[Samba] XP Joining Samba Domain

_Chris McKeever_ tech-mail at prupref.com
Tue May 20 15:19:44 GMT 2003


Here is my log file when I try to join a new computer (XP), as well as the
LDAP entry for it.
I have tried with the account pre-existing and with the account not
existing, and I get the same error.

Please note that authenticating with an already joined machine works fine,
and that the other machine is called marketing-x, so I know that the hyphen
is not the issue.

Can anyone help me with this? I am going in circles.

-----------------------------
ldap_connect_system: Binding to ldap server as "cn=ldap,dc=prupref,dc=com"
[2003/05/20 09:44:13, 2] passdb/pdb_ldap.c:ldap_connect_system(331)
  ldap_connect_system: succesful connection to the LDAP server
[2003/05/20 09:44:13, 2] passdb/pdb_ldap.c:ldap_search_one_user(343)
  ldap_search_one_user: searching for:[(&(uid=marketing-y$)(objectclass=sambaAccount))]
[2003/05/20 09:44:13, 2] passdb/pdb_ldap.c:init_ldap_from_sam(756)
  Setting entry for user: marketing-y$
[2003/05/20 09:44:13, 0] passdb/pdb_ldap.c:pdb_update_sam_account(1104)
  failed to modify user with uid = marketing-y$ with: No such object
  	
[2003/05/20 09:44:13, 5] rpc_parse/parse_prs.c:prs_debug(60)
  000000 samr_io_r_set_userinfo 
[2003/05/20 09:44:13, 5] rpc_parse/parse_prs.c:prs_ntstatus(617)
      0000 status: NT_STATUS_ACCESS_DENIED
--------------------------
[2003/05/20 10:03:03, 5] libsmb/credentials.c:cred_assert(124)
  	challenge : 0A9EBAA624DECD5A
[2003/05/20 10:03:03, 5] libsmb/credentials.c:cred_assert(125)
  	calculated: 0000000000000000
[2003/05/20 10:03:03, 5] libsmb/credentials.c:cred_assert(134)
  credentials check wrong
[2003/05/20 10:03:03, 5] rpc_parse/parse_prs.c:prs_debug(60)
  000000 net_io_r_auth 
[2003/05/20 10:03:03, 6] rpc_parse/parse_prs.c:prs_debug(60)
      000000 smb_io_chal 
[2003/05/20 10:03:03, 5] rpc_parse/parse_prs.c:prs_uint8s(675)
          0000 data: 27 81 12 42 f0 33 21 08 
[2003/05/20 10:03:03, 5] rpc_parse/parse_prs.c:prs_ntstatus(617)
      0008 status: NT_STATUS_ACCESS_DENIED
[2003/05/20 10:03:03, 5] rpc_server/srv_pipe.c:api_rpcTNP(1235)
  api_rpcTNP: called api_netlog_rpc successfully
[2003/05/20 10:03:03, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(444)
  free_pipe_context: destroying talloc pool of size 80
[2003/05/20 10:03:03, 10] rpc_server/srv_pipe_hnd.c:write_to_pipe(766)
  write_to_pipe: data_used = 140
----------------------------
dn: uid=marketing-y$,ou=Computers,dc=prupref,dc=com
objectClass: top
objectClass: posixAccount
objectClass: sambaAccount
uidNumber: 501
gidNumber: 1010
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
uid: marketing-y$
pwdLastSet: 1053442890
logonTime: 0
logoffTime: 2147483647
kickoffTime: 2147483647
pwdCanChange: 0
pwdMustChange: 2147483647
displayName: marketing-y$
cn: marketing-y$
rid: 2002
primaryGroupID: 3021
acctFlags: [W          ]



> -----Original Message-----
> From: Buchan Milne [mailto:bgmilne at cae.co.za]
> Sent: Tuesday, May 20, 2003 6:32 AM
> To: samba at lists.samba.org
> Cc: _Chris McKeever_
> Subject: Re: [Samba] XP Joining Samba Domain
> 
> 
> _Chris McKeever_ wrote:
> > I have successfully joined the XP machine to the domain.  The strange part
> > is, that it only wanted to be joined if it connected to the PDC and not the
> > BDC.
> >
> > The way it is set-up is that the XP machine and a BDC is in one branch and
> > the PDC is in another.  Every time I would try to connect via the BDC, it
> > would return a value ACCESS DENIED
> >
> > I stopped the smb service on the BDC, and got it to connect via the PDC.  I
> > then got it to log into the domain using the BDC for authentication..I made
> > sure of this by looking at the recent log.machine-name files for the BDC and
> > PDC and it only showed up in the BDC.
> >
> > So I am wondering if this is expected behavior?? That it can only join via
> > the PDC?
> >
> 
> No, my test network worked joining via the BDC (I stopped smbd on the
> PDC to be sure).
> 
> The issue is that samba does the following:
> 
> 1)Check for machine account
> 2)If no machine account, run 'add user script'
> 3)Check for machine account, if it exists, join, if not return 'access
> denied'.
> 
> If your LDAP server does not replicate the machine account to the
> slave/BDC in the time between samba running 'add user script' and
> checking again, you will see this behaviour. I solved this (suggestion
> seen on this list) by adding a ';sleep 5' to the end of the add user
> script, which assumes your replication occurs in under 5 seconds.
> 
> We haven't tested this on our real network again (where our BDC is an
> hour's drive away).
> 
> >
> > Additionally, some notes on the topic to help others...after connecting, I
> > started to receive these windows messages at logon:
> >
> > Cannot locate server copy of your profile and am attempting to log you in
> > with you local profile.....
> >
> > Cannot find the local profile and is logging in with temporary profile.
> >
> > cannot locate your roaming profile (read only) and is attempting to log you
> > on with your local profile.
> >
> >
> > Some of this I found to be with the SID changing between the NT network and
> > the new SAMBA controlled network.  I needed to reassign the local copies of
> > the profiles security accounts, and that took care of that.
> >
> 
> This is a known issue if you don't retain SIDs, which is only possible
> with samba3.
> 
> > Additionally, since I am not using roaming profiles, I wanted to turn those
> > messages off.  Using gpedit.msc and changing the following keys solved all
> > those messages boxes from appearing and it only using the local profile:
> 
> You could also likely make the user's profilepath an empty string in LDAP.
> 
> We use profiles, and replicate them using rsync (hoping users don't log
> in on both sides before rsync's finish).
> 
> Regards,
> Buchan
> 
> --
> |--------------Another happy Mandrake Club member--------------|
> Buchan Milne                Mechanical Engineer, Network Manager
> Cellphone * Work            +27 82 472 2231 * +27 21 8828820x202
> Stellenbosch Automotive Engineering         http://www.cae.co.za
> GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
> 1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
> 
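
The quoted reply works around the replication delay with a fixed ';sleep 5' at the end of the add user script. The sketch below is an added example, not code from either poster or from Samba: it polls the LDAP server the BDC reads from until the new machine account is visible, and gives up after a timeout. REPLICA_URI, the timeout defaults and anonymous read access are assumptions; the base DN is taken from the LDIF in the post.

```shell
#!/bin/sh
# Added example: wait for a new machine account to replicate instead of
# sleeping a fixed time. REPLICA_URI and the defaults are assumed values.

REPLICA_URI="${REPLICA_URI:-ldap://localhost}"        # assumption: replica the BDC queries
BASE_DN="${BASE_DN:-ou=Computers,dc=prupref,dc=com}"  # base DN from the LDIF in the post

# Exit 0 if an entry with uid=$1 is visible on the replica.
# Assumes an anonymous simple bind may read the entry; "1.1" asks for the DN only.
lookup_account() {
    out=$(ldapsearch -x -LLL -H "$REPLICA_URI" -b "$BASE_DN" "(uid=$1)" 1.1 2>/dev/null) || return 1
    [ -n "$out" ]
}

# wait_for_account NAME [TIMEOUT_SECONDS] [INTERVAL_SECONDS]
# Returns 0 once the account is visible, 1 on timeout, 2 on a rejected name.
wait_for_account() {
    name=$1
    timeout=${2:-30}
    interval=${3:-1}
    waited=0
    # Accept only characters expected in a machine account name (which ends
    # in "$"), so the name cannot change the meaning of the LDAP filter.
    case $name in
        ''|*[!A-Za-z0-9._\$-]*) return 2 ;;
    esac
    while :; do
        if lookup_account "$name"; then
            return 0
        fi
        [ "$waited" -ge "$timeout" ] && return 1
        sleep "$interval"
        waited=$((waited + interval))
    done
}
```

Calling wait_for_account with the machine name as the last step of the add user script returns as soon as the entry has replicated, and its non-zero exit status shows in the script's result when replication took longer than the timeout.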


