already tried rsyncing (using all options to keep perms and attributes
>> grp  own mod etc) on a twin v-machine but server starts and the ldap
>> auth fails to work :-(
>>
>> I'm a bit stuck at the moment :-( and I have postponed the problem for
>> too long grrr
>>
>> Giorgio
>>
>> On Wed, Mar 24, 2010 at 9:20 AM, Vladimir Psenicka wrote:
>>> On 23.3.2010 15:48, Giorgio wrote:
>>>> Hello,
>>>> Hopefully I'm in the right place asking for help :-)
>>>>
>>>> I need to move from an old physical Suse 8.2 - samba 2.2.7 + ldap - to
>>>> latest samba versions, I would like to use an ubuntu 8.04 virtual machine.
>>>>
>>>> The domain is in production on the physical server, to be dismissed after
>>>> migration. It is also the file server!!! so /DATA/ has all shared and
>>>> permission driven file access..
>>>>
>>>> I was following https://help.ubuntu.com/8.10/serverguide/C/samba-dc.html but
>>>> I realize I am in a different scenario...
>>>>
>>>> Production so no errors are admitted :-(, migration to new os and versions..
>>>> all at once?
>>>>
>>>> I have a dump of the physical server (dd sda mbr and single partitions :)
>>>> plus an rsync with all permissions daily backup, just to be safe ;)
>>>>
>>>>
>>>> What would you gurus suggest as a strategy?
>>>>
>>>> Can I create a new server and add it as secondary domain controller and then
>>>> once the replica is up? I'd feel quite comfortable with this method.
>>>>
>>>> BTW I need a new version of samba as they have already bought Windows 7
>>>> boxes (without asking if they were supported arrgh).
>>>>
>>>> Thanks to all of you who read or answered :-)
>>>>
>>>> Gio
>>>
>>> Hi.
>>>
>>> Ubuntu 8.10 is a bad idea if you will be connecting Windows 7 into domain,
>>> because of old Samba version. Samba 3.4.x or 3.5.x is recommended for
>>> Win7. Wait for Ubuntu 10.04 LTS (next month) if you want Ubuntu.
>>>
>>> --
>>> Vladimir Psenicka
>>>
> 
> 

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
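
The note above about keeping uid/gid identical can be checked before any data is copied. This is an added example, not code from the thread: it compares passwd- and group-format listings (assumed to be saved from `getent passwd` and `getent group` on each host), and the account names and ids in it are constructed.

```python
"""Compare account ids between the old and the new server before copying data."""


def parse_ids(listing, id_field=2):
    """Return {name: numeric id} from passwd- or group-format text.

    Field 2 is the uid in passwd(5) and the gid in group(5); pass
    id_field=3 to read the primary gid from a passwd listing.
    """
    ids = {}
    for raw in listing.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) <= id_field or not fields[id_field].isdigit():
            continue  # skip malformed lines and NIS-style "+" entries
        ids[fields[0]] = int(fields[id_field])
    return ids


def compare_ids(old, new):
    """Report accounts whose numeric id would not survive the move.

    changed    - same name, different number on the new host
    missing    - the name does not exist on the new host
    reassigned - the old number already belongs to another name there

    rsync --owner/--group maps by name when the name exists on the receiving
    side and otherwise keeps the numeric id, so a "missing" account whose
    number is "reassigned" hands its files to the other account. Anything
    restored by number (--numeric-ids, an image copy) is affected the same
    way by "changed" entries.
    """
    owner_on_new = {}
    for name, ident in new.items():
        owner_on_new.setdefault(ident, []).append(name)

    report = {"changed": [], "missing": [], "reassigned": []}
    for name in sorted(old):
        old_id = old[name]
        if name not in new:
            report["missing"].append((name, old_id))
        elif new[name] != old_id:
            report["changed"].append((name, old_id, new[name]))
        else:
            continue
        for other in sorted(owner_on_new.get(old_id, [])):
            if other != name:
                report["reassigned"].append((name, old_id, other))
    return report


# Constructed listings standing in for getent output from each host.
OLD_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
bob:x:1001:100:Bob:/home/bob:/bin/bash
scanner:x:1002:100:Scan drop box:/home/scanner:/bin/false
"""
NEW_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:100:Alice:/home/alice:/bin/bash
installer:x:1001:100:Created by the OS installer:/home/installer:/bin/bash
bob:x:1002:100:Bob:/home/bob:/bin/bash
"""
OLD_GROUP = "users:x:100:\nstaff:x:500:alice,bob\n"
NEW_GROUP = "users:x:100:\nstaff:x:50:alice,bob\nsambashare:x:500:\n"


def migration_report(old_passwd, new_passwd, old_group, new_group):
    """Run both comparisons and return them keyed by id type."""
    return {
        "uid": compare_ids(parse_ids(old_passwd), parse_ids(new_passwd)),
        "gid": compare_ids(parse_ids(old_group), parse_ids(new_group)),
    }


if __name__ == "__main__":
    result = migration_report(OLD_PASSWD, NEW_PASSWD, OLD_GROUP, NEW_GROUP)
    for kind, report in result.items():
        for category, rows in report.items():
            for row in rows:
                print(kind, category, *row)
```

An empty report for both uid and gid is the state to reach before the data copy in step 7.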


Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

2010-03-25 Thread Vladimir Psenicka
What about Debian Stable with Sernet samba repo, where you can choose
Samba 3.4.x or 3.5.x

My hints on migrating to new server:

1. install new server (Samba,ldap etc.)
2. set same hostname on new server
3. export ldap data from old server and import them to new server
4. export SID (net getlocalsid) and set it on new server (net
setlocalsid oldsid)
5. configure samba on new server as PDC with ldap and shares in smb.conf
from old samba smb.conf (check with testparm)
6. stop samba on old server
7. copy all data (with perms) and netlogon share to new server
8. stop old server
9. start samba on new server and check everything is working fine (domain
logon from windows box, shares and perms)

This can be done best when no users are logged in samba (maybe at weekend?)

P.S. We have ubuntu 8.04 as PDC and Windows 7 can't join to domain

On 25.3.2010 01:05, GG wrote:
> Hello Vladimir and hi all,
> 
> Thanks very much for replying!
> 
> Any suggested os? I'd go for debian or what advised, I just happen to
> know ubuntu more...
> 
> 
> Any strategy or hint on migrating from ancient ldap + samba to a new server?
> Already tried rsyncing (using all options to keep perms and attributes
> grp  own mod etc) on a twin v-machine but server starts and the ldap
> auth fails to work :-(
> 
> I'm a bit stuck at the moment :-( and I have postponed the problem for
> too long grrr
> 
> Giorgio
> 
> On Wed, Mar 24, 2010 at 9:20 AM, Vladimir Psenicka wrote:
>> On 23.3.2010 15:48, Giorgio wrote:
>>> Hello,
>>> Hopefully I'm in the right place asking for help :-)
>>>
>>> I need to move from an old physical Suse 8.2 - samba 2.2.7 + ldap - to
>>> latest samba versions, I would like to use an ubuntu 8.04 virtual machine.
>>>
>>> The domain is in production on the physical server, to be dismissed after
>>> migration. It is also the file server!!! so /DATA/ has all shared and
>>> permission driven file access..
>>>
>>> I was following https://help.ubuntu.com/8.10/serverguide/C/samba-dc.html but
>>> I realize I am in a different scenario...
>>>
>>> Production so no errors are admitted :-(, migration to new os and versions..
>>> all at once?
>>>
>>> I have a dump of the physical server (dd sda mbr and single partitions :)
>>> plus an rsync with all permissions daily backup, just to be safe ;)
>>>
>>>
>>> What would you gurus suggest as a strategy?
>>>
>>> Can I create a new server and add it as secondary domain controller and then
>>> once the replica is up? I'd feel quite comfortable with this method.
>>>
>>> BTW I need a new version of samba as they have already bought Windows 7
>>> boxes (without asking if they were supported arrgh).
>>>
>>> Thanks to all of you who read or answered :-)
>>>
>>> Gio
>>
>> Hi.
>>
>> Ubuntu 8.10 is a bad idea if you will be connecting Windows 7 into domain,
>> because of old Samba version. Samba 3.4.x or 3.5.x is recommended for
>> Win7. Wait for Ubuntu 10.04 LTS (next month) if you want Ubuntu.
>>
>> --
>> Vladimir Psenicka
>>


-- 
Vladimir Psenicka
IT system engineer
PRODECO, a.s.
Tel.: 417 633 762


Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

2010-03-24 Thread GG
Hello Vladimir and hi all,

Thanks very much for replying!

Any suggested os? I'd go for debian or what advised, I just happen to
know ubuntu more...


Any strategy or hint on migrating from ancient ldap + samba to a new server?
Already tried rsyncing (using all options to keep perms and attributes
grp  own mod etc) on a twin v-machine but server starts and the ldap
auth fails to work :-(

I'm a bit stuck at the moment :-( and I have postponed the problem for
too long grrr

Giorgio

On Wed, Mar 24, 2010 at 9:20 AM, Vladimir Psenicka wrote:
> On 23.3.2010 15:48, Giorgio wrote:
>> Hello,
>> Hopefully I'm in the right place asking for help :-)
>>
>> I need to move from an old physical Suse 8.2 - samba 2.2.7 + ldap - to
>> latest samba versions, I would like to use an ubuntu 8.04 virtual machine.
>>
>> The domain is in production on the physical server, to be dismissed after
>> migration. It is also the file server!!! so /DATA/ has all shared and
>> permission driven file access..
>>
>> I was following https://help.ubuntu.com/8.10/serverguide/C/samba-dc.html but
>> I realize I am in a different scenario...
>>
>> Production so no errors are admitted :-(, migration to new os and versions..
>> all at once?
>>
>> I have a dump of the physical server (dd sda mbr and single partitions :)
>> plus an rsync with all permissions daily backup, just to be safe ;)
>>
>>
>> What would you gurus suggest as a strategy?
>>
>> Can I create a new server and add it as secondary domain controller and then
>> once the replica is up? I'd feel quite comfortable with this method.
>>
>> BTW I need a new version of samba as they have already bought Windows 7
>> boxes (without asking if they were supported arrgh).
>>
>> Thanks to all of you who read or answered :-)
>>
>> Gio
>
> Hi.
>
> Ubuntu 8.10 is a bad idea if you will be connecting Windows 7 into domain,
> because of old Samba version. Samba 3.4.x or 3.5.x is recommended for
> Win7. Wait for Ubuntu 10.04 LTS (next month) if you want Ubuntu.
>
> --
> Vladimir Psenicka
>


Re: [Samba] PDC migration from suse 8.2 - samba 2.2.7 ldap - to latest versions on ubuntu 8.04

2010-03-24 Thread Vladimir Psenicka
On 23.3.2010 15:48, Giorgio wrote:
> Hello,
> Hopefully I'm in the right place asking for help :-)
> 
> I need to move from an old physical Suse 8.2 - samba 2.2.7 + ldap - to
> latest samba versions, I would like to use an ubuntu 8.04 virtual machine.
> 
> The domain is in production on the physical server, to be dismissed after
> migration. It is also the file server!!! so /DATA/ has all shared and
> permission driven file access..
> 
> I was following https://help.ubuntu.com/8.10/serverguide/C/samba-dc.html but
> I realize I am in a different scenario...
> 
> Production so no errors are admitted :-(, migration to new os and versions..
> all at once?
> 
> I have a dump of the physical server (dd sda mbr and single partitions :)
> plus an rsync with all permissions daily backup, just to be safe ;)
> 
> 
> What would you gurus suggest as a strategy?
> 
> Can I create a new server and add it as secondary domain controller and then
> once the replica is up? I'd feel quite comfortable with this method.
> 
> BTW I need a new version of samba as they have already bought Windows 7
> boxes (without asking if they were supported arrgh).
> 
> Thanks to all of you who read or answered :-)
> 
> Gio

Hi.

Ubuntu 8.10 is a bad idea if you will be connecting Windows 7 into domain,
because of old Samba version. Samba 3.4.x or 3.5.x is recommended for
Win7. Wait for Ubuntu 10.04 LTS (next month) if you want Ubuntu.

-- 
Vladimir Psenicka


Re: [Samba] ham,Re: samba PDC upgrade from 3.2.5 to 3.4.7

2010-03-23 Thread Leonardo Carneiro - Veltrac

Hi John. It worked well just before the upgrade. I'm not saying that
this is correct, but is this the reason why users aren't accessing? Also,
shouldn't this give some specific error in the logs?

Tks in advance.

John H Terpstra wrote:

On 03/23/2010 02:35 PM, Leonardo Carneiro - Veltrac wrote:
  

Hi Dale and others. I had already checked the release notes. Only users
in eth0 (192.168.0.x) are having trouble. Here is some info and some logs:

smb.conf:


   [global]
   workgroup = DOMINIO
   netbios name = DOMINIO



It is not at all surprising that users are having difficulty accessing
this server!  Its workgroup name and hostname are the SAME!

Please read the Samba-HOWTO.  These two names MUST differ.

What you have is broken.

- John T.


  

   server string = Samba Server
   hosts allow = 192.168.1. 192.168.0. 127.
   smb ports = 139
   load printers = no
   log file = /var/log/samba/%m.log
   max log size = 50
   log level = 2 winbind:3
   security = user
   encrypt passwords = true
   username map = /etc/samba/smbusers
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   interfaces = eth0 eth1
   local master = yes
   os level = 90
   domain master = yes
   preferred master = yes
   domain logons = yes
   logon script = %G.bat
   logon path =
   name resolve order = wins bcast lmhosts
   wins support = yes
   dns proxy = no
   ldap passwd sync = yes
   ldap ssl = off
   ldap delete dn = yes
   passdb backend = ldapsam:ldap://127.0.0.1/
   ldap admin dn = cn=root,dc=dominio,dc=com,dc=br
   ldap suffix = dc=dominio,dc=com,dc=br
   ldap group suffix = ou=Grupos
   ldap user suffix = ou=Usuarios
   ldap machine suffix = ou=Computadores
   ldap idmap suffix = ou=ldapidmapsuffix
   idmap backend = ldap://127.0.0.1
   idmap alloc backend = ldap
   idmap alloc config : ldap_user_dn = cn=root,dc=dominio,dc=com,dc=br
   idmap alloc config : ldap_base_dn = ou=Usuarios,dc=dominio,dc=com,dc=br
   idmap alloc config : ldap_url = ldap://127.0.0.1
   idmap uid = 1-2
   idmap gid = 1-2
   enable privileges = yes
   nt acl support = yes
   add machine script = /usr/sbin/smbldap-useradd -w "%u"
   add user script = /usr/sbin/smbldap-useradd -m "%u"
   delete user script = /usr/sbin/smbldap-userdel "%u"
   add group script = /usr/sbin/smbldap-groupadd -p "%g"
   delete group script = /usr/sbin/smbldap-groupdel "%g"
   add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
   delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
   set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
   dos charset = CP850
   Unix charset = ISO8859-1
   admin users = root
   time server = yes
   template shell = /bin/false
   winbind use default domain = no
   map acl inherit = Yes





Dale Schroeder wrote:


On 03/23/2010 1:48 PM, Leonardo Carneiro - Veltrac wrote:
  

Also, i found out that only users running windows xp in one of the
two interfaces that samba is being accessed are having this trouble.

Leonardo Carneiro - Veltrac wrote:


Hello everyone.

Yesterday i did an almost painless upgrade from samba pdc from 3.2.5
to 3.4.7. I'm running in a Debian Lenny (upgraded from the original
package to the backported one).

After a few tweaks I found on the web my users, including those who
run win7, were able to log in the domain. But now they cannot access
the shared folders on the server. Some users can't even open the
server share list.

Is there any major change that prevents users from accessing the shares
that I'm skipping?

Tks in advance and sorry for my poor english.
  

You could check the release notes for changes:
http://www.samba.org/samba/history/ ,
or consider posting your smb.conf.

Dale

  



  




--

*Leonardo de Souza Carneiro*
*Veltrac - Tecnologia em Logística.*
lscarne...@veltrac.com.br 
http://www.veltrac.com.br 
/Fone Com.: (43)2105-5011/
/R. Pará 162 - CENTRO/
/Londrina- PR/
/Cep: 86010-450/



Re: [Samba] ham,Re: samba PDC upgrade from 3.2.5 to 3.4.7

2010-03-23 Thread Leonardo Carneiro - Veltrac
Hi Dale and others. I had already checked the release notes. Only users 
in eth0 (192.168.0.x) are having trouble. Here is some info and some logs:


smb.conf:


   [global]
   workgroup = DOMINIO
   netbios name = DOMINIO
   server string = Samba Server
   hosts allow = 192.168.1. 192.168.0. 127.
   smb ports = 139
   load printers = no
   log file = /var/log/samba/%m.log
   max log size = 50
   log level = 2 winbind:3
   security = user
   encrypt passwords = true
   username map = /etc/samba/smbusers
   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
   interfaces = eth0 eth1
   local master = yes
   os level = 90
   domain master = yes
   preferred master = yes
   domain logons = yes
   logon script = %G.bat
   logon path =
   name resolve order = wins bcast lmhosts
   wins support = yes
   dns proxy = no
   ldap passwd sync = yes
   ldap ssl = off
   ldap delete dn = yes
   passdb backend = ldapsam:ldap://127.0.0.1/
   ldap admin dn = cn=root,dc=dominio,dc=com,dc=br
   ldap suffix = dc=dominio,dc=com,dc=br
   ldap group suffix = ou=Grupos
   ldap user suffix = ou=Usuarios
   ldap machine suffix = ou=Computadores
   ldap idmap suffix = ou=ldapidmapsuffix
   idmap backend = ldap://127.0.0.1
   idmap alloc backend = ldap
   idmap alloc config : ldap_user_dn = cn=root,dc=dominio,dc=com,dc=br
   idmap alloc config : ldap_base_dn = ou=Usuarios,dc=dominio,dc=com,dc=br
   idmap alloc config : ldap_url = ldap://127.0.0.1
   idmap uid = 1-2
   idmap gid = 1-2
   enable privileges = yes
   nt acl support = yes
   add machine script = /usr/sbin/smbldap-useradd -w "%u"
   add user script = /usr/sbin/smbldap-useradd -m "%u"
   delete user script = /usr/sbin/smbldap-userdel "%u"
   add group script = /usr/sbin/smbldap-groupadd -p "%g"
   delete group script = /usr/sbin/smbldap-groupdel "%g"
   add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
   delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
   set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
   dos charset = CP850
   Unix charset = ISO8859-1
   admin users = root
   time server = yes
   template shell = /bin/false
   winbind use default domain = no
   map acl inherit = Yes





Dale Schroeder wrote:

On 03/23/2010 1:48 PM, Leonardo Carneiro - Veltrac wrote:
Also, i found out that only users running windows xp in one of the 
two interfaces that samba is being accessed are having this trouble.


Leonardo Carneiro - Veltrac wrote:

Hello everyone.

Yesterday i did an almost painless upgrade from samba pdc from 3.2.5 
to 3.4.7. I'm running in a Debian Lenny (upgraded from the original 
package to the backported one).


After a few tweaks I found on the web my users, including those who
run win7, were able to log in the domain. But now they cannot access
the shared folders on the server. Some users can't even open the
server share list.


Is there any major change that prevents users from accessing the shares
that I'm skipping?


Tks in advance and sorry for my poor English.

You could check the release notes for changes:
http://www.samba.org/samba/history/ ,
or consider posting your smb.conf.

Dale




Re: [Samba] ham,Re: samba PDC upgrade from 3.2.5 to 3.4.7

2010-03-23 Thread Dale Schroeder

On 03/23/2010 1:48 PM, Leonardo Carneiro - Veltrac wrote:
Also, i found out that only users running windows xp in one of the two 
interfaces that samba is being accessed are having this trouble.


Leonardo Carneiro - Veltrac wrote:

Hello everyone.

Yesterday i did an almost painless upgrade from samba pdc from 3.2.5 
to 3.4.7. I'm running in a Debian Lenny (upgraded from the original 
package to the backported one).


After a few tweaks I found on the web my users, including those who
run win7, were able to log in the domain. But now they cannot access
the shared folders on the server. Some users can't even open the
server share list.


Is there any major change that prevents users from accessing the shares
that I'm skipping?


Tks in advance and sorry for my poor English.

You could check the release notes for changes:
http://www.samba.org/samba/history/ ,
or consider posting your smb.conf.

Dale


Re: [Samba] PDC directory permission fail (Bino Oetomo)

2010-01-06 Thread Bino Oetomo

Dear James, Dale, and ALL

Thank you for your enlightenment

Now I set things as you suggested, directories with 770 and files with 660

Case solved

Sincerely
-bino-

James Kosin wrote:

Bino,

The permissions should be 770 for directories.  They need execute
privileges for directories to be able to get access to the directories.
You should be able to set the files for 660 though I don't believe it
will keep windows from executing a file.
  


Dale Schroeder wrote:

From your previous email, it sounds like what you want is ==>

create mode = 660
directory mode = 770


Dale




Re: [Samba] PDC directory permission fail (Bino Oetomo)

2010-01-06 Thread James Kosin
Bino,

The permissions should be 770 for directories.  They need execute
privileges for directories to be able to get access to the directories.
You should be able to set the files for 660 though I don't believe it
will keep windows from executing a file.

With 'force' before 'create mask' or 'directory mask' allows you to set
bits.  You should have 'create mask 660' to force files (other than
directories) to not allow setting of the execute bit.  And directories
should usually be 'force directory mask 770' with maybe a 'directory
mask 770' before this to prevent anyone allowing a directory to be
read/writeable by everyone.

James



-Original Message-
From: samba-boun...@lists.samba.org
[mailto:samba-boun...@lists.samba.org] On Behalf Of
samba-requ...@lists.samba.org
Sent: Wednesday, January 06, 2010 2:00 PM
To: samba@lists.samba.org
Subject: samba Digest, Vol 85, Issue 6


--

Message: 1
Date: Wed, 06 Jan 2010 08:51:33 +0700
From: Bino Oetomo 
To: ?? 
Cc: samba@lists.samba.org
Subject: Re: [Samba] PDC directory permission fail
Message-ID: <4b43eca5.1010...@indoakses-online.com>
Content-Type: text/plain; charset=KOI8-R; format=flowed

Dear Serg and All
?? wrote:
> Hello, Bino!
>
>   
>> I use webmin to do the samba PDC configuration
>> 
> IMHO, insufficient
>   
Agree ...
I did some direct edit to conf file

>> [warehouse]
>> comment = Files of warehouse
>> writeable = yes
>> path = /hdd2/samba/groupfiles/warehouse
>>
>> when I create that share via webmin i use option :
>> a. mode : 775
>> b. Create user : Root
>> c. Create Group : warehouse.
>>
>> 4. From my XP station , I login to that domain with user name "wh01",
>> the results is :
>> a. Successful login
>> b. wh01 can create a file in the home directory (/home/wh01)
>> 
>
>   
>> But, wh01 can not write file to share "warehouse"
>> 
> Which permission to the new file? May be 644? :)
> IMHO, user have right to write directory, but have not right to write file.
> Look man smb.conf for "force create mode", "force directory mode" or
> http://wiki.samba.org/index.php/Frequently_Asked_Questions#inherit_permissions
>
>   

Thank you for your enlightenment

I read that documentation, but I don't want user to be able to execute
things in directory
So I change the share to :
[warehouse]
create mode = 660
path = /hdd2/samba/groupfiles/warehouse
directory mode = 660
force group = warehouse

(and the directory is auto created with user:group as root:warehouse)

Still the user with group "warehouse" can not access (even just "open")
the directory

so I try to delete the share ... manually remove the dir , and re create
the share (and dir) with :
[warehouse]
create mode = 760
path = /hdd2/samba/groupfiles/warehouse
directory mode = 760
force group = warehouse

Still the user with group "warehouse" can not access (even just "open")
the directory

Again,  I try to delete the share ... manually remove the dir , and re
create the share (and dir) with :
[warehouse]
create mode = 770
path = /hdd2/samba/groupfiles/warehouse
directory mode = 770
force group = warehouse


And ... voila ... the user can access (read-write) into the shares ...
But it'll means that the user can also "execute" somethings inside 
directory ... right ?

Why we need the "execute" bit in directory permission just to let the 
user to "read and write only" ?

Just fyi, my system is based on :
++ Ubuntu Jaunty
++ Samba 3.32

Sincerely
-bino-



Re: [Samba] PDC directory permission fail

2010-01-06 Thread Dale Schroeder

On 01/05/2010 10:00 PM, Bino Oetomo wrote:

Dear Brian and all

Thank you for your fast enlightenment

Brian H. Nelson wrote:

Bino Oetomo wrote:

And ... voila ... the user can access (read-write) into the shares ...
But it'll means that the user can also "execute" somethings inside 
directory ... right ?


Why we need the "execute" bit in directory permission just to let 
the user to "read and write only" ?


That is how UNIX filesystem permissions work. 'Execute' on a 
directory allows traversal of (ie access into) the directory.


Understood.
I knew that for every "execute" will need "read", that's why every
allow-execute will consequently allow-read.


But how if i need allow-write (consequently will allow-read) +
deny-execute ?

AFAIK it will "6" or "2" in permission bit, right ?


From your previous email, it sounds like you want is ==>

create mode = 660
directory mode = 770

For other control parameters, see the "force" parameters regarding 
create/directory/security.


For Ubuntu:
Having the swat and samba-doc packages installed provides an excellent
way to see all the available parameters with a corresponding link to an
explanation of what each does, and what its default value is.

Dale




Sincerely
-bino-



Re: [Samba] PDC directory permission fail

2010-01-05 Thread Bino Oetomo

Dear Brian and all

Thank you for your fast enlightenment

Brian H. Nelson wrote:

Bino Oetomo wrote:

And ... voila ... the user can access (read-write) into the shares ...
But it'll means that the user can also "execute" somethings inside 
directory ... right ?


Why we need the "execute" bit in directory permission just to let the 
user to "read and write only" ?




That is how UNIX filesystem permissions work. 'Execute' on a directory 
allows traversal of (ie access into) the directory.





Understood.
I knew that for every "execute" will need "read", that's why every
allow-execute will consequently allow-read.


But how if i need allow-write (consequently will allow-read) + deny-execute ?
AFAIK it will "6" or "2" in permission bit, right ?


Sincerely
-bino-


Re: [Samba] PDC directory permission fail

2010-01-05 Thread Brian H. Nelson

Bino Oetomo wrote:

And ... voila ... the user can access (read-write) into the shares ...
But it'll means that the user can also "execute" somethings inside 
directory ... right ?


Why we need the "execute" bit in directory permission just to let the 
user to "read and write only" ?




That is how UNIX filesystem permissions work. 'Execute' on a directory 
allows traversal of (ie access into) the directory.


From Wikipedia (http://en.wikipedia.org/wiki/File_system_permissions):
There are three specific permissions on Unix-like systems that apply to
each class:
   * The read permission, which grants the ability to read a file. When
     set for a directory, this permission grants the ability to read the
     names of files in the directory (but not to find out any further
     information about them such as contents, file type, size, ownership,
     permissions, etc.)
   * The write permission, which grants the ability to modify a file.
     When set for a directory, this permission grants the ability to modify
     entries in the directory. This includes creating files, deleting files,
     and renaming files.
   * The execute permission, which grants the ability to execute a
     file. This permission must be set for executable binaries (for example,
     a compiled c++ program) or shell scripts (for example, a Perl program)
     in order to allow the operating system to run them. When set for a
     directory, this permission grants the ability to traverse its tree in
     order to access files or subdirectories, but not see files inside the
     directory (unless read is set).



Search Google for "unix permissions" if you need more understanding.

-Brian

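The mode arithmetic behind the replies in this thread (the directory execute bit explained above and the mask/force settings in James Kosin's reply), as an added example that is not part of any poster's message. In smb.conf, `create mode` and `directory mode` are synonyms for `create mask` and `directory mask`: Samba ANDs them with the mode it would otherwise set, then ORs in any `force create mode` / `force directory mode`. The starting modes `REQUESTED_DIR` and `REQUESTED_FILE` are assumptions made for the illustration.

```python
import stat

# Assumed modes requested before masking (constructed for this example):
# directories start from rwxrwxrwx, files from rwxrw-rw- (an owner execute
# bit can come from Samba's DOS archive-bit mapping).
REQUESTED_DIR = 0o777
REQUESTED_FILE = 0o766


def effective_mode(requested, mask, force=0o000):
    """Apply 'create mask'/'directory mask' (AND), then the matching
    'force create mode'/'force directory mode' (OR)."""
    return (requested & mask) | force


def group_access(dir_mode):
    """What a member of the owning group can do in a directory."""
    r = bool(dir_mode & stat.S_IRGRP)
    w = bool(dir_mode & stat.S_IWGRP)
    x = bool(dir_mode & stat.S_IXGRP)
    return {
        "list_names": r,           # read: see entry names only
        "enter_and_open": x,       # execute: traverse and reach the files
        "create_delete": w and x,  # write is only usable together with x
    }


def share_report(create_mask, directory_mask, force_create=0, force_dir=0):
    """Resulting file and directory modes for one share definition."""
    file_mode = effective_mode(REQUESTED_FILE, create_mask, force_create)
    dir_mode = effective_mode(REQUESTED_DIR, directory_mask, force_dir)
    return {
        "file_mode": oct(file_mode),
        "dir_mode": oct(dir_mode),
        "file_executable": bool(file_mode & 0o111),
        "group": group_access(dir_mode),
    }


# The three [warehouse] attempts from the thread: (create mode, directory mode)
ATTEMPTS = [(0o660, 0o660), (0o760, 0o760), (0o770, 0o770)]
# The combination suggested in the replies.
SUGGESTED = (0o660, 0o770)

if __name__ == "__main__":
    for create_mask, directory_mask in ATTEMPTS + [SUGGESTED]:
        print(oct(create_mask), oct(directory_mask),
              share_report(create_mask, directory_mask))
```

With 660 or 760 on directories the group keeps read and write but loses traversal, which matches the "can not access" result reported in the thread; 660 for files with 770 for directories gives group access without any execute bit on new files.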


Re: [Samba] PDC directory permission fail

2010-01-05 Thread Bino Oetomo

Dear Serg and All
Сергей wrote:

Hello, Bino!

  

I use webmin to do the samba PDC configuration


IMHO, insufficient
  

Agree ...
I did some direct edit to conf file


[warehouse]
comment = Files of warehouse
writeable = yes
path = /hdd2/samba/groupfiles/warehouse

when I create that share via webmin i use option :
a. mode : 775
b. Create user : Root
c. Create Group : warehouse.

4. From my XP station , I login to that domain with user name "wh01",
the results is :

a. Successful login
b. wh01 can create a file in the home directory (/home/wh01)



  

But, wh01 can not write file to share "warehouse"


Which permission to the new file? May be 644? :)
IMHO, user have right to write directory, but have not right to write file.
Look man smb.conf for "force create mode", "force directory mode" or 
http://wiki.samba.org/index.php/Frequently_Asked_Questions#inherit_permissions

  


Thank you for your enlightenment

I read that documentation, but I don't want user to be able to execute
things in directory

So I change the share to :
[warehouse]
   create mode = 660
   path = /hdd2/samba/groupfiles/warehouse
   directory mode = 660
   force group = warehouse

(and the directory is auto created with user:group as root:warehouse)

Still the user with group "warehouse" can not access (even just "open")
the directory


so I try to delete the share ... manually remove the dir , and re create
the share (and dir) with :

[warehouse]
   create mode = 760
   path = /hdd2/samba/groupfiles/warehouse
   directory mode = 760
   force group = warehouse

Still the user with group "warehouse" can not access (even just "open")
the directory


Again,  I try to delete the share ... manually remove the dir , and re
create the share (and dir) with :

[warehouse]
   create mode = 770
   path = /hdd2/samba/groupfiles/warehouse
   directory mode = 770
   force group = warehouse


And ... voila ... the user can access (read-write) into the shares ...
But it'll means that the user can also "execute" somethings inside 
directory ... right ?


Why we need the "execute" bit in directory permission just to let the 
user to "read and write only" ?


Just fyi, my system is based on :
++ Ubuntu Jaunty
++ Samba 3.32

Sincerely
-bino-

Re: [Samba] PDC directory permission fail

2010-01-04 Thread Сергей
Hello, Bino!

> I use webmin to do the samba PDC configuration
IMHO, insufficient
> 
> [warehouse]
> comment = Files of warehouse
> writeable = yes
> path = /hdd2/samba/groupfiles/warehouse
> 
> when I create that share via webmin i use option :
> a. mode : 775
> b. Create user : Root
> c. Create Group : warehouse.
> 
> 4. From my XP station , I login to that domain with user name "wh01", 
> the results is :
> a. Successful login
> b. wh01 can create a file in the home directory (/home/wh01)

> 
> But, wh01 can not write file to share "warehouse"
Which permission to the new file? May be 644? :)
IMHO, user have right to write directory, but have not right to write file.
Look man smb.conf for "force create mode", "force directory mode" or 
http://wiki.samba.org/index.php/Frequently_Asked_Questions#inherit_permissions

Bye. Serg




Re: [Samba] PDC witch LDAP and machine account lookup

2009-10-02 Thread Stefan Michalsky
Hi again,

so it looks like something with adding machine accounts manually does not
work for me.
After reconfiguring the smbldap tools and removing the computer (farbwahl06)
from the domain i added it again. The automatically created machine account
works fine and i am able to logon to the domain.

The differences between the pdbedit outputs have not been that big but big
enough to make trouble i guess.

Thanks for your help Bruno.

Regards
Stefan



-Original Message-
From: Bruno MACADRE [mailto:bruno.maca...@univ-rouen.fr]
Sent: Thursday, October 1, 2009 22:10
To: Stefan Michalsky
Subject: Re: [Samba] PDC witch LDAP and machine account lookup

Hi,

It looks strange... Have you tried to increase your log level
(specially on tdb and passdb). Something like :
log level = 2 tdb:5 passdb:5

And look for any strange behavior when you try to log onto
farbwahl06 or when you try to join it to the domain.

I don't use smbldap-tools so i can help you with this, for me adding
a machine to the LDAP is like adding a user, the only difference is that
the username (uid for LDAP) finishes with a $

If you try :
# pdbedit -v farbwahl06$
and
# pdbedit -v farbwahl04$

Look for any difference between the 2 results !

Regards,
Bruno
   
Stefan Michalsky wrote:
> Hey Bruno,
>
> it seems that the problem is something else. I tested on one computer
> (farbwahl06 - WinXP Pro Client) most of the time. But i have another
> machine to test (farbwahl04 - WinVista client).
> I moved the machine account for farbwahl04 from People to Computers and
> everything works fine. So i tried all variants for farbwahl06 (account in
> People and Computers, changed suffixes and so on) and the machine account
> for farbwahl06 seems to be broken. I tried to create a new one, but this
> doesn't help too.
>
> So how do you create machine accounts? Perhaps i am missing something.
> Adding machine accounts automatically doesn't work too by the way. The
> Samba server is a gentoo (Linux version 2.6.23-hardened-r12).
>
> Please find attached my smb.conf (farbwahl04 is working with this) ***
> REMOVED ***
>
> Kind regards,
> Stefan
>
> -Original Message-
> From: Bruno MACADRE [mailto:bruno.maca...@univ-rouen.fr]
> Sent: Thursday, October 1, 2009 17:51
> To: Stefan Michalsky
> Subject: Re: [Samba] PDC witch LDAP and machine account lookup
>
> Stefan Michalsky wrote:
>> Hey all,
>>
>> i do have the following problem: i set up a PDC with Samba with an LDAP
>> backend. Everything works fine but the machine account lookup. If i try to
>> logon to the domain i have to create the machine account in
>> ou=People,dc=testing,dc=de. Everything works fine with this. But if i create
>> the machine account in ou=Computers,dc=testing,dc=de and change all suffixes
>> according to this the search performed looks like this in slapd log file:
>>
>> Oct  1 15:42:59 [slapd] conn=908 op=4 SRCH base="ou=People,dc=testing,dc=de" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=farbwahl06$))"_
>>
>> So where is the mistake? I found some forum posts but all with no answers.
>> Is it a configuration issue or a software problem?
>>
>> Thanks
>>
>> Stefan
>>
> Hi,
>
>   Are you sure that your "ldap machine suffix" is changed to "ldap
> machine suffix = ou=Computers" ?
>
>   Can you show your smb.conf when you want to have machine account in
> ou=Computers ?
>
>   Regards,
>   Bruno
>

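One way to check from the slapd log which container each machine-account lookup actually searches, as an added example that is not part of any poster's message. The first sample line is the SRCH entry quoted in the thread, rejoined onto one line; the other log lines, the function names and the assumption that machine entries sit directly under the `ldap machine suffix` container are constructed for the illustration.

```python
import re

# Constructed sample log. Line 1 is the entry quoted in the thread; the
# remaining lines are made up to exercise the other cases.
SAMPLE_LOG = """\
Oct  1 15:42:59 [slapd] conn=908 op=4 SRCH base="ou=People,dc=testing,dc=de" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=farbwahl06$))"_
Oct  1 15:43:05 [slapd] conn=911 op=2 SRCH base="ou=Computers,dc=testing,dc=de" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=farbwahl04$))"
Oct  1 15:43:07 [slapd] conn=913 op=3 SRCH base="dc=testing,dc=de" scope=2 deref=0 filter="(&(objectClass=sambaSamAccount)(uid=farbwahl04$))"
Oct  1 15:43:09 [slapd] conn=914 op=1 SRCH base="ou=People,dc=testing,dc=de" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=alice))"
Oct  1 15:43:11 [slapd] conn=914 op=2 BIND dn="cn=smbadmin,ou=People,dc=testing,dc=de" method=128
"""

SRCH_RE = re.compile(
    r'conn=(?P<conn>\d+) op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" '
    r'scope=(?P<scope>\d) deref=\d filter="(?P<filter>.*)"'
)
UID_RE = re.compile(r"\(uid=([^()]*)\)")


def normalize_dn(dn):
    """Lower-case and strip spaces around RDNs (no escaped-comma handling)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def covers(base, scope, container):
    """True if a search at base/scope can return entries that live directly
    under container (scope 1 = one level, scope 2 = subtree)."""
    if base == container:
        return scope in (1, 2)
    return scope == 2 and container.endswith("," + base)


def misplaced_machine_lookups(log_text, machine_suffix, ldap_suffix):
    """Return SRCH operations for uid=<name>$ whose search base cannot reach
    the configured machine container."""
    container = normalize_dn(machine_suffix + "," + ldap_suffix)
    findings = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if not m:
            continue  # BIND, RESULT and other operations are ignored
        machine_uids = [u for u in UID_RE.findall(m["filter"]) if u.endswith("$")]
        if not machine_uids:
            continue  # ordinary user lookup
        if not covers(normalize_dn(m["base"]), int(m["scope"]), container):
            findings.append({
                "conn": int(m["conn"]),
                "op": int(m["op"]),
                "uid": machine_uids[0],
                "base": m["base"],
            })
    return findings


if __name__ == "__main__":
    for f in misplaced_machine_lookups(SAMPLE_LOG, "ou=Computers", "dc=testing,dc=de"):
        print("machine lookup outside machine suffix:", f)
```

A finding means some LDAP client is still configured with a different base than the one smb.conf names in `ldap machine suffix`; the log line alone does not say which client issued the search.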


Re: [Samba] PDC witch LDAP and machine account lookup

2009-10-01 Thread Stefan Michalsky
Hey Bruno,

it seems that the problem is something else. I tested on one computer
(farbwahl06 - WinXP Pro Client) most of the time. But i have another
machine to test (farbwahl04 - WinVista client).
I moved the machine account for farbwahl04 from People to Computers and
everything works fine. So i tried all variants for farbwahl06 (account in
People and Computers, changed suffixes and so on) and the machine account
for farbwahl06 seems to be broken. I tried to create a new one, but this
doesn't help too.

So how do you create machine accounts? Perhaps i am missing something.
Adding machine accounts automatically doesn't work too by the way. The
Samba server is a gentoo (Linux version 2.6.23-hardened-r12).

Please find attached my smb.conf (farbwahl04 is working with this)

>>>
[global]
dos charset = 850
unix charset = ISO8859-1
workgroup = TEST-DOMAIN
interfaces = eth0
map to guest = Bad User
passdb backend = ldapsam:ldap://localhost
username map = /etc/samba/smbusers
log level = 10
log file = /var/log/samba/log.%m
max log size = 5
add user script = /usr/sbin/smbldap-useradd -a -d '/home/%u' -m -g 'Domain Users' '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd '%g' && /usr/sbin/smbldap-groupshow %g|awk '/^gidNumber:/ {print $2}'
delete group script = /usr/sbin/smbldap-userdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w -d /dev/null -g 'Domain Computers' -c 'Machine Account' -s /bin/false '%u'
logon path = \\%L\Profiles\%U
logon drive = w:
logon home = \\%L\%U
logon script = logonscripts\%U
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap admin dn = cn=smbadmin,ou=People,dc=testing,dc=de
ldap group suffix = ou=Groups
ldap idmap suffix = cn=Idmap
ldap machine suffix = ou=Computers
ldap suffix = dc=testing,dc=de
ldap user suffix = ou=People
winbind separator = #
winbind use default domain = Yes
hosts allow = 192.168.2.

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[netlogon]
comment = Network Logon Service
path = /home/__netlogon__
admin users = root
read only = No
browseable = No
preexec = /home/__netlogon__/genlogon.pl %U %m

[Profiles]
comment = For Windows Profile
path = /var/lib/samba/profiles/%U
read only = No
profile acls = Yes
browseable = No
create mask = 0600
directory mask = 0700

[public]
path = /home/__public__
force user = public
force group = public
read only = No

[sharehome]
path = /home/share
read only = No

[sharesrc]
path = /usr/src
read only = No

[backup]
comment = The folder for backups
path = /home/backup
force user = backupexternal
force group = backup
read only = No
guest ok = Yes

[Projekt_A]
comment = For the Project A
path = /home/projekt_a
directory mask = 0770
force group = Projekt A
force create mode = 0770
force directory mode = 0770
read only = No
guest ok = No
browsable = No
hide unreadable = Yes
read list = @projekt_a_read
<<<

Kind regards,
Stefan



-Original Message-
From: Bruno MACADRE [mailto:bruno.maca...@univ-rouen.fr]
Sent: Thursday, October 1, 2009 17:51
To: Stefan Michalsky
Subject: Re: [Samba] PDC witch LDAP and machine account lookup

Stefan Michalsky wrote:
> Hey all,
>
> i do have the following problem: i set up a PDC with Samba with an LDAP
> backend. Everything works fine but the machine account lookup. If i try to
> logon to the domain i have to create the machine account in
> ou=People,dc=testing,dc=de. Everything works fine with this. But if i create
> the machine account in ou=Computers,dc=testing,dc=de and change all suffixes
> according to this the search performed looks like this in slapd log file:
>
> Oct  1 15:42:59 [slapd] conn=908 op=4 SRCH base="ou=People,dc=testing,dc=de" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=farbwahl06$))"_
>
> So where is the mis

Re: [Samba] [Fwd: Re: Samba PDC + OpenLDAP (Debian Lenny)]

2009-08-17 Thread Henrik Dige Semark

Henrik Dige Semark wrote:

 Adam Tauno Williams wrote:
 

[2009/08/14 18:22:24,  0] passdb/pdb_get_set.c:pdb_get_group_sid(210)
 pdb_get_group_sid: Failed to find Unix account for DomAdmin
[2009/08/14 18:22:24,  1] auth/auth_util.c:make_server_info_sam(562)
 User DomAdmin in passdb, but getpwnam() fails!



I don't know why it is looking for a "DomAdmin" account. Perhaps your
directory is not fully initialized?  Loaded with the required users,
etc...
  
DomAdmin, is a Domain-administrator account I have created instead of
"admin" or "root"
I have run "smbldap-populate -u 1 -g 1 -a admin -g guest" and
it populates LDAP with all the default users and groups windows need
to be able to join.

-u uidNumber  first uidNumber to allocate (default: 1000)
-g gidNumber  first uidNumber to allocate (default: 1000)
-a user   administrator login name (default: root)
-b user   guest login name (default: nobody)
 
Error: modifications require authentication at 
/usr/share/perl5/smbldap_tools.pm line 1083.
[2009/08/14 18:22:48,  0] 
passdb/pdb_interface.c:pdb_default_create_user(336)
 _samr_create_user: Running the command `/usr/sbin/smbldap-useradd 
-t 0 -w -i "hds$"' gave 127



I don't use smblap-tools but this looks like they don't have sufficient
config to authenticate to the DSA.
  
Don't know what the problem is with smbldap-useradd, but when I run 
the command alone it creates a windows machine user:

# smbldap-useradd -w -i testcomputer
New password : 1234
Retype new password : 1234
*failed to add entry: structural object class modification from 
'account' to 'inetOrgPerson' not allowed at /usr/sbin/smbldap-useradd 
line 311,  line 2. *


I have the schemas that provide account and inetOrgPerson

# smbldap-useradd -?
(c) Jerome Tournier - (jtourn...@gmail.com)- Licensed under the GPL
Usage: /usr/sbin/smbldap-useradd [-awmugdsckABCDEFGHMNPST?] username
 -a  is a Windows User (otherwise, Posix stuff only)
 -b  is a AIX User
 -c  gecos
 -d  home
 -g  gid
 -i  is a trust account (Windows Workstation)
 -k  skeleton dir (with -m)
 -m  creates home directory and copies /etc/skel
 -n  do not create a group
 -o  add the user in the organizational unit (relative to the user suffix. Ex: 'ou=admin,ou=all')
 -u  uid
 -s  shell
 -t  time. Wait 'time' seconds before exiting (when adding Windows Workstation)
 -w  is a Windows Workstation (otherwise, Posix stuff only)
 -A  can change password ? 0 if no, 1 if yes
 -B  must change password ? 0 if no, 1 if yes
 -C  sambaHomePath (SMB home share, like '\\PDC-SRV\homes')
 -D  sambaHomeDrive (letter associated with home share, like 'H:')
 -E  sambaLogonScript (DOS script to execute on login)
 -F  sambaProfilePath (profile directory, like '\\PDC-SRV\profiles\foo')
 -G  supplementary comma-separated groups
 -H  sambaAcctFlags (samba account control bits like '[NDHTUMWSLKI]')
 -M  local mailAddress (comma seperated)
 -N  given name
 -P  ends by invoking smbldap-passwd
 -S  surname (Family name)
 -T  mailToAddress (forward address) (comma seperated)
 -?  show this help message

Mike Eggleston skrev:

   I'm not at work and am unable to compare your configuration with
   my production configuration. I have a similar environment, though,
   and found for windows boxes I needed to create the account in LDAP
   first (I use smbldap-adduser ...), then I must also add my samba
   server as a WINS server to the windows box, then I can join the
   windows box to my samba pdc domain.

   Mike

I have now tried to set my server as wins-server - still same problem



More info:
There is something I don't understand when I try to join the domain 
there is no traffic to LDAP at all, but when i do

# wbinfo -u
guest
domadmin

# wbinfo -g
domain admins
domain users
domain guests
domain computers
BUILTIN%users

# wbinfo --ping
Ping to winbindd succeeded

It looks up in LDAP just fine, so the link is apparently working fine

--
Best regards
Henrik Dige Semark 




Re: [Samba] [Fwd: Re: Samba PDC + OpenLDAP (Debian Lenny)]

2009-08-16 Thread Henrik Dige Semark

Adam Tauno Williams wrote:
I'm trying to move my existing MS-AD over to SAMBA, the place I'm 



So you have an AD domain?  Samba 3.x does not provide an AD domain, it
provides an NT domain, so your requirement of "everything keeps running
in the same or almost the same way" cannot be met.  Unless you want to
try Samba 4.
  
We are not using the AD functionality, so what I meant was that my 
windows-clients are able to join the domain, and user-validate.
  
When I try to join a Windows Vista Ultimate or Windows XP Pro to the 
domain it takes 30 sec and then it says "The machine account does not 
exist" but as I understand that is what
"add machine script = /usr/sbin/smbldap-useradd -t 0 -w -i "%u"" has to 
do, right?



It is supposed to, yes.

  

   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192



Get rid of all the "socket options" stuff.  Are you using an old HOWTO
or some crap Wiki entry from somewhere?  Setting this directive is an
OLD habit and very obsolete.  Use only the Samba HOWTO and By-Example as
provided on Samba docs.  Assume everything else on the Internet is
obsolete and out-of-date, because it most likely is.
  
It was in the example file for smbldap-tools Domain config. I have 
removed it now, but still no difference.
  

[2009/08/14 18:22:24,  0] passdb/pdb_get_set.c:pdb_get_group_sid(210)
 pdb_get_group_sid: Failed to find Unix account for DomAdmin
[2009/08/14 18:22:24,  1] auth/auth_util.c:make_server_info_sam(562)
 User DomAdmin in passdb, but getpwnam() fails!



I don't know why it is looking for a "DomAdmin" account. Perhaps your
directory is not fully initialized?  Loaded with the required users,
etc...
  
DomAdmin is a domain administrator account I have created instead of 
"admin" or "root".
I have run "smbldap-populate -u 1 -g 1 -a admin -g guest" and it 
populates LDAP with all the default users and groups Windows needs to be 
able to join.

-u uidNumber  first uidNumber to allocate (default: 1000)
-g gidNumber  first uidNumber to allocate (default: 1000)
-a user   administrator login name (default: root)
-b user   guest login name (default: nobody)
  
Error: modifications require authentication at 
/usr/share/perl5/smbldap_tools.pm line 1083.
[2009/08/14 18:22:48,  0] 
passdb/pdb_interface.c:pdb_default_create_user(336)
 _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -t 0 
-w -i "hds$"' gave 127



I don't use smblap-tools but this looks like they don't have sufficient
config to authenticate to the DSA.
  
Don't know what the problem is with smbldap-useradd, but when I run the 
command alone it creates a windows machine user:

# smbldap-useradd -w -i testcomputer
New password : 1234
Retype new password : 1234
failed to add entry: structural object class modification from 'account' 
to 'inetOrgPerson' not allowed at /usr/sbin/smbldap-useradd line 311, 
 line 2.


I have the schemas that provide account and inetOrgPerson

# smbldap-useradd -?
(c) Jerome Tournier - (jtourn...@gmail.com)- Licensed under the GPL
Usage: /usr/sbin/smbldap-useradd [-awmugdsckABCDEFGHMNPST?] username
 -a  is a Windows User (otherwise, Posix stuff only)
 -b  is a AIX User
 -c  gecos
 -d  home
 -g  gid
 -i  is a trust account (Windows Workstation)
 -k  skeleton dir (with -m)
 -m  creates home directory and copies /etc/skel
 -n  do not create a group
 -o  add the user in the organizational unit (relative to the user suffix. Ex: 'ou=admin,ou=all')
 -u  uid
 -s  shell
 -t  time. Wait 'time' seconds before exiting (when adding Windows Workstation)
 -w  is a Windows Workstation (otherwise, Posix stuff only)
 -A  can change password ? 0 if no, 1 if yes
 -B  must change password ? 0 if no, 1 if yes
 -C  sambaHomePath (SMB home share, like '\\PDC-SRV\homes')
 -D  sambaHomeDrive (letter associated with home share, like 'H:')
 -E  sambaLogonScript (DOS script to execute on login)
 -F  sambaProfilePath (profile directory, like '\\PDC-SRV\profiles\foo')
 -G  supplementary comma-separated groups
 -H  sambaAcctFlags (samba account control bits like '[NDHTUMWSLKI]')
 -M  local mailAddress (comma seperated)
 -N  given name
 -P  ends by invoking smbldap-passwd
 -S  surname (Family name)
 -T  mailToAddress (forward address) (comma seperated)
 -?  show this help message

Mike Eggleston wrote:

   I'm not at work and am unable to compare your configuration with
   my production configuration. I have a similar environment, though,
   and found for windows boxes I needed to create the account in LDAP
   first (I use smbldap-adduser ...), then I must also add my samba
   server as a WINS server to the windows box, then I can join the
   windows box to my samba pdc domain.

   Mike
 


I have now tried to set my server as wins-server - still the same problem

--
Best regards
Henrik Dige Semark 



[Samba] [Fwd: Re: Samba PDC + OpenLDAP (Debian Lenny)]

2009-08-16 Thread Henrik Dige Semark

Sorry to Adam Tauno Williams for sending direct.

--
Best regards
Henrik Dige Semark 


Re: [Samba] PDC -> BDC Question

2009-06-25 Thread John Drescher
On Thu, Jun 25, 2009 at 3:58 PM, Nick Pappin wrote:
> Ok but how do I keep the pdc and the bdc in sync, for example the
> account_policy.tdb file has all of the account policy stuff in it now I
> assume that I could take this tdb file and move it to another domain for all
> it cares and still keep all of my policy settings. So changes file just mean
> that the file needs to be moved to all of the other servers or does it even
> matter if this file is the same on the pdc and the bdc because the bdc
> doesn't do account policy enforcement. However how does this affect the other
> files such as ntdrivers.tdb or registry.tdb.
>

Ahh. I see. I have no policy settings other than the settings in ldap.

John


Re: [Samba] PDC -> BDC Question

2009-06-25 Thread Adam Williams
I'd just copy over everything in /etc/samba and /var/lib/samba, and 
also run net getlocalsid and net getdomainsid and write down the number 
strings, and use net setlocalsid/setdomainsid on the new server.


Nick Pappin wrote:

Hi Everyone,
 I was wondering I am setting up a BDC at another physically separate
location on a different subnet, and I am currently working on what files I
need to have copied between the computers and which need to be made on each
server. The specific question I am dealing with is what TDB files I need to
replicate filesystems between the two servers.  Below is a list of what the
files I see in my samba directory are:

account_policy.tdb
ntdrivers.tdb
ntforms.tdb
share_info.tdb
group_mapping.ldb
ntprinters.tdb
registry.tdb
wins.dat
private/schannel_store.tdb
private/secrets.tdb

I am wondering first which of these need to be replicated from server to
server and which need to be unique to each server? For instance I know that
account_policy.tdb can be replicated and needs to be because it holds all of
the account policy information. The second thing I am wondering is what does
each of these files do? I was hoping that someone could do a brief sentence
or two about what each of these files do. Thanks for the help.

--
W. Nick Pappin
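
Added example (not part of any post in this thread): a shell check for the advice in this thread that the PDC and the BDC must carry the same SID, reading captured `net getdomainsid` output. The host names, domain name and SIDs are constructed, and the `SID for ... is:` line format is an assumption about the tool's output.

```shell
#!/bin/sh
# Added example, not from the thread. Sample outputs below are constructed.
# Assumed line format: "SID for <scope> <NAME> is: S-1-5-21-..."

# Print the SID for one scope ("domain" or "local machine") read from stdin.
sid_of() {
    sed -n "s/^SID for $1 [^ ]* is: \(S-1-[0-9][0-9-]*\)[[:space:]]*\$/\1/p" |
        head -n 1
}

# Compare the domain SID in two captured outputs (PDC first, BDC second).
# Returns 0 = same SID, 1 = different SIDs, 2 = a SID could not be read.
compare_domain_sid() {
    pdc_sid=$(printf '%s\n' "$1" | sid_of domain)
    bdc_sid=$(printf '%s\n' "$2" | sid_of domain)
    if [ -z "$pdc_sid" ] || [ -z "$bdc_sid" ]; then
        echo "cannot read domain SID (pdc='$pdc_sid' bdc='$bdc_sid')" >&2
        return 2
    fi
    if [ "$pdc_sid" != "$bdc_sid" ]; then
        echo "MISMATCH: pdc=$pdc_sid bdc=$bdc_sid" >&2
        return 1
    fi
    echo "OK: both controllers use $pdc_sid"
}

# Constructed sample captures (names and SIDs are made up).
PDC_OUT='SID for local machine PDC1 is: S-1-5-21-1111111111-2222222222-3333333333
SID for domain EXAMPLE is: S-1-5-21-1111111111-2222222222-3333333333'
BDC_SYNCED='SID for local machine BDC1 is: S-1-5-21-1111111111-2222222222-3333333333
SID for domain EXAMPLE is: S-1-5-21-1111111111-2222222222-3333333333'
BDC_FRESH='SID for local machine BDC1 is: S-1-5-21-4444444444-5555555555-6666666666
SID for domain EXAMPLE is: S-1-5-21-4444444444-5555555555-6666666666'
BDC_BROKEN='Could not fetch local SID'

# Run the check against each constructed BDC capture.
for out in "$BDC_SYNCED" "$BDC_FRESH" "$BDC_BROKEN"; do
    compare_domain_sid "$PDC_OUT" "$out" || echo "  -> fix before use (rc=$?)"
done

# Live use would capture the real command on each host, for example
# (the host name pdc1 is hypothetical):
#   compare_domain_sid "$(ssh pdc1 net getdomainsid)" "$(net getdomainsid)"
```

On a mismatch, the advice in this thread is to write the PDC's value onto the new server with net setlocalsid / net setdomainsid.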
  




Re: [Samba] PDC -> BDC Question

2009-06-25 Thread Nick Pappin
Ok but how do I keep the pdc and the bdc in sync, for example the
account_policy.tdb file has all of the account policy stuff in it now I
assume that I could take this tdb file and move it to another domain for all
it cares and still keep all of my policy settings. So changes file just mean
that the file needs to be moved to all of the other servers or does it even
matter if this file is the same on the pdc and the bdc because the bdc
doesn't do account policy enforcement. However how does this affect the other
files such as ntdrivers.tdb or registry.tdb.

--
W. Nick Pappin
IT Staff
Latah Federal Credit Union
208.874.4394


On Thu, Jun 25, 2009 at 11:55 AM, John Drescher wrote:

> On Thu, Jun 25, 2009 at 2:44 PM, Nick Pappin  wrote:
> >
> > I have a full ldap backend so the bdc is the slave to the pdc. I am just
> > wondering what I can copy I found a list at
> > http://wiki.samba.org/index.php/Frequently_Asked_Questions of what all of
> > the tdb's have in them but it isn't really clear what is server agnostic and
> > which needs to be individual to each server. So I am wondering how should
> > I be copying these from my pdc should I just have the pdc overwrite
> > everything or should I have the bdc create the files as well and have it run
> > with its own files?
>
> When you are using ldap you generally have separate files for these
> and all of them except secrets.tdb can be deleted and the pdc/bdc will
> create a new one. Well that is at least what I have found in my 6+
> years with samba.
>
> --
> John M. Drescher
>


Re: [Samba] PDC -> BDC Question

2009-06-25 Thread John Drescher
On Thu, Jun 25, 2009 at 2:44 PM, Nick Pappin  wrote:
>
> I have a full ldap backend so the bdc is the slave to the pdc. I am just
> wondering what I can copy I found a list at
> http://wiki.samba.org/index.php/Frequently_Asked_Questions of what all of
> the tdb's have in them but it isn't really clear what is server agnostic and
> which needs to be individual to each server. So I am wondering how should
> I be copying these from my pdc should I just have the pdc overwrite
> everything or should I have the bdc create the files as well and have it run
> with its own files?

When you are using ldap you generally have separate files for these
and all of them except secrets.tdb can be deleted and the pdc/bdc will
create a new one. Well that is at least what I have found in my 6+
years with samba.

--
John M. Drescher


Re: [Samba] PDC -> BDC Question

2009-06-25 Thread Nick Pappin
I have a full ldap backend so the bdc is the slave to the pdc. I am just
wondering what I can copy I found a list at
http://wiki.samba.org/index.php/Frequently_Asked_Questions of what all of
the tdb's have in them but it isn't really clear what is server agnostic and
which needs to be individual to each server. So I am wondering how should
I be copying these from my pdc should I just have the pdc overwrite
everything or should I have the bdc create the files as well and have it run
with its own files?

--
W. Nick Pappin

On Thu, Jun 25, 2009 at 1:55 AM, Daniel Müller wrote:

> Hello Nick,
>
> I do not think it is possible to just copy files like this from one to the
> other samba.
> You can do the copy job with rsync or scp.
> I made a samba PDC and BDC with ldap master ldap slave. So on both servers
> are the same users
> Groups etc.
> Both machines must have the same SID
>
>
> Greetings
> Daniel
> -Original Message-
> From: samba-bounces+mueller=tropenklinik...@lists.samba.org
> [mailto:samba-bounces+mueller =tropenklinik.de@
> lists.samba.org] On behalf
> of Nick Pappin
> Sent: Tuesday, 23 June 2009 22:52
> To: samba@lists.samba.org
> Subject: [Samba] PDC -> BDC Question
>
> Hi Everyone,
> I was wondering I am setting up a BDC at another physically separate
> location on a different subnet, and I am currently working on what files I
> need to have copied between the computers and which need to be made on each
> server. The specific question I am dealing with is what TDB files I need to
> replicate filesystems between the two servers.  Below is a list of what the
> files I see in my samba directory are:
>
> account_policy.tdb
> ntdrivers.tdb
> ntforms.tdb
> share_info.tdb
> group_mapping.ldb
> ntprinters.tdb
> registry.tdb
> wins.dat
> private/schannel_store.tdb
> private/secrets.tdb
>
> I am wondering first which of these need to be replicated from server to
> server and which need to be unique to each server? For instance I know that
> account_policy.tdb can be replicated and needs to be because it holds all of
> the account policy information. The second thing I am wondering is what does
> each of these files do? I was hoping that someone could do a brief sentence
> or two about what each of these files do. Thanks for the help.
>
> --
> W. Nick Pappin
>