Re: Problems setting up Samba+LDAP PDC in Debian Sarge

To: debian-user@lists.debian.org, chema@interneta.org
Subject: Re: Problems setting up Samba+LDAP PDC in Debian Sarge
From: anoop aryal <aaryal@foresightint.com>
Date: Wed, 26 Oct 2005 10:47:28 -0500
Message-id: <[🔎] 200510261047.28762.aaryal@foresightint.com>
In-reply-to: <[🔎] a16615e30510260448y6c104fd3tccd67820566d58d8@mail.gmail.com>
References: <1130277430.637002.304290@g44g2000cwa.googlegroups.com> <[🔎] a16615e30510260448y6c104fd3tccd67820566d58d8@mail.gmail.com>

On Wednesday 26 October 2005 06:48 am, Chema wrote:
> Dear list,
>
> I have been struggling to get working a PDC using Samba with LDAP
> backend, in a fresh Debian Sarge install.
>
> 1. SeMachineAccountPrivilege
>
> I'm reading IDEALX's Linux Samba-OpenLDAP Howto as guidance. In my
> last attempt, everything appeared to be fine until the very end, the
> Integration test, when I added an admin user, got it on the "Domain
> Admin" and then tried to grant such group the
> SeMachineAccountPrivilege:
>
> dellj81:/# net -U root%MyUnixRootPass rpc rights grant 'CORENA\Domain
> Admins' SeMachineAccountPrivilege
> Failed to grant privileges for CORENA\Domain Admins
> (NT_STATUS_ACCESS_DENIED)
>
> Seems I have some kind of account problem here, since I can't make this
> to work using root nor Manager.
>
> The Howto states:
>
> <<To allow workstations to be joined to the domain, a root user must
> exist and used (uid=0).
>
> Such a user is created when initializing the directory whith the
> smbldap-populate script.
>
> >From Samba 3.0.12, it is now possible for admin users to join computers
>
> to the domain without using the "root" account."
> ...
> In fact, the 'root' account is needed in the first place so that the
> SeXXX privileges can be set.>>
>
> The smbldap-tools didn't setup any root/uid=0 account in LDAP:
>
> dellj81:/# slapcat | grep -i ^uid:
> uid: Administrator
> uid: nobody
> uid: admin
> uid: chema
> dellj81:/# slapcat | grep -i uidnum
> uidNumber: 1004
> uidNumber: 998
> uidNumber: 999
> uidNumber: 1002
> uidNumber: 1003
>
> So maybee that's what I'm missing, or should a standard (/etc/passwd)
> root suffice?
>
> 2. net getlocalsid
>
> Anyway, after fiddling around looking for clues, I found that I no
> longer can get my local sid:
>

lookup your SID from LDAP, then try:

$ net setlocalsid <SID>

[snip]

then make sure your groups are mapped. try:

$ net groupmap list


etc.. 

i can't remember the exact steps off the top of my head. but i hope this gets 
you going. if not, post back here and cc me and i'll try to find my notes.

anoop.

Reply to:

References:
- Problems setting up Samba+LDAP PDC in Debian Sarge
  - From: Chema <cateter@gmail.com>

Prev by Date: Mounting USB stuff
Next by Date: Re: udevd: get_netlink_msg: no ACTION in payload found
Previous by thread: Problems setting up Samba+LDAP PDC in Debian Sarge
Next by thread: .htaccess and .htpassword
Index(es):
- Date
- Thread