RC2: Cannot join domain

José Luis Tallón jltallon at adv-solutions.net
Wed Sep 10 10:47:28 GMT 2003

We've been working with Samba for the last years. Most ( if not all ) of it 
has worked as documented. Stability is much better than M$ Windows' and it 
is roughly an order of magnitude better on the same hardware ( you can add 
this to you customer quotes, Jerry ;)  )

We have recently upgraded to RC2 from beta2, and we found this behaviour: 
while the "File Server" functions work perfectly well ( as always ), we 
have lost the ability to join machines to the domain, which get rejected 
with "username not found" message. Using LDAP backend.

We did a quite big test yesterday, were we joined 32 machines to the 
domain, and we only succeeded using smbpasswd backend. LDAP backend 
wouldn't let us join machines to the domain. We suspected a corrupted 
installation or defective hardware...

( sorry, pressed "send inmediately" -Ctrl-E- keyboard shortcut when trying 
to go to EOL ;)  )

A couple hours before we had upgraded our main domain controllers to RC2 
and everything seemed to work fine... until this morning, when we needed to 
join a machine to this domain. It has all worked flawlessly for the last 
two months, with big sustained workloads.

So.. What changed in RC2 which has to do with domain joining? Release notes 
do not show anything relevant ( or so it seems )
Anything needs to change in SMB.CONF and/or the LDAP DIT, or we just found 
a bug?

Hardware: Dell 2600SC, 2xXeon 2.4GHz, 1GB ECC DDRAM, very recently purchased

Software:  Debian Woody base, Samba3.0.0beta2+3.0.0rc2-1 and OpenLDAP 
2.1.22-1 from Sid, plus their dependencies.

Clients: W2K and WXP Pro, plus some NT4 ( not relevant )

Note: we have an "administrator" account with UID 0, Primary group SID 
DOMAIN-544, member of group with SID DOMAIN-512 ( both mappings checked 
with net groupmap )

------8<---- smb.conf ----8<--------------

workgroup = CNSR

server string = Servidor (%h)
;netbios name = SERVIDOR

load printers = no
; printing = bsd
; printcap name = /etc/printcap
;   printing = cups
;   printcap name = cups

;   guest account = nobody
invalid users = root

log file = /var/log/samba/log.%m
max log size = 1000
syslog only = no
syslog = 0

security = user
encrypt passwords = true

passdb backend = ldapsam:ldap://localhost, tdbsam, guest

algorithmic rid base = 1000

ldap suffix = dc=xxxxxxxx,dc=xxx
ldap admin dn = uid=samba,ou=daemons,dc=recuerdo,dc=net
ldap delete dn = no
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap,ou=samba
ldap machine suffix = ou=machines

ldap filter = "(uid=%u)"

idmap only = no
idmap backend = winbind
ldap idmap suffix = ou=idmap,ou=samba,dc=recuerdo,dc=net
winbind use default domain = yes
idmap uid = 50000-55000
idmap gid = 50000-55000

#winbind separator = +

username map = /etc/samba/smbusers
;   include = /home/samba/etc/smb.conf.%m

socket options = TCP_NODELAY

local master = yes
os level = 20
domain master = yes
preferred master = auto

wins support = no
dns proxy = no
name resolve order = lmhosts host wins bcast

;   preserve case = yes
;   short preserve case = yes

; unix password sync = true
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n 
:* %n\n .
pam password change = no
;   message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &
obey pam restrictions = no

domain logons = yes
logon script = netlogon.bat
logon drive = H:
logon path = \\%L\Profiles\%u

panic action = /usr/share/samba/panic-action %d

#======================= Share Definitions =======================

    comment = Home Directories
    browseable = no
    writeable = yes
    read only = no
    csc policy = disable
    force create mode = 0640
    force directory mode = 2750

    comment = Network Logon Service
    path = /profiles/netlogon
    guest ok = yes
    writable = no
    share modes = no

     comment = Directorio de perfiles
     path = /profiles
     browseable = no
     guest ok = yes
     writeable = yes
;    nt acl support = no
     profile acls = yes
     create mask = 0600
     directory mask = 0700

More information about the samba-technical mailing list