[Samba] problem joining WinXP machine to samba PDC+LDAP environment

Jon Detert jdetert at infinityhealthcare.com
Mon Feb 21 14:14:01 MST 2011 

Hello,

I can't join a winxp box to my samba domain.  I just have one samba
server, meant to act as a PDC for domain='CHI'.
Any ideas how to troubleshoot and/or remedy?

Thanks,

Jon

Context:
------------
samba v3.3.8 on CentOS v5.5, using ldapsam backend.  Domainname ='CHI'.
smbldap-tools v0.9.6.
I 'populated' the ldap with 'smbldap-populate'.

I try to join the winxp box, authenticating to the domain as user
'jdetert', which is a member of the 'Administrators' group:
# smbldap-groupshow Administrators
dn: cn=Administrators,ou=Groups,dc=infinityhealthcare,dc=com
objectClass: top,posixGroup,sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the
computer/sambaDomainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators
memberUid: jdetert,root

What happens:
----------------------
a failure dialog window pops up on the winxp box with this message:
'The following error occurred attempting to join the domain "CHI":
The user name could not be found.'

And here are the interesting bits (as far as I can tell) from the samba logs:

<log.smb>
[2011/02/21 14:32:07,  2] lib/smbldap_util.c:smbldap_search_domain_info(277)
  smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=CHI))]
[2011/02/21 14:32:07,  2] lib/smbldap.c:smbldap_open_connection(856)
  smbldap_open_connection: connection opened
[2011/02/21 14:32:07,  3] lib/smbldap.c:smbldap_connect_system(1067)
  ldap_connect_system: successful connection to the LDAP server
[2011/02/21 14:32:07,  4] lib/smbldap.c:smbldap_open(1143)
  The LDAP server is successfully connected
..
[2011/02/21 14:32:07,  4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
  ldapsam_getgroup: Did not find group, filter was
(&(objectClass=sambaGroupMapping)(gidNumber=0))
...
[2011/02/21 14:32:07,  4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
  ldapsam_getgroup: Did not find group, filter was
(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-545))
...
[2011/02/21 14:32:07,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID
[S-1-5-21-3685928793-4148883033-3314734756-500]
...

<[2011/02/21 14:32:07,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID
[S-1-5-21-3685928793-4148883033-3314734756-501]
[2011/02/21 14:32:07,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID
[S-1-5-21-3685928793-4148883033-3314734756-514]
[2011/02/21 14:32:07,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2011/02/21 14:32:07,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-32-546]
</log.smb>

interesting bits in the log.<clientMachineName>, where
clientMachineName=testfsclient
<log.testfsclient>
[2011/02/21 14:32:22,  4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
  ldapsam_getgroup: Did not find group, filter was
(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-545))
.... [editor's note: that's for the group 'Users'.  Also couldn't find
groups for S-1-5-2 ('Network'), S-1-1-0 ('Everyone'),  and  S-1-5-11
('Authenticated Users').]
[2011/02/21 14:32:22,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID
[S-1-5-21-3685928793-4148883033-3314734756-11002]
[2011/02/21 14:32:22,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID
[S-1-5-21-3685928793-4148883033-3314734756-11001]
[2011/02/21 14:32:22,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2011/02/21 14:32:22,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-11]
.... [editor's note: the SID ending in 11002 is the user 'jdetert'
that attempted to join the machine, and the SID ending in 11001 is
jdetert's primary GID.]
[2011/02/21 14:32:22,  4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1519)
  ldapsam_getsampwnam: Unable to locate user [TESTFSCLIENT$] count=0
.... [editor's note: 'TESTFSCLIENT' is the name of the machine i was
trying to join.]
[2011/02/21 14:32:22,  4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
  ldapsam_getgroup: Did not find group, filter was
(&(objectClass=sambaGroupMapping)(|(displayName=TESTFSCLIENT$)(cn=TESTFSCLIENT$)))
....
[2011/02/21 14:32:22,  0] passdb/pdb_interface.c:pdb_default_create_user(342)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w
-c "Workstation (testfsclient$)" "testfsclient$"' gave 9
[2011/02/21 14:32:22,  3] passdb/pdb_interface.c:pdb_default_create_user(359)
  pdb_default_create_user: failed to create a new user structure:
NT_STATUS_NO_SUCH_USER
</log.testfsclient>

I assume that the 'group not found' log entries are not significant,
and that '9' was the return code from smbldap-useradd.

Anyone know what return code 9 means?
Anyone have ideas how to remedy this problem?

Thanks,

Jon

More information about the samba mailing list