
Thread: openSUSE 11 and Samba/Ldap as PDC

  1. #1

    openSUSE 11 and Samba/Ldap as PDC

    Hi,

    I have used Samba and LDAP as a PDC successfully in all previous versions of SuSE and openSUSE. Now in openSuSE version 11 it does not work. I can add the workstation to the domain, but I cannot do a domain logon or add a domain user. Every time I get an error message that the trust between the workstation and the server does not exist.
    When I logon as a local user, I can browse the shares. I am using the same configuration files for samba and ldap as in 10.3.

    Were any new security features added in 11.0?

    Thanks and Regards,
    Horst

  2. #2

    Re: openSUSE 11 and Samba/Ldap as PDC

    Hi,

    Branched from thread Samba as PDC.
    I have openSUSE 10.3 with Samba and LDAP as a PDC working perfectly. I tried to do the same on a new install of openSUSE 11.0 using the same procedure and the same smb.conf, ldap.conf, slapd.conf and /etc/ldap.conf with smbldap-tools 0.9.5. I followed the same procedure as I did in 10.3, and workstations can be added to the Domain and are registered in LDAP. Unix users are authenticated to LDAP, but a user registered in LDAP cannot log on to a workstation; it gives the error "The system cannot log you on now because the Domain XYZ is not available." When I log on to the workstation as a local Administrator I can browse the Domain, and a user can open folders after logging on to the Domain, but this user cannot log on at the initial workstation logon screen.
    Following is my smb.conf:
    [global]
    workgroup = XWZ
    netbios name = Neptune
    printing = cups
    printcap name = cups
    printcap cache time = 750
    cups options = raw
    username map = /etc/samba/smbusers
    guest account = nobody
    map to guest = Bad User
    passdb backend = ldapsam:"ldap://127.0.0.1/"
    ldap admin dn = cn=Manager,dc=xyz,dc=com,dc=au
    ldap suffix = dc=xyz,dc=com,dc=au
    ldap group suffix = ou=Groups
    ldap user suffix = ou=Users
    ldap machine suffix = ou=Users
    ldap ssl = No
    add user script = /usr/local/sbin/smbldap-useradd -m "%u"
    add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
    add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
    add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
    enable privileges = yes
    domain master = yes
    domain logons = yes
    encrypt passwords = yes
    ldap passwd sync = Yes
    log level = 1
    syslog = 0
    log file = /var/log/samba/log.%m
    time server = Yes
    interfaces = 127.0.0.1 192.168.1.5/24
    hosts allow = 192.168.1.0/255.255.255.0
    socket options = SO_KEEPALIVE IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    wins support = yes
    Dos charset = 850
    Unix charset = ISO8859-1
    os level = 255
    # Where to store NT user profiles? (passdb)
    logon path = \\Neptune\profiles\.msprofile
    # Where to store 9x/ ME roaming profiles
    logon home = \\Neptune\profiles\.9xprofile

    logon drive = U:
    logon script = %U.bat

    [homes]
    comment = Home Directories
    valid users = %S, %D%w%S
    browseable = No
    read only = No
    directory mask = 0750
    inherit acls = Yes

    [netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    browseable = no
    guest ok = yes
    writable = no
    share modes = no

    [profiles]
    comment = Network Profiles Service
    path = %H
    browseable = no
    read only = No
    writeable = yes
    store dos attributes = Yes
    create mask = 0600
    directory mask = 0700

    [printers]
    comment = All Printers
    path = /var/tmp
    printable = Yes
    browseable = No
    guest ok = Yes
    public = Yes
    writeable = No
    read only = Yes

    [Share]
    comment = Share Directory
    path = /export/shares
    public = yes
    writeable = yes
    printable = no
    create mask = 0770
    directory mask = 0770

  3. #3
    PV NNTP User

    Re: openSUSE 11 and Samba/Ldap as PDC

    hbsimon wrote:

    >
    > Hi,
    >
    > Branched from thread Samba as PDC.
    > I have openSUSE 10.3 with Samba and LDAP as a PDC working perfect. I
    > tried to do the same on a new install of openSUSE 11.0 using the same
    > procedure and same smb.conf, ldap.conf, slapd.conf and /etc/ldap.conf
    > with smbldap-tools 0.9.5. I followed the same procedure as I did in
    > 10.3 and Workstations can be added to the Domain and are registered in
    > Ldap. Unix users are authenticated to LDAP, but a user registered in
    > LDAP can not logon to a workstation and it gives an error "The system
    > cannot log you on now because the Domain XYZ is not available. When I
    > logon on to the workstation as a local Administrator I can browse the
    > Domain and a user can open folders after login on to the Domain, but
    > this user can not logon on the initial workstation logon screen.
    > Following is my smb.conf:

    <snip, see smb.conf in previous post, PV.>
    >
    >

    hbsimon;
    When you did the new install, unless you preserved the /etc/samba/secrets.tdb
    and the tdbs in /var/lib/samba, a new SID was generated for the domain. From a
    logical point of view this is a NEW domain. Each user has a SID that consists
    of the domain SID followed by the rid. If the domain has SID S-1-5-21-x-y-z, a
    user has a SID of S-1-5-21-x-y-z-w. I believe what is happening is that the users
    are using a SID from the "old" domain (I know the names are the same, but the
    SIDs are different.) Unfortunately Windows also keeps these in the registry.
    HKEY_Local_Machine\Software\Microsoft\WindowsNT\currentversion\Profilelist.

    Here is what I would suggest:
    Execute:

    net getlocalsid

    This is your current domain SID. Either write it down, or better yet direct it
    to a text file you can print out (and save it for future reference).

    Now use pdbedit to find the SIDs in LDAP
    pdbedit -Lv <username>

    and finally check the SIDs on the Windows Machine in the above registry key.

    I'll bet you a beer that one of the three does not match the other two. How
    you go about correcting this depends a lot on the odd man and the size of your
    domain. If the domain is large, hope that only the first is the odd man.
    That will be easy to fix by using net setlocalsid S-etc.

    One additional test you might try is creating a test user (a user name that has
    never been used before) and see if you can login with that user. If you can
    not, I'm probably blowing smoke. But if you can't be sure to check that SID
    also.

    Please post back the results of this and the approximate size of the domain
    (i.e. number of users & workstations). If it's really large, you might want to
    get advice from someone who has had to deal with this in large domains. Most
    of the domains I've dealt with are less than 20 users/workstations with no
    LDAP.
    --
    P. V.
    "We have met the enemy and he is us" Pogo
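    The three-way comparison P.V. describes (server SID from net getlocalsid, user SIDs from pdbedit -Lv, cached profile SIDs under ProfileList) can be automated once the outputs are collected. The script below is an added example, not code from P.V. or from the thread; it assumes the usual line formats of net getlocalsid and pdbedit -Lv, and every S-1-5-21 value in its sample data is constructed for illustration. It also handles the detail P.V.'s note leaves implicit: a workstation's own local accounts (the local Administrator, for instance) have an S-1-5-21 prefix too, the machine's SAM SID, so those profiles have to be excluded before reading a mismatch as evidence of an old-domain SID.

```python
"""Cross-check the three SID sources named in the thread: the server's own
domain SID (net getlocalsid), the user SIDs stored in LDAP (pdbedit -Lv) and
the profile SIDs a Windows workstation has cached under ProfileList.
Added example, not code from the thread; the command outputs below are
constructed samples and every S-1-5-21 value in them is invented."""
import re

# Domain-style SID: S-1-5-21-<sub1>-<sub2>-<sub3> with an optional trailing RID.
SID_RE = re.compile(r"S-1-5-21-\d+-\d+-\d+(?:-\d+)?")


def split_sid(sid):
    """Return (domain_prefix, rid) for S-1-5-21-x-y-z-w; rid is None for a bare domain SID."""
    parts = sid.split("-")
    if len(parts) not in (7, 8) or parts[:4] != ["S", "1", "5", "21"]:
        raise ValueError(f"not a domain-style SID: {sid!r}")
    return "-".join(parts[:7]), (int(parts[7]) if len(parts) == 8 else None)


def parse_getlocalsid(text):
    """'net getlocalsid' prints a single line ending in the domain SID."""
    m = SID_RE.search(text)
    if m is None:
        raise ValueError("no SID found in net getlocalsid output")
    return m.group(0)


def parse_pdbedit(text):
    """Map Unix username -> User SID from 'pdbedit -Lv' output (one block per account)."""
    sids, user = {}, None
    for line in text.splitlines():
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "Unix username":
            user = value
        elif key == "User SID" and user:
            sids[user] = value
    return sids


def parse_profilelist(subkeys):
    """ProfileList subkeys are named after each cached profile's SID.
    Well-known SIDs (S-1-5-18 and friends) are not domain-style and are skipped."""
    names = [k.rsplit("\\", 1)[-1] for k in subkeys]
    return [n for n in names if SID_RE.fullmatch(n)]


def check_sids(getlocalsid_out, pdbedit_out, profilelist_subkeys, workstation_sid=None):
    """Report every LDAP user and cached profile whose domain prefix differs
    from the server's SID.  Local workstation accounts (e.g. the local
    Administrator) also carry an S-1-5-21 prefix, the workstation's own machine
    SID; pass it as workstation_sid so those profiles are not flagged."""
    server_sid = parse_getlocalsid(getlocalsid_out)
    server_prefix, _ = split_sid(server_sid)
    ldap_mismatch = sorted(user for user, sid in parse_pdbedit(pdbedit_out).items()
                           if split_sid(sid)[0] != server_prefix)
    profile_mismatch = [sid for sid in parse_profilelist(profilelist_subkeys)
                        if split_sid(sid)[0] not in (server_prefix, workstation_sid)]
    return {"server_sid": server_sid, "ldap_mismatch": ldap_mismatch,
            "profile_mismatch": profile_mismatch,
            "consistent": not ldap_mismatch and not profile_mismatch}


# --- constructed sample data (not real output from the poster's systems) ---
OLD_DOMAIN = "S-1-5-21-4444444444-5555555555-6666666666"      # SID of the old 10.3 install
NEW_DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"      # SID generated by the 11.0 install
WORKSTATION_SID = "S-1-5-21-7777777777-8888888888-9999999999"  # XP machine's local SAM SID

NET_GETLOCALSID = f"SID for domain NEPTUNE is: {NEW_DOMAIN}\n"
PDBEDIT_OUT = f"""\
Unix username:        horst
NT username:          horst
User SID:             {OLD_DOMAIN}-1000
Primary Group SID:    {OLD_DOMAIN}-513
---------------
Unix username:        testuser
NT username:          testuser
User SID:             {NEW_DOMAIN}-1002
Primary Group SID:    {NEW_DOMAIN}-513
"""
PROFILELIST = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
PROFILELIST_SUBKEYS = [
    PROFILELIST + r"\S-1-5-18",                     # LocalSystem, well-known SID
    PROFILELIST + r"\S-1-5-19",                     # LocalService, well-known SID
    PROFILELIST + "\\" + WORKSTATION_SID + "-500",  # local Administrator (RID 500)
    PROFILELIST + "\\" + OLD_DOMAIN + "-1000",      # horst's profile from the old domain
    PROFILELIST + "\\" + NEW_DOMAIN + "-1002",      # testuser, created after the reinstall
]

if __name__ == "__main__":
    report = check_sids(NET_GETLOCALSID, PDBEDIT_OUT, PROFILELIST_SUBKEYS, WORKSTATION_SID)
    print("server SID:", report["server_sid"])
    print("LDAP users with a different domain SID:", report["ldap_mismatch"])
    print("cached profiles with a different domain SID:", report["profile_mismatch"])
```

    In the constructed data the "odd man" is the LDAP side: horst's account still carries the old domain prefix while the server and the freshly created testuser agree, which is the pattern P.V. predicts when the tdb files were not preserved across the reinstall. Which of the three is wrong decides the fix (net setlocalsid when only the server disagrees, re-creating or re-SIDing accounts when LDAP does), so the report is meant to be read before anything is changed.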

  4. #4

    Re: openSUSE 11 and Samba/Ldap as PDC

    After I had the first problem I created a new openSUSE 11 and Windows-XP workstation install in its own isolated environment with a new user and still have the same problem.

    One more follow-up: if I log on as the local Administrator and try to
    add a Domain User from the Control Panel/User Accounts, I get the following
    error:
    The user could not be added because the following error has occurred:
    The trust relationship between this workstation and the primary domain
    failed.

    Horst
    Last edited by hbsimon; 08-Aug-2008 at 19:06. Reason: Incorrect

  5. #5
    PV NNTP User

    Re: openSUSE 11 and Samba/Ldap as PDC

    hbsimon wrote:

    >

    <snip>
    > is part of the domain and needed a reboot. By the way net getlocalsid
    > net setlocalsid is not valid on the XP workstation.
    >
    > Horst
    >
    >


    Perhaps I was not clear, you need to run net getlocalsid on the linux side not
    the XP side.
    --
    P. V.
    Only fools rush in where angels fear to tread.

  6. #6

    Re: openSUSE 11 and Samba/Ldap as PDC

    Quote Originally Posted by PV:
    > hbsimon wrote:
    > > <snip>
    > > is part of the domain and needed a reboot. By the way net getlocalsid
    > > net setlocalsid is not valid on the XP workstation.
    > >
    > > Horst
    >
    > Perhaps I was not clear, you need to run net getlocalsid on the linux side not
    > the XP side.
    > --
    > P. V.
    > Only fools rush in where angels fear to tread.

    I solved the problem by updating openldap2 to version 2.4.11 from Index of /repositories/network:

    Regards,
    Horst
