[Samba] Fail to join a Windows 2008 R2 to a Samba+LDAP PDC version3.5.4
German Molano
gmolano at ignios.net
Fri Jul 2 07:26:07 MDT 2010
The weird thing is this i tried that too ... but i receive this error:
The following error occurred attempting to join the domain "MYDOMAIN":
The specified account already exists.
I had to delete to LDAP Workstation account every time that I tried a
solution.
To this time i see that problem that you mention on the internet but on
Centos apparently there is not a workaround to this nss caching thing.
The possible workarounds that I imagine is editing smbldap-useradd, on
the workstation option including to do not exit if the workstation
account exists (I do not know to much Perl).
Or the easy one, once is created the workstation account on ldap
directory, disable the add machine script and restart samba service.
and then back again the Windows 2008 joinning process. Once the Windows
2008 is in the domain, enable the add machine script option and restart
again. The ugly thing is that there are several Windows 7 workstations
on the network.
How i can solve that nss error ?
Thanks for your help
German
tms3 at tms3.com wrote:
>
>
> SNIP
>
>>
>>
>>
>> Hi there, this is my config, I have a CentOS 5.3 x86_64 full
>> updated with Xen enabled with Samba 3.5.4 sernet RPMs. I have a
>> virtual machine running Windows 2008 R2 Foundation running full
>> virtualized on the same machine.
>> When i tried to join the Windows 2008 to the domain i get this message:
>> The following error ocurred attempting to join the domain "MYDOMAIN":
>> A device attached to the system is not functioning.
>
> I have that error as well. To the best of my knowledge it is
> happening because smbldap tools are calling smbpasswd right after the
> ldap add of the machine, however, some nss dependent service is using
> a cached copy of ldap which does not contain the new machine entry.
> If you simply rejoin the domain after you receive the error, things
> should work fine.
>
> Cheers,
>
> TMS III
>>
>>
>>
>> The Windows 2008 registry was modified to be able to join the domain
>> as recommended on internet:
>> |HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters
>> DWORD DomainCompatibilityMode = 1
>> DWORD DNSNameResolutionRequired = 0
>> ||HKLM\System\CurrentControlSet\Services\Netlogon\Parameters
>> DWORD RequireSignOrSeal = 0
>> DWORD RequireStrongKey = 0
>> |
>> This is my config:
>> smb.conf
>> [global]
>>
>> unix charset = ISO8859-1
>> workgroup = MYDOMAIN
>> netbios name = pdc
>> passdb backend = ldapsam:ldap://127.0.0.1
>> username map = /etc/samba/smbusers
>> log level = 10
>> log file = /var/log/samba/%m.log
>> max log size = 50
>> name resolve order = hosts lmhost wins bcast
>> wins support = yes
>> time server = Yes
>> show add printer wizard = No
>> add user script = /usr/sbin/smbldap-useradd -a -m %u
>> delete user script = /usr/sbin/smbldap-userdel -r %u
>> add group script = /usr/sbin/smbldap-groupadd -p %g
>> delete group script = /usr/sbin/smbldap-groupdel %g
>> add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
>> delete user from group script = /usr/sbin/smbldap-groupmod -x
>> %u %g
>> set primary group script = /usr/sbin/smbldap-usermod -g %g %u
>> add machine script = /usr/sbin/smbldap-useradd -w -i %u
>> passwd program = /usr/sbin/smbldap-passwd %u
>> passwd chat = *New*password* %n\n *Retype*new*password* %n\n
>> *all*authentication*tokens*updated*
>> ldap password sync = Yes
>> enable privileges = Yes
>> logon script = %U.bat OR netlogon.bat
>> logon path = \\%L\profiles\%U
>> logon drive = H:
>> domain logons = Yes
>> preferred master = Yes
>> domain master = Yes
>> ldap admin dn = cn=Administrador,dc=mydomain,dc=local
>> ldap group suffix = ou=Groups
>> ldap idmap suffix = ou=Idmap
>> ldap machine suffix = ou=Computers
>> ldap passwd sync = Yes
>> ldap suffix = dc=mydomain,dc=local
>> ldap user suffix = ou=Users
>> ldap ssl = off
>> idmap backend = ldap:ldap://127.0.0.1
>> idmap uid = 10000-20000
>> idmap gid = 10000-20000
>> printer admin = Administrador
>> map acl inherit = Yes
>> printing = cups
>> printcap name = CUPS
>>
>> [homes]
>> comment = Home Directories
>> valid users = %S
>> read only = No
>> browseable = No
>>
>> [netlogon]
>> comment = Network Logon Service
>> path = /var/lib/samba/netlogon
>> guest ok = Yes
>> locking = No
>>
>> [profiles]
>> comment = Network Profiles Share
>> path = /var/lib/samba/profiles
>> read only = No
>> profile acls = Yes
>> create mode = 0600
>> directory mode = 0700
>> writable = yes
>> browseable = No
>> store dos attributes = Yes
>>
>>
>> slapd.conf
>>
>> #
>> # See slapd.conf(5) for details on configuration options.
>> # This file should NOT be world readable.
>> #
>> include /etc/openldap/schema/core.schema
>> include /etc/openldap/schema/cosine.schema
>> include /etc/openldap/schema/inetorgperson.schema
>> include /etc/openldap/schema/nis.schema
>> include /etc/openldap/schema/samba3.schema
>> include /etc/openldap/schema/dyngroup.schema
>>
>> # Allow LDAPv2 client connections. This is NOT the default.
>> allow bind_v2
>>
>> # Do not enable referrals until AFTER you have a working directory
>> # service AND an understanding of referrals.
>> #referral ldap://root.openldap.org
>>
>> pidfile /var/run/openldap/slapd.pid
>> argsfile /var/run/openldap/slapd.args
>>
>> # Load dynamic backend modules:
>> modulepath /usr/lib64/openldap
>>
>> # Modules available in openldap-servers-overlays RPM package
>> # Module syncprov.la is now statically linked with slapd and there
>> # is no need to load it here
>> # moduleload accesslog.la
>> # moduleload auditlog.la
>> # moduleload denyop.la
>> # moduleload dyngroup.la
>> # moduleload dynlist.la
>> # moduleload lastmod.la
>> # moduleload pcache.la
>> # moduleload ppolicy.la
>> # moduleload refint.la
>> # moduleload retcode.la
>> # moduleload rwm.la
>> # moduleload smbk5pwd.la
>> # moduleload translucent.la
>> # moduleload unique.la
>> # moduleload valsort.la
>>
>> # modules available in openldap-servers-sql RPM package:
>> # moduleload back_sql.la
>>
>> # The next three lines allow use of TLS for encrypting connections
>> using a
>> # dummy test certificate which you can generate by changing to
>> # /etc/pki/tls/certs, running "make slapd.pem", and fixing
>> permissions on
>> # slapd.pem so that the ldap user or group can read it. Your client
>> software
>> # may balk at self-signed certificates, however.
>> # TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
>> # TLSCertificateFile /etc/pki/tls/certs/slapd.pem
>> # TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
>>
>> # Sample security restrictions
>> # Require integrity protection (prevent hijacking)
>> # Require 112-bit (3DES or better) encryption for updates
>> # Require 63-bit encryption for simple bind
>> # security ssf=1 update_ssf=112 simple_bind=64
>>
>> # Sample access control policy:
>> # Root DSE: allow anyone to read it
>> # Subschema (sub)entry DSE: allow anyone to read it
>> # Other DSEs:
>> # Allow self write access
>> # Allow authenticated users read access
>> # Allow anonymous users to authenticate
>> # Directives needed to implement policy:
>> # access to dn.base="" by * read
>> # access to dn.base="cn=Subschema" by * read
>> # access to *
>> # by self write
>> # by users read
>> # by anonymous auth
>> #
>> # if no access controls are present, the default policy
>> # allows anyone and everyone to read anything but restricts
>> # updates to rootdn. (e.g., "access to * by * read")
>> #
>> # rootdn can always read and write EVERYTHING!
>>
>> #######################################################################
>> # ldbm and/or bdb database definitions
>> #######################################################################
>>
>> database bdb
>> suffix "dc=mydomain,dc=local"
>> rootdn "cn=Administrador,dc=mydomain,dc=local"
>> # Cleartext passwords, especially for the rootdn, should
>> # be avoided. See slappasswd(8) and slapd.conf(5) for details.
>> # Use of strong authentication encouraged.
>> rootpw mypassword
>> # rootpw {crypt}ijFYNcSNctBYg
>>
>> # The database directory MUST exist prior to running slapd AND
>> # should only be accessible by the slapd and slap tools.
>> # Mode 700 recommended.
>> directory /var/lib/ldap
>>
>> # Indices to maintain for this database
>> #index objectClass eq,pres
>> #index ou,cn,mail,surname,givenname eq,pres,sub
>> #index uidNumber,gidNumber,loginShell eq,pres
>> #index uid,memberUid eq,pres,sub
>> #index nisMapName,nisMapEntry eq,pres,sub
>> index objectClass eq
>> index cn pres,sub,eq
>> index sn pres,sub,eq
>> index uid pres,sub,eq
>> index displayName pres,sub,eq
>> index uidNumber eq
>> index gidNumber eq
>> index memberUID eq
>> index sambaSID eq
>> index sambaPrimaryGroupSID eq
>> index sambaDomainName eq
>> index default sub
>>
>> smbldap_bind.conf
>> slaveDN="cn=Administrador,dc=mydomain,dc=local"
>> slavePw="mypassword"
>> masterDN="cn=Administrador,dc=mydomain,dc=local"
>> masterPw="mypassword"
>>
>> smbldap.conf
>> ##############################################################################
>>
>> #
>> # General Configuration
>> #
>> ##############################################################################
>>
>>
>> # Put your own SID. To obtain this number do: "net getlocalsid".
>> # If not defined, parameter is taking from "net getlocalsid" return
>> SID="S-1-5-21-3618261801-835847047-1814652966"
>>
>> # Domain name the Samba server is in charged.
>> # If not defined, parameter is taking from smb.conf configuration file
>> # Ex: sambaDomain="IDEALX-NT"
>> sambaDomain="MYDOMAIN"
>>
>> ##############################################################################
>>
>> #
>> # LDAP Configuration
>> #
>> ##############################################################################
>>
>>
>> # Notes: to use to dual ldap servers backend for Samba, you must patch
>> # Samba with the dual-head patch from IDEALX. If not using this patch
>> # just use the same server for slaveLDAP and masterLDAP.
>> # Those two servers declarations can also be used when you have
>> # . one master LDAP server where all writing operations must be done
>> # . one slave LDAP server where all reading operations must be done
>> # (typically a replication directory)
>>
>> # Slave LDAP server
>> # Ex: slaveLDAP=127.0.0.1
>> # If not defined, parameter is set to "127.0.0.1"
>> slaveLDAP="127.0.0.1"
>>
>> # Slave LDAP port
>> # If not defined, parameter is set to "389"
>> slavePort="389"
>>
>> # Master LDAP server: needed for write operations
>> # Ex: masterLDAP=127.0.0.1
>> # If not defined, parameter is set to "127.0.0.1"
>> masterLDAP="127.0.0.1"
>>
>> # Master LDAP port
>> # If not defined, parameter is set to "389"
>> masterPort="389"
>>
>> # Use TLS for LDAP
>> # If set to 1, this option will use start_tls for connection
>> # (you should also used the port 389)
>> # If not defined, parameter is set to "1"
>> ldapTLS="0"
>>
>> # How to verify the server's certificate (none, optional or require)
>> # see "man Net::LDAP" in start_tls section for more details
>> verify=""
>>
>> # CA certificate
>> # see "man Net::LDAP" in start_tls section for more details
>> cafile=""
>>
>> # certificate to use to connect to the ldap server
>> # see "man Net::LDAP" in start_tls section for more details
>> clientcert=""
>>
>> # key certificate to use to connect to the ldap server
>> # see "man Net::LDAP" in start_tls section for more details
>> clientkey=""
>>
>> # LDAP Suffix
>> # Ex: suffix=dc=IDEALX,dc=ORG
>> suffix="dc=mydomain,dc=local"
>>
>> # Where are stored Users
>> # Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
>> # Warning: if 'suffix' is not set here, you must set the full dn for
>> usersdn
>> usersdn="ou=Users,${suffix}"
>>
>> # Where are stored Computers
>> # Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
>> # Warning: if 'suffix' is not set here, you must set the full dn for
>> computersdn
>> computersdn="ou=Computers,${suffix}"
>>
>> # Where are stored Groups
>> # Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
>> # Warning: if 'suffix' is not set here, you must set the full dn for
>> groupsdn
>> groupsdn="ou=Groups,${suffix}"
>>
>> # Where are stored Idmap entries (used if samba is a domain member
>> server)
>> # Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
>> # Warning: if 'suffix' is not set here, you must set the full dn for
>> idmapdn
>> idmapdn="ou=Idmap,${suffix}"
>>
>> # Where to store next uidNumber and gidNumber available for new users
>> and groups
>> # If not defined, entries are stored in sambaDomainName object.
>> # Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
>> # Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
>> sambaUnixIdPooldn="sambaDomainName=MYDOMAIN,${suffix}"
>>
>> # Default scope Used
>> scope="sub"
>>
>> # Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
>> hash_encrypt="MD5"
>>
>> # if hash_encrypt is set to CRYPT, you may set a salt format.
>> # default is "%s", but many systems will generate MD5 hashed
>> # passwords if you use "$1$%.8s". This parameter is optional!
>> crypt_salt_format=""
>>
>> ##############################################################################
>>
>> #
>> # Unix Accounts Configuration
>> #
>> ##############################################################################
>>
>>
>> # Login defs
>> # Default Login Shell
>> # Ex: userLoginShell="/bin/bash"
>> userLoginShell="/bin/false"
>>
>> # Home directory
>> # Ex: userHome="/home/%U"
>> userHome="/home/%U"
>>
>> # Default mode used for user homeDirectory
>> userHomeDirectoryMode="700"
>>
>> # Gecos
>> userGecos="System User"
>>
>> # Default User (POSIX and Samba) GID
>> defaultUserGid="513"
>>
>> # Default Computer (Samba) GID
>> defaultComputerGid="515"
>>
>> # Skel dir
>> skeletonDir="/etc/skel"
>>
>> # Default password validation time (time in days) Comment the next
>> line if
>> # you don't want password to be enable for defaultMaxPasswordAge days
>> (be
>> # careful to the sambaPwdMustChange attribute's value)
>> defaultMaxPasswordAge="45"
>>
>> ##############################################################################
>>
>> #
>> # SAMBA Configuration
>> #
>> ##############################################################################
>>
>>
>> # The UNC path to home drives location (%U username substitution)
>> # Just set it to a null string if you want to use the smb.conf 'logon
>> home'
>> # directive and/or disable roaming profiles
>> # Ex: userSmbHome="\\PDC-SMB3\%U"
>> userSmbHome="\\pdc\%U"
>>
>> # The UNC path to profiles locations (%U username substitution)
>> # Just set it to a null string if you want to use the smb.conf 'logon
>> path'
>> # directive and/or disable roaming profiles
>> # Ex: userProfile="\\PDC-SMB3\profiles\%U"
>> userProfile="\\pdc\profiles\%U"
>>
>> # The default Home Drive Letter mapping
>> # (will be automatically mapped at logon time if home directory exist)
>> # Ex: userHomeDrive="H:"
>> userHomeDrive="H:"
>>
>> # The default user netlogon script name (%U username substitution)
>> # if not used, will be automatically username.cmd
>> # make sure script file is edited under dos
>> # Ex: userScript="startup.cmd" # make sure script file is edited
>> under dos
>> userScript="%U.bat OR netlogon.bat"
>>
>> # Domain appended to the users "mail"-attribute
>> # when smbldap-useradd -M is used
>> # Ex: mailDomain="idealx.com"
>> mailDomain="mydomain.local"
>>
>> ##############################################################################
>>
>> #
>> # SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
>> #
>> ##############################################################################
>>
>>
>> # Allows not to use smbpasswd (if with_smbpasswd == 0 in
>> smbldap_conf.pm) but
>> # prefer Crypt::SmbHash library
>> with_smbpasswd="0"
>> smbpasswd="/usr/bin/smbpasswd"
>>
>> # Allows not to use slappasswd (if with_slappasswd == 0 in
>> smbldap_conf.pm)
>> # but prefer Crypt:: libraries
>> with_slappasswd="0"
>> slappasswd="/usr/sbin/slappasswd"
>>
>> # comment out the following line to get rid of the default banner
>> # no_banner="1"
>>
>> The LDAP was correctly populated, and i am able to manage users using
>> smbldap-tools.
>> One final detail, when i tried to join the Windows 2008, in the
>> joinning process the workstation trust account is successfully
>> created. I see it with smbldap-userlist command or a Windows based
>> Ldap administrator.
>> Apparently the Windows 2008 in its event manager does not give much
>> information about the error.
>> If you need the samba joinning logs with debug level 10 i have them.
>>
>>
>> Thanks for your help
>>
>>
>>
>> German Molano
>>
>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3977 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.samba.org/pipermail/samba/attachments/20100702/22a911c5/attachment.bin>
More information about the samba
mailing list