[Samba] problem joining WinXP machine to samba PDC+LDAP environment

Mike Brady mike.brady at devnull.net.nz
Mon Feb 21 15:15:56 MST 2011


Quoting Jon Detert <jdetert at infinityhealthcare.com>:

> Hello,
>
> I can't join a winxp box to my samba domain.  I just have one samba
> server, meant to act as a PDC for domain='CHI'.
> Any ideas how to troubleshoot and/or remedy?
>
> Thanks,
>
> Jon
>
> Context:
> ------------
> samba v3.3.8 on CentOS v5.5, using ldapsam backend.  Domainname ='CHI'.
> smbldap-tools v0.9.6.
> I 'populated' the ldap with 'smbldap-populate'.
>
> I try to join the winxp box, authenticating to the domain as user
> 'jdetert', which is a member of the 'Administrators' group:
> # smbldap-groupshow Administrators
> dn: cn=Administrators,ou=Groups,dc=infinityhealthcare,dc=com
> objectClass: top,posixGroup,sambaGroupMapping
> gidNumber: 544
> cn: Administrators
> description: Netbios Domain Members can fully administer the
> computer/sambaDomainName
> sambaSID: S-1-5-32-544
> sambaGroupType: 5
> displayName: Administrators
> memberUid: jdetert,root
>
> What happens:
> ----------------------
> a failure dialog window pops up on the winxp box with this message:
> 'The following error occurred attempting to join the domain "CHI":
> The user name could not be found.'
>
> And here are the interesting bits (as far as I can tell) from the samba logs:
>
> <log.smb>
> [2011/02/21 14:32:07,  2] lib/smbldap_util.c:smbldap_search_domain_info(277)
>   smbldap_search_domain_info: Searching
> for:[(&(objectClass=sambaDomain)(sambaDomainName=CHI))]
> [2011/02/21 14:32:07,  2] lib/smbldap.c:smbldap_open_connection(856)
>   smbldap_open_connection: connection opened
> [2011/02/21 14:32:07,  3] lib/smbldap.c:smbldap_connect_system(1067)
>   ldap_connect_system: successful connection to the LDAP server
> [2011/02/21 14:32:07,  4] lib/smbldap.c:smbldap_open(1143)
>   The LDAP server is successfully connected
> ..
> [2011/02/21 14:32:07,  4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
>   ldapsam_getgroup: Did not find group, filter was
> (&(objectClass=sambaGroupMapping)(gidNumber=0))
> ...
> [2011/02/21 14:32:07,  4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
>   ldapsam_getgroup: Did not find group, filter was
> (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-545))
> ...
> [2011/02/21 14:32:07,  3] lib/privileges.c:get_privileges(63)
>   get_privileges: No privileges assigned to SID
> [S-1-5-21-3685928793-4148883033-3314734756-500]
> ...
>
> [2011/02/21 14:32:07,  3] lib/privileges.c:get_privileges(63)
>   get_privileges: No privileges assigned to SID
> [S-1-5-21-3685928793-4148883033-3314734756-501]
> [2011/02/21 14:32:07,  3] lib/privileges.c:get_privileges(63)
>   get_privileges: No privileges assigned to SID
> [S-1-5-21-3685928793-4148883033-3314734756-514]
> [2011/02/21 14:32:07,  3] lib/privileges.c:get_privileges(63)
>   get_privileges: No privileges assigned to SID [S-1-5-2]
> [2011/02/21 14:32:07,  3] lib/privileges.c:get_privileges(63)
>   get_privileges: No privileges assigned to SID [S-1-5-32-546]
> </log.smb>
>
> interesting bits in the log.<clientMachineName>, where
> clientMachineName=testfsclient
> <log.testfsclient>
> [2011/02/21 14:32:22,  4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
>   ldapsam_getgroup: Did not find group, filter was
> (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-545))
> .... [editor's note: that's for the group 'Users'.  Also couldn't find
> groups for S-1-5-2 ('Network'), S-1-1-0 ('Everyone'),  and  S-1-5-11
> ('Authenticated Users').]
> [2011/02/21 14:32:22,  3] lib/privileges.c:get_privileges(63)
>   get_privileges: No privileges assigned to SID
> [S-1-5-21-3685928793-4148883033-3314734756-11002]
> [2011/02/21 14:32:22,  3] lib/privileges.c:get_privileges(63)
>   get_privileges: No privileges assigned to SID
> [S-1-5-21-3685928793-4148883033-3314734756-11001]
> [2011/02/21 14:32:22,  3] lib/privileges.c:get_privileges(63)
>   get_privileges: No privileges assigned to SID [S-1-5-2]
> [2011/02/21 14:32:22,  3] lib/privileges.c:get_privileges(63)
>   get_privileges: No privileges assigned to SID [S-1-5-11]
> .... [editor's note: the SID ending in 11002 is the user 'jdetert'
> that attempted to join the machine, and the SID ending in 11001 is
> jdetert's primary GID.]
> [2011/02/21 14:32:22,  4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1519)
>   ldapsam_getsampwnam: Unable to locate user [TESTFSCLIENT$] count=0
> .... [editor's note: 'TESTFSCLIENT' is the name of the machine I was
> trying to join.]
> [2011/02/21 14:32:22,  4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
>   ldapsam_getgroup: Did not find group, filter was
> (&(objectClass=sambaGroupMapping)(|(displayName=TESTFSCLIENT$)(cn=TESTFSCLIENT$)))
> ....
> [2011/02/21 14:32:22,  0] passdb/pdb_interface.c:pdb_default_create_user(342)
>   _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w
> -c "Workstation (testfsclient$)" "testfsclient$"' gave 9
> [2011/02/21 14:32:22,  3] passdb/pdb_interface.c:pdb_default_create_user(359)
>   pdb_default_create_user: failed to create a new user structure:
> NT_STATUS_NO_SUCH_USER
> </log.testfsclient>
>
> I assume that the 'group not found' log entries are not significant,
> and that '9' was the return code from smbldap-useradd.
>
> Anyone know what return code 9 means?
> Anyone have ideas how to remedy this problem?
>
> Thanks,
>
> Jon

I am working through a similar setup at the moment.

Looking at the smbldap-useradd source, status 9 is "user must not
exist in LDAP", so I assume from that that the workstation userid
already exists?

I have just added a Windows 7 machine to my domain and also get "No
privileges assigned to SID" messages, but no group not found messages
and the domain join works for me.

Regards

Mike
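
Added example, not part of either message and not code from Samba or smbldap-tools: a small parser for the log.<clientMachineName> format quoted above that pairs a failed add-machine script run with Samba's own "Unable to locate user" lookup and prints the LDAP filter to check by hand. The sample log is reconstructed from the quoted lines with the e-mail wrapping undone; the meaning of status 9 is taken from the reply above, and the `(uid=...)` filter assumes machine accounts are stored under the `uid` attribute.

```python
import re
import shlex

# Constructed sample: lines from the quoted log.testfsclient, unwrapped.
SAMPLE_LOG = """\
[2011/02/21 14:32:22,  4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1519)
  ldapsam_getsampwnam: Unable to locate user [TESTFSCLIENT$] count=0
[2011/02/21 14:32:22,  0] passdb/pdb_interface.c:pdb_default_create_user(342)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w -c "Workstation (testfsclient$)" "testfsclient$"' gave 9
[2011/02/21 14:32:22,  3] passdb/pdb_interface.c:pdb_default_create_user(359)
  pdb_default_create_user: failed to create a new user structure: NT_STATUS_NO_SUCH_USER
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s+(\d+)\] (\S+)$")
NOT_FOUND = re.compile(r"Unable to locate user \[([^\]]+)\] count=0")
SCRIPT = re.compile(r"Running the command `(.+)' gave (\d+)")
# Only the status explained in the thread is mapped; others stay "unknown".
EXIT_MEANING = {9: "user must not exist in LDAP"}

def records(text):
    """Group each '[time, level] source' header with its continuation lines."""
    out = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            out.append({"time": m.group(1), "level": int(m.group(2)),
                        "src": m.group(3), "msg": ""})
        elif out and line.strip():
            out[-1]["msg"] = (out[-1]["msg"] + " " + line.strip()).strip()
    return out

def ldap_escape(value):
    """Escape RFC 4515 filter metacharacters in an attribute value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def diagnose(text):
    """Report non-zero add-script exits and whether Samba's lookup also failed."""
    missing, findings = set(), []
    for rec in records(text):
        m = NOT_FOUND.search(rec["msg"])
        if m:
            missing.add(m.group(1).lower())
        m = SCRIPT.search(rec["msg"])
        if m and int(m.group(2)) != 0:
            account = shlex.split(m.group(1))[-1]  # last argument is the account
            findings.append({"time": rec["time"], "account": account,
                             "status": int(m.group(2)),
                             "meaning": EXIT_MEANING.get(int(m.group(2)), "unknown"),
                             "samba_lookup_failed": account.lower() in missing,
                             "filter": "(uid=%s)" % ldap_escape(account)})
    return findings

if __name__ == "__main__":
    for f in diagnose(SAMPLE_LOG):
        print(f)
```

A finding with `samba_lookup_failed` true and status 9 is the case discussed here: Samba's lookup did not find the account, yet the add script reports that it exists, so the printed filter can be run with ldapsearch against the directory to see which entry holds that uid.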

