[Samba] winbind joins with domain name, not netbios name

Turki Al-Ibrahim turkim at gmail.com
Fri Sep 23 14:11:17 GMT 2005


If I change security to ads, the domain controller (smbd) won't work?!
because the PDC is the same server.

Thanks for any help.

On 9/23/05, Jason Gerfen <jason.gerfen at scl.utah.edu> wrote:
>
> Turki Al-Ibrahim wrote:
>
> >Hi,
> >
> >I am having a problem with Winbind:
> >
> >First, some information ..
> >Domain name :TESTDOM
> >PDC's Netbios name : ubuntu
> >Samba version : 3.0.20 (latest patches installed) with LDAP backend.
> >Linux : Ubuntu 2.6.10
> >
> >Samba is running smoothly, with no problems.
> >
> >I wanted to use Winbind, so I followed Samba HowTo - chapter 23
> >http://us5.samba.org/samba/docs/man/Samba3-HOWTO/winbind.html#id2634776
> >
> >I wanted to configure winbind to use the domain installed in the same
> >server, so I joined using this command :
> >net join -U administrator
> >
> >It says Joined Domain TESTDOM , and a machine account is created in LDAP
> >with the following attributes :
> >
> >dn: uid=ubuntu$,ou=Computers,dc=testdom,dc=com
> >objectClass: top,inetOrgPerson,posixAccount,sambaSamAccount
> >cn: ubuntu$
> >sn: ubuntu$
> >uid: ubuntu$
> >uidNumber: 1006
> >gidNumber: 515
> >homeDirectory: /dev/null
> >loginShell: /bin/false
> >description: Computer
> >gecos: Computer
> >sambaSID: S-1-5-21-649663798-2503265242-3544459435-3012
> >sambaPrimaryGroupSID: S-1-5-21-649663798-2503265242-3544459435-2031
> >displayName: Computer
> >sambaPwdCanChange: 1127424362
> >sambaPwdMustChange: 2147483647
> >sambaLMPassword: F6612BB25EF49A45DBF571ADD3E3B73E
> >sambaNTPassword: 3EFFA0C5FF16761A846B9B24192F5955
> >sambaPwdLastSet: 1127424362
> >sambaAcctFlags: [S ] (S should be for server trust account, is this normal?)
> >
> >Then , I start Winbind.
> >
> >Here is the output of wbinfo -u , -g & -t
> >
> >root at ubuntu:/var/www/samba-doc/htmldocs # wbinfo -u
> >Error looking up domain users
> >
> >root at ubuntu:/var/www/samba-doc/htmldocs # wbinfo -g
> >BUILTIN\Print Operators
> >BUILTIN\Backup Operators
> >BUILTIN\Replicators
> >
> >root at ubuntu:/var/www/samba-doc/htmldocs # wbinfo -t
> >checking the trust secret via RPC calls failed
> >error code was NT_STATUS_ACCESS_DENIED (0xc0000022)
> >Could not check secret
> >
> >When performing the command wbinfo -t (to check secret), smbd logs :
> >
> >ldapsam_getsampwnam: Unable to locate user [TESTDOM$] count=0
> >[2005/09/23 00:34:56, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
> > pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
> >[2005/09/23 00:34:56, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
> > get_md4pw: Workstation TESTDOM$: no account in domain
> >
> >The machine account it is searching is TESTDOM$, which is the domain name,
> >not the netbios name.
> >
> >Can anybody help me with this one ?
> >
> >Thanks & Regards.
> >
> >Here's smb.conf :
> >[global]
> >workgroup = TESTDOM
> >netbios name = ubuntu
> >syslog = 0
> >log level = 4
> >name resolve order = wins bcast hosts
> >printcap name = CUPS
> >show add printer wizard = No
> >
> >add user script = /usr/sbin/smbldap-useradd -a -m '%u'
> >delete user script = /usr/sbin/smbldap-userdel %u
> >add group script = /usr/sbin/smbldap-groupadd -p '%g'
> >delete group script = /usr/sbin/smbldap-groupdel '%g'
> >add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
> >delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u' '%g'
> >set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
> >add machine script = /usr/sbin/smbldap-useradd -w '%u'
> >
> >domain logons = Yes
> >domain master = yes
> >wins support = yes
> >printing = CUPS
> >
> >ldap passwd sync = Yes
> >ldap admin dn = cn=Manager,dc=testdom,dc=com
> >passdb backend = ldapsam:"ldap://127.0.0.1/"
> >ldap delete dn = yes
> >ldap suffix = dc=testdom,dc=com
> >ldap user suffix = ou=Users
> >ldap machine suffix = ou=Computers
> >ldap group suffix = ou=Groups
> >ldap idmap suffix = ou=Idmap
> >idmap backend = ldap:ldap://localhost
> >
> >time server = yes
> >logon path =
> >logon home =
> >idmap uid = 15000-20000
> >idmap gid = 15000-20000
> >template shell = /bin/bash
> >security = user
> >
> >
> %> net ads leave #need to leave domain if applicable
> set:
> security = ads
> then rejoin domain
> %> net ads join -U Administrator
> %> wbinfo --sequence
> %> getent passwd
> That last command should list the users you are attempting to
> authenticate using the NTLM auth. mechanism
>
> >winbind use default domain = yes
> >
> >[homes]
> >comment = Home Directories
> >valid users = %S
> >writeable = yes
> >browseable = No
> >[netlogon]
> >comment = Network Logon Service
> >path = /samba/netlogon
> >browseable = no
> >guest ok = yes
> >
> >
>
>
> --
> Jason Gerfen
> Student Computing Labs, University Of Utah
> jason.gerfen at scl.utah.edu
>
> J. Willard Marriott Library
> 295 S 1500 E, Salt Lake City, UT 84112-0860
> 801-585-9810
>
> "My girlfriend threatened to
> leave me if I went boarding...
> I will miss her."
> ~ DIATRIBE aka FBITKK
>
>


--
Turki M. Al-Ibrahim
turkim (at) gmail.com
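
The log observation in the quoted post can be checked mechanically. The following is an added example, not part of the original thread and not Samba code: it pulls `get_md4pw ... no account in domain` events out of an smbd log and reports whether the requested machine account matches the `workgroup` or the `netbios name` in smb.conf. The function names are hypothetical, and the sample input is constructed from the lines quoted in the post.

```python
import re

# Constructed sample: the smbd log lines and smb.conf values quoted in the thread.
SAMPLE_LOG = """\
ldapsam_getsampwnam: Unable to locate user [TESTDOM$] count=0
[2005/09/23 00:34:56, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (65534, 65534) - sec_ctx_stack_ndx = 0
[2005/09/23 00:34:56, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
  get_md4pw: Workstation TESTDOM$: no account in domain
"""
SAMPLE_CONF = """\
[global]
workgroup = TESTDOM
netbios name = ubuntu
"""

HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*\d+\]\s+\S+")
NO_ACCOUNT = re.compile(r"get_md4pw: Workstation (?P<acct>\S+): no account in domain")

def global_params(conf_text):
    """Return the [global] parameters of an smb.conf as a lowercase-keyed dict."""
    params, section = {}, None
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.split()).lower()] = value.strip()
    return params

def missing_machine_accounts(log_text, conf_text):
    """List 'no account in domain' events and which smb.conf name each account matches."""
    params = global_params(conf_text)
    names = {k: params.get(k, "") for k in ("workgroup", "netbios name")}
    events, ts = [], None
    for line in log_text.splitlines():
        header = HEADER.match(line)
        if header:                      # timestamped header line precedes the message line
            ts = header.group("ts")
            continue
        hit = NO_ACCOUNT.search(line)
        if hit:
            acct = hit.group("acct")
            matched = [k for k, v in names.items() if v and acct.rstrip("$").lower() == v.lower()]
            events.append({"time": ts, "account": acct, "matches": matched[0] if matched else None})
    return events
```

For the constructed sample, `missing_machine_accounts(SAMPLE_LOG, SAMPLE_CONF)` returns one event whose account is `TESTDOM$` and whose `matches` field is `workgroup`, which is the mismatch the post describes.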

