[Samba] Windows 2000 pro doesn't join a domain with Samba+Ldap (linux)

Adam Williams awilliam at mdah.state.ms.us
Sat Feb 23 03:02:21 GMT 2008


Have you run smbpasswd -a root?

Hector Blanco wrote:
> Hello people...
>
> I had to sign up to the list because I don't know what else I could
> do... I can't find my error anywhere!! :(
>
> The thing is that I have a Linux server with LDAP (openldap 2.3) +
> Samba (3.0.26) + smbldap-tools (0.9.2-3), and I want to authenticate a
> Windows 2000 Professional client machine against that server, but it
> won't work!!
>
> The domain is called "JOME", and the LDAP database structure is
> something like this (I hope you'll be able to see it properly)
>
> dc=jome
>  |
>  \-cn=Admin
>  |
>  \-ou=Group
>  |  |
>  |  \- cn= Account operators
>  |  \- cn= Administrators
>  |  \- cn= Backup Operators
>  |  \- cn= Domain Admins
>  |  \- cn= Domain Computers
>  |  \- cn= Domain Guests
>  |  \- cn= Domain Users
>  |  \- cn= Print operators
>  |  \- cn= Replicators
>  |  \- cn= test
>  |
>  \-ou=Hosts
>  |  |
>  |  \- uid=Enano$
>  |  \- uid=xxxx$
>  |
>  \-ou=Idmap
>  |
>  \-ou=People
>  |  |
>  |  \- uid=nobody
>  |  \- uid=root
>  |  \- uid=test
>  \-sambaDomainName=JOME
>
>
> The user root is the Netbios Domain Administrator and its
> sambaPrimaryGroupSID is the same as Domain Admins.
>
> All the Group accounts in ou=Group except "test" were created by
> smbldap-populate.
>
> The linux server is the host called "xxxx" and the windows client is
> the host "enano"
>
> When I try to join the domain "JOME" from Windows, I am prompted for a
> user that has permission to create "things" in the domain. I fill the
> textboxes with "root" and the "rootpass", and in the samba.log file of
> the server (if the debug level is 2 or higher), it appears:
> "authentication for user [root] -> [root] -> [root] succeeded". After
> this, the machine (enano$) is properly created (if it doesn't exist) in
> the LDAP schema (a new entry called enano$ appears in
> ou=Hosts,dc=jome) as shown in the diagram above. The thing is that
> everything seems to be fine until an "error dialog window" appears on
> the Windows machine with a very ugly red sign, saying "username
> not found". I think it must be something wrong with the user "root",
> because if I try a username that is really non-existent (john, for
> instance) or if I mistype the password, the message that appears in
> Windows is different (on my computer it appears in Spanish, but it's
> something like "session starting error: username not found or wrong
> password")... I've tried to put a higher debug level in Samba
> (smb.conf -> debug level = 3) and, among several other messages, it
> appears:
> [2008/02/22 15:33:37, 3] passdb/pdb_interface.c:pdb_default_create_user(354)
>  pdb_default_create_user: failed to create a new user structure:
> NT_STATUS_NO_SUCH_USER
>
> But I don't know what user structure it may be... and I don't know why
> this error only appears when the debug level is that high (I've been
> googling around, and this level was only recommended for developers).
> Anyway, I'm attaching a part of the samba.log file (a complete
> process). You can see on lines #108 and
> #118 that it seems to be authenticating "root" properly, and on line
> #482 the error NT_STATUS_NO_SUCH_USER (as I said, this only appears
> with debug level = 3, so I don't know if it is very serious or not...)
> I'm not sure what kind of "user structure" it is trying to create and
> why it can't (it was supposed to be able to create an "enano$" user...
> why can't it do the same now?). As you may see, it's not complete, but
> I took away some lines that I didn't consider relevant (maybe they
> were, but... ). I'm sorry a couple of attachments had to be compressed,
> but otherwise the mail wouldn't be accepted.
>
> I have read somewhere
> (http://www.mami.net/univr/tng-ldap/howto/#how_to_join_windows_2000_to_domain)
> that I need an entry in /etc/passwd for each machine. LDAP is "making"
> the passwd, but the machines (enano$ and xxxx$) are not "users". A
> getent passwd gives this:
>
> root@xxxx# getent passwd
>   root:x:0:0:root:/root:/bin/bash
>   daemon:x:1:1:daemon:/usr/sbin:/bin/sh
>   bin:x:2:2:bin:/bin:/bin/sh
>   sys:x:3:3:sys:/dev:/bin/sh
>   sync:x:4:65534:sync:/bin:/bin/sync
>   games:x:5:60:games:/usr/games:/bin/sh
>   man:x:6:12:man:/var/cache/man:/bin/sh
>   lp:x:7:7:lp:/var/spool/lpd:/bin/sh
>   mail:x:8:8:mail:/var/mail:/bin/sh
>   news:x:9:9:news:/var/spool/news:/bin/sh
>   uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
>   proxy:x:13:13:proxy:/bin:/bin/sh
>   www-data:x:33:33:www-data:/var/www:/bin/sh
>   backup:x:34:34:backup:/var/backups:/bin/sh
>   list:x:38:38:Mailing List Manager:/var/list:/bin/sh
>   irc:x:39:39:ircd:/var/run/ircd:/bin/sh
>   gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
>   nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
>   dhcp:x:100:101::/nonexistent:/bin/false
>   syslog:x:101:102::/home/syslog:/bin/false
>   klog:x:102:103::/home/klog:/bin/false
>   hplip:x:103:7:HPLIP system user,,,:/var/run/hplip:/bin/false
>   avahi-autoipd:x:104:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
>   messagebus:x:105:113::/var/run/dbus:/bin/false
>   avahi:x:106:114:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
>   gdm:x:107:116:Gnome Display Manager:/var/lib/gdm:/bin/false
>   haldaemon:x:108:117:Hardware abstraction layer,,,:/home/haldaemon:/bin/false
>   hector:x:1000:1000:Hector Blanco,,,:/home/hector:/bin/bash
>   openldap:x:109:120:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
>   sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
>   test:x:2000:2000:Test User:/home/test:/bin/bash
>   root:x:0:0:Netbios Domain Administrator:/tmp:/bin/false
>   nobody:x:999:514:nobody:/dev/null:/bin/false
>
> (the last three users, test, root and nobody, only exist in the LDAP database)
>
> Ah, and from the Windows client I am able to access the shared
> resources of the server when I log in as "root" or "test" (users from
> the LDAP entry ou=People).
>
> Just in case... an anonymous (without password) smbclient -L to the
> samba server gives this:
>
> root@xxxx:/var/lib/samba/netlogon# smbclient -L 192.168.1.30
> Password:
> Domain=[JOME] OS=[Unix] Server=[Samba 3.0.26a]
>
>        Sharename       Type      Comment
>        ---------       ----      -------
>        netlogon        Disk      Network Logon Service
>        profiles        Disk      Profile Share
>        print$          Disk      Printer Drivers
>        IPC$            IPC       IPC Service (xxxx PDC server Version 3.0.26a)
> Domain=[JOME] OS=[Unix] Server=[Samba 3.0.26a]
>
>        Server               Comment
>        ---------            -------
>        XXXX                 xxxx PDC server Version 3.0.26a
>
>        Workgroup            Master
>        ---------            -------
>        JOME                 XXXX
>
> I am also attaching the LDAP tree (compressed too, sorry), the smb.conf
> file and the sambaldap-tools.conf file... just in case...
>
> Sorry for such a huge message, but I have no idea of what's wrong...
>
> Thank you very much in advance... Any hint (whatever) will be deeply
> appreciated!!
>   
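The howto cited in the post says each machine account has to be resolvable as a Unix account, and the `getent passwd` output pasted above contains no `enano$` or `xxxx$` line while listing `root` and `nobody` twice (once from /etc/passwd, once from LDAP). The script below is an added example, not code from this thread or from the Samba or smbldap-tools projects: it runs the checks a practitioner would do on that dump, with a constructed excerpt of the posted output embedded so it runs offline. The function names are mine, and the extra `enano$` line in the second sample (its UID, GID and gecos) is a hypothetical value, not something from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): offline sanity checks over a
# `getent passwd` dump.  On a real PDC you would run:
#     getent passwd | report enano xxxx
# Here a constructed excerpt of the output posted in the thread is embedded.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
hector:x:1000:1000:Hector Blanco,,,:/home/hector:/bin/bash
test:x:2000:2000:Test User:/home/test:/bin/bash
root:x:0:0:Netbios Domain Administrator:/tmp:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false'

# Same excerpt plus a hypothetical machine-account line; UID, GID and
# gecos are assumptions for the demo, not values taken from the thread.
SAMPLE_PASSWD_WITH_HOST="$SAMPLE_PASSWD
enano\$:x:1001:515:Computer:/dev/null:/bin/false"

# missing_machine_accounts HOST...   (passwd data on stdin)
# Prints "HOST$" for every host whose machine account NSS cannot resolve.
missing_machine_accounts() {
    _data=$(cat)
    for host in "$@"; do
        if ! printf '%s\n' "$_data" |
             awk -F: -v u="$host\$" '$1 == u { found = 1 } END { if (found) exit 0; exit 1 }'; then
            printf '%s$\n' "$host"
        fi
    done
    return 0
}

# duplicate_names   (passwd data on stdin)
# Prints each login name that occurs more than once, i.e. the same name
# served by two NSS sources (files and ldap), sorted.
duplicate_names() {
    awk -F: '{ n[$1]++ } END { for (u in n) if (n[u] > 1) print u }' | sort
}

# uid0_entries   (passwd data on stdin)
# Prints "name:gecos" for every UID 0 entry; more than one line means a
# second, here directory-managed, superuser account on the PDC.
uid0_entries() {
    awk -F: '$3 == 0 { print $1 ":" $5 }'
}

# report HOST...   (passwd data on stdin): human-readable summary
report() {
    _pw=$(cat)
    printf '== machine accounts not resolvable via NSS ==\n'
    printf '%s\n' "$_pw" | missing_machine_accounts "$@"
    printf '== login names served more than once ==\n'
    printf '%s\n' "$_pw" | duplicate_names
    printf '== UID 0 entries ==\n'
    printf '%s\n' "$_pw" | uid0_entries
}

printf '%s\n' "$SAMPLE_PASSWD" | report enano xxxx
```

On the poster's dump the first section lists both hosts, which is what the cited howto says must not happen. The third section is the security caveat: a second UID 0 entry with the "Netbios Domain Administrator" gecos served from LDAP means whoever can write that directory entry (or its password attributes) owns root on the server, so it is worth deciding deliberately whether the Samba domain administrator should really share UID 0 with the local root.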
