[Samba] XP-machines cannot join Samba PDC with tdbsam
Heinz Allerberger
allerberger at em.uni-frankfurt.de
Sat Nov 7 05:59:43 MST 2009
Hi there ...
I cannot join my Samba PDC any longer with my XP-machines, I mean I'm
not able to create new machine accounts.
The existing machine-accounts in the tdb-database work properly, all
the existing XP-machines are joined without any problems. Only it isn't
possible to join the Samba PDC with new machines...
My first Samba PDC-Configuration with this tdbsam as the passwd
backend, with the same smb.conf as today (please have a look above) I
had run with an early version of Samba 3 on a 32bit Server in 2005 with
nearly 50 XP-machines as Domain-members. In 2006 I had the first
migration of a newer 64bit hardware, this was uncomplicated, all things
worked properly with meanwhile 150 XP-machines. Now I had a new
hardware-migration of a new 64bit-Server-hardware two weeks ago and I
ran into some trouble.
I did the migration in the same way as before. I stopped the old Server
and I copied the /etc/samba/smb.conf with all the scripts and the
/var/lib/samba with the tdb-database to the new Server-hardware.
The new Server runs with Debian_version 5.0.3 (Lenny), before the old
hardware ran with Debian_version 4.0 (Etch).
The current Samba-Version is 3.2.5-4lenny7.
When I try to join the Domain with an XPSP3-Workstation and get the
demand "Enter the name and password of an account with permission to
join the domain" and fill in the user of the domainadmin and the
password, I get the answer "The following error occurred attempting to
join the domain "MYDOMAIN": the specified domain either does not exist or
could not be contacted". But the Domain exists, this is a fact, all the
old XP-Machines, which are members of the domain MYDOMAIN, work properly.
The user domadmin and the password are really correct, when I try to log in
on an XP-Workstation, which is an old member of the domain, then it works
properly, I can log in without problems.
Have a look at my Domain-Administrator rights:
===============================
/etc/passwd: domadmin:x:500:512:Domain Administrator MYDOMAIN:/srv/data1/home1/domadmin:/bin/bash
/etc/group: domadmins:x:512:admin,domadmin
Unix username: domadmin
NT username:
Account Flags: [U ]
User SID: S-1-5-21-1656000120-2433418590-619812953-500
lookup_global_sam_rid: looking up RID 512.
pdb_getsampwrid (TDB): error looking up RID 512 by key RID_00000200.
lookup_rids: Domain Admins:2
Primary Group SID: S-1-5-21-1656000120-2433418590-619812953-512
Full Name: Domain Administrator MYDOMAIN
Home Directory: \\domainserver1\domadmin\win
HomeDir Drive: U:
Logon Script: logon.cmd
Profile Path: \\domainserver1\profiles\domadmin
Domain: MYDOMAIN
Account desc:
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Fr, 06 Nov 2009 12:41:16 CET
Password can change: Fr, 06 Nov 2009 12:41:16 CET
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
----------------------------------------------------------------------------------------
domainserver1:~# net rpc rights list accounts -U domadmin -S 192.168.151.240
Enter domadmin's password:
MYDOMAIN\domadmin
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
BUILTIN\Print Operators
No privileges assigned
BUILTIN\Account Operators
No privileges assigned
BUILTIN\Backup Operators
No privileges assigned
BUILTIN\Server Operators
No privileges assigned
BUILTIN\Administrators
SeMachineAccountPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
Everyone
No privileges assigned
-------------------------------------------------------------------------------------------------------------------
Here are the globals of my smb.conf:
[global]
unix charset = ISO8859-1
workgroup = MYDOMAIN
netbios aliases = Server2
server string = %h
update encrypted = Yes
obey pam restrictions = Yes
passdb backend = tdbsam
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
add user script = /usr/sbin/adduser.sh -p -u "%u" -n "%u"
delete user script = /usr/sbin/userdel "%u"
add group script = /usr/local/bin/smbgrpadd.sh "%g"
delete group script = /usr/sbin/groupdel "%g"
add user to group script = /usr/bin/gpasswd -a "%u" "%g"
delete user from group script = /usr/bin/gpasswd -d "%u" "%g"
set primary group script = /usr/sbin/usermod -g "%g" "%u"
add machine script = /usr/sbin/addmachine.sh -u %u
logon script = logon.cmd
logon path = \\%N\profiles\%U
logon drive = U:
logon home = \\%N\%U\win
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
dns proxy = No
ldap ssl = no
panic action = /usr/share/samba/panic-action %d
invalid users = root
---------------------------------------------------------------------------------------
Here are some debug-information from the samba-log:
[2009/11/06 14:34:59, 5] passdb/secrets.c:secrets_fetch_trusted_domain_password(644)
secrets_fetch failed!
[2009/11/06 14:34:59, 5] passdb/pdb_tdb.c:tdbsam_getsampwnam(911)
pdb_getsampwnam (TDB): error fetching database.
Key: USER_root
-------------------------------------------------------------------------------------------
Please help, I'm really desperate.
Heinz Allerberger