[Samba] security = ads: problem join XP Pro?

Paul Gienger pgienger at ae-solutions.com
Wed Jun 9 19:24:49 GMT 2004


Are you running any windows servers in your setup or just one samba box 
and the clients?

Assuming the latter, which sounds like you unless I'm badly mis-reading 
you here, you don't *need* any special DNS entries to make things work.  
Perhaps you could attach your smb.conf file?  It sounds like your 
security parameter is way out of whack, which could be causing your 
issues. 
security = domain
  is for when you have a functioning NT network to add this machine to 
that holds your login info.  I've successfully added a 3.0 machine to a 
2.2.x network and then not had to do any passdb setup on it.
security = ads
  is for configuring authentication against an existing 2000 (/2003?) AD 
network, which you haven't mentioned here.

You probably want (from TOSHaRG):
preferred master = yes
domain master = yes
local master = yes
security = user
domain logons = yes

Etienne-Hugues Fortin wrote:

>>Does your DNS server have the following entries:
>>If not it won't work.
>>    
>>
>
>It's the first time I'm seeing this list.  I know that XP Pro was asking
>for something like _ldap._tcp.<domainname> but even googling on this
>didn't help me get what you just sent.
>
>I'll add this to my DNS.  Just to make sure everything is clear, I have to
>replace the first "fsklaw.net" with my own domain and then, I'm replacing
>the server.fsklaw.net with my fully qualified hostname for my samba server
>acting as the PDC.  Everything else would stay identical.  Is that right?
>
>
>Etienne-Hugues
>
>  
>
>>_ldap._tcp.fsklaw.net. 600 IN SRV 0 100 389 server.fsklaw.net.
>>_ldap._tcp.Default-First-Site-Name._sites.fsklaw.net. 600 IN SRV 0 100 389 server.fsklaw.net.
>>_ldap._tcp.pdc._msdcs.fsklaw.net. 600 IN SRV 0 100 389 server.fsklaw.net.
>>_ldap._tcp.gc._msdcs.fsklaw.net. 600 IN SRV 0 100 3268 server.fsklaw.net.
>>_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.fsklaw.net. 600 IN SRV 0 100 3268 server.fsklaw.net.
>>_ldap._tcp.d8888ddc-59fe-434d-8cca-f00ca06b564d.domains._msdcs.fsklaw.net. 600 IN SRV 0 100 389 server.fsklaw.net.
>>gc._msdcs.fsklaw.net. 600 IN A 192.168.62.1
>>42254cae-00e0-4814-a063-af2189b41e2b._msdcs.fsklaw.net. 600 IN CNAME server.fsklaw.net.
>>_kerberos._tcp.dc._msdcs.fsklaw.net. 600 IN SRV 0 100 88 server.fsklaw.net.
>>_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.fsklaw.net. 600 IN SRV 0 100 88 server.fsklaw.net.
>>_ldap._tcp.dc._msdcs.fsklaw.net. 600 IN SRV 0 100 389 server.fsklaw.net.
>>_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.fsklaw.net. 600 IN SRV 0 100 389 server.fsklaw.net.
>>_kerberos._tcp.fsklaw.net. 600 IN SRV 0 100 88 server.fsklaw.net.
>>_kerberos._tcp.Default-First-Site-Name._sites.fsklaw.net. 600 IN SRV 0 100 88 server.fsklaw.net.
>>_gc._tcp.fsklaw.net. 600 IN SRV 0 100 3268 server.fsklaw.net.
>>_gc._tcp.Default-First-Site-Name._sites.fsklaw.net. 600 IN SRV 0 100 3268 server.fsklaw.net.
>>_kerberos._udp.fsklaw.net. 600 IN SRV 0 100 88 server.fsklaw.net.
>>_kpasswd._tcp.fsklaw.net. 600 IN SRV 0 100 464 server.fsklaw.net.
>>_kpasswd._udp.fsklaw.net. 600 IN SRV 0 100 464 server.fsklaw.net.
>>fsklaw.net. 600 IN A 192.168.61.1
>>gc._msdcs.fsklaw.net. 600 IN A 192.168.61.1
>>
>>
>>
>>Etienne-Hugues Fortin wrote:
>>
>>    
>>
>>>Hi,
>>>
>>>I've configured Samba 3.0.4 with Openldap 2.1.22 to use my samba server
>>>as a PDC.  At first, I had some problems with the user administrator.
>>>I've then found the workaround a few days ago.  Now that this is fixed,
>>>I'm trying to join an XP Pro workstation to my domain.  I've done
>>>multiple tests and never succeeded.  I'm always getting XP Pro to
>>>complain about not being able to find a domain and talking about a SRV
>>>entry in my DNS (which is dynamic as required when using dhcp at the
>>>same time).
>>>
>>>So, this morning, in a desperate attempt, I changed security = ads to
>>>security = domain and retried to join the domain from XP Pro.  To my
>>>surprise, it worked fine.  I've reread the documentation and it's still
>>>saying that we should use security = domain when our server is acting as
>>>a BDC, not a PDC.
>>>
>>>I still have to do more tests tonight to see if everything is working but
>>>right now, I'm more curious to understand why my samba server (which is
>>>now acting as a BDC) is accepting a join request while it's not when it's
>>>acting as a PDC.  Is that normal?  Should I keep my server in security =
>>>domain mode?
>>>
>>>Thank you.
>>>
>>>
>>>Etienne-Hugues Fortin
>>>
>>>
>>>      
>>>

-- 
Paul Gienger                     Office:		701-281-1884
Applied Engineering Inc.         Cell:			701-306-6254
Information Systems Consultant   Fax:			701-281-1322
URL: www.ae-solutions.com        mailto:pgienger at ae-solutions.com
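
An added example, not part of the original message and not Samba code: a small check that reads the [global] section of an smb.conf and flags the mismatch discussed in this thread, a box offering domain logons while its security mode is one meant for joining someone else's domain. The sample files and the function names are constructed for illustration, and the classification is a simplification of the three modes described in the reply.

```python
import configparser

# Constructed samples; the thread never shows the poster's real smb.conf.
ADS_ON_PDC = """[global]
workgroup = EXAMPLE
security = ads
domain logons = yes
"""
SUGGESTED = """[global]
preferred master = yes
domain master = yes
local master = yes
security = user
domain logons = yes
"""

# What each security mode is meant for, per the reply above.
PURPOSE = {"domain": "member of an existing NT domain",
           "ads": "member of an existing AD domain"}

def load_global(text):
    """Parse [global]; smb.conf ignores case and spaces in parameter names."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    items = cp["global"].items() if cp.has_section("global") else []
    return {"".join(k.split()).lower(): v.strip().lower() for k, v in items}

def check_role(text):
    """Return (intended use of the security mode, list of findings)."""
    g = load_global(text)
    security = g.get("security", "user")   # assumed default: user
    logons = g.get("domainlogons", "no") in ("yes", "true", "1")
    role = PURPOSE.get(security, "logon server" if logons else "standalone")
    findings = []
    if logons and security in PURPOSE:
        findings.append(f"domain logons = yes with security = {security}: "
                        "server offers logons but defers authentication elsewhere")
    if security == "ads" and "realm" not in g:
        findings.append("security = ads without realm: no AD domain named")
    return role, findings

if __name__ == "__main__":
    for name, conf in (("ads on PDC", ADS_ON_PDC), ("suggested", SUGGESTED)):
        print(name, check_role(conf))
```

Samba's own testparm reports the server role it derives from the real file and remains the authoritative check.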



