Talk:OES as PDC

From MicroFocusInternationalWiki
Jump to: navigation, search

Have any questions or comments about creating an eDirectory-enabled Primary Domain Controller? Want something clarified? Post here and I'll try to answer them.

--Justin Grote - JWG Networks 19:38, 13 April 2006 (MDT)

SMB.conf Security Settings

What are your security settings in smb.conf (security = user ?)
-B Sundqvist

Answer: All smb.conf values not specified should be left at their OES defaults. OES's default for security is security = user, so you are correct. I'll add a note to the main page.
--Justin Grote - Network Architect - JWG Networks 13:50, 26 April 2006 (MDT)

Setting Admin UID with iManager

I can't get "Successfully granted rights." message after "net -U Admin%Adm1nPW rpc rights grant Admin SeMachineAccountPrivilege".
I get no message and imanager can't assign UID 0 to admin user. Is there another way to assign UID=0 to admin user?


  • What is the message you get about iManager not being able to assign UID 0?
  • Did you substitute your admin password for Adm1nPW?
  • Are you running OES SP2? You need the version of Samba that comes with it, OES SP1 or earlier will NOT work.
  • Did you make sure that the LDAPsearch mentioned in the article returned a SambaGroupIDNumber of 512?
  • Is your Admin user LUM and Samba enabled?
  • To give Admin a UID number of 0 (you shouldn't have to do this), You should go to the "Modify Object" tab of eDirectory Administration in iManager, select the user, go to the "Other" tab, and change the uidNumber to 0 (it should be in the neighborhood of 600 or so)

--Justin Grote - Network Architect - JWG Networks 09:24, 10 May 2006 (MDT)

Reply: solved after samba enabling the user. the article doesn't say to samba enable the admin, =)

Yep, you're right. I added that, thanks for the note. --Justin Grote - Network Architect - JWG Networks 11:22, 10 May 2006 (MDT)

Using eDirectory Groups in the PDC

Is it ok to groupmap other LUM enabled groups to see them when creating policies?
I am trying to use nitrobit group policy to create group policies but can't see other groups then Domain Admins, Domain Guests etc. which we have enabled before.

Answer: Yes, absolutely. Just use the net groupmap command to map each LUM-enabled Group to a Samba group, just don't include the "rid" option, as the rid of these groups doesn't have to be special and should be autogenerated.

--Justin Grote - Network Architect - JWG Networks 07:54, 18 May 2006 (MDT)

SambaDomain not updating correctly if Hostname and Domain are the same

When I try 'net getlocalsid' I get the following error:

Adding domain info for WAYS failed with NT_STATUS_UNSUCCESSFUL SID for domain GWAYS-W is: S-1-5-21-2818485225-3817732705-1415268070

The log files indicate that the SambaDomainName has already an entry.

Answer: Don't name your domain the same as the hostname.. It might be that it is connected to something else as well as I have completely reconstructed the samba entries in edir.

Response: I'll add a note to the article.
--Justin Grote - Network Architect - JWG Networks 19:52, 14 June 2006 (MDT)

Problem when adding Admin to primary group 'Domain Admins'


when I tried to enable Admin for linux, it was not possible for me to assign him the group 'Domain Admins' as primary group. The reason: Admin was already linux enabled with the primary group 'admingroup' and it was not possible for me to remove this. So 'Domain Admins' was only a secondary group of Admin, and this was not enough (it was not possible to grant SeMachineAccountPrivilege to Admin). Also Admin had from some earlier tests a wrong sambaPrimaryGroupSID, and I couldn't find out how to remove this. Is it possible to remove a wrong LUM- and Samba-Configuration from an existing user?

My solution: I created a Samba-Admin with Supervisor-Rights to the tree, enabled this user for Linux and Samba, changed the samba ldap admin in smb.conf to this user, and added the password with 'smbpasswd -w <pwd>' to secrets.tdb.

Now it works for me, I am able to add computers to the domain and I can log on to the domain.


Erhard Gruber

NTLM using Novell edirecotry


      I have installed novell edirectory in my win2000 server which is part of a domain.Prior to novell i was using NTLM

with Active directory services.Now instead of ADS i want to use edirectory.Can you please tell me how i have to configure the NTLM to work with Novell directory services instead of ADS.

By default NTLM always checks for the ADS.How to configure the NTLM to work with edirectory?

Thanks, Jai

Windows Login Scripts

Your document has helped me quite a bit in setting up this system. I am wondering if you have any documentation to the effect of setting up Windows Login scripts in this environment. Can it be done and if so how?

Thanks in Advance

BDC Failover

Is there a similar suggestion on how to implement a samba BDC for failover and/or load balancing?
Something like but presumably with eDirectory rather than plain openLDAP maintining the directory sync between master and slave servers.
-D Tilroe

Answer: Since the information is pulled directly from eDirectory every time, there is no sync involved, so you should just be able to use the same process multiple times to set up multiple PDCs in different locations, which I have done successfully. As far as two servers on the same subnet, I'm not quite sure how to go about that one. -Justin Grote

Current Stutus of PDC/BDC with OES2

With OES2 is the streamlining and mainstreaming of this capability (perhaps with the aforementioned BDC feature) what is meant by "Domain Services for Windows"?
-D Tilroe

Answer: Domain Services for Windows is the official implementation of an Active Directory emulator in OES2. This solution is one I developed a while ago and is unsupported by Novell but does work. -Justin Grote

Upgrading to OES2

I'll try to migrate to OES2 from OES sp2 and I am planning to make a clean install instead of an upgrade. Do you have any suggestions about PDC?

If you can wait until OES2 SP1, I would recommend going with Domain Services for Windows as that will be fully supported by Novell. However, if you can wait, you can follow this unsupported procedure.

Does this work with OES2?

OES2 SAMBA works as an NT4 style domain or not?
Curious because I have read conflicting information. "Samba version 3 also includes support for NT-style domain authentication. In a non-OES environment, the Linux server running Samba can be configured as a domain controller." "OES 2 Linux does not support Samba running in NT 4 domain mode as either a primary or backup domain controller."

But in contradiction to this... Novell Samba provides Windows (CIFS and HTTP-WebDAV) access to files stored on an OES Linux server's file system. It can also serve as a Windows NT-style Domain Controller to allow Windows computers to join the domain and access the server using an eDirectory username and password.

Has anyone found out which is correct?

There is some new functionality in OES2 that incorporates some of the stuff I laid out here, but for the most part, it is that Novell won't support it until Domain Services for Windows with SP1. So while the technology supports it, Novell may not support you if you have to call them for help. I think that's where the confusion arises.

Usage in Production

Is anyone using this setup in a production environment?

JGrote- Yes, I have implemented this for several clients and they have multiple applications that they were told "require Active Directory" using it for authentication just ifne.

Password's become expired when restarting Samba

How to stop Samba passwords being expired ?


I have an issue where user's get prompted on first logon to change their password saying it is expired.

Once they change it all is well - until I restart the Samba daemon, then the get prompted again.

I have found that if I "pdbedit --pwd-must-change-time="2010-01-01" username" that stops it occuring (until 2010) but as these accounts are flagged X they password should never expire anyhow. It would seem an expiry date must be set - even if it is going to be ignored !

How can I stop Samba from saying the "Windows" password is expired when it isn't ?

I am running OES2, and as the workstations run the Novell Client I can enforce my password changes at that level.

So close !!!!


Hi, great article!

PDC is working fine, but i have some problems:

1- SAMBA it is ignoring the eDirectory password. When i create a user with smbpasswd (i could not create the user with iManager, returns the error: "Cannot continue because we could not get the Samba Net Bios name.") with lum enabled for that eDirectory user, the universal password do not works just only the smbpasswd. I have used the default policy created with iManager and enable the "Allow Admin to Retrieve Password".

2- So every time that we need to create a new user, we must enable the LUM and SMB for that user? There is some way to make this a little more "automatic". I try to make a LUM GROUP and put there every new user, but if i dont put "AGAIN" that group in LUM through iManager, the new user is not recognized automatically by the LUM


iManager version 2.7.3
OES2 SP1 updated
Novell eDirectory 8.8 - 8.8 SP5

Thanks Man!