# Samba3 PDC and Ldap setup-migration

## ozric100

Ok ... I have openldap, pam_ldap and nss_ldap installed and working. I have tested my ldap setup and it works fine. I am using tls for all connections. Now I have installed Samba3 and set up the ldap scripts, but I am not sure I have everything right in the ldap database. I have run `pdbedit -i smbpasswd -e ldapsam` to convert my old samba users. My problem is I can't seem to get machine accounts to add, or join other samba servers to the domain. I want to have one place for Unix and Samba accounts in ldap. Here is some strange output I get from pdbedit.

```
pdb_init_ldapsam: WARNING: Could not get domain info, nor add one to the domain
pdb_init_ldapsam: Continuing on regardless, will be unable to allocate new users/groups, and will risk BDCs having inconsistant SIDs
```

Does anyone know what this really means? I have a sambaDomain objectclass in my ldap server. I seem to be 98% ok.. I can login and smbmount shares. But I know something is wrong..... does anyone know where I should start looking to solve this? I have looked over example ldif files for samba but I am just starting to learn ldap and I am not 100% sure what I am looking at.

This is just my home network, so I can toast my ldap tree and start over if I need to ...

----------

## ozric100

As an update ... I have deleted my old ldap ldbm, and have remigrated with the migration scripts. I had to turn schemacheck off in my configs to get the passwds to migrate... this is due to the account objectclass ... Anyway. So starting with a Posix-only ldap setup, I ran smbldap-populate.pl to add the samba top objects. Then I ran `pdbedit -i smbpasswd -e tdbsam`. Then I ran `pdbedit -i tdbsam -e ldapsam`. I get the same result.

This was a standalone server before. Is there anyone here who can help?

----------

## ozric100

OK ... ... I really should know better. After running through the whole drill again, I noticed something. Never try to run tls on your localhost, it was buggering up the connection from samba. I noticed that I could run

`ldapsearch '(&(objectClass=sambaDomain)(sambaDomainName=<mydomain name>))'`

and get back the objectClass.

Anyway .. let this be a lesson to anyone else coming down this path.

Now I am one LDAPing / SAMBA3 mofo .. .. .. and I feel much better now.

----------

## zoolook

Hi. Did you actually, or do you think someone actually, manage to set up a Samba3 PDC with an LDAP user database on gentoo? I'm stuck for 2 weeks now, the documentation all over handles only samba 2.2.x...

I managed to authenticate linux users from LDAP, but Samba3-PDC is just painful: there are no covering examples, every example shows at best half of it, and you would guess you could find one half here and the other half there, but no, there are redundant details and still important things missing to make the whole picture...

----------

## ozric100

Yes, I have it set up and working. Tell me where you are at and I will try to help you.

----------

## Are`awn

Well, any pointers to any documentation would be a great step. Setting up my *Nix boxes to authenticate against LDAP is pretty easy. Seems that the samba.schema has changed, no more sambaAccount objectClass. Anything that could give a good overview, and then maybe go into config details, would be great.

----------

## ozric100

If you have nss_ldap and pam_ldap working it's easy from there. Just set up the smb.conf file for your domain, the docs are right about that. Then set up the smbldap-* scripts that live in /usr/share/samba/scripts; you need to symlink the *.pm files to your perl. There is a change for the smbldap-populate script that was not in the 3.0.0 ebuild. I will post it.

Then start up Samba and use `pdbedit -i tdbsam -e ldapsam`. That should add the sambaDomain to Ldap, then run the smbldap-populate script to add your groups. If everything went well you are ready to add your machine accounts. I had to add the base accounts with smbldap-useradd.pl for the systems. Then just join them to the domain from the workstations.

```
#!/usr/bin/perl -w
# Populate a LDAP base for Samba-LDAP usage
#
# $Id: smbldap-populate.pl,v 1.18 2003/09/19 12:36:44 jtournier Exp $
#  This code was developped by IDEALX (http://IDEALX.org/) and
#  contributors (their names can be found in the CONTRIBUTORS file).
#
#                 Copyright (C) 2001-2002 IDEALX
#
#  This program is free software; you can redistribute it and/or
#  modify it under the terms of the GNU General Public License
#  as published by the Free Software Foundation; either version 2
#  of the License, or (at your option) any later version.
#
#  This program is distributed in the hope that it will be useful,
#  but WITHOUT ANY WARRANTY; without even the implied warranty of
#  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#  GNU General Public License for more details.
#
#  You should have received a copy of the GNU General Public License
#  along with this program; if not, write to the Free Software
#  Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
#  USA.
#
#  Purpose :
#       . Create an initial LDAP database suitable for Samba 2.2
#       . For lazy people, replace ldapadd (with only an ldif parameter)

use strict;
use FindBin qw($RealBin);
use lib "$RealBin/";
use smbldap_tools;
use smbldap_conf;
use Getopt::Std;
use Net::LDAP::LDIF;
use File::Temp qw(tempfile);

use vars qw(%oc);

# objectclass of the suffix
%oc = (
           "ou" => "organizationalUnit",
           "o" => "organization",
           "dc" => "dcObject",
          );

my %Options;
my $ok = getopts('a:b:?', \%Options);
if ( (!$ok) || ($Options{'?'}) ) {
  print "Usage: $0 [-ab?] [ldif]\n";
  print "  -a   administrator login name (default: Administrator)\n";
  print "  -b   guest login name (default: nobody)\n";
  print "  -?   show this help message\n";
  print "  ldif file to add to ldap (default: suffix, Groups,";
  print " Users, Computers and builtin users )\n";
  exit (1);
}

my $_ldifName;
my $tmp_ldif_file;
if (@ARGV >= 1) {
  $_ldifName = $ARGV[0];
}

my $adminName = $Options{'a'};
if (!defined($adminName)) {
  $adminName = "Administrator";
}

my $guestName = $Options{'b'};
if (!defined($guestName)) {
  $guestName = "nobody";
}

if (!defined($_ldifName)) {
  my $attr;
  my $val;
  my $objcl;
  print "Using builtin directory structure\n";
  if ($suffix =~ m/([^=]+)=([^,]+)/) {
        $attr = $1;
        $val = $2;
        $objcl = $oc{$attr} if (exists $oc{$attr});
        if (!defined($objcl)) {
          $objcl = "myhardcodedobjectclass";
        }
  } else {
        die "can't extract first attr and value from suffix $suffix";
  }
  #print "$attr=$val\n";
  my ($organisation,$ext) = ($suffix =~ m/dc=(\w+),dc=(\w+)$/);

  # Write the builtin LDIF to a scratch file with an unpredictable name and
  # mode 0600 (the original used the guessable /tmp/<pid>.ldif, which is
  # open to symlink races in a world-writable directory).
  my $FILE;
  ($FILE, $tmp_ldif_file) = tempfile("smbldap-populate-XXXXXX", DIR => "/tmp", SUFFIX => ".ldif");

  # The entries below are separated by blank lines, as LDIF requires;
  # $suffix, $usersdn, $SID and friends come from smbldap_conf.pm.
  print {$FILE} <<EOF;
dn: $suffix
objectClass: $objcl
objectclass: organization
$attr: $val
o: $organisation

dn: $usersdn
objectClass: organizationalUnit
ou: $usersou

dn: $groupsdn
objectClass: organizationalUnit
ou: $groupsou

dn: $computersdn
objectClass: organizationalUnit
ou: $computersou

dn: uid=$adminName,$usersdn
cn: $adminName
sn: $adminName
objectClass: inetOrgPerson
objectClass: sambaSAMAccount
objectClass: posixAccount
gidNumber: 512
uid: $adminName
uidNumber: 998
homeDirectory: $_userHomePrefix
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: $_userSmbHome
sambaHomeDrive: $_userHomeDrive
sambaProfilePath: $_userProfile
sambaPrimaryGroupSID: $SID-512
sambaLMPassword: XXX
sambaNTPassword: XXX
sambaAcctFlags: [U          ]
sambaSID: $SID-2996
loginShell: /bin/false
gecos: Netbios Domain Administrator

dn: uid=$guestName,$usersdn
cn: $guestName
sn: $guestName
objectClass: inetOrgPerson
objectClass: sambaSAMAccount
objectClass: posixAccount
gidNumber: 514
uid: $guestName
uidNumber: 999
homeDirectory: /dev/null
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: $_userSmbHome
sambaHomeDrive: $_userHomeDrive
sambaProfilePath: $_userProfile
sambaPrimaryGroupSID: $SID-514
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [NU         ]
sambaSID: $SID-2998
loginShell: /bin/false

dn: cn=Domain Admins,$groupsdn
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: $adminName
description: Netbios Domain Administrators
sambaSID: $SID-512
sambaGroupType: 2
displayName: Domain Admins

dn: cn=Domain Users,$groupsdn
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
description: Netbios Domain Users
sambaSID: $SID-513
sambaGroupType: 2
displayName: Domain Users

dn: cn=Domain Guests,$groupsdn
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
description: Netbios Domain Guests Users
sambaSID: $SID-514
sambaGroupType: 2
displayName: Domain Guests

dn: cn=Administrators,$groupsdn
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer/sambaDomainName
sambaSID: $SID-544
sambaGroupType: 2
displayName: Administrators

dn: cn=Users,$groupsdn
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 545
cn: Users
description: Netbios Domain Ordinary users
sambaSID: $SID-545
sambaGroupType: 2
displayName: users

dn: cn=Guests,$groupsdn
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 546
cn: Guests
memberUid: $guestName
description: Netbios Domain Users granted guest access to the computer/sambaDomainName
sambaSID: $SID-546
sambaGroupType: 2
displayName: Guests

dn: cn=Power Users,$groupsdn
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 547
cn: Power Users
description: Netbios Domain Members can share directories and printers
sambaSID: $SID-547
sambaGroupType: 2
displayName: Power Users

dn: cn=Account Operators,$groupsdn
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: Account Operators
description: Netbios Domain Users to manipulate users accounts
sambaSID: $SID-548
sambaGroupType: 2
displayName: Account Operators

dn: cn=Server Operators,$groupsdn
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 549
cn: Server Operators
description: Netbios Domain Server Operators (need smb.conf configuration)
sambaSID: $SID-549
sambaGroupType: 2
displayName: Server Operators

dn: cn=Print Operators,$groupsdn
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: Print Operators
description: Netbios Domain Print Operators (need smb.conf configuration)
sambaSID: $SID-550
sambaGroupType: 2
displayName: Print Operators

dn: cn=Backup Operators,$groupsdn
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
description: Netbios Domain Members can bypass file security to back up files
sambaSID: $SID-551
sambaGroupType: 2
displayName: Backup Operators

dn: cn=Replicator,$groupsdn
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicator
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: $SID-552
sambaGroupType: 2
displayName: Replicator

dn: cn=Domain Computers,$groupsdn
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 553
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: $SID-553
sambaGroupType: 2
displayName: Domain Computers
EOF
  close $FILE;
} else {
  $tmp_ldif_file=$_ldifName;
}

# Bind as the LDAP admin (credentials from smbldap_conf.pm) and add every
# entry of the LDIF, reporting parse errors and server-side add failures.
my $ldap_master=connect_ldap_master();
my $ldif = Net::LDAP::LDIF->new($tmp_ldif_file, "r", onerror => 'undef' );
while( not $ldif->eof() ) {
        my $entry = $ldif->read_entry();
        if ( $ldif->error() ) {
                print "Error msg: ",$ldif->error(),"\n";
                print "Error lines:\n",$ldif->error_lines(),"\n";
        } else {
                my $dn = $entry->dn;
                print "adding new entry: $dn\n";
                my $result=$ldap_master->add($entry);
                $result->code && warn "failed to add entry: ", $result->error ;
        }
}
$ldap_master->unbind;

# Only remove the scratch file this script created; the original removed
# $tmp_ldif_file unconditionally, which deleted a user-supplied ldif file.
unlink $tmp_ldif_file unless defined($_ldifName);
exit(0);

########################################

=head1 NAME

smbldap-populate.pl - Populate your LDAP database

=head1 SYNOPSIS

  smbldap-populate.pl [ldif-file]

=head1 DESCRIPTION

       The smbldap-populate.pl command helps to populate an LDAP server
       by adding the necessary entries : base suffix (doesn't abort
       if already there), organizational units for users, groups and
       computers, builtin users : Administrator and guest, builtin
       groups (though posixAccount only, no SambaTNG support).

       -a name  Your local administrator login name (default: Administrator)
       -b name  Your local guest login name (default: nobody)

       If you give an extra parameter, it is assumed to be the ldif
       file to use instead of the builtin one. Options -a and -b
       will be ignored.

=head1 FILES

       /usr/lib/perl5/site-perl/smbldap_conf.pm : Global parameters.

=head1 SEE ALSO

       smp(1)

=cut

#'

# - The End
```

Notice the objectClass: sambaGroupMapping; if your script does not have that, then use this one. You might need to add your Domain Admin account to the Domain Admins group by hand in Ldap when you are done.

That is about it. It's off the top of my head so YMMV, but it should get you started.
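As an added example (mine, not part of ozric100's post or the IDEALX scripts), a small Python check over LDIF like the script above writes: it flags the sambaGroupMapping point just made, accounts whose sambaPrimaryGroupSID names no mapped group, the placeholder password hashes the script inserts for the builtin users, and sambaSID values from more than one domain (the inconsistent-SID situation the pdbedit warning at the top of the thread mentions). The sample tree is constructed and its domain SIDs are made up.

```python
import re

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")  # a real NT/LM hash; populate writes "XXX"

def parse_ldif(text):
    """Blank-line separated 'attr: value' records; names lower-cased, repeated attrs as lists."""
    records, current = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return records

def lint(records):
    """Return human-readable findings for a parsed Samba 3 LDAP tree."""
    findings, domain_sids, group_sids = [], set(), {}
    for rec in records:  # pass 1: groups, plus the domain part of every SID
        dn, classes = rec["dn"][0], {c.lower() for c in rec.get("objectclass", [])}
        for sid in rec.get("sambasid", []):
            domain_sids.add(sid.rsplit("-", 1)[0])
        if "posixgroup" in classes and "sambagroupmapping" not in classes:
            findings.append(f"{dn}: posixGroup without sambaGroupMapping")
        elif "sambagroupmapping" in classes:
            group_sids.update((sid, dn) for sid in rec.get("sambasid", []))
    for rec in records:  # pass 2: accounts, now that group SIDs are known
        dn, classes = rec["dn"][0], {c.lower() for c in rec.get("objectclass", [])}
        if "sambasamaccount" not in classes:
            continue
        pg = rec.get("sambaprimarygroupsid", [""])[0]
        if pg not in group_sids:
            findings.append(f"{dn}: sambaPrimaryGroupSID {pg} matches no mapped group")
        for attr in ("sambantpassword", "sambalmpassword"):
            for value in rec.get(attr, []):
                if not HEX32.match(value):
                    findings.append(f"{dn}: {attr} holds placeholder {value!r}, not a hash")
    if len(domain_sids) > 1:
        findings.append("SIDs from more than one domain: " + ", ".join(sorted(domain_sids)))
    return findings

# Constructed sample (not from the thread): Domain Admins mapped, Domain Users a
# bare posixGroup, Administrator with a placeholder hash, a user from another domain.
SAMPLE_LDIF = """\
dn: cn=Domain Admins,ou=groups,dc=example,dc=test
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-512
sambaGroupType: 2

dn: cn=Domain Users,ou=groups,dc=example,dc=test
objectClass: posixGroup

dn: uid=Administrator,ou=users,dc=example,dc=test
objectClass: sambaSamAccount
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-512
sambaNTPassword: XXX

dn: uid=alice,ou=users,dc=example,dc=test
objectClass: sambaSamAccount
sambaPrimaryGroupSID: S-1-5-21-1111111111-2222222222-3333333333-513
sambaNTPassword: 0123456789abcdef0123456789ABCDEF
sambaSID: S-1-5-21-9999999999-8888888888-7777777777-1000
"""
```

Run it on a real export with `lint(parse_ldif(open("tree.ldif").read()))`; an empty list means none of the four problems is present.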

----------

## zoolook

Wow, thanx for that info. I have indeed nss_ldap and pam_ldap working. I tried to set up the whole samba stuff with phpldapadmin, but it didn't work. I will remove the domain and the groups I added for PDC operation, do as you just told me and then run the smbldap-populate script, and I hope all this won't break the things that do work now in ldap (pam & nss). I'll try it when I get home in one or two hours. I have symlinks, done by the emerge install, in /usr/share/samba/scripts/ to the 2 *.pm files in /etc/samba; is this what you meant by

> you need to symlink the *.pm files to your perl

? Or is it something else I just didn't get until now and that might solve the problem?

Anyway, thanx a lot for pointing me in the right direction, I will post my results here later this evening (or night; btw, I'm in Germany, what time zone are you in, ozric100?).

----------

## ozric100

> you need to symlink the *.pm files to your perl

You know ... so perl can load it as a module. Which reminds me, you need a few other mods to make the scripts work, an IO module; I forget if portage installs it for you. Anyway it's in the README for the scripts in /usr/share/docs/samba-3*/examples/.

I am EST, GMT -5.

----------

## Are`awn

Trying to get an idea of what I am going to do, and how to configure my smb.conf for ldap. I see this:

```
       ldap filter (G)
              This parameter specifies the RFC 2254 compliant LDAP search
              filter. The default is to match the login name with the uid
              attribute for all entries matching the sambaAccount objectclass.
              Note that this filter should only return one entry.

              Default: ldap filter = (&(uid=%u)(objectclass=sambaAccount))
```

Looking at my samba schema, which I got from my samba install, the only reference to sambaAccount I see is commented out, and in the 'Historical' section. Is this supposed to be? Or am I supposed to have a sambaAccount objectClass?

----------

## zoolook

Well, ozric100, thank you for your version of the "smbldap-populate.pl" script, mine was indeed lacking the sambaGroupMapping objectClass and the like. I also managed to create users and set their passwords with these perl scripts (I found the sources of the mkntpwd utility just by chance somewhere under /usr/share/doc/samba-3.0.0-r1/examples/LDAP...

When trying to join my WinXP SP1 machine (the RequireSignOrSeal registry DWORD value is set to 1), I get an "Access denied" error, although I created an "Administrator" domain admin user in LDAP with which I try to join the machine, and in the samba log it says that authentication succeeded. The machine account is created as well...

The strange "Access denied" stuff appears in the log, too:

```
[2003/10/30 23:36:03, 2] lib/smbldap.c:smbldap_search_suffix(1066)
  smbldap_search_suffix: searching for:[(&(&(uid=Administrator)(objectclass=sambaSamAccount))(objectclass=sambaSamAccount))]
[2003/10/30 23:36:03, 2] passdb/pdb_ldap.c:init_sam_from_ldap(460)
  init_sam_from_ldap: Entry found for user: Administrator
[2003/10/30 23:36:03, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1597)
  ldapsam_search_one_group: searching for:[(&(objectClass=sambaGroupMapping)(gidNumber=512))]
[2003/10/30 23:36:03, 2] passdb/pdb_ldap.c:init_group_from_ldap(1641)
  init_group_from_ldap: Entry found for group: 512
[2003/10/30 23:36:03, 2] auth/auth.c:check_ntlm_password(302)
  check_ntlm_password:  authentication for user [Administrator] -> [Administrator] -> [Administrator] succeeded
[2003/10/30 23:36:03, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.1.20)
[2003/10/30 23:36:03, 2] smbd/server.c:exit_server(558)
  Closing connections
[2003/10/30 23:36:03, 2] smbd/server.c:exit_server(558)
  Closing connections
[2003/10/30 23:36:03, 2] smbd/server.c:exit_server(558)
  Closing connections
[2003/10/30 23:36:03, 2] lib/smbldap.c:smbldap_search_suffix(1066)
  smbldap_search_suffix: searching for:[(&(&(uid=Administrator)(objectclass=sambaSamAccount))(objectclass=sambaSamAccount))]
[2003/10/30 23:36:03, 2] passdb/pdb_ldap.c:init_sam_from_ldap(460)
  init_sam_from_ldap: Entry found for user: Administrator
[2003/10/30 23:36:03, 2] passdb/pdb_ldap.c:ldapsam_search_one_group(1597)
  ldapsam_search_one_group: searching for:[(&(objectClass=sambaGroupMapping)(gidNumber=512))]
[2003/10/30 23:36:03, 2] passdb/pdb_ldap.c:init_group_from_ldap(1641)
  init_group_from_ldap: Entry found for group: 512
[2003/10/30 23:36:03, 2] auth/auth.c:check_ntlm_password(302)
  check_ntlm_password:  authentication for user [Administrator] -> [Administrator] -> [Administrator] succeeded
[2003/10/30 23:36:03, 2] lib/access.c:check_access(324)
  Allowed connection from  (192.168.1.20)
[2003/10/30 23:36:03, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2540)
  Returning domain sid for domain ACASA -> S-1-5-21-1111111111-2222222222-3333333333
[2003/10/30 23:36:03, 2] rpc_server/srv_samr_nt.c:access_check_samr_object(93)
  _samr_open_domain: ACCESS DENIED  (requested: 0x00000211)
[2003/10/30 23:36:03, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2540)
  Returning domain sid for domain ACASA -> S-1-5-21-1111111111-2222222222-3333333333
[2003/10/30 23:36:03, 2] rpc_server/srv_samr_nt.c:access_check_samr_function(115)
  _samr_create_user: ACCESS DENIED (granted: 0x00000201;  required: 0x00000010)
[2003/10/30 23:36:03, 2] smbd/server.c:exit_server(558)
  Closing connections
```

Can you conclude what's going wrong here, or do you need more info? Thanx!

----------

## Are`awn

Alright, I have smbldap-populate working. My smb.conf is simple for testing.

```
[global]
        workgroup = WIKI
        netbios name = EPIA
        passdb backend = ldapsam
        encrypt passwords = yes
        wins server = 10.2.6.90
        ldap admin dn = cn=admin,dc=home
        ldap delete dn = yes
        ldap group suffix = ou=groups,dc=home
        #ldap idmap suffix = ou=idmap,dc=home
        ldap machine suffix = ou=computers,dc=home
        ldap user suffix = ou=users,dc=home
        ldap passwd sync = yes
        #ldap server = 127.0.0.1
        #ldap port = 389
        ldap suffix = dc=home
```

Problem now is I do not see any of my groups. They are in my ldap tree, though. I do have the following error in my logs.

```
Oct 31 22:13:29 [smbd] ldapsam_search_one_group: Problem during the LDAP search: LDAP error:  (Insufficient access)smbldap_open: cannot access LDAP when not root..
Oct 31 22:13:29 [smbd] [2003/10/31 22:13:29, 0] passdb/pdb_ldap.c:ldapsam_setsamgrent(2048)
Oct 31 22:13:29 [smbd] ldapsam_setsamgrent: LDAP search failed: Insufficient access
Oct 31 22:13:29 [smbd] [2003/10/31 22:13:29, 0] passdb/pdb_ldap.c:ldapsam_enum_group_mapping(2113)
Oct 31 22:13:29 [smbd] ldapsam_enum_group_mapping: Unable to open passdb
```

So I figure I am having issues talking to my ldap server. But if that were true, I wouldn't be able to see my users with the command 'net rpc user'. Any ideas?

----------

## Xiderpunk

May I ask where you found the information to install and setup LDAP - NIS? I have tried the documents on the gentoo site and ran through it a number of times to no avail.

----------

## ozric100

I started out there. There are several things wrong with the docs, if I recall. There are also lots of threads on this forum about NSS and LDAP. I had the most problems with TLS, keys/CAs and access rules. Start out open, test, then tighten up a little and test again; repeat until you have it locked down.

----------

