Talk:OES as PDC
Have any questions or comments about creating an eDirectory-enabled Primary Domain Controller? Want something clarified? Post here and I'll try to answer them.
SMB.conf Security Settings
Answer: All smb.conf values not specified should be left at their OES defaults. OES's default for security is security = user, so you are correct. I'll add a note to the main page.
--Justin Grote - Network Architect - JWG Networks 13:50, 26 April 2006 (MDT)
Setting Admin UID with iManager
- What is the message you get about iManager not being able to assign UID 0?
- Did you substitute your admin password for Adm1nPW?
- Are you running OES SP2? You need the version of Samba that comes with it, OES SP1 or earlier will NOT work.
- Did you make sure that the LDAPsearch mentioned in the article returned a SambaGroupIDNumber of 512?
- Is your Admin user LUM and Samba enabled?
- To give Admin a UID number of 0 (you shouldn't have to do this), you should go to the "Modify Object" tab of eDirectory Administration in iManager, select the user, go to the "Other" tab, and change the uidNumber to 0 (it should be in the neighborhood of 600 or so).
Reply: Solved after Samba-enabling the user. The article doesn't say to Samba-enable the admin. =)
Using eDirectory Groups in the PDC
Answer: Yes, absolutely. Just use the net groupmap command to map each LUM-enabled group to a Samba group; just don't include the "rid" option, as the RID of these groups doesn't have to be special and should be autogenerated.
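As an added illustration of the answer above (example script, not part of the original page or of OES), this POSIX shell snippet parses the output of `net groupmap list` to find which LUM-enabled groups still lack a Samba mapping and emits a `net groupmap add` line for each without a rid= option, so the RID is autogenerated. The group names and the groupmap listing are constructed sample data; the script only prints the commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example: report LUM groups that have no Samba group mapping yet and
# build the `net groupmap add` command for each (no rid=, RID autogenerated).

# Constructed sample of `net groupmap list` output, format:
# "<NT group> (<SID>) -> <unix group>".
GROUPMAP_SAMPLE='Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> domadmins
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> domusers'

# Constructed list of LUM-enabled eDirectory groups: "<unix group>:<NT group name>".
LUM_GROUPS='domadmins:Domain Admins
domusers:Domain Users
finance:Finance
helpdesk:Helpdesk'

# unmapped_groups <groupmap-list-output> <lum-groups>
# Prints, one per line, the unix groups from $2 that are not the target of
# any mapping in $1.
unmapped_groups() {
    mapped=$(printf '%s\n' "$1" | sed -n 's/.*) -> //p')
    printf '%s\n' "$2" | while IFS=: read -r unixgrp ntgrp; do
        [ -n "$unixgrp" ] || continue
        if ! printf '%s\n' "$mapped" | grep -qx -- "$unixgrp"; then
            printf '%s\n' "$unixgrp"
        fi
    done
}

# add_commands <groupmap-list-output> <lum-groups>
# Emits one `net groupmap add` line per unmapped group. type=domain makes it
# a domain group; rid= is deliberately omitted so Samba picks the next RID.
add_commands() {
    for unixgrp in $(unmapped_groups "$1" "$2"); do
        ntgrp=$(printf '%s\n' "$2" | awk -F: -v g="$unixgrp" '$1==g{print $2}')
        printf 'net groupmap add ntgroup="%s" unixgroup=%s type=domain\n' "$ntgrp" "$unixgrp"
    done
}

# Dry run by default; set APPLY=1 on the OES server to execute the commands.
add_commands "$GROUPMAP_SAMPLE" "$LUM_GROUPS" | while read -r cmd; do
    if [ "${APPLY:-0}" = 1 ]; then eval "$cmd"; else echo "$cmd"; fi
done
```

On a live server, replace GROUPMAP_SAMPLE with `"$(net groupmap list)"` and LUM_GROUPS with your own group list.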
SambaDomain not updating correctly if Hostname and Domain are the same
Answer: Don't name your domain the same as the hostname.
It might be that it is connected to something else as well, as I have completely reconstructed the Samba entries in eDirectory.
Problem when adding Admin to primary group 'Domain Admins'
When I tried to enable Admin for Linux, it was not possible for me to assign him the group 'Domain Admins' as primary group. The reason: Admin was already Linux-enabled with the primary group 'admingroup' and it was not possible for me to remove this. So 'Domain Admins' was only a secondary group of Admin, and this was not enough (it was not possible to grant SeMachineAccountPrivilege to Admin). Also, Admin had a wrong sambaPrimaryGroupSID from some earlier tests, and I couldn't find out how to remove this. Is it possible to remove a wrong LUM and Samba configuration from an existing user?
My solution: I created a Samba admin user with Supervisor rights to the tree, enabled this user for Linux and Samba, changed the Samba LDAP admin in smb.conf to this user, and added the password to secrets.tdb with 'smbpasswd -w <pwd>'.
Now it works for me, I am able to add computers to the domain and I can log on to the domain.
NTLM using Novell eDirectory
I have installed Novell eDirectory on my Win2000 server, which is part of a domain. Prior to Novell I was using NTLM
with Active Directory Services. Now, instead of ADS, I want to use eDirectory. Can you please tell me how I have to configure NTLM to work with Novell Directory Services instead of ADS?
By default NTLM always checks for ADS. How do I configure NTLM to work with eDirectory?
Windows Login Scripts
Your document has helped me quite a bit in setting up this system. I am wondering if you have any documentation to the effect of setting up Windows Login scripts in this environment. Can it be done and if so how?
Thanks in advance.
Answer: Since the information is pulled directly from eDirectory every time, there is no sync involved, so you should just be able to use the same process multiple times to set up multiple PDCs in different locations, which I have done successfully. As far as two servers on the same subnet, I'm not quite sure how to go about that one. -Justin Grote
Current Status of PDC/BDC with OES2
Answer: Domain Services for Windows is the official implementation of an Active Directory emulator in OES2. This solution is one I developed a while ago and is unsupported by Novell but does work. -Justin Grote
Upgrading to OES2
If you can wait until OES2 SP1, I would recommend going with Domain Services for Windows as that will be fully supported by Novell. However, if you can wait, you can follow this unsupported procedure.
Does this work with OES2?
There is some new functionality in OES2 that incorporates some of the stuff I laid out here, but for the most part, it is that Novell won't support it until Domain Services for Windows with SP1. So while the technology supports it, Novell may not support you if you have to call them for help. I think that's where the confusion arises.
Usage in Production
JGrote - Yes, I have implemented this for several clients, and they have multiple applications that they were told "require Active Directory" using it for authentication just fine.
Passwords become expired when restarting Samba
I have an issue where users get prompted on first logon to change their password, saying it is expired.
Once they change it all is well, until I restart the Samba daemon; then they get prompted again.
I have found that if I run "pdbedit --pwd-must-change-time="2010-01-01" username" that stops it occurring (until 2010), but as these accounts are flagged X their password should never expire anyhow. It would seem an expiry date must be set, even if it is going to be ignored!
How can I stop Samba from saying the "Windows" password is expired when it isn't?
I am running OES2, and as the workstations run the Novell Client I can enforce my password changes at that level.
So close !!!!
SAMBA + UNIVERSAL PASSWORD
Hi, great article!
The PDC is working fine, but I have some problems:
1- Samba is ignoring the eDirectory password. When I create a user with smbpasswd (I could not create the user with iManager; it returns the error "Cannot continue because we could not get the Samba Net Bios name.") with LUM enabled for that eDirectory user, the Universal Password does not work, only the smbpasswd one does. I have used the default policy created with iManager and enabled "Allow Admin to Retrieve Password".
2- So every time we need to create a new user, we must enable LUM and SMB for that user? Is there some way to make this a little more "automatic"? I tried making a LUM group and putting every new user in it, but if I don't put that group in LUM "again" through iManager, the new user is not recognized automatically by LUM.
iManager version 2.7.3, OES2 SP1, updated samba-3.0.32-0.8, Novell eDirectory 8.8 - 8.8 SP5