[Samba] Cannot Join Domain unless I use username Root - 3.0.2.a tdbsam

Mike Young mikey at e-mage.com.au
Mon Mar 22 00:55:03 GMT 2004


I am unable to get a client to join a domain unless I log in and join as
root. The workstation errors with username or password incorrect. However I
notice that if I then immediately go to the network neighborhood I can
actually see the domain and navigate all its resources (shares / printers
etc).

I am running samba3.0.2a on redhat 8 and have both winXP and win2K
clients. I have a unix & samba user called "administrator" that belongs to
both the usergroup "ntadmins" and "root". The group mappings work
correctly as once I have joined the domain as root and then logged on as
administrator, administrator has Domain Admin privileges.

I am currently manually adding the machines to the backend database by
issuing the following commands:

useradd -g 100 -d /dev/null -c "description" -s /bin/false machine_name$
pdbedit -a -m -u machine_name

I then go to the relevant client and use the control panel / system / join
domain functionality to try and register with the domain. I only seem to
be able to register with the domain if I use user ROOT and not
administrator.


I would greatly oblige any ideas on this - Is it a bug or have I got
something wrong with my configuration?

Here is the relevant configuration information:

Unix groups:

GrpName       GID
========      ====
ntadmins      702
administrator 703

Unix users:

UsrName       GID  Primary Group  Groups
========      ==== ============   =======================
administrator 603  ntadmins       users,root,administrator


> net groupmap list

System Operators (S-1-5-32-549) -> -1
Replicators (S-1-5-32-552) -> -1
Guests (S-1-5-32-546) -> -1
Domain Admins (S-1-5-21-2420991726-2856996462-1657861143-512) -> ntadmins
Domain Guests (S-1-5-21-2420991726-2856996462-1657861143-514) -> nobody
Power Users (S-1-5-32-547) -> -1
Print Operators (S-1-5-32-550) -> -1
Administrators (S-1-5-32-544) -> -1
Account Operators (S-1-5-32-548) -> -1
Domain Users (S-1-5-21-2420991726-2856996462-1657861143-513) -> users
Backup Operators (S-1-5-32-551) -> -1
Users (S-1-5-32-545) -> -1

> pdbedit -l -v

------- snip -------
Unix username:        root
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-2420991726-2856996462-1657861143-1000
Primary Group SID:    S-1-5-21-2420991726-2856996462-1657861143-1001 
Full Name:            root
Home Directory:       \\juan\root
HomeDir Drive:        H:
Logon Script:         logon.bat
Profile Path:         \\juan\profiles\root\0.0.0.0 
Domain:               E-MAGE
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Sat, 14 Dec 1901 07:45:51 GMT 
Kickoff time:         Sat, 14 Dec 1901 07:45:51 GMT 
Password last set:    Sun, 21 Mar 2004 18:37:01 GMT 
Password can change:  Sun, 21 Mar 2004 18:37:01 GMT 
Password must change: Sat, 14 Dec 1901 07:45:51 GMT 
---------------
Unix username:        dimension$
NT username:
Account Flags:        [W          ]
User SID:             S-1-5-21-2420991726-2856996462-1657861143-2216
Primary Group SID:    S-1-5-21-2420991726-2856996462-1657861143-515
Full Name:            dimension XP
Home Directory:       \\juan\dimension_
HomeDir Drive:        H:
Logon Script:         logon.bat
Profile Path:         \\juan\profiles\dimension_\0.0.0.0
Domain:               E-MAGE
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Sat, 14 Dec 1901 07:45:51 GMT
Kickoff time:         Sat, 14 Dec 1901 07:45:51 GMT
Password last set:    Fri, 05 Mar 2004 09:16:24 GMT
Password can change:  Fri, 05 Mar 2004 09:16:24 GMT
Password must change: Sat, 14 Dec 1901 07:45:51 GMT
---------------
Unix username:        dimension-w2k$
NT username:
Account Flags:        [W          ]
User SID:             S-1-5-21-2420991726-2856996462-1657861143-2220
Primary Group SID:    S-1-5-21-2420991726-2856996462-1657861143-515
Full Name:            dimension 2k
Home Directory:       \\juan\dimension-w2k_
HomeDir Drive:        H:
Logon Script:         logon.bat
Profile Path:         \\juan\profiles\dimension-w2k_\0.0.0.0
Domain:               E-MAGE
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Sat, 14 Dec 1901 07:45:51 GMT
Kickoff time:         Sat, 14 Dec 1901 07:45:51 GMT
Password last set:    Sun, 21 Mar 2004 18:41:16 GMT
Password can change:  Sun, 21 Mar 2004 18:41:16 GMT
Password must change: Sat, 14 Dec 1901 07:45:51 GMT
---------------
Unix username:        administrator
NT username:
Account Flags:        [U          ]
User SID:             S-1-5-21-2420991726-2856996462-1657861143-2206
Primary Group SID:    S-1-5-21-2420991726-2856996462-1657861143-512
Full Name:            wrkgrp domain administrator
Home Directory:       \\juan\administrator
HomeDir Drive:        H:
Logon Script:         logon.bat
Profile Path:         \\juan\profiles\administrator\0.0.0.0
Domain:               E-MAGE
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Sat, 14 Dec 1901 07:45:51 GMT
Kickoff time:         Sat, 14 Dec 1901 07:45:51 GMT
Password last set:    Fri, 05 Mar 2004 09:08:19 GMT
Password can change:  Fri, 05 Mar 2004 09:08:19 GMT
Password must change: Sat, 14 Dec 1901 07:45:51 GMT

------- snip -------

> cat smb.conf
[global]
    workgroup = e-mage
    netbios name = JUAN
    server string = %h server (Samba %v)

    log file = /var/log/samba/log.%m
    max log size = 1000
    syslog = 0

    client lanman auth = No
    client plaintext auth = No

    wins support = Yes
    domain master = yes
    local master = yes
    preferred master = yes
    os level = 65
    security = user
    time server = yes

    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_KEEPALIVE SO_RCVBUF=8192 SO_SNDBUF=8192

    preserve case = yes
    short preserve case = yes

    encrypt passwords = true
    passdb backend = tdbsam
    domain logons = yes
    guest account = nobody
    unix password sync = yes


    logon path = \\%L\profiles\%U\%M
    logon script = logon.bat
    logon drive = H:

    add machine script = /usr/sbin/adduser --home /dev/null --ingroup machines --shell /bin/false --no-create-home --disabled-login --gecos "SAMBA Machine Account" --force-badname "%u"

    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter*new*UNIX*password:* %n\n *Retype*new*UNIX*password:*%n\n *passwd:*password*updated*successfully*
    passwd chat debug = yes

    add user script = /usr/sbin/adduser --shell /dev/null --quiet --disabled-login --gecos "Samba user" %u
    delete user script = /usr/sbin/deluser --remove-home --remove-all-files --backup %u

    add group script = /usr/local/samba/bin/addgroup.sh "%g"
    delete group script = /usr/sbin/delgroup "%g"

    add user to group script = /usr/sbin/adduser %u "%g"
    delete user from group script = /usr/sbin/deluser %u "%g"
    set primary group script = /usr/sbin/usermod -g "%g" %u

    load printers = yes
    show add printer wizard = yes
    printcap name = /etc/printcap
    printing = cups
    use client driver = no

[netlogon]
    comment = Network Logon Service
    ;Needed for a PDC
    path = /home/samba_cfg/netlogon
    writable = no
    read only = no
    browsable = no
    share modes = no
    write list = @ntadmin

[profiles]
    path = /home/samba_cfg/samba-ntprof
    browsable = no
    writable = yes
    create mask = 0700
    directory mask = 0700

[homes]
    comment = Home Directories
    read only = no
    browsable = no
    guest ok = no
    map archive = yes
    writable = yes
    create mask = 0700
    directory mask = 0700
    # Use virtual file systems to create a recycle bin
    vfs objects = recycle

------- snip -------
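
Added example, not part of the original post: a Python cross-check of the `net groupmap list` and `pdbedit -l -v` outputs quoted above, reporting for each passdb account whether it is a user or machine account and which mapped Unix group its Primary Group SID resolves to. The sample text is constructed by trimming the post's own output (including one mail-wrapped groupmap entry); the function names are hypothetical.

```python
import re

# Constructed samples, trimmed from the outputs quoted in the post.
GROUPMAP = """\
Administrators (S-1-5-32-544) -> -1
Domain Admins (S-1-5-21-2420991726-2856996462-1657861143-512) -> ntadmins
Account Operators (S-1-5-32-548) -> -1 Domain Users
(S-1-5-21-2420991726-2856996462-1657861143-513) -> users
"""

PDBEDIT = """\
Unix username:        root
Account Flags:        [U          ]
Primary Group SID:    S-1-5-21-2420991726-2856996462-1657861143-1001
---------------
Unix username:        dimension$
Account Flags:        [W          ]
Primary Group SID:    S-1-5-21-2420991726-2856996462-1657861143-515
---------------
Unix username:        administrator
Account Flags:        [U          ]
Primary Group SID:    S-1-5-21-2420991726-2856996462-1657861143-512
"""

# Unanchored on purpose: tolerates several mappings run together on one
# line, or a name split from its SID by a mail line wrap.
MAP_RE = re.compile(r"([A-Z][A-Za-z ]*?)\s\((S-[\d-]+)\)\s->\s(\S+)")
FIELD_RE = re.compile(r"^([^:\n]+):[ \t]*(.*?)[ \t]*$", re.M)

def parse_groupmap(text):
    """Return {sid: (nt_group, unix_group)}; unix_group is None for '-1'."""
    return {sid: (name, None if unix == "-1" else unix)
            for name, sid, unix in MAP_RE.findall(text)}

def parse_pdbedit(text):
    """Split verbose pdbedit output into one field dict per account."""
    blocks = re.split(r"^-{5,}.*$", text, flags=re.M)
    records = [dict(FIELD_RE.findall(b)) for b in blocks]
    return [r for r in records if "Unix username" in r]

def audit(groupmap_text, pdbedit_text):
    """Return {username: (account_type, nt_group, unix_group)}."""
    gmap = parse_groupmap(groupmap_text)
    result = {}
    for rec in parse_pdbedit(pdbedit_text):
        kind = "machine" if "W" in rec.get("Account Flags", "") else "user"
        nt, unix = gmap.get(rec.get("Primary Group SID", ""), (None, None))
        result[rec["Unix username"]] = (kind, nt, unix)
    return result
```

A `(kind, None, None)` result means the account's Primary Group SID has no entry in the group map that was supplied.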



