# [gave up] PDC - Samba + ldap - joining domain - problem.

## diaz

Edit: Please skip to post #4, as the last problem is stated there.

Hello.

I have followed this tutorial, and tried to do exactly what they were telling me to do, though I've had some problems understanding it all along the way. (I think it's somewhat confusingly written).

It seems to work in most ways, except for the fact that I have problems adding new machines to this test-domain. The 'userlist' has been populated (as per smbldap-populate), and the user Administrator has the password 'secret'. 'secret' is the password I use everywhere in this test.

On the WinXP test-machine I get a 'Permission denied' box, and my samba log tells me this:

```
foto home # tail -f /var/log/samba/log.smbd
[2004/10/06 12:30:35, 0] lib/smbldap.c:smbldap_search_domain_info(1338)
  Adding domain info for SMB3 failed with NT_STATUS_UNSUCCESSFUL
```

when I try to add this WinXP-machine to the domain.

I get the same error when I do:

```
foto home # net getlocalsid
[2004/10/06 12:42:47, 0] lib/smbldap.c:smbldap_search_domain_info(1338)
  Adding domain info for SMB3 failed with NT_STATUS_UNSUCCESSFUL
SID for domain PDC-SMB3 is: S-1-5-21-2845760531-147960559-287959922
```

But at least I get the SID.

My complete (?) configuration will be listed below.

When I get this test-domain up and running, I will start over and make myself a new one that's more fitting for my network (when it comes to names, passwords etc.), and hopefully I will be able to post a 'howto' here on the forum. I'm missing that myself, and I guess others do as well :Razz:

I have not got around to setting up SSL for this yet.

I'd prefer to have it working without it first :Cool:

```
foto home # cat /etc/openldap/slapd.conf
include  /etc/openldap/schema/core.schema
include  /etc/openldap/schema/cosine.schema
include  /etc/openldap/schema/inetorgperson.schema
include  /etc/openldap/schema/nis.schema
include  /etc/openldap/schema/samba.schema
pidfile /var/run/openldap/slapd.pid
schemacheck on
lastmod  on
#TLSCertificateFile /etc/openldap/ldap.idealx.com.pem
#TLSCertificateKeyFile /etc/openldap/ldap.idealx.com.key
#TLSCACertificateFile /etc/openldap/ca.pem
#TLSCipherSuite :SSLv3
#TLSVerifyClient demand
#######################################################################
# ldbm database definitions
#######################################################################
database bdb
suffix  dc=IDEALX,dc=ORG
rootdn  "cn=Manager,dc=IDEALX,dc=ORG"
rootpw  secret
directory /var/lib/openldap-data/
index      objectClass,uidNumber,gidNumber                  eq
index      cn,sn,uid,displayName                            pres,sub,eq
index      memberUid,mail,givenname                 eq,subinitial
index      sambaSID,sambaPrimaryGroupSID,sambaDomainName    eq
# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
      by self write
      by anonymous auth
      by * none
# all others attributes are readable to everybody
access to *
      by * read
# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange
      by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
      by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write
      by dn="cn=nssldap,ou=DSA,dc=idealx,dc=org" write
      by self write
      by anonymous auth
      by * none
# some attributes need to be readable anonymously so that 'id user' can answer correctly
access to attrs=objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid
      by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
      by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write
      by * read
# somme attributes can be writable by users themselves
access to attrs=description,telephoneNumber
      by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
      by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write
      by self write
      by * read
# some attributes need to be writable for samba
access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaSID,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase
      by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
      by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write
      by self read
      by * none
# samba need to be able to create the samba domain account
access to dn.base="dc=idealx,dc=org"
      by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
      by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write
      by * none
# samba need to be able to create new users account
access to dn="ou=Users,dc=idealx,dc=org"
      by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
      by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write
      by * none
# samba need to be able to create new groups account
access to dn="ou=Groups,dc=idealx,dc=org"
      by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
      by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write
      by * none
# samba need to be able to create new computers account
access to dn="ou=Computers,dc=idealx,dc=org"
      by dn="cn=samba,ou=DSA,dc=idealx,dc=org" write
      by dn="cn=smbldap-tools,ou=DSA,dc=idealx,dc=org" write
      by * none
# this can be omitted but we leave it: there could be other branch
# in the directory
access to *
      by self read
      by * none
foto home #
```

I have tried with and without the ACLs.

```
foto home # cat /etc/ldap.conf
# Your LDAP server. Must be resolvable without using LDAP.
host 127.0.0.1
# The distinguished name of the search base.
base dc=IDEALX,dc=ORG
# The distinguished name to bind to the server with if the effective user ID
# is root. Password must be stored in /etc/ldap.secret (mode 600)
rootbinddn cn=nssldap,ou=DSA,dc=IDEALX,dc=ORG
# RFC2307bis naming contexts
# we use ?sub (and not the default ?one) because we
# separated sambaAccounts on ou=Computer,dc=IDEALX,dc=org
# and ou=People,dc=IDEALX,dc=org
nss_base_passwd         ou=Users,dc=IDEALX,dc=ORG?one
nss_base_shadow         ou=Users,dc=IDEALX,dc=ORG?one
#nss_base_passwd         dc=IDEALX,dc=ORG?sub
#nss_base_shadow         dc=IDEALX,dc=ORG?sub
nss_base_group          ou=Groups,dc=IDEALX,dc=ORG?one
# Security options
ssl no
pam_password md5
# - The End
```

I have tried both the pairs of nss_base_passwd/shadow.

```
foto home # cat /etc/openldap/ldap.conf
HOST 127.0.0.1
BASE dc=IDEALX,dc=ORG
```

```
foto home # cat /etc/smbldap-tools/smbldap.conf
# $Source: /opt/cvs/samba/smbldap-tools/smbldap.conf,v $
##############################################################################
#
# General Configuration
#
##############################################################################
# Put your own SID
# to obtain this number do: net getlocalsid
SID="S-1-5-21-2845760531-147960559-287959922"
##############################################################################
#
# LDAP Configuration
#
##############################################################################
# Notes: to use to dual ldap servers backend for Samba, you must patch
# Samba with the dual-head patch from IDEALX. If not using this patch
# just use the same server for slaveLDAP and masterLDAP.
# Those two servers declarations can also be used when you have
# . one master LDAP server where all writing operations must be done
# . one slave LDAP server where all reading operations must be done
#   (typically a replication directory)
# Ex: slaveLDAP=127.0.0.1
slaveLDAP="127.0.0.1"
slavePort="389"
# Master LDAP : needed for write operations
# Ex: masterLDAP=127.0.0.1
masterLDAP="127.0.0.1"
masterPort="389"
# Use TLS for LDAP
# If set to 1, this option will use start_tls for connection
# (you should also used the port 389)
ldapTLS="0"
# How to verify the server's certificate (none, optional or require)
# see "man Net::LDAP" in start_tls section for more details
verify="require"
# CA certificate
# see "man Net::LDAP" in start_tls section for more details
cafile="/etc/smbldap-tools/ca.pem"
# certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientcert="/etc/smbldap-tools/smbldap-tools.pem"
# key certificate to use to connect to the ldap server
# see "man Net::LDAP" in start_tls section for more details
clientkey="/etc/smbldap-tools/smbldap-tools.key"
# LDAP Suffix
# Ex: suffix=dc=IDEALX,dc=ORG
suffix="dc=idealx,dc=org"
# Where are stored Users
# Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
usersdn="ou=Users,${suffix}"
# Where are stored Computers
# Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
computersdn="ou=Computers,${suffix}"
# Where are stored Groups
# Ex groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
groupsdn="ou=Groups,${suffix}"
# Where are stored Idmap entries (used if samba is a domain member server)
# Ex groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
idmapdn="ou=Idmap,${suffix}"
# Where to store next uidNumber and gidNumber available
sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
# Default scope Used
scope="sub"
# Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA)
hash_encrypt="SSHA"
# if hash_encrypt is set to CRYPT, you may set a salt format.
# default is "%s", but many systems will generate MD5 hashed
# passwords if you use "$1$%.8s". This parameter is optional!
crypt_salt_format="%s"
##############################################################################
#
# Unix Accounts Configuration
#
##############################################################################
# Login defs
# Default Login Shell
# Ex: userLoginShell="/bin/bash"
userLoginShell="/bin/bash"
# Home directory
# Ex: userHome="/home/%U"
userHome="/home/%U"
# Gecos
userGecos="System User"
# Default User (POSIX and Samba) GID
defaultUserGid="513"
# Default Computer (Samba) GID
defaultComputerGid="515"
# Skel dir
skeletonDir="/etc/skel"
# Default password validation time (time in days) Comment the next line if
# you don't want password to be enable for defaultMaxPasswordAge days (be
# careful to the sambaPwdMustChange attribute's value)
defaultMaxPasswordAge="99"
##############################################################################
#
# SAMBA Configuration
#
##############################################################################
# The UNC path to home drives location (%U username substitution)
# Ex: \\My-PDC-netbios-name\homes\%U
# Just set it to a null string if you want to use the smb.conf 'logon home'
# directive and/or disable roaming profiles
userSmbHome="\\PDC-SMB3\homes\%U"
# The UNC path to profiles locations (%U username substitution)
# Ex: \\My-PDC-netbios-name\profiles\%U
# Just set it to a null string if you want to use the smb.conf 'logon path'
# directive and/or disable roaming profiles
userProfile="\\PDC-SMB3\profiles\%U"
# The default Home Drive Letter mapping
# (will be automatically mapped at logon time if home directory exist)
# Ex: H: for H:
userHomeDrive="H:"
# The default user netlogon script name (%U username substitution)
# if not used, will be automatically username.cmd
# make sure script file is edited under dos
# Ex: %U.cmd
# userScript="startup.cmd" # make sure script file is edited under dos
userScript="%U.cmd"
# Domain appended to the users "mail"-attribute
# when smbldap-useradd -M is used
#mailDomain="idealx.com"
##############################################################################
#
# SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
#
##############################################################################
# Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
# prefer Crypt::SmbHash library
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
```

```
foto home # cat /etc/smbldap-tools/smbldap_bind.conf
############################
# Credential Configuration #
############################
# Notes: you can specify two differents configuration if you use a
# master ldap for writing access and a slave ldap server for reading access
# By default, we will use the same DN (so it will work for standard Samba
# release)
slaveDN="cn=Manager,dc=IDEALX,dc=ORG"
slavePw="secret"
masterDN="cn=Manager,dc=IDEALX,dc=ORG"
masterPw="secret"
```

```
foto home # cat /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
#hosts:     db files nisplus nis dns
hosts:      files dns
# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files
publickey:  nisplus
automount:  files
aliases:    files nisplus
```

```
foto home # cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_unix.so
account     sufficient    /lib/security/pam_ldap.so
password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/pam_ldap.so use_authtok
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so
```

```
foto home # testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[profiles]"
Processing section "[printers]"
Processing section "[print$]"
Processing section "[public]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions
# Global parameters
[global]
        workgroup = SMB3
        netbios name = PDC-SMB3
        server string = Samba Server %v
        min passwd length = 3
        map to guest = Bad User
        passdb backend = ldapsam:ldap://127.0.0.1/
        passwd program = /usr/share/samba/scripts/smbldap-passwd -u %u
        passwd chat = "Changing password for*\nNew password*" %n\n "*Retype new password*" %n\n"
        username map = /etc/samba/smbusers
        unix password sync = Yes
        syslog = 0
        log file = /var/log/samba/log.%m
        max log size = 100000
        time server = Yes
        deadtime = 10
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        add user script = /usr/share/samba/scripts/smbldap-useradd -m "%u"
        delete user script = /usr/share/samba/scripts/smbldap-userdel "%u"
        add group script = /usr/share/samba/scripts/smbldap-groupadd -p "%g"
        delete group script = /usr/share/samba/scripts/smbldap-groupdel "%g"
        add user to group script = /usr/share/samba/scripts/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/share/samba/scripts/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/share/samba/scripts/smbldap-usermod -g "%g" "%u"
        add machine script = /usr/share/samba/scripts/smbldap-useradd -w "%u"
        logon script = logon.bat
        logon path =
        logon drive = H:
        logon home =
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        ldap admin dn = cn=samba,ou=DSA,dc=IDEALX,dc=ORG
        ldap delete dn = Yes
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap passwd sync = Yes
        ldap suffix = dc=IDEALX,dc=ORG
        ldap user suffix = ou=Users
        printer admin = "@Print Operators"
        create mask = 0640
        directory mask = 0750
        nt acl support = No
        case sensitive = No
        dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
[homes]
        comment = repertoire de %U, %u
        read only = No
        create mask = 0644
        directory mask = 0775
        browseable = No
[netlogon]
        path = /home/netlogon/
        browseable = No
[profiles]
        path = /home/profiles
        valid users = %U, "@Domain Admins"
        force user = %U
        read only = No
        create mask = 0600
        directory mask = 0700
        guest ok = Yes
        profile acls = Yes
        browseable = No
        csc policy = disable
[printers]
        comment = Network Printers
        path = /home/spool/
        guest ok = Yes
        printable = Yes
        print command = /usr/bin/lpr -P%p -r %s
        lpq command = /usr/bin/lpq -P%p
        lprm command = /usr/bin/lprm -P%p %j
        browseable = No
[print$]
        path = /home/printers
        valid users = "@Print Operators"
        write list = "@Print Operators"
        create mask = 0664
        directory mask = 0775
[public]
        comment = Repertoire public
        path = /home/public
        read only = No
        create mask = 0664
        directory mask = 0775
        guest ok = Yes
```

----------

## diaz

I might have found something that can help:

I read through this howto, and found:

 *Quote:*   

> Adding accounts with smbpasswd    [toc]
> 
> --------------------------------------------------------------------------------
> 
> Now, with the new year, the smbpasswd makes all the ldap stuff for you, from the scratch. Run the ./bin/smbpasswd to add new entries (ws or people),... of course, you need the /etc/passwd and /etc/groups (or equivalent files) contains the accounts and groups.... 
> ...

 

So I decided to try to add my test-xp client manually, and got the following errors:

```
foto net # smbpasswd  -m -a rmlab01$ -D 256
Netbios name list:-
my_netbios_names[0]="PDC-SMB3"
Trying to load: ldapsam:ldap://127.0.0.1/
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend ldapsam_compat
Successfully added passdb backend 'ldapsam_compat'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend guest
Successfully added passdb backend 'guest'
Attempting to find an passdb backend to match ldapsam:ldap://127.0.0.1/ (ldapsam)
Found pdb backend ldapsam
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SMB3))]
smbldap_search: base => [dc=IDEALX,dc=ORG], filter => [(&(objectClass=sambaDomain)(sambaDomainName=SMB3))], scope => [2]
smbldap_open_connection: ldap://127.0.0.1/
smbldap_open_connection: connection opened
ldap_connect_system: Binding to ldap server ldap://127.0.0.1/ as "cn=samba,ou=DSA,dc=IDEALX,dc=ORG"
ldap_connect_system: succesful connection to the LDAP server
The LDAP server is succesfully connected
Got no domain info entries for domain
smbldap_search: base => [dc=IDEALX,dc=ORG], filter => [(&(sambaDomainName=SMB3)(objectclass=sambaDomain))], scope => [2]
smbldap_open: already connected to the LDAP server
Adding new domain
smbldap_add: dn => [sambaDomainName=SMB3,dc=IDEALX,dc=ORG]
smbldap_open: already connected to the LDAP server
failed to add domain dn= sambaDomainName=SMB3,dc=IDEALX,dc=ORG with: Insufficient access
        no write access to parent
Adding domain info for SMB3 failed with NT_STATUS_UNSUCCESSFUL
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain
pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, and will risk BDCs having inconsistant SIDs
pdb backend ldapsam:ldap://127.0.0.1/ has a valid init
Attempting to find an passdb backend to match guest (guest)
Found pdb backend guest
pdb backend guest has a valid init
smbldap_search: base => [dc=IDEALX,dc=ORG], filter => [(&(uid=rmlab01$)(objectclass=sambaSamAccount))], scope => [2]
smbldap_open: already connected to the LDAP server
ldapsam_getsampwnam: Unable to locate user [rmlab01$] count=0
Finding user rmlab01$
Trying _Get_Pwnam(), username as lowercase is rmlab01$
Trying _Get_Pwnam(), username as uppercase is RMLAB01$
Checking combinations of 0 uppercase letters in rmlab01$
Get_Pwnam_internals didn't find user [rmlab01$]!
Failed to initialise SAM_ACCOUNT for user rmlab01$. Does this user exist in the UNIX password database ?
Failed to modify password entry for user rmlab01$
```

And basically, what got my attention, was the following:

```
Got no domain info entries for domain
smbldap_search: base => [dc=IDEALX,dc=ORG], filter => [(&(sambaDomainName=SMB3)(objectclass=sambaDomain))], scope => [2]
smbldap_open: already connected to the LDAP server
Adding new domain
smbldap_add: dn => [sambaDomainName=SMB3,dc=IDEALX,dc=ORG]
smbldap_open: already connected to the LDAP server
failed to add domain dn= sambaDomainName=SMB3,dc=IDEALX,dc=ORG with: Insufficient access
        no write access to parent
Adding domain info for SMB3 failed with NT_STATUS_UNSUCCESSFUL
```

Maybe this is because I have tested it without ACLs in the slapd.conf, so I will try to add them again, and if that fails, remerge openldap with USE="-acl".

Will be updated, and input is still welcome.

Edit: Suddenly found out that openldap doesn't use 'acl', but samba does. Anyhow, re-emerging both.

Suggestions on ACLs are still welcome though.
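The two messages singled out above, "no write access to parent" and "Does this user exist in the UNIX password database ?", each come from a rule that is easy to model. slapd walks the `access to` clauses in file order and the first clause whose target matches decides the outcome, so a catch-all `access to * by * read` placed early (as in the slapd.conf posted in the first message) hides every later grant to `cn=samba`; and nss_ldap only resolves accounts under the base and scope given in `nss_base_passwd`, so a machine account created under `ou=Computers` is invisible to `getpwnam()` while that line points at `ou=Users,...?one`. The following is an added example written for this page, not code from the thread or from OpenLDAP: a simplified evaluator seeded with the posted ACL clauses and DNs. The `FIXED` list is the same ACL set with the two leading catch-all clauses dropped; the treatment of a style-less `dn=` clause as `dn.base` is an assumption of the model, since slapd's own default for that form depends on the version.

```python
"""Added example (not from the thread or from OpenLDAP): a model of slapd's
ordered first-match ACL evaluation and of nss_ldap's base?scope lookup rule,
seeded with the clauses and DNs posted in this thread."""

LEVELS = {"none": 0, "auth": 1, "compare": 2, "search": 3, "read": 4, "write": 5}

def norm(dn):
    """Case-fold a DN so dc=IDEALX,dc=ORG and dc=idealx,dc=org compare equal."""
    return ",".join(p.strip().lower() for p in dn.split(","))

def in_scope(dn, base, scope):
    """'base': the entry itself; 'one': its direct children; 'sub': whole subtree."""
    dn, base = norm(dn), norm(base)
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.partition(",")[2] == base
    if scope == "sub":
        return dn == base or dn.endswith("," + base)
    raise ValueError(scope)

def attrs(spec):
    return {a.strip().lower() for a in spec.split(",")}

SAMBA = "cn=samba,ou=DSA,dc=idealx,dc=org"
TOOLS = "cn=smbldap-tools,ou=DSA,dc=idealx,dc=org"
NSS = "cn=nssldap,ou=DSA,dc=idealx,dc=org"
DSA_WRITE = [(SAMBA, "write"), (TOOLS, "write")]

# The posted slapd.conf ACLs, in posted order, as (dn, scope, attrs, by-list);
# None means "any". A style-less dn= clause is treated like dn.base here (an
# assumption of this model; slapd's default for that form is version dependent).
POSTED = [
    (None, None, attrs("userPassword,sambaNTPassword,sambaLMPassword"),
     [("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    (None, None, None, [("*", "read")]),                      # access to * by * read
    (None, None, attrs("userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange"),
     DSA_WRITE + [(NSS, "write"), ("self", "write"), ("anonymous", "auth"), ("*", "none")]),
    (None, None, attrs("objectClass,entry,gecos,homeDirectory,uid,uidNumber,gidNumber,cn,memberUid"),
     DSA_WRITE + [("*", "read")]),
    (None, None, attrs("description,telephoneNumber"),
     DSA_WRITE + [("self", "write"), ("*", "read")]),
    (None, None, attrs("cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaAcctFlags,"
                       "sambaSID,sambaPrimaryGroupSID,sambaDomainName,sambaNextRid"),  # subset of the posted list
     DSA_WRITE + [("self", "read"), ("*", "none")]),
    ("dc=idealx,dc=org", "base", None, DSA_WRITE + [("*", "none")]),
    ("ou=Users,dc=idealx,dc=org", "base", None, DSA_WRITE + [("*", "none")]),
    ("ou=Groups,dc=idealx,dc=org", "base", None, DSA_WRITE + [("*", "none")]),
    ("ou=Computers,dc=idealx,dc=org", "base", None, DSA_WRITE + [("*", "none")]),
    (None, None, None, [("self", "read"), ("*", "none")]),
]
# Same list with the two leading catch-all clauses dropped; the final
# 'access to * by self read by * none' already covers what they did.
FIXED = POSTED[2:]

def who_matches(who, bind_dn, target_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "self":
        return bind_dn is not None and norm(bind_dn) == norm(target_dn)
    return bind_dn is not None and norm(who) == norm(bind_dn)

def granted(acls, bind_dn, target_dn, attr):
    """Access level from the first <what> clause matching the target; inside
    it the first matching <by> wins, and no matching <by> means none."""
    for dn, scope, what_attrs, bys in acls:
        if dn is not None and not in_scope(target_dn, dn, scope):
            continue
        if what_attrs is not None and attr.lower() not in what_attrs:
            continue
        for who, level in bys:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"
    return "none"

def can_add_child(acls, bind_dn, parent_dn):
    """An LDAP add needs write access on the parent (the log's 'no write
    access to parent'), modelled as write on the parent's 'children'
    pseudo-attribute."""
    return LEVELS[granted(acls, bind_dn, parent_dn, "children")] >= LEVELS["write"]

def nss_finds(account_dn, nss_base_passwd):
    """nss_ldap's 'base?scope' rule for nss_base_passwd; scope defaults to one."""
    base, _, scope = nss_base_passwd.partition("?")
    return in_scope(account_dn, base, scope or "one")

if __name__ == "__main__":
    admin = "uid=Administrator,ou=Users,dc=idealx,dc=org"
    machine = "uid=rmlab01$,ou=Computers,dc=idealx,dc=org"
    print("posted: samba may add domain entry:", can_add_child(POSTED, SAMBA, "dc=IDEALX,dc=ORG"))
    print("fixed : samba may add domain entry:", can_add_child(FIXED, SAMBA, "dc=IDEALX,dc=ORG"))
    print("posted: samba on sambaNTPassword  :", granted(POSTED, SAMBA, admin, "sambaNTPassword"))
    print("fixed : samba on sambaNTPassword  :", granted(FIXED, SAMBA, admin, "sambaNTPassword"))
    print("ou=Users?one sees rmlab01$        :", nss_finds(machine, "ou=Users,dc=IDEALX,dc=ORG?one"))
    print("dc=IDEALX,dc=ORG?sub sees rmlab01$:", nss_finds(machine, "dc=IDEALX,dc=ORG?sub"))
```

With the posted order, `cn=samba` is stopped at the second clause with `read` on the suffix entry, and at the first clause with `none` on `sambaNTPassword`, so it can neither add the `sambaDomainName=SMB3` entry nor set machine or user password hashes; with the two catch-all clauses removed it reaches the IDEALX grants and gets `write` in both cases. The same evaluator shows why order matters for the final `access to *` clause as well: anything placed after it is never consulted.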

----------

## diaz

I have fixed the `Adding domain info for SMB3 failed with NT_STATUS_UNSUCCESSFUL` problem.

The ldap account samba was configured to use either doesn't exist or doesn't have permissions. I guess the latter, so I made samba use 'Manager' instead.

But I still can't add my test-xp to the domain..

I will try to get more on this though.

----------

## diaz

Seems like the problem is elsewhere.

After some quick searches through the forum, after getting ideas from reading around my last two posts here, I have stopped at this point:

```
foto schema # net rpc join -U root
Password:
Create of workstation account failed
User specified does not have administrator privileges
Unable to join domain SMB3.
foto schema # net rpc join -U administrator
Password:
Create of workstation account failed
User specified does not have administrator privileges
Unable to join domain SMB3.
foto schema # net rpc join -U Administrator
Password:
Create of workstation account failed
User specified does not have administrator privileges
Unable to join domain SMB3.
```

Basically, it seems like the administrator-account "doesn't work".

The only really related thread on this forum, well at least what I could find, was this one.

But the fix here does not apply to my case, though I'll add my /etc/pam.d/samba here.

```
foto schema # cat /etc/pam.d/samba
#%PAM-1.0
# pam_smbpass.so authenticates against the smbpasswd file
auth       required     pam_smbpass.so nodelay
account    required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
password   required     pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf
```

My ldap Administrator:

```
foto schema # /usr/share/samba/scripts/smbldap-usershow Administrator
dn: uid=Administrator,ou=Users,dc=idealx,dc=org
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson,sambaSAMAccount,posixAccount,shadowAccount
gidNumber: 512
uid: Administrator
uidNumber: 0
homeDirectory: /home/Administrator
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomePath: \\PDC-SMB3\homes\Administrator
sambaHomeDrive: H:
sambaProfilePath: \\PDC-SMB3\profiles\Administrator\
sambaPrimaryGroupSID: S-1-5-21-2845760531-147960559-287959922-512
sambaSID: S-1-5-21-2845760531-147960559-287959922-2996
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaLMPassword: etc
sambaAcctFlags: [U]
sambaNTPassword: etc
sambaPwdLastSet: 1097059275
sambaPwdMustChange: 1105612875
userPassword: {SSHA}etc
```

This was added with smbldap-populate.

So, after clearing my previous obstacle, I'm stuck again.

Joy.
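The thread shows the same domain SID in three places: the `net getlocalsid` output, the `SID=` line in smbldap.conf, and the `sambaSID` / `sambaPrimaryGroupSID` attributes of the Administrator entry above, and the earlier smbpasswd log warns that a missing domain entry "will risk BDCs having inconsistant SIDs". Whether those three agree, and whether the account's primary group RID is the well-known Domain Admins RID (512), is a check worth scripting before looking anywhere else when a join is refused. The following is an added example written for this page, not a Samba tool and not code from the thread: a SID parser and a consistency check over the values posted above. The `STALE_USER` entry is constructed for the example to show what a drifted SID looks like; the function names are this example's own.

```python
"""Added example (not from the thread, not a Samba tool): parse NT domain SIDs
and check that the SIDs seen in the thread all sit under one domain SID."""

import re

# Only S-1-5-21-<a>-<b>-<c>[-<rid>] forms (NT domain SIDs) are accepted.
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+(-\d+)?$")

# Well-known domain-relative RIDs (Windows constants).
WELL_KNOWN_RIDS = {512: "Domain Admins", 513: "Domain Users", 515: "Domain Computers"}

def parse_sid(sid):
    """Return (domain_sid, rid); rid is None for a bare domain SID."""
    if not SID_RE.match(sid):
        raise ValueError("not an NT domain SID: %r" % sid)
    parts = sid.split("-")
    if len(parts) == 7:                       # S-1-5-21-a-b-c
        return sid, None
    return "-".join(parts[:7]), int(parts[7])

def check_domain_sids(local_sid, smbldap_sid, entry):
    """Findings (strings) for SIDs that do not agree; empty list means consistent.
    entry is a dict of the attributes smbldap-usershow prints."""
    findings = []
    domain, rid = parse_sid(local_sid)
    if rid is not None:
        findings.append("net getlocalsid returned a SID with a RID: %s" % local_sid)
    if smbldap_sid != domain:
        findings.append("smbldap.conf SID %s differs from local SID %s" % (smbldap_sid, domain))
    for attr in ("sambaSID", "sambaPrimaryGroupSID"):
        if attr not in entry:
            findings.append("%s missing on %s" % (attr, entry.get("uid")))
            continue
        d, r = parse_sid(entry[attr])
        if d != domain:
            findings.append("%s %s is not under domain %s" % (attr, entry[attr], domain))
        elif r is None:
            findings.append("%s %s has no RID" % (attr, entry[attr]))
    return findings

def primary_group_name(entry):
    """Well-known name of the entry's primary group RID, or 'RID <n>'."""
    _, rid = parse_sid(entry["sambaPrimaryGroupSID"])
    return WELL_KNOWN_RIDS.get(rid, "RID %d" % rid)

def is_domain_admin_primary(entry):
    return parse_sid(entry["sambaPrimaryGroupSID"])[1] == 512

# Values as posted in the thread.
LOCAL_SID = "S-1-5-21-2845760531-147960559-287959922"      # net getlocalsid
SMBLDAP_SID = "S-1-5-21-2845760531-147960559-287959922"    # smbldap.conf SID=
ADMINISTRATOR = {                                           # smbldap-usershow Administrator
    "uid": "Administrator",
    "sambaPrimaryGroupSID": "S-1-5-21-2845760531-147960559-287959922-512",
    "sambaSID": "S-1-5-21-2845760531-147960559-287959922-2996",
}
# Constructed for this example: an entry carrying SIDs from a different
# (hypothetical) domain SID, the drift Samba's warning refers to.
STALE_USER = {
    "uid": "olduser",
    "sambaPrimaryGroupSID": "S-1-5-21-1111111111-2222222222-3333333333-513",
    "sambaSID": "S-1-5-21-1111111111-2222222222-3333333333-3000",
}

if __name__ == "__main__":
    for e in (ADMINISTRATOR, STALE_USER):
        findings = check_domain_sids(LOCAL_SID, SMBLDAP_SID, e)
        print(e["uid"], "primary group:", primary_group_name(e),
              "| findings:", findings or "none")
```

Run against the posted values the check returns no findings and reports Domain Admins as the primary group, so SID drift is not what the thread's join failure shows; the constructed `STALE_USER` entry returns one finding per attribute, which is the shape a BDC-inconsistency problem would take.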

----------

## lblblb

sorry for the OT, but...

What package provides the "authconfig" utility referred to in the howto?

Will you please tell me the output of this command:

```
qpkg -f `which authconfig`
```

Meanwhile, I'll see what I can come up with -- I've had mixed luck with sambapdc+ldap.

----------

## diaz

Sorry for late response, I've been without internet this weekend.

Well, I never used authconfig, and I don't have it on my system.

But as you see from this quote from the howto, they have included how /etc/pam.d/system-auth should look. As far as I have understood, this should be sufficient. But I might be terribly wrong in this assumption.

 *Quote:*   

> 4.2 Linux Operating System
> 
> You need to tell your Linux box to use LDAP using pam_ldap and nss_ldap. Then, you should run nscd and finish your system LDAP configuration. 4.2.1 pam_ldap, nss_ldap and nscd Use authconfig 12 to activate pam_ldap : 
> 
> Cache Information 
> ...

 

From this, I've done some `emerge -s` on pam, nss and nis, and some surfing and googling around.

Haven't had the time to do this thoroughly, have to be at work tomorrow, in about 8 hrs..

Seems like a very redhat'ish tool, so I guess it somehow can be downloaded from their site. Knowing which package though, can be problematic. Haven't touched RH since 99, and that wasn't voluntarily.

Hope we/I can get this done without installing redhat, as it has always been confusing to me.  :Evil or Very Mad: 

----------

## diaz

Basically, I gave up.

I even tested to run it on Fedora (the closest to RH I could care to find), got some other errors there...

Looks like I'll have to look on this later..

For now, samba pdc without ldap!  "#¤!"#¤   :Confused: 

----------

## Adamal

Go here and check out the Windows registry hacks:

http://www.ccs.uky.edu/docs/samba.htm

----------

## UberLord

One thing that I've learned is that my LDAP setup is perfect - provided I do not run nscd. If I do, it breaks.

----------

## lblblb

 *UberLord wrote:*   

> One thing that I've learned is that my LDAP setup is perfect - provided I do not run nscd. If I do, it breaks.

 

Agreed. There's something wrong with nscd. `/etc/init.d/nscd stop/restart` don't work; I have to `kill -9` nscd, then `/etc/init.d/nscd zap`, then start it again.

I've had some success setting nscd.conf to *not* cache passwords. But nscd seems to do something screwy with samba, too. I wish I could be more specific; I just know that restarting nscd has fixed problems a lot of times, and there are lots of minor complaints in the logs about nscd by samba (don't remember if it's nmbd or smbd).

----------

