[Samba] Samba 3.0.10 join domain

Andrew Watkins andrew at dcs.bbk.ac.uk
Wed Feb 28 17:35:15 GMT 2007


Daniel,

Try adding "ldap idmap suffix = ou=People"

Since I noticed that "ldap user suffix" and "ldap group suffix" do not 
seem to be used.

Also, check your LDAP log files to see if you can spot the samba search 
string!

Andrew

> This is really getting frustrating.  The exact message when joining the
> domain is "user name could not be found", however I have the
> Administrator account set up with the proper data.  And I have tried
> administrator with and without the A in caps.  I can take this username,
> log into the server, and the files I create show up as owned by root.
> 
> # Administrator, People, igb.uiuc.edu
> dn: uid=Administrator,ou=People,dc=igb,dc=uiuc,dc=edu
> uid: Administrator
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: sambaSamAccount
> cn: Administrator
> sn: Administrator
> mail: Administrator at igb.uiuc.edu
> loginShell: /bin/bash
> homeDirectory: /home/a-m/Administrator
> gecos: Administrator
> sambaSID: S-1-5-21-3679620730-2824407525-958489067-500
> sambaPrimaryGroupSID: S-1-5-21-3679620730-2824407525-958489067-512
> sambaAcctFlags: UX
> gidNumber: 0
> uidNumber: 0
> sambaLMPassword: somethingremoved
> sambaNTPassword: somethingremoved
> 
> My Sid matches up:
> 
> [root at file-server samba]# net getlocalsid
> SID for domain IGB-FILE-SERVER is:
> S-1-5-21-3679620730-2824407525-958489067
> 
> The server should be the master browser:
> 
>   *****
> [2007/02/28 10:20:43, 0]
> nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(282)
>   become_domain_master_browser_bcast:
>   Attempting to become domain master browser on workgroup IGB on subnet
> 128.174.124.12
> [2007/02/28 10:20:43, 0]
> nmbd/nmbd_become_dmb.c:become_domain_master_browser_bcast(295)
>   become_domain_master_browser_bcast: querying subnet 128.174.124.12 for
> domain master browser on workgroup IGB
> [2007/02/28 10:20:47, 0]
> nmbd/nmbd_logonnames.c:become_logon_server_success(124)
>   become_logon_server_success: Samba is now a logon server for workgroup
> IGB on subnet 128.174.124.12
> [2007/02/28 10:20:51, 0]
> nmbd/nmbd_become_dmb.c:become_domain_master_stage2(113)
>   *****
> 
>   Samba server IGB-FILE-SERVER is now a domain master browser for
> workgroup IGB on subnet 128.174.124.12
> 
>   *****
> 
> 
> If I look at the log for doing the add, it appears as if this might be
> where the error is if I look at the tail end of the smb log for the
> client trying to add with a loglevel of 5:
> 
> 
> [2007/02/28 10:31:12, 5] auth/auth_util.c:debug_unix_user_token(505)
>   UNIX token of user 0
>   Primary group is 0 and contains 0 supplementary groups
> [2007/02/28 10:31:12, 5] smbd/uid.c:change_to_root_user(296)
>   change_to_root_user: now uid=(0,0) gid=(0,0)
> [2007/02/28 10:31:12, 3] smbd/sesssetup.c:reply_sesssetup_and_X(655)
>   wct=12 flg2=0xc807
> [2007/02/28 10:31:12, 2] smbd/sesssetup.c:setup_new_vc_session(608)
>   setup_new_vc_session: New VC == 0, if NT4.x compatible we would close
> all old resources.
> [2007/02/28 10:31:12, 3]
> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(535)
>   Doing spnego session setup
> [2007/02/28 10:31:12, 3]
> smbd/sesssetup.c:reply_sesssetup_and_X_spnego(566)
>   NativeOS=[Windows 2002 Service Pack 2 2600] NativeLanMan=[Windows 2002
> 5.1] PrimaryDomain=[]
> [2007/02/28 10:31:12, 3] libsmb/ntlmssp.c:ntlmssp_server_auth(615)
>   Got user=[administrator] domain=[igb] workstation=[SAMMY] len1=24
> len2=24
> [2007/02/28 10:31:12, 5]
> auth/auth_ntlmssp.c:auth_ntlmssp_set_challenge(66)
>   auth_context challenge set by NTLMSSP callback (NTLM2)
> [2007/02/28 10:31:12, 5]
> auth/auth_ntlmssp.c:auth_ntlmssp_set_challenge(67)
>   challenge is: 
> [2007/02/28 10:31:12, 5] lib/util.c:dump_data(1999)
>   [000] 81 8F 46 13 26 F9 07 3E                           ..F.&..> 
> 
> 
> For info, my globals from smb.conf are
> 
> 
> [global]
> 	workgroup = igb
> 	netbios name = IGB-FILE-SERVER
> 	server string = Samba Server
> 	passdb backend = ldapsam:ldap://auth.igb.uiuc.edu
> 	log file = /var/log/samba/%m.log
> 	max log size = 50
> 	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> 	domain logons = Yes
> 	dns proxy = No
> 	wins support = Yes
> 	ldap admin dn = cn=someonespecial,dc=igb,dc=uiuc,dc=edu
> 	ldap group suffix = ou=group
> 	ldap suffix = dc=igb,dc=uiuc,dc=edu
> 	ldap ssl = on
> 	ldap user suffix = ou=People
> 	ldap machine suffix =  ou=computer
> 	cups options = raw
>         log level = 10
> 
> 	add machine script = /usr/share/doc/samba-3.0.10/LDAP/smbldap-tools/smbldap-useradd.pl -w
> 	preferred master = Yes
> 	domain master = Yes
> 	os level = 65
> 	password server = None
> 	idmap uid = 1000-33554431
> 	idmap gid = 1000-33554431
> 	template shell = /bin/false
> 	username map = /etc/samba/smbusers
> 	winbind use default domain = no
> 
> 
> Any help still very much appreciated,
> 
> Dan
> 
> On Tue, 2007-02-27 at 12:57 -0600, Daniel Davidson wrote:
>> I have found and fixed my previous problems (two typos that were hard to
>> find) and now the smbldap-tools all work as expected if I run them as
>> root.  However when I try to join a domain from a windows machine, the
>> scripts never run and I get an "Access is denied" message.  Since I am
>> using 0.10 I do not think I can use net rpc rights, so do I need to add
>> that into ldap manually?  Or do I have to use a specific user other than
>> just someone in domain admins?
>>
>> thanks,
>>
>> Dan
>>
> 
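
Andrew's suggestion to look for the Samba search string in the LDAP log can be scripted. The following is an added example, not part of the original thread: it assumes the LDAP server is OpenLDAP slapd logging at "stats" level (the thread does not name the server), and the log lines and the SID in them are constructed. It pairs each search with its result and reports the base DN and filter of every search that errored or matched nothing.

```python
import re

# Constructed slapd "stats"-level log lines (assumed format, not from the thread).
SAMPLE_LOG = """\
Feb 28 10:31:12 auth slapd[2211]: conn=41 op=1 SRCH base="dc=igb,dc=uiuc,dc=edu" scope=2 deref=0 filter="(&(uid=administrator)(objectClass=sambaSamAccount))"
Feb 28 10:31:12 auth slapd[2211]: conn=41 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Feb 28 10:31:12 auth slapd[2211]: conn=41 op=2 SRCH base="ou=People,dc=igb,dc=uiuc,dc=edu" scope=2 deref=0 filter="(uid=dan)"
Feb 28 10:31:12 auth slapd[2211]: conn=41 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Feb 28 10:31:13 auth slapd[2211]: conn=42 op=1 SRCH base="ou=Idmap,dc=igb,dc=uiuc,dc=edu" scope=2 deref=0 filter="(sambaSID=S-1-5-21-1-2-3-500)"
Feb 28 10:31:13 auth slapd[2211]: conn=42 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
"""

# A search request line: connection id, operation id, base DN, filter.
SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=\d+ .*?filter="(.*)"\s*$')
# The matching result line: LDAP result code and number of entries returned.
RESULT = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)')


def failed_searches(log_text):
    """Return searches that ended with an LDAP error or with zero entries."""
    pending = {}   # (conn, op) -> (base, filter) awaiting a result line
    failures = []
    for line in log_text.splitlines():
        m = SRCH.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = (m.group(3), m.group(4))
            continue
        m = RESULT.search(line)
        if not m:
            continue
        request = pending.pop((m.group(1), m.group(2)), None)
        err, nentries = int(m.group(3)), int(m.group(4))
        if request and (err != 0 or nentries == 0):
            base, flt = request
            failures.append({"base": base, "filter": flt,
                             "err": err, "nentries": nentries})
    return failures


if __name__ == "__main__":
    for f in failed_searches(SAMPLE_LOG):
        print("err=%(err)d nentries=%(nentries)d base=%(base)s filter=%(filter)s" % f)
```

A result of err=32 (noSuchObject) points at a base DN that does not exist, which is what a wrong suffix setting in smb.conf would produce; err=0 with nentries=0 means the base exists but the filter matched no entry.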

