[KLUG Members] Help for upgrade to Samba 3.0.1 (LDAPSAM) fm 2.2.8a
anybody?
Jim C.
members@kalamazoolinux.org
Sat, 24 Jan 2004 02:22:43 -0800
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
| Right it shouldn't be. When you execute the domain join the
| posixAccount machine object will become a sambaSamAccount object - Samba
| will add the stuff. The posixAccount must preexist (well it can be
| created by scripts, but one thing at a time).
Lines 212-214 in /usr/share/samba3/scripts/smbldap-useradd.pl were the
lines that add the sambaSamAccount objectclass to a machine account.
They were commented out. I commented them back in and now it works. It
didn't work before... What do you make of that?
|>| 2.) That posixAccount is NOT also a sambaSamAccount
| The way it should *START*. Once you've joined it should be one.
I'll run a quick test. Leave the Domain, delete the machine account,
then comment out those 3 lines in
/usr/share/samba3/scripts/smbldap-useradd.pl again. See what happens
when I try to join that box to the domain again...
...doesn't work. So for some reason samba is not adding the
sambaSamAccount objectclass to the machine account.
|
|>| 3.) That object is under your ou=System Accounts or equivalent ou
|>The client machine's name is kaliklak. The dn is:
|>uid=kaliklak$,ou=Computers,dc=j9starr,dc=net
| Right, that looks normal.
|>| 5.) You've made NONE/ZERO/ZIP network connections before attempting to
|>| join the domain?
...
| Nope, that won't work. The CIFS client may detect a server bounce and
| simply (and silently) re-establish connections. You always need to
| reboot the workstation before attempting to join a domain.
OK, good to know for the future. Client box must be restarted.
|>| 6.) "net getlocalsid" on the purported PDC returns a PDC like SID?
|>| -->[root@littleboy /root]# net getlocalsid
|>| -->SID for domain BARBEL is: S-1-5-21-2037442776-3290224752-88127236
|>| --See the lack of a RID
|>[root@enigma root]# net3 getlocalsid
|>SID for domain ENIGMA is: S-1-5-21-1825057718-3407101348-4194330872
|>[root@enigma root]#
| OK.
Why does it say domain ENIGMA though? The domain is named J9STARR. The
server machine is named Enigma.
|>| 7.) You have a uid=root object in your Dit and that object **IS** a
|>| sambaSamAccount (its RID doesn't matter, should be 1000 following
|>| normal conventions, but whatever).
|>| -->[root@littleboy /root]# pdbedit -u root
|>| -->root:0:root
|>| --It is OK for root to also be in /etc/passwd, don't worry about it.
|>I don't have access to pbedit. What package is it part of?
| pdbedit comes with Samba 3.x.x. If you don't have it your packages are
| broken.
K. Found this. I was typing pbedit instead of pdbedit and also it is
pdbedit3 on this box.
|>I currently do not have a uid=root in my DIT. I suppose I would have to
|>put it in ou=People so samba can find it?
|
|
| I suppose, it depends on how you have your Dit setup.
|
|
|>[root@enigma samba3]# grep People smb.conf
|>ldap user suffix = ou=People
|>Hmmm... I would really rather not put it in a place where it can be seen
|>by linux though. I suppose I could create a sub ou under People. That
|
|
| Thats why we have "ou=System Accounts", for stuff like root, apache,
| mail, bie, etc... we chose this route over "ou=Computers".
OK but how would you use "ou=System Accounts"? I mean Samba would have
to look in ou=People, ou=Computers, ou=Groups. Is "ou=System Accounts"
a subtree of "ou=People"? Is there a suffix setting I am not aware of?
For example: ldap system suffix = "ou=System Accounts"
| People in People (People may or may not be users). Accounts that aren't
| people (really just 'security contexts') are in "System Accounts".
|>| 8.) root is a memberuid attribute of your Domain Administrators group.
|>| (or the root account object's dn is a member attribute of the group
|>| object if you're using RFC2307bis).
|>I have no idea what RFC is what. I'll create uid=root sambaSamAccount
|>and add it to Domain Administrators.
I'm going to put posixAccount back into root and set the uidNumber to 0
to see what effect it has.
| What does a group object look like? If it has memberuid=xxx then you
| are using RFC2307, if it has member=uid=root,.... (values are DNs) you
| are using RFC2307bis. We are currently migrating to RFC2307bis since it
| has several subtle advantages.
My groups look like: memberuid=xxx
|>| -->[root@littleboy /root]# id root
...
|>sambaSID: S-1-5-21-1825057718-3407101348-4194330872-500
| OK.
|>| 10.) You have WINS support enabled on the PDC and the client has that set
...
| Are you giving it the WINS address via DHCP. You really want to enable
| WINS.
I'll check and see what the router is doing in this regard. Uh oh. The
router doesn't seem to be capable of WINS. No options for it.
--
-----------------------------------------------------------------
| I can be reached on the following messenger services: |
|---------------------------------------------------------------|
| MSN: j_c_llings@hotmail.com AIM: WyteLi0n ICQ: 123291844 |
|---------------------------------------------------------------|
| Y!: j_c_llings Jabber: jcllings@nureality.com |
-----------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-nr1 (Windows XP)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFAEkdz57L0B7uXm9oRAionAJ0UUoqG090Ey6jvbByW37wIp89QUACcDARy
5su1PLQpJoMmTYSU2hSBbGE=
=VAVI
-----END PGP SIGNATURE-----
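A small checker for the LDAPSAM points argued over in this message (machine object must become posixAccount plus sambaSamAccount after the join, uid=root must be a sambaSamAccount whose sambaSID hangs off the PDC's domain SID, root must be in Domain Admins either as memberUid or, for RFC2307bis, as a member DN). This is an added example, not code from the thread or from Samba's smbldap-tools; the LDIF it reads is constructed here, with the DNs and the domain SID copied from the message, and it needs only the Python standard library.

```python
"""Checks for a Samba 3 LDAPSAM DIT following the checklist quoted above.
Added example, not code from the thread; LDIF is constructed (DNs and
domain SID copied from the message). Standard library only."""
import re
from collections import defaultdict

DOMAIN_SID = "S-1-5-21-1825057718-3407101348-4194330872"  # 'net getlocalsid' above
SID_RE = re.compile(r"^(S-1-5-21(?:-\d+){3})-(\d+)$")     # <domain SID>-<RID>

# Constructed LDIF: a machine account the join never upgraded, a correct
# uid=root under ou=System Accounts, and an RFC2307 (memberUid) group.
SAMPLE_LDIF = """\
dn: uid=kaliklak$,ou=Computers,dc=j9starr,dc=net
objectClass: posixAccount
uid: kaliklak$
uidNumber: 1005

dn: uid=root,ou=System Accounts,dc=j9starr,dc=net
objectClass: posixAccount
objectClass: sambaSamAccount
uid: root
uidNumber: 0
sambaSID: S-1-5-21-1825057718-3407101348-4194330872-500

dn: cn=Domain Admins,ou=Groups,dc=j9starr,dc=net
objectClass: posixGroup
cn: Domain Admins
gidNumber: 512
memberUid: root
"""


def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr(lowercased): [values]}}.
    Folds continuation lines (leading space); base64 values (::) not handled."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    entries, dn, attrs = {}, None, None
    for line in lines + [""]:             # trailing "" flushes the last entry
        if not line.strip():
            if dn is not None:
                entries[dn] = dict(attrs)
            dn, attrs = None, None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "dn":
            dn, attrs = value, defaultdict(list)
        elif attrs is not None:
            attrs[key].append(value)
    return entries


def check_account(entry, domain_sid=DOMAIN_SID):
    """Items 2, 3 and 7: a machine account (uid ending in '$') must carry BOTH
    posixAccount and sambaSamAccount once joined; uid=root must be a
    sambaSamAccount. Any sambaSID present must be <PDC domain SID>-<RID>."""
    oc = {c.lower() for c in entry.get("objectclass", [])}
    uid = entry.get("uid", [""])[0]
    needed = ["sambaSamAccount"] + (["posixAccount"] if uid.endswith("$") else [])
    problems = ["missing objectClass " + c for c in needed if c.lower() not in oc]
    m = SID_RE.match(entry.get("sambasid", [""])[0])
    if "sambasamaccount" in oc and not m:
        problems.append("sambaSID missing or not of the form <domain SID>-<RID>")
    elif m and m.group(1) != domain_sid:
        problems.append("sambaSID domain part differs from 'net getlocalsid'")
    return problems


def group_style(group):
    """RFC2307 groups hold login names in memberUid; RFC2307bis groups hold
    DNs in member. Which one you run decides how root has to be added."""
    has_uid, has_dn = bool(group.get("memberuid")), bool(group.get("member"))
    if has_uid and has_dn:
        return "mixed"
    return "rfc2307" if has_uid else ("rfc2307bis" if has_dn else "empty")


def root_in_group(group, root_dn):
    """Item 8: root listed as memberUid=root or as member=<root's DN>.
    DNs compared case-insensitively with spaces dropped (crude, enough here)."""
    norm = lambda s: s.lower().replace(" ", "")
    if "root" in {u.lower() for u in group.get("memberuid", [])}:
        return True
    return norm(root_dn) in {norm(d) for d in group.get("member", [])}


def run_checks(ldif_text, domain_sid=DOMAIN_SID):
    """Run every check over an LDIF dump; returns {dn: [problem strings]}."""
    entries = parse_ldif(ldif_text)
    accounts = {dn: e for dn, e in entries.items() if e.get("uid")}
    admins = {dn: e for dn, e in entries.items()
              if e.get("cn", [""])[0] == "Domain Admins"}
    report = {dn: check_account(e, domain_sid) for dn, e in accounts.items()}
    root_dn = next((dn for dn, e in accounts.items() if e["uid"][0] == "root"), None)
    for dn, g in admins.items():
        ok = root_dn is not None and root_in_group(g, root_dn)
        report[dn] = [] if ok else ["root not in Domain Admins (%s group)" % group_style(g)]
    return report


if __name__ == "__main__":
    for dn, problems in run_checks(SAMPLE_LDIF).items():
        print(dn, "->", problems or "OK")
```

Feed it a real dump (for example the output of `ldapsearch -x -LLL -b dc=j9starr,dc=net`) in place of SAMPLE_LDIF; the constructed sample reproduces the failure in the message, where the kaliklak$ object stays a bare posixAccount because nothing added sambaSamAccount during the join. Attributes that LDIF emits base64-encoded (`attr:: ...`) are not decoded by this reader, so a DN or value with non-ASCII characters or leading spaces would need that added first.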