[Samba] Samba3 & LDAP Can't join domain with Win2k Pro

Jean-Marc Pouchoulon jean-marc.pouchoulon at ac-montpellier.fr
Sun Oct 26 17:23:34 GMT 2003

> use pdbedit -a username to add samba attribute to the user ( the user
> must exist in the backend - ldap for me ).

> smbldap-useradd.pl is not supposed to do that for me ?

	Try pdbedit to analyse your problem.

> In the [SAMBA_3_0] and [HEAD] only a few basic entries are required:
> The root/administrator (uidNumber=0) SHOULD be present in the NT's
> Admins group (rid=512).
> """

>I removed all normal / test users from LDAP and /etc/passwd
>I created Administrator Account with :
>    smbldap-useradd.pl -a Administrator
>I change password for Administrator (different from root password)
>    smbldap-passwd.pl Administrator
>I changed uid for Administrator with :
>    smbldap-usermod.pl Administrator -u 0
>I put Administrator in "Domain Admins" Group (Domains Admin has gid = 512) :
>    smbldap-groupmod.pl -m Administrator "Domain Admins"
>I can open a session with Administrator account on my linux box.

	As I can see this account does not have a sambasid =
*****-1000 ( 2*uid=0 + 1000) and sambaprimarygroupsid = *******-1001
( 2*gid=1000 + 1001 )?

> Any log that i could check ?

smbpasswd -D99 administrator is going to give you verbose output.

> Nobody here installed  Samba 3 + LDAP on a fresh Linux Box ?
Yes me and some guys on this list.
(thanks to the samba team, ldapbackend is really scalable)

# Administrator, Users, ERIOS, FR
dn: uid=Administrator,ou=Users,dc=ERIOS,dc=FR
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSAMAccount
cn: Administrator
sn: Administrator
uid: Administrator
uidNumber: 1000
gidNumber: 513

( not 513 set 1001 )
( in fact it is also ok for samba without uid and gid number )
homeDirectory: /home//Administrator
loginShell: /bin/bash
gecos: System User
description: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
displayName: System User
sambaAcctFlags: [UX]
sambaSID: S-1-5-21-1048156053-414258101-3478167740-3000
( set 1000 rather than 3000)

sambaPrimaryGroupSID: S-1-5-21-1048156053-414258101-3478167740-2027
( set 1001 rather than 2027)

sambaHomeDrive: H:
sambaHomePath: \\ERIOS-PDC\homes
sambaProfilePath: \\ERIOS-PDC\profiles\Administrator
sambaLogonScript: Administrator.cmd
sambaLMPassword: C7E65E1008C34E6AAAD3B435B51404EE
sambaNTPassword: F0D2FA9C08D26A9C148EB11C65AE93B1
sambaPwdLastSet: 1066935343
userPassword:: e1NTSEF9YkVIdEFQT280ZGd6blJkdjI4UVVha21FZXB5Qi83cjQ=

You have to manage groups after creating a nobody user in the ldap

ldapsearch uid=nobody
dn: uid=nobody,.... ,c=fr
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetorgperson
objectclass: sambaSamAccount
cn: nobody nobody
uid: nobody
givenname: nobody
sn: nobody
sambasid: S-*-501
sambaprimarygroupsid: S*-514
sambahomedrive: U:
sambapwdcanchange: 0
sambaacctflags: [NU          ]
sambapwdmustchange: 0
sambapwdlastset: 0
sambahomepath: \\%N\
sambalogofftime: 0
sambakickofftime: 0
sambalogontime: 0
sambaprofilepath: \\%N\profile

Hope this helps.
Bon courage.
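
An added example, not part of the original message and not Samba or smbldap-tools code: a Python script that checks an LDAP entry's sambaSID and sambaPrimaryGroupSID against the RID arithmetic quoted in the reply above (2*uid + 1000 and 2*gid + 1001). The function names and the trimmed sample entry are assumptions made for illustration.

```python
import re

# RID arithmetic as quoted in the reply: user RID = 2*uid + 1000,
# primary-group RID = 2*gid + 1001.
def expected_user_rid(uid_number: int) -> int:
    return 2 * uid_number + 1000

def expected_group_rid(gid_number: int) -> int:
    return 2 * gid_number + 1001

def parse_entry(ldif: str) -> dict:
    """Parse one LDIF entry into {lowercased attribute: last value seen}."""
    attrs = {}
    for line in ldif.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        # "attr:: value" (base64 form) leaves a leading ':' to drop.
        attrs[key.strip().lower()] = value.lstrip(":").strip()
    return attrs

def rid_of(sid: str) -> int:
    """Return the last sub-authority (the RID) of a SID string."""
    if not re.fullmatch(r"S-1(-\d+)+", sid):
        raise ValueError(f"not a SID: {sid!r}")
    return int(sid.rsplit("-", 1)[1])

def check_entry(ldif: str) -> list:
    """Return mismatch descriptions; an empty list means consistent."""
    a = parse_entry(ldif)
    problems = []
    checks = (("sambasid", "uidnumber", expected_user_rid),
              ("sambaprimarygroupsid", "gidnumber", expected_group_rid))
    for sid_attr, num_attr, formula in checks:
        if sid_attr not in a or num_attr not in a:
            problems.append(f"missing {sid_attr} or {num_attr}")
            continue
        want, got = formula(int(a[num_attr])), rid_of(a[sid_attr])
        if want != got:
            problems.append(f"{sid_attr}: RID {got}, expected {want}")
    return problems

# Constructed sample, trimmed to the attributes the check needs
# (values taken from the entry shown in the message).
SAMPLE = """\
dn: uid=Administrator,ou=Users,dc=ERIOS,dc=FR
uidNumber: 1000
gidNumber: 513
sambaSID: S-1-5-21-1048156053-414258101-3478167740-3000
sambaPrimaryGroupSID: S-1-5-21-1048156053-414258101-3478167740-2027
"""

if __name__ == "__main__":
    print(check_entry(SAMPLE) or "consistent")
    print(check_entry(SAMPLE.replace("uidNumber: 1000", "uidNumber: 0")))
```

Changing uidNumber without updating sambaSID is the kind of drift this flags: the stored RID stays at 3000 while the formula expects 1000 for uid 0.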
