[Samba] Samba 3.0.3 on FC2: windows machine cannot join domain
Tony Fugere
tony_fugere at ncsu.edu
Fri Jun 11 14:57:14 GMT 2004
I'm using Samba 3.0.3 on Fedora Core 2 with OpenLDAP 2.1.29 for a
backend. I'm getting the typical "The user name could not be found."
error when trying to join a Windows box. I've gone through every digest
on lists.samba.org and other sites and nothing has worked yet. Any
suggestions?
Here's what I've done so far:
1. Installed everything via RPMS:
[root at smbtest root]# rpm -qa | grep openldap
openldap-2.1.29-1
openldap-clients-2.1.29-1
openldap-servers-2.1.29-1
openldap-devel-2.1.29-1
[root at smbtest root]# rpm -qa | grep samba
samba-3.0.3-5
samba-client-3.0.3-5
samba-common-3.0.3-5
samba-swat-3.0.3-5
[root at smbtest root]# rpm -qa | grep smbldap
smbldap-tools-0.8.4-1.1.fc2.dag
[root at smbtest root]#
2. Made my SSL certificates and put them in /var/ssl.
3. Made my slapd.conf:
--- Start slapd.conf ---
# slapd.conf as posted: OpenLDAP 2.1.29 (ldbm backend) serving as the
# passdb store for Samba 3.0.3 and for the smbldap-tools scripts.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
# samba.schema provides the sambaSamAccount attributes that Samba's
# ldapsam backend reads and writes (including the password-hash attributes).
include /etc/openldap/schema/samba.schema
allow bind_v2
# NOTE(review): the OpenLDAP directive is spelled "password-hash" and the
# scheme is written "{SSHA}"; the closing "]" here looks like a typo.
# Confirm slapd actually accepted this line at startup (check its log).
passwd-hash {SSHA]
pidfile /var/run/slapd.pid
# NOTE(review): "+SSLv2" explicitly re-enables SSLv2 in the cipher list;
# confirm this is intended rather than a copy/paste leftover.
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /var/ssl/cacert.pem
TLSCertificateFile /var/ssl/ldapcrt.pem
TLSCertificateKeyFile /var/ssl/ldapkey.pem
# 0 = client certificates are not requested, so the clientcert/clientkey
# configured in smbldap.conf are presumably never checked by this server.
TLSVerifyClient 0
# As written: simple binds need ssf >= 64 and updates need ssf >= 112, so
# both Samba ("ldap ssl = start_tls") and smbldap-tools (ldapTLS=1) have to
# negotiate TLS before binding; a plain-text bind would be refused.
security ssf=1 update_ssf=112 simple_bind=64
# Only userPassword and mail are restricted to auth-only for "*".
access to dn=".*,dc=soil,dc=ncsu,dc=edu" attr=userPassword
by dn="cn=Manager,dc=soil,dc=ncsu,dc=edu" write
by self write
by * auth
access to dn=".*,dc=soil,dc=ncsu,dc=edu" attr=mail
by dn="cn=Manager,dc=soil,dc=ncsu,dc=edu" write
by self write
by * auth
# Every other attribute of a People entry is readable by anyone.
# NOTE(review): the Samba hash attributes from samba.schema
# (sambaLMPassword / sambaNTPassword) are not named in the attr= rules
# above, so for user entries they fall through to this "by * read" —
# i.e. the hashes are readable by anonymous binds. Confirm this is intended.
access to dn=".*,ou=People,dc=soil,dc=ncsu,dc=edu"
by * read
# Catch-all for entries outside ou=People (e.g. ou=Computers, ou=Groups):
# anyone can read, and an entry can write any of its own unlisted
# attributes. NOTE(review): "by self write" here looks like it also lets a
# bound entry rewrite its own uidNumber/gidNumber and Samba attributes.
access to dn=".*,dc=soil,dc=ncsu,dc=edu"
by self write
by * read
database ldbm
suffix "dc=soil,dc=ncsu,dc=edu"
rootdn "cn=Manager,dc=soil,dc=ncsu,dc=edu"
# Placeholder in the post; the same value is handed to "smbpasswd -w"
# (step 7) and is the bind password in smbldap_bind.conf.
rootpw _thepassword_
directory /var/lib/ldap
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
--- End slapd.conf ---
4. Made the smb.conf:
--- Start smb.conf ---
; smb.conf as posted: Samba 3.0.3 acting as PDC for "testdomain" with an
; ldapsam backend on the OpenLDAP server from slapd.conf above.
[global]
; Basic server settings
workgroup = testdomain
netbios name = smbtest
server string = Samba Server %v
security = user
allow trusted domains = yes
; NOTE(review): log level 0 hides the ldapsam / domain-join diagnostics;
; raise it (e.g. "log level = 3") while chasing the join failure and look
; at the per-client log named below.
log level = 0
log file = /var/log/samba/log.%m
max log size = 50
; domain logons + domain master + preferred master: this host is the PDC.
domain logons = Yes
os level = 65
local master = yes
domain master = yes
preferred master = yes
encrypt passwords = yes
; Unix password changes are pushed to LDAP through smbldap-passwd; the
; chat string must match that tool's prompts exactly.
passwd program = /usr/local/sbin/smbldap-passwd %u
passwd chat = *new*password* %n\n *new*password* %n\n *successfully*
unix password sync = yes
; User and Machine Account Backends
; StartTLS on port 389 is what satisfies slapd's simple_bind=64 /
; update_ssf=112 requirements; without it the admin bind would be refused.
ldap ssl = start_tls
passdb backend = ldapsam:ldap://smbtest.soil.ncsu.edu:389
; These suffixes must agree with suffix/usersdn/groupsdn/computersdn in
; smbldap.conf, since both Samba and the scripts write to the same tree.
ldap suffix = dc=soil,dc=ncsu,dc=edu
; Same DN as slapd.conf's rootdn; its password comes from "smbpasswd -w".
ldap admin dn = cn=Manager,dc=soil,dc=ncsu,dc=edu
; NOTE(review): "ldap delete dn" is set twice in this section (no here,
; Yes further down); presumably the later value wins — keep only one.
ldap delete dn = no
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
; NOTE(review): per smb.conf(5) "admin users" perform all file operations
; as root; confirm this is wanted for "administrator".
admin users = administrator
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
; where to store user profiles
logon home =
logon path =
ldap delete dn = Yes
; Account-management hooks: Samba runs these smbldap-tools scripts when it
; needs to create or change accounts. A domain join needs "add machine
; script" to succeed (and the LDAP bind that it performs to be allowed).
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
; NOTE(review): the next two lines look like a mail-client line wrap; in
; the real smb.conf this parameter must be on a single line.
delete user from group script = /usr/local/sbin/smbldap-groupmod -x
"%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
delete user script = /usr/local/sbin/smbldap-userdel "%u"
delete group script = /usr/local/sbin/smbldap-groupdel "%g"
[netlogon]
comment = Network Logon Service
; NOTE(review): /usr/local/samba/... is the source-build default; with the
; RPM install listed in step 1, confirm this directory actually exists.
path = /usr/local/samba/lib/netlogon
read only = yes
; dom_admins must exist as a group (ou=Groups in the LDIF) for this to apply.
write list = dom_admins
[Homes]
; NOTE(review): "username" inside the homes share is unusual and looks like
; a leftover from testing; confirm it is intended to restrict the share.
username = tfugere
writeable = Yes
force create mode = 0770
force directory mode = 02770
browseable = No
--- End smb.conf ---
5. Made my smbldap*.conf:
--- Start smbldap.conf ---
# smbldap.conf as posted (smbldap-tools 0.8.4): settings read by the
# smbldap-* scripts that smb.conf invokes for account management.
UID_START="1000"
GID_START="1000"
# Presumably must equal the domain SID Samba itself reports (net getlocalsid);
# every sambaSID the scripts write is derived from this value.
SID="S-1-5-21-2625200706-2048882972-3065312840"
# Master and slave point at the same single server on port 389; with
# ldapTLS=1 the scripts use StartTLS, matching "ldap ssl = start_tls".
slaveLDAP="smbtest.soil.ncsu.edu"
slavePort="389"
masterLDAP="smbtest.soil.ncsu.edu"
masterPort="389"
ldapTLS="1"
# verify=require: the server certificate must chain to cafile. The client
# cert/key are offered, but slapd.conf has TLSVerifyClient 0, so they are
# presumably never requested by the server.
verify="require"
cafile="/var/ssl/cacert.pem"
clientcert="/var/ssl/ldapcrt.pem"
clientkey="/var/ssl/ldapkey.pem"
# Must agree with "ldap suffix" and the user/group/machine suffixes in smb.conf.
suffix="dc=soil,dc=ncsu,dc=edu"
usersdn="ou=People,dc=soil,dc=ncsu,dc=edu"
computersdn="ou=Computers,dc=soil,dc=ncsu,dc=edu"
groupsdn="ou=Groups,dc=soil,dc=ncsu,dc=edu"
scope="sub"
# Same hash scheme slapd.conf is (meant to be) configured with.
hash_encrypt="SSHA"
userLoginShell="/bin/bash"
userHomePrefix="/home/"
userGecos="System User"
# NOTE(review): gidNumbers assigned to newly created users / machine accounts;
# the matching groups must already exist under ou=Groups — confirm the test
# LDIF from step 8 contains them.
defaultUserGid="513"
defaultComputerGid="553"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome=""
userProfile=""
userHomeDrive="logondrive"
userScript=""
# with_smbpasswd=0: the scripts compute the Samba hashes themselves
# (via mk_ntpasswd below) instead of calling smbpasswd.
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
mk_ntpasswd="/usr/sbin/mkntpwd"
--- End smbldap.conf ---
--- Begin smbldap_bind.conf ---
# smbldap_bind.conf as posted: the bind credentials the smbldap-* scripts use.
# Both entries are the slapd.conf rootdn, so this file holds the directory's
# master password in clear text — keep it readable by root only.
# "_hidden_" is the poster's redaction, not the real value.
slaveDN="cn=Manager,dc=soil,dc=ncsu,dc=edu"
slavePw="_hidden_"
masterDN="cn=Manager,dc=soil,dc=ncsu,dc=edu"
masterPw="_hidden_"
--- End smbldap_bind.conf ---
6. Started up the services:
/etc/init.d/ldap start
/etc/init.d/smb start
7. Gave Samba the LDAP Manager (rootdn) password:
smbpasswd -w _thepassword_
8. Put in some test data:
http://www.soil.ncsu.edu/tony_temp/smbtest.ldif
9. Did a search on the LDAP DB:
ldapsearch -x -Z -D 'cn=Manager,dc=soil,dc=ncsu,dc=edu' -b
'dc=soil,dc=ncsu,dc=edu' -W '(objectclass=*)'
Results: http://www.soil.ncsu.edu/tony_temp/ldapsearch.out
10. Set the root user password:
smbldap-passwd root
11. Changed the local security policy on the Windows XP machine:
Domain member: Digitally encrypt or sign secure data channel
(always) Disabled
Domain member: Digitally encrypt secure data channel (when
possible) Disabled
Domain member: Digitally sign secure data channel (when
possible) Disabled
12. Tried to join the domain from a Windows XP machine, using the root
user, and got this error:
The following error occurred when attempting to join the domain
"testdomain":
The user name could not be found.
13. Tried to navigate to the domain via my network places and was
successful.
--
Tony Fugere
tony_fugere at ncsu.edu