[Samba] Failure joining to Samba 3.4.5 Domain
Charlie Page
charlie.page at gmail.com
Sat Mar 6 14:22:13 MST 2010
Hello,
I am attempting to join a Windows 7 computer to a Samba 3.4.5 PDC I set up. When
I attempt to join the domain the Windows 7 computer says: "A device attached
to this system is not functioning." There are no obvious errors in the
system logs on the Windows 7 machine or on the Samba PDC (at log level 2).
I can browse/map a drive to the PDC and access the files.
Does anyone know what is going on?
*Windows 7 client registry edits (CCS = CurrentControlSet):*
HKLM\System\CCS\Services\LanmanWorkstation\Parameters
DWORD DomainCompatibilityMode = 1
DWORD DNSNameResolutionRequired = 0
*smb.conf:*
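[global]
workgroup = MYDOMAIN
netbios name = PDCSERVER
# %v advertises the exact Samba version to every client that browses the
# server (the default string does the same); drop it if version
# disclosure to anonymous clients is a concern.
server string = PDC [on Gentoo :: Samba server %v]
# Listen on the bridge and loopback only.
interfaces = br0,lo
bind interfaces only = Yes
# Per smb.conf(5), when only "hosts allow" is set every address not listed
# is denied (loopback stays allowed unless explicitly denied), so the
# commented-out "hosts deny = ALL" is not needed to close the list.
hosts allow = 10.250.1.0/24, 172.16.250.0/24, 127.0.0.1/8
# hosts deny = ALL
# Account database is the local slapd. "ldap ssl = no" is tolerable only
# because the URI is loopback: the bind password and the password hashes
# Samba reads travel in clear. If this ever points at a remote host use
# "ldap ssl = start tls" or an ldapi:// URI.
passdb backend = ldapsam:ldap://127.0.0.1
ldap ssl = no
# ldapsam:editposix = yes
# ldapsam:trusted = yes
# The map file can rewrite any incoming user name to any local account,
# so it must be owned by and writable only by root.
username map = /etc/samba/smbusers
# The 2 lines below force NTLMv2 (LanMan and NTLMv1 responses are refused).
# With "lanman auth = no" there is no reason to keep LM hashes in
# sambaLMPassword either.
lanman auth = no
ntlm auth = no
client ntlmv2 auth = yes
# Level 2 only records connection accepts (see the log excerpt below). To
# debug the failing join raise it temporarily (e.g. "log level = 3") and
# lower it again afterwards; high debug levels are verbose and log
# authentication details.
log level = 2
log file = /var/log/samba/%m.log
max log size = 50
name resolve order = wins lmhosts host bcast
# printer admin = root, "@Domain Admins"
printcap name = cups
printing = cups
load printers = yes
# The smbldap-tools scripts run as root with the name Samba substitutes
# for %u/%g. A failing "add machine script" is a common cause of join
# failures: run it by hand as root with a test name and check the entry
# appears under ou=Computers before suspecting the client.
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd -p "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%g" "%u"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%g" "%u"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -wi "%u"
#logon script = scripts\logon.bat
#logon path = \\%L\Profiles\%U
# An empty "logon path" disables roaming profiles; U: maps the home share.
logon path =
logon drive = U:
logon home = \\%L\%U
domain logons = Yes
os level = 65
preferred master = Yes
domain master = Yes
dns proxy = No
time server = Yes
wins support = Yes
ldap suffix = ou=auth,ou=example.com,dc=noc1,dc=example,dc=com
# NOTE(review): this DN is slapd's rootdn (see slapd.conf below). The
# password Samba keeps for it in secrets.tdb is therefore the directory
# root credential, and every Samba write bypasses the slapd ACLs. Prefer
# a dedicated bind DN granted read/write on the Samba subtree, including
# the userPassword/sambaLMPassword/sambaNTPassword attributes Samba must
# read to authenticate users.
ldap admin dn = cn=Manager,dc=noc1,dc=example,dc=com
# Deleting a Samba account removes the whole LDAP entry, not only the
# samba* attributes.
ldap delete dn = Yes
ldap group suffix = ou=Groups
# NOTE(review): idmap entries land in the same OU as the user accounts;
# a separate ou=Idmap is the usual layout - confirm this is intended.
ldap idmap suffix = ou=Users
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
ldap passwd sync = Yes
# Range for winbind SID->uid/gid allocations; it must not overlap the
# uidNumber/gidNumber range smbldap-tools hands out (smbldap.conf, not
# shown here).
idmap uid = 10000-15000
idmap gid = 10000-15000
hide unreadable = Yes
dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
max print jobs = 100
max connections = 100
pam password change = yes
# preserve case = yes
# short preserve case = yes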
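[homes]
comment = Home Directories
browseable = no
writable = yes
# NOTE(review): without "valid users = %S" any authenticated domain user
# can connect to \\PDCSERVER\<othername> and is then limited only by the
# Unix permissions on that home directory. Enable the line below to
# restrict each home share to its owner (adjust if Domain Admins need
# access through this share).
; valid users = %S
# You can enable VFS recycle bin on a per share basis:
# Uncomment the next line (make sure you create a .recycle folder in the
# base of the share and ensure all users will have write access to it).
# Samba 3 names VFS modules rather than pointing at a .so; see
# examples/VFS/recycle/README in the samba docs for details.
; vfs objects = recycle
# Un-comment the following and create the netlogon directory for Domain
# Logons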
[netlogon]
comment = Network Logon Service
# Clients run whatever logon script they are told to fetch from here, so
# write access to this directory on the server equals code execution on
# every domain member: keep /var/lib/samba/netlogon owned by root and not
# writable by domain users. "guest ok = yes" makes the share readable
# without credentials by any host in "hosts allow" (conventional for
# netlogon). No "logon script" is currently set in [global].
path = /var/lib/samba/netlogon
guest ok = yes
writable = no
# Un-comment the following to provide a specific roving profile share
# the default is to use the user's home directory
;[Profiles]
; path = /var/lib/samba/profiles
; browseable = no
; guest ok = yes
# This script can be enabled to create profile directories on the fly.
# It runs as root ("root preexec") with the %u/%g Samba substitutes; turn
# off guest access if you enable it, as it hasn't been thoroughly tested.
;root preexec = PROFILE=/var/lib/samba/profiles/%u; if [ ! -e $PROFILE ]; \
; then mkdir -pm700 $PROFILE; chown %u:%g $PROFILE;fi
[printers]
comment = All Printers
# Spool directory for print jobs; every printing user needs write access
# to it (the Samba HOWTO uses mode 1777 so users cannot touch each
# other's jobs).
path = /var/spool/samba
browseable = no
# set to yes to allow user 'guest account' to print.
guest ok = no
writable = no
printable = yes
[print$]
# Printer driver store. Clients download and run these drivers, so the
# write list is effectively "who may ship code to every workstation";
# keep it to Domain Admins and root as here.
path = /var/lib/samba/printers
browseable = yes
read only = yes
write list = "@Domain Admins", root
guest ok = no
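[primary]
comment = mydomain Main Share
path = /data/mydomain/primary/data
# Access is limited to the two domain groups. "read only = No" already
# gives every valid user write access, so "write list" adds nothing here
# (kept as a safeguard should "read only" ever be flipped).
valid users = "@Domain Users", "@Domain Admins"
write list = "@Domain Users", "@Domain Admins"
read only = No
# Permissions for a group-shared tree. The previous "force create mode =
# 0770" OR'd rwx onto every new file (every document became executable)
# and said nothing about directories, which Samba creates with the default
# 0755 mask, so subdirectories made by one user were not writable by the
# rest of the group. New files are now 0660 and new directories 0770.
# NOTE(review): assumes members of the two groups are meant to write into
# each other's directories, as the original settings suggested.
create mask = 0660
force create mode = 0660
directory mask = 0770
force directory mode = 0770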
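[mnt1]
# NOTE(review): the share comment is copied from [primary]; give this
# share its own description.
comment = mydomain Main Share
path = /mnt/mnt1
# Same access model as [primary]: both groups may read and write;
# "write list" is redundant with "read only = No" but harmless.
valid users = "@Domain Users", "@Domain Admins"
write list = "@Domain Users", "@Domain Admins"
read only = No
# Group-shared tree: files 0660 (the previous "force create mode = 0770"
# made every file executable), directories 0770 so the group can write
# into subdirectories created by other members (Samba's default directory
# mask is 0755).
# NOTE(review): assumes members of the two groups are meant to write into
# each other's directories, as the original settings suggested.
create mask = 0660
force create mode = 0660
directory mask = 0770
force directory mode = 0770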
*PDC Samba log for the Windows 7 client, 10.250.1.244 (per-client %m.log, log level 2)*
Allowed connection from (10.250.1.244)
[2010/03/06 13:41:37, 2] smbd/sesssetup.c:1360(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
[2010/03/06 13:41:37, 2] smbd/sesssetup.c:1360(setup_new_vc_session)
setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all
old resources.
*slapd.conf*
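#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable: it carries the rootpw hash below.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
include /etc/openldap/schema/openldap.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# "loglevel 0" logged nothing, so neither the failing join nor any bind
# against the account store left a trace. 256 (= stats) logs connections,
# operations and results to syslog (facility LOCAL4 by default): enough
# to see whether Samba's machine-account add reaches the directory and
# which DN it binds as, without logging entry contents.
loglevel 256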
# Load dynamic backend modules:
modulepath /usr/lib64/openldap/openldap
# moduleload back_shell.so
# moduleload back_relay.so
# moduleload back_perl.so
# moduleload back_passwd.so
# moduleload back_null.so
# moduleload back_monitor.so
# moduleload back_meta.so
moduleload back_hdb.so
# moduleload back_dnssrv.so
# TLS_REQCERT is a client-side (ldap.conf) directive and has no effect in
# slapd.conf; leaving it commented out is correct.
#TLS_REQCERT allow
# Server certificate for ldaps:// and STARTTLS. "allow" requests a client
# certificate but accepts sessions without one (a bad one is ignored), so
# connections are not authenticated by certificate.
TLSVerifyClient allow
TLSCertificateFile /etc/ssl/subdomainlvl1-cert.pem
TLSCertificateKeyFile /etc/ssl/private/subdomainlvl1-key.pem
TLSCACertificateFile /etc/ssl/cbs_cacert.pem
# Sample security restrictions - still commented out, so no minimum
# strength is enforced and simple binds and updates are accepted in clear.
# Samba binds in clear over loopback (smb.conf: ldap ssl = no), so
# "simple_bind=64" would break it unless Samba moves to ldapi:// with
# "localSSF", or plain ldap:// is only listened for on 127.0.0.1.
# NOTE(review): listener addresses are given on the slapd command line
# (not shown) - confirm plain ldap:// is not reachable from the LAN.
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# Rules are evaluated in order: the first "access to" whose target matches
# decides, and within it the first matching "by" clause wins. "by" and
# continuation lines must start with whitespace.
access to dn.base="" by * read
access to dn.base="cn=Subschema" by * read
# Password material: anonymous may only use it to bind, the owner may
# change it, nobody else sees it. This rule comes before the subtree rules
# below, so their "by users read" never exposes the hashes.
# Samba reads sambaNTPassword to authenticate users; that works only
# because its bind DN (cn=Manager, smb.conf "ldap admin dn") is the rootdn,
# which bypasses these ACLs. A dedicated Samba DN would need an explicit
# "by dn=... write" here.
# sambaLMPassword is covered although smb.conf disables LanMan auth;
# keeping LM hashes out of the directory altogether is preferable.
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
by anonymous auth
by self write
by * none
# cn=authbind is listed explicitly on each subtree, but "by users read"
# already covers it; the explicit clause only matters if the users clause
# is later tightened.
access to dn.subtree="ou=Groups,ou=auth,ou=example.com
,dc=noc1,dc=example,dc=com"
by dn="cn=authbind,ou=auth,ou=example.com,dc=noc1,dc=example,dc=com"
read
by users read
by anonymous none
# Users may not modify their own entries except the password attributes
# handled above.
access to dn.subtree="ou=Users,ou=auth,ou=example.com
,dc=noc1,dc=example,dc=com"
by dn="cn=authbind,ou=auth,ou=example.com,dc=noc1,dc=example,dc=com"
read
by users read
by anonymous none
# Machine accounts may rewrite their own whole entry ("by self write") -
# uidNumber, gidNumber, sambaSID, objectClass - not just their password.
# Samba 3 changes machine passwords through "ldap admin dn", so it does
# not need this; unless another service binds as a machine DN, narrow it
# to the attributes that need self-service or drop it.
# NOTE(review): whether anything binds as a machine DN is not visible here.
access to dn.subtree="ou=Computers,ou=auth,ou=example.com
,dc=noc1,dc=example,dc=com"
by dn="cn=authbind,ou=auth,ou=example.com,dc=noc1,dc=example,dc=com"
read
by self write
by users read
by anonymous none
# Everything else in the directory, including entries outside ou=auth, is
# readable by any authenticated DN (every user and machine account) and
# invisible to anonymous.
access to *
by dn="cn=authbind,ou=auth,ou=example.com,dc=noc1,dc=example,dc=com"
read
by users read
by anonymous none
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
#######################################################################
# BDB database definitions
#######################################################################
database hdb
suffix "dc=noc1,dc=example,dc=com"
#checkpoint <kbyte> <min>
checkpoint 32 30
# rootdn bypasses every ACL above. It is also the DN Samba binds as
# (smb.conf "ldap admin dn"), so the same secret lives in Samba's
# secrets.tdb; protect that file like this one. With rootpw kept here,
# slapd.conf must stay readable only by root/the slapd user.
# NOTE(review): the SSHA value below was posted to a public mailing list;
# if it is the live hash, change the rootdn password now - a salted SHA-1
# hash is offline-crackable.
rootdn "cn=Manager,dc=noc1,dc=example,dc=com"
rootpw {SSHA}NKPLHlyvmElwAqKZhmaYYpqftovBUFhq
directory /var/lib/openldap-data
# Indices to maintain (equality indexes for the SID, uid/gid, membership
# and name lookups ldapsam and smbldap-tools typically issue).
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
Thanks,
Charlie