[Samba] Join Machine to Domain
manuel.piessnegger at straumann.com
Mon Nov 17 14:27:08 GMT 2003
Hi,
I forgot to tell you that the samba password of
uid=Administrator,ou=Users,dc=tow,dc=net MUST be the same as the samba
password for root, because samba expects both the client user and the
server user to have the same password. After that the "username map"
option will work correctly.
Regards
Manuel Piessnegger
"Kent L. Nasveschuk" <kent at wareham.k12.ma.us>
14.11.2003 17:44
To: manuel.piessnegger at straumann.com
cc: Samba List Server <samba at lists.samba.org>
Subject: Re: [Samba] Join Machine to Domain
I appreciate your help on this. I still am having problems. Attached are
some of the pertinent configuration files.
I can log in with any account, so the connection and password to access the
ldap server work; I just can't join the domain. I get an error message: bad
passwd or unknown user. I added the username map, but root =
administrator still doesn't work.
# Administrator, Users, tow.net
dn: uid=Administrator,ou=Users,dc=tow,dc=net
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson
objectClass: sambaSAMAccount
objectClass: posixAccount
gidNumber: 0
uid: Administrator
uidNumber: 0
homeDirectory: /accounts/Administrator
sambaPwdLastSet: 1068814077
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 1068814077
sambaPwdMustChange: 2147483647
sambaHomePath: \\whs1\Administrator
sambaHomeDrive: H:
sambaProfilePath: \\whs1\profiles\
sambaLMPassword: E3B4E05BE6A182C9E13B8E8F6853DCAC
sambaNTPassword: F4858C7E53BB628AE91E00E9DB6CD467
sambaAcctFlags: [U ]
sambaSID: S-1-5-21-1129281578-1295143107-3311307472-1000
loginShell: /bin/bash
gecos: Netbios Domain Administrator
sambaPrimaryGroupSID: S-1-5-21-1129281578-1295143107-3311307472-1001
userPassword:: e1NNRDV9ZGpiNFo3ODQ3VFlKYWJYZEM5ZGRtSkFpMklzPQ==
smb.conf:
[global]
workgroup = WarehamPS
encrypt passwords = Yes
time server = Yes
socket options = TCP_NODELAY
security = user
logon script = netlogon.bat
writable = Yes
dns proxy = no
directory mask = 02770
preferred master = yes
netbios name = WHS1
server string = RedHat 8.0 LDAP Server
passdb backend = ldapsam
ldap passwd sync = Yes
passwd program = /usr/local/samba/bin/smbpasswd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
log file = /var/log/samba.%m
debug level = 2
max log size = 50
add user script = /usr/local/sbin/smbldap-useradd.pl %u
# delete user script = /usr/local/sbin/smbldap-useradd.pl
# add group script = /usr/local/sbin/smbldap-groupadd.pl
delete group script = /usr/local/sbin/smbldap-groupdel.pl
add machine script = /usr/local/samba/bin/smbpasswd -a -m %u
# add machine script = /usr/sbin/useradd -d /dev/null -g 502 -s /bin/false -M %u
logon script = netlogon.bat
logon path = \\%N\profiles\%g
logon drive = H:
logon home = \\%L\%U
domain logons = Yes
os level = 64
domain master = Yes
dns proxy = No
admin users = @domain_admins
# wins support = Yes
ldap suffix = dc=tow,dc=net
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap admin dn = cn=admin,dc=tow,dc=net
ldap ssl = no
username map = /usr/local/samba/private/smbusers
[homes]
comment = Home Directories
read only = no
browseable = no
writable = yes
path = %H
# valid users = %S
hide files = /.*/
[profiles]
path = /accounts/profiles
read only = no
create mask = 0600
directory mask = 0700
[netlogon]
comment = Netlogon share
path = /usr/local/samba/netlogon
locking = no
browseable = no
read only = yes
write list = @domain_admins
[staff]
comment = Staff common
path = /accounts/staff
read list = @staff @techstaff
write list = @staff @techstaff
[programs]
comment = Programs
path = /accounts/programs
[adm-pgms$]
comment = Admin Programs
path = /accounts/adm_pgms
read list = @techstaff
write list = @techstaff
[images$]
comment = Ghost image files
path = /accounts/images
write list = kent
read list = @techstaff
[printers]
comment = All Printers
path = /var/spool/samba
read only = Yes
printable = Yes
browseable = No
slapd.conf
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.4 2000/08/26 17:06:18 kurt Exp $
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema
database ldbm
suffix "dc=tow,dc=net"
rootdn "cn=admin,dc=tow,dc=net"
#rootpw {SSHA}WhTBLrgNGnKeZYgS0bT6TfIL2jKBbOnr
#password-hash {crypt}
directory /usr/local/var/openldap-data/wareham
schemacheck on
lastmod on
# Indices to maintain
#index objectClass eq
index objectClass,uid,uidNumber,gidNumber eq
#index cn,mail,surname,givenname eq,subinitial
index cn,sn,st pres,eq,sub
#access to dn=".*dc=tow,dc=net
# by self write
# by * read
#access to attrs=userPassword,sambaNTPassword,sambaLMPassword
# by self write
# by anonymous auth
# by * none
#access to *
# by * read
output of net groupmap list:
[root at whs1 root]# net groupmap list
domain_users (S-1-5-21-1129281578-1295143107-3311307472-513) -> dusers
domain_guests (S-1-5-21-1129281578-1295143107-3311307472-514) -> nobody
domain_admins (S-1-5-21-1129281578-1295143107-3311307472-512) -> root
administrators (S-1-5-32-544) -> 544
users (S-1-5-21-1129281578-1295143107-3311307472-545) -> users
guests (S-1-5-21-1129281578-1295143107-3311307472-546) -> 546
power_users (S-1-5-21-1129281578-1295143107-3311307472-547) -> 547
account_operators (S-1-5-32-548) -> 548
server_operators (S-1-5-32-549) -> sys
print_operators (S-1-5-32-550) -> lp
backup_operators (S-1-5-32-551) -> bin
replicator (S-1-5-21-1129281578-1295143107-3311307472-552) -> daemon
computers (S-1-5-21-1129281578-1295143107-3311307472-515) -> dcomputers
Enterprise Admins (S-1-5-21-1129281578-1295143107-3311307472-519) -> 519
students (S-1-5-21-1129281578-1295143107-3311307472-2011) -> students
staff (S-1-5-21-1129281578-1295143107-3311307472-2007) -> staff
techstaff (S-1-5-21-1129281578-1295143107-3311307472-2009) -> techstaff
[root at whs1 root]#
On Fri, 2003-11-14 at 11:18, manuel.piessnegger at straumann.com wrote:
>
>
> Hello,
>
> first, the ldap admin dn should be the same as the rootdn for the OpenLDAP
> server but must not be root.
>
> Important for joining machines into a domain is that you have already
> created a user in ldap for root (uid=0), that means posix and samba.
> After that you have to join the machine with user root and the samba
> password (not the posix password).
>
> This works when your samba server runs over the root account (root starts
> my samba daemon). If your samba server runs over a different user I think
> you have to choose this other samba admin account.
>
> Regards
>
> Manuel
>
>
>
>
>
> "Kent L. Nasveschuk" <kent at wareham.k12.ma.us>
> 13.11.2003 19:07
> To: manuel.piessnegger at straumann.com
> Subject: Re: [Samba] Join Machine to Domain
>
> I read your post today and was wondering if you were able to get your
> W2K machines to join your domain?
>
> I'm having the same problem. I can't get the machines to join the domain. I
> keep getting login failure: unknown username or bad password. My
> administrator account in LDAP is uidNumber=0 but it still fails. I know
> that the passwords work cause I can log in as administrator and see the
> home directory and other shared directories. Makes me think the
> administrative (root) account is not setup correctly between samba and
> ldap.
>
> Well, if you did get yours to work let me know how.
>
>
> --
> Kent L. Nasveschuk <kent at wareham.k12.ma.us>
>
--
Kent L. Nasveschuk <kent at wareham.k12.ma.us>