R: [Samba] Joining a Windows XP pc to Samba / LDAP domain
Andrea Lanza
andrea.lanza at frameweb.it
Sat Feb 16 10:25:42 GMT 2008
I tried exactly what you tried last week, and I was happy because everything
worked.
I followed a tutorial on SUSE, although I am using the 10.3 version.
What I did differently was NOT to start winbind, and NOT to create any groups in
Linux. What I did wrong the first time, and which gave me the problems I posted,
was that I didn't issue the
net getlocalsid command and used the tutorial's one... (no
comment, please..)
When I realized the error I had to go inside LDAP, using phpldapadmin, and
manually modify the value.
I didn't need to create the Windows XP account. When I had to join it, I
just gave the
root/administrator password and everything was fine: the computer account
was
created in the LDAP, and I can log on to the domain with an account I
created with smbldap-adduser.
Another thing: I created a new domain with a new LDAP backend.
I thought you were doing the same.
But what do you mean when you say you tried to join the domain from the PDC (point 12)?
PDC is the PDC of that domain... You don't have to join it.
When creating an account with smbldap-adduser, I specify -a and -m (and not
only -m as was suggested in the tutorial I followed).
HTH,
Andrea
p.s. the tutorial(s) I followed are:
References
http://en.opensuse.org/Howto_setup_SUSE_10.1_as_Samba_PDC
http://www.howtoforge.com/openldap-samba-domain-controller-ubuntu7.10
> -----Original Message-----
> From: samba-bounces+andrea.lanza=frameweb.it at lists.samba.org
> [mailto:samba-bounces+andrea.lanza=frameweb.it at lists.samba.org
> ] On behalf of Paul Furness
> Sent: Friday 15 February 2008 18.53
> To: Samba Mail List
> Subject: [Samba] Joining a Windows XP pc to Samba / LDAP domain
>
> Hi, guys,
>
> I'm trying to create a PDC using Samba with an LDAP backend.
> According to all the guides I read, this should be fairly
> easy really, but I've done nothing else for the last week and
> it still doesn't work the way the manual says it should! As
> far as I can see, everything is set up and working correctly
> right up to the point when I try and join a machine to the domain.
>
> I've posted some extracts of my config files, log files,
> errors and the versions of various things, below.
>
> I pretty much exactly followed the "Making Happy Users"
> chapter of the Samba guide.
> These are the steps I've gone through (in summary), starting
> with a clean build of linux on the server and WinXP on the
> client. It starts going wrong at step 8.
> Oh just for completeness, both the new domain controller and
> the windows PC are on their own, completely separate network,
> to ensure that the existing domain / windows clients can have
> no effect whatsoever.
>
> 1. Install samba and LDAP on the server, together with phpldapadmin.
>
> 2. Configured slapd and got the LDAP server working, and
> configured phpldapadmin to let me connect and see what's going
> on, and create LDAP entries directly if needed. Also
> configured PAM and NSS.
>
> 3. Configured samba as a PDC with an LDAP backend. Set the
> LDAP manager password in samba. Got the SID.
>
> 5. Configured smbldap-tools, setting up the SID and LDAP details.
>
> 6. Created the linux groups for Domain Admins, Domain Users,
> Domain Guests and Domain Computers.
>
> 7. Started LDAP and did an smbldap-populate. This gave
> exactly the right response and a look at the LDAP database
> proved it had created all the appropriate entries. Tested the
> LDAP with "ldapsearch" and got the expected response. Also
> checked NSS with getent and got the right answers.
>
> 8. Added a user with smbldap-useradd then set the password
> for that user with smbldap-passwd. This worked fine.
>
> 9. Checked that the root UID is set to 0. It is.
>
> 10. Checked that the user account is being read properly
> using pdbedit -Lv. It is.
>
> 11. Started nmb, smb and winbind, and checked the logs to see
> if they are behaving. They are.
>
> 12. Tried to join the domain from the PDC (which is named
> "PDC") with "net rpc join -S PDC -U root%PASSWORD"
>
> 13. It fails. The message I get is:
> Creation of workstation account failed
> Unable to join domain LDAPTEST.
>
> 14. Tried to join a windows XP PC to the domain. It finds the
> domain controller ok, and then gives the error "The username
> could not be found" which, from what I've been able to find
> out, means that the PC account isn't being created properly
> on the domain.
>
>
> What's *really* odd is that it seems to be creating the
> computer accounts correctly in the LDAP (you can see that in
> the LDIF export below). And yet, despite actually creating
> the account, it's insisting that it isn't.
>
> I tried deleting the LDAP entry for the computer, then
> creating it by hand (smbldap-adduser -w pdc$) and it works
> fine. But the client still insists that it hasn't joined the domain.
>
> I *know* I'm typing the password correctly, and the log seems
> to bear this out. It simply doesn't work, and I've completely
> run out of steam trying to understand why. I'm presumably
> missing something significant (and probably very simple). Can
> anyone offer some pointers, or even the
> answer, before I quit computing and start driving trucks for
> a living... :)
>
> Thanks,
>
> Paul.
>
>
> Software versions:
> =============
> Fedora linux 8 (fully patched as of 12 Feb), with samba
> 3.0.28, openldap 2.3.39-1.
> Windows XP with SP2 and all current updates as of 12 Feb.
>
> Error messages:
> ===========
> in log.smb I get this when trying to join the domain:
>
> [2008/02/15 17:21:44, 2] smbd/reply.c:reply_special(324)
> netbios connect: name1=PDC name2=PDC
> [2008/02/15 17:21:44, 2] smbd/reply.c:reply_special(331)
> netbios connect: local=pdc remote=pdc, name type = 0
> [2008/02/15 17:21:44, 2] lib/smbldap.c:smbldap_open_connection(786)
> smbldap_open_connection: connection opened
> [2008/02/15 17:21:44, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
> get_md4pw: Workstation PDC$: no account in domain
> [2008/02/15 17:21:44, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
> _net_auth2: failed to get machine password for account PDC$:
> NT_STATUS_ACCESS_DENIED
> [2008/02/15 17:21:44, 2] smbd/reply.c:reply_special(324)
> netbios connect: name1=PDC name2=PDC
> [2008/02/15 17:21:44, 2] smbd/reply.c:reply_special(331)
> netbios connect: local=pdc remote=pdc, name type = 0
> [2008/02/15 17:21:44, 2] lib/smbldap.c:smbldap_open_connection(786)
> smbldap_open_connection: connection opened
> [2008/02/15 17:21:44, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
> init_sam_from_ldap: Entry found for user: root
> [2008/02/15 17:21:44, 2] passdb/pdb_ldap.c:init_group_from_ldap(2158)
> init_group_from_ldap: Entry found for group: 512
> [2008/02/15 17:21:44, 2] auth/auth.c:check_ntlm_password(309)
> check_ntlm_password: authentication for user [root] ->
> [root] -> [root] succeeded
> [2008/02/15 17:21:45, 0]
> passdb/pdb_interface.c:pdb_default_create_user(329)
> _samr_create_user: Running the command
> `/usr/sbin/smbldap-useradd -w 'pdc$'' gave 9
>
>
> Config file extracts:
> ==============
>
> slapd.conf
> -----------
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/samba.schema
> ...
> access to attrs=userPassword
> by self write
> by * auth
>
> access to attrs=shadowLastChange
> by self write
> by * read
>
> access to *
> by * read
> by anonymous auth
> ...
> database bdb
> suffix "dc=vi-lab,dc=net"
> rootdn "cn=Manager,dc=vi-lab,dc=net"
> rootpw {SSHA}06qDkonA8hk6W6SSnRzWj0/pBcU3m0/P
> directory /var/lib/ldap
>
>
> LDIF of running database
> ----------------------------
> dn: dc=vi-lab,dc=net
>
> objectClass: dcObject
> objectClass: organization
> o: vi-lab
> dc: vi-lab
>
> dn: ou=Computers,dc=vi-lab,dc=net
> objectClass: top
> objectClass: organizationalUnit
> ou: Computers
>
> dn: uid=pdc$,ou=Computers,dc=vi-lab,dc=net
> objectClass: top
> objectClass: account
> objectClass: posixAccount
> cn: pdc$
> uid: pdc$
> uidNumber: 1005
> gidNumber: 515
> homeDirectory: /dev/null
> loginShell: /bin/false
> description: Computer
> gecos: Computer
>
> dn: ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: organizationalUnit
> ou: Groups
>
> dn: cn=Account Operators,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 548
> cn: Account Operators
> description: Netbios Domain Users to manipulate users accounts
> sambaSID: S-1-5-32-548
> sambaGroupType: 5
> displayName: Account Operators
>
> dn: cn=Administrators,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 544
> cn: Administrators
> description: Netbios Domain Members can fully administer the
> computer/sambaDomainName
> sambaSID: S-1-5-32-544
> sambaGroupType: 5
> displayName: Administrators
>
> dn: cn=Backup Operators,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 551
> cn: Backup Operators
> description: Netbios Domain Members can bypass file security
> to back up files
> sambaSID: S-1-5-32-551
> sambaGroupType: 5
> displayName: Backup Operators
>
> dn: cn=Domain Admins,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 512
> cn: Domain Admins
> memberUid: root
> description: Netbios Domain Administrators
> sambaSID: S-1-5-21-314791047-4281314283-1819700115-512
> sambaGroupType: 2
> displayName: Domain Admins
>
> dn: cn=Domain Computers,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 515
> cn: Domain Computers
> description: Netbios Domain Computers accounts
> sambaSID: S-1-5-21-314791047-4281314283-1819700115-515
> sambaGroupType: 2
> displayName: Domain Computers
>
> dn: cn=Domain Guests,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 514
> cn: Domain Guests
> description: Netbios Domain Guests Users
> sambaSID: S-1-5-21-314791047-4281314283-1819700115-514
> sambaGroupType: 2
> displayName: Domain Guests
>
> dn: cn=Domain Users,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 513
> cn: Domain Users
> description: Netbios Domain Users
> sambaSID: S-1-5-21-314791047-4281314283-1819700115-513
> sambaGroupType: 2
> displayName: Domain Users
>
> dn: cn=Print Operators,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 550
> cn: Print Operators
> description: Netbios Domain Print Operators
> sambaSID: S-1-5-32-550
> sambaGroupType: 5
> displayName: Print Operators
>
> dn: cn=Replicators,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 552
> cn: Replicators
> description: Netbios Domain Supports file replication in a
> sambaDomainName
> sambaSID: S-1-5-32-552
> sambaGroupType: 5
> displayName: Replicators
>
> dn: sambaSID=S-1-5-32-545,ou=Groups,dc=vi-lab,dc=net
> objectClass: sambaSidEntry
> objectClass: sambaGroupMapping
> sambaSID: S-1-5-32-545
> sambaGroupType: 4
> displayName: Users
> gidNumber: 10000
> sambaSIDList: S-1-5-21-314791047-4281314283-1819700115-513
>
> dn: ou=Idmap,dc=vi-lab,dc=net
> objectClass: top
> objectClass: organizationalUnit
> objectClass: sambaUnixIdPool
> ou: Idmap
> uidNumber: 10000
> gidNumber: 10005
>
> dn: ou=People,dc=vi-lab,dc=net
> objectClass: top
> objectClass: organizationalUnit
> ou: People
>
> dn: uid=furnesp,ou=People,dc=vi-lab,dc=net
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: sambaSamAccount
> cn: furnesp
> sn: furnesp
> givenName: furnesp
> uid: furnesp
> uidNumber: 1000
> gidNumber: 513
> homeDirectory: /home/furnesp
> loginShell: /bin/bash
> gecos: System User
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> displayName: furnesp
> sambaSID: S-1-5-21-314791047-4281314283-1819700115-3000
> sambaPrimaryGroupSID: S-1-5-21-314791047-4281314283-1819700115-513
> sambaLogonScript: \export\netlogon\logon.bat
> sambaProfilePath: \\%L\Profiles\furnesp
> sambaHomePath: \\%L\furnesp
> sambaHomeDrive: H:
> sambaLMPassword: 6B7077BA8F8D8BD4AAD3B435B51404EE
> sambaAcctFlags: [U]
> sambaNTPassword: 15094F33692DB11DE3361C044289B84C
> sambaPwdLastSet: 1203092614
> sambaPwdMustChange: 1206980614
> userPassword: {MD5}AYtqSZjKzvLjGzGaZCHV8g==
> shadowLastChange: 13924
> shadowMax: 45
>
> dn: uid=nobody,ou=People,dc=vi-lab,dc=net
> cn: nobody
> sn: nobody
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: sambaSamAccount
> objectClass: posixAccount
> objectClass: shadowAccount
> gidNumber: 514
> uid: nobody
> uidNumber: 999
> homeDirectory: /dev/null
> sambaPwdLastSet: 0
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaPwdMustChange: 2147483647
> sambaHomePath: \\%L\nobody
> sambaHomeDrive: H:
> sambaProfilePath: \\%L\Profiles\nobody
> sambaPrimaryGroupSID: S-1-5-21-314791047-4281314283-1819700115-514
> sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
> sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
> sambaAcctFlags: [NUD ]
> sambaSID: S-1-5-21-314791047-4281314283-1819700115-2998
> loginShell: /bin/false
>
> dn: uid=root,ou=People,dc=vi-lab,dc=net
> cn: root
> sn: root
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: sambaSamAccount
> objectClass: posixAccount
> objectClass: shadowAccount
> uid: root
> uidNumber: 0
> homeDirectory: /home/root
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaHomePath: \\%L\root
> sambaHomeDrive: H:
> sambaProfilePath: \\%L\Profiles\root
> sambaPrimaryGroupSID: S-1-5-21-314791047-4281314283-1819700115-512
> sambaSID: S-1-5-21-314791047-4281314283-1819700115-1000
> loginShell: /bin/false
> gecos: Netbios Domain Administrator
> sambaLMPassword: BE6C2CB6DCCAB6C81AA818381E4E281B
> sambaAcctFlags: [U]
> sambaNTPassword: 7681889A48EB666054D449D996329A26
> sambaPwdLastSet: 1203092468
> sambaPwdMustChange: 1206980468
> userPassword: {MD5}cIDsCbTZptdIWyvi6lJS0w==
> shadowLastChange: 13924
> shadowMax: 45
> gidNumber: 0
>
> dn: sambaDomainName=LDAPTEST,dc=vi-lab,dc=net
> objectClass: top
> objectClass: sambaDomain
> objectClass: sambaUnixIdPool
> sambaDomainName: LDAPTEST
> sambaSID: S-1-5-21-314791047-4281314283-1819700115
> gidNumber: 1000
> sambaNextRid: 1000
> sambaPwdHistoryLength: 0
> sambaMinPwdAge: 0
> sambaMaxPwdAge: -1
> uidNumber: 1006
>
>
> smb.conf
> ----------
> workgroup = LDAPTEST
> netbios name = PDC
> ...
> passdb backend = ldapsam:ldap://localhost
> enable privileges = Yes
> username map = /etc/samba/smbusers
> smb ports = 139
> name resolve order = wins bcast hosts
> ...
> add user script = /usr/sbin/smbldap-useradd -m '%u'
> delete user script = /usr/sbin/smbldap-userdel %u
> add group script = /usr/sbin/smbldap-groupadd -p '%g'
> delete group script = /usr/sbin/smbldap-groupdel '%g'
> add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
> delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
> add machine script = /usr/sbin/smbldap-useradd -w '%u'
> ...http://10.226.210.245
> logon script = \export\netlogon\logon.bat
> ...
> local master = yes
> os level = 35
> domain master = Yes
> preferred master = Yes
> domain logons = Yes
> security = user
> encrypt passwords = Yes
> wins support = Yes
> dns proxy = Yes
> ldap suffix = dc=vi-lab,dc=net
> ldap machine suffix = ou=Computers
> ldap user suffix = ou=People
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> ldap admin dn = cn=Manager,dc=vi-lab,dc=net
> ldap ssl = no
> ldap passwd sync = Yes
> idmap backend = ldap:ldap://localhost
> idmap uid = 10000-20000
> idmap gid = 10000-20000
>
> [homes]
> comment = Home Directories
> valid users = %S
> read only = No
> browseable = No
>
> [printers]
> comment = SMB Print Spool
> path = /var/spool/samba
> guest ok = Yes
> printable = Yes
> browseable = No
>
> [netlogon]
> comment = Local general disk on %h
> path = /export/netlogon
> guest ok = Yes
> locking = No
> public = yes
> writable = yes
>
> [profiles]
> comment = Profile Share
> path = /export/profiles
> read only = No
> profile acls = Yes
>
> [print$]
> comment = Printer Drivers
> path = /export/drivers
> browseable = yes
> guest ok = no
> read only = yes
> write list = root, furnesp
>
>
> smbusers
> -----------
> # Unix_name = SMB_name1 SMB_name2 ...
> root = administrator admin
> nobody = guest pcguest smbguest
>
> smbldap.conf
> ---------------
> SID="S-1-5-21-314791047-4281314283-1819700115"
> sambaDomain="LDAPTEST"
> slaveLDAP="localhost"
> slavePort="389"
> masterLDAP="localhost"
> masterPort="389"
> ldapTLS="0"
> ...
>
> suffix="dc=vi-lab,dc=org"
> usersdn="ou=People,${suffix}"
> computersdn="ou=Computers,${suffix}"
> groupsdn="ou=Groups,${suffix}"
> idmapdn="ou=Idmap,${suffix}"
> sambaUnixIdPooldn="sambaDomainName=LDAPTEST,${suffix}"
> scope="sub"
> ...
> defaultUserGid="513"
> defaultComputerGid="515"
>
>
>
> ---
>
> Paul Furness BEng(Hons) MBCS
> Systems Manager
>
> MITSUBISHI ELECTRIC INFORMATION TECHNOLOGY CENTRE EUROPE B.V
> VISUAL INFORMATION LABORATORY 20, Frederick Sanger Road The
> Surrey Research Park Guildford, Surrey GU2 7YD UK Registered
> Branch BR 003158 DDI Telephone: +44 1483 885826
> Tel: +44 1483 885800 Fax: +44 1483 579107
>
>
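Two things stand out when reading the quoted extracts side by side: the computer entry `uid=pdc$,ou=Computers,...` carries only `account` and `posixAccount` object classes (no `sambaSamAccount`), and smb.conf says `ldap suffix = dc=vi-lab,dc=net` while smbldap.conf says `suffix="dc=vi-lab,dc=org"`. Samba's ldapsam backend only finds a machine account if the entry is a `sambaSamAccount`, which is consistent with the `get_md4pw: Workstation PDC$: no account in domain` log line even though the entry is visible in the LDIF. The thread itself never confirms a root cause, so the script below is offered as an added consistency checker, not as Samba's or smbldap-tools' own code: it parses an LDIF export and the two config extracts and flags both conditions. The sample inputs are constructed, reduced from the extracts quoted above; the parsing is deliberately minimal (one `key = value` per line, no smb.conf sections, no base64 decoding).

```python
"""Added example: sanity checks for a Samba PDC with an LDAP backend.

Flags two things a machine join can trip over:
  1. a machine account (uid ending in '$') that is not a sambaSamAccount,
     so ldapsam cannot find it ("no account in domain");
  2. 'ldap suffix' in smb.conf differing from 'suffix' in smbldap.conf,
     so smbd and the smbldap-tools scripts work on different trees.
"""
import re

# Constructed sample input, reduced from the extracts quoted in the thread.
SAMPLE_LDIF = """\
dn: uid=pdc$,ou=Computers,dc=vi-lab,dc=net
objectClass: top
objectClass: account
objectClass: posixAccount
uid: pdc$
uidNumber: 1005
gidNumber: 515

dn: uid=furnesp,ou=People,dc=vi-lab,dc=net
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
uid: furnesp
"""
SAMPLE_SMB_CONF = """\
passdb backend = ldapsam:ldap://localhost
ldap suffix = dc=vi-lab,dc=net
ldap machine suffix = ou=Computers
"""
SAMPLE_SMBLDAP_CONF = """\
suffix="dc=vi-lab,dc=org"
computersdn="ou=Computers,${suffix}"
"""


def parse_ldif(text):
    """Entries as dicts attr -> [values]; blank line separates entries,
    a leading space continues the previous value (RFC 2849)."""
    entries, current, last_attr = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if raw.startswith(" ") and last_attr:
            current[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        last_attr = attr.strip()
        current.setdefault(last_attr, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def machine_accounts_missing_samba_class(entries):
    """DNs of machine accounts ldapsam will not see: it searches with
    (&(uid=NAME$)(objectClass=sambaSamAccount)), so a plain posixAccount
    entry exists in LDAP yet counts as 'no account in domain'."""
    bad = []
    for e in entries:
        if not any(u.endswith("$") for u in e.get("uid", [])):
            continue
        classes = {c.lower() for c in e.get("objectClass", [])}
        if "sambasamaccount" not in classes:
            bad.append(e["dn"][0])
    return bad


def smb_conf_value(text, key):
    """Value of 'key = value' in an smb.conf extract (case-insensitive), or None."""
    for line in text.splitlines():
        k, _, v = line.partition("=")
        if k.strip().lower() == key.lower():
            return v.strip()
    return None


def smbldap_conf_value(text, key):
    """Value of key="value" in an smbldap.conf extract, or None."""
    m = re.search(r'^\s*%s\s*=\s*"?([^"\n]*)"?\s*$' % re.escape(key), text, re.M)
    return m.group(1).strip() if m else None


def normalize_dn(dn):
    """Loose DN comparison key: lower-case, whitespace around commas dropped."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def suffix_mismatch(smb_conf, smbldap_conf):
    """(smb suffix, smbldap suffix) if both are set and differ, else None."""
    a = smb_conf_value(smb_conf, "ldap suffix")
    b = smbldap_conf_value(smbldap_conf, "suffix")
    if a is None or b is None or normalize_dn(a) == normalize_dn(b):
        return None
    return (a, b)


def run_checks(ldif, smb_conf, smbldap_conf):
    """Human-readable findings; an empty list means both checks passed."""
    findings = ["machine account without sambaSamAccount objectClass: " + dn
                for dn in machine_accounts_missing_samba_class(parse_ldif(ldif))]
    mismatch = suffix_mismatch(smb_conf, smbldap_conf)
    if mismatch:
        findings.append("smb.conf 'ldap suffix' %r != smbldap.conf 'suffix' %r" % mismatch)
    return findings


if __name__ == "__main__":
    print("\n".join("WARNING: " + f for f in run_checks(
        SAMPLE_LDIF, SAMPLE_SMB_CONF, SAMPLE_SMBLDAP_CONF)) or "no findings")
```

Run against the constructed sample it reports both findings; pointed at a real `slapcat` export and the real config files it gives a quick answer to "does smbd actually see the machine account it just asked smbldap-useradd to create, and are both tools talking about the same tree?" before digging into log levels.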