[Samba] W2k domain join fails Samba 3 pdc
Brad Askew
Brad.Askew at Tsch.biz
Wed Dec 13 19:18:43 GMT 2006
I cannot join any Windows clients to my Samba 3 PDC. I am seeing these
logs in my Samba log.machinename when I am attempting to join it to the
domain. I am using an OpenLDAP backend hosted on the PDC. I can su or
ssh into the PDC with LDAP-only accounts without problem:
[2006/12/13 12:36:05, 2] lib/smbldap.c:smbldap_open_connection(722)
smbldap_open_connection: connection opened
[2006/12/13 12:36:05, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
init_sam_from_ldap: Entry found for user: Admin
[2006/12/13 12:36:05, 2] passdb/pdb_ldap.c:init_group_from_ldap(2199)
init_group_from_ldap: Entry found for group: 512
[2006/12/13 12:36:05, 2] auth/auth.c:check_ntlm_password(307)
check_ntlm_password: authentication for user [admin] -> [admin] -> [Admin] succeeded
[2006/12/13 12:36:06, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2659)
Returning domain sid for domain TSCH -> S-1-5-21-1413032332-9999999999-666666666
[2006/12/13 12:36:06, 2] passdb/pdb_ldap.c:init_ldap_from_sam(1064)
init_ldap_from_sam: Setting entry for user: readykey$
[2006/12/13 12:36:06, 2] passdb/pdb_ldap.c:ldapsam_add_sam_account(2141)
ldapsam_add_sam_account: added: uid == readykey$ in the LDAP database
[2006/12/13 12:36:06, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
init_sam_from_ldap: Entry found for user: readykey$
[2006/12/13 12:36:06, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
init_sam_from_ldap: Entry found for user: readykey$
[2006/12/13 12:36:06, 0] libsmb/smbencrypt.c:decode_pw_buffer(514)
decode_pw_buffer: incorrect password length (2118141193).
[2006/12/13 12:36:06, 0] libsmb/smbencrypt.c:decode_pw_buffer(515)
decode_pw_buffer: check that 'encrypt passwords = yes'
[2006/12/13 12:36:06, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
init_sam_from_ldap: Entry found for user: readykey$
[2006/12/13 12:36:06, 0] passdb/pdb_ldap.c:ldapsam_delete_entry(480)
ldapsam_delete_entry: Could not delete attributes for uid=readykey$,ou=Computers,dc=tsch,dc=lan, error: Object class violation (attribute 'displayName' not allowed)
[2006/12/13 12:36:07, 2] smbd/server.c:exit_server(614)
Closing connections
[2006/12/13 12:36:42, 2] lib/smbldap.c:smbldap_open_connection(722)
smbldap_open_connection: connection opened
[2006/12/13 12:36:42, 2] smbd/server.c:exit_server(614)
Closing connections
[2006/12/13 12:36:42, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
init_sam_from_ldap: Entry found for user: Admin
[2006/12/13 12:36:42, 2] passdb/pdb_ldap.c:init_group_from_ldap(2199)
init_group_from_ldap: Entry found for group: 512
[2006/12/13 12:36:42, 2] auth/auth.c:check_ntlm_password(307)
check_ntlm_password: authentication for user [admin] -> [admin] -> [Admin] succeeded
[2006/12/13 12:36:44, 2] smbd/server.c:exit_server(614)
Closing connections
I used smbldap-tools to populate the DIT. This created a cn=Admin
account in the tree with uidNumber=0 and allowed me to set the
password. I have been using this account to attempt to join the client.
I see that even though the join fails, the machine account gets created
in my ou=Computers.
The error I get on the Windows workstation is "Logon failure: unknown
username or bad password."
OpenLDAP server 2.2.30, FreeBSD 6.1-RELEASE, and Samba 3.0.21b.
My smb.conf:
[global]
    netbios name = test-dc
    encrypt passwords = yes
    workgroup = tsch
    security = user
    invalid users = bin daemon sys man postfix mail ftp
    admin users = @wheel
    # domain admin group = @wheel
    # domain admin users = root
    # wins support = yes
    printing = cups
    passdb backend = ldapsam:ldap://localhost
    # username map = /etc/samba/smbusers
    enable privileges = yes
    os level = 65
    preferred master = yes
    show add printer wizard = yes
    local master = yes
    domain logons = yes
    domain master = yes
    logon path = \\%N\profiles\%U
    logon drive = H:
    logon home = \\%N\Users\%U
    # logon script =
    ## idealx scripts for user, group, and machine account mgmt
    add user script = /usr/local/sbin/smbldap-useradd -m "%u"
    delete user script = /usr/local/sbin/smbldap-userdel "%u"
    add group script = /usr/local/sbin/smbldap-groupadd "%g"
    delete group script = /usr/local/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
    # -w creates a workstation (trust) account; it must be one option, not "- w"
    add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
    ## password sync
    passwd program = /usr/local/sbin/smbldap-passwd -o %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*
    unix password sync = yes
    ## OpenLDAP stuff here
    ldap suffix = dc=tsch,dc=lan
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap machine suffix = ou=Computers
    ldap idmap suffix = ou=People
    ldap admin dn = cn=Manager,dc=tsch,dc=lan
    ldap passwd sync = yes
    ldap ssl = no
    ldap delete dn = no
    # idmap backend = ldap:ldap://localhost
    # idmap uid = 15000-20000
    # idmap gid = 15000-20000
    ## logging options
    log level = 2
    log file = /usr/local/samba/var/log.%m
    max log size = 1000
    syslog = 1

## defining the network logon service
[netlogon]
    comment = Network Logon Service
    path = /usr/local/samba/netlogon
    read only = yes
    # write list =
    valid users = root @smbusers

## Defining profile shares for roaming profiles
[profiles]
    comment = Roaming profile shares
    path = /usr/local/samba/profiles
    writeable = yes
    create mask = 0600
    directory mask = 0700
    browsable = no
    guest ok = yes

[printers]
    comment = All printers
    path = /var/spool/samba
    browseable = no
    # Set public = yes to allow user 'guest account' to print
    guest ok = no
    writeable = no
    printable = yes
--
Brad Askew
The Surgery Center of Huntsville
721 Madison St.
Huntsville, AL 35801
256.533.4888
256.319.2710 - Fax
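Added example, not part of the post: a small Python triage helper that regroups Samba 3's header-plus-message log entries (rejoining lines a mail archive wrapped), pulls out the level-0 errors, and reads a [global] parameter from smb.conf so a hint like "check that 'encrypt passwords = yes'" can be verified against the posted config. The sample log and config are constructed excerpts of the ones above.

```python
import re

# Header of a Samba 3 log entry: "[YYYY/MM/DD HH:MM:SS, level] file:function(line)".
# The message follows on the next line(s); mail archives often wrap it.
HEADER = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (\d+)\] (\S+):(\w+)\((\d+)\)\s*$")

def parse_samba_log(text):
    """Group header + message lines into dicts; wrapped message lines are rejoined."""
    entries = []
    for raw in text.splitlines():
        m = HEADER.match(raw)
        if m:  # level 0 = hard error, higher levels = more verbose
            entries.append({"when": m.group(1), "level": int(m.group(2)),
                            "source": m.group(3), "func": m.group(4), "message": ""})
        elif entries and raw.strip():
            entries[-1]["message"] = (entries[-1]["message"] + " " + raw.strip()).strip()
    return entries

def errors(entries):
    """Level-0 entries are the hard errors: read these before anything else."""
    return [e for e in entries if e["level"] == 0]

def global_setting(conf_text, key):
    """Value of a [global] parameter in smb.conf; names are case/space-insensitive."""
    section, want = None, re.sub(r"\s+", "", key).lower()
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif "=" in line and section == "global":
            k, v = line.split("=", 1)
            if re.sub(r"\s+", "", k).lower() == want:
                return v.strip()
    return None

# Constructed sample: the decisive lines from the post, wrapped as the archive shows them.
SAMPLE_LOG = """[2006/12/13 12:36:06, 2] passdb/pdb_ldap.c:ldapsam_add_sam_account(2141)
ldapsam_add_sam_account: added: uid == readykey$ in the LDAP database
[2006/12/13 12:36:06, 0] libsmb/smbencrypt.c:decode_pw_buffer(514)
decode_pw_buffer: incorrect password length (2118141193).
[2006/12/13 12:36:06, 0] passdb/pdb_ldap.c:ldapsam_delete_entry(480)
ldapsam_delete_entry: Could not delete attributes for
uid=readykey$,ou=Computers,dc=tsch,dc=lan, error: Object class violation
(attribute 'displayName' not allowed)
"""
SAMPLE_CONF = "[global]\n  encrypt passwords = yes\n  passdb backend = ldapsam:ldap://localhost\n"
```

Running `errors(parse_samba_log(SAMPLE_LOG))` lists the two level-0 entries with their rejoined messages, and `global_setting(SAMPLE_CONF, "encrypt passwords")` returns "yes", which rules out the hint Samba printed.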