[Samba] Samba 3.0.3 on FC2: windows machine cannot join domain
Joshua Schmidlkofer
menion at asylumwear.com
Fri Jun 11 17:56:48 GMT 2004
Tony Fugere wrote:
> I'm using Samba 3.0.3 on Fedora Core 2 with OpenLDAP 2.1.29 for a
> backend. I'm getting to typical "The user name could not be found."
> error upon trying to join a Windows box. I've gone through every digest
> on lists.samba.org and other sites and nothing has worked yet. Any
> suggestions:
>
> Here's what I've done so far:
>
> 1. Installed everything via RPMS:
> [root at smbtest root]# rpm -qa | grep openldap
> openldap-2.1.29-1
> openldap-clients-2.1.29-1
> openldap-servers-2.1.29-1
> openldap-devel-2.1.29-1
> [root at smbtest root]# rpm -qa | grep samba
> samba-3.0.3-5
> samba-client-3.0.3-5
> samba-common-3.0.3-5
> samba-swat-3.0.3-5
> [root at smbtest root]# rpm -qa | grep smbldap
> smbldap-tools-0.8.4-1.1.fc2.dag
> [root at smbtest root]#
>
> 2. Made my SSL certificates and put them in /var/ssl.
>
> 3. Made my slapd.conf:
> --- Start slapd.conf ---
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/samba.schema
>
> allow bind_v2
>
> passwd-hash {SSHA]
>
> pidfile /var/run/slapd.pid
>
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCACertificateFile /var/ssl/cacert.pem
> TLSCertificateFile /var/ssl/ldapcrt.pem
> TLSCertificateKeyFile /var/ssl/ldapkey.pem
> TLSVerifyClient 0
>
> security ssf=1 update_ssf=112 simple_bind=64
>
> access to dn=".*,dc=soil,dc=ncsu,dc=edu" attr=userPassword
> by dn="cn=Manager,dc=soil,dc=ncsu,dc=edu" write
> by self write
> by * auth
> access to dn=".*,dc=soil,dc=ncsu,dc=edu" attr=mail
> by dn="cn=Manager,dc=soil,dc=ncsu,dc=edu" write
> by self write
> by * auth
> access to dn=".*,ou=People,dc=soil,dc=ncsu,dc=edu"
> by * read
> access to dn=".*,dc=soil,dc=ncsu,dc=edu"
> by self write
> by * read
>
> database ldbm
> suffix "dc=soil,dc=ncsu,dc=edu"
> rootdn "cn=Manager,dc=soil,dc=ncsu,dc=edu"
> rootpw _thepassword_
>
> directory /var/lib/ldap
>
> index objectClass,uid,uidNumber,gidNumber,memberUid eq
> index cn,mail,surname,givenname eq,subinitial
> --- End slapd.conf ---
>
> 4. Made the smb.conf:
> --- Start smb.conf ---
> [global]
>
> ; Basic server settings
> workgroup = testdomain
> netbios name = smbtest
> server string = Samba Server %v
> security = user
> allow trusted domains = yes
>
> log level = 0
> log file = /var/log/samba/log.%m
> max log size = 50
>
> domain logons = Yes
> os level = 65
> local master = yes
> domain master = yes
> preferred master = yes
> encrypt passwords = yes
>
> passwd program = /usr/local/sbin/smbldap-passwd %u
> passwd chat = *new*password* %n\n *new*password* %n\n *successfully*
> unix password sync = yes
>
> ; User and Machine Account Backends
> ldap ssl = start_tls
> passdb backend = ldapsam:ldap://smbtest.soil.ncsu.edu:389
> ldap suffix = dc=soil,dc=ncsu,dc=edu
> ldap admin dn = cn=Manager,dc=soil,dc=ncsu,dc=edu
> ldap delete dn = no
> ldap user suffix = ou=People
> ldap group suffix = ou=Groups
> ldap machine suffix = ou=Computers
> admin users = administrator
>
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> ; where to store user profiles
> logon home =
> logon path =
>
> ldap delete dn = Yes
> add user script = /usr/local/sbin/smbldap-useradd -m "%u"
> add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
> add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/local/sbin/smbldap-groupmod -x
> "%u" "%g"
> set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
> delete user script = /usr/local/sbin/smbldap-userdel "%u"
> delete group script = /usr/local/sbin/smbldap-groupdel "%g"
>
> [netlogon]
> comment = Network Logon Service
> path = /usr/local/samba/lib/netlogon
> read only = yes
> write list = dom_admins
>
> [Homes]
> username = tfugere
> writeable = Yes
> force create mode = 0770
> force directory mode = 02770
> browseable = No
> --- End smb.conf ---
>
> 5. Made my smbldap*.conf:
> --- Start smbldap.conf ---
> UID_START="1000"
> GID_START="1000"
> SID="S-1-5-21-2625200706-2048882972-3065312840"
> slaveLDAP="smbtest.soil.ncsu.edu"
> slavePort="389"
> masterLDAP="smbtest.soil.ncsu.edu"
> masterPort="389"
> ldapTLS="1"
> verify="require"
> cafile="/var/ssl/cacert.pem"
> clientcert="/var/ssl/ldapcrt.pem"
> clientkey="/var/ssl/ldapkey.pem"
> suffix="dc=soil,dc=ncsu,dc=edu"
> usersdn="ou=People,dc=soil,dc=ncsu,dc=edu"
> computersdn="ou=Computers,dc=soil,dc=ncsu,dc=edu"
> groupsdn="ou=Groups,dc=soil,dc=ncsu,dc=edu"
> scope="sub"
> hash_encrypt="SSHA"
> userLoginShell="/bin/bash"
> userHomePrefix="/home/"
> userGecos="System User"
> defaultUserGid="513"
> defaultComputerGid="553"
> skeletonDir="/etc/skel"
> defaultMaxPasswordAge="45"
> userSmbHome=""
> userProfile=""
> userHomeDrive="logondrive"
> userScript=""
> with_smbpasswd="0"
> smbpasswd="/usr/bin/smbpasswd"
> mk_ntpasswd="/usr/sbin/mkntpwd"
> --- End smbldap.conf ---
> --- Begin smbldap_bind.conf ---
> slaveDN="cn=Manager,dc=soil,dc=ncsu,dc=edu"
> slavePw="_hidden_"
> masterDN="cn=Manager,dc=soil,dc=ncsu,dc=edu"
> masterPw="_hidden_"
> --- End smbldap_bind.conf ---
>
> 6. Started up the services:
> /etc/init.d/ldap start
> /etc/init.d/smb start
>
> 7. Set the root password:
> smbpasswd -w _thepassword_
>
> 8. Put in some test data:
> http://www.soil.ncsu.edu/tony_temp/smbtest.ldif
>
> 9. Did a search on the LDAP DB:
> ldapsearch -x -Z -D 'cn=Manager,dc=soil,dc=ncsu,dc=edu' -b
> 'dc=soil,dc=ncsu,dc=edu' -W '(objectclass=*)'
> Results: http://www.soil.ncsu.edu/tony_temp/ldapsearch.out
>
> 10. Set the root user password:
> smbldap-passwd root
>
> 11. Changed the local security policy on the Windows XP machine:
> Domain member: Digitally encrypt or sign secure data channel
> (always) Disabled
> Domain member: Digitally encrypt secure data channel (when
> possible) Disabled
> Domain member: Digitally sign secure data channel (when
> possible) Disabled
>
> 12. Tried to join the domain through a Windows XP machine and got this
> error when using root user:
> The following error occurred when attempting to join the domain
> "testdomain":
> The user name could not be found.
>
> 13. Tried to navigate to the domain via my network places and was
> successful.
>
Tony,
Please be sure that the account you are using to add the machines to
the domain has a uidNumber of '0'. That is the only factor that was
holding me back.
thanks,
Joshua
More information about the samba
mailing list