[Samba] Windows 2000 pro doesn't join a domain with Samba+Ldap
(linux)
Hector Blanco
white.lists at gmail.com
Fri Feb 22 23:51:07 GMT 2008
Hello people...
I had to sign up in the list because I don't know what else I could
do... I can't find my error anywhere!! :(
The thing is that I have a Linux server with Ldap (openldap2.3) +
Samba (3.0.26) + smbldap-tools (0.9.2-3), and I want to authenticate a
Windows 2000 Professional client machine against that server, but it
won't work!!
The domain is called "JOME", and the LDAP database structure is
something like this (I hope you'll be able to see it properly)
dc=jome
|
\-cn=Admin
|
\-ou=Group
| |
| \- cn= Account operators
| \- cn= Administrators
| \- cn= Backup Operators
| \- cn= Domain Admins
| \- cn= Domain Computers
| \- cn= Domain Guests
| \- cn= Domain Users
| \- cn= Print operators
| \- cn= Replicators
| \- cn= test
|
\-ou=Hosts
| |
| \- uid=Enano$
| \- uid=xxxx$
|
\-ou=Idmap
|
\-ou=People
| |
| \- uid=nobody
| \- uid=root
| \- uid=test
\-sambaDomainName=JOME
The user root is the Netbios Domain Administrator and its
sambaPrimaryGroupSID is the same as Domain Admins.
All the Group accounts in ou=Group except "test" were created by
smbldap-populate.
The Linux server is the host called "xxxx" and the Windows client is
the host "enano".
When I try to join the domain "JOME" from Windows, I am prompted for a
user that has permission to create "things" in the domain. I fill the
textboxes with "root" and the "rootpass", and in the samba.log file of
the server (if the debug level is 2 or higher), it appears:
"authentication for user [root] -> [root] -> [root] succeeded". After
this, the machine (enano$) is properly created (if it doesn't exist) in
the Ldap schema (a new entry called enano$ appears in
ou=Hosts,dc=jome) as shown in the diagram above. The thing is that
everything seems to be fine until an "error window dialog" with a very
ugly red signal appears on the Windows machine, saying "username not
found". I think it must be something wrong with the user "root",
because if I try a username that is really non-existent (john, for
instance) or if I mistype the password, the message that appears in
Windows is different (on my computer it appears in Spanish, but it's
something like "session starting error: username not found or wrong
password")... I've tried to put a higher debug level in samba
(smb.conf-> debug level=3) and between several other messages, it
appears:
[2008/02/22 15:33:37, 3] passdb/pdb_interface.c:pdb_default_create_user(354)
pdb_default_create_user: failed to create a new user structure:
NT_STATUS_NO_SUCH_USER
But I don't know what user structure it may be... and I don't know why
this error only appears when the debug level is that high (I've been
googling around, and this level was only recommended for developers).
Anyway, I'm attaching a part of the samba.log file (a complete
process). You can see on lines #108 and
#118 that it seems to be authenticating "root" properly, and on line
#482 the error NT_STATUS_NO_SUCH_USER (as I said, this only appears
with debug level=3 so I don't know if it is very serious or not...)
I'm not sure what kind of "user structure" it is trying to create and
why it can't (it was supposed to be able to create an "enano$" user...
why can't it do the same now?). As you may see, the log is not complete;
I took away some lines that I didn't consider relevant (maybe they
were, but...). I'm sorry a couple of attachments had to be compressed,
but otherwise the mail wouldn't be accepted.
I have read somewhere
(http://www.mami.net/univr/tng-ldap/howto/#how_to_join_windows_2000_to_domain)
that I need an entry in /etc/passwd for each machine. Ldap is "making"
the passwd, but the machines (enano$ and xxxx$) are not "users". A
getent passwd gives this:
root at xxxx# getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
dhcp:x:100:101::/nonexistent:/bin/false
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
hplip:x:103:7:HPLIP system user,,,:/var/run/hplip:/bin/false
avahi-autoipd:x:104:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
messagebus:x:105:113::/var/run/dbus:/bin/false
avahi:x:106:114:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
gdm:x:107:116:Gnome Display Manager:/var/lib/gdm:/bin/false
haldaemon:x:108:117:Hardware abstraction layer,,,:/home/haldaemon:/bin/false
hector:x:1000:1000:Hector Blanco,,,:/home/hector:/bin/bash
openldap:x:109:120:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
test:x:2000:2000:Test User:/home/test:/bin/bash
root:x:0:0:Netbios Domain Administrator:/tmp:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
(the last three users: test, root and nobody only exist in the Ldap database)
Ah, and from the Windows client I am able to access the shared
resources of the server when I login as "root" or "test" (users from
the ldap entry ou=People).
Just in case... an anonymous (without password) smbclient -L to the
samba server gives this:
root at xxxx:/var/lib/samba/netlogon# smbclient -L 192.168.1.30
Password:
Domain=[JOME] OS=[Unix] Server=[Samba 3.0.26a]
Sharename Type Comment
--------- ---- -------
netlogon Disk Network Logon Service
profiles Disk Profile Share
print$ Disk Printer Drivers
IPC$ IPC IPC Service (xxxx PDC server Version 3.0.26a)
Domain=[JOME] OS=[Unix] Server=[Samba 3.0.26a]
Server Comment
--------- -------
XXXX xxxx PDC server Version 3.0.26a
Workgroup Master
--------- -------
JOME XXXX
I am also attaching the Ldap tree (compressed too, sorry), the smb.conf
file and the sambaldap-tools.conf file... just in case...
Sorry for such a huge message, but I have no idea of what's wrong...
Thank you very much in advance... Any hint (whatever) will be deeply
appreciated!!
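Two things in the quoted getent output are worth checking mechanically before chasing the NT_STATUS_NO_SUCH_USER message further: the machine trust accounts (enano$, xxxx$) that the linked howto says must be visible through passwd are absent, and "root" and "nobody" each appear twice (a local entry and an LDAP entry), so NSS will only ever serve the first one. The script below is an added example, not part of the original post or of Samba; it parses passwd-format text and reports duplicated names, UID-0 accounts and machine names whose NAME$ account is missing. SAMPLE_GETENT is a constructed excerpt shaped like the post's output, and the hostnames passed in are assumed from the post.

```python
from collections import defaultdict

# Constructed sample in the shape of the `getent passwd` output quoted in the
# post: a few local entries followed by the LDAP-provided ones. It is not the
# original output; it deliberately keeps the duplicated "root" and "nobody".
SAMPLE_GETENT = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
hector:x:1000:1000:Hector Blanco,,,:/home/hector:/bin/bash
test:x:2000:2000:Test User:/home/test:/bin/bash
root:x:0:0:Netbios Domain Administrator:/tmp:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
"""


def parse_passwd(text):
    """Parse passwd(5)-format lines into dicts, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def duplicate_names(entries):
    """Names that appear more than once; NSS resolves only the first match."""
    seen = defaultdict(list)
    for e in entries:
        seen[e["name"]].append(e)
    return {name: es for name, es in seen.items() if len(es) > 1}


def uid_zero_accounts(entries):
    """Distinct account names that map to UID 0."""
    return sorted({e["name"] for e in entries if e["uid"] == 0})


def missing_machine_accounts(entries, hostnames):
    """Hostnames whose trust account (hostname followed by '$') is not in passwd."""
    present = {e["name"] for e in entries}
    return [h for h in hostnames if f"{h}$" not in present]


def report(text, hostnames):
    """Run all three checks over passwd-format text and return the findings."""
    entries = parse_passwd(text)
    return {
        "duplicates": sorted(duplicate_names(entries)),
        "uid0": uid_zero_accounts(entries),
        "missing_machines": missing_machine_accounts(entries, hostnames),
    }


if __name__ == "__main__":
    # Hostnames assumed from the post: the client "enano" and the server "xxxx".
    for key, value in report(SAMPLE_GETENT, ["enano", "xxxx"]).items():
        print(f"{key}: {value}")
```

On a real server the text would come from `getent passwd` (which merges local files and the LDAP NSS source), so an empty `missing_machines` list is the quick confirmation that the machine accounts are reachable through NSS, and a non-empty `duplicates` list points at a name that the LDAP backend and /etc/passwd both define.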