[KLUG Members] Help for upgrade to Samba 3.0.1 (LDAPSAM) fm 2.2.8a anybody?
Adam Williams
members@kalamazoolinux.org
Fri, 23 Jan 2004 06:54:25 -0500
> | Ah ha! You're getting this while attempting to join the domain?
> | 1.) You have a posixAccount object that corresponds to the [%m || "$"]?
> Huh? You mean a machine account? Yes, and no, it is not also a
> sambaSamAccount.
Right, it shouldn't be. When you execute the domain join the
posixAccount machine object will become a sambaSamAccount object - Samba
will add the stuff. The posixAccount must preexist (well it can be
created by scripts, but one thing at a time).
> | 2.) That posixAccount is NOT also a sambaSamAccount
The way it should *START*. Once you've joined it should be one.
> | 3.) That object is under your ou=System Accounts or equivalent ou
> The client machine's name is kaliklak. The dn is:
> uid=kaliklak$,ou=Computers,dc=j9starr,dc=net
Right, that looks normal.
> | --What ldap machine suffix = says
> | 4.) You're logged into the workstation as the **LOCAL** Administrator
> Don't I have to if I don't have domain membership yet set up on the
> client box?
You have to acquire domain membership; you do that via the LOCAL
Administrator account.
> | 5.) You've made NONE/ZERO/ZIP network connections before attempting to
> | join the domain?
> | i.e. You boot, login, and attempt to join the domain with NO
> | intermediary steps.
> I restarted the server assuming that this would sever any connections.
Nope, that won't work. The CIFS client may detect a server bounce and
simply (and silently) re-establish connections. You always need to
reboot the workstation before attempting to join a domain.
> | 6.) "net getlocalsid" on the purported PDC returns a PDC like SID?
> | -->[root@littleboy /root]# net getlocalsid
> | -->SID for domain BARBEL is: S-1-5-21-2037442776-3290224752-88127236
> | --See the lack of a RID
> [root@enigma root]# net3 getlocalsid
> SID for domain ENIGMA is: S-1-5-21-1825057718-3407101348-4194330872
> [root@enigma root]#
OK.
> | 7.) You have a uid=root object in your DIT and that object ***IS*** a
> | sambaSamAccount (its RID doesn't matter, should be 1000 following
> | normal conventions, but whatever).
> | -->[root@littleboy /root]# pdbedit -u root
> | -->root:0:root
> | --It is OK for root to also be in /etc/passwd, don't worry about it.
> I don't have access to pdbedit. What package is it part of?
pdbedit comes with Samba 3.x.x. If you don't have it your packages are
broken.
> I currently do not have a uid=root in my DIT. I suppose I would have to
> put it in ou=People so samba can find it?
I suppose; it depends on how you have your DIT set up.
> [root@enigma samba3]# grep People smb.conf
> ldap user suffix = ou=People
> Hmmm... I would really rather not put it in a place where it can be seen
> by linux though. I suppose I could create a sub ou under People. That
That's why we have "ou=System Accounts", for stuff like root, apache,
mail, bie, etc... we chose this route over "ou=Computers".
People in People (People may or may not be users). Accounts that aren't
people (really just 'security contexts') are in "System Accounts".
> might hide it from Linux but is samba doing a sub tree search of ou
> People or not?
I'd assume yes.
> Will fix.
> | 8.) root is a memberuid attribute of your Domain Administrators group.
> | (or the root account object's dn is a member attribute of the group
> | object if you're using RFC2307bis).
> I have no idea what RFC is what. I'll create uid=root sambaSamAccount
> and add it to Domain Administrators.
What does a group object look like? If it has memberuid=xxx then you
are using RFC2307, if it has member=uid=root,.... (values are DNs) you
are using RFC2307bis. We are currently migrating to RFC2307bis since it
has several subtle advantages.
> | -->[root@littleboy /root]# id root
> | -->uid=0(root) gid=0(root)
> | -->groups=0(root),1(bin),2(daemon),3(sys),6(disk),10(wheel),
> | -->*****4(admins)***** <- the Domain Administrators group
> [root@enigma samba3]# id root
> uid=0(root) gid=0(root) groups=0(root)
> But then it is already known that I have to fix this.
> | 9.) Your domain administrators group has a SID of PDC-SID || "-512"
> | -->[root@littleboy /root]# net groupmap list | grep Admin
> | -->Domain Admins (S-1-5-21-2037442776-3290224752-88127236-512) -> admins
> | --And of course, this SID does match the PDC SID?
> dn: uid=Administrator,ou=People,dc=j9starr,dc=net
> sambaPrimaryGroupSID: S-1-5-21-1825057718-3407101348-4194330872-512
> sambaSID: S-1-5-21-1825057718-3407101348-4194330872-500
OK.
> | 10.) You have WINS support enabled on the PDC and the client has that set
> | as the WINS server?
> [root@enigma samba3]# grep wins smb.conf
> # the default order is "host lmhosts wins bcast". "host" means use the unix
> ; name resolve order = wins lmhosts bcast
> ~ wins support = yes
> ; wins server = w.x.y.z
> ; wins proxy = yes
> [root@enigma samba3]#
> I've never needed to mess with this before on the client. Is this
> something new?
Are you giving it the WINS address via DHCP? You really want to enable
WINS.
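A checker for the LDAP-side items of the checklist above (machine object is posixAccount but not yet sambaSamAccount, uid=root is a sambaSamAccount, Domain Admins SID is PDC-SID || "-512", and whether the group uses memberUid (RFC2307) or DN-valued member (RFC2307bis)), added here as an example and not code from the thread. The LDIF entries are constructed; only the domain SID is taken from the `net getlocalsid` output quoted above, and the DNs for root and the group are assumptions.

```python
# Constructed sample LDIF (the SID is the thread's; DNs and root/group entries are assumed)
SAMPLE_LDIF = """\
dn: uid=kaliklak$,ou=Computers,dc=j9starr,dc=net
objectClass: posixAccount
uid: kaliklak$

dn: uid=root,ou=System Accounts,dc=j9starr,dc=net
objectClass: sambaSamAccount
uid: root

dn: cn=Domain Admins,ou=Groups,dc=j9starr,dc=net
cn: Domain Admins
sambaSID: S-1-5-21-1825057718-3407101348-4194330872-512
memberUid: root
"""
PDC_SID = "S-1-5-21-1825057718-3407101348-4194330872"  # from the thread's net getlocalsid

def parse_ldif(text):
    # Minimal LDIF reader: blank-line separated entries -> {attr_lowercased: [values]}
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        else:
            attr, _, val = line.partition(":")
            cur.setdefault(attr.strip().lower(), []).append(val.strip())
    return entries

ocs = lambda e: {v.lower() for v in e.get("objectclass", [])}  # objectClass set, lowercased

def check_prereqs(ldif_text, pdc_sid, machine):
    # Checklist items 1, 2, 7, 8 and 9 evaluated against the LDIF dump
    entries = parse_ldif(ldif_text)
    host = next((e for e in entries if machine + "$" in e.get("uid", [])), None)
    root = next((e for e in entries if "root" in e.get("uid", [])), None)
    admins = next((e for e in entries if "Domain Admins" in e.get("cn", [])), None)
    # memberUid values are uids (RFC2307); member values are DNs (RFC2307bis)
    if admins and "member" in admins:
        style, root_in_admins = "rfc2307bis", bool(root) and root["dn"][0] in admins["member"]
    elif admins and "memberuid" in admins:
        style, root_in_admins = "rfc2307", "root" in admins["memberuid"]
    else:
        style, root_in_admins = "unknown", False
    return {
        "machine_posix_only": bool(host) and "posixaccount" in ocs(host) and "sambasamaccount" not in ocs(host),
        "root_is_samba": bool(root) and "sambasamaccount" in ocs(root),
        "admins_sid_ok": bool(admins) and admins.get("sambasid", [""])[0] == pdc_sid + "-512",
        "group_style": style,
        "root_in_admins": root_in_admins,
    }
```

Run it against `ldapsearch -LLL` output of your own tree to see which item of the checklist is still failing before retrying the join.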