[Samba] security = ads: problem join XP Pro?

Etienne-Hugues Fortin efortin at cyberspicace.com
Wed Jun 16 00:55:40 GMT 2004

Hi Paul,

Finally, I got a new hard disk and reinstalled my XP workstation.  I'm now
able to join the domain correctly.  I've also been able to add my printer
driver on the PDC.  So, everything is working great now.

Here's my smb.conf for those who would like a working configuration of a PDC
with LDAP


workgroup = cyberspicace
netbios name = fs01
server string = fs01
socket options = TCP_NODELAY SO_SNDBUF=8192 SO_RCVBUF=8192
wins support = yes

;PDC and master browser settings
os level = 64
preferred master = yes
local master = yes
domain master = yes
domain logons = yes

;security and logging settings
security = user
encrypt passwords = yes
unix password sync = yes
passdb backend = ldapsam:ldap://<servername.domain>
username map = /etc/samba/smbusers
log level = 1
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139 445

;security - interface
interfaces = eth0 lo 127/8
bind interfaces only = yes

name resolve order = wins bcast hosts
time server = yes
load printers = yes
printcap name = cups
printing = cups
show add printer wizard = yes

;various scripts
passwd program = /var/lib/samba/sbin/smbldap-passwd.pl -o %u
passwd chat = *new*password* %n\n *new*password* %n\n *successfully*
add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'
delete user script = /var/lib/samba/sbin/smbldap-userdel.pl %u
add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'
delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl '%'g
add user to group script = /var/lib/samba/sbin/smbldap-groupmod.pl -m '%u'
delete user from group script = /var/lib/samba/sbin/smbldap-groupmod.pl -x
%u' '%g'
set primary group script = /var/lib/samba/sbin/smbldap-usermod.pl -g '%g'
add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'
logon script = scripts\logon.bat
logon path = \\%L\profiles\%U
logon drive = X:

admin users = @Domain\ Admins
printer admin = root, @Domain\ Admins

;ldap backend
ldap suffix = dc=<domainname>,dc=com
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap admin dn = cn=Manager,dc=<domainname>,dc=com
map acl inherit = Yes

include = /etc/samba/shares.conf

Where shares.conf is having

path = /tmp
hosts allow =,
hosts deny =

comment = Home Directories
;valid users = %S
writable = yes
browseable = No

comment = Network Logon Service
path = /home/samba/netlogon
guest ok = yes
writable = no
locking = no

comment = Profile Share
path = /home/samba/profiles
writable = yes
profile acls = yes
browseable = no
guest ok = yes

comment = SMB Print Spool
path = /var/spool/samba
guest ok = yes
public = yes
writable = no
printable = yes
use client driver = no
browseable = no

comment = Printer Drivers
path = /var/lib/samba/drivers
browseable = yes
guest ok = no
read only = yes
write list = administrator, root

This is a really long config file but it's working.

Thank you for your help.  It has been really appreciated.


-----Original Message-----
From: samba-bounces+efortin=cyberspicace.com at lists.samba.org
[mailto:samba-bounces+efortin=cyberspicace.com at lists.samba.org] On Behalf Of
Etienne-Hugues Fortin
Sent: June 10, 2004 08:50
To: Paul Gienger
Cc: samba at lists.samba.org
Subject: Re: [Samba] security = ads: problem join XP Pro?

Hi Paul,

> Where are you getting with adding the machines?  You should get a posix
> user added with machinename$ for the uid, then that user will be
> modified to include the sambaSamAccount data.

That's what I got when I tried joining the domain while security was set
to domain.  However, I've not been able to retest this with security set
to user as you suggested.  My test workstation hard disk crashed
yesterday.  I'm expecting my replacement drive tomorrow so I should be
able to test this during the weekend.

> I would suggest these for 'official' resources:
> http://us2.samba.org/samba/docs/man/howto/samba-pdc.html*
> *and
> http://us2.samba.org/samba/docs/man/guide/
> **

I'll have a look at those.  Until now, I've use the Samba by example and
that's where I got the security = ads which seems to be the cause of my

> there are a couple  of comments below:

Yes, the smbldap-tools are installed and working.  I've also setted the
secret with smbpasswd -w.  As I said, the join worked after I tried
security = domain.  I'm pretty sure it will work as well with security =
user.  I just have to wait for my new hard disk...

I'll keep you posted as soon as I'm having tested it.

Have a nice day.


To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba

More information about the samba mailing list