[Samba] Can't login to Samba PDC

Scott Gross SGross at newsgroupwest.com
Mon Mar 1 19:07:24 GMT 2004


Sorry, when I was hitting reply I thought it was going back to the list not
just to you.  I wasn't paying attention to the address line in the e-mail.

I'm not using the windows wizard to join the domain but I am doing the join
from the windows workstation.  I'm not big on some of the wizards so I use
the change button (from windows XP computer name screen) or the properties
button (from Win2K network identification screen).  The computer is being
added to the _COMPUTERS_ container in my LDAP with the appropriate trailing
$ (uid=fife3400sales02$,ou=_COMPUTERS_).  The domain portion of all SIDs is
the same (User-Group-Computer-sambaDomainName).  When the workstation tries
to authenticate the user I can see the connection to IPC$ on the samba
server.  'uid=root,ou=_USERS_' is a sambaSamAccount and is a member of
'cn=Domain Users,ou=_GROUPS_'.   I did just notice that 'cn=Domain
Computers,ou=_GROUPS_' doesn't have any members in it.  Do I need to add the
computers to this group?

> -----Original Message-----
> From: Craig White [mailto:craigwhite at azapple.com]
> Sent: Monday, March 01, 2004 10:16 AM
> To: Scott Gross
> Cc: samba at lists.samba.org
> Subject: RE: [Samba] Can't login to Samba PDC
> 
> On Mon, 2004-03-01 at 10:42, Scott Gross wrote:
> > First thing is what list do you keep talking about?  Am I not supposed to
> > be asking about Samba things in this list?
> >
> ---
> The Samba list is the list I am specifically referring to. Every time you
> hit the 'reply' button, it replies only to me. If you hit 'reply to all'
> it will also reply to the samba list. Every reply I have hit, I have
> added the samba at lists.samba.org to the address because you seem to only
> want to reply to me. Thus, you would be asking Samba things to the samba
> list if you would only include the samba list in your replies.
> ---
> > Second is the domain names are different.  That is how you can tell which
> > domain you are logging into.  Why don't you try helping with the problem or
> > let someone else if you don't want to.
> >
> ---
> I would be happy to let someone else help you - you have to actually
> post to the list instead of just emailing me.
> 
> If the domain names are different, then your usage of the term migrate
> in your original email was misleading and I'm sorry it took me 4 emails
> to get this information out of you.
> 
> Evidently, the method you are using to 'join' the domain with the
> computer isn't functioning properly. Are you putting the computer
> accounts in the 'People' container? Is root a samba member? Do you use
> the Win2K/WinXP wizard to join the domain?
> 
> Craig
> 
> >
> > > -----Original Message-----
> > > From: Craig White [mailto:craigwhite at azapple.com]
> > > Sent: Monday, March 01, 2004 9:43 AM
> > > To: Scott Gross
> > > Cc: samba at lists.samba.org
> > > Subject: RE: [Samba] Can't login to Samba PDC
> > >
> > > First thing is...please keep this on list
> > >
> > > Second thing is...if NT is a PDC, then machine accounts should be
> > > created on that system - You can't simultaneously have a Windows &
> > > Samba PDC/BDC of any combination. How would you be sure which machine is
> > > getting the machine accounts and which machine is handling the
> > > authentication?
> > >
> > > Craig
> > >
> > > On Mon, 2004-03-01 at 09:48, Scott Gross wrote:
> > > > First thing is first.  I need to be able to join a machine to the domain and
> > > > be able to login to the domain.   This is just to test and make sure the new
> > > > Samba server is working.  This is the problem I'm having and what I'm
> > > > looking for help on.  Not how to migrate my users.
> > > >
> > > > > -----Original Message-----
> > > > > From: Craig White [mailto:craigwhite at azapple.com]
> > > > > Sent: Monday, March 01, 2004 8:52 AM
> > > > > To: Scott Gross
> > > > > Cc: samba at lists.samba.org
> > > > > Subject: RE: [Samba] Can't login to Samba PDC
> > > > >
> > > > > Please keep this on list...
> > > > >
> > > > > The logical thing to do would be to keep your NT server as the PDC. Set
> > > > > up samba not to be a domain controller at all but as a member server to
> > > > > the domain (join that machine to the domain - using password server =
> > > > > PDC / security = domain and net join ...)
> > > > >
> > > > > That way, you can create all of the users, join all the machines, set up
> > > > > roaming profiles (on the 'member' server) and get all ready. Then, when
> > > > > you are ready, you can do the net rpc vampire command and suck all of
> > > > > the user accounts/machine accounts/groups into your LDAP.
> > > > >
> > > > > Craig
> > > > >
> > > > > On Mon, 2004-03-01 at 09:34, Scott Gross wrote:
> > > > > > I was planning to do each machine manually rather than using scripts to move
> > > > > > the users as I have to change a lot of things on the users PC to keep them
> > > > > > running after I move them to the new domain.  So my intention was to join
> > > > > > the computer to the new domain, add the user to the Samba domain then
> > > > > > configure their PC for the new e-mail system and such.  I have to do about
> > > > > > 100 workstations in many different locations and a slow change over with no
> > > > > > problems is preferable to a faster one where users might experience
> > > > > > problems.
> > > > > >
> > > > > > This having been said I'm still having problems that after I join the
> > > > > > workstation to the new domain I can't login to it.
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: Craig White [mailto:craigwhite at azapple.com]
> > > > > > > Sent: Friday, February 27, 2004 9:33 PM
> > > > > > > To: Scott Gross
> > > > > > > Cc: samba at lists.samba.org
> > > > > > > Subject: RE: [Samba] Can't login to Samba PDC
> > > > > > >
> > > > > > > Let's keep this on list - there are a lot brighter people than I am on
> > > > > > > this stuff...
> > > > > > >
> > > > > > > On Fri, 2004-02-27 at 19:58, Scott Gross wrote:
> > > > > > >
> > > > > > > > 3 - migrate? as in net rpc vampire? - how certain are you that LDAP is
> > > > > > > > working? Does LDAP handle linux login? Are you logging ldap connections
> > > > > > > > etc?
> > > > > > > >
> > > > > > > > migrate as in move from one to the other.  I'm trying to get the Samba
> > > > > > > > server running while we're using NT4 and then I will move my users and
> > > > > > > > workstations to the new domain.  I'm going to move them one machine and user
> > > > > > > > at a time manually.  Yes LDAP handles the linux logins as well and this is
> > > > > > > > working.  I haven't set-up the LDAP to log the logins but this is something
> > > > > > > > I want to do as well.
> > > > > > > ----
> > > > > > > OK - I am trying to understand what you are telling me.
> > > > > > >
> > > > > > > I can't possibly envision a scenario that you can make this work -
> > > > > > > moving one computer and one user over at a time. The computer accounts
> > > > > > > continually change their passwords.
> > > > > > >
> > > > > > > This is what the net rpc vampire command is designed to do, move the
> > > > > > > machine accounts, user accounts and group accounts over to new setup
> > > > > > > while still retaining all the SID structure. It indeed works - I know
> > > > > > > because I did it.
> > > > > > >
> > > > > > > That is not to say that it is without its problems but it is - the
> > > > > > > intended method and I learned a long time ago about the benefit to
> > > > > > > calculate wind direction before I start peeing.
> > > > > > >
> > > > > > > If you really feel as though you have LDAP set up properly - it appears
> > > > > > > that you have a grasp on it since you can run ldapsearch from command
> > > > > > > line (I am shocked at the number of people that think they have LDAP
> > > > > > > running and can't query LDAP), then you really should just slapcat your
> > > > > > > current setup, dump it, slapadd the stuff you need into LDAP and use the
> > > > > > > net rpc vampire and suck it all in. You should have no problem getting
> > > > > > > it to simultaneously add the posixAccount & sambaSamAccount properties -
> > > > > > > the only things that you may have to reconcile are 1 - existing accounts
> > > > > > > in posixland that you want to be both posix & samba (perhaps you have
> > > > > > > overlap and different passwords/uid's) and 2 - It's hard to pull the
> > > > > > > plug on the existing NT 4 server because it probably has file & print
> > > > > > > shares that you wanna keep around...try shutting off the netlogon
> > > > > > > service AFTER - you change the settings in smb.conf to make it PDC like
> > > > > > > and restarting smbd/nmbd. It will still be mostly functional
> > > > > > >
> > > > > > > Craig
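
Added example, not part of the original thread and not Samba project code: a script that checks, over an LDIF export, the two properties the top message describes verifying by hand, namely that every sambaSID shares the domain SID prefix and that workstation accounts carry the trailing $. The base DN, the SID values and the deliberately mismatched workstation SID are constructed; the attribute names (sambaSID, sambaAcctFlags, sambaDomain) are those of the Samba 3 LDAP schema, and the input is assumed to be unfolded LDIF without base64 values.

```python
# Constructed LDIF (made-up base DN and SIDs); the workstation SID is wrong on purpose.
SAMPLE_LDIF = """\
dn: sambaDomainName=EXAMPLEDOM,dc=example,dc=com
objectClass: sambaDomain
sambaSID: S-1-5-21-1111111111-2222222222-3333333333

dn: uid=root,ou=_USERS_,dc=example,dc=com
objectClass: sambaSamAccount
uid: root
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1000
sambaAcctFlags: [U          ]

dn: uid=fife3400sales02$,ou=_COMPUTERS_,dc=example,dc=com
objectClass: sambaSamAccount
uid: fife3400sales02$
sambaSID: S-1-5-21-1111111111-2222222222-9999999999-3005
sambaAcctFlags: [W          ]
"""

def parse_ldif(text):
    """Parse unfolded LDIF into a list of {attribute: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            entry.setdefault(key, []).append(value)
        entries.append(entry)
    return entries

def check(entries):
    """Return (dn, problem) pairs for SID-prefix and machine-account naming errors."""
    domain_sid = next(e["sambaSID"][0] for e in entries if "sambaDomain" in e["objectClass"])
    findings = []
    for e in entries:
        dn = e["dn"][0]
        for sid in e.get("sambaSID", []):
            # Only domain-relative SIDs (S-1-5-21-...) are expected to carry the prefix.
            if sid.startswith("S-1-5-21-") and sid != domain_sid \
                    and sid.rsplit("-", 1)[0] != domain_sid:
                findings.append((dn, "sambaSID is outside domain " + domain_sid))
        if "sambaAcctFlags" in e:
            is_machine = "W" in e["sambaAcctFlags"][0]
            if is_machine != e.get("uid", [""])[0].endswith("$"):
                findings.append((dn, "trailing $ and [W] account flag disagree"))
    return findings

if __name__ == "__main__":
    print(check(parse_ldif(SAMPLE_LDIF)))
```
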

