[Samba] Fail to join a Windows 2008 R2 to a Samba+LDAP PDC version3.5.4
German Molano
gmolano at ignios.net
Fri Jul 2 13:04:33 MDT 2010
I already found the error and solved it, but now I have another issue:
Once the Windows 2008 R2 Foundation joins the domain it shows me this message:
The server did not finish checking the license compliance. If the
server is joined to a domain, make sure that the server can connect to a
domain controller. If the license compliant check cannot be completed,
the server will automatically shut down in 0 hour(s) 30 minute(s).

Classical licensing crap ... but the PDC did not have any user
created. I think that Windows 2008 expects to search for an AD server,
count the users created and, if it meets the limitations, not kill
itself ...
Is there any option to work around this ...
German
tms3 at tms3.com wrote:
>
>
> SNIP
>
>>
>>
>>
>> Hi there, this is my config: I have a CentOS 5.3 x86_64, fully
>> updated, with Xen enabled and Samba 3.5.4 sernet RPMs. I have a
>> virtual machine running Windows 2008 R2 Foundation, fully
>> virtualized, on the same machine.
>> When I tried to join the Windows 2008 to the domain I got this message:
>> The following error occurred attempting to join the domain "MYDOMAIN":
>> A device attached to the system is not functioning.
>
> I have that error as well. To the best of my knowledge it is
> happening because smbldap tools are calling smbpasswd right after the
> ldap add of the machine, however, some nss dependent service is using
> a cached copy of ldap which does not contain the new machine entry.
> If you simply rejoin the domain after you receive the error, things
> should work fine.
>
> Cheers,
>
> TMS III
>>
>>
>>
>> The Windows 2008 registry was modified to be able to join the domain
>> as recommended on the internet:
>> HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters
>> DWORD DomainCompatibilityMode = 1
>> DWORD DNSNameResolutionRequired = 0
>> HKLM\System\CurrentControlSet\Services\Netlogon\Parameters
>> DWORD RequireSignOrSeal = 0
>> DWORD RequireStrongKey = 0
>> This is my config:
>> smb.conf
>> [global]
>>
>> unix charset = ISO8859-1
>> workgroup = MYDOMAIN
>> netbios name = pdc
>> passdb backend = ldapsam:ldap://127.0.0.1
>> username map = /etc/samba/smbusers
>> log level = 10
>> log file = /var/log/samba/%m.log
>> max log size = 50
>> name resolve order = hosts lmhost wins bcast
>> wins support = yes
>> time server = Yes
>> show add printer wizard = No
>> add user script = /usr/sbin/smbldap-useradd -a -m %u
>> delete user script = /usr/sbin/smbldap-userdel -r %u
>> add group script = /usr/sbin/smbldap-groupadd -p %g
>> delete group script = /usr/sbin/smbldap-groupdel %g
>> add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
>> delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
>> set primary group script = /usr/sbin/smbldap-usermod -g %g %u
>> add machine script = /usr/sbin/smbldap-useradd -w -i %u
>> passwd program = /usr/sbin/smbldap-passwd %u
>> passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
>> ldap password sync = Yes
>> enable privileges = Yes
>> logon script = %U.bat OR netlogon.bat
>> logon path = \\%L\profiles\%U
>> logon drive = H:
>> domain logons = Yes
>> preferred master = Yes
>> domain master = Yes
>> ldap admin dn = cn=Administrador,dc=mydomain,dc=local
>> ldap group suffix = ou=Groups
>> ldap idmap suffix = ou=Idmap
>> ldap machine suffix = ou=Computers
>> ldap passwd sync = Yes
>> ldap suffix = dc=mydomain,dc=local
>> ldap user suffix = ou=Users
>> ldap ssl = off
>> idmap backend = ldap:ldap://127.0.0.1
>> idmap uid = 10000-20000
>> idmap gid = 10000-20000
>> printer admin = Administrador
>> map acl inherit = Yes
>> printing = cups
>> printcap name = CUPS
>>
>> [homes]
>> comment = Home Directories
>> valid users = %S
>> read only = No
>> browseable = No
>>
>> [netlogon]
>> comment = Network Logon Service
>> path = /var/lib/samba/netlogon
>> guest ok = Yes
>> locking = No
>>
>> [profiles]
>> comment = Network Profiles Share
>> path = /var/lib/samba/profiles
>> read only = No
>> profile acls = Yes
>> create mode = 0600
>> directory mode = 0700
>> writable = yes
>> browseable = No
>> store dos attributes = Yes
>>
>>
>> slapd.conf
>>
>> #
>> # See slapd.conf(5) for details on configuration options.
>> # This file should NOT be world readable.
>> #
>> include /etc/openldap/schema/core.schema
>> include /etc/openldap/schema/cosine.schema
>> include /etc/openldap/schema/inetorgperson.schema
>> include /etc/openldap/schema/nis.schema
>> include /etc/openldap/schema/samba3.schema
>> include /etc/openldap/schema/dyngroup.schema
>>
>> # Allow LDAPv2 client connections. This is NOT the default.
>> allow bind_v2
>>
>> # Do not enable referrals until AFTER you have a working directory
>> # service AND an understanding of referrals.
>> #referral ldap://root.openldap.org
>>
>> pidfile /var/run/openldap/slapd.pid
>> argsfile /var/run/openldap/slapd.args
>>
>> # Load dynamic backend modules:
>> modulepath /usr/lib64/openldap
>>
>> # Modules available in openldap-servers-overlays RPM package
>> # Module syncprov.la is now statically linked with slapd and there
>> # is no need to load it here
>> # moduleload accesslog.la
>> # moduleload auditlog.la
>> # moduleload denyop.la
>> # moduleload dyngroup.la
>> # moduleload dynlist.la
>> # moduleload lastmod.la
>> # moduleload pcache.la
>> # moduleload ppolicy.la
>> # moduleload refint.la
>> # moduleload retcode.la
>> # moduleload rwm.la
>> # moduleload smbk5pwd.la
>> # moduleload translucent.la
>> # moduleload unique.la
>> # moduleload valsort.la
>>
>> # modules available in openldap-servers-sql RPM package:
>> # moduleload back_sql.la
>>
>> # The next three lines allow use of TLS for encrypting connections using a
>> # dummy test certificate which you can generate by changing to
>> # /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
>> # slapd.pem so that the ldap user or group can read it. Your client software
>> # may balk at self-signed certificates, however.
>> # TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
>> # TLSCertificateFile /etc/pki/tls/certs/slapd.pem
>> # TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
>>
>> # Sample security restrictions
>> # Require integrity protection (prevent hijacking)
>> # Require 112-bit (3DES or better) encryption for updates
>> # Require 63-bit encryption for simple bind
>> # security ssf=1 update_ssf=112 simple_bind=64
>>
>> # Sample access control policy:
>> # Root DSE: allow anyone to read it
>> # Subschema (sub)entry DSE: allow anyone to read it
>> # Other DSEs:
>> # Allow self write access
>> # Allow authenticated users read access
>> # Allow anonymous users to authenticate
>> # Directives needed to implement policy:
>> # access to dn.base="" by * read
>> # access to dn.base="cn=Subschema" by * read
>> # access to *
>> # by self write
>> # by users read
>> # by anonymous auth
>> #
>> # if no access controls are present, the default policy
>> # allows anyone and everyone to read anything but restricts
>> # updates to rootdn. (e.g., "access to * by * read")
>> #
>> # rootdn can always read and write EVERYTHING!
>>
>> #######################################################################
>> # ldbm and/or bdb database definitions
>> #######################################################################
>>
>> database bdb
>> suffix "dc=mydomain,dc=local"
>> rootdn "cn=Administrador,dc=mydomain,dc=local"
>> # Cleartext passwords, especially for the rootdn, should
>> # be avoided. See slappasswd(8) and slapd.conf(5) for details.
>> # Use of strong authentication encouraged.
>> rootpw mypassword
>> # rootpw {crypt}ijFYNcSNctBYg
>>
>> # The database directory MUST exist prior to running slapd AND
>> # should only be accessible by the slapd and slap tools.
>> # Mode 700 recommended.
>> directory /var/lib/ldap
>>
>> # Indices to maintain for this database
>> #index objectClass eq,pres
>> #index ou,cn,mail,surname,givenname eq,pres,sub
>> #index uidNumber,gidNumber,loginShell eq,pres
>> #index uid,memberUid eq,pres,sub
>> #index nisMapName,nisMapEntry eq,pres,sub
>> index objectClass eq
>> index cn pres,sub,eq
>> index sn pres,sub,eq
>> index uid pres,sub,eq
>> index displayName pres,sub,eq
>> index uidNumber eq
>> index gidNumber eq
>> index memberUID eq
>> index sambaSID eq
>> index sambaPrimaryGroupSID eq
>> index sambaDomainName eq
>> index default sub
>>
>> smbldap_bind.conf
>> slaveDN="cn=Administrador,dc=mydomain,dc=local"
>> slavePw="mypassword"
>> masterDN="cn=Administrador,dc=mydomain,dc=local"
>> masterPw="mypassword"
>>
>> smbldap.conf
>> ##############################################################################
>>
>> #
>> # General Configuration
>> #
>> ##############################################################################
>>
>>
>> # Put your own SID. To obtain this number do: "net getlocalsid".
>> # If not defined, parameter is taking from "net getlocalsid" return
>> SID="S-1-5-21-3618261801-835847047-1814652966"
>>
>> # Domain name the Samba server is in charged.
>> # If not defined, parameter is taking from smb.conf configuration file
>> # Ex: sambaDomain="IDEALX-NT"
>> sambaDomain="MYDOMAIN"
>>
>> ##############################################################################
>>
>> #
>> # LDAP Configuration
>> #
>> ##############################################################################
>>
>>
>> # Notes: to use to dual ldap servers backend for Samba, you must patch
>> # Samba with the dual-head patch from IDEALX. If not using this patch
>> # just use the same server for slaveLDAP and masterLDAP.
>> # Those two servers declarations can also be used when you have
>> # . one master LDAP server where all writing operations must be done
>> # . one slave LDAP server where all reading operations must be done
>> # (typically a replication directory)
>>
>> # Slave LDAP server
>> # Ex: slaveLDAP=127.0.0.1
>> # If not defined, parameter is set to "127.0.0.1"
>> slaveLDAP="127.0.0.1"
>>
>> # Slave LDAP port
>> # If not defined, parameter is set to "389"
>> slavePort="389"
>>
>> # Master LDAP server: needed for write operations
>> # Ex: masterLDAP=127.0.0.1
>> # If not defined, parameter is set to "127.0.0.1"
>> masterLDAP="127.0.0.1"
>>
>> # Master LDAP port
>> # If not defined, parameter is set to "389"
>> masterPort="389"
>>
>> # Use TLS for LDAP
>> # If set to 1, this option will use start_tls for connection
>> # (you should also used the port 389)
>> # If not defined, parameter is set to "1"
>> ldapTLS="0"
>>
>> # How to verify the server's certificate (none, optional or require)
>> # see "man Net::LDAP" in start_tls section for more details
>> verify=""
>>
>> # CA certificate
>> # see "man Net::LDAP" in start_tls section for more details
>> cafile=""
>>
>> # certificate to use to connect to the ldap server
>> # see "man Net::LDAP" in start_tls section for more details
>> clientcert=""
>>
>> # key certificate to use to connect to the ldap server
>> # see "man Net::LDAP" in start_tls section for more details
>> clientkey=""
>>
>> # LDAP Suffix
>> # Ex: suffix=dc=IDEALX,dc=ORG
>> suffix="dc=mydomain,dc=local"
>>
>> # Where are stored Users
>> # Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
>> # Warning: if 'suffix' is not set here, you must set the full dn for usersdn
>> usersdn="ou=Users,${suffix}"
>>
>> # Where are stored Computers
>> # Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
>> # Warning: if 'suffix' is not set here, you must set the full dn for computersdn
>> computersdn="ou=Computers,${suffix}"
>>
>> # Where are stored Groups
>> # Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
>> # Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
>> groupsdn="ou=Groups,${suffix}"
>>
>> # Where are stored Idmap entries (used if samba is a domain member server)
>> # Ex: groupsdn="ou=Idmap,dc=IDEALX,dc=ORG"
>> # Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
>> idmapdn="ou=Idmap,${suffix}"
>>
>> # Where to store next uidNumber and gidNumber available for new users and groups
>> # If not defined, entries are stored in sambaDomainName object.
>> # Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
>> # Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
>> sambaUnixIdPooldn="sambaDomainName=MYDOMAIN,${suffix}"
>>
>> # Default scope Used
>> scope="sub"
>>
>> # Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
>> hash_encrypt="MD5"
>>
>> # if hash_encrypt is set to CRYPT, you may set a salt format.
>> # default is "%s", but many systems will generate MD5 hashed
>> # passwords if you use "$1$%.8s". This parameter is optional!
>> crypt_salt_format=""
>>
>> ##############################################################################
>>
>> #
>> # Unix Accounts Configuration
>> #
>> ##############################################################################
>>
>>
>> # Login defs
>> # Default Login Shell
>> # Ex: userLoginShell="/bin/bash"
>> userLoginShell="/bin/false"
>>
>> # Home directory
>> # Ex: userHome="/home/%U"
>> userHome="/home/%U"
>>
>> # Default mode used for user homeDirectory
>> userHomeDirectoryMode="700"
>>
>> # Gecos
>> userGecos="System User"
>>
>> # Default User (POSIX and Samba) GID
>> defaultUserGid="513"
>>
>> # Default Computer (Samba) GID
>> defaultComputerGid="515"
>>
>> # Skel dir
>> skeletonDir="/etc/skel"
>>
>> # Default password validation time (time in days) Comment the next line if
>> # you don't want password to be enable for defaultMaxPasswordAge days (be
>> # careful to the sambaPwdMustChange attribute's value)
>> defaultMaxPasswordAge="45"
>>
>> ##############################################################################
>>
>> #
>> # SAMBA Configuration
>> #
>> ##############################################################################
>>
>>
>> # The UNC path to home drives location (%U username substitution)
>> # Just set it to a null string if you want to use the smb.conf 'logon home'
>> # directive and/or disable roaming profiles
>> # Ex: userSmbHome="\\PDC-SMB3\%U"
>> userSmbHome="\\pdc\%U"
>>
>> # The UNC path to profiles locations (%U username substitution)
>> # Just set it to a null string if you want to use the smb.conf 'logon path'
>> # directive and/or disable roaming profiles
>> # Ex: userProfile="\\PDC-SMB3\profiles\%U"
>> userProfile="\\pdc\profiles\%U"
>>
>> # The default Home Drive Letter mapping
>> # (will be automatically mapped at logon time if home directory exist)
>> # Ex: userHomeDrive="H:"
>> userHomeDrive="H:"
>>
>> # The default user netlogon script name (%U username substitution)
>> # if not used, will be automatically username.cmd
>> # make sure script file is edited under dos
>> # Ex: userScript="startup.cmd" # make sure script file is edited under dos
>> userScript="%U.bat OR netlogon.bat"
>>
>> # Domain appended to the users "mail"-attribute
>> # when smbldap-useradd -M is used
>> # Ex: mailDomain="idealx.com"
>> mailDomain="mydomain.local"
>>
>> ##############################################################################
>>
>> #
>> # SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
>> #
>> ##############################################################################
>>
>>
>> # Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
>> # prefer Crypt::SmbHash library
>> with_smbpasswd="0"
>> smbpasswd="/usr/bin/smbpasswd"
>>
>> # Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
>> # but prefer Crypt:: libraries
>> with_slappasswd="0"
>> slappasswd="/usr/sbin/slappasswd"
>>
>> # comment out the following line to get rid of the default banner
>> # no_banner="1"
>>
>> The LDAP was correctly populated, and I am able to manage users using
>> smbldap-tools.
>> One final detail: when I tried to join the Windows 2008, in the
>> joining process the workstation trust account is successfully
>> created. I see it with the smbldap-userlist command or a Windows-based
>> LDAP administrator.
>> Apparently the Windows 2008 event manager does not give much
>> information about the error.
>> If you need the Samba joining logs with debug level 10, I have them.
>>
>>
>> Thanks for your help
>>
>>
>>
>> German Molano
>>
>
>
>
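Added example, not from this thread and not part of Samba or smbldap-tools: a wrapper around the `add machine script` in the smb.conf quoted above that deals with the race TMS III describes (the machine entry is added to LDAP, but the NSS cache consulted by the following smbpasswd step does not yet contain it). It assumes nscd is the caching NSS service (the thread only says "some nss dependent service"), an install path of /usr/local/sbin/add-machine.sh, and the same smbldap-useradd flags as the posted config; the script, function and variable names (add_machine_account, wait_for_nss, flush_nss_cache, NSS_LOOKUP) are invented for this example.

```shell
#!/bin/sh
# add-machine.sh (hypothetical wrapper written for this example; not part
# of Samba or smbldap-tools). Samba would call it as:
#     add machine script = /usr/local/sbin/add-machine.sh %u
# It creates the workstation trust account in LDAP, drops nscd's cached
# passwd/group tables (assumption: nscd is the caching NSS service), and
# waits until NSS really resolves the new account before returning, so the
# smbpasswd step Samba runs next does not work from a stale cache.
set -eu

SMBLDAP_USERADD="${SMBLDAP_USERADD:-/usr/sbin/smbldap-useradd}"
NSS_LOOKUP="${NSS_LOOKUP:-nss_lookup}"   # lookup command; overridable for tests
LOG_TAG="add-machine"

# Default lookup: succeeds once the account is visible through getent.
nss_lookup() {
    getent passwd "$1" >/dev/null 2>&1
}

# Invalidate nscd's passwd and group tables; a no-op when nscd is absent.
flush_nss_cache() {
    if command -v nscd >/dev/null 2>&1; then
        nscd -i passwd 2>/dev/null || true
        nscd -i group 2>/dev/null || true
    fi
    return 0
}

# wait_for_nss NAME MAX_TRIES DELAY_SECONDS
# Returns 0 as soon as NAME resolves via $NSS_LOOKUP, 1 after MAX_TRIES tries.
wait_for_nss() {
    wfn_name="$1"; wfn_max="$2"; wfn_delay="$3"; wfn_try=0
    while [ "$wfn_try" -lt "$wfn_max" ]; do
        if "$NSS_LOOKUP" "$wfn_name"; then
            return 0
        fi
        wfn_try=$((wfn_try + 1))
        if [ "$wfn_try" -lt "$wfn_max" ]; then
            sleep "$wfn_delay"
        fi
    done
    return 1
}

# add_machine_account 'NAME$': the whole procedure Samba expects from the script.
add_machine_account() {
    ama_machine="$1"
    logger -t "$LOG_TAG" "creating trust account $ama_machine" 2>/dev/null || true
    # Same flags as the posted smb.conf (-w -i %u).
    "$SMBLDAP_USERADD" -w -i "$ama_machine"
    flush_nss_cache
    if wait_for_nss "$ama_machine" 10 1; then
        return 0
    fi
    logger -t "$LOG_TAG" "$ama_machine added to LDAP but not visible via NSS" 2>/dev/null || true
    return 1
}

# Only act when Samba passes a machine name; running or sourcing the file
# without arguments just defines the functions and never touches LDAP.
if [ -n "${1:-}" ]; then
    add_machine_account "$1"
fi
```

Point `add machine script` at the wrapper instead of calling smbldap-useradd directly; a non-zero exit makes the join fail visibly on the Samba side instead of with the generic "device attached to the system" message. Setting `NSS_LOOKUP` to another command lets `wait_for_nss` be exercised without an LDAP server. Rejoining after the first failure, as TMS III suggests, still works; the wrapper just removes the need for it.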