#1  18th March 2008, 05:05 AM  barry905
FDS as Domain Controller Howto - replace Windows 2003 Server

This is the story of how I finally replaced a Windows 2003 Domain Controller with a Linux based domain controller and used it with a mixture of Linux and Windows workstations. My main reason for doing this was to demonstrate that it could be done and to find out how. It is written in the form of a Howto, and hopefully it will be of use to other people trying the same exercise.

Acknowledgments:

This document is a continuation, if you will, of the Samba Howto that can be found at http://directory.fedoraproject.org/w...ntation#Howtos. To the author(s) of that document I offer my heartfelt thanks, but found that the document did not cover all the steps required to implement a Domain Controller using FDS. This document is my attempt to continue that document to include all necessary steps.

Needless to say, any error and omissions in this document are mine and mine alone: and I would appreciate it if you would let me know of any that you find.

Part 1 - Installing the Software

Background:

Over a number of years I have developed a home network that I use to test my wilder flights of fancy. Typically I use this setup to evaluate operating system, software packages, hardware components. I use it both for functional tests and performance testing, and so all the hardware is available to be re-used and re-configured at any time. The only exception to this are three disks that are reserved as data disks, and they contain either the original or backup copies of all data that I do not want to lose. For this reason, I tend to use separate disks for the operating system in all my machines, and keep the data on other disks.

So this is my testbed. It comprises two servers and three workstations. The whole is physically wired together and shares a single IP addressing scheme, but with a Windows 2003 PDC the Windows and Linux portions were effectively separate. This I wanted to rectify. I used the same hardware (from the Windows Server) but changed to a Fedora 8 system with Samba 3 and a Fedora Directory Server backend to manage user accounts.

For those hardware junkies amongst you this is the hardware that I used for my test network:

seagoon Domain Controller
Fedora 8 (Formerly Windows 2003)
Sempron 2800+, 576 MB Memory
Asus K8V-VM Motherboard
VIA K8M890 Integrated Graphics Controller
20 GB system disk
250 GB data disk
320 GB data disk
DVD+R

minnie Workstation
Fedora 8
Sempron 2800+, 512 MB Memory
Asus A7V400-MX Motherboard
Asus A9250 Graphics Controller
10 GB system disk
35 GB data disk
9 GB data disk
5 GB data disk
DVD+RW

bloodnock Workstation for testing
Fedora 8
Athlon 64 X2 3800+, 1 GB Memory
Asus M2N-MX SE+ Motherboard
Saffire Radeon X550 Graphics Controller
20 GB system disk
DVD+R

eccles General Purpose Workstation
Windows XP
Athlon 64 6000+, 2 GB Memory
Asus M2NPV-VM Motherboard
Asus EN7300GT Graphics Controller
80 GB system disk
DVD+R
DVD+RW

bluebottle Web Server
Fedora 8
Pentium III 550MHz, 512 MB Memory
HP Motherboard
ATI Radeon 7000 Graphics Controller
20 GB system disk
DVD+R
CD+RW

Prerequisites for the domain controller:

Fedora 8 clean install. I installed a fresh version of Fedora 8 for this, and added all the upgrades so that I had the latest versions of all the software packages. I installed a minimum number of packages - just enough to run the server and nothing else. I did not install any of the development packages, and only the Servers I needed (BIND, SMB, HTTP). Once I finished the install, I configured the Services so that only the minimum that I needed were started.

Samba SMB server. I used the latest from the release, 3.0.28.

Apache web server 2.2.8-1

DNS for the network. For this I used BIND 9.5.0-23, which was the latest. Before starting to configure the PDC I needed to set this up. This bit is fairly significant. It allows the Windows workstations to access the domain controller without requiring third-party modifications such as pGina. You will see from the list below that my domain is called "home" (imaginative) and uses the 192.168.1 addresses. The service records are there to enable Windows to identify and talk to the domain controller. This is the data that I used:

$TTL 1H
@       IN SOA seagoon root.seagoon.home. (
                7       ; serial
                3H      ; refresh
                1H      ; retry
                1W      ; expire
                1H )    ; negative-cache TTL
        IN NS seagoon
seagoon     IN 1H A 192.168.1.2
bloodnock   IN 1H A 192.168.1.120
minnie      IN 1H A 192.168.1.150
eccles      IN 1H A 192.168.1.100
bluebottle  IN 1H A 192.168.1.5
; Service records that let Windows clients locate the domain controller.
; Targets without a trailing dot are relative to the zone origin ("home"),
; so a fully qualified target must end in a dot.
_ldap._tcp.dc._msdcs                  IN 1H SRV 0 100 389 seagoon
_ldap._tcp.pdc._msdcs                 IN 1H SRV 0 100 389 seagoon
                                      IN 1H SRV 0 100 389 seagoon.home.
_ldap._tcp                            IN 1H SRV 0 100 389 seagoon
_ldap._tcp.home-site._sites           IN 1H SRV 0 100 389 seagoon
_ldap._tcp.home-site._sites.dc._msdcs IN 1H SRV 0 100 389 seagoon
_ldap._tcp.gc._msdcs                  IN 1H SRV 0 100 389 seagoon
_gc._tcp                              IN 1H SRV 0 100 3268 seagoon
_gc._tcp.home-site._sites             IN 1H SRV 0 100 3268 seagoon

I wanted to use the openLDAP migrations tools, which I extracted from the openLDAP rpm file and copied to the /usr/share/openldap/migration directory.

Finally I needed the ol-schema-migrate.pl tool mentioned in the howto; this can be obtained from http://directory.fedoraproject.org/d...ema-migrate.pl

Now we can begin configuring.

Firstly, add the necessary repositories so that we can get the latest version of the DS code

$ cd /etc/yum.repos.d
$ wget http://directory.fedoraproject.org/s...idmcommon.repo
$ wget http://directory.fedoraproject.org/sources/dirsrv.repo

Now install Fedora Directory Server software, and then configure it.

$ yum install fedora-ds
$ setup-ds-admin

In the interests of space I have just posted the replies I made to the setup script. The whole thing will not fit into this post, so I have just included my choices.

Choose a setup type [2]: 2

Computer name [seagoon]: seagoon.home

System User [nobody]:

System Group [nobody]:

Do you want to register this software with an existing
configuration directory server? [no]:

Please enter the administrator ID for the configuration directory

Configuration directory server administrator ID [admin]:
Password
Password (confirm)

Administration Domain [home]

Directory server network port [389]

Directory server identifier [seagoon]

Suffix [dc=home]

Directory Manager DN [cn=Directory Manager]
Password
Password (confirm)

Administration port [9830]


Log file is '/tmp/setupqbdJiS.log'

Just test to see if it's working - this will open the admin screen. If it does, everything is working fine and you can breathe again. If not, it's time to troubleshoot. Check the logs, or repeat the install.

$ fedora-idm-console

Now create an ldif file to add the samba schema to FDS and load it into the server:

$ ./ol-schema-migrate.pl -b /usr/share/doc/samba-*/LDAP/samba.schema \
    > /etc/dirsrv/slapd-seagoon/schema/61samba.ldif
$ service dirsrv restart

Use the Authentication application to enable LDAP and Winbind for user information and LDAP, Winbind and SMB for authentication.

Last edited by barry905; 3rd May 2008 at 05:14 AM. Reason: Corrected the prerequisites
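The SRV records above are what a Windows client queries to find the domain controller, and a typo in an owner name fails silently. The checker below is an added example for this part of the howto (it is not code from the post): it parses a zone fragment in the post's own layout, follows an owner-less continuation line the way a master file does, and reports locator records that are missing or that glue `_msdcs` on with an underscore. The sample zone is constructed from the post's data; the site name "home-site" is taken from the post, and the list of required owners is an assumption about which records an NT4-style client looks up.

```python
"""Check the SRV records Windows clients use to locate the domain controller.

Added example; not code from the post. ZONE_SAMPLE is constructed from the
post's zone data, and the set of required owners is an assumption.
"""
import re

# Constructed sample: the post's zone data condensed to one line per record,
# including the bare continuation line (no owner name) and the
# "home_site ... dc_msdcs" spelling as posted.
ZONE_SAMPLE = """\
@ SOA seagoon root.seagoon.home. ( 7 3H 1H 1W 1H )
NS seagoon
seagoon IN 1H A 192.168.1.2
_ldap._tcp.dc._msdcs IN 1H SRV 0 100 389 seagoon
_ldap._tcp.pdc._msdcs IN 1H SRV 0 100 389 seagoon
IN 1H SRV 0 100 389 seagoon.home
_ldap._tcp IN 1H SRV 0 100 389 seagoon
_ldap._tcp.home-site._sites IN 1H SRV 0 100 389 seagoon
_ldap._tcp.home_site._sites.dc_msdcs IN 1H SRV 0 100 389 seagoon
_ldap._tcp.gc._msdcs IN 1H SRV 0 100 389 seagoon
_gc._tcp IN 1H SRV 0 100 3268 seagoon
_gc._tcp.home-site._sites IN 1H SRV 0 100 3268 seagoon
"""

# Tokens that can only begin a record which has no owner name of its own.
_OWNERLESS = {"IN", "CH", "HS", "A", "NS", "SOA", "SRV", "MX", "CNAME"}
_TTL_RE = re.compile(r"\d+[smhdw]?", re.I)


def _has_no_owner(first_token):
    return first_token.upper() in _OWNERLESS or _TTL_RE.fullmatch(first_token) is not None


def parse_srv_records(zone_text):
    """Return (owner, priority, weight, port, target) for every SRV record."""
    records, last_owner = [], None
    for raw in zone_text.splitlines():
        tokens = raw.split(";", 1)[0].split()      # drop comments
        if not tokens:
            continue
        if raw[:1].isspace() or _has_no_owner(tokens[0]):
            owner = last_owner                      # inherit the previous owner
        else:
            owner, tokens = tokens[0], tokens[1:]
        if owner is None:
            raise ValueError(f"record without owner name: {raw!r}")
        last_owner = owner
        upper = [t.upper() for t in tokens]
        if "SRV" in upper:
            i = upper.index("SRV")
            prio, weight, port = (int(t) for t in tokens[i + 1:i + 4])
            records.append((owner, prio, weight, port, tokens[i + 4]))
    return records


def required_locator_owners(site):
    """Owners an NT4-style client queries while locating a DC (assumption)."""
    return {
        "_ldap._tcp",
        "_ldap._tcp.dc._msdcs",
        "_ldap._tcp.pdc._msdcs",
        f"_ldap._tcp.{site}._sites",
        f"_ldap._tcp.{site}._sites.dc._msdcs",
    }


def check_dc_locator_records(zone_text, site="home-site"):
    """Return (missing, suspicious).

    missing:    required owners absent from the zone.
    suspicious: owners where '_msdcs' is attached with '_' instead of '.',
                which a resolver treats as an unrelated name.
    """
    present = {owner for owner, *_ in parse_srv_records(zone_text)}
    missing = sorted(required_locator_owners(site) - present)
    suspicious = sorted(o for o in present
                        if "_msdcs" in o and not o.endswith("._msdcs"))
    return missing, suspicious


if __name__ == "__main__":
    missing, suspicious = check_dc_locator_records(ZONE_SAMPLE)
    print("missing:   ", missing)
    print("suspicious:", suspicious)
```

Run against the sample it reports `_ldap._tcp.home-site._sites.dc._msdcs` as missing and `_ldap._tcp.home_site._sites.dc_msdcs` as the suspicious spelling; correcting that one owner clears both lists. After editing the real zone, `dig SRV _ldap._tcp.pdc._msdcs.home` against the server is the equivalent live check.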
#2  18th March 2008, 05:07 AM  barry905
Part 2 - Configuring Samba

Now edit your samba configuration file to look something like this:

# This is the main Samba configuration file.

#======================= Global Settings =====================================

[global]

#--authconfig--start-line--

# Generated by authconfig on 2008/03/09 11:49:03
# DO NOT EDIT THIS SECTION (delimited by --start-line--/--end-line--)
# Any modification may be deleted or altered by authconfig in future

workgroup = home
password server = seagoon
security = user
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
template shell = /bin/false
winbind use default domain = false
winbind offline logon = true

#--authconfig--end-line--

server string = home domain PDC
netbios name = seagoon

interfaces = lo eth0
hosts allow = 127. 192.168.1.

log file = /var/log/samba/log.%m
max log size = 50

encrypt passwords = yes
unix password sync = yes
# The next three lines were added to correct a problem with users changing their password
passwd program = /usr/sbin/smbldap-passwd %u
pam password change = no
ldap password sync = yes


passdb backend = ldapsam:ldap://192.168.1.2/
ldap admin dn = cn=Directory Manager
ldap suffix = dc=home
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
ldap group suffix = ou=Groups

domain master = yes
domain logons = yes
preferred master = yes
local master = yes
os level = 65


add user script = /usr/sbin/useradd "%u" -n -g users
add group script = /usr/sbin/groupadd "%g"
add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
delete user script = /usr/sbin/userdel "%u"
delete user from group script = /usr/sbin/userdel "%u" "%g"
delete group script = /usr/sbin/groupdel "%g"

# disables roaming profiles

logon path =
logon home =

wins support = yes
wins proxy = no
dns proxy = yes

# --------------------------- Printing Options -----------------------------
#

cups options = raw
printcap name = /etc/printcap
printing = cups


#============================ Share Definitions ==============================

[homes]
comment = Home Directories
browseable = no
writeable = yes
valid users = %S

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = yes
writeable = no
printable = yes

[utils]
path = /more_data/utils
writeable = yes
browseable = yes
guest ok = yes

[downloads]
path = /more_data/downloads
writeable = yes
browseable = yes
guest ok = yes

[games]
path = /more_data/games
writeable = yes
browseable = yes
guest ok = yes

Test this and start samba

$ testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[printers]"
Processing section "[utils]"
Processing section "[games]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
workgroup = HOME
server string = home domain PDC
interfaces = lo, eth0
password server = seagoon
passdb backend = ldapsam:ldap://192.168.1.2/
passwd program = /usr/bin/passwd %u
unix password sync = Yes
log file = /var/log/samba/log.%m
max log size = 50
printcap name = /etc/printcap
add user script = /usr/sbin/useradd "%u" -n -g users
delete user script = /usr/sbin/userdel "%u"
add group script = /usr/sbin/groupadd "%g"
delete group script = /usr/sbin/groupdel "%g"
delete user from group script = /usr/sbin/userdel "%u" "%g"
add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
logon path =
logon home =
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=Directory Manager
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap suffix = dc=home
ldap user suffix = ou=People
idmap uid = 16777216-33554431
idmap gid = 16777216-33554431
winbind offline logon = Yes
hosts allow = 127., 192.168.1.
printing = cups
cups options = raw
print command =
lpq command = %p
lprm command =

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[printers]
comment = All Printers
path = /var/spool/samba
guest ok = Yes
printable = Yes
browseable = No
share modes = No

[utils]
path = /more_data/utils
read only = No
guest ok = Yes

[downloads]
path = /more_data/downloads
read only = No
guest ok = Yes

[games]
path = /more_data/games
read only = No
guest ok = Yes



Now create the password for the ldap manager

$ smbpasswd -w directory_manager_password
$ net getlocalsid

Now create a domain name ldif file (sambaDomainName.ldif) that is similar to the one below, but substitute your own domain name and SID:

dn: sambaDomainName=home,dc=home
objectclass: sambaDomain
objectclass: sambaUnixIdPool
objectclass: top
sambaDomainName: home
sambaSID: S-1-5-21-572043478-4085498504-1707095083
uidNumber: 550
gidNumber: 550

And now add it to FDS

$ /usr/lib/dirsrv/slapd-seagoon/ldif2ldap "cn=Directory Manager" directory_manager_password ./sambaDomainName.ldif

Now for the groups. First create a file sambaGroups which contains:

Domain Admins:x:2512:
Domain Users:x:2513:
Domain Guests:x:2514:
Domain Computers:x:2515:

Then convert it to an ldif file and add it to FDS

$ /usr/share/openldap/migration/migrate_group.pl ./sambaGroups > sambaGroups.ldif
$ /usr/lib/dirsrv/slapd-seagoon/ldif2ldap "cn=Directory Manager" directory_manager_password ./sambaGroups.ldif

Next create some unix groups and map them to the equivalent NT groups

$ groupadd -g 2512 Domain_Admins
$ groupadd -g 2513 Domain_Users
$ groupadd -g 2514 Domain_Guests
$ groupadd -g 2515 Domain_Computers
$ net groupmap add rid=2512 ntgroup='Domain Admins' unixgroup='Domain_Admins'
$ net groupmap add rid=2513 ntgroup='Domain Users' unixgroup='Domain_Users'
$ net groupmap add rid=2514 ntgroup='Domain Guests' unixgroup='Domain_Guests'
$ net groupmap add rid=2515 ntgroup='Domain Computers' unixgroup='Domain_Computers'

And make sure that worked correctly

$ net groupmap list

The final step is to add an Administrator account. To do this we need to create the account and then modify it to use the correct Samba SID. So create a sambaAdmin file containing:

Administrator:*:0:0:Samba Admin:/root:/bin/bash

Then import it into FDS and edit it:

$ /usr/share/openldap/migration/migrate_passwd.pl ./sambaAdmin > sambaAdmin.ldif
$ /usr/lib/dirsrv/slapd-seagoon/ldif2ldap "cn=Directory Manager" directory_manager_password ./sambaAdmin.ldif
$ smbpasswd -a Administrator
$ pdbedit -U $(net getlocalsid | sed 's/SID for domain SEAGOON is: //')-500 -u Administrator -r

To make my life a little easier I wanted a utility to add users to the directory, but I could not find one. So I wrote a simple script to do the work for me. This is it:

#!/bin/bash
#
# script to add a user account to LDAP
# usage: ldap_user_add.sh <username>
#
[ -n "$1" ] || { echo "usage: $0 username" >&2; exit 1; }
/usr/sbin/useradd -n -g Domain_Users "$1"
# match the whole account name, so that "user1" does not also pick up "user10"
grep "^$1:" /etc/passwd > newUser.tmp
/usr/share/openldap/migration/migrate_passwd.pl ./newUser.tmp > ./newUser.ldif
# directory_manager_password stands for the Directory Manager password
/usr/lib/dirsrv/slapd-seagoon/ldif2ldap "cn=Directory Manager" directory_manager_password ./newUser.ldif
#
# Now add the User password
#
/usr/bin/smbpasswd -a "$1"
#
# Clean up time
#
rm ./newUser.tmp
rm ./newUser.ldif

And then I did the same for adding machines

#!/bin/bash
#
# script to add a machine account to LDAP
# usage: ldap_machine_add.sh <hostname>   (the trailing $ is appended here)
#
[ -n "$1" ] || { echo "usage: $0 hostname" >&2; exit 1; }
/usr/sbin/useradd -n -c "Workstation ($1\$)" -M -d /nohome -s /bin/false "$1\$"
# match the whole machine account name, including the trailing $
grep "^$1[$]:" /etc/passwd > newMachine.tmp
/usr/share/openldap/migration/migrate_passwd.pl ./newMachine.tmp > ./newMachine.ldif
# directory_manager_password stands for the Directory Manager password
/usr/lib/dirsrv/slapd-seagoon/ldif2ldap "cn=Directory Manager" directory_manager_password ./newMachine.ldif
#
# Now add the machine password
#
/usr/bin/smbpasswd -a -m "$1\$"
#
# Clean up time
#
rm ./newMachine.tmp
rm ./newMachine.ldif

The last little bit is to join the domain controller to the domain. You do this by creating a machine account for the domain controller and then simply joining the domain. You also need to start the Samba services, so we will do that here. We will also add root to the password database.

$ service nmb start
$ service smb start
$ ./ldap_machine_add.sh seagoon
$ smbpasswd -a root
$ net join home
$ net rpc testjoin

And that's all folks. You are now the proud possessor of a Linux Domain Controller using Samba and a Fedora Directory Server backend.

The real last step is to make sure that all the services are set to restart after a reboot (nmb, smb, dirsrv, dirsrv-admin, httpd), and to reboot it and ensure that everything works once more. So reboot and test like this:

$ net rpc testjoin
$ fedora-idm-console
$ net groupmap list
$ wbinfo -u
$ wbinfo -t
$ wbinfo -g
$ fedora-idm-console

So now we have a Domain Controller for my local domain "home". For it to be of any use we had better add some users and some workstations. Adding users is simple: just use the shell script.

$ ./ldap_user_add.sh user1

If I was doing hundreds of users I would take the trouble to create a script to make life easier. There is a migration script that will extract all users from the passwd file, but you will need to write something to take care of the passwords. As you can see, my expertise is not in scripting, so I just created what worked for me.

Last edited by barry905; 7th January 2010 at 12:06 AM.
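Two steps in this part are easy to get subtly wrong: the user-add script selects the passwd line with a substring grep (`user1` also matches `user10`) and passes an unvalidated name straight to useradd, and the pdbedit step must hand over the domain SID and the RID 500 as a single token. The code below is an added example, not the post's ldap_user_add.sh: it does an exact passwd lookup, validates the name first, emits the posixAccount LDIF that migrate_passwd.pl would, and forms the Administrator SID from `net getlocalsid` output. PASSWD_SAMPLE and GETLOCALSID_SAMPLE are constructed (the SID value is the one shown in the post); the base DN and OU follow the post's smb.conf.

```python
"""Exact passwd lookup, LDIF generation and Administrator SID for part 2.

Added example; not code from the post. The passwd and getlocalsid samples
are constructed; dc=home / ou=People follow the post's smb.conf.
"""
import re

# Constructed /etc/passwd excerpt. 'user1' and 'user10' are both present so a
# substring match would return two lines.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
user1:x:2600:2513:Test User One:/home/user1:/bin/bash
user10:x:2610:2513:Test User Ten:/home/user10:/bin/bash
eccles$:x:2700:2515:Workstation (eccles$):/nohome:/bin/false
"""

# Constructed `net getlocalsid` output, using the SID value shown in the post.
GETLOCALSID_SAMPLE = "SID for domain SEAGOON is: S-1-5-21-572043478-4085498504-1707095083\n"

# POSIX-style account name, with an optional trailing '$' for machine accounts.
_NAME_RE = re.compile(r"[a-z_][a-z0-9_.-]{0,31}\$?")
_SID_RE = re.compile(r"is:\s*(S-1-5-21-\d+-\d+-\d+)\s*$")


def is_safe_account_name(name):
    """True if `name` is a plain account name that can go on a command line."""
    return _NAME_RE.fullmatch(name) is not None


def find_passwd_entry(passwd_text, name):
    """Return the seven passwd fields for exactly `name`, or None."""
    if not is_safe_account_name(name):
        raise ValueError(f"refusing unsafe account name {name!r}")
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[0] == name:   # whole-field match
            return fields
    return None


def passwd_to_ldif(fields, base="dc=home", people_ou="ou=People"):
    """Emit a posixAccount entry in the shape migrate_passwd.pl produces
    (simplified: shadow attributes are omitted)."""
    name, _, uid, gid, gecos, home, shell = fields
    cn = gecos.split(",")[0].strip() or name
    sn = cn.split()[-1]
    lines = [
        f"dn: uid={name},{people_ou},{base}",
        f"uid: {name}",
        f"cn: {cn}",
        f"sn: {sn}",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        "objectClass: top",
        f"loginShell: {shell}",
        f"uidNumber: {uid}",
        f"gidNumber: {gid}",
        f"homeDirectory: {home}",
        f"gecos: {gecos}",
    ]
    return "\n".join(lines) + "\n"


def account_sid(getlocalsid_output, rid=500):
    """Combine the domain SID with a RID into one token, e.g. S-1-5-21-...-500.
    This is the value the post's `pdbedit -U` argument must receive whole."""
    m = _SID_RE.search(getlocalsid_output.strip())
    if not m:
        raise ValueError("unexpected net getlocalsid output")
    return f"{m.group(1)}-{rid}"


if __name__ == "__main__":
    print(passwd_to_ldif(find_passwd_entry(PASSWD_SAMPLE, "user1")))
    print(account_sid(GETLOCALSID_SAMPLE))
```

The LDIF can be fed to ldif2ldap exactly as the post's script does; the SID string is what must arrive at pdbedit as one argument, which is why a space between the `$( ... )` substitution and `-500` breaks the command.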
#3  18th March 2008, 05:08 AM  barry905
Part 3 - Adding Workstations

My workstations come in two flavours: Windows XP and Linux. To add an XP machine, just do the following:

Create a machine account for the workstation

$ ./ldap_machine_add.sh eccles

Then manually edit the FDS record by putting it into the Domain Computers container and adding an NT account. On the workstation, just change domains in the usual way. I found that, when prompted, the Administrator account worked just fine so I used that. After rebooting my first logon was as "root" on the domain, after which everything works fine.

Adding a Linux workstation is a little more complicated.

Again, the first thing to do is to add the machine account exactly as above. Then logon as root and edit smb.conf to look something like:

[global]

workgroup = home
netbios name = minnie
server string = minnie workstation


interfaces = lo eth0 192.168.1.150/24
hosts allow = 127. 192.168.1.

log file = /var/log/samba/log.%m
max log size = 50
security = domain
password server = seagoon
encrypt passwords = yes
idmap uid = 15000-20000
idmap gid = 15000-20000
wins server = 192.168.1.2

local master = no
domain master = no
domain logons = no

os level = 33
preferred master = no
case sensitive = no

winbind use default domain = yes
dns proxy = yes

load printers = yes
cups options = raw

# Winbind options

winbind uid = 10000-20000
winbind gid = 10000-20000
winbind enum users = yes
winbind enum groups = yes


# Share Definitions

[homes]
comment = Home Directories
browseable = no
writable = yes

[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

Now join the domain

$ net join home

You will also need to change another three files in the /etc/pam.d directory. You need to add the line

session required pam_mkhomedir.so skel=/etc/skel mask=0077

to the end of these files:
/etc/pam.d/gdm
/etc/pam.d/sshd

and then add it as the next-to-last line in
/etc/pam.d/login

Finally, you need to create the container directory for these home directories

$ mkdir /home/HOME
$ chmod 755 /home/HOME

And that is it. Time for drinks.......
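The PDC file in Part 2 and the workstation file here differ in a handful of role-specific settings, and smb.conf accepts almost anything without complaint (testparm reports syntax, not intent). The checker below is an added example covering both configurations; it is not code from the post. It parses smb.conf the way Samba reads it (parameter names compared without case or spaces), decides the role from `domain logons` and `security`, and flags two easy mistakes: a `hosts allow` entry such as `192.168.1` with no trailing dot, which Samba compares as a whole host name or address so that no client in that subnet ever matches, and shares that guests can write to. Both samples are constructed from the post's configurations.

```python
"""Role sanity checks for a Samba 3 smb.conf (PDC in part 2, member in part 3).

Added example; not code from the post. PDC_SAMPLE and MEMBER_SAMPLE are
constructed from the configurations the post shows.
"""
import re

PDC_SAMPLE = """\
[global]
   workgroup = home
   security = user
   passdb backend = ldapsam:ldap://192.168.1.2/
   ldap admin dn = cn=Directory Manager
   domain master = yes
   domain logons = yes
   hosts allow = 127. 192.168.1.
[homes]
   browseable = no
   writeable = yes
   valid users = %S
[printers]
   guest ok = yes
   writeable = no
   printable = yes
[utils]
   path = /more_data/utils
   writeable = yes
   guest ok = yes
[downloads]
   path = /more_data/downloads
   writeable = yes
   guest ok = yes
"""

MEMBER_SAMPLE = """\
[global]
   workgroup = home
   security = domain
   password server = seagoon
   wins server = 192.168.1.2
   domain master = no
   domain logons = no
   hosts allow = 127. 192.168.1
[homes]
   browseable = no
   writable = yes
"""


def parse_smb_conf(text):
    """Return {section: {normalised parameter: value}}; names are lower-cased
    with spaces removed, which is how Samba matches them."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section]["".join(key.lower().split())] = value.strip()
    return conf


def _yes(value):
    return value.strip().lower() in ("yes", "true", "1")


def _writeable(params):
    """'read only' wins when present; 'writeable'/'writable' are its inverse."""
    if "readonly" in params:
        return not _yes(params["readonly"])
    return _yes(params.get("writeable", params.get("writable", "no")))


def check_role(conf):
    """Return a list of findings; an empty list means nothing to report."""
    g = conf.get("global", {})
    findings = []
    if _yes(g.get("domainlogons", "no")):                       # acting as PDC
        if g.get("security", "user").lower() != "user":
            findings.append("PDC must use security = user")
        if not _yes(g.get("domainmaster", "no")):
            findings.append("PDC should set domain master = yes")
        if g.get("passdbbackend", "").startswith("ldapsam") and "ldapadmindn" not in g:
            findings.append("ldapsam backend needs ldap admin dn")
    else:                                                       # domain member
        if g.get("security", "").lower() not in ("domain", "ads"):
            findings.append("domain member must use security = domain (or ads)")
        if _yes(g.get("domainmaster", "no")):
            findings.append("domain member must not claim domain master")
    for entry in g.get("hostsallow", "").replace(",", " ").split():
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){0,2}", entry):     # 1-3 octets, no dot
            findings.append(f"hosts allow entry '{entry}' lacks a trailing dot and never matches a client")
    for name, params in conf.items():
        if name != "global" and _yes(params.get("guestok", "no")) and _writeable(params):
            findings.append(f"share [{name}] is writeable by guests")
    return findings


if __name__ == "__main__":
    for label, sample in (("PDC", PDC_SAMPLE), ("member", MEMBER_SAMPLE)):
        print(label, check_role(parse_smb_conf(sample)))
```

On the samples it flags the guest-writeable `[utils]` and `[downloads]` shares on the PDC and the `192.168.1` entry on the workstation; adding the trailing dot clears the member report. The guest-share finding is informational: those shares are what the post intends, but on a domain controller they are worth a deliberate decision rather than a default.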
#4  24th April 2008, 07:25 AM  lau_swat
Hello, I have a problem: after I add the Administrator to FDS and I try to create the Samba Administrator account with "smbpasswd -a Administrator" it says "Failed to modify password entry for user Administrator". If I execute the command to modify the account to use the correct Samba SID "pdbedit -U $(...)" it says that the username could not be found! But if I add a user in Linux with useradd username, and add a smbpasswd -a username, it automatically creates an entry in FDS for that user. Could you please enlighten me, because I am in a total mist.

Regards, Laurentiu
#5  24th April 2008, 07:32 AM  lau_swat
Here is my smb.conf:

[global]
workgroup = MIDEARTH
server string = test pdc
#interfaces = 192.168.1.140/255.255.255.0
map to guest = Bad User
password server = localhost
passdb backend = ldapsam:ldap://localhost:389/
username map = /etc/samba/smbusers
client NTLMv2 auth = Yes
client lanman auth = No
client plaintext auth = No
log level = 1
max log size = 50
name resolve order = wins lmhosts bcast
time server = Yes
deadtime = 10
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
#cups server = 127.0.0.1
#add user script = /opt/IDEALX/sbin/smbldap-useradd -a -m "%u"
#delete user script = /opt/IDEALX/sbin/smbldap-userdel "%u"
#add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g"
#delete group script = /opt/IDEALX/sbin/smbldap-groupdel "%g"
#add user to group script = /opt/IDEALX/sbin/smbldap-groupmod -m "%u" "%g"
#delete user from group script = /opt/IDEALX/sbin/smbldap-groupmod -x "%u" "%g"
#set primary group script = /opt/IDEALX/sbin/smbldap-usermod -g
#add machine script = /opt/IDEALX/sbin/smbldap-useradd -w "%u"

################################################## #############
add user script = /usr/sbin/useradd "%u" -n -g users
add group script = /usr/sbin/groupadd "%g"
add machine script = /usr/sbin/useradd -w "Workstation (%u)" "%u"
delete user script = /usr/sbin/userdel "%u"
delete user from group script = /usr/sbin/userdel "%u" "%g"
delete group script = /usr/sbin/groupdel "%g"





logon path = \\server\Profiles\%U
domain logons = Yes
os level = 255
lm announce = Yes
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap admin dn = cn=Manager
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap suffix = dc=example,dc=com
ldap ssl = no
ldap user suffix = ou=Users
host msdfs = Yes
idmap backend = ldap:ldap://127.0.0.1:389
idmap uid = 500-10000
idmap gid = 500-10000
template shell = /bin/bash
winbind enum groups = No
winbind trusted domains only = Yes
admin users = @Administrators, '@Domain, Admins'
# printer admin = '@Print, Operators'
#hosts allow = 192.168.1., 192.168.100., 192.168.200., 127., 10., 192.168.0.
hosts allow = 127. 192.168.1.
ea support = Yes
map acl inherit = Yes
block size = 4096
#cups options = raw
case sensitive = No
preserve case = No
veto files = /*.mp3/*.mpg/*.avi/*.mpeg/*.divx/
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd

[homes]
comment = Home Directories
read only = No
browseable = No

[netlogon]
comment = Network Logon Service
path = /home/netlogon
guest ok = Yes
browseable = No
share modes = No

[profiles]
comment = windows profiles
path = /home/profiles
read only = No
create mask = 0600
directory mask = 0700
guest ok = Yes
browseable = No


And the output of my pdbedit command:

[root@server samba]# pdbedit -U $( net getlocalsid | sed 's/SID for domain MIDEARTH is: //' )-500 -u Administrator -r -d 4

lp_load: refreshing parameters
Initialising global parameters
params.cm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter workgroup = MIDEARTH
doing parameter server string = test pdc
doing parameter map to guest = Bad User
doing parameter password server = localhost
doing parameter passdb backend = ldapsam:ldap://localhost:389/
doing parameter username map = /etc/samba/smbusers
doing parameter client NTLMv2 auth = Yes
doing parameter client lanman auth = No
doing parameter client plaintext auth = No
doing parameter log level = 1
doing parameter max log size = 50
doing parameter name resolve order = wins lmhosts bcast
doing parameter time server = Yes
doing parameter deadtime = 10
doing parameter socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
doing parameter add user script = /usr/sbin/useradd "%u" -n -g users
doing parameter add group script = /usr/sbin/groupadd "%g"
doing parameter add machine script = /usr/sbin/useradd -w "Workstation (%u)" "%u"
doing parameter delete user script = /usr/sbin/userdel "%u"
doing parameter delete user from group script = /usr/sbin/userdel "%u" "%g"
doing parameter delete group script = /usr/sbin/groupdel "%g"
doing parameter logon path = \\server\Profiles\%U
doing parameter domain logons = Yes
doing parameter os level = 255
doing parameter lm announce = Yes
doing parameter preferred master = Yes
doing parameter domain master = Yes
doing parameter dns proxy = No
doing parameter wins support = Yes
doing parameter ldap admin dn = cn=Manager
doing parameter ldap delete dn = Yes
doing parameter ldap group suffix = ou=Groups
doing parameter ldap idmap suffix = ou=Idmap
doing parameter ldap machine suffix = ou=Computers
doing parameter ldap passwd sync = Yes
doing parameter ldap suffix = dc=example,dc=com
doing parameter ldap ssl = no
doing parameter ldap user suffix = ou=Users
doing parameter host msdfs = Yes
doing parameter idmap backend = ldap:ldap://127.0.0.1:389
doing parameter idmap uid = 500-10000
doing parameter idmap gid = 500-10000
doing parameter template shell = /bin/bash
doing parameter winbind enum groups = No
doing parameter winbind trusted domains only = Yes
doing parameter admin users = @Administrators, '@Domain, Admins'
doing parameter hosts allow = 127. 192.168.1.
doing parameter ea support = Yes
doing parameter map acl inherit = Yes
doing parameter block size = 4096
doing parameter case sensitive = No
doing parameter preserve case = No
doing parameter veto files = /*.mp3/*.mpg/*.avi/*.mpeg/*.divx/
doing parameter dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
pm_process() returned Yes
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MIDEARTH))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
The LDAP server is succesfully connected
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MIDEARTH))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
The LDAP server is succesfully connected
ldapsam_getsampwnam: Unable to locate user [Administrator] count=0
Username not found!


I followed the steps from your HowTo and from: http://directory.fedoraproject.org/w...a#Requirements
#6  25th April 2008, 04:33 AM  barry905
First of all, have you opened the FDS console and checked to make sure that the Administrator account exists there? You should find it if you open the directory server, then the Directory tab, and then it should be under "People".

Having checked that come out of the console and just verify that you can access the account through ldapsearch. The syntax may vary depending on which version you are using: mine used the line '/usr/lib/mozldap/ldapsearch -b MIDEARTH -x '(uid=Administrator)'.

Let me know how you get on.
#7  28th April 2008, 06:08 PM  redcap
I've been following through this how-to as well and cannot get my console up. When I type in the Fedora-idm-console command i get a login window that wants a url. When I enter the ip for my server I get a message that the user id or password is incorrect or there is a directory problem. I know the dirsrv and httpd services are running however. You do use the admin account you created during the fds setup, right?

Last edited by redcap; 28th April 2008 at 10:46 PM.
#8  29th April 2008, 06:33 AM  barry905
If you read through the log file created when you installed FDS it will tell you what the url you need is. It should be something along the lines of http://seagoon.home:9830/, and the username is, as you guessed, "admin"
#9  29th April 2008, 05:02 PM  redcap
Right, sorry. I'm still fairly new to linux. the setup .inf pointed me to a url similar to the one you gave except it wants to use the 389 port instead of the 9830(using the 9830 port returns a url incorrect or server not running message). This however returns a java.io.EOFException: Connection lost message. My java re is the icedtea 1.7 which according to the fedora project pages should work with the console in fedora 8. Any ideas would be appreciated.
#10  30th April 2008, 04:02 AM  barry905
First of all, your java release is good (I know, because it's the one I use). I wonder though whether FDS is started. Can you check that both the Directory Server and the Admin Server are running (the DIRSRV and DIRSRV-ADMIN services)? Can you make sure these services are running and try again. Let me know what happens.
#11  30th April 2008, 12:39 PM  lau_swat
Hello again, I use Fedora DS 1.0.4, after issuing these steps:
Lets create a Samba Administrator account with an RID of 500. Create a file /tmp/sambaAdmin with the following :

Administrator:x:0:0:Samba Admin:/root:/bin/bash

and:
/opt/fedora-ds/slapd-<server>/ldif2ldap "cn=Directory manager" password /tmp/sambaAdmin.ldif

the Administrator account was added properly in the directory server at ou=People, but when I enter: pdbedit -U $( net getlocalsid | sed 's/SID for domain YOURWORKGROUP is: //' )-500 -u Administrator -r, it says Username could not be found!

I also tried to use the fdstools but they are not working very well because it allows me to add a workstation, but I cannot add users.

I tried to use your scripts to add users and machines but I get the following:


[root@server tmp]# ./ldap_user_add.sh workstation1

./newUser.ldif: No such file or directory
New SMB password:
Retype new SMB password:
ldapsam_add_sam_account: failed to modify/add user with uid = workstation1 (dn = uid=workstation1,ou=Users,dc=example,dc=com)
Failed to add entry for user workstation1.
Failed to modify password entry for user workstation1

and for the users:

[root@server tmp]# ./ldap_user_add.sh laurentiu.leitan

./newUser.ldif: No such file or directory
New SMB password:
Retype new SMB password:
ldapsam_add_sam_account: failed to modify/add user with uid = laurentiu.leitan (dn = uid=laurentiu.leitan,ou=Users,dc=example,dc=com)
Failed to add entry for user laurentiu.leitan.
Failed to modify password entry for user laurentiu.leitan

Regards, Laurentiu
#12  1st May 2008, 04:11 PM  redcap
Both of these services are running. The error message is still the same. I did notice a service called LDAP that is not running. Is this necessary for FDS or did it come with the open LDAP stuff?

Last edited by redcap; 1st May 2008 at 04:16 PM.
#13  2nd May 2008, 04:16 AM  barry905
to both of you I offer the following encouragement: although this howto looks fairly straight-forward (and it does work) it was the result of a number of attempts by me to get the **** thing working. At times the only thing that kept me going was a mixture of sheer pigheadedness and bloodymindedness. I must have reinstalled the whole system about 10 times. I couldn't tell you what, if any, was the difference between each - I thought there was none. So persevere.

To Laurentiu:

First of all, you might want to consider upgrading to the latest release of FDS unless you have some good reason for using the 1.0.4 release. Secondly, check the existence of the Administrator account by using both "ldapsearch -x -Z '(uid=Administrator)' " and "pdbedit -v -u Administrator". If they both give roughly the same results then everything is ok, but if not it should isolate the problem for you. ldapsearch will check the ldap directory for the user, and pdbedit checks the samba user database for you.

You may also want to try a clean install and see if you are still having problems.

Good luck.

To redcap:

You imply that you have installed openLDAP on your system. I'm wondering if this is causing some confusion to samba. Try copying the migration tools (which is all you need from openLDAP) to another directory and delete the package. Then try again.

And good luck to you too.
#14  2nd May 2008, 10:44 PM  redcap
Yeah, I'm on my fifth install
OpenLDAP is installed on my distro of Fedora 8 (standard distro I had thought?) by default and the whole thing crashes due to init scripts if it is uninstalled (network manager and 7 other packages are also uninstalled as dependencies along with it) and will not reboot. Is this not the case with your distro? If not where did you get it? As for it confusing samba, I haven't even configured samba yet (on this install).

I also noticed in part one of your how to the line that reads: "Apache http server. A"
Is there more to do then install and start the httpd service to bring up the console?

Like I said I'm new to linux, and I'm sure at least one of these questions is stupid, so thanks for overlooking that in advance.

Last edited by redcap; 2nd May 2008 at 10:49 PM.
#15  3rd May 2008, 05:34 AM  barry905
Having checked, I find that my distro does have openldap on it, but I didn't install it. It also has the fds base package, but I didn't install that either. When I did my install I chose to configure my packages prior to install, and I did not select the "Network Servers" option under the "Servers" section.

So you could try that - time for the sixth install!!!!

The line that you quoted was in fact a typo, and so I've edited it to read "Apache web server 2.2.8-1". And it only needs to be installed and started.

There are no such things as stupid questions, only stupid answers. So keep persevering and keep the questions coming.

Good luck.