[Samba] Samba 3.0.3 on FC2: windows machine cannot join domain

Joshua Schmidlkofer menion at asylumwear.com
Fri Jun 11 17:56:48 GMT 2004


Tony Fugere wrote:
> I'm using Samba 3.0.3 on Fedora Core 2 with OpenLDAP 2.1.29 for a 
> backend. I'm getting the typical "The user name could not be found." 
> error upon trying to join a Windows box. I've gone through every digest 
> on lists.samba.org and other sites and nothing has worked yet. Any 
> suggestions?
> 
> Here's what I've done so far:
> 
> 1. Installed everything via RPMS:
> [root at smbtest root]# rpm -qa | grep openldap
> openldap-2.1.29-1
> openldap-clients-2.1.29-1
> openldap-servers-2.1.29-1
> openldap-devel-2.1.29-1
> [root at smbtest root]# rpm -qa | grep samba
> samba-3.0.3-5
> samba-client-3.0.3-5
> samba-common-3.0.3-5
> samba-swat-3.0.3-5
> [root at smbtest root]# rpm -qa | grep smbldap
> smbldap-tools-0.8.4-1.1.fc2.dag
> [root at smbtest root]#
> 
> 2. Made my SSL certificates and put them in /var/ssl.
> 
> 3. Made my slapd.conf:
> --- Start slapd.conf ---
> include         /etc/openldap/schema/core.schema
> include         /etc/openldap/schema/cosine.schema
> include         /etc/openldap/schema/inetorgperson.schema
> include         /etc/openldap/schema/nis.schema
> include         /etc/openldap/schema/samba.schema
> 
> allow bind_v2
> 
> password-hash {SSHA}
> 
> pidfile /var/run/slapd.pid
> 
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCACertificateFile /var/ssl/cacert.pem
> TLSCertificateFile /var/ssl/ldapcrt.pem
> TLSCertificateKeyFile /var/ssl/ldapkey.pem
> TLSVerifyClient 0
> 
> security ssf=1 update_ssf=112 simple_bind=64
> 
> access to dn=".*,dc=soil,dc=ncsu,dc=edu" attr=userPassword
>        by dn="cn=Manager,dc=soil,dc=ncsu,dc=edu" write
>        by self write
>        by * auth
> access to dn=".*,dc=soil,dc=ncsu,dc=edu" attr=mail
>        by dn="cn=Manager,dc=soil,dc=ncsu,dc=edu" write
>        by self write
>        by * auth
> access to dn=".*,ou=People,dc=soil,dc=ncsu,dc=edu"
>        by * read
> access to dn=".*,dc=soil,dc=ncsu,dc=edu"
>        by self write
>        by * read
> 
> database        ldbm
> suffix          "dc=soil,dc=ncsu,dc=edu"
> rootdn          "cn=Manager,dc=soil,dc=ncsu,dc=edu"
> rootpw          _thepassword_
> 
> directory       /var/lib/ldap
> 
> index objectClass,uid,uidNumber,gidNumber,memberUid     eq
> index cn,mail,surname,givenname                         eq,subinitial
> --- End slapd.conf ---
> 
> 4. Made the smb.conf:
> --- Start smb.conf ---
> [global]
> 
>   ; Basic server settings
>   workgroup = testdomain
>   netbios name = smbtest
>   server string = Samba Server %v
>   security = user
>   allow trusted domains = yes
> 
>   log level = 0
>   log file = /var/log/samba/log.%m
>   max log size = 50
> 
>   domain logons = Yes
>   os level = 65
>   local master = yes
>   domain master = yes
>   preferred master = yes
>   encrypt passwords = yes
> 
>   passwd program = /usr/local/sbin/smbldap-passwd %u
>   passwd chat = *new*password* %n\n *new*password* %n\n *successfully*
>   unix password sync = yes
> 
>   ; User and Machine Account Backends
>   ldap ssl = start_tls
>   passdb backend = ldapsam:ldap://smbtest.soil.ncsu.edu:389
>   ldap suffix = dc=soil,dc=ncsu,dc=edu
>   ldap admin dn = cn=Manager,dc=soil,dc=ncsu,dc=edu
>   ldap delete dn = no
>   ldap user suffix = ou=People
>   ldap group suffix = ou=Groups
>   ldap machine suffix = ou=Computers
>   admin users = administrator
> 
>   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> 
>   ; where to store user profiles
>   logon home =
>   logon path =
> 
>   ldap delete dn = Yes
>   add user script = /usr/local/sbin/smbldap-useradd -m "%u"
>   add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
>   add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
>   add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
>   delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
>   set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
>   delete user script = /usr/local/sbin/smbldap-userdel "%u"
>   delete group script = /usr/local/sbin/smbldap-groupdel "%g"
> 
> [netlogon]
>   comment = Network Logon Service
>   path = /usr/local/samba/lib/netlogon
>   read only = yes
>   write list = dom_admins
> 
> [Homes]
>    username = tfugere
>    writeable = Yes
>    force create mode = 0770
>    force directory mode = 02770
>    browseable = No
> --- End smb.conf ---
> 
> 5. Made my smbldap*.conf:
> --- Start smbldap.conf ---
> UID_START="1000"
> GID_START="1000"
> SID="S-1-5-21-2625200706-2048882972-3065312840"
> slaveLDAP="smbtest.soil.ncsu.edu"
> slavePort="389"
> masterLDAP="smbtest.soil.ncsu.edu"
> masterPort="389"
> ldapTLS="1"
> verify="require"
> cafile="/var/ssl/cacert.pem"
> clientcert="/var/ssl/ldapcrt.pem"
> clientkey="/var/ssl/ldapkey.pem"
> suffix="dc=soil,dc=ncsu,dc=edu"
> usersdn="ou=People,dc=soil,dc=ncsu,dc=edu"
> computersdn="ou=Computers,dc=soil,dc=ncsu,dc=edu"
> groupsdn="ou=Groups,dc=soil,dc=ncsu,dc=edu"
> scope="sub"
> hash_encrypt="SSHA"
> userLoginShell="/bin/bash"
> userHomePrefix="/home/"
> userGecos="System User"
> defaultUserGid="513"
> defaultComputerGid="553"
> skeletonDir="/etc/skel"
> defaultMaxPasswordAge="45"
> userSmbHome=""
> userProfile=""
> userHomeDrive="logondrive"
> userScript=""
> with_smbpasswd="0"
> smbpasswd="/usr/bin/smbpasswd"
> mk_ntpasswd="/usr/sbin/mkntpwd"
> --- End smbldap.conf ---
> --- Begin smbldap_bind.conf ---
> slaveDN="cn=Manager,dc=soil,dc=ncsu,dc=edu"
> slavePw="_hidden_"
> masterDN="cn=Manager,dc=soil,dc=ncsu,dc=edu"
> masterPw="_hidden_"
> --- End smbldap_bind.conf ---
> 
> 6. Started up the services:
> /etc/init.d/ldap start
> /etc/init.d/smb start
> 
> 7. Set the root password:
> smbpasswd -w _thepassword_
> 
> 8. Put in some test data:
> http://www.soil.ncsu.edu/tony_temp/smbtest.ldif
> 
> 9. Did a search on the LDAP DB:
> ldapsearch -x -Z -D 'cn=Manager,dc=soil,dc=ncsu,dc=edu' -b 'dc=soil,dc=ncsu,dc=edu' -W '(objectclass=*)'
> Results: http://www.soil.ncsu.edu/tony_temp/ldapsearch.out
> 
> 10. Set the root user password:
> smbldap-passwd root
> 
> 11. Changed the local security policy on the Windows XP machine:
> Domain member: Digitally encrypt or sign secure data channel (always)     Disabled
> Domain member: Digitally encrypt secure data channel (when possible)      Disabled
> Domain member: Digitally sign secure data channel (when possible)         Disabled
> 
> 12. Tried to join the domain through a Windows XP machine and got this 
> error when using root user:
> The following error occurred when attempting to join the domain 
> "testdomain":
> The user name could not be found.
> 
> 13. Tried to navigate to the domain via my network places and was 
> successful.
> 



Tony,

    Please be sure that the account you are using to add the machines to 
the domain has a uidNumber of '0'.   That is the only factor that was 
holding me back.


thanks,
    Joshua
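A way to verify Joshua's uidNumber requirement before retrying the join, as an added check that is not part of this thread: it parses the LDIF that an `ldapsearch` like the one in step 9 prints and reports whether the joining account has uidNumber 0 and a sambaSamAccount object class. The sample LDIF is constructed, not the poster's directory.

```python
"""Added check, not from the thread: parse LDIF as printed by
`ldapsearch -x -Z ... '(objectclass=*)'` and report whether the account
used for the join has uidNumber 0 and a sambaSamAccount object class.
SAMPLE_LDIF below is constructed, not the poster's directory."""
import base64

def parse_ldif(text):
    """Entries as dicts {attr(lowercase): [values]}; handles folded lines,
    '::' base64 values and '#' comments, as ldapsearch prints them."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:     # folded line: continue previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                 # trailing "" flushes last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):         # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def check_join_account(ldif_text, username):
    """Report whether uid=username meets both join prerequisites."""
    for entry in parse_ldif(ldif_text):
        if username in entry.get("uid", []):
            uid_number = entry.get("uidnumber", [None])[0]
            classes = {c.lower() for c in entry.get("objectclass", [])}
            return {"found": True, "uidNumber": uid_number,
                    "is_uid_zero": uid_number == "0",
                    "has_sambasamaccount": "sambasamaccount" in classes}
    return {"found": False, "uidNumber": None, "is_uid_zero": False, "has_sambasamaccount": False}

SAMPLE_LDIF = """\
dn: uid=root,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
uid: root
uidNumber: 0

dn: uid=alice,ou=People,dc=example,dc=com
objectClass: sambaSamAccount
uid: alice
uidNumber: 1000
"""
```

Feed it the output of the real `ldapsearch` in place of `SAMPLE_LDIF`; an account with `found` but not `is_uid_zero` is the case Joshua describes.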

