openSUSE 11 and Samba/Ldap as PDC

Hi,

I have used Samba and LDAP as a PDC successfully in all previous versions of SuSE and openSUSE. Now in openSUSE version 11 it does not work. I can add the workstation to the domain, but I cannot do a domain logon or add a domain user. Every time I get an error message that the trust between the workstation and the server does not exist.
When I log on as a local user, I can browse the shares. I am using the same configuration files for Samba and LDAP as in 10.3.

Were there any new security measures added in 11.0?

Thanks and Regards,
Horst

Hi,

Branched from thread Samba as PDC.
I have openSUSE 10.3 with Samba and LDAP as a PDC working perfectly. I tried to do the same on a new install of openSUSE 11.0 using the same procedure and the same smb.conf, ldap.conf, slapd.conf and /etc/ldap.conf with smbldap-tools 0.9.5. I followed the same procedure as I did in 10.3, and workstations can be added to the domain and are registered in LDAP. Unix users are authenticated to LDAP, but a user registered in LDAP cannot log on to a workstation; it gives the error "The system cannot log you on now because the Domain XYZ is not available." When I log on to the workstation as a local Administrator I can browse the domain, and a user can open folders after logging on to the domain, but this user cannot log on at the initial workstation logon screen.
Following is my smb.conf:
[global]
workgroup = XWZ
netbios name = Neptune
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
username map = /etc/samba/smbusers
guest account = nobody
map to guest = Bad User
passdb backend = ldapsam:"ldap://127.0.0.1/"
ldap admin dn = cn=Manager,dc=xyz,dc=com,dc=au
ldap suffix = dc=xyz,dc=com,dc=au
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Users
ldap ssl = No
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
enable privileges = yes
domain master = yes
domain logons = yes
encrypt passwords = yes
ldap passwd sync = Yes
log level = 1
syslog = 0
log file = /var/log/samba/log.%m
time server = Yes
interfaces = 127.0.0.1 192.168.1.5/24
hosts allow = 192.168.1.0/255.255.255.0
socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
wins support = yes
Dos charset = 850
Unix charset = ISO8859-1
os level = 255

# Where to store NT user profiles? (passdb)
logon path = \\Neptune\profiles\.msprofile
# Where to store 9x/ME roaming profiles
logon home = \\Neptune\profiles\.9xprofile
logon drive = U:
logon script = %U.bat

[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
directory mask = 0750
inherit acls = Yes

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
browseable = no
guest ok = yes
writable = no
share modes = no

[profiles]
comment = Network Profiles Service
path = %H
browseable = no
read only = No
writeable = yes
store dos attributes = Yes
create mask = 0600
directory mask = 0700

[printers]
comment = All Printers
path = /var/tmp
printable = Yes
browseable = No
guest ok = Yes
public = Yes
writeable = No
read only = Yes

[Share]
comment = Share Directory
path = /export/shares
public = yes
writeable = yes
printable = no
create mask = 0770
directory mask = 0770

hbsimon wrote:

>
> Hi,
>
> Branched from thread Samba as PDC.
> I have openSUSE 10.3 with Samba and LDAP as a PDC working perfect. I
> tried to do the same on a new install of openSUSE 11.0 using the same
> procedure and same smb.conf, ldap.conf, slapd.conf and /etc/ldap.conf
> with smbldap-tools 0.9.5. I followed the same procedure as I did in
> 10.3 and Workstations can be added to the Domain and are registered in
> Ldap. Unix users are authenticated to LDAP, but a user registered in
> LDAP can not logon to a workstation and it gives an error "The system
> cannot log you on now because the Domain XYZ is not available. When I
> logon on to the workstation as a local Administrator I can browse the
> Domain and a user can open folders after login on to the Domain, but
> this user can not logon on the initial workstation logon screen.
> Following is my smb.conf:
<snip, see smb.conf in previous post, PV.>
>
>
hbsimon;
When you did the new install, unless you preserved the /etc/samba/secrets.tdb
and the tdbs in /var/lib/samba, a new SID was generated for the domain. From a
logical point of view this is a NEW domain. Each user has a SID that consists
of the domain SID followed by the rid. If the domain has SID S-1-5-21-x-y-z, a
user has a SID of S-1-5-21-x-y-z-w. I believe what is happening, is the users
are using a SID from the “old” domain (I know the names are the same, but the
SIDs are different.) Unfortunately Windows also keeps these in the registry.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.

Here is what I would suggest:
Execute:

net getlocalsid

This is your current domain SID. Either write it down, or better yet direct it
to a text file you can print out (and save it for future reference).

Now use pdbedit to find the SIDs in LDAP
pdbedit -Lv <username>

and finally check the SIDs on the Windows Machine in the above registry key.

I’ll bet you a beer that one of the three does not match the other two. How
you go about correcting this depends a lot on the odd man and the size of your
domain. If the domain is large, hope that only the first is the odd man.
That will be easy to fix by using net setlocalsid S-etc.

One additional test you might try is creating a test user (a user name that has
never been used before) and seeing if you can log in with that user. If you
cannot, I'm probably blowing smoke. But if you can, be sure to check that SID
also.

Please post back the results of this and the approximate size of the domain
(i.e. number of users & workstations). If it’s really large, you might want to
get advice from someone who has had to deal with this in large domains. Most
of the domains I’ve dealt with are less than 20 users/workstations with no
LDAP.

P. V.
"We have met the enemy and he is us" Pogo
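The SID comparison P. V. describes, as an added example that is not part of the original thread: a small POSIX sh script that parses the output of `net getlocalsid` and `pdbedit -Lv <username>` and reports whether the user's SID still carries the PDC's current domain SID. The SAMPLE_* strings and the SIDs in them are constructed stand-ins for real command output; the third check (the ProfileList key on the XP workstation) is Windows-side and not covered here.

```shell
#!/bin/sh
# Added example (not from the thread): does a user's SID stored in the Samba
# passdb (LDAP here) still belong to the domain SID the PDC reports?
# Parses the two commands P. V. suggests running on the Linux side:
#   net getlocalsid          -> "SID for domain NEPTUNE is: S-1-5-21-x-y-z"
#   pdbedit -Lv <username>   -> contains a line "User SID:  S-1-5-21-x-y-z-w"
# The SAMPLE_* values below are constructed; replace them with
# "$(net getlocalsid)" and "$(pdbedit -Lv "$user")" against a real server.

# Domain part of a user SID: "S-1-5-21-x-y-z-w" -> "S-1-5-21-x-y-z".
sid_domain_part() {
    printf '%s\n' "$1" | sed 's/-[0-9]*$//'
}

# Pull the domain SID out of `net getlocalsid` output.
domain_sid_from_net() {
    printf '%s\n' "$1" | sed -n 's/^SID for domain [^ ]* is: *//p'
}

# Pull the user SID out of `pdbedit -Lv` output, ignoring the other fields.
user_sid_from_pdbedit() {
    printf '%s\n' "$1" | sed -n 's/^User SID: *//p'
}

# Exit status: 0 = user SID belongs to this domain, 1 = the user carries a
# different domain SID (e.g. the one generated before a reinstall),
# 2 = one of the outputs could not be parsed.
sid_matches_domain() {
    dom=$(domain_sid_from_net "$1")
    usr=$(user_sid_from_pdbedit "$2")
    if [ -z "$dom" ] || [ -z "$usr" ]; then
        return 2
    fi
    [ "$(sid_domain_part "$usr")" = "$dom" ]
}

# Constructed sample output with made-up SIDs.
SAMPLE_NET='SID for domain NEPTUNE is: S-1-5-21-1001-2002-3003'
SAMPLE_PDB_OK='Unix username:        alice
User SID:             S-1-5-21-1001-2002-3003-1000
Primary Group SID:    S-1-5-21-1001-2002-3003-513'
SAMPLE_PDB_STALE='Unix username:        bob
User SID:             S-1-5-21-9999-8888-7777-1002
Primary Group SID:    S-1-5-21-9999-8888-7777-513'

# Demonstration on the constructed samples.
if sid_matches_domain "$SAMPLE_NET" "$SAMPLE_PDB_OK"; then
    echo "alice: user SID belongs to the current domain SID"
fi
if ! sid_matches_domain "$SAMPLE_NET" "$SAMPLE_PDB_STALE"; then
    echo "bob: user SID carries a different domain SID (stale domain)"
fi
```

Run it once per user from the output of `pdbedit -L` to find the odd man out: if every LDAP user disagrees with `net getlocalsid` in the same way, the server SID is the one that changed and `net setlocalsid` with the old SID is the cheap fix; if only some users disagree, those accounts are the ones to recreate.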

After I had the first problem I created a new openSUSE 11 and Windows-XP workstation install in its own isolated environment with a new user and still have the same problem.

One more follow-up: if I log on as the local Administrator and try to
add a Domain User from Control Panel/User Accounts I get the following
error:
The user could not be added because the following error has occurred:
The trust relationship between this workstation and the primary domain
failed.

Horst

Horst

hbsimon wrote:

>
<snip>
> is part of the domain and needed a reboot. By the way, net getlocalsid
> and net setlocalsid are not valid on the XP workstation.
>
> Horst
>
>

Perhaps I was not clear: you need to run net getlocalsid on the Linux side, not
the XP side.

P. V.
Only fools rush in where angels fear to tread.

I solved the problem by updating openldap2 to version 2.4.11 from Index of /repositories/network:

Regards,
Horst