[Samba] Join Machine to Domain

Kent L. Nasveschuk kent at wareham.k12.ma.us
Fri Nov 14 16:44:16 GMT 2003


I appreciate your help on this. I still am having problems. Attached are
some of the pertinent configuration files.

I can log in with any account, so the connection and password to access
the LDAP server work; I just can't join the domain. I get the error
message "bad passwd or unknown user". I added the username map, but
root = administrator still doesn't work.

# Administrator, Users, tow.net
dn: uid=Administrator,ou=Users,dc=tow,dc=net
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson
objectClass: sambaSAMAccount
objectClass: posixAccount
gidNumber: 0
uid: Administrator
uidNumber: 0
homeDirectory: /accounts/Administrator
sambaPwdLastSet: 1068814077
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 1068814077
sambaPwdMustChange: 2147483647
sambaHomePath: \\whs1\Administrator
sambaHomeDrive: H:
sambaProfilePath: \\whs1\profiles\
sambaLMPassword: E3B4E05BE6A182C9E13B8E8F6853DCAC
sambaNTPassword: F4858C7E53BB628AE91E00E9DB6CD467
sambaAcctFlags: [U          ]
sambaSID: S-1-5-21-1129281578-1295143107-3311307472-1000
loginShell: /bin/bash
gecos: Netbios Domain Administrator
sambaPrimaryGroupSID: S-1-5-21-1129281578-1295143107-3311307472-1001
userPassword:: e1NNRDV9ZGpiNFo3ODQ3VFlKYWJYZEM5ZGRtSkFpMklzPQ==
 


smb.conf:


[global]
        workgroup = WarehamPS
        encrypt passwords = Yes
        time server = Yes
        socket options = TCP_NODELAY
        security = user
        logon script = netlogon.bat
        writable = Yes
        dns proxy = no
        directory mask = 02770
        preferred master = yes
        netbios name = WHS1
        server string = RedHat 8.0 LDAP Server
        passdb backend = ldapsam
        ldap passwd sync = Yes
        passwd program = /usr/local/samba/bin/smbpasswd %u
        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
        log file = /var/log/samba.%m
        debug level = 2
        max log size = 50
        add user script = /usr/local/sbin/smbldap-useradd.pl %u
#        delete user script = /usr/local/sbin/smbldap-useradd.pl
#        add group script = /usr/local/sbin/smbldap-groupadd.pl
        delete group script = /usr/local/sbin/smbldap-groupdel.pl
        add machine script = /usr/local/samba/bin/smbpasswd -a -m %u
#        add machine script = /usr/sbin/useradd -d /dev/null -g 502 -s /bin/false -M %u
        logon script = netlogon.bat
        logon path = \\%N\profiles\%g
        logon drive = H:
        logon home = \\%L\%U
        domain logons = Yes
        os level = 64
        domain master = Yes
        dns proxy = No
        admin users = @domain_admins
#       wins support = Yes
        ldap suffix = dc=tow,dc=net
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=Users
        ldap group suffix = ou=Groups
        ldap admin dn = cn=admin,dc=tow,dc=net
        ldap ssl = no
        username map = /usr/local/samba/private/smbusers
[homes]
        comment = Home Directories
        read only = no
        browseable = no
        writable = yes
        path = %H
#       valid users = %S
        hide files = /.*/
                                                                                
[profiles]
        path = /accounts/profiles
        read only = no
        create mask = 0600
        directory mask = 0700
                                                                                
[netlogon]
        comment = Netlogon share
        path = /usr/local/samba/netlogon
        locking = no
        browseable = no
        read only = yes
        write list = @domain_admins
                                                                                
[staff]
        comment = Staff common
        path = /accounts/staff
        read list = @staff @techstaff
        write list = @staff @techstaff
                                                                                
[programs]
        comment = Programs
        path = /accounts/programs
                                                                                
[adm-pgms$]
        comment = Admin Programs
        path = /accounts/adm_pgms
        read list = @techstaff
        write list = @techstaff
                                                                                
[images$]
        comment = Ghost image files
        path = /accounts/images
        write list = kent
        read list = @techstaff
                                                                                
[printers]
        comment = All Printers
        path = /var/spool/samba
        read only = Yes
        printable = Yes
        browseable = No

slapd.conf

# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.4 2000/08/26 17:06:18 kurt Exp $
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/samba.schema
database        ldbm
suffix          "dc=tow,dc=net"
rootdn          "cn=admin,dc=tow,dc=net"
#rootpw         {SSHA}WhTBLrgNGnKeZYgS0bT6TfIL2jKBbOnr
#password-hash  {crypt}
directory       /usr/local/var/openldap-data/wareham
schemacheck     on
lastmod         on
# Indices to maintain
#index  objectClass                             eq
index   objectClass,uid,uidNumber,gidNumber     eq
#index  cn,mail,surname,givenname               eq,subinitial
index   cn,sn,st                                pres,eq,sub
#access to dn=".*dc=tow,dc=net
#       by self write
#       by * read
#access to attrs=userPassword,sambaNTPassword,sambaLMPassword
#       by self write
#       by anonymous auth
#       by * none
#access to *
#       by * read


output of net groupmap list:


[root at whs1 root]# net groupmap list
domain_users (S-1-5-21-1129281578-1295143107-3311307472-513) -> dusers
domain_guests (S-1-5-21-1129281578-1295143107-3311307472-514) -> nobody
domain_admins (S-1-5-21-1129281578-1295143107-3311307472-512) -> root
administrators (S-1-5-32-544) -> 544
users (S-1-5-21-1129281578-1295143107-3311307472-545) -> users
guests (S-1-5-21-1129281578-1295143107-3311307472-546) -> 546
power_users (S-1-5-21-1129281578-1295143107-3311307472-547) -> 547
account_operators (S-1-5-32-548) -> 548
server_operators (S-1-5-32-549) -> sys
print_operators (S-1-5-32-550) -> lp
backup_operators (S-1-5-32-551) -> bin
replicator (S-1-5-21-1129281578-1295143107-3311307472-552) -> daemon
computers (S-1-5-21-1129281578-1295143107-3311307472-515) -> dcomputers
Enterprise Admins (S-1-5-21-1129281578-1295143107-3311307472-519) -> 519
students (S-1-5-21-1129281578-1295143107-3311307472-2011) -> students
staff (S-1-5-21-1129281578-1295143107-3311307472-2007) -> staff
techstaff (S-1-5-21-1129281578-1295143107-3311307472-2009) -> techstaff
[root at whs1 root]#



On Fri, 2003-11-14 at 11:18, manuel.piessnegger at straumann.com wrote:
> 
> 
> Hello,
> 
> first the ldap admin dn should be the same as the rootdn for the OpenLDAP
> server but must not be root.
> 
> Important for joining machines into a domain is that you have already
> created a user in ldap for root (uid=0), that means posix and samba.
> After that you have to join in the machine with user root and the samba
> password (not the posix password).
> 
> This works when your samba server runs over the root account (root starts
> my samba daemon). If your samba server runs over a different user I think
> you have to choose this other samba admin account.
> 
> Regards
> 
> Manuel
> 
> 
> 
> From: "Kent L. Nasveschuk" <kent at wareham.k12.ma.us>
> To: manuel.piessnegger at straumann.com
> Date: 13.11.2003 19:07
> Subject: Re: [Samba] Join Machine to Domain
> 
> I read your post today and was wondering if you were able to get your
> W2K machines to join your domain?
> 
> I'm having the same problem. I can't get the machines to join the domain. I
> keep getting "login failure: unknown username or bad password". My
> administrator account in LDAP is uidNumber=0 but it still fails. I know
> that the passwords work because I can log in as administrator and see the
> home directory and other shared directories. Makes me think the
> administrative (root) account is not set up correctly between samba and
> ldap.
> 
> Well, if you did get yours to work let me know how.
> 
> 
> --
> Kent L. Nasveschuk <kent at wareham.k12.ma.us>
> 
-- 
Kent L. Nasveschuk <kent at wareham.k12.ma.us>
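The prerequisites Manuel lists in the thread (an LDAP account for root with uid 0 that carries both the posix and the Samba object classes, and a usable Samba password on it) can be checked mechanically against an LDIF export. The Python script below is an added example, not code from the thread or from the Samba or OpenLDAP projects; the entry, the domain SID and the two slapd.conf fragments in it are constructed placeholders shaped like the files posted above. It also checks the point a reviewer of the posted slapd.conf would raise: with every access directive commented out, slapd falls back to its default policy, under which any bind, anonymous included, can read userPassword, sambaNTPassword and sambaLMPassword.

```python
import base64
import re

# Constructed sample entry, shaped like the Administrator entry posted in the
# thread. The suffix, SID and hash values are placeholders, not the poster's.
SAMPLE_LDIF = """\
dn: uid=Administrator,ou=Users,dc=example,dc=net
cn: Administrator
objectClass: inetOrgPerson
objectClass: sambaSAMAccount
objectClass: posixAccount
uid: Administrator
uidNumber: 0
gidNumber: 0
homeDirectory: /accounts/Administrator
sambaNTPassword: 00000000000000000000000000000000
sambaAcctFlags: [U          ]
sambaSID: S-1-5-21-1-2-3-1000
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=
"""
DOMAIN_SID = "S-1-5-21-1-2-3"          # placeholder domain SID

# Constructed slapd.conf fragments: the password ACL commented out, as in the
# posted file, and the same ACL active.
SLAPD_CONF_OPEN = """\
database        ldbm
suffix          "dc=example,dc=net"
#access to attrs=userPassword,sambaNTPassword,sambaLMPassword
#       by self write
#       by anonymous auth
#       by * none
"""
SLAPD_CONF_LOCKED = """\
database        ldbm
suffix          "dc=example,dc=net"
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read
"""

PASSWORD_ATTRS = ("userpassword", "sambantpassword", "sambalmpassword")


def parse_ldif(text):
    """Parse one LDIF entry into {attribute_lowercase: [values]}.
    Handles 'attr:: base64' values and folded lines that start with a space."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # continuation of the previous line
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        entry.setdefault(attr.strip().lower(), []).append(value)
    return entry


def check_join_account(entry, domain_sid):
    """Return the reasons this entry cannot serve as the account a workstation
    joins with; an empty list means it passes every check."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "posixaccount" not in classes:
        problems.append("missing objectClass posixAccount")
    if "sambasamaccount" not in classes:
        problems.append("missing objectClass sambaSamAccount")
    if entry.get("uidnumber", [""])[0] != "0":
        problems.append("uidNumber is not 0 (the joining account must map to root)")
    nt_hash = entry.get("sambantpassword", [""])[0]
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", nt_hash):
        problems.append("sambaNTPassword is missing or not a 32-hex-digit NT hash")
    flags = entry.get("sambaacctflags", [""])[0]
    if "U" not in flags:
        problems.append("sambaAcctFlags lacks U, so Samba does not treat it as a user")
    if "D" in flags:
        problems.append("sambaAcctFlags contains D, so the account is disabled")
    if not entry.get("sambasid", [""])[0].startswith(domain_sid + "-"):
        problems.append("sambaSID is not under the domain SID " + domain_sid)
    return problems


def password_attrs_protected(slapd_conf):
    """True when an active 'access to attrs=...' directive covers every
    password-bearing attribute. With no active access directives slapd uses
    its default policy, which lets any bind read every attribute."""
    covered = set()
    for line in slapd_conf.splitlines():
        line = line.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"access\s+to\s+attrs=([\w,]+)", line, re.IGNORECASE)
        if m:
            covered.update(a.lower() for a in m.group(1).split(","))
    return all(a in covered for a in PASSWORD_ATTRS)


if __name__ == "__main__":
    account = parse_ldif(SAMPLE_LDIF)
    for problem in check_join_account(account, DOMAIN_SID) or ["join account passes all checks"]:
        print("-", problem)
    print("password attrs protected (ACL commented out):", password_attrs_protected(SLAPD_CONF_OPEN))
    print("password attrs protected (ACL active):       ", password_attrs_protected(SLAPD_CONF_LOCKED))
```

To run it against a real directory, replace SAMPLE_LDIF with the output of ldapsearch for the root entry and DOMAIN_SID with the value net getlocalsid prints; the sambaSID check catches entries created against a different SID than the one smbd is now using, which also produces a join failure that looks like a bad password.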



