[KLUG Members] Help for upgrade to Samba 3.0.1 (LDAPSAM) fm 2.2.8a anybody?

Adam Williams members@kalamazoolinux.org
Fri, 23 Jan 2004 06:54:25 -0500


> | Ah ha!  You're getting this while attempting to join the domain?
> | 1.) You have a posixAccount object that corresponds to the [%m || "$"]?
> Huh? You mean a machine account? Yes, and no, it is not also a
> sambaSamAccount.

Right, it shouldn't be.  When you execute the domain join the
posixAccount machine object will become a sambaSamAccount object - Samba
will add the stuff.  The posixAccount must preexist (well it can be
created by scripts, but one thing at a time).

> | 2.) That posixAccount is NOT also a sambaSamAccount

The way it should *START*.  Once you've joined it should be one.

> | 3.) That object is under your ou=System Accounts or equivalent ou
> The client machine's name is kaliklak.  The dn is:
> uid=kaliklak$,ou=Computers,dc=j9starr,dc=net

Right, that looks normal.

> | --What ldap machine suffix = says
> | 4.) You're logged into the workstation as the **LOCAL** Administrator
> Don't I have to if I don't have domain membership yet set up on the
> client box? 

You have to acquire domain membership, you do that via the LOCAL
Administrator account.

> | 5.) You've made NONE/ZERO/ZIP network connections before attempting to
> | join the domain?
> | i.e. You boot, login, and attempt to join the domain with NO
> | intermediary steps.
> I restarted the server assuming that this would sever any connections.

Nope, that won't work.  The CIFS client may detect a server bounce and
simply (and silently) re-establish connections.  You always need to
reboot the workstation before attempting to join a domain.

> | 6.) "net getlocalsid" on the purported PDC returns a PDC like SID?
> | -->[root@littleboy /root]# net getlocalsid
> | -->SID for domain BARBEL is: S-1-5-21-2037442776-3290224752-88127236
> | --See the lack of a RID
> [root@enigma root]# net3 getlocalsid
> SID for domain ENIGMA is: S-1-5-21-1825057718-3407101348-4194330872
> [root@enigma root]#

OK.

> | 7.) You have a uid=root object in your Dit and that object ***IS*** a
> | sambaSamAccount (its RID doesn't matter, should be 1000 following
> | normal conventions, but whatever).
> | -->[root@littleboy /root]# pdbedit -u root
> | -->root:0:root
> | --It is OK for root to also be in /etc/passwd, don't worry about it.
> I don't have access to pdbedit. What package is it part of?

pdbedit comes with Samba 3.x.x.  If you don't have it your packages are
broken.

> I currently do not have a uid=root in my DIT.  I suppose I would have to
> put it in ou=People so samba can find it?

I suppose; it depends on how you have your Dit set up.

> [root@enigma samba3]# grep People smb.conf
> ldap user suffix = ou=People
> Hmmm... I would really rather not put it in a place where it can be seen
> by linux though.  I suppose I could create a sub ou under People. That

That's why we have "ou=System Accounts", for stuff like root, apache,
mail, bie, etc...  we chose this route over "ou=Computers".

People in People (People may or may not be users).  Accounts that aren't
people (really just 'security contexts') are in "System Accounts".

> might hide it from Linux but is samba doing a sub tree search of ou
> People or not?

I'd assume yes.

> Will fix.
> | 8.) root is a memberuid attribute of your Domain Administrators group.
> | (or the root account object's dn is a member attribute of the group
> | object if you're using RFC2307bis).
> I have no idea what RFC is what. I'll create uid=root sambaSamAccount
> and add it to Domain Administrators.

What does a group object look like?  If it has memberuid=xxx then you
are using RFC2307, if it has member=uid=root,.... (values are DNs) you
are using RFC2307bis.  We are currently migrating to RFC2307bis since it
has several subtle advantages.

> | -->[root@littleboy /root]# id root
> | -->uid=0(root) gid=0(root)
> | -->groups=0(root),1(bin),2(daemon),3(sys),6(disk),10(wheel),
> | -->*****4(admins)***** <- the Domain Administrators group
> [root@enigma samba3]# id root
> uid=0(root) gid=0(root) groups=0(root)
> But then it is already known that I have to fix this.
> | 9.) Your domain administrators group has a SID of PDC-SID || "-512"
> | -->[root@littleboy /root]# net groupmap list | grep Admin
> | -->Domain Admins (S-1-5-21-2037442776-3290224752-88127236-512) -> admins
> | --And of course, this SID does match the PDC SID?
> dn: uid=Administrator,ou=People,dc=j9starr,dc=net
> sambaPrimaryGroupSID: S-1-5-21-1825057718-3407101348-4194330872-512
> sambaSID: S-1-5-21-1825057718-3407101348-4194330872-500

OK.

> | 10.) You have WINS support enabled on the PDC and the client has that set
> | as the WINS server?
> [root@enigma samba3]# grep wins smb.conf
> # the default order is "host lmhosts wins bcast". "host" means use the unix
> ; name resolve order = wins lmhosts bcast
> ~   wins support = yes
> ;   wins server = w.x.y.z
> ;   wins proxy = yes
> [root@enigma samba3]#
> I've never needed to mess with this before on the client. Is this
> something new?

Are you giving it the WINS address via DHCP?  You really want to enable
WINS.
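As an added example (not from this thread or from Samba itself), a small Python check that runs the pre-join checklist discussed above against a constructed LDIF copy of the DIT: the machine object is a posixAccount and not yet a sambaSamAccount, the domain SID as printed by "net getlocalsid" has no RID, uid=root is a sambaSamAccount and a member of Domain Admins under either RFC2307 (memberUid) or RFC2307bis (member holding a DN), and the group's sambaSID is the domain SID plus "-512". All DNs, names and SIDs in the sample are made up.

```python
import re
# Constructed sample DIT (LDIF) following the thread's checklist; all names and SIDs are made up.
SAMPLE_LDIF = """\
dn: uid=kaliklak$,ou=Computers,dc=example,dc=net
objectClass: posixAccount
uid: kaliklak$

dn: uid=root,ou=System Accounts,dc=example,dc=net
objectClass: sambaSamAccount
uid: root

dn: cn=Domain Admins,ou=Groups,dc=example,dc=net
cn: Domain Admins
memberUid: root
sambaSID: S-1-5-21-1825057718-3407101348-4194330872-512
"""
DOMAIN_SID = "S-1-5-21-1825057718-3407101348-4194330872"  # what 'net getlocalsid' prints; constructed
def parse_ldif(text):
    """Return {dn: {attr: [values]}} for simple, unfolded LDIF."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for key, _, val in (line.partition(": ") for line in block.splitlines()):
            attrs.setdefault(key, []).append(val)
        entries[attrs["dn"][0]] = attrs
    return entries

def is_domain_sid(sid):
    """A domain (PDC) SID is S-1-5-21 plus three sub-authorities and no trailing RID."""
    return re.fullmatch(r"S-1-5-21(-\d+){3}", sid) is not None

def group_schema(group):
    """memberUid values mean RFC2307; member values holding DNs mean RFC2307bis."""
    return "RFC2307" if "memberUid" in group else "RFC2307bis" if "member" in group else "unknown"

def prejoin_checks(entries, domain_sid, machine="kaliklak$", admins_cn="Domain Admins"):
    """Evaluate checklist items 1, 2, 6, 7, 8 and 9 from the thread against the parsed DIT."""
    by_uid = {e["uid"][0]: e for e in entries.values() if "uid" in e}
    mach, root = by_uid.get(machine, {}), by_uid.get("root", {})
    admins = next(e for e in entries.values() if e.get("cn") == [admins_cn])
    classes = mach.get("objectClass", [])
    # Membership is expressed by uid (RFC2307) or by the member's DN (RFC2307bis).
    root_in_admins = ("root" in admins.get("memberUid", [])
                      or root.get("dn", [None])[0] in admins.get("member", []))
    return {
        "machine_posix_only": "posixAccount" in classes and "sambaSamAccount" not in classes,
        "domain_sid_has_no_rid": is_domain_sid(domain_sid),
        "root_is_sambasam": "sambaSamAccount" in root.get("objectClass", []),
        "root_in_admins": root_in_admins,
        "admins_sid_is_domain_512": admins.get("sambaSID", [""])[0] == domain_sid + "-512",
        "group_schema": group_schema(admins),
    }
```

Against a real directory the same checks would be run over the output of an ldapsearch of the user, computer and group suffixes from smb.conf; any False entry points at the checklist item to fix before retrying the join.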