Setup of a new PDC with Samba 3.2.0


Setup of a new PDC with Samba 3.2.0

by devel


Hello,

I am setting up a new PDC for a new domain using Samba 3.2.0.
I use LDAP as the passwd/idmap backend.

I started from scratch, just creating the OUs for the
users/groups/machines/idmaps in the LDAP directory, plus a user used to bind
to LDAP.

So from there I started winbind and ran net sam provision, which worked
great.
Now I plan that this domain will have a one-way trust with one other domain,
and as I start playing with wbinfo to verify that the local/builtin groups
appear, I found that wbinfo -t fails to check the secret with:
myserver:/usr/local/samba/bin# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
Could not check secret

So, I'm wondering: do I need to create some kind of machine trust account
for the PDC itself, or is this reply from wbinfo -t expected?

[global]
        workgroup = EVENTLAB
        netbios name = TLS-SRV-01
        server string = Samba for EventLab
        interfaces = eth1 lo
        bind interfaces only = Yes
        hosts allow = 10.211.0.0/16 10.212.0.0/16 127.0.0.1
        socket address = 10.211.254.253
        passdb backend = ldapsam:ldap://127.0.0.1:389
        ldap admin dn = cn=SambaAdmin,dc=x-files,dc=fr
        ldap user suffix = ou=People
        ldap group suffix = ou=Groups
        ldap machine suffix = ou=Machines
        ldap suffix = dc=x-files,dc=fr
        ldapsam:trusted = Yes
        ldapsam:editposix = Yes
        time server = Yes
        map acl inherit = Yes
        nt acl support = Yes
        unix charset = UTF-8
# unix password sync = Yes
# passwd chat = *new*password* %n\n*new*password* %n\n *updated*
# pam password change = No
        passwd program = /usr/sbin/smbldap-passwd %u
# username map = /etc/samba/username.map
        reset on zero vc = Yes
        use sendfile = Yes
#
# Logon options
#
        domain logons = Yes
        logon drive = h:
        logon path = \\TLS-SRV-01\Profiles\%U
        logon home = \\TLS-SRV-01\%U
        logon script = Startup.bat

#
# Printing options
#
        load printers = No

#
# Browsing options
#
        os level = 65
        announce version = 4.9
        preferred master = No
        domain master = Yes
        local master = No
# remote browse sync = 10.212.254.254
# remote announce = 10.212.254.254

#
# WINS and resolver options
#
        wins support = Yes
# wins server = 10.212.254.254
        wins proxy = Yes
        name resolve order = lmhosts wins host bcast

#
# Debug options
#
        log level = 0
        debug timestamp = No
        debug prefix timestamp = No
        debug hires timestamp = No
        debug pid = Yes
        debug uid = Yes

#
# Winbind options
#
        winbind enum users = Yes
        winbind enum groups = Yes
        idmap domains = TRUSTEDDOM
        idmap config TRUSTEDDOM:backend = ldap
        idmap config TRUSTEDDOM:default = Yes
        idmap config TRUSTEDDOM:ldap_base_dn = ou=TRUSTEDDOM,ou=Idmaps,dc=x-files,dc=fr
        idmap config TRUSTEDDOM:ldap_user_dn = cn=SambaAdmin,dc=x-files,dc=fr
        idmap config TRUSTEDDOM:ldap_url     = ldap://localhost/
        idmap config TRUSTEDDOM:range        = 10000 - 10999

        idmap alloc backend = ldap
        idmap alloc config:ldap_base_dn = ou=Idmaps,dc=x-files,dc=fr
        idmap alloc config:ldap_user_dn = cn=SambaAdmin,dc=x-files,dc=fr
        idmap alloc config:ldap_url     = ldap://localhost/
        idmap alloc config:range        = 20000 - 20999
        template homedir = /home/home/%D/%U
        template shell = /bin/false
        winbind: rpc only = yes
        winbind nested groups = yes



--
François Legal
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba

Re: Setup of a new PDC with Samba 3.2.0

by Jeremy Allison


On Fri, Jul 11, 2008 at 04:50:55PM +0200, devel@... wrote:

> Hello,
>
> I am setting up a new PDC for a new domain using Samba 3.2.0.
> I use LDAP as the passwd/idmap backend.
>
> I started from scratch just creating the OU for the
> users/groups/machines/idmaps in the ldap directory, + a user used to bind
> to ldap.
>
> So from there I started winbind and ran net sam provision, which worked
> great.
> Now I plan that this domain will have a one-way trust with one other domain,
> and as I start playing with wbinfo to verify that the local/builtin groups
> appear, I found that wbinfo -t fails to check the secret with:
> myserver:/usr/local/samba/bin# wbinfo -t
> checking the trust secret via RPC calls failed
> error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
> Could not check secret
>
> So, I'm wondering: do I need to create some kind of machine trust account
> for the PDC itself, or is this reply from wbinfo -t expected?

Yes, you need to "join" the machine to itself (the PDC) using net join
before winbindd will work in this way on the PDC. Sorry, rather
counterintuitive I know, but that is the way it works at present.

Jeremy.

Re: Setup of a new PDC with Samba 3.2.0

by devel


Ok,

I just missed this part of the documentation (by the way, could anybody
point me to the place where this is specified? I could see it in the Samba HOWTO
chapter 13, but this is not obvious).
So I did successfully join the domain, and now I get the following error
on wbinfo -t:
MYSERVER:~# wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
Could not check secret

This looks like a resolver issue. I have
        wins server = 10.212.254.254
        wins proxy = Yes
        name resolve order = lmhosts wins host bcast
in smb.conf, and my lmhosts file says
10.211.254.253  MYDOMAIN
10.211.254.253  MYSERVER
and anyway the nmblookup succeeds:
tls-srv-01:~# nmblookup -R -U 10.212.254.254 MYDOMAIN#1b
querying MYDOMAIN on 10.212.254.254
10.211.254.253 MYDOMAIN<1b>
tls-srv-01:~# nmblookup -R -U 10.212.254.254 MYDOMAIN#1c
querying MYDOMAIN on 10.212.254.254
10.211.254.253 MYDOMAIN<1c>

> On Fri, Jul 11, 2008 at 04:50:55PM +0200, devel@... wrote:
>> Hello,
>>
>> I am setting up a new PDC for a new domain using Samba 3.2.0.
>> I use LDAP as the passwd/idmap backend.
>>
>> I started from scratch just creating the OU for the
>> users/groups/machines/idmaps in the ldap directory, + a user used to
>> bind
>> to ldap.
>>
>> So from there I started winbind and ran net sam provision, which worked
>> great.
>> Now I plan that this domain will have a one-way trust with one other domain,
>> and as I start playing with wbinfo to verify that the local/builtin groups
>> appear, I found that wbinfo -t fails to check the secret with:
>> myserver:/usr/local/samba/bin# wbinfo -t
>> checking the trust secret via RPC calls failed
>> error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
>> Could not check secret
>>
>> So, I'm wondering: do I need to create some kind of machine trust
>> account
>> for the PDC itself, or is this reply from wbinfo -t expected?
>
> Yes, you need to "join" the machine to itself (the PDC) using net join
> before winbindd will work in this way on the PDC. Sorry, rather
> counterintuitive I know, but that is the way it works at present.
>
> Jeremy.
>



Re: Setup of a new PDC with Samba 3.2.0

by Jeremy Allison


On Sat, Jul 12, 2008 at 10:30:13AM +0200, devel@... wrote:
> Ok,
>
> I just missed this part of the documentation (by the way, could anybody
> point me to the place where this is specified? I could see it in the Samba HOWTO
> chapter 13, but this is not obvious).

No, I think you're correct. This is where it's specified.
That's not really the right place.

I'd like to take a look and fix this, but might take a
while to get to the docs update. Anyone else willing to
help ?

> So I did successfully join the domain, and now I get the following error
> on wbinfo -t :
> MYSERVER:~# wbinfo -t
> checking the trust secret via RPC calls failed
> error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
> Could not check secret
>
> This looks like a resolver issue. I have
> wins server = 10.212.254.254
> wins proxy = Yes
> name resolve order = lmhosts wins host bcast
> in smb.conf, and my lmhosts file says
> 10.211.254.253  MYDOMAIN
> 10.211.254.253  MYSERVER
> and anyway the nmblookup succeeds:
> tls-srv-01:~# nmblookup -R -U 10.212.254.254 MYDOMAIN#1b
> querying MYDOMAIN on 10.212.254.254
> 10.211.254.253 MYDOMAIN<1b>
> tls-srv-01:~# nmblookup -R -U 10.212.254.254 MYDOMAIN#1c
> querying MYDOMAIN on 10.212.254.254
> 10.211.254.253 MYDOMAIN<1c>

Run winbindd -d10 and look at the core winbindd logs to
help find out why it can't find the DC.

Jeremy.

Re: Setup of a new PDC with Samba 3.2.0

by devel


Ok, so I could finally get the level 10 log out of winbindd.

I started it with winbindd -S -F -i -d 10 > log.winbindd

The complete log file is available at http://www.thom.fr.eu.org/log.winbindd

From what I can see, it seems to get NT_STATUS_IO_TIMEOUT when trying to
connect to MYSERVER (name resolution seems OK there); then it says "Receiving
SMB: Server stopped responding".

Any idea ?

> On Sat, Jul 12, 2008 at 10:30:13AM +0200, devel@... wrote:
>> Ok,
>>
>> I just missed this part of the documentation (by the way, could
>> anybody
>> point me to the place where this is specified? I could see it in the Samba HOWTO
>> chapter 13, but this is not obvious).
>
> No, I think you're correct. This is where it's specified.
> That's not really the right place.
>
> I'd like to take a look and fix this, but might take a
> while to get to the docs update. Anyone else willing to
> help ?
>
>> So I did successfully join the domain, and now I get the following error
>> on wbinfo -t :
>> MYSERVER:~# wbinfo -t
>> checking the trust secret via RPC calls failed
>> error code was NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND (0xc0000233)
>> Could not check secret
>>
>> This looks like a resolver issue. I have
>> wins server = 10.212.254.254
>> wins proxy = Yes
>> name resolve order = lmhosts wins host bcast
>> in smb.conf, and my lmhosts file says
>> 10.211.254.253  MYDOMAIN
>> 10.211.254.253  MYSERVER
>> and anyway the nmblookup succeeds:
>> tls-srv-01:~# nmblookup -R -U 10.212.254.254 MYDOMAIN#1b
>> querying MYDOMAIN on 10.212.254.254
>> 10.211.254.253 MYDOMAIN<1b>
>> tls-srv-01:~# nmblookup -R -U 10.212.254.254 MYDOMAIN#1c
>> querying MYDOMAIN on 10.212.254.254
>> 10.211.254.253 MYDOMAIN<1c>
>
> Run winbindd -d10 and look at the core winbindd logs to
> help find out why it can't find the DC.
>
> Jeremy.
>


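The checks this thread walks through (does the PDC have a machine account for itself, can the WINS server resolve DOMAIN<1b> and DOMAIN<1c>, what does wbinfo -t report) chained into one script, as an added example that is not code from the thread or from the Samba project. The helpers that interpret wbinfo and nmblookup output run offline against constructed input; the runner calls the real tools. Assumed and not stated on the page: the domain name, WINS address and the PDC's own NetBIOS name come from environment variables, the RPC-style join is done with net rpc join as the account used for the join (Administrator here) is an assumption, and net rpc testjoin is used to confirm the machine account exists. Mapping NT_STATUS_IO_TIMEOUT or any other code to "inspect the winbindd log" follows Jeremy's advice; the thread does not say what that timeout's cause was.

```shell
#!/bin/sh
# Added example, not from the thread or the Samba project.
# Assumptions: DOMAIN, WINS and NETBIOS_NAME are supplied by the caller;
# the join account name (Administrator) is illustrative.

# Map the NT_STATUS code printed by 'wbinfo -t' to the next step.
# Reads the wbinfo output on stdin and prints one keyword on stdout.
wbinfo_t_hint() {
    out=$(cat)
    case "$out" in
        *succeeded*) echo "ok"; return 0 ;;
    esac
    code=$(printf '%s\n' "$out" |
           sed -n 's/.*error code was \(NT_STATUS_[A-Z0-9_]*\).*/\1/p' | head -n 1)
    case "$code" in
        NT_STATUS_CANT_ACCESS_DOMAIN_INFO)
            # no machine trust account for the PDC itself yet
            echo "join-pdc-to-itself" ;;
        NT_STATUS_DOMAIN_CONTROLLER_NOT_FOUND)
            # winbindd could not locate DOMAIN<1b>/<1c>: WINS or lmhosts
            echo "check-name-resolution" ;;
        *)
            # anything else (e.g. NT_STATUS_IO_TIMEOUT): read winbindd -d10 output
            echo "inspect-winbindd-log" ;;
    esac
}

# Extract the address nmblookup returned for one NetBIOS suffix
# (1b = domain master browser, 1c = domain controllers).
# $1 = suffix without brackets; nmblookup output on stdin.
nmb_addr_for() {
    awk -v want="<$1>" 'index($2, want) { print $1; exit }'
}

# Chain the checks on a live PDC. Needs DOMAIN, WINS and NETBIOS_NAME.
pdc_selfcheck() {
    : "${DOMAIN:?set DOMAIN}" "${WINS:?set WINS}" "${NETBIOS_NAME:?set NETBIOS_NAME}"

    # 1. Is there a machine trust account for the PDC itself? If not, join
    #    the PDC to itself. The password is prompted for; never pass it as
    #    -U user%pass, which shows up in the process list.
    if ! net rpc testjoin >/dev/null 2>&1; then
        echo "no valid machine account for $NETBIOS_NAME; run:" >&2
        echo "  net rpc join -S $NETBIOS_NAME -U Administrator" >&2
        return 1
    fi

    # 2. Does the WINS server hold DOMAIN<1b> and DOMAIN<1c>?
    for sfx in 1b 1c; do
        addr=$(nmblookup -R -U "$WINS" "$DOMAIN#$sfx" | nmb_addr_for "$sfx")
        if [ -z "$addr" ]; then
            echo "$DOMAIN<$sfx> is not registered at WINS server $WINS" >&2
            return 1
        fi
        echo "$DOMAIN<$sfx> -> $addr"
    done

    # 3. Verify the trust secret and say what to do with the result.
    hint=$(wbinfo -t 2>&1 | wbinfo_t_hint)
    echo "wbinfo -t: $hint"
    [ "$hint" = "ok" ]
}

# Run the live checks only when asked, so the helpers can be sourced or
# tested without touching a real domain, e.g.:
#   PDC_SELFCHECK=1 DOMAIN=EVENTLAB WINS=10.212.254.254 NETBIOS_NAME=TLS-SRV-01 sh selfcheck.sh
if [ "${PDC_SELFCHECK:-0}" = "1" ]; then
    pdc_selfcheck
fi
```

The join step is the one that changes state, so it is printed rather than executed: an operator should run it once, interactively, on the PDC. The nmblookup step deliberately asks the WINS server directly (-R -U) instead of relying on the local name resolve order, so a stale lmhosts entry cannot mask a WINS registration problem.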