[Samba] Samba + LDAP Windows Join Domain
James Taylor
jtaylor at laszlosystems.com
Wed Feb 15 22:38:05 GMT 2006
Hello all,
I have been working on this issue for some time and I know I am close to a
solution.
I am currently running samba 3.0.13. I have set the samba server up as a
NT4 Domain controller and I have also integrated my LDAP configuration with
samba. When I try to join the samba domain from any Windows 2000 or Windows
XP machine I get the error message "The user could not be found". My
smbldap-tools scripts are working in the sense that the Machine Add script
is adding the machinename$ domain account. I have read several different
Samba Windows Join Domain documents and have tried different variations of
my config's to see if I can resolve this issue.
I know my Samba LDAP configuration is good as I am able to authenticate to
SMB file shares on the samba server with groups mapped to my LDAP database.
I am also seeing successful LDAP binds as well in the logs.
Any pointers on things I may be able to try would be great.
Configs as follows:
# Global parameters
[global]
workgroup = MYDOMAIN
realm = MYDOMAIN.COM
server string = Samba Server %v
interfaces = 192.168.0.8/16
min password length = 3
map to guest = Bad User
passdb backend = ldapsam:ldap://myldapsvr/
enable privileges = Yes
passwd program = /usr/sbin/smbldap-passwd
username map = /etc/samba/smbusers
client NTLMv2 auth = No
client lanman auth = No
client plaintext auth = No
syslog = 7
log file = /var/log/samba/log.%m
max log size = 100000
smb ports = 135 445
min protocol = NT1
time server = Yes
deadtime = 10
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g' &&
/usr/sbin/smbldap-groupshow %g|awk '/^gidNumber:/ {print $2}'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u'
'%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w -d /dev/null -c
'Machine Account' -s /bin/false '%u'
logon script = logon.bat
logon path =
logon drive = H:
logon home =
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = Yes
ldap admin dn = cn=Manager,dc=mydomain,dc=com
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Users
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap suffix = dc=mydomain,dc=com
ldap ssl = no
ldap user suffix = ou=Users
printer admin = @adm, root
create mask = 0755
directory mask = 0750
hosts allow = 192.168., 127.
nt acl support = No
case sensitive = No
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
[printers]
comment = All Printers
path = /var/spool/samba
create mask = 0700
guest ok = Yes
printable = Yes
browseable = No
[print$]
path = /var/lib/samba/printers
write list = @adm, root
inherit permissions = Yes
guest ok = Yes
[admin]
path = /
valid users = @adm, root, jtaylor
admin users = @adm, root, jtaylor
read only = No
browseable = No
Thank you all
James Taylor
More information about the samba
mailing list