[Samba] Windows 2000 pro doesn't join a domain with Samba+Ldap (linux)
Hector Blanco
white.lists at gmail.com
Sat Feb 23 11:23:36 GMT 2008
Yes, I did, I did...
2008/2/23, Adam Williams <awilliam at mdah.state.ms.us>:
> have you ran smbpasswd -a root
>
>
> Hector Blanco wrote:
> > Hello people...
> >
> > I had to sign up in the list because I don't know what else I could
> > do... I can't find my error anywhere!! :(
> >
> > The thing is that I have a Linux server with Ldap (openldap2.3) +
> > Samba (3.0.26) + smbldap-tools (0.9.2-3), and I want to authenticate a
> > windows 2000 Professional client machine against that server, but it
> > won't work!!
> >
> > The domain is called "JOME", and the LDAP database structure is
> > something like this (I hope you'll be able to see it properly)
> >
> > dc=jome
> > |
> > \-cn=Admin
> > |
> > \-ou=Group
> > | |
> > | \- cn= Account operators
> > | \- cn= Administrators
> > | \- cn= Backup Operators
> > | \- cn= Domain Admins
> > | \- cn= Domain Computers
> > | \- cn= Domain Guests
> > | \- cn= Domain Users
> > | \- cn= Print operators
> > | \- cn= Replicators
> > | \- cn= test
> > |
> > \-ou=Hosts
> > | |
> > | \- uid=Enano$
> > | \- uid=xxxx$
> > |
> > \-ou=Idmap
> > |
> > \-ou=People
> > | |
> > | \- uid=nobody
> > | \- uid=root
> > | \- uid=test
> > \-sambaDomainName=JOME
> >
> >
> > The user root is the Netbios Domain Administrator and its
> > sambaPrimaryGroupSID is the same as Domain Admins.
> >
> > All the Group accounts in ou=Group except "test" were created by
> > smbldap-populate.
> >
> > The linux server is the host called "xxxx" and the windows client is
> > the host "enano"
> >
> > When I try to join the domain "JOME" from Windows, I am prompted for a
> > user that has permission to create "things" in the domain. I fill the
> > textboxes with "root" and the "rootpass", and in the samba.log file of
> > the server (if the debug level is 2 or higher), it appears:
> > "authentication for user [root] -> [root] -> [root] succeeded". After
> > this, the machine (enano$) is properly created (if it doesn't exist) in
> > the Ldap schema (a new entry called enano$ appears in
> > ou=Hosts,dc=jome) as shown in the diagram above. The thing is that
> > everything seems to be fine until in the windows machine an "error
> > window dialog" appears with a very ugly red signal, saying ("username
> > not found"). I think it must be something wrong with the user "root",
> > because if I try a username that is really non-existent (john, for
> > instance) or if I mistype the password, the message that appears in
> > windows is different (on my computer it appears in Spanish, but it's
> > something like "session starting error: username not found or wrong
> > password")... I've tried to put a higher debug level in samba
> > (smb.conf-> debug level=3) and between several other messages, it
> > appears:
> > [2008/02/22 15:33:37, 3] passdb/pdb_interface.c:pdb_default_create_user(354)
> > pdb_default_create_user: failed to create a new user structure:
> > NT_STATUS_NO_SUCH_USER
> >
> > But I don't know what user structure it may be... and I don't know why
> > this error only appears when the debug level is that high (I've been
> > googling around, and this level was only recommended for developers).
> > Anyway, I'm attaching a part of the samba.log file (a complete
> > process). You can see on lines #108 and
> > #118 that it seems to be authenticating "root" properly, and on line
> > #482 the error NT_STATUS_NO_SUCH_USER (as I said, this only appears
> > with debug level=3 so I don't know if it is very serious or not...)
> > I'm not sure what kind of "user structure" it is trying to create and
> > why it can't (it was supposed to be able to create an "enano$" user...
> > why can't it do the same now?). As you may see, it's not complete, but
> > I took away some lines that I didn't consider relevant (maybe they
> > were, but... ) I'm sorry a couple of attachments had to be compressed,
> > but otherwise, the mail wouldn't be accepted.
> >
> > I have read somewhere
> > (http://www.mami.net/univr/tng-ldap/howto/#how_to_join_windows_2000_to_domain)
> > that I need an entry in /etc/passwd for each machine. Ldap is "making"
> > the passwd, but the machines (enano$ and xxxx$) are not "users". A
> > getent passwd gives this:
> >
> > root at xxxx# getent passwd
> > root:x:0:0:root:/root:/bin/bash
> > daemon:x:1:1:daemon:/usr/sbin:/bin/sh
> > bin:x:2:2:bin:/bin:/bin/sh
> > sys:x:3:3:sys:/dev:/bin/sh
> > sync:x:4:65534:sync:/bin:/bin/sync
> > games:x:5:60:games:/usr/games:/bin/sh
> > man:x:6:12:man:/var/cache/man:/bin/sh
> > lp:x:7:7:lp:/var/spool/lpd:/bin/sh
> > mail:x:8:8:mail:/var/mail:/bin/sh
> > news:x:9:9:news:/var/spool/news:/bin/sh
> > uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
> > proxy:x:13:13:proxy:/bin:/bin/sh
> > www-data:x:33:33:www-data:/var/www:/bin/sh
> > backup:x:34:34:backup:/var/backups:/bin/sh
> > list:x:38:38:Mailing List Manager:/var/list:/bin/sh
> > irc:x:39:39:ircd:/var/run/ircd:/bin/sh
> > gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
> > nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
> > dhcp:x:100:101::/nonexistent:/bin/false
> > syslog:x:101:102::/home/syslog:/bin/false
> > klog:x:102:103::/home/klog:/bin/false
> > hplip:x:103:7:HPLIP system user,,,:/var/run/hplip:/bin/false
> > avahi-autoipd:x:104:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
> > messagebus:x:105:113::/var/run/dbus:/bin/false
> > avahi:x:106:114:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
> > gdm:x:107:116:Gnome Display Manager:/var/lib/gdm:/bin/false
> > haldaemon:x:108:117:Hardware abstraction layer,,,:/home/haldaemon:/bin/false
> > hector:x:1000:1000:Hector Blanco,,,:/home/hector:/bin/bash
> > openldap:x:109:120:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
> > sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
> > test:x:2000:2000:Test User:/home/test:/bin/bash
> > root:x:0:0:Netbios Domain Administrator:/tmp:/bin/false
> > nobody:x:999:514:nobody:/dev/null:/bin/false
> >
> > (the last three users: test, root and nobody only exist in the Ldap database)
> >
> > Ah, and from the windows client I am able to access the shared
> > resources of the server when I login as "root" or "test" (users from
> > the ldap entry ou=People)
> >
> > Just in case... an anonymous (without password) smbclient -L to the
> > samba server gives this:
> >
> > root at xxxx:/var/lib/samba/netlogon# smbclient -L 192.168.1.30
> > Password:
> > Domain=[JOME] OS=[Unix] Server=[Samba 3.0.26a]
> >
> > Sharename Type Comment
> > --------- ---- -------
> > netlogon Disk Network Logon Service
> > profiles Disk Profile Share
> > print$ Disk Printer Drivers
> > IPC$ IPC IPC Service (xxxx PDC server Version 3.0.26a)
> > Domain=[JOME] OS=[Unix] Server=[Samba 3.0.26a]
> >
> > Server Comment
> > --------- -------
> > XXXX xxxx PDC server Version 3.0.26a
> >
> > Workgroup Master
> > --------- -------
> > JOME XXXX
> >
> > I am attaching the Ldap tree too (compressed too, sorry), the smb.conf
> > file and the sambaldap-tools.conf file... just in case...
> >
> > Sorry for such a huge message, but I have no idea of what's wrong...
> >
> > Thank you very much in advance... Any hint (whatever) will be deeply
> > appreciated!!
> >
>
>
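The getent output quoted in the original post carries two things worth checking mechanically before looking any further at the domain join: the NSS passwd database returns `root` and `nobody` twice (once from /etc/passwd, once from LDAP, with different home directories and shells), and neither machine account under ou=Hosts (`enano$`, `xxxx$`) is resolvable through NSS at all. The script below is an added example, not code from the thread or from the Samba project; it parses passwd-style lines, reports names that appear more than once, UIDs shared by different names, and machine accounts that are absent. The input is a constructed, abridged copy of the post's getent output, and the expected machine list is taken from the LDAP tree in the post.

```python
from collections import defaultdict

# Constructed sample, abridged from the getent passwd output in the post.
# Local /etc/passwd entries come first; the LDAP-backed entries are last,
# which is why "root" and "nobody" each appear twice.
SAMPLE_GETENT = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
hector:x:1000:1000:Hector Blanco,,,:/home/hector:/bin/bash
test:x:2000:2000:Test User:/home/test:/bin/bash
root:x:0:0:Netbios Domain Administrator:/tmp:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false
"""

# Machine accounts the post shows under ou=Hosts,dc=jome (trailing '$').
EXPECTED_MACHINES = ["enano$", "xxxx$"]


def parse_passwd(text):
    """Parse passwd(5)-style lines into dicts; reject malformed lines."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({
            "name": name, "uid": int(uid), "gid": int(gid),
            "gecos": gecos, "home": home, "shell": shell,
        })
    return entries


def find_duplicate_names(entries):
    """Names returned more than once. getpwnam() only ever yields the first
    match in nsswitch order, so the later (LDAP) entry is effectively hidden."""
    by_name = defaultdict(list)
    for e in entries:
        by_name[e["name"]].append((e["uid"], e["home"], e["shell"]))
    return {n: v for n, v in by_name.items() if len(v) > 1}


def find_shared_uids(entries):
    """UIDs that map to more than one distinct name (ownership ambiguity)."""
    by_uid = defaultdict(set)
    for e in entries:
        by_uid[e["uid"]].add(e["name"])
    return {uid: sorted(names) for uid, names in by_uid.items() if len(names) > 1}


def missing_machine_accounts(entries, expected):
    """Machine accounts that exist in LDAP but are not visible through NSS."""
    present = {e["name"] for e in entries}
    return [m for m in expected if m not in present]


def check_nss(text, expected_machines):
    """Run all three checks over one getent passwd dump."""
    entries = parse_passwd(text)
    return {
        "duplicate_names": find_duplicate_names(entries),
        "shared_uids": find_shared_uids(entries),
        "missing_machines": missing_machine_accounts(entries, expected_machines),
    }


if __name__ == "__main__":
    report = check_nss(SAMPLE_GETENT, EXPECTED_MACHINES)
    for name, variants in sorted(report["duplicate_names"].items()):
        print(f"duplicate name {name!r}: {variants}")
    for uid, names in sorted(report["shared_uids"].items()):
        print(f"uid {uid} shared by {names}")
    for machine in report["missing_machines"]:
        print(f"machine account {machine!r} not resolvable via NSS")
```

To run it against a live box, replace `SAMPLE_GETENT` with the output of `getent passwd` and `EXPECTED_MACHINES` with the `uid` values under your ou=Hosts; the duplicate-name report is the thing to clear first, since a `root` that resolves differently depending on which NSS source answers is hard to reason about regardless of what Samba does with it.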