[Samba] W2k joining a domain controlled by samba 3.0.2a (PDC)
bgmilne at obsidian.co.za
Tue May 11 11:45:46 GMT 2004
On Tue, 11 May 2004, Rafal Pietrak wrote:
> Hi all,
> I've just set up a samba(PDC)+ldap-(no)winbind and it works OK for W98
> clients, but W2K client isn't able to join the domain.
> my checklist:
> 1. ldap works:
> example$ ldapsearch -LL -x -b 'ou=KAROWA' -s sub
> **ldap*> dn: uid=lenec,ou=People,ou=KAROWA
> **ldap*> uid: lenec
> **ldap*> objectClass: sambaSamAccount
> **ldap*> objectClass: posixAccount
> **ldap*> objectClass: account
> **ldap*> sambaAcctFlags: [U ]
> **ldap*> sambaSID: S-1-5-21-3658755377-320826499-3197562212-1081
> **ldap*> sambaPrimaryGroupSID: S-1-5-21-3658755377-320826499-3197562212-512
> 2. libnss-ldap works:
> example$ getent passwd ; getent group
> **pass*> lenec:x:1081:513:User Lenec:/home/lenec:/bin/false
> **pass*> MORIA$:x:121:65534:Komputer MORIA:/root:/bin/false
> **group*> domainadmins:x:512:lenec
> **group*> domainguests:x:514:501
> **group*> domainusers:x:513:
> 3. pam-ldap works: user 'lenec' can access samba shares AND can change his
> password from a W98 client machine while logged in to 'domain' (a
> three-field login window when logging into W98).
> Now, when I test this with W2K: selecting "My_Comp->
> (right-click)Propert-> Network_ident-> (second-button-from-top)Properties
> ->(lower-box/I-select)Domain=WORKGROUP"; I'm asked then for a domain
> administrator login and password. So, the questions are:
> (I) Who is this?
It needs to be someone who can create accounts via your 'add user' etc.
> Where in SAMBA configuration do I tell samba that THIS is the
> domain administrator (capable of doing the above)? (In my 'best guess', I
> have made user lenec a member of "domainadmins" with rid=512, but maybe
> it has nothing to do with admin privileges?).
Well, if you use the smbldap-tools, then you would ensure that the group
domainadmins has read permission on smbldap_conf.pm and execute+read
rights on the smbldap scripts and module. And, of course, the LDAP dn in
the smbldap_conf.pm needs to have sufficient access to the LDAP server.
> (II) Then, in samba logfiles (at the end of the e-mail - excerpts, the
> whole thing is 1MB) I can see that samba at certain points fails to
> accept 'somebody's' credentials. I cannot figure out whose credentials they
> are, and how to change it :(.
> But, I also tried to add the workstation account directly at samba BEFORE
> I try to execute the above at the workstation itself. The result is:
> example$ getent passwd WYDAWNIC-LDC0LG\$
> **pass*> WYDAWNIC-LDC0LG$:x:60000:65534:Komputer \
> to no avail - the W2K still gets declined by samba.
> Any clue what's wrong here?
Samba needs to be able to change the workstation's trust account password
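An added check, not part of either message, for the permission requirement the reply spells out: the group that is allowed to join workstations must be able to read smbldap_conf.pm and read+execute the smbldap-* scripts. The directory holding the tools and the group name are assumptions supplied by the caller; it relies on GNU stat (Linux).

```shell
# Added example, not code from the thread: audit the file modes the reply
# asks for, i.e. that the domain-admins group can read smbldap_conf.pm and
# read+execute the smbldap-* scripts. DIR and GROUP are caller assumptions.

# group_bits FILE GROUP: print the rwx triplet that applies to GROUP (name or
# gid): the group triplet if FILE belongs to GROUP, else the "other" triplet.
# Supplementary groups and POSIX ACLs are not considered.
group_bits() {
    if [ "$(stat -c '%G' "$1")" = "$2" ] || [ "$(stat -c '%g' "$1")" = "$2" ]; then
        stat -c '%A' "$1" | cut -c5-7
    else
        stat -c '%A' "$1" | cut -c8-10
    fi
}

# has_access FILE GROUP NEED (NEED is "r" or "rx"); returns 0 when satisfied.
has_access() {
    [ -e "$1" ] || return 1
    case $3:$(group_bits "$1" "$2") in
        r:r*|rx:r?x) return 0 ;;
    esac
    return 1
}

# audit_smbldap DIR GROUP: check DIR/smbldap_conf.pm (read) and every
# DIR/smbldap-* script (read+execute). Prints one line per file and returns
# the number of failures, so 0 means the reply's requirements are met.
audit_smbldap() {
    dir=$1; group=$2; fails=0
    if has_access "$dir/smbldap_conf.pm" "$group" r; then
        echo "ok       $dir/smbldap_conf.pm readable by $group"
    else
        echo "PROBLEM  $dir/smbldap_conf.pm not readable by $group"; fails=$((fails + 1))
    fi
    # The file carries the LDAP bind credentials, so flag world-readability.
    case $(stat -c '%A' "$dir/smbldap_conf.pm" 2>/dev/null) in
        ???????r*) echo "WARNING  $dir/smbldap_conf.pm is world-readable" ;;
    esac
    for f in "$dir"/smbldap-*; do
        [ -e "$f" ] || continue            # glob matched nothing
        if has_access "$f" "$group" rx; then
            echo "ok       $f"
        else
            echo "PROBLEM  $f needs r+x for $group"; fails=$((fails + 1))
        fi
    done
    return $fails
}
```

Run it as `audit_smbldap /path/to/smbldap-tools domainadmins`; a non-zero exit code tells you how many files still block the join.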