
[Samba] Setup of a new PDC with Samba 3.2.0

#1  07-11-2008  devel@thom.fr.eu.org
Subject: [Samba] Setup of a new PDC with Samba 3.2.0

Hello,

I am setting up a new PDC for a new domain using Samba 3.2.0.
I use LDAP as passwd/idmap backend.

I started from scratch just creating the OU for the
users/groups/machines/idmaps in the ldap directory, + a user used to bind
to ldap.

So from there I started winbind and ran net sam provision, which worked
great.
Now I plan this domain will have a one way trust with one other domain,
and as I start playing with wbinfo to verify the local/builtin groups
appear, I found that wbinfo -t fails to check secret with :
myserver:/usr/local/samba/bin# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
Could not check secret

So, I'm wondering, do I need to create some kind of machine trust account
for the PDC itself, or this reply from wbinfo -t is expected ?

[global]
workgroup = EVENTLAB
netbios name = TLS-SRV-01
server string = Samba for EventLab
interfaces = eth1 lo
bind interfaces only = Yes
hosts allow = 10.211.0.0/16 10.212.0.0/16 127.0.0.1
socket address = 10.211.254.253
passdb backend = ldapsam:ldap://127.0.0.1:389
ldap admin dn = cn=SambaAdmin,dc=x-files,dc=fr
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Machines
ldap suffix = dc=x-files,dc=fr
ldapsam:trusted = Yes
ldapsam:editposix = Yes
time server = Yes
map acl inherit = Yes
nt acl support = Yes
unix charset = UTF-8
# unix password sync = Yes
# passwd chat = *new*password* %n\n*new*password* %n\n *updated*
# pam password change = No
passwd program = /usr/sbin/smbldap-passwd %u
# username map = /etc/samba/username.map
reset on zero vc = Yes
use sendfile = Yes
#
# Logon options
#
domain logons = Yes
logon drive = h:
logon path = \\TLS-SRV-01\Profiles\%U
logon home = \\TLS-SRV-01\%U
logon script = Startup.bat

#
# Printing options
#
load printers = No

#
# Browsing options
#
os level = 65
announce version = 4.9
preferred master = No
domain master = Yes
local master = No
# remote browse sync = 10.212.254.254
# remote announce = 10.212.254.254

#
# WINS and resolver options
#
wins support = Yes
# wins server = 10.212.254.254
wins proxy = Yes
name resolve order = lmhosts wins host bcast

#
# Debug options
#
log level = 0
debug timestamp = No
debug prefix timestamp = No
debug hires timestamp = No
debug pid = Yes
debug uid = Yes

#
# Winbind options
#
winbind enum users = Yes
winbind enum groups = Yes
idmap domains = TRUSTEDDOM
idmap config TRUSTEDDOM:backend = ldap
idmap config TRUSTEDDOM:default = Yes
idmap config TRUSTEDDOM:ldap_base_dn = ou=TRUSTEDDOM,ou=Idmaps,dc=x-files,dc=fr
idmap config TRUSTEDDOM:ldap_user_dn = cn=SambaAdmin,dc=x-files,dc=fr
idmap config TRUSTEDDOM:ldap_url = ldap://localhost/
idmap config TRUSTEDDOM:range = 10000 - 10999

idmap alloc backend = ldap
idmap alloc config:ldap_base_dn = ou=Idmaps,dc=x-files,dc=fr
idmap alloc config:ldap_user_dn = cn=SambaAdmin,dc=x-files,dc=fr
idmap alloc config:ldap_url = ldap://localhost/
idmap alloc config:range = 20000 - 20999
template homedir = /home/home/%D/%U
template shell = /bin/false
winbind: rpc only = yes
winbind nested groups = yes



--
François Legal
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba

#2  07-11-2008  Jeremy Allison
Subject: Re: [Samba] Setup of a new PDC with Samba 3.2.0

On Fri, Jul 11, 2008 at 04:50:55PM +0200, devel@thom.fr.eu.org wrote:
> Hello,
>
> I am setting up a new PDC for a new domain using Samba 3.2.0.
> I use LDAP as passwd/idmap backend.
>
> I started from scratch just creating the OU for the
> users/groups/machines/idmaps in the ldap directory, + a user used to bind
> to ldap.
>
> So from there I started winbind and ran net sam provision, which worked
> great.
> Now I plan this domain will have a one way trust with one other domain,
> and as I start playing with wbinfo to verify the local/builtin groups
> appear, I found that wbinfo -t fails to check secret with :
> myserver:/usr/local/samba/bin# wbinfo -t
> checking the trust secret via RPC calls failed
> error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
> Could not check secret
>
> So, I'm wondering, do I need to create some kind of machine trust account
> for the PDC itself, or this reply from wbinfo -t is expected ?


Yes, you need to "join" the machine to itself (the PDC) using net join
before winbindd will work in this way on the PDC. Sorry, rather
counterintuitive I know, but that's the way it works at present.

Jeremy.
#3  07-12-2008  devel@thom.fr.eu.org
Subject: Re: [Samba] Setup of a new PDC with Samba 3.2.0

Ok,

I just missed this part of the documentation (by the way, could anybody
point me to the place where this is specified? I could see it in Samba Howto
chapter 13, but this is not obvious).
So I did successfully join the domain, and now I get the following error
on wbinfo -t:
MYSERVER:~# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
Could not check secret

This looks like a resolver issue. I have
wins server = 10.212.254.254
wins proxy = Yes
name resolve order = lmhosts wins host bcast
in smb.conf, and my lmhosts file says
10.211.254.253 MYDOMAIN
10.211.254.253 MYSERVER
and anyway the nmblookup succeeds:
tls-srv-01:~# nmblookup -R -U 10.212.254.254 MYDOMAIN#1b
querying MYDOMAIN on 10.212.254.254
10.211.254.253 MYDOMAIN<1b>
tls-srv-01:~# nmblookup -R -U 10.212.254.254 MYDOMAIN#1c
querying MYDOMAIN on 10.212.254.254
10.211.254.253 MYDOMAIN<1c>

#4  07-14-2008  Jeremy Allison
Subject: Re: [Samba] Setup of a new PDC with Samba 3.2.0

On Sat, Jul 12, 2008 at 10:30:13AM +0200, devel@thom.fr.eu.org wrote:
> Ok,
>
> I just missed this part of the documentation (by the way, could anybody
> point me to the place where this is specified? I could see it in Samba Howto
> chapter 13, but this is not obvious).


No, I think you're correct. This is where it's specified.
That's not really the right place.

I'd like to take a look and fix this, but might take a
while to get to the docs update. Anyone else willing to
help ?

> So I did successfully join the domain, and now I get the following error
> on wbinfo -t :
> MYSERVER:~# wbinfo -t
> checking the trust secret via RPC calls failed
> error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
> Could not check secret
>
> This looks like a resolver issue. I have
> wins server = 10.212.254.254
> wins proxy = Yes
> name resolve order = lmhosts wins host bcast
> in smb.conf, and my lmhosts file says
> 10.211.254.253 MYDOMAIN
> 10.211.254.253 MYSERVER
> and anyway the nmblookup succeeds:
> tls-srv-01:~# nmblookup -R -U 10.212.254.254 MYDOMAIN#1b
> querying MYDOMAIN on 10.212.254.254
> 10.211.254.253 MYDOMAIN<1b>
> tls-srv-01:~# nmblookup -R -U 10.212.254.254 MYDOMAIN#1c
> querying MYDOMAIN on 10.212.254.254
> 10.211.254.253 MYDOMAIN<1c>


Run winbindd -d10 and look at the core winbindd logs to
help find out why it can't find the DC.

Jeremy.
#5  07-17-2008  devel@thom.fr.eu.org
Subject: Re: [Samba] Setup of a new PDC with Samba 3.2.0

Ok, so I could finally get the level 10 log out of winbindd.

I started it with winbindd -S -F -i -d 10 > log.winbindd

The complete log file is available at http://www.thom.fr.eu.org/log.winbindd

From what I could see, it seems to get NT_STATUS_IO_TIMEOUT when trying to
connect to MYSERVER (name resolving seems OK there), then it says "Receiving
SMB: Server stopped responding".

Any idea?

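Added example, not part of the thread and not Samba project code: one way to triage a level-10 winbindd log such as the one described in the post above, listing each NT_STATUS code (and the "Server stopped responding" text) in order of first appearance with its count, first line number and the line that preceded it. The sample log lines are constructed for illustration; only the status names, the quoted error text and the MYSERVER/MYDOMAIN placeholders come from the thread.

```python
import re
import sys
from collections import OrderedDict

STATUS_RE = re.compile(r"\bNT_STATUS_[A-Z0-9_]+\b")  # status names in debug output
STALL_TEXT = "Server stopped responding"             # text quoted in the post above
BENIGN = {"NT_STATUS_OK"}                            # successes are not findings

# Constructed sample lines, not real winbindd output; host and domain names
# are the placeholders used in the thread.
SAMPLE_LOG = """\
name lookup for MYSERVER returned NT_STATUS_OK
connecting to MYSERVER (10.211.254.253)
connect to MYSERVER failed: NT_STATUS_IO_TIMEOUT
Receiving SMB: Server stopped responding
no usable DC for MYDOMAIN: NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND
connecting to MYSERVER (10.211.254.253)
connect to MYSERVER failed: NT_STATUS_IO_TIMEOUT
"""


def triage(log_text):
    """Map each failure marker to its count, first line number and the
    non-empty line that preceded its first occurrence."""
    findings = OrderedDict()
    previous = ""
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        markers = [m for m in STATUS_RE.findall(line) if m not in BENIGN]
        if STALL_TEXT in line:
            markers.append(STALL_TEXT)
        for marker in markers:
            entry = findings.setdefault(
                marker, {"count": 0, "first_line": lineno, "context": previous}
            )
            entry["count"] += 1
        if line.strip():
            previous = line.strip()
    return findings


if __name__ == "__main__":
    # Pass a log file path to analyse it; with no argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as handle:
            text = handle.read()
    else:
        text = SAMPLE_LOG
    for marker, info in triage(text).items():
        print(f"{info['count']:>4}x {marker} (first at line {info['first_line']})")
        print(f"      preceded by: {info['context']}")
```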