[Samba] Re: Can join domain; can't logon

Chris St. Pierre stpierre at NebrWesleyan.edu
Thu Oct 7 19:19:54 GMT 2004


An update:  I managed to get a domain entry added to my LDAP directory.
Still got the same error.  Googled for it; found out that I had to put
my machine trust accounts in ou=people instead of ou=machines.  Did
so.  Still get the same message from Windows:

>>> "The system cannot log you on to this domain because the system's
>>> computer account in its primary domain is missing or the password on
>>> that account is incorrect."

From Samba, it's the same old thing:

  get_md4pw: Workstation GUINEA-PIG$: no account in domain

What the heck does this mean?  How can I fix it?  Does Samba just hate me?

I've attached the section of the smbd log that appears to pertain to
the immediate problem.  Any insights you can offer would be greatly
appreciated.  Thank you.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
402.465.7549

On Tue, 5 Oct 2004, Chris St. Pierre wrote:

>I did verify that the account exists in LDAP. To prove it:
>
># ldapsearch -b "o=nebrwesleyan.edu,o=isp" "(&(uid=GUINEA-PIG$)(objectClass=sambaSamAccount))"
>uid=guinea-pig$,ou=machines,o=nebrwesleyan.edu,o=isp
>[...snip...]
>
>And moreover:
>
># getent passwd guinea-pig$
>guinea-pig$:x:1001:1000:guinea-pig$:/dev/null:/bin/false
>
>I am not running nscd.  The samba machine has a decidedly out-of-sync
>system clock, but I haven't bothered with it since it's only a test
>box.
>
>However!  Here's the smbd log:
>
>[2004/10/05 16:24:17, 1] lib/smbldap.c:add_new_domain_info(1289)
>  failed to add domain dn= sambaDomainName=NWU_TEST,o=nebrwesleyan.edu,o=isp with: Object class violation
>  	
>[2004/10/05 16:24:17, 0] lib/smbldap.c:smbldap_search_domain_info(1338)
>  Adding domain info for NWU_TEST failed with NT_STATUS_UNSUCCESSFUL
>[2004/10/05 16:24:20, 0] rpc_server/srv_netlog_nt.c:get_md4pw(261)
>  get_md4pw: Workstation GUINEA-PIG$: no account in domain
>[2004/10/05 16:24:20, 0] rpc_server/srv_netlog_nt.c:get_md4pw(261)
>  get_md4pw: Workstation GUINEA-PIG$: no account in domain
>
>Which alerts me to the fact that it's the creation of the domain in
>LDAP that's causing problems.  I properly installed the 3.0.7 schema
>-- as is evidenced by other things working -- but this is giving me an
>object class violation.  I cranked the log level up to 10, but it
>didn't give me much more information that was readily useful to me;
>the full 157K log is available, though, if you want it.
>
>Any ideas?  Or, if anyone has a typical LDAP domain entry I can look
>at, I can add it by hand and get more info from it.
>
>Thanks.
>
>Chris St. Pierre
>Unix Systems Administrator
>Nebraska Wesleyan University
>402.465.7549
>
>On Tue, 5 Oct 2004, Igor Belyi wrote:
>
>>Chris St. Pierre wrote:
>>> I had a problem similar to my current one a week or so ago, and I was
>>> encouraged to upgrade from Samba 2.2.9 to 3.0.7, which I did.  Now
>>> that I've completed that nightmare, the problem I initially set out to
>>> fix is still there, just different.  Namely:
>>> 
>>> I am trying to set up Samba 3.0.7 on a SuSE 9.1 box as an LDAP PDC
>>> whose only job will be authentication.  Our LDAP server is on a
>>> separate box.  I can join the domain just fine, but when I try to
>>> login via Windows, I get the following error:
>>> 
>>> "The system cannot log you on to this domain because the system's
>>> computer account in its primary domain is missing or the password on
>>> that account is incorrect."
>>> 
>>> I suspected that neither of these were the case, as I created the
>>> account with idealx's smbldap-tools.  I verified that the account is
>>> there with ldapsearch.  Last time I had this problem, Samba wasn't
>>> even communicating with LDAP, but this time it is.  When I try to
>>> login, here's what the LDAP logs show:
>>
>>smbldap-tools create posixAccounts in case you use NSS LDAP support. You
>>should verify that it's there with 'getent passwd GUINEA-PIG$'. If not - you
>>probably use passwd or shadow in which case you need to use adduser to do the
>>job.
>>
>>Besides posixAccount you should also have a Samba account as well. You should
>>look at what the responses to the LDAP requests were by looking at the SEARCH
>>RESULT lines with the same 'conn=' and 'op='. I would guess that the response was
>>'nentries=0'. And it has nothing to do with some optional attributes being
>>empty - just with the fact that there's no such entry with
>>'objectClass=sambaSamAccount'.
>>
>>It can also be a problem of nscd if you have one. Your LDAP requests are at
>>10:03 and your nmbd log extract is for 11:14 which means LDAP requests were
>>done long before Samba requests unless there's a timezone issue between the
>>machines or that their clocks are really screwed up.
>>
>>I would also recommend posting the smbd log instead of nmbd since it's smbd which
>>interacts with LDAP.
>>
>>Igor
>>
>>> [05/Oct/2004:10:03:52 -0500] conn=53576 op=7 SRCH
>>> base="o=nebrwesleyan.edu,o=isp" scope=2
>>> filter="(&(uid=GUINEA-PIG$)(objectClass=sambaSamAccount))" attrs="uid
>>> uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
>>> sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
>>> displayName sambaHomeDrive sambaHomePath sambaLogonScript
>>> sambaProfilePath description sambaUserWorkstations sambaSID
>>> sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
>>> objectClass sambaAcctFlags sambamungeddial sambabadpasswordcount
>>> sambabadpasswordtime sambapasswordhistory modifyTimestamp
>>> sambalogonhours modifyTimestamp"
>>> [05/Oct/2004:10:03:52 -0500] conn=53576 op=8 SRCH
>>> base="o=nebrwesleyan.edu,o=isp" scope=2
>>> filter="(&(uid=GUINEA-PIG$)(objectClass=sambaSamAccount))" attrs="uid
>>> uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
>>> sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
>>> displayName sambaHomeDrive sambaHomePath sambaLogonScript
>>> sambaProfilePath description sambaUserWorkstations sambaSID
>>> sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
>>> objectClass sambaAcctFlags sambamungeddial sambabadpasswordcount
>>> sambabadpasswordtime sambapasswordhistory modifyTimestamp
>>> sambalogonhours modifyTimestamp"
>>> 
>>> It searches twice for the machine trust account, which I've verified
>>> exists.  The only thing I can think of is that not all of the
>>> attributes it's asking for exist.  (In fact, a lot of them don't.)  As
>>> you can see in the attached nmbd log, though, Samba doesn't show any
>>> obvious errors.  I've also included my smb.conf (with some changes to
>>> protect my server's innocence).  Any ideas are greatly appreciated.
>>> Thanks.
>>> 
>>> Chris St. Pierre
>>> Unix Systems Administrator
>>> Nebraska Wesleyan University
>>> 402.465.7549
>>> 
>>> 
>>> ------------------------------------------------------------------------
>>> 
>>> [global]
>>> server string = test
>>> workgroup = NWU_TEST
>>> netbios name = TESTERATOR
>>> 
>>> log level = 1
>>> encrypt passwords = yes
>>> max smbd processes = 0
>>> socket options = TCP_NODELAY
>>> 
>>> add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
>>> 
>>> logon script = scripts\logon.bat
>>> logon path = \\%L\profiles\%U
>>> domain logons = yes
>>> local master = yes
>>> preferred master = yes
>>> wins server = 10.9.1.12
>>> security = user
>>> 
>>> passdb backend = ldapsam:ldap://server.nebrwesleyan.edu
>>> ldap suffix = o=nebrwesleyan.edu,o=isp
>>> ldap machine suffix = ou=Machines
>>> ldap user suffix = ou=People
>>> ldap group suffix = ou=Groups
>>> ldap filter = (uid=%u)
>>> ldap admin dn = cn=foo
>>> ldap ssl = no
>>> 
>>> idmap uid = 10000-20000
>>> idmap gid = 10000-20000
>>> 
>>> [netlogon]
>>> comment = Network Logon Service
>>> path = /var/lib/samba/netlogon
>>> guest ok = yes
>>> locking = No
>>>
>>> [profiles]
>>> comment = Profile Share
>>> path = /var/lib/samba/profiles
>>> read only = No
>>>
>>> [tmp]
>>> comment = temporary files
>>> path = /tmp
>>> read only = yes
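
The check Igor describes above (pair each SRCH with the RESULT line that shares its conn= and op=, then read nentries), as an added example that is not part of the original thread. The RESULT lines and the second connection in the sample are constructed, the SRCH lines are shortened from the ones quoted above, and the function names are hypothetical.

```python
import re

# conn/op identify one operation; SRCH is the request, RESULT the server's answer.
LINE_RE = re.compile(r'\[([^\]]+)\] conn=(\d+) op=(\d+) (SRCH|RESULT)\b(.*)')

def _field(name, text, quoted=False):
    """Return the value of name=... from the rest of a log line, or None."""
    pat = rf'{name}="([^"]*)"' if quoted else rf'{name}=(-?\d+)'
    m = re.search(pat, text)
    return m.group(1) if m else None

def pair_searches(lines):
    """Pair each SRCH with the RESULT sharing its (conn, op)."""
    pending, done = {}, []
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        ts, conn, op, kind, rest = m.groups()
        key = (int(conn), int(op))
        if kind == "SRCH":
            pending[key] = {"time": ts, "conn": key[0], "op": key[1],
                            "base": _field("base", rest, quoted=True),
                            "filter": _field("filter", rest, quoted=True)}
        elif key in pending:  # RESULT for a search already seen
            rec = pending.pop(key)
            rec["err"] = int(_field("err", rest) or -1)
            rec["nentries"] = int(_field("nentries", rest) or -1)
            done.append(rec)
    return done

def empty_samba_lookups(lines):
    """sambaSamAccount searches that the directory answered with zero entries."""
    return [r for r in pair_searches(lines)
            if "objectclass=sambasamaccount" in (r["filter"] or "").lower()
            and r["nentries"] == 0]

# Constructed sample: SRCH lines shortened from the thread, RESULT lines made up.
SAMPLE_LOG = """\
[05/Oct/2004:10:03:52 -0500] conn=53576 op=7 SRCH base="o=nebrwesleyan.edu,o=isp" scope=2 filter="(&(uid=GUINEA-PIG$)(objectClass=sambaSamAccount))" attrs="uid sambaSID"
[05/Oct/2004:10:03:52 -0500] conn=53580 op=1 SRCH base="o=nebrwesleyan.edu,o=isp" scope=2 filter="(&(objectClass=posixAccount)(uid=guinea-pig$))" attrs="uid uidNumber"
[05/Oct/2004:10:03:52 -0500] conn=53576 op=7 RESULT err=0 tag=101 nentries=0 etime=0
[05/Oct/2004:10:03:52 -0500] conn=53580 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[05/Oct/2004:10:03:52 -0500] conn=53576 op=8 SRCH base="o=nebrwesleyan.edu,o=isp" scope=2 filter="(&(uid=GUINEA-PIG$)(objectClass=sambaSamAccount))" attrs="uid sambaSID"
[05/Oct/2004:10:03:52 -0500] conn=53576 op=8 RESULT err=0 tag=101 nentries=0 etime=0
""".splitlines()

if __name__ == "__main__":
    for r in empty_samba_lookups(SAMPLE_LOG):
        print(f'{r["time"]} conn={r["conn"]} op={r["op"]} nentries=0 filter={r["filter"]}')
```

A search that returns err=0 with nentries=0 for the identity Samba binds as, while the same filter returns the entry for an administrator, points at what that bind identity is allowed to read rather than at a missing entry.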


