[Samba] Join Machine to Domain

Kent L. Nasveschuk kent at wareham.k12.ma.us
Mon Nov 17 23:46:17 GMT 2003


Hey,
Thanks for getting back to me. I could not put this down till I knew why
things weren't working. I finally succeeded in making everything work and
finding out why I had problems.

I couldn't make it work with administrator. As soon as I deleted the
administrator user and replaced the user with root, voilà! I can join
workstations. I removed username map from smb.conf.

I also had a very strange error message that I have discovered is caused
by some keys in the workstation registry that I changed. These are keys
that are reported to need to be changed in XP and not W2K.

The learning curve for this is high. I learned a great deal about Samba
and LDAP but both packages are slick and work together quite well. All
the time I've spent on this has been well worth it.

Thanks for your help.

Kent N

On Mon, 2003-11-17 at 09:27, manuel.piessnegger at straumann.com wrote:
> 
> 
> Hi,
> 
> I forgot to tell you that the samba password for
> uid=Administrator,ou=Users,dc=tow,dc=net MUST be the same as the samba
> password for root, because samba will expect both the client and the
> server user to have the same password. After that the option
> "username map" will work correctly.
> 
> 
> 
> Regards
> 
> Manuel Piessnegger
> 
> 
> 
> From: "Kent L. Nasveschuk" <kent at wareham.k12.ma.us>
> To: manuel.piessnegger at straumann.com
> Cc: Samba List Server <samba at lists.samba.org>
> Date: 14.11.2003 17:44
> Subject: Re: [Samba] Join Machine to Domain
> 
> 
> 
> 
> I appreciate your help on this. I am still having problems. Attached are
> some of the pertinent configuration files.
> 
> I can log in with any account, so the connection and password to access
> the ldap server work; I just can't join the domain. I get an error message
> "bad passwd or unknown user". I added the username map, but root =
> administrator still doesn't work.
> 
> # Administrator, Users, tow.net
> dn: uid=Administrator,ou=Users,dc=tow,dc=net
> cn: Administrator
> sn: Administrator
> objectClass: inetOrgPerson
> objectClass: sambaSAMAccount
> objectClass: posixAccount
> gidNumber: 0
> uid: Administrator
> uidNumber: 0
> homeDirectory: /accounts/Administrator
> sambaPwdLastSet: 1068814077
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 1068814077
> sambaPwdMustChange: 2147483647
> sambaHomePath: \\whs1\Administrator
> sambaHomeDrive: H:
> sambaProfilePath: \\whs1\profiles\
> sambaLMPassword: E3B4E05BE6A182C9E13B8E8F6853DCAC
> sambaNTPassword: F4858C7E53BB628AE91E00E9DB6CD467
> sambaAcctFlags: [U          ]
> sambaSID: S-1-5-21-1129281578-1295143107-3311307472-1000
> loginShell: /bin/bash
> gecos: Netbios Domain Administrator
> sambaPrimaryGroupSID: S-1-5-21-1129281578-1295143107-3311307472-1001
> userPassword:: e1NNRDV9ZGpiNFo3ODQ3VFlKYWJYZEM5ZGRtSkFpMklzPQ==
> 
> 
> 
> smb.conf:
> 
> 
> [global]
>         workgroup = WarehamPS
>         encrypt passwords = Yes
>         time server = Yes
>         socket options = TCP_NODELAY
>         security = user
>         logon script = netlogon.bat
>         writable = Yes
>         dns proxy = no
>         directory mask = 02770
>         preferred master = yes
>         netbios name = WHS1
>         server string = RedHat 8.0 LDAP Server
>         passdb backend = ldapsam
>         ldap passwd sync = Yes
>         passwd program = /usr/local/samba/bin/smbpasswd %u
>         passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
>         log file = /var/log/samba.%m
>         debug level = 2
>         max log size = 50
>         add user script = /usr/local/sbin/smbldap-useradd.pl %u
> #        delete user script = /usr/local/sbin/smbldap-useradd.pl
> #        add group script = /usr/local/sbin/smbldap-groupadd.pl
>         delete group script = /usr/local/sbin/smbldap-groupdel.pl
>         add machine script = /usr/local/samba/bin/smbpasswd -a -m %u
> #        add machine script = /usr/sbin/useradd -d /dev/null -g 502 -s /bin/false -M %u
>         logon script = netlogon.bat
>         logon path = \\%N\profiles\%g
>         logon drive = H:
>         logon home = \\%L\%U
>         domain logons = Yes
>         os level = 64
>         domain master = Yes
>         dns proxy = No
>         admin users = @domain_admins
> #       wins support = Yes
>         ldap suffix = dc=tow,dc=net
>         ldap machine suffix = ou=Computers
>         ldap user suffix = ou=Users
>         ldap group suffix = ou=Groups
>         ldap admin dn = cn=admin,dc=tow,dc=net
>         ldap ssl = no
>         username map = /usr/local/samba/private/smbusers
> [homes]
>         comment = Home Directories
>         read only = no
>         browseable = no
>         writable = yes
>         path = %H
> #       valid users = %S
>         hide files = /.*/
> 
> [profiles]
>         path = /accounts/profiles
>         read only = no
>         create mask = 0600
>         directory mask = 0700
> 
> [netlogon]
>         comment = Netlogon share
>         path = /usr/local/samba/netlogon
>         locking = no
>         browseable = no
>         read only = yes
>         write list = @domain_admins
> 
> [staff]
>         comment = Staff common
>         path = /accounts/staff
>         read list = @staff @techstaff
>         write list = @staff @techstaff
> 
> [programs]
>         comment = Programs
>         path = /accounts/programs
> 
> [adm-pgms$]
>         comment = Admin Programs
>         path = /accounts/adm_pgms
>         read list = @techstaff
>         write list = @techstaff
> 
> [images$]
>         comment = Ghost image files
>         path = /accounts/images
>         write list = kent
>         read list = @techstaff
> 
> [printers]
>         comment = All Printers
>         path = /var/spool/samba
>         read only = Yes
>         printable = Yes
>         browseable = No
> 
> slapd.conf
> 
> # $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.4 2000/08/26 17:06:18 kurt Exp $
> include         /usr/local/etc/openldap/schema/core.schema
> include         /usr/local/etc/openldap/schema/cosine.schema
> include         /usr/local/etc/openldap/schema/inetorgperson.schema
> include         /usr/local/etc/openldap/schema/nis.schema
> include         /usr/local/etc/openldap/schema/samba.schema
> database        ldbm
> suffix          "dc=tow,dc=net"
> rootdn          "cn=admin,dc=tow,dc=net"
> #rootpw         {SSHA}WhTBLrgNGnKeZYgS0bT6TfIL2jKBbOnr
> #password-hash  {crypt}
> directory       /usr/local/var/openldap-data/wareham
> schemacheck     on
> lastmod         on
> # Indices to maintain
> #index  objectClass                             eq
> index   objectClass,uid,uidNumber,gidNumber     eq
> #index  cn,mail,surname,givenname               eq,subinitial
> index   cn,sn,st                                pres,eq,sub
> #access to dn=".*dc=tow,dc=net
> #       by self write
> #       by * read
> #access to attrs=userPassword,sambaNTPassword,sambaLMPassword
> #       by self write
> #       by anonymous auth
> #       by * none
> #access to *
> #       by * read
> 
> 
> output of net groupmap list:
> 
> 
> [root at whs1 root]# net groupmap list
> domain_users (S-1-5-21-1129281578-1295143107-3311307472-513) -> dusers
> domain_guests (S-1-5-21-1129281578-1295143107-3311307472-514) -> nobody
> domain_admins (S-1-5-21-1129281578-1295143107-3311307472-512) -> root
> administrators (S-1-5-32-544) -> 544
> users (S-1-5-21-1129281578-1295143107-3311307472-545) -> users
> guests (S-1-5-21-1129281578-1295143107-3311307472-546) -> 546
> power_users (S-1-5-21-1129281578-1295143107-3311307472-547) -> 547
> account_operators (S-1-5-32-548) -> 548
> server_operators (S-1-5-32-549) -> sys
> print_operators (S-1-5-32-550) -> lp
> backup_operators (S-1-5-32-551) -> bin
> replicator (S-1-5-21-1129281578-1295143107-3311307472-552) -> daemon
> computers (S-1-5-21-1129281578-1295143107-3311307472-515) -> dcomputers
> Enterprise Admins (S-1-5-21-1129281578-1295143107-3311307472-519) -> 519
> students (S-1-5-21-1129281578-1295143107-3311307472-2011) -> students
> staff (S-1-5-21-1129281578-1295143107-3311307472-2007) -> staff
> techstaff (S-1-5-21-1129281578-1295143107-3311307472-2009) -> techstaff
> [root at whs1 root]#
> 
> 
> 
> On Fri, 2003-11-14 at 11:18, manuel.piessnegger at straumann.com wrote:
> >
> >
> > Hello,
> >
> > first the ldap admin dn should be the same as the rootdn for the
> > OpenLdap Server but must not be root.
> >
> > Important for joining machines into a domain is that you have already
> > created a user in ldap for root (uid=0), that means posix and samba.
> > After that you have to join in the machine with user root and the samba
> > password (not the posix password).
> >
> > This works when your samba server runs over the root account (root starts
> > my samba daemon). If your samba server runs over a different user I think
> > you have to choose this other samba admin account.
> >
> > Regards
> >
> > Manuel
> >
> >
> >
> >
> >
> > From: "Kent L. Nasveschuk" <kent at wareham.k12.ma.us>
> > To: manuel.piessnegger at straumann.com
> > Date: 13.11.2003 19:07
> > Subject: Re: [Samba] Join Machine to Domain
> >
> > I read your post today and was wondering if you were able to get your
> > W2K machines to join your domain?
> >
> > I'm having the same problem. I can't get the machines to join the domain. I
> > keep getting "login failure: unknown username or bad password". My
> > administrator account in LDAP is uidNumber=0 but it still fails. I know
> > that the passwords work cause I can log in as administrator and see the
> > home directory and other shared directories. Makes me think the
> > administrative (root) account is not set up correctly between samba and
> > ldap.
> >
> > Well, if you did get yours to work let me know how.
> >
> >
> > --
> > Kent L. Nasveschuk <kent at wareham.k12.ma.us>
> >
> --
> Kent L. Nasveschuk <kent at wareham.k12.ma.us>
> 
-- 
Kent L. Nasveschuk <kent at wareham.k12.ma.us>
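The thread's advice boils down to two checkable things: the account used to join workstations must be a uid 0 entry that is both a posixAccount and a sambaSAMAccount with an enabled Samba password, and (from a defender's side) the slapd.conf posted above has every "access to" rule commented out, including the one that would keep userPassword, sambaNTPassword and sambaLMPassword from being read by every bind. Since the NT hash is enough to authenticate over NTLM, the directory's read ACL is part of the credential store. The script below is an added example, not code from this thread, from Samba or from OpenLDAP: it parses a constructed LDIF entry shaped like the posted Administrator entry (hash, SID and domain are placeholders) and checks it against the thread's requirements, then inspects two constructed slapd.conf fragments, one with the rule commented out as posted and one with it enabled, for password attributes no active rule names.

```python
"""Checks for the two artefacts discussed in the thread: the LDAP entry used to
join workstations, and the slapd.conf rules guarding the password attributes."""
import base64
import re

# Constructed LDIF in the shape of the Administrator entry posted above; the
# hash, SID and domain are placeholders, not the values from the thread.
SAMPLE_LDIF = """\
# Administrator, Users, example.net
dn: uid=Administrator,ou=Users,dc=example,dc=net
objectClass: inetOrgPerson
objectClass: sambaSAMAccount
objectClass: posixAccount
uid: Administrator
uidNumber: 0
gidNumber: 0
sambaNTPassword: 00000000000000000000000000000000
sambaAcctFlags: [U          ]
sambaSID: S-1-5-21-1-2-3-1000
userPassword:: e1NNRDV9cGxhY2Vob2xkZXI=
"""


def parse_ldif(text):
    """LDIF -> list of entries (attribute -> list of values)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if line.startswith("#"):
            continue
        if not line.strip():                # blank line terminates an entry
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):           # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def check_join_account(entry):
    """Problems with the account that joins workstations, per the thread's
    advice: uid 0, both posixAccount and sambaSAMAccount, enabled, NT hash set."""
    problems = []
    classes = set(entry.get("objectClass", []))
    for needed in ("posixAccount", "sambaSAMAccount"):
        if needed not in classes:
            problems.append(f"missing objectClass {needed}")
    if entry.get("uidNumber", [""])[0] != "0":
        problems.append("uidNumber is not 0")
    if not entry.get("sambaNTPassword"):
        problems.append("no sambaNTPassword: Samba password never set")
    flags = entry.get("sambaAcctFlags", [""])[0]
    if "U" not in flags or "D" in flags:
        problems.append(f"sambaAcctFlags {flags!r} is not an enabled user account")
    return problems


PASSWORD_ATTRS = ("userPassword", "sambaNTPassword", "sambaLMPassword")

# Constructed slapd.conf fragments: the first mirrors the posted file, where the
# rule is commented out; the second is the same rule enabled.
WEAK_SLAPD_CONF = """\
#access to attrs=userPassword,sambaNTPassword,sambaLMPassword
#       by self write
#       by anonymous auth
#       by * none
"""
HARDENED_SLAPD_CONF = """\
access to attrs=userPassword,sambaNTPassword,sambaLMPassword
        by self write
        by anonymous auth
        by * none
"""


def unprotected_password_attrs(conf):
    """Password attributes named by no active 'access to attrs=' directive.
    With no access directives at all, slapd's documented default is read for
    everyone. Presence check only, not a full ACL evaluation."""
    covered = set()
    for line in conf.splitlines():
        m = re.match(r"\s*access\s+to\s+attrs=([\w,]+)", line)
        if m:
            covered.update(m.group(1).split(","))
    return [a for a in PASSWORD_ATTRS if a not in covered]
```

Run `check_join_account(parse_ldif(open("entry.ldif").read())[0])` against an export of the real entry and `unprotected_password_attrs(open("slapd.conf").read())` against the real slapd.conf; an empty list from both is the state the thread's advice and the commented-out rule are aiming for. The ACL check deliberately only asks whether the attributes are named by an active rule: it flags the posted configuration, but deciding whether the `by` clauses of an active rule are actually restrictive enough still needs a read of the rule itself.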