[Samba] net rpc join fails the first time but succeeds the second

adrian sender adrian_au1 at hotmail.com
Fri May 19 16:32:50 GMT 2006


Your domain member is not configured correctly; you need it to be able to
authenticate with LDAP.

Should look something like this, as per Chapter 7 of Samba 3 by Example:
http://samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap

Example 7.1. Samba Domain Member in Samba Domain Using LDAP smb.conf File

# Global parameters

[global]
unix charset = LOCALE
workgroup = MEGANET2
security = DOMAIN
username map = /etc/samba/smbusers
log level = 10
syslog = 0
log file = /var/log/samba/%m
max log size = 50
smb ports = 139
name resolve order = wins bcast hosts
printcap name = CUPS
wins server = 192.168.2.1
ldap suffix = dc=abmas,dc=biz
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=abmas,dc=biz
idmap backend = ldap:ldap://lapdc.abmas.biz
idmap uid = 10000-20000
idmap gid = 10000-20000
winbind trusted domains only = Yes
printer admin = root
printing = cups

Stick to the official docs, will save you days/years of time.

Adrian Sender.




From: Felipe Alfaro Solana <felipe.alfaro at gmail.com>
To: "Samba Mailing List" <samba at lists.samba.org>
Subject: [Samba] net rpc join fails the first time but succeeds the second
Sent: Friday, 19 May 2006 9:13:21 PM
Hi.

I'm having some trouble when trying to join a SAMBA machine, acting as
a member server, to a NT-style domain server managed by a SAMBA PDC
using an LDAP back-end. Both machines are running samba-3.0.10-1.4E.6
on Red Hat Enterprise Linux 4.1 Update 3 for AMD64.

When trying to add the member server to the domain, it fails with an
error message. However, if I try to add it again, the operation
succeeds.

The first try to add the member server fails with this error message:

[root at member ~]# net rpc join CENTRAL -U Administrator%password
[2006/05/19 13:01:08, 0] utils/net_rpc_join.c:net_rpc_join_newstyle(319)
Error domain join verification (reused connection): NT_STATUS_ACCESS_DENIED

Unable to join domain CENTRAL.

I can see the SAMBA machine account has been created:

[root at pdc ~]# pdbedit -L
Administrator:0:Domain Administrator
member$:10001:Machine

Then, immediately, I try to add the member server, once again:

[root at member ~]# net rpc join CENTRAL -U Administrator%password
Joined domain CENTRAL.

Both the member server and the PDC are using nss_ldap.
Thus:

[root at member ~]# id Administrator
uid=0(root) gid=0(root) groups=0(root)

The smb.conf for the PDC is:

[global]

  # Store SAMBA data into an LDAP backend
  passdb backend = ldapsam:ldap://ldap/
  ldap admin dn = cn=Directory Manager
  ldap suffix = dc=central
  ldap user suffix = ou=People
  ldap machine suffix = ou=Computers
  ldap group suffix = ou=Groups

  # Scripts for managing users and computers
  add user script = /usr/sbin/luseradd -g "Domain Users" %u
  delete user script = /usr/sbin/luserdel -r %u
  add group script = /usr/sbin/lgroupadd %g
  delete group script = /usr/sbin/groupdel %g
  add user to group script = /usr/sbin/lgroupmod -A %u %g
  delete user from group script = /usr/sbin/lgroupmod -R %u %g
  add machine script = /usr/sbin/luseradd -g "Domain Computers" -c "Machine" -s /bin/false -d /dev/null -n -M "%u"

  workgroup = CENTRAL
  netbios name = NDS1
  server string = CENTRAL Samba Domain Controller

  load printers = no

  log file = /var/log/samba/%m.log

  security = user
  encrypt passwords = yes

  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

  os level = 35
  local master = yes
  domain master = yes
  preferred master = yes
  domain logons = yes
  logon path =

  wins support = yes

The smb.conf for the member server is:

[global]

  workgroup = CENTRAL
  server string = CENTRAL File Server
  netbios name = FS1
  log file = /var/log/samba/%m.log
  max log size = 50
  security = domain
  encrypt passwords = yes
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

Any ideas?
Thank you very much.
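
As an added example (not part of either message, and not Samba project code), the following Python script lists which of the LDAP and idmap parameters from the Example 7.1 quoted in the reply are absent from the member server's smb.conf as posted in the original message. The choice of parameters to compare and the helper names are assumptions of this example.

```python
# Parameters compared: the LDAP and idmap lines of Example 7.1 as quoted in
# the reply. Choosing this set is an assumption of the example.
LDAP_PARAMS = [
    "ldap suffix", "ldap machine suffix", "ldap user suffix",
    "ldap group suffix", "ldap idmap suffix", "ldap admin dn",
    "idmap backend", "idmap uid", "idmap gid",
]

# Member server smb.conf as posted in the original message.
MEMBER_CONF = """
[global]

  workgroup = CENTRAL
  server string = CENTRAL File Server
  netbios name = FS1
  log file = /var/log/samba/%m.log
  max log size = 50
  security = domain
  encrypt passwords = yes
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
"""

def norm(name):
    # smb.conf parameter names ignore case and whitespace.
    return "".join(name.lower().split())

def parse_global(text):
    """Return the [global] parameters of an smb.conf, keyed by norm(name)."""
    params, section = {}, None
    for raw in text.replace("\\\n", "").splitlines():  # join continuations
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)  # only the first '=' counts
            params[norm(key)] = value.strip()
    return params

def missing_ldap_params(conf_text):
    """List the Example 7.1 LDAP/idmap parameters absent from conf_text."""
    have = parse_global(conf_text)
    return [p for p in LDAP_PARAMS if norm(p) not in have]

if __name__ == "__main__":
    for name in missing_ldap_params(MEMBER_CONF):
        print("not set on member:", name)
```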



