[KLUG Members] Help for upgrade to Samba 3.0.1 (LDAPSAM) fm 2.2.8a anybody?

Adam Williams members@kalamazoolinux.org
Tue, 06 Jan 2004 08:51:40 -0500


> |> I've got it almost working but right now it is allowing anyone
> |> to access the shares and won't add a machine even if there is
> |> already a record in the machines ou.  I've been watching the
> |> logs but can't find any recognizable errors.
> | What error do you get when you try to join the domain (I assume
> | that's what you mean by "add a machine")?
> "Access is denied"  This seems odd since it otherwise grants access
> without a password or anything.
> | You are using the root username and password?  You have to have a
> | root account in LDAP.  And a posixAccount already exists for the
> | machine with a unique uidNumber and VALID gidNumber?
> Hmmmm, in 2.2.8a the builtin accounts like "Administrator" weren't
> actually functional.  Are you saying that now there are some
> functional builtins?

Yes, but they need to be associated with an existing account, by
manually setting the sambaSID attribute of the sambaSamAccount
auxiliary objectclass in the object to the appropriate DOMAIN+RID
value.

> It should be no trouble to change the Admininstrators uid to 0 for a
> test.   I'll give that a try this evening.  Now if I change the
> Administrator accounts uid to 0, isn't that going to cause trouble
> when Administrator tries to log into one of the Linux boxes? Hmmmm...
> I could perhaps fix this by putting it in a different ou or something.

Don't create an administrator account.  Create an administrative group
mapped to the Administrators built-in and set the sambaSID of root to
the builtin RID of the domain administrator.

> |> ~        ldap suffix = dc=j9starr,dc=net
> |> ~        ldap machine
> |> For some reason I don't remember anything about idmaps from my
> |> previous attempts at this.   Are they new?  It didn't seem to me
> |> like they were required. If they are, then perhaps my database
> |> needs further editing?
> | You don't need them unless you have trusted domains.

The PDC of domain A will proxy authentication and authorization requests
from a workstation or process in domain A to the PDC of domain B to
grant transparent access to users or services in domain B to resources
in domain A.  Phweeew....
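As an added illustration of what the reply above describes (this is not code from the original posts or from the Samba project): the script below takes the domain SID as printed by `net getlocalsid`, builds the LDIF that tags the existing root entry with the domain Administrator RID (DOMAIN-SID plus 500), builds the sambaGroupMapping change that maps a Unix group to the BUILTIN\Administrators alias, and checks a machine entry against the join requirements named in the thread (posixAccount plus sambaSamAccount, a unique uidNumber, an existing gidNumber). The DNs, the group name "domadm", the workstation entry and the `net getlocalsid` output are constructed for the example and are not from the thread.

```python
"""Added example for the Samba 3 / ldapsam thread above; not the original
poster's code.  DNs, group name and the sample `net getlocalsid` output are
hypothetical, chosen for the example."""
import re

# Well-known RIDs and SIDs (Windows/Samba constants)
RID_ADMINISTRATOR = 500                      # domain Administrator user
RID_DOMAIN_ADMINS = 512                      # Domain Admins global group
BUILTIN_ADMINISTRATORS_SID = "S-1-5-32-544"  # BUILTIN\Administrators alias
SAMBA_GROUP_TYPE_DOMAIN = 2                  # sambaGroupType: domain (global) group
SAMBA_GROUP_TYPE_LOCAL = 4                   # sambaGroupType: local alias (BUILTIN groups)

DOMAIN_SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+")


def parse_getlocalsid(output: str) -> str:
    """Pull the domain SID out of `net getlocalsid` output
    ("SID for domain PDC is: S-1-5-21-...")."""
    m = DOMAIN_SID_RE.search(output)
    if m is None:
        raise ValueError("no S-1-5-21-... domain SID found in: %r" % output)
    return m.group(0)


def sid_for(domain_sid: str, rid: int) -> str:
    """Compose DOMAIN-SID + RID, refusing malformed domain SIDs so a typo
    does not silently produce a SID that matches nothing."""
    if DOMAIN_SID_RE.fullmatch(domain_sid) is None:
        raise ValueError("not a domain SID: %r" % domain_sid)
    if rid < 0:
        raise ValueError("RID must be non-negative")
    return "%s-%d" % (domain_sid, rid)


def root_sambasid_ldif(root_dn: str, domain_sid: str) -> str:
    """LDIF modify that tags the existing root entry with the Administrator
    RID.  The entry must already carry objectClass sambaSamAccount and
    uidNumber 0; 'replace' works whether or not a sambaSID is present."""
    return (
        "dn: %s\n"
        "changetype: modify\n"
        "replace: sambaSID\n"
        "sambaSID: %s\n" % (root_dn, sid_for(domain_sid, RID_ADMINISTRATOR))
    )


def group_mapping_ldif(group_dn: str, nt_sid: str, nt_name: str, group_type: int) -> str:
    """LDIF modify that turns an existing posixGroup entry into a Samba group
    mapping (the LDAP form of what `net groupmap add` writes)."""
    return (
        "dn: %s\n"
        "changetype: modify\n"
        "add: objectClass\n"
        "objectClass: sambaGroupMapping\n"
        "-\n"
        "add: sambaSID\n"
        "sambaSID: %s\n"
        "-\n"
        "add: sambaGroupType\n"
        "sambaGroupType: %d\n"
        "-\n"
        "add: displayName\n"
        "displayName: %s\n" % (group_dn, nt_sid, group_type, nt_name)
    )


def machine_account_problems(entry: dict, other_uidnumbers: set, known_gidnumbers: set) -> list:
    """Return the reasons a machine entry would fail a join: the conditions
    the thread lists (posixAccount, unique uidNumber, valid gidNumber)."""
    problems = []
    classes = set(entry.get("objectClass", []))
    if "posixAccount" not in classes:
        problems.append("missing objectClass posixAccount")
    if "sambaSamAccount" not in classes:
        problems.append("missing objectClass sambaSamAccount")
    if not entry.get("uid", "").endswith("$"):
        problems.append("machine uid must end in '$'")
    uidn = entry.get("uidNumber")
    if uidn is None:
        problems.append("missing uidNumber")
    elif uidn in other_uidnumbers:
        problems.append("uidNumber %d already used" % uidn)
    gidn = entry.get("gidNumber")
    if gidn not in known_gidnumbers:
        problems.append("gidNumber %r does not exist" % gidn)
    return problems


# Constructed sample input standing in for `net getlocalsid` on the PDC.
SAMPLE_GETLOCALSID = "SID for domain PDC is: S-1-5-21-1234567890-987654321-1122334455"

if __name__ == "__main__":
    domain_sid = parse_getlocalsid(SAMPLE_GETLOCALSID)
    print(root_sambasid_ldif("uid=root,ou=People,dc=example,dc=com", domain_sid))
    print(group_mapping_ldif("cn=domadm,ou=Group,dc=example,dc=com",
                             BUILTIN_ADMINISTRATORS_SID, "Administrators",
                             SAMBA_GROUP_TYPE_LOCAL))
    # Constructed workstation entry: joinable as long as gid 515 exists.
    ws = {"uid": "ws01$", "objectClass": ["posixAccount", "sambaSamAccount"],
          "uidNumber": 1001, "gidNumber": 515}
    print(machine_account_problems(ws, {1000}, {515}) or "machine entry looks joinable")
```

Feed the generated LDIF to `ldapmodify -x -D <admin DN> -W -f file.ldif` against the server named in `ldap suffix`; the group mapping can equally be written by `net groupmap add` against the same group. For a Domain Admins mapping rather than the BUILTIN alias, pass `sid_for(domain_sid, RID_DOMAIN_ADMINS)` and `SAMBA_GROUP_TYPE_DOMAIN` instead.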