
Re: [Samba] PDC Multiple users




Harol Hunter wrote:
2008/1/28, Scott Lovenberg <scott.lovenberg@xxxxxxxxx>:
On Jan 28, 2008 1:39 PM, Harol Hunter <hhuntercu@xxxxxxxxx> wrote:
As you can see I'm still alive (I don't know for how long but ... ;-)
Well, let me tell you: all my users have a SID and a UID in her/his
account entries in LDAP. I'll attach my full smb.conf hoping you
can help me. Thanks a lot, pal.

[global]


#########################################################################
#                               NETBIOS OPTIONS                         #

#########################################################################
netbios name = intranet

workgroup = icic

server string = Servidor Intranet

#disable netbios = yes


#########################################################################
#                               SERVER OPTIONS                          #

#########################################################################
interfaces = eth0 lo

bind interfaces only = yes

socket address = 10.0.0.1

hosts allow = 10.0.0. 127.

hosts deny = 0.0.0.0/0


#########################################################################
#                               DOMAIN OPTIONS                          #

#########################################################################
security = user

preferred master = yes

domain master = yes

local master = yes

os level = 64

admin users = @"Domain Admins"

enable privileges = yes

allow trusted domains = no


########################################################################
#                               PASSWORDS OPTIONS                      #

########################################################################
passdb backend = ldapsam:ldap://127.0.0.1/

encrypt passwords = true

#passwd chat = Cambiando contrasena de \nNueva Contrasena %n\n Retype new password %n\n

passwd program = /usr/sbin/smbldap-passwd -u '%u'

obey pam restrictions = No


########################################################################
#                               USERS & GROUPS SCRIPTS                 #

########################################################################
#min passwd length = 6

add user script = /usr/sbin/smbldap-useradd -a -m '%u'

delete user script = /usr/sbin/smbldap-userdel '%u'

add group script = /usr/sbin/smbldap-groupadd -p '%g'

delete group script = /usr/sbin/smbldap-groupdel '%g'

add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'

delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'

set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

add machine script = /usr/sbin/smbldap-useradd -w '%u'


########################################################################
#                                LOGONS OPTIONS                        #

########################################################################
domain logons = yes

logon path = \\intranet\profiles\%u

logon home = \\%L\%u\.profiles

logon drive = H

logon script = logon.cmd


#######################################################################
#                               LDAP OPTIONS                          #

#######################################################################
ldap suffix = dc=my,dc=domain,dc=com

ldap admin dn = cn=admin,dc=my,dc=domain,dc=com

ldap machine suffix = ou=Computers

ldap user suffix = ou=Users

ldap group suffix = ou=Groups

ldap idmap suffix = ou=Idmap

#ldap filter = ((uid=%u)&(objectclass=sambaSamAccount))

#ldap ssl = start_tls

ldap passwd sync = Yes

ldap delete dn = yes

#ldapsam:trusted = no


#######################################################################
#                               WINBIND OPTIONS                       #

#######################################################################
idmap backend = ldap://127.0.0.1/

#idmap uid = 10000-20000

#idmap gid = 10000-20000

#winbind separator = '\'

winbind trusted domains only = yes

winbind use default domain = yes



#######################################################################
#                               LOGS OPTIONS                          #

#######################################################################
log file = /var/log/samba/smb.%m

#log level = 1

log level = 10 auth:10 nmbd:10

#max log size = 5000

syslog = 0


#######################################################################
#                               MISC. OPTIONS                         #

#######################################################################
wins support = yes

time server = yes

socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192

max xmit = 8192

#getwd cache = yes

name resolve order = hosts bcast

inherit acls = no

map acl inherit = yes

server signing = mandatory

dns proxy = no

svcctl list = bind9 apache2 chrony cron slapd winbind dhcpd3


#######################################################################
#                          SHARES                                     #

########################################################################
[homes]
comment = User's Home

writable = yes

browseable = no

create mask = 0700

directory mask = 0700


[netlogon]

comment = Network Logon Service

path = /home/samba/netlogon

browseable = no

writable = no

write list = @"Domain Admins"



[profiles]

comment = Network Users Profiles

path = /home/samba/profiles

csc policy = disable

writable =yes

#force user = %U

#valid users = %U

profile acls = yes

browseable = no

readonly = no




create mask = 0600

directory mask = 0700

Hrm, settings seem fine, as far as I can tell.  Have you tried the UPHClean
Windows Service?

From Chapter 27. Desktop Profile Management of the Samba How-To:
There are certain situations that cause a cached local copy of roaming
profile not to be deleted on exit, even if the policy to force such deletion
is set. To deal with that situation, a special service was created. The
application UPHClean (User Profile Hive Cleanup) can be installed as a
service on Windows NT4/2000/XP Professional and Windows 2003.
The UPHClean software package can be downloaded from the User Profile Hive
Cleanup Service[7] web site.

Chapter 27 of the Samba How-To might be worth a read.

I'm really fuzzy as to exactly what is going on.  All you did was add a few extra
clients, correct?  You were deleting the roaming profile successfully before
this without having problems?

 --
Peace and Blessings,
-Scott.

"Of course, that's just my opinion; I could be wrong"
-Dennis Miller

I think I finally found the problem, but now I don't know how to fix
it. Googling a little, I found a few old posts related to my problems
saying that the problem was a duplicated SambaSID entry, so I made a
search and guess what: all my users have the very same SambaSID, so you
were right from the beginning about the users map. I read I don't have to
map the samba accounts to unix, but all the users must have a
different SambaSID of course. I've no clue how this happened or how
to solve it. I only assume that it's because W2K profiles are
different from WXP ones and the users that started having problems have
logged in to both XP and 2K, am I correct? Anyway, I'll install XP on these
computers so all my network has the same OS, but I still need
help with how to change the users' SambaSID because I'm not sure how this
SID is given. Once again, thanks for your help.

Harol Hunter

Well, Win2K uses a different home path variable. I think they suggest using something like .9xprofile or something like that for the folder. I think there's a section on mixed environments in the samba guide; how this plays with LDAP is beyond my experience, but in theory it should work exactly the same as without LDAP - the backend data interface should not, IMHO, change the behavior of the application. Of course, theory and practice don't mix so well in computer science :). I think you can back up your profiles, and change the name of the server which should break the SID. This will invalidate EVERY account (machine accounts as well - you'll have to have a script for automatically adding machines, or create the machine accounts again), so when you add them back, you should get a new SID mapping for each user name. I wouldn't just do this in a production environment, test it before doing it as there is no way to undo it! I'm sure there must be a more elegant way to do this, but I don't know it.
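
A read-only check for the condition reported in this thread (several accounts holding one sambaSID), added here as an example and not code from the thread or from Samba: it parses an LDIF export and lists every sambaSID held by more than one entry. The sample entries are constructed, using the suffix from the posted smb.conf; `parse_ldif` and `duplicate_sids` are names chosen for this example.

```python
import base64
from collections import defaultdict

# Constructed sample in the shape of an LDIF export, e.g. from:
#   ldapsearch -x -LLL -b dc=my,dc=domain,dc=com '(sambaSID=*)' sambaSID
SAMPLE_LDIF = """\
dn: uid=alice,ou=Users,dc=my,dc=domain,dc=com
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3000

dn: uid=bob,ou=Users,dc=my,dc=domain,dc=com
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1111111111-2222222222-33333
 33333-3000

dn: uid=carol,ou=Users,dc=my,dc=domain,dc=com
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3004
"""

def parse_ldif(text):
    """Yield one {lowercased attribute: [values]} dict per LDIF entry."""
    # LDIF folds long lines: a continuation line starts with one space.
    unfolded = text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry[attr.lower()].append(value.strip())
        if "dn" in entry:
            yield dict(entry)

def duplicate_sids(entries):
    """Map each sambaSID held by more than one entry to the DNs holding it."""
    owners = defaultdict(list)
    for e in entries:
        for sid in e.get("sambasid", []):
            owners[sid].append(e["dn"][0])
    return {sid: dns for sid, dns in owners.items() if len(dns) > 1}

if __name__ == "__main__":
    for sid, dns in duplicate_sids(parse_ldif(SAMPLE_LDIF)).items():
        print(f"{sid} is shared by {len(dns)} entries:")
        for dn in dns:
            print(f"  {dn}")
```

An empty result means every entry in the export has its own sambaSID; the folded line in the sample is why values are unfolded before comparison.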