[Samba] Re: Samba 3.0.3 on FC2: windows machine cannot join domain

Tony Fugere tony_fugere at ncsu.edu
Thu Sep 23 18:11:33 GMT 2004


After, oh, six months of attempts here and there to read everyone's 
experiences with Samba/LDAP and inability for a windows 2000/XP machine 
to join the domain, I finally discovered what was not working properly.

In my smb.conf I put:

   add machine script = /usr/local/sbin/smbldap-useradd -w "%u"

As instructed by many How-to's and Idealx. However, I thought to myself, 
%m means machine name, right? So I changed the .conf to:

   add machine script = /usr/local/sbin/smbldap-useradd -w "%m"

Restarted Samba and tried to join the domain and VOILA! Just thought I'd 
let the community know so that when people in my previous position 
search Google for this subject they'll find this answer.

As of this e-mail, I'm using Samba 3.0.7, OpenLDAP 2.1.29, and 
Smbldap-tools 0.8.5.

-- 
Tony Fugere
tony_fugere at ncsu.edu
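The fix above comes down to one substitution variable: Samba expands %m to the joining client's NetBIOS name and %u to the Unix user of the current session, so a machine account script fed "%u" never gets a machine name. As an added example (not from the original post or from Samba), here is a small smb.conf lint that flags that mistake and also reports a parameter set twice with conflicting values in [global], as the posted config does with "ldap delete dn"; the sample text is a constructed excerpt of the poster's file.

```python
"""Lint a Samba smb.conf for the 'add machine script' mistake described
above.  Added example; not code from the original post or from Samba."""
import re

# Constructed sample mirroring the relevant lines of the poster's [global].
BROKEN_CONF = """
[global]
   workgroup = testdomain
   ldap delete dn = no
   add user script = /usr/local/sbin/smbldap-useradd -m "%u"
   add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
   ldap delete dn = Yes
[netlogon]
   path = /usr/local/samba/lib/netlogon
"""

def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}, keeping duplicates in order."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue  # blank line or comment
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def lint_smb_conf(text):
    """Return a list of findings for the [global] section."""
    findings = []
    params = parse_smb_conf(text).get("global", [])
    for key, value in params:
        # %m is the client's NetBIOS name, %u the Unix user; a machine
        # account must be created from %m.
        if key == "add machine script" and "%u" in value and "%m" not in value:
            findings.append("add machine script uses %u; machine name is %m")
    seen = {}
    for key, value in params:
        if key in seen and seen[key].lower() != value.lower():
            findings.append(f"{key} set twice with conflicting values: "
                            f"{seen[key]!r} then {value!r} (last one wins)")
        seen.setdefault(key, value)
    return findings
```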

I wrote:

I'm using Samba 3.0.3 on Fedora Core 2 with OpenLDAP 2.1.29 for a 
backend. I'm getting the typical "The user name could not be found." 
error upon trying to join a Windows box. I've gone through every digest 
on lists.samba.org and other sites and nothing has worked yet. Any 
suggestions?

Here's what I've done so far:

1. Installed everything via RPMS:
[root at smbtest root]# rpm -qa | grep openldap
openldap-2.1.29-1
openldap-clients-2.1.29-1
openldap-servers-2.1.29-1
openldap-devel-2.1.29-1
[root at smbtest root]# rpm -qa | grep samba
samba-3.0.3-5
samba-client-3.0.3-5
samba-common-3.0.3-5
samba-swat-3.0.3-5
[root at smbtest root]# rpm -qa | grep smbldap
smbldap-tools-0.8.4-1.1.fc2.dag
[root at smbtest root]#

2. Made my SSL certificates and put them in /var/ssl.

3. Made my slapd.conf:
--- Start slapd.conf ---
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

allow bind_v2

password-hash {SSHA}

pidfile /var/run/slapd.pid

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /var/ssl/cacert.pem
TLSCertificateFile /var/ssl/ldapcrt.pem
TLSCertificateKeyFile /var/ssl/ldapkey.pem
TLSVerifyClient 0

security ssf=1 update_ssf=112 simple_bind=64

access to dn=".*,dc=soil,dc=ncsu,dc=edu" attr=userPassword
        by dn="cn=Manager,dc=soil,dc=ncsu,dc=edu" write
        by self write
        by * auth
access to dn=".*,dc=soil,dc=ncsu,dc=edu" attr=mail
        by dn="cn=Manager,dc=soil,dc=ncsu,dc=edu" write
        by self write
        by * auth
access to dn=".*,ou=People,dc=soil,dc=ncsu,dc=edu"
        by * read
access to dn=".*,dc=soil,dc=ncsu,dc=edu"
        by self write
        by * read

database        ldbm
suffix          "dc=soil,dc=ncsu,dc=edu"
rootdn          "cn=Manager,dc=soil,dc=ncsu,dc=edu"
rootpw          _thepassword_

directory       /var/lib/ldap

index objectClass,uid,uidNumber,gidNumber,memberUid     eq
index cn,mail,surname,givenname                         eq,subinitial
--- End slapd.conf ---

4. Made the smb.conf:
--- Start smb.conf ---
[global]

   ; Basic server settings
   workgroup = testdomain
   netbios name = smbtest
   server string = Samba Server %v
   security = user
   allow trusted domains = yes

   log level = 0
   log file = /var/log/samba/log.%m
   max log size = 50

   domain logons = Yes
   os level = 65
   local master = yes
   domain master = yes
   preferred master = yes
   encrypt passwords = yes

   passwd program = /usr/local/sbin/smbldap-passwd %u
   passwd chat = *new*password* %n\n *new*password* %n\n *successfully*
   unix password sync = yes

   ; User and Machine Account Backends
   ldap ssl = start_tls
   passdb backend = ldapsam:ldap://smbtest.soil.ncsu.edu:389
   ldap suffix = dc=soil,dc=ncsu,dc=edu
   ldap admin dn = cn=Manager,dc=soil,dc=ncsu,dc=edu
   ldap delete dn = no
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   admin users = administrator

   socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

   ; where to store user profiles
   logon home =
   logon path =

   ldap delete dn = Yes
   add user script = /usr/local/sbin/smbldap-useradd -m "%u"
   add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
   add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
   add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
   delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
   set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
   delete user script = /usr/local/sbin/smbldap-userdel "%u"
   delete group script = /usr/local/sbin/smbldap-groupdel "%g"

[netlogon]
   comment = Network Logon Service
   path = /usr/local/samba/lib/netlogon
   read only = yes
   write list = dom_admins

[Homes]
    username = tfugere
    writeable = Yes
    force create mode = 0770
    force directory mode = 02770
    browseable = No
--- End smb.conf ---

5. Made my smbldap*.conf:
--- Start smbldap.conf ---
UID_START="1000"
GID_START="1000"
SID="S-1-5-21-2625200706-2048882972-3065312840"
slaveLDAP="smbtest.soil.ncsu.edu"
slavePort="389"
masterLDAP="smbtest.soil.ncsu.edu"
masterPort="389"
ldapTLS="1"
verify="require"
cafile="/var/ssl/cacert.pem"
clientcert="/var/ssl/ldapcrt.pem"
clientkey="/var/ssl/ldapkey.pem"
suffix="dc=soil,dc=ncsu,dc=edu"
usersdn="ou=People,dc=soil,dc=ncsu,dc=edu"
computersdn="ou=Computers,dc=soil,dc=ncsu,dc=edu"
groupsdn="ou=Groups,dc=soil,dc=ncsu,dc=edu"
scope="sub"
hash_encrypt="SSHA"
userLoginShell="/bin/bash"
userHomePrefix="/home/"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="553"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome=""
userProfile=""
userHomeDrive="logondrive"
userScript=""
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
mk_ntpasswd="/usr/sbin/mkntpwd"
--- End smbldap.conf ---
--- Begin smbldap_bind.conf ---
slaveDN="cn=Manager,dc=soil,dc=ncsu,dc=edu"
slavePw="_hidden_"
masterDN="cn=Manager,dc=soil,dc=ncsu,dc=edu"
masterPw="_hidden_"
--- End smbldap_bind.conf ---

6. Started up the services:
/etc/init.d/ldap start
/etc/init.d/smb start

7. Set the root password:
smbpasswd -w _thepassword_

8. Put in some test data:
http://www.soil.ncsu.edu/tony_temp/smbtest.ldif

9. Did a search on the LDAP DB:
ldapsearch -x -Z -D 'cn=Manager,dc=soil,dc=ncsu,dc=edu' -b 'dc=soil,dc=ncsu,dc=edu' -W '(objectclass=*)'
Results: http://www.soil.ncsu.edu/tony_temp/ldapsearch.out

10. Set the root user password:
smbldap-passwd root

11. Changed the local security policy on the Windows XP machine:
Domain member: Digitally encrypt or sign secure data channel (always)      Disabled
Domain member: Digitally encrypt secure data channel (when possible)       Disabled
Domain member: Digitally sign secure data channel (when possible)          Disabled

12. Tried to join the domain through a Windows XP machine and got this 
error when using root user:
The following error occurred when attempting to join the domain 
"testdomain":
The user name could not be found.

13. Tried to navigate to the domain via my network places and was 
successful.

-- 
Tony Fugere
tony_fugere at ncsu.edu