[Samba] Samba PDC + OpenLDAP, Jaunty: Can't join domain
Christopher Swingley
cswingle at gmail.com
Mon Sep 14 14:30:35 MDT 2009
Greetings!
I'm trying to get an OpenLDAP (2.4.15-1ubuntu3), Samba PDC
(2:3.3.2-1ubuntu3.1) running under Ubuntu Jaunty. I've followed the
instructions on the Ubuntu server guide
(https://help.ubuntu.com/9.04/serverguide/C/samba-ldap.html) as closely
as possible (twice. . .), and spent some time with Chapter 5 of the
Samba3 By Example book, trying to use it to get things working. But I
can't seem to join a computer to the domain, and I've run out of ideas.
I'd like some help trying to identify where I've gone wrong and how to
get the server to allow desktops to join.
There are three user accounts in the LDAP database, 'nobody', 'root' and
'cswingley':
# ldapsearch -xLLL -b 'ou=People,dc=abrinc,dc=com' uid uidNumber
dn: ou=People,dc=abrinc,dc=com
dn: uid=root,ou=People,dc=abrinc,dc=com
uid: root
uidNumber: 0
dn: uid=nobody,ou=People,dc=abrinc,dc=com
uid: nobody
uidNumber: 65534
dn: uid=cswingley,ou=People,dc=abrinc,dc=com
uid: cswingley
uidNumber: 522
Both 'root' and 'cswingley' are able to connect to the server with
smbclient using their account passwords set up in LDAP. Both accounts
are also in the "Domain Admins" group:
# getent group | grep "Domain Admins"
Domain Admins:*:512:root,cswingley
'cswingley' has the SeMachineAccountPrivilege right, as does the "Domain
Admins" group:
# net rpc rights list accounts -U root%PASSWD
TESTDOM\cswingley
SeMachineAccountPrivilege
TESTDOM\Domain Admins
SeMachineAccountPrivilege
SeRemoteShutdownPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege
SeDiskOperatorPrivilege
Here are a few of the /etc/samba/smb.conf settings that seem relevant:
passdb backend = ldapsam:ldap://127.0.0.1
ldap admin dn = cn=admin,dc=test,dc=com
add machine script = sudo /usr/sbin/smbldap-useradd -t 0 -w "%u"
domain logons = yes
wins support = yes
log level = 3 passdb:10 auth:10
When I try to join a Windows XP SP3 computer to the domain as 'root' (or
'TESTDOM\root'), I get 'Logon failure: unknown user or bad password'.
When I try to join using my account (cswingley), I get 'Access is
denied'. Adding the computer to LDAP manually using
'smbldap-useradd -w' doesn't make a difference.
I'm not seeing anything in the logs that look like login failures or
some other obvious mistake errors, so I don't know where to go next or
what else to try. I feel like I'm missing something very simple,
because everything goes exactly as expected when I follow along in the
guides. But at the end of the day, it doesn't work. Help and advice
greatly appreciated.
Thanks!
Chris
--
Christopher S. Swingley
http://swingleydev.com/
<cswingle at gmail.com>
More information about the samba
mailing list