Web lists-archives.com

Re: [Samba] Fwd: Migrating server




Hi Rob,
please stay on list. Otherwise I will charge you :-)
By the way I have no problem to get payed.

> Hi Harry,
> 
> The one very obvious difference is the result of this command: #
> ldapsearch -xLLL -b dc=afrika,dc=xx -s sub -D
> cn=admin,dc=afrika,dc=xx -w 'sambadomainname=*'
> dn: sambaDomainName=SCHULE,dc=afrika,dc=xx
> 
> I get dn: sambaDomainName=MYDOMAIN, dc=mydomain which is different ,
> should it be MYDOMAIN dc=sam3dc?
I hope you have got the first line, the second will never work:
dn: sambaDomainName=MYDOMAIN,dc=mydomain
dn: sambaDomainName=MYDOMAIN, dc=mydomain

The difference is just one space. Remember ldap is white space sensitive!!!

You may get trouble with some dns resolver libs, because you use only one "domain component". Search for ndots...
You may also get trouble with certificate name validation for SSL/TLS hosts.

> sambaDomainName: MYDOMAIN
> sambaSID: S-1-5-21-3936576374-1604338294-181246221
> sambaAlgorithmicRidBase: 1000
> objectClass: sambaDomain
I prefer to add here an auxiliary objectclass: sambaUnixIdPool
More later on

> sambaNextUserRid: 1000
> sambaMinPwdLength: 5
> sambaPwdHistoryLength: 0
> sambaLogonToChgPwd: 0
> sambaMaxPwdAge: -1
> sambaMinPwdAge: 0
> sambaLockoutDuration: 30
> sambaLockoutObservationWindow: 30
> sambaLockoutThreshold: 0
> sambaForceLogoff: -1
> sambaRefuseMachinePwdChange: 0
> sambaNextRid: 1002
> 
> 
> 
> 
> ldapsearch -LLL -Y EXTERNAL -H ldapi:/// -b cn=schema,cn=config
> 'olcAttributeTypes=*' dn
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> dn: cn=schema,cn=config
> 
> dn: cn={0}core,cn=schema,cn=config
> 
> dn: cn={1}cosine,cn=schema,cn=config
> 
> dn: cn={2}nis,cn=schema,cn=config
> 
> dn: cn={3}inetorgperson,cn=schema,cn=config
> 
> dn: cn={4}samba,cn=schema,cn=config
That is the minimum you need. So it is OK.

> 
> ldapsearch -xLLL -s base -b dc=mydomain
> dn: dc=mydomain
> objectClass: top
> objectClass: dcObject
> objectClass: organization
> o: mydomain
> dc: mydomain
OK

> 
> 
> 
> The one thing I found is that when I tried to add a new Win10 machine
> to the domain, I got wrong password. The login details I entered is
> for a admin account. I then changed the password using smbpasswd and
> then I got the machine was joined with another account error message
OK. But what error message? What command?
 Please post the resulting machine account.

You should first try a win 7 machine. From win 7 to current win 10
 the default settings for smb protocol has changed. Thanks to wanna cry.
 Maybe "max protocol = NT1" will help. But read man smb.conf section:
 client max protocol. Depending on the used clients you should go with
 the highest protocol level!!!

> The other bits are similar to yours. Here is the smb.conf
> 
> 
> [global]
>         workgroup = MYDOMAIN
>         bind interfaces only = Yes
>         netbios name = sam3DC
>         security = USER
>         dns forwarder = 8.8.8.8
"dns forwarder" is not required, *but* if you set this entry,
 it should point to a local DNS server.
 Google is not always the best choice.

>   passdb backend = ldapsam:ldap://127.0.0.1/
>   obey pam restrictions = no
That I would change to yes. If yes, pam can create the
 home directorys if you add users from windows tools or
 samba tools. The user dir is created at first logon.
 The template directory is /etc/skel.

>   ldap admin dn = cn=admin,dc=mydomain
>   ldap suffix = dc=mydomain
>   ldap group suffix = ou=Group
>   ldap user suffix = ou=People
>   ldap machine suffix = ou=Computers
>   ldap idmap suffix = ou=People
>   ldap passwd sync = No
>   unix password sync = Yes
>   passwd program = /usr/sbin/smbldap-passwd -u %u
>   passwd chat = *New*password* %n\n *Retype*new*password* %n\n
>   ldap ssl= no
> 
>        encrypt passwords = true
>         password server = sam3dc
What sould be the benefit ???
At first you setup this host as a PDC and then you delegate
 to an other password server?

>          check password script = /usr/local/sbin/crackcheck -d
> /var/cache/cracklib/cracklib_dict
> 
>         unix password sync = No
You should add:
        ldap passwd sync     = yes
        pam password change  = yes
 to sync windows and unix passwords.

>         log level = 10 auth:5
tooooooooooooo high
		log level = 1 auth:5
 makes more sense

>         syslog = 0
>         log file = /var/log/samba/log.%m
>         max log size = 1000
> 
>          socket options = IPTOS_LOWDELAY TCP_NODELAY SO_KEEPALIVE
> SO_SNDBUF=8192 SO_RCVBUF=8192
Please remove this line. Do not ask me or any other.
 Just do it. It is mystic.

>         local master = No
>         domain master = No
>         preferred master = No
If this host should be a domain controler ( primary or secondary )
 change all to yes

Test it with nmblookup i.e.
# nmblookup SCHULE
querying SCHULE on 127.255.255.255
10.100.0.1 SCHULE<00>

# nmblookup -M  SCHULE
querying SCHULE on 127.255.255.255
10.100.0.1 SCHULE<1d>

# nmblookup ALIX
querying ALIX on 127.255.255.255
10.100.0.1 ALIX<00>

# nmblookup -M  ALIX
querying ALIX on 127.255.255.255
querying ALIX on 10.100.255.255
name_query failed to find name ALIX#1d

Where SCHULE is the netbios domain name and
ALIX is the PDC name.

>          invalid users =
>           hosts deny = ALL
Fine, you deny all hosts on your network. What are you doing here?

>         load printers = Yes
>         printcap name = cups
>         printing = cups
>         add machine script = /usr/sbin/useradd -d /dev/null -g
> machines -s /bin/false %u
This will *not* add windows hosts to the ldap backend. So do not
 expect working windows machines.

A common script is:
        add machine script   = /usr/sbin/smbldap-useradd -w "%u"

>         # Logon Options
>         logon script = %U.bat
>         logon drive = n:
>         domain logons = Yes
> 
>         logon home = \\%L\%u\%a\.profiles
>         logon home = \\%L\%U\profile
Overwriting entrys in this way seems bad practice, surely it works.

>         logon path =
> 
>         # Browse Options
>         os level = 65
>         preferred master = Yes
>         local master = Yes
>         domain master = Yes
Fine you will setup the Netbios stuff. Please remove the
 other lines. This one wins, because they comes later in this file. 

>         # WINS Options
>         dns proxy = No
>         wins proxy = No
>         wins support = Yes
> 
> 
>         # Getting symlinks working for the OCEs
>         unix extensions = no
> 
>         # Audit settings
>         full_audit:prefix = %u|%I|%S
>         full_audit:failure = none
>         full_audit:success = mkdir rmdir read pread write pwrite
> rename unlink
>         full_audit:facility = local5
>         full_audit:priority = notice
> 
> [homes]
>         comment = Home Directories
>         create mask = 0700
>         directory mask = 0700
>         browseable = No
>         read only = No
>         path = %H/samba
unusual, but if it works for you

>         vfs objects = full_audit
you have silently disabled acl handling!
        vfs objects = acl_xattr full_audit

>         follow symlinks = yes
risky. Remove it if possible. Otherwise change symlinks to real dirs
 and remove then. 




Check if you have a machine account for your server:
# ldapsearch -xLLL 'uid=hostname$'
I assume you have none.

Now, the unixidpool:

Add the attached	ldif with:
ldapmodify -x -D cn=admin,dc=mydomain -W -f unixidpool.ldif

check if it is OK
# ldapsearch -xLLL objectclass=sambaunixidpool

Restart samba and reapply the admin password. This should add the machine account:
smbpasswd -w <ldap admin password>

If the machine account is not their, restart both samba and winbind and wait some seconds.

The next useable uidnumber in smabaDomainName should change from 10000 to 10001.
# ldapsearch -xLLL uidnumber=10001
dn: sambaDomainName=SCHULE,dc=afrika,dc=xx
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: SCHULE
sambaSID: S-1-5-21-1507708399-2130971284-2230424465
sambaAlgorithmicRidBase: 1000
sambaNextRid: 100000
sambaNextUserRid: 2000
sambaNextGroupRid: 100000
uidNumber: 10001
gidNumber: 2000
sambaPwdHistoryLength: 0
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaMinPwdAge: 0
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1

have fun

# cat unixidpool.ldif 
dn: sambaDomainName=MYDOMAIN,dc=mydomain
changetype: modify
add: objectclass
objectclass: sambaUnixIdPool
-
add: uidnumber
uidnumber: 10000
-
add: gidnumber
gidnumber: 10000
-

-- 

Gruss
	Harry Jede
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba