[Samba] XP Joining Samba Domain

bgmilne at cae.co.za bgmilne at cae.co.za
Tue May 20 21:59:00 GMT 2003


> Some more information from the afternoon trials (comments inline below):

> TRIAL 3:
>
> Master LDAP
> domain logons = yes
> domain master = yes
>
> Slave LDAP/BDC
> domain master = no
> domain logons = yes

Yes, this is as it should be.

>
> result: successful join of machine via the MASTER LDAP using the machine
> account created in TRIAL 2...successful authentication via the BDC after
> reboot
>
>
>> >> _Chris McKeever_ wrote:
>> >
>> > Those logs are from when it tries to join the BDC when the machine
>> > account _already_ exists
>> >
>>
>> Then we know what the problem is by elimination ...
>>
>
>>
>> Assuming you have samba-2.2.8 or later, it should show that it rebinds to
>> the master (assuming your slave returns a referral on a write request). It
>> will of course rebind with the dn in the BDC's smb.conf with the password
>> you set on the BDC with smbpasswd -w
>>
>
> I am using cn=root,dc=mylan,dc=net for both the rootdn and the ldap
> admin dn for samba
>
> re-ran smbpasswd -w THEPASSWORDHERE on both machines
>
>
>> So, your problem is either
>> 1) You haven't set up referrals
>
> wouldn't this mean I couldn't create the machine account?  Which I am
> able to do: updateref "ldaps://ldap.prupref.com"
>
>> 2) Your dn used in the smb.conf on the slave does not have write access to
>> the machine account. Note, samba-2.2.x will want to write all the
>> attributes for the account (not just the ones that change).
>
> it is ldap admin dn = cn=root,dc=prupref,dc=com..but then again, I can
> get the machine account created when joining via the BDC..it just won't
> finish the joining
>
>> 3) You didn't give samba on the BDC its LDAP password.
>>
>
> smbpasswd -w THEPASSWORDHERE was run
>
>
> Is there a way I can test the referrals and the samba password?
>
> is this a sign of a problem?
>
> BDC# smbpasswd -a cgmckeever
> New SMB password:
> Retype new SMB password:
> ldap_connect_system: Binding to ldap server as "cn=root,dc=prupref,dc=com"
> ldap_connect_system: Binding to ldap server as "cn=root,dc=prupref,dc=com"
> failed to modify user with uid = cgmckeever with: No such object
>
> Password changed for user cgmckeever.
> Failed to modify entry for user cgmckeever.
> Failed to modify password entry for user cgmckeever

Either it's not binding to the ldap server, or getpwname (which you can
test via 'getent passwd cgmckeever') is not working for this account,
which may mean you haven't configured nss_ldap.

>
>
> updateref "ldaps://ldap.prupref.com"
> OR
> updateref "ldap://ldap.prupref.com"

If you use ldaps, then you must be using the same hostname as is on the
SSL cert the server uses ...

>
> Searches definitely show a uid=cgmckeever and I can access samba shares
> no problem from both machines
>
> BDC# ldapsearch -LL -H ldap://localhost -b"dc=prupref,dc=com" -x "(uid=cgmckeever)"
> version: 1
>
> dn: uid=cgmckeever, ou=People, dc=prupref,dc=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: account
> objectClass: posixaccount
> objectClass: shadowaccount
> objectClass: kerberosSecurityObject
> objectClass: sambaAccount
>
>
> BDC# ldapsearch -LL -H ldap://ldap.prupref.com -b"dc=prupref,dc=com" -x "(uid=cgmckeever)"
> version: 1
>
> dn: uid=cgmckeever, ou=People, dc=prupref,dc=com
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: account
> objectClass: posixaccount
> objectClass: shadowaccount
> objectClass: kerberosSecurityObject
> objectClass: sambaAccount


Is this the full entry? If so, you're missing a whole bunch of attributes
that are required for a working account (or the dn you used can't see
them). You must ensure 'getent passwd <username>' works on the BDC also
..... but it's weird if samba authenticated you.

It may be best for you to mail me your smb.conf, smbldap_conf.pm and
/etc/ldap.conf for the BDC ... and ensure ldap is in the passwd line of
/etc/nsswitch.conf

Buchan
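
The local checks named in the reply above (ldap in the passwd line of /etc/nsswitch.conf, `getent passwd` resolving the user on the BDC, and the hostname caveat when updateref uses ldaps), collected into an added shell example that is not part of the original message. The function names are hypothetical and the default slapd.conf path is an assumption; pass the real paths for your install.

```shell
#!/bin/sh
# Added example: checks for the BDC-side settings named in the reply above.

# Succeeds if the passwd line of an nsswitch.conf-style file lists "ldap".
nss_passwd_has_ldap() {
    awk '{ sub(/#.*/, "") }
         $1 == "passwd:" { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
         END { exit(found ? 0 : 1) }' "$1"
}

# Prints "scheme host" for the first updateref URL in a slapd.conf-style file.
updateref_target() {
    awk '$1 == "updateref" {
             url = $2; gsub(/"/, "", url)
             n = index(url, "://"); if (n == 0) next
             host = substr(url, n + 3); sub("[:/].*", "", host)
             print substr(url, 1, n - 1), host; exit
         }' "$1"
}

# One line per finding; non-zero return if any check fails.
# usage: bdc_check USER [NSSWITCH_FILE] [SLAPD_CONF]  (default paths are assumptions)
bdc_check() {
    user=$1 nss=${2:-/etc/nsswitch.conf} slapd=${3:-/etc/openldap/slapd.conf} rc=0
    if nss_passwd_has_ldap "$nss"; then echo "OK   $nss: passwd line lists ldap"
    else echo "FAIL $nss: passwd line has no ldap source"; rc=1; fi
    if getent passwd "$user" >/dev/null 2>&1; then echo "OK   getent passwd $user resolves"
    else echo "FAIL getent passwd $user returns nothing"; rc=1; fi
    target=$(updateref_target "$slapd" 2>/dev/null) || target=""
    case $target in
        "")       echo "FAIL $slapd: no updateref line found"; rc=1 ;;
        ldaps\ *) echo "NOTE updateref uses ldaps: '${target#* }' must match the name on the master's SSL cert" ;;
        *)        echo "OK   updateref points at ${target#* } over ${target%% *}" ;;
    esac
    return $rc
}
```

Run it on the BDC as `bdc_check cgmckeever`, adding the nsswitch.conf and slapd.conf paths as the second and third arguments when they differ from the defaults.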




