[Samba] Re: Samba 3.0.3 on FC2: windows machine cannot join domain
John H Terpstra
jht at samba.org
Thu Sep 23 18:55:46 GMT 2004
Tony,
I do not have any proof to contradict your information, however, the source
code suggests that this advice is perhaps suspect.
The particular module that handles automatic account creation is in
~samba/source/rpc_server/srv_samr_nt.c and specifically at line 2253.
Here is the very line that does the parameter substitution:
all_string_sub(add_script, "%u", account, sizeof(add_script));
As you can see, it is the "%u" parameter that is being substituted. Maybe I am
reading this incorrectly? However, I have performed many hundreds of
installations and have always used the "%u" parameter - and it has worked.
Given this background I respectfully suggest that we should understand
precisely what is happening in your situation by examining the samba logs for
the use of this function, first with the "%u" and again with the "%m"
parameter. You can turn up the debug level on just this module by setting
in smb.conf [globals]:
log level = 0 rpc_srv:5 sam:5
log file = /var/log/samba/%m.log
max log size = 0
Please would you test this and report the findings. If our documentation is in
error I want to fix it immediately.
Thanks so much for your input.
Cheers,
John T.
On Thursday 23 September 2004 12:11, Tony Fugere wrote:
> After, oh, six months of attempts here and there to read everyone's
> experiences with Samba/LDAP and inability for a windows 2000/XP machine
> to join the domain, I finally discovered what was not working properly.
>
> In my smb.conf I put:
>
> add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
>
> As instructed by many How-to's and Idealx. However, I thought to myself,
> %m means machine name right? So, I change the .conf to:
>
> add machine script = /usr/local/sbin/smbldap-useradd -w "%m"
>
>
> Restarted Samba and tried to join the domain and VOILA! Just thought I'd
> let the community know so that when people in my previous position
> search Google for this subject they'll find this answer.
>
> As of this e-mail, I'm using Samba 3.0.7, OpenLDAP 2.1.29, and
> Smbldap-tools 0.8.5.
>
> --
> Tony Fugere
> tony_fugere at ncsu.edu
>
> I wrote:
>
> I'm using Samba 3.0.3 on Fedora Core 2 with OpenLDAP 2.1.29 for a
> backend. I'm getting the typical "The user name could not be found."
> error upon trying to join a Windows box. I've gone through every digest
> on lists.samba.org and other sites and nothing has worked yet. Any
> suggestions?
>
> Here's what I've done so far:
>
> 1. Installed everything via RPMS:
> [root@smbtest root]# rpm -qa | grep openldap
> openldap-2.1.29-1
> openldap-clients-2.1.29-1
> openldap-servers-2.1.29-1
> openldap-devel-2.1.29-1
> [root@smbtest root]# rpm -qa | grep samba
> samba-3.0.3-5
> samba-client-3.0.3-5
> samba-common-3.0.3-5
> samba-swat-3.0.3-5
> [root@smbtest root]# rpm -qa | grep smbldap
> smbldap-tools-0.8.4-1.1.fc2.dag
> [root@smbtest root]#
>
> 2. Made my SSL certificates and put them in /var/ssl.
>
> 3. Made my slapd.conf:
> --- Start slapd.conf ---
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/samba.schema
>
> allow bind_v2
>
> password-hash {SSHA}
>
> pidfile /var/run/slapd.pid
>
> TLSCipherSuite HIGH:MEDIUM:+SSLv2
> TLSCACertificateFile /var/ssl/cacert.pem
> TLSCertificateFile /var/ssl/ldapcrt.pem
> TLSCertificateKeyFile /var/ssl/ldapkey.pem
> TLSVerifyClient 0
>
> security ssf=1 update_ssf=112 simple_bind=64
>
> access to dn=".*,dc=soil,dc=ncsu,dc=edu" attr=userPassword
> by dn="cn=Manager,dc=soil,dc=ncsu,dc=edu" write
> by self write
> by * auth
> access to dn=".*,dc=soil,dc=ncsu,dc=edu" attr=mail
> by dn="cn=Manager,dc=soil,dc=ncsu,dc=edu" write
> by self write
> by * auth
> access to dn=".*,ou=People,dc=soil,dc=ncsu,dc=edu"
> by * read
> access to dn=".*,dc=soil,dc=ncsu,dc=edu"
> by self write
> by * read
>
> database ldbm
> suffix "dc=soil,dc=ncsu,dc=edu"
> rootdn "cn=Manager,dc=soil,dc=ncsu,dc=edu"
> rootpw _thepassword_
>
> directory /var/lib/ldap
>
> index objectClass,uid,uidNumber,gidNumber,memberUid eq
> index cn,mail,surname,givenname eq,subinitial
> --- End slapd.conf ---
>
> 4. Made the smb.conf:
> --- Start smb.conf ---
> [global]
>
> ; Basic server settings
> workgroup = testdomain
> netbios name = smbtest
> server string = Samba Server %v
> security = user
> allow trusted domains = yes
>
> log level = 0
> log file = /var/log/samba/log.%m
> max log size = 50
>
> domain logons = Yes
> os level = 65
> local master = yes
> domain master = yes
> preferred master = yes
> encrypt passwords = yes
>
> passwd program = /usr/local/sbin/smbldap-passwd %u
> passwd chat = *new*password* %n\n *new*password* %n\n *successfully*
> unix password sync = yes
>
> ; User and Machine Account Backends
> ldap ssl = start_tls
> passdb backend = ldapsam:ldap://smbtest.soil.ncsu.edu:389
> ldap suffix = dc=soil,dc=ncsu,dc=edu
> ldap admin dn = cn=Manager,dc=soil,dc=ncsu,dc=edu
> ldap delete dn = no
> ldap user suffix = ou=People
> ldap group suffix = ou=Groups
> ldap machine suffix = ou=Computers
> admin users = administrator
>
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> ; where to store user profiles
> logon home =
> logon path =
>
> ldap delete dn = Yes
> add user script = /usr/local/sbin/smbldap-useradd -m "%u"
> add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
> add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
> set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
> delete user script = /usr/local/sbin/smbldap-userdel "%u"
> delete group script = /usr/local/sbin/smbldap-groupdel "%g"
>
> [netlogon]
> comment = Network Logon Service
> path = /usr/local/samba/lib/netlogon
> read only = yes
> write list = dom_admins
>
> [Homes]
> username = tfugere
> writeable = Yes
> force create mode = 0770
> force directory mode = 02770
> browseable = No
> --- End smb.conf ---
>
> 5. Made my smbldap*.conf:
> --- Start smbldap.conf ---
> UID_START="1000"
> GID_START="1000"
> SID="S-1-5-21-2625200706-2048882972-3065312840"
> slaveLDAP="smbtest.soil.ncsu.edu"
> slavePort="389"
> masterLDAP="smbtest.soil.ncsu.edu"
> masterPort="389"
> ldapTLS="1"
> verify="require"
> cafile="/var/ssl/cacert.pem"
> clientcert="/var/ssl/ldapcrt.pem"
> clientkey="/var/ssl/ldapkey.pem"
> suffix="dc=soil,dc=ncsu,dc=edu"
> usersdn="ou=People,dc=soil,dc=ncsu,dc=edu"
> computersdn="ou=Computers,dc=soil,dc=ncsu,dc=edu"
> groupsdn="ou=Groups,dc=soil,dc=ncsu,dc=edu"
> scope="sub"
> hash_encrypt="SSHA"
> userLoginShell="/bin/bash"
> userHomePrefix="/home/"
> userGecos="System User"
> defaultUserGid="513"
> defaultComputerGid="553"
> skeletonDir="/etc/skel"
> defaultMaxPasswordAge="45"
> userSmbHome=""
> userProfile=""
> userHomeDrive="logondrive"
> userScript=""
> with_smbpasswd="0"
> smbpasswd="/usr/bin/smbpasswd"
> mk_ntpasswd="/usr/sbin/mkntpwd"
> --- End smbldap.conf ---
> --- Begin smbldap_bind.conf ---
> slaveDN="cn=Manager,dc=soil,dc=ncsu,dc=edu"
> slavePw="_hidden_"
> masterDN="cn=Manager,dc=soil,dc=ncsu,dc=edu"
> masterPw="_hidden_"
> --- End smbldap_bind.conf ---
>
> 6. Started up the services:
> /etc/init.d/ldap start
> /etc/init.d/smb start
>
> 7. Set the root password:
> smbpasswd -w _thepassword_
>
> 8. Put in some test data:
> http://www.soil.ncsu.edu/tony_temp/smbtest.ldif
>
> 9. Did a search on the LDAP DB:
> ldapsearch -x -Z -D 'cn=Manager,dc=soil,dc=ncsu,dc=edu' -b
> 'dc=soil,dc=ncsu,dc=edu' -W '(objectclass=*)'
> Results: http://www.soil.ncsu.edu/tony_temp/ldapsearch.out
>
> 10. Set the root user password:
> smbldap-passwd root
>
> 11. Changed the local security policy on the Windows XP machine:
> Domain member: Digitally encrypt or sign secure data channel
> (always) Disabled
> Domain member: Digitally encrypt secure data channel (when
> possible) Disabled
> Domain member: Digitally sign secure data channel (when
> possible) Disabled
>
> 12. Tried to join the domain through a Windows XP machine and got this
> error when using root user:
> The following error occurred when attempting to join the domain
> "testdomain":
> The user name could not be found.
>
> 13. Tried to navigate to the domain via my network places and was
> successful.
>
> --
> Tony Fugere
> tony_fugere at ncsu.edu
--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
OpenLDAP by Example, ISBN: 0131488732
Other books in production.
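The point of John's reply is that, at the quoted line, Samba substitutes only "%u" (the account being created, i.e. the machine trust account) into the add machine script, while "%m" is the separate client-NetBIOS-name parameter. The following is an added example, not Samba's code and not from either poster: a small Python model of that one substitution, the generic "%m" substitution for contrast, and a whitelist check on the account name before the rendered command is split into an argv list for exec-style invocation rather than handed to a shell. The templates are the two smb.conf lines from the thread; the sample account "WKSTN01$" and client name "WKSTN01", the regex, and all function names are constructed assumptions. It shows what smbldap-useradd would receive under each template, which is exactly the difference the suggested rpc_srv/sam debug logging lets you confirm.

```python
import re
import shlex

# Constructed sample smb.conf values (the two lines from the thread).
ADD_MACHINE_SCRIPT_U = '/usr/local/sbin/smbldap-useradd -w "%u"'
ADD_MACHINE_SCRIPT_M = '/usr/local/sbin/smbldap-useradd -w "%m"'

# Assumed whitelist: a NetBIOS name (1-15 chars) followed by the trailing
# '$' that marks a machine trust account.
MACHINE_ACCOUNT_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,14}\$$")


def substitute_account(add_script: str, account: str) -> str:
    """Model of the single substitution quoted from srv_samr_nt.c:
    every "%u" becomes the account being created. Nothing else is
    touched here, so a "%m" in the template passes through unchanged."""
    return add_script.replace("%u", account)


def substitute_client_name(script: str, client_name: str) -> str:
    """Model of the generic "%m" (client NetBIOS name) substitution that
    smb.conf documents; included only to contrast it with "%u"."""
    return script.replace("%m", client_name)


def is_machine_account(account: str) -> bool:
    """True only for a well-formed machine account name such as WKSTN01$."""
    return bool(MACHINE_ACCOUNT_RE.match(account))


def render_argv(add_script: str, account: str) -> list:
    """Validate the account, substitute it, and split the result into an
    argv list (no shell involved), so the value cannot alter the command."""
    if not is_machine_account(account):
        raise ValueError(f"refusing to run add machine script for {account!r}")
    return shlex.split(substitute_account(add_script, account))


def compare_parameters(account: str, client_name: str) -> dict:
    """Last argument smbldap-useradd -w would receive under each template.
    With "%u" it is the trust account (trailing '$'); with "%m" it is the
    bare client NetBIOS name after the generic substitution."""
    rendered_m = substitute_client_name(
        substitute_account(ADD_MACHINE_SCRIPT_M, account), client_name)
    return {
        "%u": render_argv(ADD_MACHINE_SCRIPT_U, account)[-1],
        "%m": shlex.split(rendered_m)[-1],
    }


if __name__ == "__main__":
    print(compare_parameters("WKSTN01$", "WKSTN01"))
```

Run stand-alone it prints the two values side by side; the "%u" template hands the script the trust account name with its '$', the "%m" template hands it the client name without one, which is the detail to look for in the per-client log when reproducing the join with each setting.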