[Samba] Samba 3.0.10 join domain

Daniel Davidson danield at igb.uiuc.edu
Wed Feb 28 17:28:27 GMT 2007


This is really getting frustrating.  The exact message when joining the
domain is "user name could not be found", however I have the
Administrator account set up with the proper data.  And I have tried
administrator with and without the A in caps.  I can take this username,
log into the server, and the files I create show up as owned by root.

# Administrator, People, igb.uiuc.edu
dn: uid=Administrator,ou=People,dc=igb,dc=uiuc,dc=edu
uid: Administrator
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: Administrator
sn: Administrator
mail: Administrator at igb.uiuc.edu
loginShell: /bin/bash
homeDirectory: /home/a-m/Administrator
gecos: Administrator
sambaSID: S-1-5-21-3679620730-2824407525-958489067-500
sambaPrimaryGroupSID: S-1-5-21-3679620730-2824407525-958489067-512
sambaAcctFlags: UX
gidNumber: 0
uidNumber: 0
sambaLMPassword: somethingremoved
sambaNTPassword: somethingremoved

My Sid matches up:

[root at file-server samba]# net getlocalsid
SID for domain IGB-FILE-SERVER is:
S-1-5-21-3679620730-2824407525-958489067

The server should be the master browser:

  *****
[2007/02/28 10:20:43, 0]
nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(282)
  become_domain_master_browser_bcast:
  Attempting to become domain master browser on workgroup IGB on subnet
128.174.124.12
[2007/02/28 10:20:43, 0]
nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(295)
  become_domain_master_browser_bcast: querying subnet 128.174.124.12 for
domain master browser on workgroup IGB
[2007/02/28 10:20:47, 0]
nmbd/nmbd_logonnames.c:become_logon_server_success(124)
  become_logon_server_success: Samba is now a logon server for workgroup
IGB on subnet 128.174.124.12
[2007/02/28 10:20:51, 0]
nmbd/nmbd_become_dmb.c:become_domain_master_stage2(113)
  *****

  Samba server IGB-FILE-SERVER is now a domain master browser for
workgroup IGB on subnet 128.174.124.12

  *****


If I look at the log for doing the add, it appears as if this might be
where the error is if I look at the tail end of the smb log for the
client trying to add with a loglevel of 5:


[2007/02/28 10:31:12, 5] auth/auth_util.c:debug_unix_user_token(505)
  UNIX token of user 0
  Primary group is 0 and contains 0 supplementary groups
[2007/02/28 10:31:12, 5] smbd/uid.c:change_to_root_user(296)
  change_to_root_user: now uid=(0,0) gid=(0,0)
[2007/02/28 10:31:12, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
  wct=12 flg2=0xc807
[2007/02/28 10:31:12, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
all old resources.
[2007/02/28 10:31:12, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
  Doing spnego session setup
[2007/02/28 10:31:12, 3]
smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
  NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002
5.1] PrimaryDomain=[]
[2007/02/28 10:31:12, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
  Got user=[administrator] domain=[igb] workstation=[SAMMY] len1=24
len2=24
[2007/02/28 10:31:12, 5]
auth/auth_ntlmssp.c:auth_ntlmssp_set_challenge(66)
  auth_context challenge set by NTLMSSP callback (NTLM2)
[2007/02/28 10:31:12, 5]
auth/auth_ntlmssp.c:auth_ntlmssp_set_challenge(67)
  challenge is: 
[2007/02/28 10:31:12, 5] lib/util.c:dump_data(1999)
  [000] 81 8F 46 13 26 F9 07 3E                           ..F.&..> 


For info, my globals from smb.conf are


[global]
	workgroup = igb
	netbios name = IGB-FILE-SERVER
	server string = Samba Server
	passdb backend = ldapsam:ldap://auth.igb.uiuc.edu
	log file = /var/log/samba/%m.log
	max log size = 50
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	domain logons = Yes
	dns proxy = No
	wins support = Yes
	ldap admin dn = cn=someonespecial,dc=igb,dc=uiuc,dc=edu
	ldap group suffix = ou=group
	ldap suffix = dc=igb,dc=uiuc,dc=edu
	ldap ssl = on
	ldap user suffix = ou=People
	ldap machine suffix =  ou=computer
	cups options = raw
	log level = 10
	add machine script = /usr/share/doc/samba-3.0.10/LDAP/smbldap-tools/smbldap-useradd.pl -w
	preferred master = Yes
	domain master = Yes
	os level = 65
	password server = None
	idmap uid = 1000-33554431
	idmap gid = 1000-33554431
	template shell = /bin/false
	username map = /etc/samba/smbusers
	winbind use default domain = no


Any help still very much appreciated,

Dan

On Tue, 2007-02-27 at 12:57 -0600, Daniel Davidson wrote:
> I have found and fixed my previous problems (two typos that were hard to
> find) and now the smbldap-tools all work as expected if I run them as
> root.  However when I try to join a domain from a Windows machine, the
> scripts never run and I get an "Access is denied" message.  Since I am
> using 0.10 I do not think I can use net rpc rights, so do I need to add
> that into LDAP manually?  Or do I have to use a specific user other than
> just someone in domain admins?
> 
> thanks,
> 
> Dan
> 
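The SID comparison the post makes by eye ("My Sid matches up"), written as a script. This is an added example, not part of the original message and not Samba code: it parses the `net getlocalsid` output and the LDIF entry, then reports whether each SID attribute sits under the domain SID and which well-known RID it carries. The function names are hypothetical, and the sample input is constructed from the values shown in the post.

```python
import re

# Well-known relative IDs (RIDs) in an NT-style domain.
WELL_KNOWN_RIDS = {500: "Administrator", 512: "Domain Admins", 513: "Domain Users"}

# Constructed sample input, using the values shown in the post.
NET_GETLOCALSID = """SID for domain IGB-FILE-SERVER is:
S-1-5-21-3679620730-2824407525-958489067
"""
LDIF_ENTRY = """dn: uid=Administrator,ou=People,dc=igb,dc=uiuc,dc=edu
uid: Administrator
sambaSID: S-1-5-21-3679620730-2824407525-958489067-500
sambaPrimaryGroupSID: S-1-5-21-3679620730-2824407525-958489067-512
"""

# A domain SID is S-1-5-21 followed by three sub-authorities.
SID_RE = re.compile(r"S-1-5-21(?:-\d+){3}")


def domain_sid(net_output):
    """Extract the domain SID from `net getlocalsid` output."""
    match = SID_RE.search(net_output)
    if match is None:
        raise ValueError("no domain SID found in net output")
    return match.group(0)


def ldif_attrs(entry):
    """Parse one unwrapped, non-base64 LDIF entry into {attribute: [values]}."""
    attrs = {}
    for line in entry.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def check_sids(entry, net_output):
    """Return (attribute, rid, well-known name or None, in_domain) per SID."""
    dom = domain_sid(net_output)
    attrs = ldif_attrs(entry)
    results = []
    for name in ("sambaSID", "sambaPrimaryGroupSID"):
        for sid in attrs.get(name, []):
            prefix, _, rid = sid.rpartition("-")
            results.append((name, int(rid), WELL_KNOWN_RIDS.get(int(rid)), prefix == dom))
    return results
```

For the entry in the post both attributes fall under the domain SID, with RID 500 (Administrator) and RID 512 (Domain Admins), so the SID part of the account matches what the message claims.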


