[Samba] Joining XP clients to a Samba PDC

Wed Dec 8 01:21:56 GMT 2004

Hi Andrew,

I ran into a couple of XP issues when trying to join my Totalnet Advanced 
Server (TAS) domain.  Though not exactly Samba, this was a change on the XP 
end and may help.  I found that I had to change the local security policy 
such that "Domain member: Digitally encrypt or sign secure channel data 
(always)" had to be disabled.  A reboot afterwards is needed.  This is 
found under Control Panel -> Performance and Maintenance -> Administrative 
Tools -> Local Security Policy -> Security Settings -> Local Policies -> 
Security Options.  I also had to disable the Internet Connection Firewall, 
at least with non-SP2.  SP2 will generally prompt you as to whether to 
allow programs to get through the firewall.  If you are not using domain 
membership, this may not apply, but it would be good to check into the 
firewall angle in any case.

Chuck

At 05:07 PM 12/7/2004, Andrew wrote:
>Greetings,
>
>I've been pulling my hair out on this problem for several days and I'm not 
>really any closer to a solution. I hope someone out there can help me.
>
>I'm trying to set up a samba PDC on a Fedora Core 2 box using an LDAP 
>backend (on another server). The base install of everything is working 
>fine. At the unix level LDAP connectivity is configured and working 
>properly for users and groups. I've also installed idealix's smbldap-tools 
>and used their script to configure the ldap directory for SAMBA. As far as 
>I can tell that's all configured and working properly too. I can add users 
>and groups with smbldap-useradd and groupadd tools and they show up in the 
>proper places when I browse the LDAP directory with a gui tool I have. 
>(Note, the SAMBA PDC and the LDAP server are two separate machines)
>
>Here's what's installed for samba on my FC2 box:
>
>samba-swat-3.0.7-2.FC2
>samba-common-3.0.7-2.FC2
>samba-client-3.0.7-2.FC2
>samba-3.0.7-2.FC2
>
>The relevant portions of my smb.conf file are as follows:
>
>
># Global parameters
>[global]
>         netbios name = LUNA
>         workgroup = BI
>         passdb backend = ldapsam:ldap://mercury.bibleinfo.com
>         os level = 35
>         preferred master = yes
>         domain master = yes
>         local master = yes
>         security = user
>         domain logons = yes
>         logon path = \\LUNA\profiles\%u
>         logon drive = H:
>         logon home = \\LUNA\%u
>         logon script = logon.cmd
>         ldap delete dn = Yes
>         add user script = /usr/sbin/smbldap-useradd -a -m "%u"
>         add machine script = /usr/sbin/smbldap-useradd -w "%u"
>         add group script = /usr/sbin/smbldap-groupadd -p "%g"
>         add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>         delete user from group script = /usr/sbin/smbldap-groupmod -x 
> "%u" "%g"
>         set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>         server string = Bibleinfo.com file server
>         log file = /var/log/samba/%m.log
>         log level = 10
>         max log size = 50
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         printcap name = /etc/printcap
>         dns proxy = No
>         ldap suffix = dc=bibleinfo,dc=iiw
>         ldap machine suffix = ou=Computers
>         ldap user suffix = ou=People
>         ldap group suffix = ou=Groups
>         ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
>         ldap admin dn = "cn=Manager,dc=bibleinfo,dc=iiw"
>         ldap ssl = start tls
>         ldap passwd sync = Yes
>         idmap uid = 16777216-33554431
>         idmap gid = 16777216-33554431
>
>[netlogon]
>         path = /var/lib/samba/netlogon
>
><snip>
>
>
>As far as I can tell I should be able to join the domain with the root 
>account (added with smbldap-useradd -a -G 512 -m -s /bin/false -d 
>/dev/null -F "" -P root). But all I get for my efforts is an error dialog 
>"The following error occurred attempting to join the domain 'BI': The 
>network path was not found".
>
>The log of this attempt server side is as follows:
>
>[Administrator at luna samba]# cat 10.10.10.153.log
>[2004/12/07 17:02:59, 6] param/loadparm.c:lp_file_list_changed(2684)
>   lp_file_list_changed()
>   file /etc/samba/smb.conf -> /etc/samba/smb.conf  last mod_time: Tue 
> Dec  7 16:51:08 2004
>
>[2004/12/07 17:02:59, 3] smbd/oplock.c:init_oplocks(1302)
>   open_oplock_ipc: opening loopback UDP socket.
>[2004/12/07 17:02:59, 10] lib/util_sock.c:open_socket_in(717)
>   bind succeeded on port 0
>[2004/12/07 17:02:59, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(303)
>   Linux kernel oplocks enabled
>[2004/12/07 17:02:59, 3] smbd/oplock.c:init_oplocks(1333)
>   open_oplock ipc: pid = 12086, global_oplock_port = 32895
>[2004/12/07 17:02:59, 4] lib/time.c:get_serverzone(122)
>   Serverzone is 28800
>[2004/12/07 17:02:59, 10] lib/smbldap.c:smbldap_idle_fn(1118)
>   ldap connection not idle...
>[2004/12/07 17:02:59, 10] 
>lib/util_sock.c:read_smb_length_return_keepalive(505)
>   got smb length of 68
>[2004/12/07 17:02:59, 6] smbd/process.c:process_smb(1091)
>   got message type 0x81 of len 0x44
>[2004/12/07 17:02:59, 3] smbd/process.c:process_smb(1092)
>   Transaction 0 of length 72
>[2004/12/07 17:02:59, 2] smbd/reply.c:reply_special(235)
>   netbios connect: name1=LUNA            name2=OLDDELL
>[2004/12/07 17:02:59, 2] smbd/reply.c:reply_special(242)
>   netbios connect: local=luna remote=olddell, name type = 0
>
>
>the other thing that's puzzling is that SAMBA never creates the machine 
>trust account using the script denoted in smb.conf. If I run the script 
>manually on the command line it works fine, but that still doesn't get my 
>any further with joining the domain (Same error too fact).
>
>Thanks for the help.
>
>-Andrew
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions:  http://lists.samba.org/mailman/listinfo/samba

Chuck Theobald
System Administrator
The Robert and Beverly Lewis Center for Neuroimaging
University of Oregon
P: 541-346-0343
F: 541-346-0345