[Samba] Joining a Windows XP pc to Samba / LDAP domain

Adam Williams awilliam at mdah.state.ms.us
Fri Feb 15 18:50:41 GMT 2008


Seems like you have a machine account problem. So you're trying to join 
a computer named pdc$ to the domain called PDC?

what is the output of

ldapsearch -D 'cn=Manager,dc=example,dc=com' \
  -b "uid=pdc$,ou=People,dc=example,dc=com" -w xxxxxxxxxxx -x

I load my machine accounts by hand; here's an example file:

[root at gomer ~]# cat domain2\$.ldif
dn: uid=domain2$,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: account
objectClass: top
uid: domain2$
uidNumber: 2003
gidNumber: 514
homeDirectory: /dev/null
cn: domain2$

and load it with

ldapadd -D "cn=Manager,dc=example,dc=com" -w xxxxxxxxxxxx -x -v -f \
  domain2\$.ldif

Paul Furness wrote:
> Hi, guys,
>
> I'm trying to create a PDC using Samba with an LDAP backend. According
> to all the guides I read, this should be fairly easy really, but I've
> done nothing else for the last week and it still doesn't work the way
> the manual says it should! As far as I can see, everything is set up and
> working correctly right up to the point when I try and join a machine to
> the domain.
>
> I've posted some extracts of my config files, log files, errors and the
> versions of various things, below.
>
> I pretty much exactly followed the "Making Happy Users" chapter of the
> Samba guide.
> These are the steps I've gone through (in summary), starting with a
> clean build of linux on the server and WinXP on the client. It starts
> going wrong at step 8.
> Oh just for completeness, both the new domain controller and the windows
> PC are on their own, completely separate network, to ensure that the
> existing domain / windows clients can have no effect whatsoever.
>
> 1. Install samba and LDAP on the server, together with phpldapadmin.
>
> 2. Configure slapd and got the ldap server working, and configure
> phpldapadmin to let me connect and see what's going on, and create LDAP
> entries directly if needed. Also configured PAM and NSS.
>
> 3. Configure samba as a PDC with an LDAP backend. Set the LDAP manager
> password in samba. Got the SID.
>
> 5. Configured smbldap-tools, setting up the SID and LDAP details.
>
> 6. Created the linux groups for Domain Admins, Domain Users, Domain
> Guests and Domain Computers.
>
> 7. Started LDAP and did an smbldap-populate. This gave exactly the right
> response and a look at the ldap database proved it had created all the
> appropriate entries. Tested the ldap with "ldapsearch" and got the
> expected response. Also checked NSS with getent and got the right
> answers.
>
> 8. Added a user with smbldap-useradd then set the password for that user
> with smbldap-passwd. This worked fine.
>
> 9. Checked that the root UID is set to 0. It is.
>
> 10. Checked that the user account is being read properly using pdbedit
> -Lv. It is.
>
> 11. Started nmb, smb and winbind, and checked the logs to see if they are
> behaving. They are.
>
> 12. Tried to join the domain from the pdc (which is named "PDC") with
> "net rpc join -S PDC -U root%PASSWORD"
>
> 13. It fails. The message I get is: 
>  Creation of workstation account failed
>  Unable to join domain LDAPTEST.
>
> 14. Tried to join a windows XP PC to the domain. It finds the domain
> controller ok, and then gives the error "The username could not be
> found" which, from what I've been able to find out, means that the PC
> account isn't being created properly on the domain.
>
>
> What's *really* odd is that it seems to be creating the computer
> accounts correctly in the ldap (you can see that in the ldif export
> below). And yet, despite actually creating the account, it's insisting
> that it isn't.
>
> I tried deleting the ldap entry for the computer, then creating it by
> hand (smbldap-useradd -w pdc$) and it works fine. But the client still
> insists that it's not joined the domain.
>
> I *know* I'm typing the password correctly, and the log seems to bear
> this out. It simply doesn't work, and I've completely run out of steam
> trying to understand why. I'm presumably missing something significant
> (and probably very simple). Can anyone offer some pointers - or even the
> answer - before I quit computing and start driving trucks for a
> living... :)
>
> Thanks,
>
> Paul.
>
>
> Software versions:
> =============
> Fedora linux 8 (fully patched as of 12 Feb), with samba 3.0.28, openldap
> 2.3.39-1.
> Windows XP with SP2 and all current updates as of 12 Feb.
>
> Error messages:
> ===========
> in log.smb I get this when trying to join the domain:
>
> [2008/02/15 17:21:44, 2] smbd/reply.c:reply_special(324)
>   netbios connect: name1=PDC             name2=PDC
> [2008/02/15 17:21:44, 2] smbd/reply.c:reply_special(331)
>   netbios connect: local=pdc remote=pdc, name type = 0
> [2008/02/15 17:21:44, 2] lib/smbldap.c:smbldap_open_connection(786)
>   smbldap_open_connection: connection opened
> [2008/02/15 17:21:44, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
>   get_md4pw: Workstation PDC$: no account in domain
> [2008/02/15 17:21:44, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
>   _net_auth2: failed to get machine password for account PDC$:
> NT_STATUS_ACCESS_DENIED
> [2008/02/15 17:21:44, 2] smbd/reply.c:reply_special(324)
>   netbios connect: name1=PDC             name2=PDC
> [2008/02/15 17:21:44, 2] smbd/reply.c:reply_special(331)
>   netbios connect: local=pdc remote=pdc, name type = 0
> [2008/02/15 17:21:44, 2] lib/smbldap.c:smbldap_open_connection(786)
>   smbldap_open_connection: connection opened
> [2008/02/15 17:21:44, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
>   init_sam_from_ldap: Entry found for user: root
> [2008/02/15 17:21:44, 2] passdb/pdb_ldap.c:init_group_from_ldap(2158)
>   init_group_from_ldap: Entry found for group: 512
> [2008/02/15 17:21:44, 2] auth/auth.c:check_ntlm_password(309)
>   check_ntlm_password:  authentication for user [root] -> [root] ->
> [root] succeeded
> [2008/02/15 17:21:45, 0]
> passdb/pdb_interface.c:pdb_default_create_user(329)
>   _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w
> 'pdc$'' gave 9
>
>
> Config file extracts:
> ==============
>
> slapd.conf
> -----------
> include         /etc/openldap/schema/core.schema
> include         /etc/openldap/schema/cosine.schema
> include         /etc/openldap/schema/inetorgperson.schema
> include         /etc/openldap/schema/nis.schema
> include         /etc/openldap/schema/samba.schema
> ...
> access to attrs=userPassword
>                 by self write
>                 by * auth
>
> access to attrs=shadowLastChange
>                 by self write
>                 by * read
>
> access to *
>                 by * read
>                 by anonymous auth
> ...
> database        bdb
> suffix          "dc=vi-lab,dc=net"
> rootdn          "cn=Manager,dc=vi-lab,dc=net"
> rootpw          {SSHA}06qDkonA8hk6W6SSnRzWj0/pBcU3m0/P
> directory     /var/lib/ldap
>
>
> LDIF of running database
> ----------------------------
> dn: dc=vi-lab,dc=net
>
> objectClass: dcObject
> objectClass: organization
> o: vi-lab
> dc: vi-lab
>
> dn: ou=Computers,dc=vi-lab,dc=net
> objectClass: top
> objectClass: organizationalUnit
> ou: Computers
>
> dn: uid=pdc$,ou=Computers,dc=vi-lab,dc=net
> objectClass: top
> objectClass: account
> objectClass: posixAccount
> cn: pdc$
> uid: pdc$
> uidNumber: 1005
> gidNumber: 515
> homeDirectory: /dev/null
> loginShell: /bin/false
> description: Computer
> gecos: Computer
>
> dn: ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: organizationalUnit
> ou: Groups
>
> dn: cn=Account Operators,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 548
> cn: Account Operators
> description: Netbios Domain Users to manipulate users accounts
> sambaSID: S-1-5-32-548
> sambaGroupType: 5
> displayName: Account Operators
>
> dn: cn=Administrators,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 544
> cn: Administrators
> description: Netbios Domain Members can fully administer the computer/sambaD
>  omainName
> sambaSID: S-1-5-32-544
> sambaGroupType: 5
> displayName: Administrators
>
> dn: cn=Backup Operators,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 551
> cn: Backup Operators
> description: Netbios Domain Members can bypass file security to back up file
>  s
> sambaSID: S-1-5-32-551
> sambaGroupType: 5
> displayName: Backup Operators
>
> dn: cn=Domain Admins,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 512
> cn: Domain Admins
> memberUid: root
> description: Netbios Domain Administrators
> sambaSID: S-1-5-21-314791047-4281314283-1819700115-512
> sambaGroupType: 2
> displayName: Domain Admins
>
> dn: cn=Domain Computers,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 515
> cn: Domain Computers
> description: Netbios Domain Computers accounts
> sambaSID: S-1-5-21-314791047-4281314283-1819700115-515
> sambaGroupType: 2
> displayName: Domain Computers
>
> dn: cn=Domain Guests,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 514
> cn: Domain Guests
> description: Netbios Domain Guests Users
> sambaSID: S-1-5-21-314791047-4281314283-1819700115-514
> sambaGroupType: 2
> displayName: Domain Guests
>
> dn: cn=Domain Users,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 513
> cn: Domain Users
> description: Netbios Domain Users
> sambaSID: S-1-5-21-314791047-4281314283-1819700115-513
> sambaGroupType: 2
> displayName: Domain Users
>
> dn: cn=Print Operators,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 550
> cn: Print Operators
> description: Netbios Domain Print Operators
> sambaSID: S-1-5-32-550
> sambaGroupType: 5
> displayName: Print Operators
>
> dn: cn=Replicators,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 552
> cn: Replicators
> description: Netbios Domain Supports file replication in a sambaDomainName
> sambaSID: S-1-5-32-552
> sambaGroupType: 5
> displayName: Replicators
>
> dn: sambaSID=S-1-5-32-545,ou=Groups,dc=vi-lab,dc=net
> objectClass: sambaSidEntry
> objectClass: sambaGroupMapping
> sambaSID: S-1-5-32-545
> sambaGroupType: 4
> displayName: Users
> gidNumber: 10000
> sambaSIDList: S-1-5-21-314791047-4281314283-1819700115-513
>
> dn: ou=Idmap,dc=vi-lab,dc=net
> objectClass: top
> objectClass: organizationalUnit
> objectClass: sambaUnixIdPool
> ou: Idmap
> uidNumber: 10000
> gidNumber: 10005
>
> dn: ou=People,dc=vi-lab,dc=net
> objectClass: top
> objectClass: organizationalUnit
> ou: People
>
> dn: uid=furnesp,ou=People,dc=vi-lab,dc=net
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: sambaSamAccount
> cn: furnesp
> sn: furnesp
> givenName: furnesp
> uid: furnesp
> uidNumber: 1000
> gidNumber: 513
> homeDirectory: /home/furnesp
> loginShell: /bin/bash
> gecos: System User
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> displayName: furnesp
> sambaSID: S-1-5-21-314791047-4281314283-1819700115-3000
> sambaPrimaryGroupSID: S-1-5-21-314791047-4281314283-1819700115-513
> sambaLogonScript: \export\netlogon\logon.bat
> sambaProfilePath: \\%L\Profiles\furnesp
> sambaHomePath: \\%L\furnesp
> sambaHomeDrive: H:
> sambaLMPassword: 6B7077BA8F8D8BD4AAD3B435B51404EE
> sambaAcctFlags: [U]
> sambaNTPassword: 15094F33692DB11DE3361C044289B84C
> sambaPwdLastSet: 1203092614
> sambaPwdMustChange: 1206980614
> userPassword: {MD5}AYtqSZjKzvLjGzGaZCHV8g==
> shadowLastChange: 13924
> shadowMax: 45
>
> dn: uid=nobody,ou=People,dc=vi-lab,dc=net
> cn: nobody
> sn: nobody
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: sambaSamAccount
> objectClass: posixAccount
> objectClass: shadowAccount
> gidNumber: 514
> uid: nobody
> uidNumber: 999
> homeDirectory: /dev/null
> sambaPwdLastSet: 0
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaPwdMustChange: 2147483647
> sambaHomePath: \\%L\nobody
> sambaHomeDrive: H:
> sambaProfilePath: \\%L\Profiles\nobody
> sambaPrimaryGroupSID: S-1-5-21-314791047-4281314283-1819700115-514
> sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
> sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
> sambaAcctFlags: [NUD        ]
> sambaSID: S-1-5-21-314791047-4281314283-1819700115-2998
> loginShell: /bin/false
>
> dn: uid=root,ou=People,dc=vi-lab,dc=net
> cn: root
> sn: root
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: sambaSamAccount
> objectClass: posixAccount
> objectClass: shadowAccount
> uid: root
> uidNumber: 0
> homeDirectory: /home/root
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaHomePath: \\%L\root
> sambaHomeDrive: H:
> sambaProfilePath: \\%L\Profiles\root
> sambaPrimaryGroupSID: S-1-5-21-314791047-4281314283-1819700115-512
> sambaSID: S-1-5-21-314791047-4281314283-1819700115-1000
> loginShell: /bin/false
> gecos: Netbios Domain Administrator
> sambaLMPassword: BE6C2CB6DCCAB6C81AA818381E4E281B
> sambaAcctFlags: [U]
> sambaNTPassword: 7681889A48EB666054D449D996329A26
> sambaPwdLastSet: 1203092468
> sambaPwdMustChange: 1206980468
> userPassword: {MD5}cIDsCbTZptdIWyvi6lJS0w==
> shadowLastChange: 13924
> shadowMax: 45
> gidNumber: 0
>
> dn: sambaDomainName=LDAPTEST,dc=vi-lab,dc=net
> objectClass: top
> objectClass: sambaDomain
> objectClass: sambaUnixIdPool
> sambaDomainName: LDAPTEST
> sambaSID: S-1-5-21-314791047-4281314283-1819700115
> gidNumber: 1000
> sambaNextRid: 1000
> sambaPwdHistoryLength: 0
> sambaMinPwdAge: 0
> sambaMaxPwdAge: -1
> uidNumber: 1006
>
>
> smb.conf
> ----------
> workgroup = LDAPTEST
> netbios name = PDC
> ...
> passdb backend = ldapsam:ldap://localhost
> enable privileges = Yes
> username map = /etc/samba/smbusers
> smb ports = 139
> name resolve order = wins bcast hosts
> ...
> add user script = /usr/sbin/smbldap-useradd -m '%u'
> delete user script = /usr/sbin/smbldap-userdel %u
> add group script = /usr/sbin/smbldap-groupadd -p '%g'
> delete group script = /usr/sbin/smbldap-groupdel '%g'
> add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
> delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
> add machine script = /usr/sbin/smbldap-useradd -w '%u'
> ...
> logon script = \export\netlogon\logon.bat
> ...
> local master = yes
> os level = 35
> domain master = Yes
> preferred master = Yes
> domain logons = Yes
> security = user
> encrypt passwords = Yes
> wins support = Yes
> dns proxy = Yes
> ldap suffix = dc=vi-lab,dc=net
> ldap machine suffix = ou=Computers
> ldap user suffix = ou=People
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> ldap admin dn = cn=Manager,dc=vi-lab,dc=net
> ldap ssl = no
> ldap passwd sync = Yes
> idmap backend = ldap:ldap://localhost
> idmap uid = 10000-20000
> idmap gid = 10000-20000
>
> [homes]
>                 comment = Home Directories
>                 valid users = %S
>                 read only = No
>                 browseable = No
>
> [printers]
>                 comment = SMB Print Spool
>                 path = /var/spool/samba
>                 guest ok = Yes
>                 printable = Yes
>                 browseable = No
>
> [netlogon]
>                 comment = Local general disk on %h
>                 path = /export/netlogon
>                 guest ok = Yes
>                 locking = No
>                 public = yes
>                 writable = yes
>
> [profiles]
>                 comment = Profile Share
>                 path = /export/profiles
>                 read only = No
>                 profile acls = Yes
>
> [print$]
> comment = Printer Drivers
> path = /export/drivers
> browseable = yes
> guest ok = no
> read only = yes
> write list = root, furnesp
>
>
> smbusers
> -----------
> # Unix_name = SMB_name1 SMB_name2 ...
> root = administrator admin
> nobody = guest pcguest smbguest
>
> smbldap.conf
> ---------------
> SID="S-1-5-21-314791047-4281314283-1819700115"
> sambaDomain="LDAPTEST"
> slaveLDAP="localhost"
> slavePort="389"
> masterLDAP="localhost"
> masterPort="389"
> ldapTLS="0"
> ...
>
> suffix="dc=vi-lab,dc=org"
> usersdn="ou=People,${suffix}"
> computersdn="ou=Computers,${suffix}"
> groupsdn="ou=Groups,${suffix}"
> idmapdn="ou=Idmap,${suffix}"
> sambaUnixIdPooldn="sambaDomainName=LDAPTEST,${suffix}"
> scope="sub"
> ...
> defaultUserGid="513"
> defaultComputerGid="515"
>
>
>
> ---
>
> Paul Furness BEng(Hons) MBCS
> Systems Manager
>
> MITSUBISHI ELECTRIC INFORMATION TECHNOLOGY CENTRE EUROPE B.V
> VISUAL INFORMATION LABORATORY
> 20, Frederick Sanger Road
> The Surrey Research Park
> Guildford, Surrey GU2 7YD
> UK Registered Branch BR 003158
> DDI Telephone: +44 1483 885826
> Tel: +44 1483 885800   Fax: +44 1483 579107
>
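Added example, not code from either message in the thread: a small Python checker that asks Adam's question (is there a machine account where Samba looks for it?) over trimmed copies of the smb.conf, smbldap.conf and LDIF fragments Paul posted, together with the two agreement checks a practitioner makes alongside it: that smb.conf, smbldap.conf and the directory use the same base DN, and that the SID smbldap-tools stamp on new accounts is the one on the sambaDomain entry. The function names are assumptions of this example; the DN layout and the fact that Samba 3's ldapsam only matches entries carrying objectClass sambaSamAccount are Samba behaviour.

```python
"""Consistency checks for a failed Samba/LDAP machine-account join.

Added example, not code from the thread. Function names are this example's
own; the DN layout and sambaSamAccount requirement are Samba 3 ldapsam behaviour.
"""
import re

# Trimmed from the smb.conf extract in the post.
SMB_CONF = """
workgroup = LDAPTEST
netbios name = PDC
add machine script = /usr/sbin/smbldap-useradd -w '%u'
ldap suffix = dc=vi-lab,dc=net
ldap machine suffix = ou=Computers
"""

# Trimmed from the smbldap.conf extract in the post.
SMBLDAP_CONF = """
SID="S-1-5-21-314791047-4281314283-1819700115"
sambaDomain="LDAPTEST"
suffix="dc=vi-lab,dc=org"
computersdn="ou=Computers,${suffix}"
"""

# Two entries from the LDIF dump in the post.
LDIF_DUMP = """
dn: uid=pdc$,ou=Computers,dc=vi-lab,dc=net
objectClass: top
objectClass: account
objectClass: posixAccount
uid: pdc$
uidNumber: 1005
gidNumber: 515

dn: sambaDomainName=LDAPTEST,dc=vi-lab,dc=net
objectClass: top
objectClass: sambaDomain
sambaDomainName: LDAPTEST
sambaSID: S-1-5-21-314791047-4281314283-1819700115
"""


def parse_smb_conf(text):
    """'key = value' lines of smb.conf, keys lower-cased; sections/comments skipped."""
    conf = {}
    for line in text.splitlines():
        stripped = line.strip()
        if "=" in stripped and not stripped.startswith(("#", ";", "[")):
            key, _, value = stripped.partition("=")
            conf[key.strip().lower()] = value.strip()
    return conf


def parse_smbldap_conf(text):
    """key="value" lines of smbldap.conf, with ${var} references expanded in order."""
    conf = {}
    for key, value in re.findall(r'^(\w+)="([^"]*)"', text, re.M):
        conf[key] = re.sub(r"\$\{(\w+)\}", lambda m: conf.get(m.group(1), ""), value)
    return conf


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attribute: [values]}}; no folding or base64."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip(), value.strip()
        if attr.lower() == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def check_join(account, smb_conf, smbldap_conf, directory):
    """Return human-readable findings; an empty list means the pieces agree."""
    findings = []
    # Samba searches under 'ldap suffix'; the add machine script writes under
    # smbldap.conf's own 'suffix'. Both must name the same subtree.
    if smb_conf["ldap suffix"].lower() != smbldap_conf["suffix"].lower():
        findings.append(f"suffix mismatch: smb.conf uses {smb_conf['ldap suffix']}, "
                        f"smbldap.conf uses {smbldap_conf['suffix']}")
    # The SID smbldap-tools stamp on new accounts must be the domain's SID.
    domain_dn = f"sambaDomainName={smbldap_conf['sambaDomain']},{smb_conf['ldap suffix']}"
    domain_sid = directory.get(domain_dn, {}).get("sambaSID", [None])[0]
    if domain_sid != smbldap_conf["SID"]:
        findings.append(f"SID mismatch: {domain_dn} has {domain_sid}, "
                        f"smbldap.conf has {smbldap_conf['SID']}")
    # Where ldapsam expects the machine account, and what it must look like:
    # its lookup filter combines uid with objectClass=sambaSamAccount, so a
    # bare posixAccount entry is invisible to it ("no account in domain").
    machine_dn = f"uid={account},{smb_conf['ldap machine suffix']},{smb_conf['ldap suffix']}"
    entry = directory.get(machine_dn)
    if entry is None:
        findings.append(f"no entry at {machine_dn}")
    elif "sambaSamAccount" not in entry.get("objectClass", []):
        findings.append(f"{machine_dn} exists but has no objectClass sambaSamAccount")
    return findings


def run_checks():
    """The checks applied to the fragments from the post."""
    return check_join("pdc$", parse_smb_conf(SMB_CONF),
                      parse_smbldap_conf(SMBLDAP_CONF), parse_ldif(LDIF_DUMP))
```

Calling run_checks() on the posted fragments yields two findings: the suffix in smbldap.conf (dc=vi-lab,dc=org) is not the ldap suffix in smb.conf (dc=vi-lab,dc=net), so smbldap-useradd and Samba are not working in the same subtree, and the uid=pdc$ entry that does exist carries only account/posixAccount, which is the state in which get_md4pw reports "no account in domain". The checker says nothing about why smbldap-useradd exited with status 9; it only narrows down where the configured pieces disagree, which is the same question Adam's ldapsearch asks against the live directory.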