Web lists-archives.com

Re: [Samba] Fwd: Migrating server




Hi Rob,

> Joining the machine to the domain
> 
> slapd[2332]: conn=1120 op=9 SRCH base="dc=mydomain" scope=2 
deref=0
> filter="(&(uid=sadmin)(objectClass=sambaSamAccount))" slapd[2332]:
> conn=1120 op=9 SRCH attr=uid uidNumber gidNumber homeDirectory
> sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange 
sambaLogonTime
> sambaLogoffTime sambaKickoffTime cn sn displayName sambaHomeDrive
> sambaHomePath sambaLogonScript sambaProfilePath description
> sambaUserWorkstations sambaSID sambaPrimaryGroupSID 
sambaLMPassword
> sambaNTPassword sambaDomainName objectClass sambaAcctFlags
> sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime
> sambaPasswordHistory modifyTimestamp sambaLogonHours 
modifyTimestamp
> uidNumber gidNumber homeDirectory loginShell gecos slapd[2332]: <=
> bdb_equality_candidates: (uid) not indexed slapd[2332]: conn=1120
> op=9 SEARCH RESULT tag=101 err=0 nentries=1 text= slapd[2332]:
> conn=1120 op=10 SRCH base="dc=mydomain" scope=2 deref=0
> filter="(&(gidNumber=1359)(objectClass=sambaGroupMapping))"
> slapd[2332]: conn=1120 op=10 SRCH attr=sambaSID slapd[2332]: <=
> bdb_equality_candidates: (gidNumber) not indexed slapd[2332]:
> conn=1120 op=10 SEARCH RESULT tag=101 err=0 nentries=0 text=
> slapd[2332]: conn=1120 op=11 SRCH base="dc=mydomain" scope=2 
deref=0
> filter="(&(objectClass=posixGroup)(|(memberUid=sadmin)
(gidNumber=1359)
> ))" slapd[2332]: conn=1120 op=11 SRCH attr=gidNumber sambaSID
> slapd[2332]: <= bdb_equality_candidates: (memberUid) not indexed
> slapd[2332]: <= bdb_equality_candidates: (gidNumber) not indexed
> slapd[2332]: conn=1120 op=11 SEARCH RESULT tag=101 err=0 
nentries=1
> text=
This is *not* a join. It is just samba's try to verify that sadmin has the rights 
(aka are in the right groups) to join. And he failed!

so post the output of

getent passwd sadmin
getent passwd hadmin

getent group 512
getent group 1359

After verifying group membership samba evaluates the privileges. This is 
not seen here. We set them, when we have solved the group problem.

> The two ways I can join a machine to teh domain is
> - Change to TDBSAM
> - Remove both the lines from smb.conf
> ldapsam:editposix = yes ldapsam:trusted = yes
> 
> The strange thing is that Win7 joins to the domain, reboots then gives
> the domain trust failed message. Windows10 joins and works. That
> might be an issue with the machine password
> 
> My question is that are we loosing anything by not using the editposix
> and trusted option. I understand that smbdlap is not supported but it
> seems to work in my testing
Once we have fixed the errors in your configuration and your data, I'm 
pretty sure that both, smbldap and sameditposix, will work. Then you must 
decide which route you will follow in the future.

Be patient, their are other errors.

PS
your output of the slapd logs are hard to read. Would be much easier if 
you turn of the line wrapping in your mail composer.

-- 

Gruss
	Harry Jede
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba