[Samba] Cannot join Linux-based clients to PDC (Samba 3.5.1)

Mikael Sundell mikael.sundell at gmail.com
Wed Mar 31 10:53:30 MDT 2010


Hi all!

The problem relates to joining Linux-based clients to our PDC (all
Samba 3.5.1 running on CentOS 5).

For some time Profiles, Homes, Netlogon and in general adding new
Windows machines have been working fine, but when we try to add a new
Linux client (CLIENT-FS1) to the PDC the following errors are
reported:

/var/log/messages - SERVER-PDC

Mar 31 18:13:55 localhost smbd[30810]: [2010/03/31 18:13:55.650347, 0] rpc_server/srv_netlog_nt.c:475(get_md4pw)
Mar 31 18:13:55 localhost smbd[30810]:   get_md4pw: Workstation CLIENT-FS1$: no account in domain
Mar 31 18:13:55 localhost smbd[30810]: [2010/03/31 18:13:55.650439, 0] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
Mar 31 18:13:55 localhost smbd[30810]:   _netr_ServerAuthenticate2: failed to get machine password for account CLIENT-FS1$: NT_STATUS_ACCESS_DENIED

Domain join cmd on CLIENT-FS1:

"net rpc join -S SERVER-PDC -U root%<password>"

returns: Joined domain NTDOMAIN

The machine is added to our LDAP directory just like the Windows machines.

The following error is reported when trying to join the Linux client
(again) with the newly created entry:

Mar 31 18:40:12 localhost smbd[30946]: [2010/03/31 18:40:12.162514, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
Mar 31 18:40:12 localhost smbd[30946]:   _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client CLIENT-FS1 machine account CLIENT-FS1$

smb.conf - SERVER-PDC

[global]
	workgroup = NTDOMAIN
	realm = NTDOMAIN.COM
	netbios name = SERVER-PDC
	server string = Domain Controller
	interfaces = lo, eth0, 192.168.222.1
	bind interfaces only = Yes
	passdb backend = ldapsam:"ldap://127.0.0.1:389"
	passwd program = /usr/sbin/smbldap-passwd %u
	passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
	log level = 10
	smb ports = 139
	add user script = /usr/sbin/smbldap-useradd -m "%u"
	delete user script = /usr/sbin/smbldap-userdel "%u"
	add group script = /usr/sbin/smbldap-groupadd -p "%g"
	delete group script = /usr/sbin/smbldap-groupdel "%g"
	add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
	delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
	set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
	add machine script = /usr/sbin/smbldap-useradd -w "%u"
	logon path = \\%L\Profiles\%u
	domain logons = Yes
	domain master = Yes
	wins proxy = Yes
	wins support = Yes
	ldap admin dn = cn=Manager,dc=ntdomain,dc=com
	ldap delete dn = Yes
	ldap group suffix = ou=Groups
	ldap idmap suffix = ou=Users
	ldap machine suffix = ou=Computers
	ldap suffix = dc=ntdomain,dc=com
	ldap ssl = no
	ldap user suffix = ou=Users
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	winbind enum users = Yes
	winbind enum groups = Yes
	hosts allow = 127., 192.168.222.
	cups options = raw

[homes]
	comment = Home Directories
	read only = No
	create mask = 0700
	force create mode = 0700
	directory mask = 0700
	force directory mode = 0700
	browseable = No

[printers]
	comment = All Printers
	path = /var/spool/samba
	printable = Yes
	browseable = No

[netlogon]
	comment = Network Logon Service
	path = /var/lib/samba/netlogon
	guest ok = Yes
	share modes = No

[Profiles]
	path = /var/lib/samba/profiles
	read only = No
	create mask = 0600
	directory mask = 0700
	guest ok = Yes
	profile acls = Yes
	browseable = No
	csc policy = disable

Please tell me if more information is needed.

Thanks,

Mikael
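The two smbd excerpts in the post are the whole diagnostic, so here is an added example (written for this page; it is not Mikael's script and not part of Samba) that parses syslog-wrapped smbd debug output, pairs each "[timestamp, level] file:line(function)" header with the message line that follows it for the same PID, extracts the machine account name, and classifies the NETLOGON failure. The sample log text is the post's own lines rejoined one record per line. The category names, the hint strings and the reading of "netlogon_creds_server_check failed" as a mismatch between the machine password the client holds and the NT hash stored in the PDC's passdb are this example's assumptions, not Samba output.

```python
"""Triage NETLOGON machine-account failures in syslog-wrapped smbd logs."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: the smbd records from the post above, one syslog
# record per line (the e-mail client had wrapped them).
SAMPLE_LOG = """\
Mar 31 18:13:55 localhost smbd[30810]: [2010/03/31 18:13:55.650347, 0] rpc_server/srv_netlog_nt.c:475(get_md4pw)
Mar 31 18:13:55 localhost smbd[30810]:   get_md4pw: Workstation CLIENT-FS1$: no account in domain
Mar 31 18:13:55 localhost smbd[30810]: [2010/03/31 18:13:55.650439, 0] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
Mar 31 18:13:55 localhost smbd[30810]:   _netr_ServerAuthenticate2: failed to get machine password for account CLIENT-FS1$: NT_STATUS_ACCESS_DENIED
Mar 31 18:40:12 localhost smbd[30946]: [2010/03/31 18:40:12.162514, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
Mar 31 18:40:12 localhost smbd[30946]:   _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client CLIENT-FS1 machine account CLIENT-FS1$
"""

# syslog prefix: "Mar 31 18:13:55 host smbd[pid]: body"
SYSLOG_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ smbd\[(?P<pid>\d+)\]: (?P<body>.*)$")
# Samba debug header: "[2010/03/31 18:13:55.650347, 0] file.c:475(function)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d\d/\d\d [\d:.]+),\s*(?P<level>\d+)\] (?P<src>\S+?)\((?P<func>\w+)\)$")
# machine (trust) accounts end in '$'
ACCOUNT_RE = re.compile(r"\b([A-Za-z0-9_-]+\$)")


@dataclass
class NetlogonEvent:
    timestamp: str            # Samba's own timestamp from the debug header
    pid: int
    source: str               # e.g. rpc_server/srv_netlog_nt.c:475
    function: str             # function named in the debug header
    message: str              # the message line that followed the header
    account: Optional[str]    # machine account named in the message, if any


# (substring to look for, category, hint). Categories and hints are this
# example's own interpretation of the Samba messages.
RULES = [
    ("no account in domain", "MISSING_MACHINE_ACCOUNT",
     "passdb (ldapsam here) has no entry for the trust account: check "
     "'pdbedit -L -m' on the PDC and the 'ldap machine suffix' / 'add machine script' settings"),
    ("failed to get machine password", "NO_MACHINE_PASSWORD",
     "follow-on of the missing account in the same request; fix the account lookup first"),
    ("netlogon_creds_server_check failed", "MACHINE_PASSWORD_MISMATCH",
     "the account exists but the machine password the client presents does not match "
     "the NT hash stored for it: compare the client's secrets.tdb with the passdb entry "
     "and re-run the join if they diverged"),
]
HINTS = {category: hint for _, category, hint in RULES}


def parse_smbd_log(text: str) -> List[NetlogonEvent]:
    """Pair each debug header with the next message line of the same PID."""
    events: List[NetlogonEvent] = []
    pending: Dict[int, "re.Match[str]"] = {}   # header awaiting its message, per PID
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue                            # not an smbd record
        pid, body = int(m.group("pid")), m.group("body").strip()
        h = HEADER_RE.match(body)
        if h:
            pending[pid] = h
            continue
        h = pending.pop(pid, None)
        if h is None:
            continue                            # message without a header; skip
        acct = ACCOUNT_RE.search(body)
        events.append(NetlogonEvent(h.group("ts"), pid, h.group("src"),
                                    h.group("func"), body,
                                    acct.group(1) if acct else None))
    return events


def classify(event: NetlogonEvent) -> str:
    """Map a NETLOGON message to one of the RULES categories, else OTHER."""
    for needle, category, _ in RULES:
        if needle in event.message:
            return category
    return "OTHER"


def account_history(events: List[NetlogonEvent]) -> Dict[str, List[str]]:
    """Ordered list of failure categories seen per machine account."""
    history: Dict[str, List[str]] = {}
    for e in events:
        if e.account:
            history.setdefault(e.account, []).append(classify(e))
    return history


def triage(text: str) -> List[dict]:
    """Flat report: one dict per NETLOGON failure, with a hint for each."""
    report = []
    for e in parse_smbd_log(text):
        cat = classify(e)
        report.append({"time": e.timestamp, "pid": e.pid, "account": e.account,
                       "function": e.function, "category": cat,
                       "hint": HINTS.get(cat, "inspect the message")})
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(f"{row['time']} pid={row['pid']} {row['account']} {row['category']}: {row['hint']}")
    print(account_history(parse_smbd_log(SAMPLE_LOG)))
```

Running it against the post's records shows the sequence for CLIENT-FS1$ going from MISSING_MACHINE_ACCOUNT (first attempt, no passdb entry) to MACHINE_PASSWORD_MISMATCH (second attempt, after the LDAP entry was created by hand), which is the distinction a first look at the raw lines tends to blur: the second failure is no longer a lookup problem but a credential-check problem.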

