[Samba] Fail to join a Windows 2008 R2 to a Samba+LDAP PDC version 3.5.4

German Molano gmolano at ignios.net
Fri Jul 2 12:19:13 MDT 2010


I found the error:
smb.conf
add machine script = /usr/sbin/smbldap-useradd -w -i %u
I changed it to
add machine script = /usr/sbin/smbldap-useradd -w %u

The smbldap-useradd -i option is made for trust accounts.

German


German Molano wrote:
> The weird thing is this: I tried that too ... but I receive this error:
>
> The following error occurred attempting to join the domain "MYDOMAIN":
> The specified account already exists.
>
> I had to delete the LDAP workstation account every time that I tried a 
> solution.
> So far I have seen the problem that you mention on the internet, but 
> on CentOS apparently there is no workaround for this nss caching thing.
> The possible workarounds that I imagine are editing smbldap-useradd, so 
> that the workstation option does not exit if the workstation 
> account already exists (I do not know much Perl).
> Or the easy one: once the workstation account is created in the LDAP 
> directory, disable the add machine script and restart the samba service, 
> and then go back to the Windows 2008 joining process. Once the 
> Windows 2008 is in the domain, enable the add machine script option 
> and restart again. The ugly thing is that there are several Windows 7 
> workstations on the network.
>
> How can I solve that nss error?
>
> Thanks for your help
>
> German
>
>
> tms3 at tms3.com wrote:
>> SNIP
>>>
>>> Hi there, this is my config. I have a CentOS 5.3 x86_64, fully 
>>> updated, with Xen enabled, with Samba 3.5.4 sernet RPMs. I have a 
>>> virtual machine running Windows 2008 R2 Foundation, running fully 
>>> virtualized on the same machine.
>>> When I tried to join the Windows 2008 to the domain I get this message:
>>> The following error occurred attempting to join the domain "MYDOMAIN":
>>> A device attached to the system is not functioning.
>>
>> I have that error as well.  To the best of my knowledge it is 
>> happening because smbldap tools are calling smbpasswd right after the 
>> ldap add of the machine, however, some nss dependent service is using 
>> a cached copy of ldap which does not contain the new machine entry.  
>> If you simply rejoin the domain after you receive the error, things 
>> should work fine.
>>
>> Cheers,
>>
>> TMS III
>>>
>>> The Windows 2008 registry was modified to be able to join the domain 
>>> as recommended on the internet:
>>> HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters
>>> DWORD DomainCompatibilityMode = 1
>>> DWORD DNSNameResolutionRequired = 0
>>> HKLM\System\CurrentControlSet\Services\Netlogon\Parameters
>>> DWORD RequireSignOrSeal = 0
>>> DWORD RequireStrongKey = 0
>>> This is my config:
>>> smb.conf
>>> [global]
>>>
>>>        unix charset = ISO8859-1
>>>        workgroup = MYDOMAIN
>>>        netbios name = pdc
>>>        passdb backend = ldapsam:ldap://127.0.0.1
>>>        username map = /etc/samba/smbusers
>>>        log level = 10
>>>        log file = /var/log/samba/%m.log
>>>        max log size = 50
>>>        name resolve order = hosts lmhost wins bcast
>>>        wins support = yes
>>>        time server = Yes
>>>        show add printer wizard = No
>>>        add user script = /usr/sbin/smbldap-useradd -a -m %u
>>>        delete user script = /usr/sbin/smbldap-userdel -r %u
>>>        add group script = /usr/sbin/smbldap-groupadd -p %g
>>>        delete group script = /usr/sbin/smbldap-groupdel %g
>>>        add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
>>>        delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
>>>        set primary group script = /usr/sbin/smbldap-usermod -g %g %u
>>>        add machine script = /usr/sbin/smbldap-useradd -w -i %u
>>>        passwd program = /usr/sbin/smbldap-passwd %u
>>>        passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
>>>        ldap password sync = Yes
>>>        enable privileges = Yes
>>>        logon script = %U.bat OR netlogon.bat
>>>        logon path = \\%L\profiles\%U
>>>        logon drive = H:
>>>        domain logons = Yes
>>>        preferred master = Yes
>>>        domain master = Yes
>>>        ldap admin dn = cn=Administrador,dc=mydomain,dc=local
>>>        ldap group suffix = ou=Groups
>>>        ldap idmap suffix = ou=Idmap
>>>        ldap machine suffix = ou=Computers
>>>        ldap passwd sync = Yes
>>>        ldap suffix = dc=mydomain,dc=local
>>>        ldap user suffix = ou=Users
>>>        ldap ssl = off
>>>        idmap backend = ldap:ldap://127.0.0.1
>>>        idmap uid = 10000-20000
>>>        idmap gid = 10000-20000
>>>        printer admin = Administrador
>>>        map acl inherit = Yes
>>>        printing = cups
>>>        printcap name = CUPS
>>>
>>> [homes]
>>>        comment = Home Directories
>>>        valid users = %S
>>>        read only = No
>>>        browseable = No
>>>
>>> [netlogon]
>>>        comment = Network Logon Service
>>>        path = /var/lib/samba/netlogon
>>>        guest ok = Yes
>>>        locking = No
>>>
>>> [profiles]
>>>        comment = Network Profiles Share
>>>        path = /var/lib/samba/profiles
>>>        read only = No
>>>        profile acls = Yes
>>>        create mode = 0600
>>>        directory mode = 0700
>>>        writable = yes
>>>        browseable = No
>>>        store dos attributes = Yes
>>>
>>>
>>> slapd.conf
>>>
>>> #
>>> # See slapd.conf(5) for details on configuration options.
>>> # This file should NOT be world readable.
>>> #
>>> include        /etc/openldap/schema/core.schema
>>> include        /etc/openldap/schema/cosine.schema
>>> include        /etc/openldap/schema/inetorgperson.schema
>>> include        /etc/openldap/schema/nis.schema
>>> include         /etc/openldap/schema/samba3.schema
>>> include         /etc/openldap/schema/dyngroup.schema
>>>
>>> # Allow LDAPv2 client connections.  This is NOT the default.
>>> allow bind_v2
>>>
>>> # Do not enable referrals until AFTER you have a working directory
>>> # service AND an understanding of referrals.
>>> #referral    ldap://root.openldap.org
>>>
>>> pidfile        /var/run/openldap/slapd.pid
>>> argsfile    /var/run/openldap/slapd.args
>>>
>>> # Load dynamic backend modules:
>>> modulepath    /usr/lib64/openldap
>>>
>>> # Modules available in openldap-servers-overlays RPM package
>>> # Module syncprov.la is now statically linked with slapd and there
>>> # is no need to load it here
>>> # moduleload accesslog.la
>>> # moduleload auditlog.la
>>> # moduleload denyop.la
>>> # moduleload dyngroup.la
>>> # moduleload dynlist.la
>>> # moduleload lastmod.la
>>> # moduleload pcache.la
>>> # moduleload ppolicy.la
>>> # moduleload refint.la
>>> # moduleload retcode.la
>>> # moduleload rwm.la
>>> # moduleload smbk5pwd.la
>>> # moduleload translucent.la
>>> # moduleload unique.la
>>> # moduleload valsort.la
>>>
>>> # modules available in openldap-servers-sql RPM package:
>>> # moduleload back_sql.la
>>>
>>> # The next three lines allow use of TLS for encrypting connections using a
>>> # dummy test certificate which you can generate by changing to
>>> # /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
>>> # slapd.pem so that the ldap user or group can read it.  Your client software
>>> # may balk at self-signed certificates, however.
>>> # TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
>>> # TLSCertificateFile /etc/pki/tls/certs/slapd.pem
>>> # TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
>>>
>>> # Sample security restrictions
>>> #    Require integrity protection (prevent hijacking)
>>> #    Require 112-bit (3DES or better) encryption for updates
>>> #    Require 63-bit encryption for simple bind
>>> # security ssf=1 update_ssf=112 simple_bind=64
>>>
>>> # Sample access control policy:
>>> #    Root DSE: allow anyone to read it
>>> #    Subschema (sub)entry DSE: allow anyone to read it
>>> #    Other DSEs:
>>> #        Allow self write access
>>> #        Allow authenticated users read access
>>> #        Allow anonymous users to authenticate
>>> #    Directives needed to implement policy:
>>> # access to dn.base="" by * read
>>> # access to dn.base="cn=Subschema" by * read
>>> # access to *
>>> #    by self write
>>> #    by users read
>>> #    by anonymous auth
>>> #
>>> # if no access controls are present, the default policy
>>> # allows anyone and everyone to read anything but restricts
>>> # updates to rootdn.  (e.g., "access to * by * read")
>>> #
>>> # rootdn can always read and write EVERYTHING!
>>>
>>> #######################################################################
>>> # ldbm and/or bdb database definitions
>>> #######################################################################
>>>
>>> database    bdb
>>> suffix        "dc=mydomain,dc=local"
>>> rootdn        "cn=Administrador,dc=mydomain,dc=local"
>>> # Cleartext passwords, especially for the rootdn, should
>>> # be avoided.  See slappasswd(8) and slapd.conf(5) for details.
>>> # Use of strong authentication encouraged.
>>> rootpw        mypassword
>>> # rootpw        {crypt}ijFYNcSNctBYg
>>>
>>> # The database directory MUST exist prior to running slapd AND
>>> # should only be accessible by the slapd and slap tools.
>>> # Mode 700 recommended.
>>> directory    /var/lib/ldap
>>>
>>> # Indices to maintain for this database
>>> #index objectClass                       eq,pres
>>> #index ou,cn,mail,surname,givenname      eq,pres,sub
>>> #index uidNumber,gidNumber,loginShell    eq,pres
>>> #index uid,memberUid                     eq,pres,sub
>>> #index nisMapName,nisMapEntry            eq,pres,sub
>>> index objectClass eq
>>> index cn pres,sub,eq
>>> index sn pres,sub,eq
>>> index uid pres,sub,eq
>>> index displayName pres,sub,eq
>>> index uidNumber eq
>>> index gidNumber eq
>>> index memberUID eq
>>> index sambaSID eq
>>> index sambaPrimaryGroupSID eq
>>> index sambaDomainName eq
>>> index default sub
>>>
>>> smbldap_bind.conf
>>> slaveDN="cn=Administrador,dc=mydomain,dc=local"
>>> slavePw="mypassword"
>>> masterDN="cn=Administrador,dc=mydomain,dc=local"
>>> masterPw="mypassword"
>>>
>>> smbldap.conf
>>> ############################################################################## 
>>>
>>> #
>>> # General Configuration
>>> #
>>> ############################################################################## 
>>>
>>>
>>> # Put your own SID. To obtain this number do: "net getlocalsid".
>>> # If not defined, parameter is taking from "net getlocalsid" return
>>> SID="S-1-5-21-3618261801-835847047-1814652966"
>>>
>>> # Domain name the Samba server is in charged.
>>> # If not defined, parameter is taking from smb.conf configuration file
>>> # Ex: sambaDomain="IDEALX-NT"
>>> sambaDomain="MYDOMAIN"
>>>
>>> ############################################################################## 
>>>
>>> #
>>> # LDAP Configuration
>>> #
>>> ############################################################################## 
>>>
>>>
>>> # Notes: to use to dual ldap servers backend for Samba, you must patch
>>> # Samba with the dual-head patch from IDEALX. If not using this patch
>>> # just use the same server for slaveLDAP and masterLDAP.
>>> # Those two servers declarations can also be used when you have
>>> # . one master LDAP server where all writing operations must be done
>>> # . one slave LDAP server where all reading operations must be done
>>> #   (typically a replication directory)
>>>
>>> # Slave LDAP server
>>> # Ex: slaveLDAP=127.0.0.1
>>> # If not defined, parameter is set to "127.0.0.1"
>>> slaveLDAP="127.0.0.1"
>>>
>>> # Slave LDAP port
>>> # If not defined, parameter is set to "389"
>>> slavePort="389"
>>>
>>> # Master LDAP server: needed for write operations
>>> # Ex: masterLDAP=127.0.0.1
>>> # If not defined, parameter is set to "127.0.0.1"
>>> masterLDAP="127.0.0.1"
>>>
>>> # Master LDAP port
>>> # If not defined, parameter is set to "389"
>>> masterPort="389"
>>>
>>> # Use TLS for LDAP
>>> # If set to 1, this option will use start_tls for connection
>>> # (you should also used the port 389)
>>> # If not defined, parameter is set to "1"
>>> ldapTLS="0"
>>>
>>> # How to verify the server's certificate (none, optional or require)
>>> # see "man Net::LDAP" in start_tls section for more details
>>> verify=""
>>>
>>> # CA certificate
>>> # see "man Net::LDAP" in start_tls section for more details
>>> cafile=""
>>>
>>> # certificate to use to connect to the ldap server
>>> # see "man Net::LDAP" in start_tls section for more details
>>> clientcert=""
>>>
>>> # key certificate to use to connect to the ldap server
>>> # see "man Net::LDAP" in start_tls section for more details
>>> clientkey=""
>>>
>>> # LDAP Suffix
>>> # Ex: suffix=dc=IDEALX,dc=ORG
>>> suffix="dc=mydomain,dc=local"
>>>
>>> # Where are stored Users
>>> # Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
>>> # Warning: if 'suffix' is not set here, you must set the full dn for usersdn
>>> usersdn="ou=Users,${suffix}"
>>>
>>> # Where are stored Computers
>>> # Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
>>> # Warning: if 'suffix' is not set here, you must set the full dn for computersdn
>>> computersdn="ou=Computers,${suffix}"
>>>
>>> # Where are stored Groups
>>> # Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
>>> # Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
>>> groupsdn="ou=Groups,${suffix}"
>>>
>>> # Where are stored Idmap entries (used if samba is a domain member server)
>>> # Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
>>> # Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
>>> idmapdn="ou=Idmap,${suffix}"
>>>
>>> # Where to store next uidNumber and gidNumber available for new users and groups
>>> # If not defined, entries are stored in sambaDomainName object.
>>> # Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
>>> # Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
>>> sambaUnixIdPooldn="sambaDomainName=MYDOMAIN,${suffix}"
>>>
>>> # Default scope Used
>>> scope="sub"
>>>
>>> # Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
>>> hash_encrypt="MD5"
>>>
>>> # if hash_encrypt is set to CRYPT, you may set a salt format.
>>> # default is "%s", but many systems will generate MD5 hashed
>>> # passwords if you use "$1$%.8s". This parameter is optional!
>>> crypt_salt_format=""
>>>
>>> ############################################################################## 
>>>
>>> #
>>> # Unix Accounts Configuration
>>> #
>>> ############################################################################## 
>>>
>>>
>>> # Login defs
>>> # Default Login Shell
>>> # Ex: userLoginShell="/bin/bash"
>>> userLoginShell="/bin/false"
>>>
>>> # Home directory
>>> # Ex: userHome="/home/%U"
>>> userHome="/home/%U"
>>>
>>> # Default mode used for user homeDirectory
>>> userHomeDirectoryMode="700"
>>>
>>> # Gecos
>>> userGecos="System User"
>>>
>>> # Default User (POSIX and Samba) GID
>>> defaultUserGid="513"
>>>
>>> # Default Computer (Samba) GID
>>> defaultComputerGid="515"
>>>
>>> # Skel dir
>>> skeletonDir="/etc/skel"
>>>
>>> # Default password validation time (time in days) Comment the next line if
>>> # you don't want password to be enable for defaultMaxPasswordAge days (be
>>> # careful to the sambaPwdMustChange attribute's value)
>>> defaultMaxPasswordAge="45"
>>>
>>> ############################################################################## 
>>>
>>> #
>>> # SAMBA Configuration
>>> #
>>> ############################################################################## 
>>>
>>>
>>> # The UNC path to home drives location (%U username substitution)
>>> # Just set it to a null string if you want to use the smb.conf 'logon home'
>>> # directive and/or disable roaming profiles
>>> # Ex: userSmbHome="\\PDC-SMB3\%U"
>>> userSmbHome="\\pdc\%U"
>>>
>>> # The UNC path to profiles locations (%U username substitution)
>>> # Just set it to a null string if you want to use the smb.conf 'logon path'
>>> # directive and/or disable roaming profiles
>>> # Ex: userProfile="\\PDC-SMB3\profiles\%U"
>>> userProfile="\\pdc\profiles\%U"
>>>
>>> # The default Home Drive Letter mapping
>>> # (will be automatically mapped at logon time if home directory exist)
>>> # Ex: userHomeDrive="H:"
>>> userHomeDrive="H:"
>>>
>>> # The default user netlogon script name (%U username substitution)
>>> # if not used, will be automatically username.cmd
>>> # make sure script file is edited under dos
>>> # Ex: userScript="startup.cmd" # make sure script file is edited under dos
>>> userScript="%U.bat OR netlogon.bat"
>>>
>>> # Domain appended to the users "mail"-attribute
>>> # when smbldap-useradd -M is used
>>> # Ex: mailDomain="idealx.com"
>>> mailDomain="mydomain.local"
>>>
>>> ############################################################################## 
>>>
>>> #
>>> # SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
>>> #
>>> ############################################################################## 
>>>
>>>
>>> # Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
>>> # prefer Crypt::SmbHash library
>>> with_smbpasswd="0"
>>> smbpasswd="/usr/bin/smbpasswd"
>>>
>>> # Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
>>> # but prefer Crypt:: libraries
>>> with_slappasswd="0"
>>> slappasswd="/usr/sbin/slappasswd"
>>>
>>> # comment out the following line to get rid of the default banner
>>> # no_banner="1"
>>>
>>> The LDAP was correctly populated, and I am able to manage users 
>>> using smbldap-tools.
>>> One final detail: when I tried to join the Windows 2008, in the 
>>> joining process the workstation trust account is successfully 
>>> created. I see it with the smbldap-userlist command or a Windows-based 
>>> LDAP administrator.
>>> Apparently the Windows 2008 in its event manager does not give much 
>>> information about the error.
>>> If you need the samba joining logs with debug level 10, I have them.
>>>
>>>
>>> Thanks for your help
>>>
>>>
>>>
>>> German Molano
>>>
>>
>>
>>
>
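A wrapper for Samba's "add machine script", added here as an example and not code from this thread, from Samba or from smbldap-tools: it applies the fix at the top of the message (smbldap-useradd -w without -i) and, following the nscd cache explanation quoted above, invalidates nscd and waits until the new account resolves through NSS before returning, so the smbpasswd step that follows does not hit a stale cache. The script name, the NSS_LOOKUP/POLL_SECS/SMBLDAP_USERADD variables and the assumption that nscd is the caching service and that smbpasswd resolves the account through NSS are all assumptions.

```shell
#!/bin/sh
# add-machine-wrapper.sh (hypothetical name): wrapper for Samba's
# "add machine script". Creates the workstation trust account with
# smbldap-useradd -w (no -i, which is for interdomain trust accounts),
# then invalidates nscd and waits until NSS resolves the new account,
# so the smbpasswd step that Samba runs next does not see a stale cache.
#   add machine script = /usr/local/sbin/add-machine-wrapper.sh %u
# Samba passes %u as the machine name with its trailing "$".
set -u

SMBLDAP_USERADD=${SMBLDAP_USERADD:-/usr/sbin/smbldap-useradd}
# NSS lookup command; expanded unquoted so "getent passwd" splits in two.
NSS_LOOKUP=${NSS_LOOKUP:-"getent passwd"}
POLL_SECS=${POLL_SECS:-1}   # delay between NSS polls

# account_visible NAME: true when NSS (hence smbpasswd) can see NAME.
account_visible() {
    $NSS_LOOKUP "$1" >/dev/null 2>&1
}

# invalidate_nss_cache: drop nscd's passwd table if nscd is installed.
invalidate_nss_cache() {
    if command -v nscd >/dev/null 2>&1; then
        nscd -i passwd 2>/dev/null || true
    fi
}

# wait_for_account NAME TRIES: poll NSS until NAME resolves or TRIES
# attempts are used up. Returns 0 when visible, 1 otherwise.
wait_for_account() {
    name=$1; tries=$2; i=0
    while [ "$i" -lt "$tries" ]; do
        account_visible "$name" && return 0
        i=$((i + 1))
        [ "$i" -lt "$tries" ] && sleep "$POLL_SECS"
    done
    return 1
}

# add_machine NAME: create workstation account NAME unless NSS already
# resolves it, then wait for it to become visible. Returns 0 on success.
add_machine() {
    name=$1
    account_visible "$name" && return 0
    "$SMBLDAP_USERADD" -w "$name" || return 1
    invalidate_nss_cache
    wait_for_account "$name" 10
}

# Only act when invoked by Samba with the machine name as argument.
if [ "$#" -eq 1 ]; then
    add_machine "$1"
fi
```

The waiting step only helps when the delay really is a cache lag; if the join still fails with the account visible via getent, the cause lies elsewhere.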
