Container for computer account [WAS Re: [Samba] Re: Transfering Machine Accounts / MACHINE.SID
Tuesday, December 30, 2003, 11:19:48 AM, Craig wrote:

> On Mon, 2003-12-29 at 11:37, Sharp, Clint wrote:
>> Quotes are required around the two ldap:// URIs AFAIK. I've not used AS
>> 3, but on 8 I've always built from Source RPM as I've also added ACL
>> support (pretty easy with the Redhat kernels, and even though they say
>> it's not stable, I've yet to have any problems with it). I'd go grab
>> Samba 3.0.1 source RPMs from the Samba website and build from there, or
>> even upgrade to 3.0.1 from the Redhat RPMs on the Samba site, as those
>> are known to have proper LDAP support included.
> ---
> It's a bit vague (changelogs for various changes since 3.0.0) but
> apparently they've fixed 'more' ldap group mappings
> searches...undoubtedly good - does that mean that it would be safe to
> have Computers in their own ou or even with 3.0.1 would they still have
> to be in ou=People?

I'm using a separate container for computer accounts and it works with samba 3.x.
With ldap, it doesn't matter where you put the entry; as long as you use the
correct base and filter you'll find that object, is it correct?

    ldap machine suffix = ou=computer
    ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))

Also in /etc/ldap.conf, don't put a filter on nss_base_passwd and nss_base_shadow.

--beast

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
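The message above relies on the search base and filter, not the container, to locate an account. The following is an added example (not Samba's code and not beast's) that shows how the two smb.conf lines quoted in the message combine with an assumed `ldap suffix` of `dc=example,dc=com` into the base DN and filter used for a machine account (name ending in `$`) versus an ordinary user. The `%u` value is escaped per RFC 4515 before substitution so that a name containing filter metacharacters cannot change the meaning of the query; that escaping is this example's choice, not a statement about what Samba 3.0.x does internally.

```python
"""Build the LDAP search base and filter that Samba-style settings describe.

Added example, not Samba's own code. The two 'ldap ...' lines below are
taken from the mailing-list message; 'ldap suffix' and 'ldap user suffix'
are assumed values for the example.
"""
from typing import Dict, Tuple

# Constructed smb.conf fragment (as a dict) for the example.
SMB_CONF: Dict[str, str] = {
    "ldap suffix": "dc=example,dc=com",          # assumed
    "ldap user suffix": "ou=People",             # assumed
    "ldap machine suffix": "ou=computer",        # from the message
    "ldap filter": "(&(uid=%u)(objectclass=sambaSamAccount))",  # from the message
}


def escape_filter_value(value: str) -> str:
    """Escape the RFC 4515 special characters in an assertion value.

    '*', '(', ')', '\\' and NUL become a backslash followed by two hex
    digits, so user-controlled text can only ever match literally.
    """
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def search_params(conf: Dict[str, str], account: str) -> Tuple[str, str]:
    """Return (base DN, filter) for looking up one account.

    Machine accounts (names ending in '$') are searched under
    'ldap machine suffix', everyone else under 'ldap user suffix'.
    Samba documents both suffixes as partial DNs that are prepended to
    'ldap suffix', which is what the string join below does.
    """
    suffix = conf["ldap suffix"]
    sub = conf["ldap machine suffix"] if account.endswith("$") else conf["ldap user suffix"]
    base = f"{sub},{suffix}" if sub else suffix
    flt = conf["ldap filter"].replace("%u", escape_filter_value(account))
    return base, flt


if __name__ == "__main__":
    for name in ("ws01$", "alice", "a*b"):
        base, flt = search_params(SMB_CONF, name)
        print(f"{name:8} base={base}  filter={flt}")
```

Running the block prints the machine account resolving to the `ou=computer` base and the user accounts to `ou=People`, with the `*` in the last name neutralised in the filter.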
RE: [Samba] Re: Transfering Machine Accounts / MACHINE.SID
On Mon, 29 Dec 2003, Craig White wrote:

> On Mon, 2003-12-29 at 11:37, Sharp, Clint wrote:
> > Quotes are required around the two ldap:// URIs AFAIK. I've not used AS
> > 3, but on 8 I've always built from Source RPM as I've also added ACL
> > support (pretty easy with the Redhat kernels, and even though they say
> > it's not stable, I've yet to have any problems with it). I'd go grab
> > Samba 3.0.1 source RPMs from the Samba website and build from there, or
> > even upgrade to 3.0.1 from the Redhat RPMs on the Samba site, as those
> > are known to have proper LDAP support included.
> ---
> It's a bit vague (changelogs for various changes since 3.0.0) but
> apparently they've fixed 'more' ldap group mappings
> searches...undoubtedly good - does that mean that it would be safe to
> have Computers in their own ou or even with 3.0.1 would they still have
> to be in ou=People?

No. The search facility has not been fixed in 3.0.1. You should still use
the People container for Machine accounts with 3.0.1.

- John T.

> I haven't a clue where AS 3 fits in RH 8/9 scheme - me thinks more like
> 9. I have been reticent to add 'value' to the Red Hat offering but ended
> up compiling Netatalk and Webmin from source since they aren't
> supported. I am gonna have to think about this one...
>
> Thanks,
>
> Craig

--
John H Terpstra
Email: [EMAIL PROTECTED]
Re: [Samba] Re: Transfering Machine Accounts / MACHINE.SID
Monday, December 29, 2003, 10:08:16 PM, Clint wrote:

> Passdb backend = ldapsam:"ldap://master ldap://slave" works just fine
> for me. I have the passwd program set to /usr/bin/passwd and Samba
> updates the Samba related entries in the Master LDAP (with passwd
> updating the posixAccount related entries). Took me a while to find the
> ldapsam:"ldap://master ldap://slave" workaround too, but it's worked
> flawlessly for me in production since.

Could you try (on PDC):

    Passdb backend = ldapsam:"ldap://slave ldap://master"

since what I want is PDC -> slave ldap server

--beast
RE: [Samba] Re: Transfering Machine Accounts / MACHINE.SID
On Mon, 2003-12-29 at 11:37, Sharp, Clint wrote:
> Quotes are required around the two ldap:// URIs AFAIK. I've not used AS
> 3, but on 8 I've always built from Source RPM as I've also added ACL
> support (pretty easy with the Redhat kernels, and even though they say
> it's not stable, I've yet to have any problems with it). I'd go grab
> Samba 3.0.1 source RPMs from the Samba website and build from there, or
> even upgrade to 3.0.1 from the Redhat RPMs on the Samba site, as those
> are known to have proper LDAP support included.
---
It's a bit vague (changelogs for various changes since 3.0.0) but
apparently they've fixed 'more' ldap group mappings
searches...undoubtedly good - does that mean that it would be safe to
have Computers in their own ou or even with 3.0.1 would they still have
to be in ou=People?

I haven't a clue where AS 3 fits in RH 8/9 scheme - me thinks more like
9. I have been reticent to add 'value' to the Red Hat offering but ended
up compiling Netatalk and Webmin from source since they aren't
supported. I am gonna have to think about this one...

Thanks,

Craig
RE: [Samba] Re: Transfering Machine Accounts / MACHINE.SID
On Mon, 29 Dec 2003, Craig White wrote:

> On Mon, 2003-12-29 at 08:08, Sharp, Clint wrote:
> > Passdb backend = ldapsam:"ldap://master ldap://slave" works just fine
> > for me. I have the passwd program set to /usr/bin/passwd and Samba
> > updates the Samba related entries in the Master LDAP (with passwd
> > updating the posixAccount related entries). Took me a while to find the
> > ldapsam:"ldap://master ldap://slave" workaround too, but it's worked
> > flawlessly for me in production since.
>
> perhaps this is a problem with only the version of Samba 3 that shipped
> in Red Hat AS 3 but if I put in...
>
> passdb backend = ldapsam:ldap://localhost/ ldap://slave/

You must delimit the two instances with double quotes as follows:

    passdb backend = ldapsam:"ldap://master ldap://slave"

> I end up with the following in /var/log/samba/log.smbd...
>
> [2003/12/29 10:04:58, 0] passdb/pdb_interface.c:make_pdb_methods_name(447)
>   No builtin nor plugin backend for ldap found

Correct. It sees the second entry (the one after the space) as a request for
another backend, not as the same backend as the one specified by
ldapsam:ldap://master.

> Official Samba-3 Howto also states that default (meaning undeclared
> value) for ldap ssl = Start_tls but that doesn't seem to be the case.

Page reference please - I need to fix that.

The default is:

    ldap ssl =

Yep, that is a blank. This is output from Saturday's CVS tree:

[EMAIL PROTECTED]:~/Samba.Org> testparm -s -v | grep ldap
Load smb config files from /etc/samba/smb.conf
Can't find include file /etc/samba/machine.
Processing section "[homes]"
Processing section "[print$]"
Processing section "[netlogon]"
Processing section "[Profiles]"
Processing section "[printers]"
Processing section "[media]"
Processing section "[data]"
Processing section "[cdr]"
Processing section "[apps]"
Loaded services file OK.
        ldap suffix =
        ldap machine suffix =
        ldap user suffix =
        ldap group suffix =
        ldap idmap suffix =
        ldap filter = (uid=%u)
        ldap admin dn =
        ldap ssl =
        ldap passwd sync = no
        ldap delete dn = No
        ldap replication sleep = 1000

- John T.

--
John H Terpstra
Email: [EMAIL PROTECTED]
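John's explanation of why the unquoted form fails can be checked with a small model of the value parsing. The block below is an added example, not Samba's own code: it mimics the behaviour described above (whitespace separates backends, and each token is split at its first `:` into backend name and location), so the unquoted `ldapsam:ldap://localhost/ ldap://slave/` yields a second backend named `ldap`, which is exactly the name in the log line `No builtin nor plugin backend for ldap found`, while the double-quoted form keeps both URIs inside one `ldapsam` location. The set of known backend names is a constructed minimum for the example.

```python
"""Model of how a whitespace-separated 'passdb backend' value is split.

Added example, not Samba's code. It reproduces the rule described in the
thread: every whitespace-separated token is a separate backend, and a token
is split at its first ':' into backend name and location. Double quotes
keep embedded spaces inside one token.
"""
import shlex
from typing import List, Optional, Tuple

# Constructed, minimal set of backend names for the example.
KNOWN_BACKENDS = {"smbpasswd", "tdbsam", "ldapsam", "guest"}


def split_passdb_backend(value: str) -> List[Tuple[str, Optional[str]]]:
    """Split a 'passdb backend' value into (backend name, location) pairs.

    shlex.split honours double quotes, so 'ldapsam:"ldap://a ldap://b"'
    stays one token (quotes removed), while the unquoted
    'ldapsam:ldap://a ldap://b' becomes two tokens.
    """
    pairs: List[Tuple[str, Optional[str]]] = []
    for token in shlex.split(value):
        name, sep, location = token.partition(":")
        pairs.append((name, location if sep else None))
    return pairs


def check_passdb_backend(value: str) -> List[str]:
    """Return log-style messages for every backend name that does not resolve.

    An empty list means the value would load cleanly under this model.
    """
    errors = []
    for name, _location in split_passdb_backend(value):
        if name not in KNOWN_BACKENDS:
            errors.append(f"No builtin nor plugin backend for {name} found")
    return errors


if __name__ == "__main__":
    for cfg in ('ldapsam:ldap://localhost/ ldap://slave/',
                'ldapsam:"ldap://master ldap://slave"'):
        print(cfg)
        print("  parsed:", split_passdb_backend(cfg))
        print("  errors:", check_passdb_backend(cfg) or "none")
```

The first configuration produces two backends, `ldapsam` with location `ldap://localhost/` and an unknown `ldap` with location `//slave/`; the second produces a single `ldapsam` backend whose location is the whole URI list.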
RE: [Samba] Re: Transfering Machine Accounts / MACHINE.SID
Quotes are required around the two ldap:// URIs AFAIK. I've not used AS 3,
but on 8 I've always built from Source RPM as I've also added ACL support
(pretty easy with the Redhat kernels, and even though they say it's not
stable, I've yet to have any problems with it). I'd go grab Samba 3.0.1
source RPMs from the Samba website and build from there, or even upgrade to
3.0.1 from the Redhat RPMs on the Samba site, as those are known to have
proper LDAP support included.

Clint

> -----Original Message-----
> perhaps this is a problem with only the version of Samba 3
> that shipped in Red Hat AS 3 but if I put in...
>
> passdb backend = ldapsam:ldap://localhost/ ldap://slave/
>
> I end up with the following in /var/log/samba/log.smbd...
>
> [2003/12/29 10:04:58, 0] passdb/pdb_interface.c:make_pdb_methods_name(447)
>   No builtin nor plugin backend for ldap found
>
> Official Samba-3 Howto also states that default (meaning undeclared
> value) for ldap ssl = Start_tls but that doesn't seem to be the case.
>
> Craig
RE: [Samba] Re: Transfering Machine Accounts / MACHINE.SID
On Mon, 2003-12-29 at 08:08, Sharp, Clint wrote:
> Passdb backend = ldapsam:"ldap://master ldap://slave" works just fine
> for me. I have the passwd program set to /usr/bin/passwd and Samba
> updates the Samba related entries in the Master LDAP (with passwd
> updating the posixAccount related entries). Took me a while to find the
> ldapsam:"ldap://master ldap://slave" workaround too, but it's worked
> flawlessly for me in production since.

perhaps this is a problem with only the version of Samba 3 that shipped
in Red Hat AS 3 but if I put in...

    passdb backend = ldapsam:ldap://localhost/ ldap://slave/

I end up with the following in /var/log/samba/log.smbd...

[2003/12/29 10:04:58, 0] passdb/pdb_interface.c:make_pdb_methods_name(447)
  No builtin nor plugin backend for ldap found

Official Samba-3 Howto also states that default (meaning undeclared
value) for ldap ssl = Start_tls but that doesn't seem to be the case.

Craig
RE: [Samba] Re: Transfering Machine Accounts / MACHINE.SID
> -----Original Message-----
> Tried what? ;-)
>
> Setup :
>   unix password sync = yes
>   passwd program = /usr/local/sbin/ldap-passwd.pl %u
>
> Note: ldap-passwd.pl is a custom script to modify the userpassword
> attribute, modify the master server/able to chase referral if any.
>
> BDC -> Slave Openldap:
>
> 1. ldapmanager as replica account.
>    User was able to change password from Win WS.
>    ldap-passwd.pl updates master, samba updates slave.
>
> 2. ldapmanager not as replica account.
>    - user unable to change password, err from Windows is "you
>      did not have permission to change your password".
>    - run smbpasswd to change user password also giving error.
>
> but i did not try :
>   passdb backend = ldapsam:"ldap://slave ldap://master"
> Will it solve my problem?
>
> Another question:
> On what interval do clients change their machine password? is it
> triggered from client or server?
>
>
> --beast

Passdb backend = ldapsam:"ldap://master ldap://slave" works just fine
for me. I have the passwd program set to /usr/bin/passwd and Samba
updates the Samba related entries in the Master LDAP (with passwd
updating the posixAccount related entries). Took me a while to find the
ldapsam:"ldap://master ldap://slave" workaround too, but it's worked
flawlessly for me in production since.

Clint
Re: [Samba] Re: Transfering Machine Accounts / MACHINE.SID
Monday, December 29, 2003, 5:52:20 PM, Andrew wrote:

> Have you actually tried this? Really, we are not in the business of
> creating solutions that simply don't work. Many production sites
> (mine included) rely on our LDAP code, including the behaviour that
> allows DCs to bind to slave ldap servers, rebinding to the master when
> required. Indeed, we recently integrated the 'ldap replication
> sleep' parameter to assist in this process.

Tried what? ;-)

Setup :
  unix password sync = yes
  passwd program = /usr/local/sbin/ldap-passwd.pl %u

Note: ldap-passwd.pl is a custom script to modify the userpassword
attribute, modify the master server/able to chase referral if any.

BDC -> Slave Openldap:

1. ldapmanager as replica account.
   User was able to change password from Win WS.
   ldap-passwd.pl updates master, samba updates slave.

2. ldapmanager not as replica account.
   - user unable to change password, err from Windows is "you
     did not have permission to change your password".
   - run smbpasswd to change user password also giving error.

but i did not try :
  passdb backend = ldapsam:"ldap://slave ldap://master"
Will it solve my problem?

Another question:
On what interval do clients change their machine password? is it
triggered from client or server?

--beast
Re: [Samba] Re: Transfering Machine Accounts / MACHINE.SID
On Mon, Dec 29, 2003 at 04:34:02PM +0700, Beast wrote:
> Saturday, December 27, 2003, 1:45:33 PM, Andrew wrote:
>
> > On Sat, 2003-12-27 at 15:51, Beast wrote:
> >> Saturday, December 27, 2003, 5:41:37 AM, Andrew wrote:
>
> >> If I put PDC in slave ldap, does this mean that it will update the
> >> slave (because samba will bind as ldap-root which has authority of
> >> updating this replica)?
> >> No way to prevent samba from using another ldap account to update the
> >> directory?
>
> > You should never list the Manager account as the replicator. Instead,
> > create a new account, and use it only for the replication. That way,
> > everybody who is not the replicator account will be forced to talk to
> > the master.
>
> This is expected behaviour :-)
> as long as openldap does not support multimaster or samba can not
> chase the update referral, i have to live with un-synced sambapassword
> attributes in ldap :-(

Have you actually tried this? Really, we are not in the business of
creating solutions that simply don't work. Many production sites
(mine included) rely on our LDAP code, including the behaviour that
allows DCs to bind to slave ldap servers, rebinding to the master when
required. Indeed, we recently integrated the 'ldap replication
sleep' parameter to assist in this process.

Andrew Bartlett
Re: [Samba] Re: Transfering Machine Accounts / MACHINE.SID
Saturday, December 27, 2003, 1:45:33 PM, Andrew wrote:

> On Sat, 2003-12-27 at 15:51, Beast wrote:
>> Saturday, December 27, 2003, 5:41:37 AM, Andrew wrote:

>> If I put PDC in slave ldap, does this mean that it will update the
>> slave (because samba will bind as ldap-root which has authority of
>> updating this replica)?
>> No way to prevent samba from using another ldap account to update the
>> directory?

> You should never list the Manager account as the replicator. Instead,
> create a new account, and use it only for the replication. That way,
> everybody who is not the replicator account will be forced to talk to
> the master.

This is expected behaviour :-)
as long as openldap does not support multimaster or samba can not
chase the update referral, i have to live with un-synced sambapassword
attributes in ldap :-(

--beast
Re: [Samba] Re: Transfering Machine Accounts / MACHINE.SID
On Sat, 27 Dec 2003, Beast wrote:

> Saturday, December 27, 2003, 5:41:37 AM, Andrew wrote:
>
> > On Sat, 2003-12-27 at 07:10, Information Technology wrote:
> >>
> >> My goal is to rebuild my PDC as I mentioned earlier. I stated in another
> >> thread my plan was to create a 3.0.1 BDC; transfer the accounts; transfer the
> >> shares; then, move the user and system accounts into LDAP. Once the PDC is
> >> rebuilt and I need to transfer control back, It should be simple to move the
> >> LDAP first, point the new Samba to the new primary LDAP, and demote the
> >> temporary PDC back down to BDC.
>
> > And to make it a real BDC, setup an LDAP slave.
>
> If I put PDC in slave ldap, does this mean that it will update the
> slave (because samba will bind as ldap-root which has authority of
> updating this replica)?
> No way to prevent samba from using another ldap account to update the
> directory?

Have you tried this? Did you monitor it using ethereal? If not, I recommend
that you do this.

--
John H Terpstra
Email: [EMAIL PROTECTED]
Re: [Samba] Re: Transfering Machine Accounts / MACHINE.SID
On Sat, 2003-12-27 at 15:51, Beast wrote:
> Saturday, December 27, 2003, 5:41:37 AM, Andrew wrote:
>
> > On Sat, 2003-12-27 at 07:10, Information Technology wrote:
> >>
> >> My goal is to rebuild my PDC as I mentioned earlier. I stated in another
> >> thread my plan was to create a 3.0.1 BDC; transfer the accounts; transfer the
> >> shares; then, move the user and system accounts into LDAP. Once the PDC is
> >> rebuilt and I need to transfer control back, It should be simple to move the
> >> LDAP first, point the new Samba to the new primary LDAP, and demote the
> >> temporary PDC back down to BDC.
>
> > And to make it a real BDC, setup an LDAP slave.
>
> If I put PDC in slave ldap, does this mean that it will update the
> slave (because samba will bind as ldap-root which has authority of
> updating this replica)?
> No way to prevent samba from using another ldap account to update the
> directory?

You should never list the Manager account as the replicator. Instead,
create a new account, and use it only for the replication. That way,
everybody who is not the replicator account will be forced to talk to
the master.

Andrew Bartlett

--
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net
Re: [Samba] Re: Transfering Machine Accounts / MACHINE.SID
Saturday, December 27, 2003, 5:41:37 AM, Andrew wrote:

> On Sat, 2003-12-27 at 07:10, Information Technology wrote:
>>
>> My goal is to rebuild my PDC as I mentioned earlier. I stated in another
>> thread my plan was to create a 3.0.1 BDC; transfer the accounts; transfer the
>> shares; then, move the user and system accounts into LDAP. Once the PDC is
>> rebuilt and I need to transfer control back, It should be simple to move the
>> LDAP first, point the new Samba to the new primary LDAP, and demote the
>> temporary PDC back down to BDC.

> And to make it a real BDC, setup an LDAP slave.

If I put PDC in slave ldap, does this mean that it will update the
slave (because samba will bind as ldap-root which has authority of
updating this replica)?
No way to prevent samba from using another ldap account to update the
directory?

--beast
Re: [Samba] Re: Transfering Machine Accounts / MACHINE.SID
On Sat, 2003-12-20 at 05:53, Kevin Fries wrote:
> Kevin Fries wrote:
>
> > I have a Samba 2.2.7 PDC, and I am now trying to set up a new 3.0.1
> > server. I want this machine to act as a BDC initially and replicate all
> > the accounts over.

Unfortunately, this is not a supported configuration, for live clients.
If, while the 'BDC' is operational, a machine changes its machine account
password, then it is possible for it to be changed on the BDC, but not
the PDC.

> > When I followed the howto it said to use smbpasswd -S to
> > transfer the machine SID and then to replicate the smbpasswd file to the
> > new server. This has caused two major problems:
> >
> > 1) the smbpasswd command does not support the -S option

In 3.0? That is because that option moved to 'net' as 'net getlocalsid'
and 'net setlocalsid' (I think, read the BDC doco in the HOWTO).

> > 2) My user accounts transferred to the new machine, but not the machine
> > trust accounts.
>
> OK, found this one. I forgot to move the posix accounts over to the new
> machines and Samba silently ignored the accounts. pdbedit on the other
> hand screamed bloody murder. Added PosixAccount to my machine entries in
> the new LDAP server, and Samba 3 found them thanks to nss_ldap.
>
> However, I still do not have a MACHINE.SID file because the smbpasswd
> command does not work as advertised. Is it OK to just copy that file from
> the old machine?

If you don't have a secrets.tdb, then we will read that file on startup.

Andrew Bartlett

--
Andrew Bartlett                                 [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team  [EMAIL PROTECTED]
Student Network Administrator, Hawker College   [EMAIL PROTECTED]
http://samba.org     http://build.samba.org     http://hawkerc.net