Can't join domain with current CVS (SAMBA_TNG)

Steve Langasek vorlon at netexpress.net
Fri Aug 25 19:15:07 GMT 2000


On Thu, 24 Aug 2000, Matthew Geddes wrote:

> > An NT workstation will join the domain run by the TNG PDC.  This works pretty
> > well, and after joining the workstation to the domain, I'm able to run
> > smbclient against the NT workstation and authenticate using a username and
> > password from the domain.  However, I can't log onto the workstation locally
> > using any credentials from the domain; only local NT users can log in.

> I spent a couple of months (prealpha 0.8 -> 2.5 ;-)) with a problem
> displaying the same symptoms. Make sure that your Administrator is
> root and check Lars' FAQ for all the .map file stuff. I have had
> alpha-2.6 running fine on Linux and FreeBSD.

Here are the contents of my .map files:

$ cat domaingroup.map
root="Domain Admins"
bppp="Domain Users"

$ cat domainuser.map
root=Administrator

$ cat localgroup.map
adm=BUILTIN\Administrators
lp=BUILTIN\"Print Operators"


These aren't identical to the examples in the FAQ, but the FAQ implies that
these are suggestions, not requirements.  You also mention that having a guest
user is /not/ recommended, so I left that line out of the domain user map.

Is there any reason that I would need all users to be in the "Domain Users"
group?  (Currently, "Domain Users" maps to a group that most users are /not/
members of... with ~8500 users, putting everyone in one group will be
painful.)

> > Possibly unrelated is the fact that a Unix server running TNG cannot join
> > the domain.  Using samedit fails, as mentioned in my previous message.  If I
> > use smbpasswd -j <domain>, everything appears to work -- smbpasswd file is
> > updated correctly, files are created on the member server -- but running
> > smbclient against the member server will fail.  AFAICT, this problem lies
> > somewhere on the member server side: not only is an NT member server able to
> > authenticate against the domain, if I downgrade the Unix member server to
> > Samba 2.0.7, it's also able to use domain authentication.

> Don't use smbpasswd. ;-)

If I had another way that worked... :)

Of course, since using smbpasswd -j to join a domain doesn't actually let me
authenticate from the member server, this doesn't really represent much of a
security threat for the time being. :)

> I had the same problem. It went away with the above problem. What are
> the error messages you're getting?

After adding the workstation user to the PDC's password file, this is what I
see:

sheridan:~# samedit -S . -U root -N
added interface ip=xx.xx.xx.xx bcast=xx.xx.xx.255 nmask=255.255.255.0
[root at .]$ use \\\\SHAMUPDC -U root
use \\\\SHAMUPDC -U root
Enter Password:
Server: \\SHAMUPDC:     User:   root    Domain:
Connection:     Got a positive name query response from xx.xx.xx.xx ( xx.xx.xx.xx )
session setup ok
Domain=[MATRIX] OS=[Unix] Server=[Samba TNG-alpha]
OK
[root at .]$ createuser sheridan$ -j matrix
createuser sheridan$ -j matrix
SAM Create Domain User
Got a positive name query response from xx.xx.xx.xx ( xx.xx.xx.xx )
Domain: MATRIX Name: sheridan$ ACB: [W          ]
cli_pipe: return critical error. Error was RAP code 0
Create Domain User: FAILED
[root at .]$ 

If I try adding the user sheridan$ to the smbpasswd file before running the
createuser command, I get a different set of errors, none of which are more
enlightening (to me) than the above.

I can generate logfiles easily enough if they'd be of use -- I just don't know
where to begin debugging something like this...

Thanks,
Steve Langasek
postmodern programmer




