[Samba] unable to join w2k3 SP1 to samba 3 domain.

Emil Konow emil at troxy.net
Wed Sep 9 06:02:36 MDT 2009

>> 09/09/2009 00:51:59:650 NetpManageMachineAccountWithSid: NetUserAdd on
>> '\\PDC' for 'DEVSRV01$' failed: 0x8b0
>> 09/09/2009 00:51:59:655 NetpSetMachineAccountPasswordAndTypeEx: Broken
>> account type 0x11 -- error out
>> 09/09/2009 00:51:59:657 NetpManageMachineAccountWithSid: status of
>> attempting to set password on '\\PDC' for 'DEVSRV01$': 0x524
>> 09/09/2009 00:51:59:657 NetpJoinDomain: status of creating account: 0x524
>> 09/09/2009 00:51:59:657 NetpJoinDomain: initiaing a rollback due to
>> earlier errors
> It definitely looks like it can't set the machine password.
> ...
> When you add the Windows machine to the domain it should ask you for
> a username and password, so use one that has lots of access :-)
> Cheers,
> Adam.

Hi, my user is a domain admin, i.e. a member of group RID 512.
When I try to join the domain, I'm prompted for username and password.
This means that the Windows server has successfully located the Samba
PDC using WINS resolution.
So far so good, but when I enter my credentials I get the error
message after 3-5 secs.

Could it be that my Samba users are badly set up?
I'm using tdbsam password backend.
I performed the following procedure when I created my Samba users:

## Add essential Samba groups
sudo groupadd --gid 512 smb-domain-admins
sudo groupadd --gid 513 smb-domain-users
sudo groupadd --gid 514 smb-domain-guests
sudo groupadd --gid 515 smb-domain-computers

## Add Samba group mapping
sudo net groupmap add ntgroup="Domain Admins" unixgroup=smb-domain-admins rid=512
sudo net groupmap add ntgroup="Domain Users" unixgroup=smb-domain-users rid=513
sudo net groupmap add ntgroup="Domain Guests" unixgroup=smb-domain-guests rid=514
sudo net groupmap add ntgroup="Domain Computers" unixgroup=smb-domain-computers rid=515

## Add Samba domain admin
sudo useradd -g 512 -d /dev/null -s /bin/false devadm
sudo passwd devadm
sudo pdbedit -a -u devadm

## Add Samba machine account
sudo useradd -g 515 -d /dev/null -s /bin/false devsrv01$
sudo pdbedit -a -u devsrv01$

Here is a dump of smb.conf, using testparm:

Load smb config files from /etc/samba/smb.conf
Processing section "[netlogon]"
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

       workgroup = DEVNET
       netbios name = PDC
       passdb backend = tdbsam:/etc/samba/passdb.tdb
       log level = 2
       log file = /var/log/samba/samba.log
       name resolve order = wins
       load printers = No
       disable spoolss = Yes
       logon path =
       logon home =
       domain logons = Yes
       os level = 33
       preferred master = Yes
       domain master = Yes
       dns proxy = No
       wins support = Yes

       path = /var/lib/samba/netlogon
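
Added example, not part of the original post and not Samba or Windows code: a small Python parser for the NetSetup.log lines quoted at the top of this message. It pulls out the trailing hex status of each line and maps it to its winerror.h / lmerr.h name. The sample log is the quoted lines with the mail wrapping rejoined; the function and table names are hypothetical.

```python
import re

# Status values from winerror.h / lmerr.h (decimal). Only a few are listed.
KNOWN_STATUS = {
    0: "NERR_Success",
    5: "ERROR_ACCESS_DENIED",
    1316: "ERROR_USER_EXISTS: the specified account already exists",
    2224: "NERR_UserExists: the account already exists",
}

# Constructed sample: the log lines quoted in this thread, wraps rejoined.
SAMPLE_LOG = r"""
09/09/2009 00:51:59:650 NetpManageMachineAccountWithSid: NetUserAdd on '\\PDC' for 'DEVSRV01$' failed: 0x8b0
09/09/2009 00:51:59:655 NetpSetMachineAccountPasswordAndTypeEx: Broken account type 0x11 -- error out
09/09/2009 00:51:59:657 NetpManageMachineAccountWithSid: status of attempting to set password on '\\PDC' for 'DEVSRV01$': 0x524
09/09/2009 00:51:59:657 NetpJoinDomain: status of creating account: 0x524
09/09/2009 00:51:59:657 NetpJoinDomain: initiaing a rollback due to earlier errors
"""

LINE_RE = re.compile(r"^\d\d/\d\d/\d{4} \d\d:\d\d:\d\d:\d+ (?P<func>\w+): (?P<msg>.*)$")
STATUS_RE = re.compile(r": (0x[0-9a-fA-F]+)$")  # status is the trailing hex value


def decode_netsetup(log_text):
    """Return (function, code, meaning) for each log line ending in a status."""
    results = []
    for raw in log_text.splitlines():
        line = LINE_RE.match(raw.strip())
        if not line:
            continue  # blank or non-log line
        status = STATUS_RE.search(line.group("msg"))
        if not status:
            continue  # informational line without a trailing status
        code = int(status.group(1), 16)
        meaning = KNOWN_STATUS.get(code, "unknown; try 'net helpmsg %d'" % code)
        results.append((line.group("func"), code, meaning))
    return results


def failures(log_text):
    """Only the entries whose status is non-zero."""
    return [r for r in decode_netsetup(log_text) if r[1] != 0]


if __name__ == "__main__":
    for func, code, meaning in failures(SAMPLE_LOG):
        print("%-34s 0x%x (%d) %s" % (func, code, code, meaning))
```

On the sample, all three status-bearing lines decode to "account already exists" codes.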
