[Samba] XP Joining Samba Domain
_Chris McKeever_
tech-mail at prupref.com
Tue May 20 15:19:44 GMT 2003
Here is my log file when I try to join a new computer (XP) as well as the
ldap entry for it
I have tried with the account pre-existing and with the account not
existing, and I get the same error.
Please Note: that authenticating with an already joined machine works fine.
and that the other machine is called marketing-x so I know that the hyphen
is not the issue.
Can anyone help me with this, I am going in circles.
-----------------------------
ldap_connect_system: Binding to ldap server as "cn=ldap,dc=prupref,dc=com"
[2003/05/20 09:44:13, 2] passdb/pdb_ldap.c:ldap_connect_system(331)
ldap_connect_system: succesful connection to the LDAP server
[2003/05/20 09:44:13, 2] passdb/pdb_ldap.c:ldap_search_one_user(343)
ldap_search_one_user: searching
for:[(&(uid=marketing-y$)(objectclass=sambaAccount))]
[2003/05/20 09:44:13, 2] passdb/pdb_ldap.c:init_ldap_from_sam(756)
Setting entry for user: marketing-y$
[2003/05/20 09:44:13, 0] passdb/pdb_ldap.c:pdb_update_sam_account(1104)
failed to modify user with uid = marketing-y$ with: No such object
[2003/05/20 09:44:13, 5] rpc_parse/parse_prs.c:prs_debug(60)
000000 samr_io_r_set_userinfo
[2003/05/20 09:44:13, 5] rpc_parse/parse_prs.c:prs_ntstatus(617)
0000 status: NT_STATUS_ACCESS_DENIED
--------------------------
[2003/05/20 10:03:03, 5] libsmb/credentials.c:cred_assert(124)
challenge : 0A9EBAA624DECD5A
[2003/05/20 10:03:03, 5] libsmb/credentials.c:cred_assert(125)
calculated: 0000000000000000
[2003/05/20 10:03:03, 5] libsmb/credentials.c:cred_assert(134)
credentials check wrong
[2003/05/20 10:03:03, 5] rpc_parse/parse_prs.c:prs_debug(60)
000000 net_io_r_auth
[2003/05/20 10:03:03, 6] rpc_parse/parse_prs.c:prs_debug(60)
000000 smb_io_chal
[2003/05/20 10:03:03, 5] rpc_parse/parse_prs.c:prs_uint8s(675)
0000 data: 27 81 12 42 f0 33 21 08
[2003/05/20 10:03:03, 5] rpc_parse/parse_prs.c:prs_ntstatus(617)
0008 status: NT_STATUS_ACCESS_DENIED
[2003/05/20 10:03:03, 5] rpc_server/srv_pipe.c:api_rpcTNP(1235)
api_rpcTNP: called api_netlog_rpc successfully
[2003/05/20 10:03:03, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(444)
free_pipe_context: destroying talloc pool of size 80
[2003/05/20 10:03:03, 10] rpc_server/srv_pipe_hnd.c:write_to_pipe(766)
write_to_pipe: data_used = 140
----------------------------
dn: uid=marketing-y$,ou=Computers,dc=prupref,dc=com
objectClass: top
objectClass: posixAccount
objectClass: sambaAccount
uidNumber: 501
gidNumber: 1010
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
uid: marketing-y$
pwdLastSet: 1053442890
logonTime: 0
logoffTime: 2147483647
kickoffTime: 2147483647
pwdCanChange: 0
pwdMustChange: 2147483647
displayName: marketing-y$
cn: marketing-y$
rid: 2002
primaryGroupID: 3021
acctFlags: [W ]
> -----Original Message-----
> From: Buchan Milne [mailto:bgmilne at cae.co.za]
> Sent: Tuesday, May 20, 2003 6:32 AM
> To: samba at lists.samba.org
> Cc: _Chris McKeever_
> Subject: Re: [Samba] XP Joining Samba Domain
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> _Chris McKeever_ wrote:
> > I have successfully joined the XP machine to the domain.
> The strange part
> > is, that it only wanted to be joined if it connected to the PDC and
> not the
> > BDC.
> >
> > The way it is set-up is that the XP machine and a BDC is in
> one branch and
> > the PDC is in another. Every time I would try to connect
> via the BDC, it
> > would return a value ACCESS DENIED
> >
> > I stopped the smb service on the BDC, and got it to connect via the
> PDC. I
> > then got it to log into the domain using the BDC for
> authentication..I
> made
> > sure of this by looking at the recent log.machine-name files for the
> BDC and
> > PDC and it only showed up in the BDC.
> >
> > So I am wondering if this is expected behavior?? That it
> can only join via
> > the PDC?
> >
>
> No, my test network worked joining via the BDC (I stopped smbd on the
> PDC to be sure).
>
> The issue is that samba does the following:
>
> 1)Check for machine account
> 2)If no machine account, run 'add user script'
> 3)Check for machine account, if it exists, join, if not return 'access
> denied'.
>
> If your LDAP server does not replicate the machine account to the
> slave/BDC in the time between samba running 'add user script' and
> checking again, you will see this behaviour. I solved this (suggestion
> seen on this list) by adding a ';sleep 5' to the end of the add user
> script, which assumes your replication occurs in under 5 seconds.
>
> We haven't tested this on our real network again (where our BDC is an
> hour's drive away).
>
> >
> > Additionally, some notes on the topic to help
> others...after connecting, I
> > started to recieve these windows messages at logon:
> >
> > Cannot locate server copy of your profile and am attempting
> to log you in
> > with you local profile.....
> >
> > Cannot find the local profile and is logging in with
> temporary profile.
> >
> > cannot locate your roaming profile (read only) and is attempting to
> log you
> > on with your local profile.
> >
> >
> > Some of this I found to be with the SID changing between the NT
> network and
> > the new SAMBA controlled network. I needed to reassign the local
> copies of
> > the profiles security accounts, and that took care of that.
> >
>
> This is a known issue if you don't retain SIDs, which is only possible
> with samba3.
>
> > Additionally, since I am not using roaming profiles, I
> wanted to turn
> those
> > messages off. Using gpedit.msc and changing the following
> keys solved all
> > those messages boxes from appearing and it only using the
> local profile:
>
> You could also likely make the user's profilepath an empty
> string in LDAP.
>
> We use profiles, and replicate them using rsync (hoping users
> don't log
> in on both sides before rsync's finish).
>
> Regards,
> Buchan
>
> - --
> |--------------Another happy Mandrake Club member--------------|
> Buchan Milne Mechanical Engineer, Network Manager
> Cellphone * Work +27 82 472 2231 * +27 21 8828820x202
> Stellenbosch Automotive Engineering http://www.cae.co.za
> GPG Key http://ranger.dnsalias.com/bgmilne.asc
> 1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQE+yhI6rJK6UGDSBKcRAoEVAKCm8VzebVNrCtaB8e49BvPz1PfTfgCffis0
> zGgm7OAlIG1q5RtNsS1McWc=
> =3rqL
> -----END PGP SIGNATURE-----
>
> ******************************************************************
> Please click on http://www.cae.co.za/disclaimer.htm to read our
> e-mail disclaimer.
> ******************************************************************
>
More information about the samba
mailing list