[Samba] Domain login not working with MySQL backend

James MacLean macleajb at ednet.ns.ca
Sun Mar 6 21:06:19 GMT 2005


Andreas Braun wrote:

> Hello!
>
> I'm kind of stuck here. I'd like to set up a Samba PDC server using a 
> MySQL database backend, so that me and my colleagues can easily 
> administer the users with a PHP based web interface. I've already 
> installed and configured Samba 3.0.11 and MySQL 4.0 on FreeBSD. 
> Everything seems to work great, except I can't login. I always get a 
> message that says the domain controller is not available or the 
> computer account is not existing. The log file says: 
> "rpc_server/srv_netlog_nt.c:get_md4pw(261) md4pw: Workstation PC1$: no 
> account in domain". What did I do wrong? :(
>
> This is the workstation account:
> Unix username:        pc1$
> NT username:          pc1$
> Account Flags:        [W          ]
> User SID:             S-1-5-21-3555237956-4202347196-2499260156-3008
> Primary Group SID:    S-1-5-21-3555237956-4202347196-2499260156-515
> Full Name:            User &
> Home Directory:
> HomeDir Drive:
> Logon Script:
> Profile Path:
> Domain:               test
> Account desc:
> Workstations:
> Munged dial:
> Logon time:           0
> Logoff time:          0
> Kickoff time:         0
> Password last set:    Sun, 06 Mar 2005 19:25:40 UTC
> Password can change:  Sun, 06 Mar 2005 19:25:40 UTC
> Password must change: Wed, 18 May 2033 05:33:19 UTC
> Last bad password   : 0
> Bad password count  : 0
> Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>
>
> That's what I already did:
>
> - I've created the user accounts in FreeBSD (user1)
>
> - I've created the machine accounts in FreeBSD (pc1$)
>
> - I've added the users in Samba: "pdbedit -a -u user1"
>
> - I've added the workstation accounts in Samba: "pdbedit -a -m -u pc1"
>
> - I've checked that the accounts are correctly inserted in the database
>
> - I can change the computer's domain to the Samba PDC's one
>
> - I can open home shares using samba accounts
>
>
> I have searched around the Internet, but I could not find a solution. 
> :( I hope somebody can give me a hint! Thank you!
>
>
> Kind regards,
>
> camouflageX

I went through this recently and I'm not sure I'll have _your_ answer, 
but some things that were gotchas on my install :

1. Make sure "net getlocalsid" matches the sids in "net groupmap list".
2. Make sure the userid and machine id's also share this correct SID 
parts. Actually now that I think of it, that was the problem I had.
3. Make sure you have an admin account to work with. For me, I did 
something like :
  net groupmap modify ntgroup="Domain Admins" unixgroup=ntadmin
  net groupmap modify ntgroup="Domain Users" unixgroup=users
  net groupmap modify ntgroup="Domain Guests" unixgroup=nobody
  and add admin userids to the ntadmin group.
4. Create a userid that has the UID of 500 (according to the HowTo.)
5. 3.0.11 has the very useful perms to not need to be root options, so 
I also did something like :
  net rpc rights grant "DOMAIN\\Domain Admins" SeMachineAccountPrivilege SePrintOperatorPrivilege SeAddUsersPrivilege SeDiskOperatorPrivilege -U "administrator"
6. Added some stuff to smb.conf:
  enable privileges = yes
  add machine script = /usr/sbin/useradd -d /dev/null -g machines -c "machine account" -s /bin/false -M %u
7. Go ahead and join a computer to the domain.

JES
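
The SID comparison in items 1 and 2 of the reply above can be scripted. This is an added example, not part of the original post: the function names and the sample outputs are constructed, and it assumes only that "net getlocalsid" prints the domain SID as S-1-5-21-x-y-z and that group and account SIDs appear as that prefix plus a RID.

```shell
#!/bin/sh
# Added example. The sample text below is constructed; in real use, feed the
# functions the output of: net getlocalsid, net groupmap list, pdbedit -L -v

# Print the domain SID (S-1-5-21-x-y-z) found in `net getlocalsid` output on stdin.
local_sid() {
    grep -oE 'S-1-5-21(-[0-9]+){3}' | head -n 1
}

# Read group-map / pdbedit text on stdin and print every domain-relative SID
# (S-1-5-21-x-y-z-RID) whose domain part differs from $1.
# BUILTIN SIDs such as S-1-5-32-544 are deliberately ignored.
sid_mismatches() {
    want=$1
    grep -oE 'S-1-5-21(-[0-9]+){4}' | sort -u | while read -r sid; do
        # ${sid%-*} strips the trailing RID, leaving the domain SID
        [ "${sid%-*}" = "$want" ] || printf '%s\n' "$sid"
    done
}

# Constructed sample: one group mapping and one machine account carry a stale SID.
SAMPLE_LOCALSID='SID for domain TEST is: S-1-5-21-1111111111-2222222222-3333333333'
SAMPLE_GROUPMAP='Domain Admins (S-1-5-21-1111111111-2222222222-3333333333-512) -> ntadmin
Domain Users (S-1-5-21-1111111111-2222222222-3333333333-513) -> users
Domain Guests (S-1-5-21-4444444444-5555555555-6666666666-514) -> nobody'
SAMPLE_PDBEDIT='Unix username:        pc1$
User SID:             S-1-5-21-4444444444-5555555555-6666666666-3008
Primary Group SID:    S-1-5-21-1111111111-2222222222-3333333333-515'

# Run the check over the constructed sample and print the offending SIDs.
check_sample() {
    want=$(printf '%s\n' "$SAMPLE_LOCALSID" | local_sid)
    printf '%s\n%s\n' "$SAMPLE_GROUPMAP" "$SAMPLE_PDBEDIT" | sid_mismatches "$want"
}

check_sample
```

Any SID it prints belongs to a group mapping or account created under a different domain SID than the one the server currently reports.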

