[Samba] XP Joining Samba Domain

_Chris McKeever_ tech-mail at prupref.com
Thu May 22 21:55:09 GMT 2003


Buchan (or other knowledgeable list subscribers)...was wondering if you had
any time to ponder my issue here?

Thanks

> 
> Good News/Bad News
> 
> Good News:
> I was able to get the XP machine to join via the BDC..but I had to fart with
> some smb.conf settings.  The main problem was this:
> 
> /etc/openldap/slapd.conf
> updatedn "cn=replicate,dc=prupref,dc=com"
> updateref "ldaps://ldap.prupref.com"
> 
> I had the two lines reversed (you may want to make note of that in your
> how-to Buchan)...What clued me was running smbpasswd from the slave server
> gave a failure.  Flipping them got smbpasswd to work from the remote server
> and then onto figuring out the joining issue.
> 
> Bad News:
> In the BDC server, I need to comment out domain master, otherwise I would
> continually return 'specified domain does not exist' (any ideas??)..I don't
> believe this then defaults to NO...any comment? The reason I feel this is
> that then I get a lot of log.smbd entries saying that it is trying to become
> the master but another already exists.
> 
> Also, if I shut down the smb service on the master/PDC I get the same 'domain
> does not exist' message (this may be attributed to the master/pdc being the
> wins server as well?)
> 
> 
> There are some comments below here as well ---->
> 
>  
> > > Some more information from the afternoon trials (comments inline below):
> > 
> > > TRIAL 3:
> > >
> > > Master LDAP
> > > domain logons = yes
> > > domain master = yes
> > >
> > > Slave LDAP/BDC
> > > domain master = no
> > > domain logons = yes
> > 
> > Yes, this is as it should be.
> > 
> 
> as stated I need to comment out domain master from the BDC smb.conf
> 
> > >
> > > result: successful join of machine via the MASTER LDAP using the machine
> > > account created in TRIAL 2...successful authentication via the BDC after
> > > reboot
> > >
> > >
> > >> >> _Chris McKeever_ wrote:
> > >> >
> > >> > Those logs are from when it tries to join the BDC when the machine
> > >> > account _already_ exists
> > >> >
> > >>
> > >> Then we know what the problem is by elimination ...
> > >>
> > >
> > >>
> > >> Assuming you have samba-2.2.8 or later, it should show that it rebinds to
> > >> the master (assuming your slave returns a referral on a write request). It
> > >> will of course rebind with the dn in the BDC's smb.conf with the password
> > >> you set on the BDC with smbpasswd -w
> > >>
> > >
> > > I am using cn=root,dc=mylan,dc=net for both the rootdn and the ldap
> > > admin dn for samba
> > >
> > > re-ran smbpasswd -w THEPASSWORDHERE on both machines
> > >
> > >
> > >> So, your problem is either
> > >> 1)You haven't setup referrals
> > >
> > > wouldn't this mean I couldn't create the machine account?  Which I am
> > > able to do: updateref "ldaps://ldap.prupref.com"
> > >
> > >> 2)Your dn used in the smb.conf on the slave does not have write access to
> > >> the machine account. Note, samba-2.2.x will want to write all the
> > >> attributes for the account (not just the ones that change).
> > >
> > > it is ldap admin dn = cn=root,dc=prupref,dc=com..but then again, I can
> > > get the machine account created when joining via the BDC..it just won't
> > > finish the joining
> > >
> > >> 3)You didn't give samba on the BDC its LDAP password.
> > >>
> > >
> > > smbpasswd -w THEPASSWORDHERE was run
> > >
> > >
> > > Is there a way I can test the referrals and the samba password?
> > >
> > > is this a sign of a problem?
> > >
> > > BDC# smbpasswd -a cgmckeever
> > > New SMB password:
> > > Retype new SMB password:
> > > ldap_connect_system: Binding to ldap server as "cn=root,dc=prupref,dc=com"
> > > ldap_connect_system: Binding to ldap server as "cn=root,dc=prupref,dc=com"
> > > failed to modify user with uid = cgmckeever with: No such object
> > >
> > > Password changed for user cgmckeever.
> > > Failed to modify entry for user cgmckeever.
> > > Failed to modify password entry for user cgmckeever
> > 
> > Either it's not binding to the ldap server, or getpwnam (which you can
> > test via 'getent passwd cgmckeever') is not working for this account,
> > which may mean you haven't configured nss_ldap.
> > 
> 
> BINGO!  but it was the flipped update statements in the slapd.conf
> 
> > >
> > >
> > > updateref "ldaps://ldap.prupref.com"
> > > OR
> > > updateref "ldap://ldap.prupref.com"
> > 
> > If you use ldaps, then you must be using the same hostname as is on the
> > SSL cert the server uses ...
> > 
> > >
> > > Searches definitely show a uid=cgmckeever and I can access samba shares
> > > no problem from both machines
> > >
> > > BDC# ldapsearch -LL -H ldap://localhost -b"dc=prupref,dc=com" -x
> > > "(uid=cgmckeever)"
> > > version: 1
> > >
> > > dn: uid=cgmckeever, ou=People, dc=prupref,dc=com
> > > objectClass: top
> > > objectClass: person
> > > objectClass: organizationalPerson
> > > objectClass: inetOrgPerson
> > > objectClass: account
> > > objectClass: posixaccount
> > > objectClass: shadowaccount
> > > objectClass: kerberosSecurityObject
> > > objectClass: sambaAccount
> > >
> > >
> > > BDC# ldapsearch -LL -H ldap://ldap.prupref.com -b"dc=prupref,dc=com" -x
> > > "(uid=cgmckeever)"
> > > version: 1
> > >
> > > dn: uid=cgmckeever, ou=People, dc=prupref,dc=com
> > > objectClass: top
> > > objectClass: person
> > > objectClass: organizationalPerson
> > > objectClass: inetOrgPerson
> > > objectClass: account
> > > objectClass: posixaccount
> > > objectClass: shadowaccount
> > > objectClass: kerberosSecurityObject
> > > objectClass: sambaAccount
> > 
> > 
> > Is this the full entry? If so, you're missing a whole bunch of attributes
> > that are required for a working account (or the dn you used can't see
> > them). You must ensure 'getent passwd <username>' works on the BDC also
> > ..... but it's weird if samba authenticated you.
> > 
> 
> 
> sorry, should have put cut marks there
> 
> > It may be best for you to mail me your smb.conf, smbldap_conf.pm and
> > /etc/ldap.conf for the BDC ... and ensure ldap is in the passwd line of
> > /etc/nsswitch.conf
> > 
> 
> I think everything is good other than why I need to comment out the domain
> master line in the smb.conf (redhat thing???)  If you think you want to look
> through my config files, let me know, I will send them to you off-list.  But
> now I just think it is figuring out why I need to comment out domain master
> for it all to work
> 
> 
> > Buchan
> > 
> > 

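Two of the checks Buchan asks for in the thread, written out as an added shell example (not code from the thread or from Samba): whether ldap is on the passwd line of nsswitch.conf, and whether an LDAP entry carries the posixAccount attributes nss_ldap needs before 'getent passwd <user>' can work. It assumes the RFC 2307 posixAccount MUST list; the LDIF entry and nsswitch.conf it runs against are constructed, modelled on the output quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread: two offline checks for the
# nss_ldap problems raised above. Sample inputs below are constructed.

# RFC 2307 posixAccount MUST attributes; without them nss_ldap cannot
# build a passwd entry, so 'getent passwd <user>' returns nothing.
POSIX_MUST="uid cn uidNumber gidNumber homeDirectory"

# Read one LDIF entry on stdin; print the MUST attributes it lacks on a
# single space-separated line and return 1 if any are missing.
missing_posix_attrs() {
    ldif=$(cat)
    missing=""
    for attr in $POSIX_MUST; do
        # LDAP attribute names are case-insensitive; match "name:" at line start
        printf '%s\n' "$ldif" | grep -qi "^$attr:" || missing="$missing $attr"
    done
    echo "${missing#?}"
    [ -z "$missing" ]
}

# Return 0 if the passwd line of the nsswitch.conf given as $1 lists ldap.
nsswitch_passwd_has_ldap() {
    grep -E '^[[:space:]]*passwd:' "$1" |
        grep -Eq '(^|[[:space:]:])ldap([[:space:]]|$)'
}

# Constructed entry modelled on the one quoted in the thread: objectClasses
# present, but the posix attributes getent needs are not.
SAMPLE_LDIF='dn: uid=cgmckeever, ou=People, dc=prupref,dc=com
objectClass: top
objectClass: posixAccount
objectClass: sambaAccount
uid: cgmckeever
cn: Chris McKeever'

# Constructed nsswitch.conf with ldap missing from the passwd line.
SAMPLE_NSSWITCH=$(mktemp)
trap 'rm -f "$SAMPLE_NSSWITCH"' EXIT
printf 'passwd: files\ngroup:  files ldap\n' > "$SAMPLE_NSSWITCH"

# Run both checks against the constructed inputs.
echo "missing posixAccount attributes: $(printf '%s\n' "$SAMPLE_LDIF" | missing_posix_attrs)"
nsswitch_passwd_has_ldap "$SAMPLE_NSSWITCH" ||
    echo "ldap is not on the passwd line of $SAMPLE_NSSWITCH"
```

On a real BDC, feed it `ldapsearch -LL ... "(uid=<user>)"` output and /etc/nsswitch.conf instead of the constructed samples.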