[Samba] Samba PDC + OpenLDAP, Jaunty: Can't join domain

Christopher Swingley cswingle at gmail.com
Mon Sep 14 14:30:35 MDT 2009


Greetings!

I'm trying to get an OpenLDAP (2.4.15-1ubuntu3), Samba PDC
(2:3.3.2-1ubuntu3.1) running under Ubuntu Jaunty.  I've followed the
instructions on the Ubuntu server guide
(https://help.ubuntu.com/9.04/serverguide/C/samba-ldap.html) as closely
as possible (twice. . .), and spent some time with Chapter 5 of the
Samba3 By Example book, trying to use it to get things working.  But I
can't seem to join a computer to the domain, and I've run out of ideas.
I'd like some help trying to identify where I've gone wrong and how to
get the server to allow desktops to join.

There are three user accounts in the LDAP database, 'nobody', 'root' and
'cswingley':

    # ldapsearch -xLLL -b 'ou=People,dc=abrinc,dc=com' uid uidNumber
    dn: ou=People,dc=abrinc,dc=com

    dn: uid=root,ou=People,dc=abrinc,dc=com
    uid: root
    uidNumber: 0

    dn: uid=nobody,ou=People,dc=abrinc,dc=com
    uid: nobody
    uidNumber: 65534

    dn: uid=cswingley,ou=People,dc=abrinc,dc=com
    uid: cswingley
    uidNumber: 522

Both 'root' and 'cswingley' are able to connect to the server with
smbclient using their account passwords set up in LDAP.  Both accounts
are also in the "Domain Admins" group:

    # getent group | grep "Domain Admins"
    Domain Admins:*:512:root,cswingley

'cswingley' has the SeMachineAccountPrivilege right, as does the "Domain
Admins" group:

    # net rpc rights list accounts -U root%PASSWD
    TESTDOM\cswingley
    SeMachineAccountPrivilege

    TESTDOM\Domain Admins
    SeMachineAccountPrivilege
    SeRemoteShutdownPrivilege
    SePrintOperatorPrivilege
    SeAddUsersPrivilege
    SeDiskOperatorPrivilege

Here are a few of the /etc/samba/smb.conf settings that seem relevant:

    passdb backend = ldapsam:ldap://127.0.0.1
    ldap admin dn = cn=admin,dc=test,dc=com
    add machine script = sudo /usr/sbin/smbldap-useradd -t 0 -w "%u"
    domain logons = yes
    wins support = yes
    log level = 3 passdb:10 auth:10

When I try to join a Windows XP SP3 computer to the domain as 'root' (or
'TESTDOM\root'), I get 'Logon failure: unknown user or bad password'.
When I try to join using my account (cswingley), I get 'Access is
denied'.  Adding the computer to LDAP manually using 
'smbldap-useradd -w' doesn't make a difference.

I'm not seeing anything in the logs that looks like login failures or
some other obvious mistake errors, so I don't know where to go next or
what else to try.  I feel like I'm missing something very simple,
because everything goes exactly as expected when I follow along in the
guides.  But at the end of the day, it doesn't work.  Help and advice
greatly appreciated.

Thanks!

Chris
-- 
Christopher S. Swingley
http://swingleydev.com/
<cswingle at gmail.com>
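
The post queries the directory under dc=abrinc,dc=com while the quoted smb.conf excerpt binds as cn=admin,dc=test,dc=com and shows no `ldap suffix`. The following consistency check for those ldapsam settings is an added example, not part of the original message or of Samba's own tooling. The `[global]` header, the function names and the choice of checks are assumptions; the post lists only "a few" settings, so "not set" may just mean "not shown", and it does not say whether the differing base DNs are redaction.

```python
# Added example: SMB_CONF is the post's excerpt under an assumed [global] header.
SMB_CONF = """\
[global]
    passdb backend = ldapsam:ldap://127.0.0.1
    ldap admin dn = cn=admin,dc=test,dc=com
    add machine script = sudo /usr/sbin/smbldap-useradd -t 0 -w "%u"
"""
DIRECTORY_BASE = "dc=abrinc,dc=com"  # base DN of the post's ldapsearch command

def parse_global(text):
    """Return [global] parameters; smb.conf names ignore case and whitespace."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            key, value = line.split("=", 1)
            params["".join(key.lower().split())] = value.strip()
    return params

def rdns(dn):
    """Split a DN into (attr, value) pairs; simple DNs without escaped commas."""
    parts = (part.partition("=") for part in dn.split(","))
    return [(a.strip().lower(), v.strip().lower()) for a, _, v in parts]

def is_under(dn, base):
    """True if dn equals base or sits below it in the tree."""
    d, b = rdns(dn), rdns(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def check(text, directory_base):
    p, findings = parse_global(text), []
    if not p.get("passdbbackend", "").lower().startswith("ldapsam"):
        return ["passdb backend is not ldapsam"]
    for key, label in (("ldapsuffix", "ldap suffix"), ("ldapadmindn", "ldap admin dn")):
        value = p.get(key)
        if value is None:
            findings.append(f"{label} is not set")
        elif not is_under(value, directory_base):
            findings.append(f"{label} '{value}' is outside '{directory_base}'")
    if "%u" not in p.get("addmachinescript", ""):
        findings.append("add machine script is missing or lacks %u")
    return findings

if __name__ == "__main__":
    print("\n".join("WARN: " + f for f in check(SMB_CONF, DIRECTORY_BASE)))
```

On a live server the same comparison is better run against the output of `testparm -s`, which prints the effective configuration rather than an excerpt.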
