[Samba] XP Joining Samba Domain

_Chris McKeever_ tech-mail at prupref.com
Tue May 20 22:43:31 GMT 2003


Good News/Bad News

Good News:
I was able to get the XP machine to join via the BDC..but I had to fart with
some smb.conf settings.  The main problem was this:

/etc/openldap/slapd.conf
updatedn "cn=replicate,dc=prupref,dc=com"
updateref "ldaps://ldap.prupref.com"

I had the two lines reversed (you may want to make note of that in your
how-to Buchan)...What clued me was running smbpasswd from the slave server
gave a failure.  Flipping them got smbpasswd to work from the remote server
and then onto figuring out the joining issue.

Bad News:
In the BDC server, I need to comment out domain master, otherwise I would
continually return 'specified domain does not exist' (any ideas??)..I don't
believe this then defaults to NO...any comment? The reason I feel this is
that then I get a lot of log.smbd entries saying that it is trying to become
the master but another already exists.

Also, if I shutdown the smb service on the master/PDC I get the same 'domain
does not exist message' (this may be attributed to the master/pdc being the
wins server as well?)


There are some comments below here as well ---->


> > Some more information from the afternoon trials (comments inline below):
> 
> > TRIAL 3:
> >
> > Master LDAP
> > domain logons = yes
> > domain master = yes
> >
> > Slave LDAP/BDC
> > domain master = no
> > domain logons = yes
> 
> Yes, this is as it should be.
> 

as stated I need to comment out domain master from the BDC smb.conf

> >
> > result: successful join of machine via the MASTER LDAP using the machine
> > account created in TRIAL 2...successful authentication via the BDC after
> > reboot
> >
> >
> >> >> _Chris McKeever_ wrote:
> >> >
> >> > Those logs are from when it tries to join the BDC when the machine
> >> account _already_ exists
> >> >
> >>
> >> Then we know what the problem is by elimination ...
> >>
> >
> >>
> >> Assuming you have samba-2.2.8 or later, it should show that it rebinds to
> >> the master (assuming your slave returns a referral on a write request). It
> >> will of course rebind with the dn in the BDC's smb.conf with the password
> >> you set on the BDC with smbpasswd -w
> >>
> >
> > I am using cn=root,dc=mylan,dc=net for both the rootdn and the ldap
> > admin dn for samba
> >
> > re-ran smbpasswd -w THEPASSWORDHERE on both machines
> >
> >
> >> So, your problem is either
> >> 1)You haven't setup referrals
> >
> > wouldn't this mean I couldn't create the machine account?  Which I am
> > able to do: updateref "ldaps://ldap.prupref.com"
> >
> >> 2)Your dn used in the smb.conf on the slave does not have
> >> write access to
> >> the machine account. Note, samba-2.2.x will want to write all the
> >> attributes for the account (not just the ones that change).
> >
> > it is ldap admin dn = cn=root,dc=prupref,dc=com..but then again, I can
> > get the machine account created when joining via the BDC..it just won't
> > finish the joining
> >
> >> 3)You didn't give samba on the BDC its LDAP password.
> >>
> >
> > smbpasswd -w THEPASSWORDHERE was run
> >
> >
> > Is there a way I can test the referrals and the samba password?
> >
> > is this a sign of a problem?
> >
> > BDC# smbpasswd -a cgmckeever
> > New SMB password:
> > Retype new SMB password:
> > ldap_connect_system: Binding to ldap server as "cn=root,dc=prupref,dc=com"
> > ldap_connect_system: Binding to ldap server as "cn=root,dc=prupref,dc=com"
> > failed to modify user with uid = cgmckeever with: No such object
> >
> > Password changed for user cgmckeever.
> > Failed to modify entry for user cgmckeever.
> > Failed to modify password entry for user cgmckeever
> 
> Either it's not binding to the ldap server, or getpwname (which you can
> test via 'getent passwd cgmckeever') is not working for this account,
> which may mean you haven't configured nss_ldap.
> 

BINGO!  but it was the flipped update statements in the slapd.conf

> >
> >
> > updateref "ldaps://ldap.prupref.com"
> > OR
> > updateref "ldap://ldap.prupref.com"
> 
> If you use ldaps, then you must be using the same hostname as is on the
> SSL cert the server uses ...
> 
> >
> > Searches definitely show a uid=cgmckeever and I can access samba shares
> > no problem from both machines
> >
> > BDC# ldapsearch -LL -H ldap://localhost -b"dc=prupref,dc=com" -x "(uid=cgmckeever)"
> > version: 1
> >
> > dn: uid=cgmckeever, ou=People, dc=prupref,dc=com
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: inetOrgPerson
> > objectClass: account
> > objectClass: posixaccount
> > objectClass: shadowaccount
> > objectClass: kerberosSecurityObject
> > objectClass: sambaAccount
> >
> >
> > BDC# ldapsearch -LL -H ldap://ldap.prupref.com -b"dc=prupref,dc=com" -x "(uid=cgmckeever)"
> > version: 1
> >
> > dn: uid=cgmckeever, ou=People, dc=prupref,dc=com
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: inetOrgPerson
> > objectClass: account
> > objectClass: posixaccount
> > objectClass: shadowaccount
> > objectClass: kerberosSecurityObject
> > objectClass: sambaAccount
> 
> 
> Is this the full entry? If so, you're missing a whole bunch of attributes
> that are required for a working account (or the dn you used can't see
> them). You must ensure 'getent passwd <username>' works on the BDC also
> ..... but it's weird if samba authenticated you.
> 


sorry, should have put cut marks there

> It may be best for you to mail me your smb.conf, smbldap_conf.pm and
> /etc/ldap.conf for the BDC ... and ensure ldap is in the passwd line of
> /etc/nsswitch.conf
> 

I think everything is good other than why I need to comment out the domain
master line in the smb.conf (redhat thing???)  If you think you want to look
through my config files, let me know, I will send them to you off-list.  But
now I just think it is figuring out why I need to comment out domain master
for it all to work


> Buchan
> 
> 
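As an added example (not from this thread or the Samba project), a small Python lint that catches the two misconfigurations discussed above: a slave slapd.conf whose updatedn and updateref values are swapped, and smb.conf files where more than one domain controller (or none) claims domain master. The sample configs are constructed; only the DN and hostname are taken from the thread.

```python
import re
# Constructed sample configs modelled on the thread; not the poster's real files.
SLAPD_SWAPPED = 'updatedn "ldaps://ldap.prupref.com"\nupdateref "cn=replicate,dc=prupref,dc=com"\n'
SLAPD_FIXED = 'updatedn "cn=replicate,dc=prupref,dc=com"\nupdateref "ldaps://ldap.prupref.com"\n'
SMB_PDC = "[global]\n domain logons = yes\n domain master = yes\n"
SMB_BDC_BAD = "[global]\n domain logons = yes\n domain master = yes\n"
SMB_BDC_OK = "[global]\n domain logons = yes\n domain master = no\n"

DN_RE = re.compile(r'^\w+=[^,]+(,\w+=[^,]+)*$')
URL_RE = re.compile(r'^ldaps?://[\w.-]+(:\d+)?/?$')

def parse_slapd(text):
    """Collect the slurpd replication directives from a slave's slapd.conf."""
    found = {}
    for line in text.splitlines():
        m = re.match(r'^\s*(updatedn|updateref)\s+"?([^"\s]+)"?', line)
        if m:
            found[m.group(1)] = m.group(2)
    return found

def lint_slave_slapd(text):
    """Flag a missing or swapped updatedn/updateref pair (the bug in the thread)."""
    d, problems = parse_slapd(text), []
    if not DN_RE.match(d.get('updatedn', '')):
        problems.append('updatedn must be the replica DN, got %r' % d.get('updatedn'))
    if not URL_RE.match(d.get('updateref', '')):
        problems.append('updateref must be the master LDAP URL, got %r' % d.get('updateref'))
    return problems

def smb_global(text):
    """Return the [global] parameters of an smb.conf as a lower-cased dict."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ';#':
            continue
        if line.startswith('['):
            in_global = line.lower() == '[global]'
        elif in_global and '=' in line:
            key, val = line.split('=', 1)
            params[key.strip().lower()] = val.strip().lower()
    return params

def lint_domain_roles(confs):
    """confs maps hostname -> smb.conf text; exactly one DC may claim domain master."""
    masters = sorted(h for h, t in confs.items() if smb_global(t).get('domain master') == 'yes')
    problems = ['expected one domain master, found: %s' % (masters or 'none')] if len(masters) != 1 else []
    for host, text in confs.items():
        if smb_global(text).get('domain logons') != 'yes':
            problems.append('%s: domain logons must be yes on every DC' % host)
    return problems
```

Run lint_slave_slapd on the BDC's slapd.conf and lint_domain_roles on the PDC and BDC smb.conf texts together; an empty list means the checked settings match what the thread settled on.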
