[Samba] Joining a Windows XP pc to Samba / LDAP domain

Paul Furness paul.furness at vil.ite.mee.com
Fri Feb 15 17:52:36 GMT 2008


Hi, guys,

I'm trying to create a PDC using Samba with an LDAP backend. According
to all the guides I read, this should be fairly easy really, but I've
done nothing else for the last week and it still doesn't work the way
the manual says it should! As far as I can see, everything is set up and
working correctly right up to the point when I try and join a machine to
the domain.

I've posted some extracts of my config files, log files, errors and the
versions of various things, below.

I pretty much exactly followed the "Making Happy Users" chapter of the
Samba guide.
These are the steps I've gone through (in summary), starting with a
clean build of Linux on the server and WinXP on the client. It starts
going wrong at step 8.
Oh just for completeness, both the new domain controller and the windows
PC are on their own, completely separate network, to ensure that the
existing domain / windows clients can have no effect whatsoever.

1. Install samba and LDAP on the server, together with phpldapadmin.

2. Configure slapd and got the ldap server working, and configure
phpldapadmin to let me connect and see what's going on, and create LDAP
entries directly if needed. Also configured PAM and NSS.

3. Configure samba as a PDC with an LDAP backend. Set the LDAP manager
password in samba. Got the SID.

5. Configured smbldap-tools, setting up the SID and LDAP details.

6. Created the linux groups for Domain Admins, Domain Users, Domain
Guests and Domain Computers.

7. Started LDAP and did an smbldap-populate. This gave exactly the right
response, and a look at the LDAP database proved it had created all the
appropriate entries. Tested the LDAP with "ldapsearch" and got the
expected response. Also checked NSS with getent and got the right
answers.

8. Added a user with smbldap-useradd then set the password for that user
with smbldap-passwd. This worked fine.

9. Checked that the root UID is set to 0. It is.

10. Checked that the user account is being read properly using pdbedit
-Lv. It is.

11. Started nmb, smb and winbind, and checked the logs to see if they are
behaving. They are.

12. Tried to join the domain from the PDC (which is named "PDC") with
"net rpc join -S PDC -U root%PASSWORD"

13. It fails. The message I get is: 
 Creation of workstation account failed
 Unable to join domain LDAPTEST.

14. Tried to join a windows XP PC to the domain. It finds the domain
controller ok, and then gives the error "The username could not be
found" which, from what I've been able to find out, means that the PC
account isn't being created properly on the domain.


What's *really* odd is that it seems to be creating the computer
accounts correctly in the ldap (you can see that in the ldif export
below). And yet, despite actually creating the account, it's insisting
that it isn't.

I tried deleting the LDAP entry for the computer, then creating it by
hand (smbldap-useradd -w pdc$) and it works fine. But the client still
insists that it's not joined the domain.

I *know* I'm typing the password correctly, and the log seems to bear
this out. It simply doesn't work, and I've completely run out of steam
trying to understand why. I'm presumably missing something significant
(and probably very simple). Can anyone offer some pointers - or even the
answer - before I quit computing and start driving trucks for a
living... :)

Thanks,

Paul.


Software versions:
==================
Fedora Linux 8 (fully patched as of 12 Feb), with samba 3.0.28, openldap
2.3.39-1.
Windows XP with SP2 and all current updates as of 12 Feb.

Error messages:
===============
in log.smb I get this when trying to join the domain:

[2008/02/15 17:21:44, 2] smbd/reply.c:reply_special(324)
  netbios connect: name1=PDC             name2=PDC
[2008/02/15 17:21:44, 2] smbd/reply.c:reply_special(331)
  netbios connect: local=pdc remote=pdc, name type = 0
[2008/02/15 17:21:44, 2] lib/smbldap.c:smbldap_open_connection(786)
  smbldap_open_connection: connection opened
[2008/02/15 17:21:44, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
  get_md4pw: Workstation PDC$: no account in domain
[2008/02/15 17:21:44, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
  _net_auth2: failed to get machine password for account PDC$:
NT_STATUS_ACCESS_DENIED
[2008/02/15 17:21:44, 2] smbd/reply.c:reply_special(324)
  netbios connect: name1=PDC             name2=PDC
[2008/02/15 17:21:44, 2] smbd/reply.c:reply_special(331)
  netbios connect: local=pdc remote=pdc, name type = 0
[2008/02/15 17:21:44, 2] lib/smbldap.c:smbldap_open_connection(786)
  smbldap_open_connection: connection opened
[2008/02/15 17:21:44, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
  init_sam_from_ldap: Entry found for user: root
[2008/02/15 17:21:44, 2] passdb/pdb_ldap.c:init_group_from_ldap(2158)
  init_group_from_ldap: Entry found for group: 512
[2008/02/15 17:21:44, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [root] -> [root] ->
[root] succeeded
[2008/02/15 17:21:45, 0]
passdb/pdb_interface.c:pdb_default_create_user(329)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w
'pdc$'' gave 9


Config file extracts:
=====================

slapd.conf
-----------
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema
...
access to attrs=userPassword
                by self write
                by * auth

access to attrs=shadowLastChange
                by self write
                by * read

access to *
                by * read
                by anonymous auth
...
database        bdb
suffix          "dc=vi-lab,dc=net"
rootdn          "cn=Manager,dc=vi-lab,dc=net"
rootpw          {SSHA}06qDkonA8hk6W6SSnRzWj0/pBcU3m0/P
directory     /var/lib/ldap


LDIF of running database
----------------------------
dn: dc=vi-lab,dc=net

objectClass: dcObject
objectClass: organization
o: vi-lab
dc: vi-lab

dn: ou=Computers,dc=vi-lab,dc=net
objectClass: top
objectClass: organizationalUnit
ou: Computers

dn: uid=pdc$,ou=Computers,dc=vi-lab,dc=net
objectClass: top
objectClass: account
objectClass: posixAccount
cn: pdc$
uid: pdc$
uidNumber: 1005
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer

dn: ou=Groups,dc=vi-lab,dc=net
objectClass: top
objectClass: organizationalUnit
ou: Groups

dn: cn=Account Operators,ou=Groups,dc=vi-lab,dc=net
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: Account Operators
description: Netbios Domain Users to manipulate users accounts
sambaSID: S-1-5-32-548
sambaGroupType: 5
displayName: Account Operators

dn: cn=Administrators,ou=Groups,dc=vi-lab,dc=net
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer/sambaD
 omainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators

dn: cn=Backup Operators,ou=Groups,dc=vi-lab,dc=net
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
description: Netbios Domain Members can bypass file security to back up file
 s
sambaSID: S-1-5-32-551
sambaGroupType: 5
displayName: Backup Operators

dn: cn=Domain Admins,ou=Groups,dc=vi-lab,dc=net
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: root
description: Netbios Domain Administrators
sambaSID: S-1-5-21-314791047-4281314283-1819700115-512
sambaGroupType: 2
displayName: Domain Admins

dn: cn=Domain Computers,ou=Groups,dc=vi-lab,dc=net
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-314791047-4281314283-1819700115-515
sambaGroupType: 2
displayName: Domain Computers

dn: cn=Domain Guests,ou=Groups,dc=vi-lab,dc=net
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
description: Netbios Domain Guests Users
sambaSID: S-1-5-21-314791047-4281314283-1819700115-514
sambaGroupType: 2
displayName: Domain Guests

dn: cn=Domain Users,ou=Groups,dc=vi-lab,dc=net
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
description: Netbios Domain Users
sambaSID: S-1-5-21-314791047-4281314283-1819700115-513
sambaGroupType: 2
displayName: Domain Users

dn: cn=Print Operators,ou=Groups,dc=vi-lab,dc=net
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: Print Operators
description: Netbios Domain Print Operators
sambaSID: S-1-5-32-550
sambaGroupType: 5
displayName: Print Operators

dn: cn=Replicators,ou=Groups,dc=vi-lab,dc=net
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 5
displayName: Replicators

dn: sambaSID=S-1-5-32-545,ou=Groups,dc=vi-lab,dc=net
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-545
sambaGroupType: 4
displayName: Users
gidNumber: 10000
sambaSIDList: S-1-5-21-314791047-4281314283-1819700115-513

dn: ou=Idmap,dc=vi-lab,dc=net
objectClass: top
objectClass: organizationalUnit
objectClass: sambaUnixIdPool
ou: Idmap
uidNumber: 10000
gidNumber: 10005

dn: ou=People,dc=vi-lab,dc=net
objectClass: top
objectClass: organizationalUnit
ou: People

dn: uid=furnesp,ou=People,dc=vi-lab,dc=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: furnesp
sn: furnesp
givenName: furnesp
uid: furnesp
uidNumber: 1000
gidNumber: 513
homeDirectory: /home/furnesp
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: furnesp
sambaSID: S-1-5-21-314791047-4281314283-1819700115-3000
sambaPrimaryGroupSID: S-1-5-21-314791047-4281314283-1819700115-513
sambaLogonScript: \export\netlogon\logon.bat
sambaProfilePath: \\%L\Profiles\furnesp
sambaHomePath: \\%L\furnesp
sambaHomeDrive: H:
sambaLMPassword: 6B7077BA8F8D8BD4AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: 15094F33692DB11DE3361C044289B84C
sambaPwdLastSet: 1203092614
sambaPwdMustChange: 1206980614
userPassword: {MD5}AYtqSZjKzvLjGzGaZCHV8g==
shadowLastChange: 13924
shadowMax: 45

dn: uid=nobody,ou=People,dc=vi-lab,dc=net
cn: nobody
sn: nobody
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 514
uid: nobody
uidNumber: 999
homeDirectory: /dev/null
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\%L\nobody
sambaHomeDrive: H:
sambaProfilePath: \\%L\Profiles\nobody
sambaPrimaryGroupSID: S-1-5-21-314791047-4281314283-1819700115-514
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [NUD        ]
sambaSID: S-1-5-21-314791047-4281314283-1819700115-2998
loginShell: /bin/false

dn: uid=root,ou=People,dc=vi-lab,dc=net
cn: root
sn: root
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
uid: root
uidNumber: 0
homeDirectory: /home/root
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomePath: \\%L\root
sambaHomeDrive: H:
sambaProfilePath: \\%L\Profiles\root
sambaPrimaryGroupSID: S-1-5-21-314791047-4281314283-1819700115-512
sambaSID: S-1-5-21-314791047-4281314283-1819700115-1000
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaLMPassword: BE6C2CB6DCCAB6C81AA818381E4E281B
sambaAcctFlags: [U]
sambaNTPassword: 7681889A48EB666054D449D996329A26
sambaPwdLastSet: 1203092468
sambaPwdMustChange: 1206980468
userPassword: {MD5}cIDsCbTZptdIWyvi6lJS0w==
shadowLastChange: 13924
shadowMax: 45
gidNumber: 0

dn: sambaDomainName=LDAPTEST,dc=vi-lab,dc=net
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: LDAPTEST
sambaSID: S-1-5-21-314791047-4281314283-1819700115
gidNumber: 1000
sambaNextRid: 1000
sambaPwdHistoryLength: 0
sambaMinPwdAge: 0
sambaMaxPwdAge: -1
uidNumber: 1006


smb.conf
----------
workgroup = LDAPTEST
netbios name = PDC
...
passdb backend = ldapsam:ldap://localhost
enable privileges = Yes
username map = /etc/samba/smbusers
smb ports = 139
name resolve order = wins bcast hosts
...
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
...
logon script = \export\netlogon\logon.bat
...
local master = yes
os level = 35
domain master = Yes
preferred master = Yes
domain logons = Yes
security = user
encrypt passwords = Yes
wins support = Yes
dns proxy = Yes
ldap suffix = dc=vi-lab,dc=net
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=vi-lab,dc=net
ldap ssl = no
ldap passwd sync = Yes
idmap backend = ldap:ldap://localhost
idmap uid = 10000-20000
idmap gid = 10000-20000

[homes]
                comment = Home Directories
                valid users = %S
                read only = No
                browseable = No

[printers]
                comment = SMB Print Spool
                path = /var/spool/samba
                guest ok = Yes
                printable = Yes
                browseable = No

[netlogon]
                comment = Local general disk on %h
                path = /export/netlogon
                guest ok = Yes
                locking = No
                public = yes
                writable = yes

[profiles]
                comment = Profile Share
                path = /export/profiles
                read only = No
                profile acls = Yes

[print$]
comment = Printer Drivers
path = /export/drivers
browseable = yes
guest ok = no
read only = yes
write list = root, furnesp


smbusers
-----------
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest

smbldap.conf
---------------
SID="S-1-5-21-314791047-4281314283-1819700115"
sambaDomain="LDAPTEST"
slaveLDAP="localhost"
slavePort="389"
masterLDAP="localhost"
masterPort="389"
ldapTLS="0"
...

suffix="dc=vi-lab,dc=org"
usersdn="ou=People,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=LDAPTEST,${suffix}"
scope="sub"
...
defaultUserGid="513"
defaultComputerGid="515"



---

Paul Furness BEng(Hons) MBCS
Systems Manager

MITSUBISHI ELECTRIC INFORMATION TECHNOLOGY CENTRE EUROPE B.V
VISUAL INFORMATION LABORATORY
20, Frederick Sanger Road
The Surrey Research Park
Guildford, Surrey GU2 7YD
UK Registered Branch BR 003158
DDI Telephone: +44 1483 885826
Tel: +44 1483 885800   Fax: +44 1483 579107
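Added example (not part of the post above, and not code from Samba or smbldap-tools): a small offline checker that reads the kind of LDIF export, slapd.conf ACL block, smb.conf and smbldap.conf extracts posted above and reports what a practitioner would look at first when "get_md4pw: Workstation PDC$: no account in domain" appears. Samba's ldapsam backend looks a machine up with a filter that requires objectClass sambaSamAccount, so an ou=Computers entry that is only a posixAccount (like the uid=pdc$ entry in the export) is invisible to it. The checker also reports two things visible in the extracts that are easy to miss: the slapd ACL names only userPassword and shadowLastChange, so with the trailing "access to * by * read" the sambaNTPassword and sambaLMPassword hashes (an NT hash is a pass-the-hash credential) are readable by any bind, anonymous included; and smbldap.conf's suffix (dc=org) differs from smb.conf's ldap suffix (dc=net). The pdc$ entry, ACL block and suffix lines are copied from the post; the ws01$ entry is constructed to show what a usable machine account looks like; the domain SID is the one from the post.

```python
import re

# uid=pdc$ entry as exported in the post; uid=ws01$ is a constructed, well-formed machine account.
SAMPLE_LDIF = """\
dn: uid=pdc$,ou=Computers,dc=vi-lab,dc=net
objectClass: top
objectClass: account
objectClass: posixAccount
cn: pdc$
uid: pdc$
uidNumber: 1005
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer

dn: uid=ws01$,ou=Computers,dc=vi-lab,dc=net
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
cn: ws01$
uid: ws01$
uidNumber: 1007
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
sambaSID: S-1-5-21-314791047-4281314283-1819700115-3014
sambaPrimaryGroupSID: S-1-5-21-314791047-4281314283-1819700115-515
sambaAcctFlags: [W          ]
"""

# ACL block and config lines copied from the post's extracts.
SAMPLE_SLAPD_ACL = """\
access to attrs=userPassword
                by self write
                by * auth

access to attrs=shadowLastChange
                by self write
                by * read

access to *
                by * read
                by anonymous auth
"""
SAMPLE_SMB_CONF = "ldap suffix = dc=vi-lab,dc=net\nldap machine suffix = ou=Computers\n"
SAMPLE_SMBLDAP_CONF = 'suffix="dc=vi-lab,dc=org"\ncomputersdn="ou=Computers,${suffix}"\n'
DOMAIN_SID = "S-1-5-21-314791047-4281314283-1819700115"

HASH_ATTRS = ("userpassword", "sambalmpassword", "sambantpassword")


def parse_ldif(text):
    """Parse a text LDIF export into a list of {attr: [values]} dicts.
    Folded continuation lines (newline + space) are re-joined first and
    attribute names are lowercased, since LDAP compares them case-insensitively."""
    unfolded = re.sub(r"\n ", "", text)
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries


def check_machine_account(entry, domain_sid):
    """Reasons Samba's ldapsam backend would not treat this entry as a machine account."""
    problems = []
    uid = entry.get("uid", [""])[0]
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if not uid.endswith("$"):
        problems.append("uid does not end in '$'")
    if "sambasamaccount" not in classes:
        problems.append("missing objectClass sambaSamAccount (ldapsam lookup filter requires it)")
    sid = entry.get("sambasid", [""])[0]
    if not sid:
        problems.append("missing sambaSID")
    elif not sid.startswith(domain_sid + "-"):
        problems.append("sambaSID %s is not under domain SID %s" % (sid, domain_sid))
    if "W" not in entry.get("sambaacctflags", [""])[0]:
        problems.append("sambaAcctFlags lacks 'W' (workstation trust account)")
    return problems


def unprotected_hash_attrs(slapd_conf):
    """Password-hash attributes not named in any 'access to attrs=' clause; they then
    fall through to the catch-all 'access to *' rule and inherit its read permission."""
    covered = set()
    for m in re.finditer(r"^\s*access\s+to\s+attrs=(\S+)", slapd_conf, re.M | re.I):
        covered.update(a.strip().lower() for a in m.group(1).split(","))
    return [a for a in HASH_ATTRS if a not in covered]


def suffix_mismatch(smb_conf, smbldap_conf):
    """(smb.conf suffix, smbldap.conf suffix) when the two tools disagree on the base DN, else None."""
    a = re.search(r"^\s*ldap suffix\s*=\s*(.+?)\s*$", smb_conf, re.M)
    b = re.search(r'^\s*suffix\s*=\s*"?([^"\n]+?)"?\s*$', smbldap_conf, re.M)
    if not a or not b:
        return None
    norm = lambda s: re.sub(r"\s*,\s*", ",", s).lower()
    return None if norm(a.group(1)) == norm(b.group(1)) else (a.group(1), b.group(1))


def audit(ldif, slapd_conf, smb_conf, smbldap_conf, domain_sid):
    """Run every check and return one report dict keyed by finding type."""
    report = {"machines": {},
              "unprotected_hash_attrs": unprotected_hash_attrs(slapd_conf),
              "suffix_mismatch": suffix_mismatch(smb_conf, smbldap_conf)}
    for e in parse_ldif(ldif):
        if "ou=computers" in e.get("dn", [""])[0].lower():
            report["machines"][e["uid"][0]] = check_machine_account(e, domain_sid)
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_LDIF, SAMPLE_SLAPD_ACL, SAMPLE_SMB_CONF,
                           SAMPLE_SMBLDAP_CONF, DOMAIN_SID), indent=2))
```

On a live server the equivalent of the machine-account check is `pdbedit -Lv 'pdc$'`: if ldapsam cannot see the account there, the NetLogon authenticate step in the posted log cannot see it either, whatever a raw ldapsearch under ou=Computers shows.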


