[Samba] Windows 2000 pro doesn't join a domain with Samba+Ldap (linux)

Hector Blanco white.lists at gmail.com
Fri Feb 22 23:51:07 GMT 2008 

Hello people...

I had to sign up in the list because I don't know what else I could
do... I can't find my error anywhere!! :(

The thing is that I have a Linux server with Ldap (openldap2.3) +
Samba (3.0.26) + smldaptools (0.9.2-3), and I want to authenticate a
windows 2000 Professional client machine against that server, but it
won't work!!

The domain is called "JOME", and the LDAP database structure is
something like this (I hope you'll be able to see it properly)

dc=jome
 |
 \-cn=Admin
 |
 \-ou=Group
 |  |
 |  \- cn= Account operators
 |  \- cn= Administrators
 |  \- cn= Backup Operators
 |  \- cn= Domain Admins
 |  \- cn= Domain Computers
 |  \- cn= Domain Guests
 |  \- cn= Domain Users
 |  \- cn= Print operators
 |  \- cn= Replicators
 |  \- cn= test
 |
 \-ou=Hosts
 |  |
 |  \- uid=Enano$
 |  \- uid=xxxx$
 |
 \-ou=Idmap
 |
 \-ou=People
 |  |
 |  \- uid=nobody
 |  \- uid=root
 |  \- uid=test
 \-sambaDomainName=JOME


The user root is the Netbios Domain Administrator and its
sambaPrimaryGroupSID is the same as Domain Admins.

All the Group accounts in ou=Group except "test" were created by
smbldap-populate.

The linux server is the host called "xxxx" and the windows client is
the host "enano"

When I try to join the domain "JOME" from Windows, I am prompted for a
user that has permission to create "things" in the domain. I fill the
textboxes with "root" and the "rootpass", and in the samba.log file of
the server (if the debug level is 2 or higher), it appears:
"authentication for user [root] -> [root] -> [root] succeeded". After
this, the machine (enano$) is properly created (if doesn't exist) in
the Ldap schema (a new entry called enano$ appears in
ou=Hosts,dc=jome) as shown in the diagram above.The thing is that
everything seems to be fine until in the windows machine a "error
window dialog" appears with a very ugly red signal, saying ("username
not found"). I think it must be something wrong with the user "root",
because if I try a username that is really non-existent (john, for
instance) or if I mistype the password, the message that appears in
windows is different (in my computer appears in Spanish, but it's
something like "session starting error: username not found or wrong
password")... I've tried to put a higher debug level in samba
(smb.conf-> debug level=3) and between several other messages, it
appears:
[2008/02/22 15:33:37, 3] passdb/pdb_interface.c:pdb_default_create_user(354)
 pdb_default_create_user: failed to create a new user structure:
NT_STATUS_NO_SUCH_USER

But I don't know what structure user it may be... and I don't know why
this error only appears when the debug level is that high (I've been
googling around, and this level was only recomended for developers).
Anyway, I'm attaching a part of the samba.log file (a complete
process). You can see on lines #108 and
#118 that it seems to be authenticating "root" properly, and on line
#482 the error NT_STATUS_NO_SUCH_USER (as I said, this only appears
with debug level=3 so I don't know if it is very serious or not...)
I'm not sure what kind of "user structure" it is trying to create and
why can't it (it was supposed to be able to create a "enano$" user...
why can't it do the same now?). As you may see, it's not complete, but
I took away some lines that I didn't consider relevant (maybe they
were, but... ) I'm sorry a couple of attachments had to be compressed,
but otherwise, the mail wouldn't be accepted.

I have read somewhere
(http://www.mami.net/univr/tng-ldap/howto/#how_to_join_windows_2000_to_domain)
that I need an entry in /etc/passwd for each machine. Ldap is "making"
the passwd, but the machines (enano$ and xxxx$ are not "users"). A
getent passwd gives this:

root at xxxx# getent passwd
  root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/bin/sh
  bin:x:2:2:bin:/bin:/bin/sh
  sys:x:3:3:sys:/dev:/bin/sh
  sync:x:4:65534:sync:/bin:/bin/sync
  games:x:5:60:games:/usr/games:/bin/sh
  man:x:6:12:man:/var/cache/man:/bin/sh
  lp:x:7:7:lp:/var/spool/lpd:/bin/sh
  mail:x:8:8:mail:/var/mail:/bin/sh
  news:x:9:9:news:/var/spool/news:/bin/sh
  uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
  proxy:x:13:13:proxy:/bin:/bin/sh
  www-data:x:33:33:www-data:/var/www:/bin/sh
  backup:x:34:34:backup:/var/backups:/bin/sh
  list:x:38:38:Mailing List Manager:/var/list:/bin/sh
  irc:x:39:39:ircd:/var/run/ircd:/bin/sh
  gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
  nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
  dhcp:x:100:101::/nonexistent:/bin/false
  syslog:x:101:102::/home/syslog:/bin/false
  klog:x:102:103::/home/klog:/bin/false
  hplip:x:103:7:HPLIP system user,,,:/var/run/hplip:/bin/false
  avahi-autoipd:x:104:112:Avahi autoip
daemon,,,:/var/lib/avahi-autoipd:/bin/false
  messagebus:x:105:113::/var/run/dbus:/bin/false
  avahi:x:106:114:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
  gdm:x:107:116:Gnome Display Manager:/var/lib/gdm:/bin/false
  haldaemon:x:108:117:Hardware abstraction layer,,,:/home/haldaemon:/bin/false
  hector:x:1000:1000:Hector Blanco,,,:/home/hector:/bin/bash
  openldap:x:109:120:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
  sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
  test:x:2000:2000:Test User:/home/test:/bin/bash
  root:x:0:0:Netbios Domain Administrator:/tmp:/bin/false
  nobody:x:999:514:nobody:/dev/null:/bin/false

(the last three users: test, root and nobody only exist in the Ldap database)

Ah, and from the windows client I am able to access the shared
resources of the server when I login as "root" or "test" (users from
the ldap entry ou=People)

Just in case... an anonymous (without password) smbclient -L to the
samba server gives this:

root at xxxx:/var/lib/samba/netlogon# smbclient -L 192.168.1.30
Password:
Domain=[JOME] OS=[Unix] Server=[Samba 3.0.26a]

       Sharename    Type      Comment
       ---------          ----       -------
       netlogon      Disk       Network Logon Service
       profiles        Disk        Profile Share
       print$          Disk        Printer Drivers
       IPC$            IPC          IPC Service (xxxx PDC server
Version 3.0.26a)
Domain=[JOME] OS=[Unix] Server=[Samba 3.0.26a]

       Server             Comment
       ---------            -------
       XXXX                xxxx PDC server Version 3.0.26a

       Workgroup       Master
       ---------            -------
       JOME                XXXX

I am attaching too the Ldap tree (compressed too, sorry) the smb.conf
file and the
sambaldap-tools.conf file... just in case...

Sorry for such a huge message, but I have no idea of what's wrong...

Thank you very much in advance... Any hint (whatever) will be deeply
appreciated!!

More information about the samba mailing list