[Samba] XP Joining Samba Domain

Buchan Milne bgmilne at cae.co.za
Tue May 20 11:32:10 GMT 2003 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

_Chris McKeever_ wrote:
> I have successfully joined the XP machine to the domain.  The strange part
> is, that it only wanted to be joined if it connected to the PDC and
not the
> BDC.
>
> The way it is set-up is that the XP machine and a BDC is in one branch and
> the PDC is in another.  Every time I would try to connect via the BDC, it
> would return a value ACCESS DENIED
>
> I stopped the smb service on the BDC, and got it to connect via the
PDC.  I
> then got it to log into the domain using the BDC for authentication..I
made
> sure of this by looking at the recent log.machine-name files for the
BDC and
> PDC and it only showed up in the BDC.
>
> So I am wondering if this is expected behavior?? That it can only join via
> the PDC?
>

No, my test network worked joining via the BDC (I stopped smbd on the
PDC to be sure).

The issue is that samba does the following:

1)Check for machine account
2)If no machine account, run 'add user script'
3)Check for machine account, if it exists, join, if not return 'access
denied'.

If your LDAP server does not replicate the machine account to the
slave/BDC in the time between samba running 'add user script' and
checking again, you will see this behaviour. I solved this (suggestion
seen on this list) by adding a ';sleep 5' to the end of the add user
script, which assumes your replication occurs in under 5 seconds.

We haven't tested this on our real network again (where our BDC is an
hour's drive away).

>
> Additionally, some notes on the topic to help others...after connecting, I
> started to recieve these windows messages at logon:
>
> Cannot locate server copy of your profile and am attempting to log you in
> with you local profile.....
>
> Cannot find the local profile and is logging in with temporary profile.
>
> cannot locate your roaming profile (read only) and is attempting to
log you
> on with your local profile.
>
>
> Some of this I found to be with the SID changing between the NT
network and
> the new SAMBA controlled network.  I needed to reassign the local
copies of
> the profiles security accounts, and that took care of that.
>

This is a known issue if you don't retain SIDs, which is only possible
with samba3.

> Additionally, since I am not using roaming profiles, I wanted to turn
those
> messages off.  Using gpedit.msc and changing the following keys solved all
> those messages boxes from appearing and it only using the local profile:

You could also likely make the user's profilepath an empty string in LDAP.

We use profiles, and replicate them using rsync (hoping users don't log
in on both sides before rsync's finish).

Regards,
Buchan

- --
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x202
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQE+yhI6rJK6UGDSBKcRAoEVAKCm8VzebVNrCtaB8e49BvPz1PfTfgCffis0
zGgm7OAlIG1q5RtNsS1McWc=
=3rqL
-----END PGP SIGNATURE-----

******************************************************************
Please click on http://www.cae.co.za/disclaimer.htm to read our
e-mail disclaimer.
******************************************************************

More information about the samba mailing list