[Samba] problem joining WinXP machine to samba PDC+LDAP environment

Daniel Müller mueller at tropenklinik.de
Wed Feb 23 01:24:51 MST 2011

"ldapsam:editposix" is, as far as I can tell, not a good solution; whenever I
tried this it did not work right. And there is nowhere a good and new howto
about this feature. No description goes into depth.

IT Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On
Behalf Of Mike Brady
Sent: Wednesday, 23 February 2011 09:17
To: Jon Detert
Cc: samba at lists.samba.org
Subject: Re: [Samba] problem joining WinXP machine to samba PDC+LDAP

Quoting Jon Detert <jdetert at infinityhealthcare.com>:

> On Mon, Feb 21, 2011 at 4:15 PM, Mike Brady  
> <mike.brady at devnull.net.nz> wrote:
>> Quoting Jon Detert <jdetert at infinityhealthcare.com>:
>>> Hello,
>>> I can't join a winxp box to my samba domain.  I just have one samba
>>> server, meant to act as a PDC for domain='CHI'.
>>> Any ideas how to troubleshoot and/or remedy?
>>> Thanks,
>>> Jon
>>> Context:
>>> ------------
>>> samba v3.3.8 on CentOS v5.5, using ldapsam backend.  Domainname ='CHI'.
>>> smbldap-tools v0.9.6.
>>> I 'populated' the ldap with 'smbldap-populate'.
>>> I try to join the winxp box, authenticating to the domain as user
>>> 'jdetert', which is a member of the 'Administrators' group:
>>> # smbldap-groupshow Administrators
>>> dn: cn=Administrators,ou=Groups,dc=infinityhealthcare,dc=com
>>> objectClass: top,posixGroup,sambaGroupMapping
>>> gidNumber: 544
>>> cn: Administrators
>>> description: Netbios Domain Members can fully administer the
>>> computer/sambaDomainName
>>> sambaSID: S-1-5-32-544
>>> sambaGroupType: 5
>>> displayName: Administrators
>>> memberUid: jdetert,root
>>> What happens:
>>> ----------------------
>>> a failure dialog window pops up on the winxp box with this message:
>>> 'The following error occurred attempting to join the domain "CHI":
>>> The user name could not be found.'
> -- snip --
>> I am working through a similar setup at the moment.
>> Looking at the smbldap-useradd source, status 9 is "user must not exist
>> LDAP", so I assume from that that the workstation userid already exists?
> Turns out you are correct.  So, I deleted the 'user'="testfsclient$"
> from the ou=Computers, and retried, but it failed with the same error,
> and it re-created the user object.
> Any ideas how/why joining the domain is not fully working?
> Thanks,
> Jon

A couple more things:
1) smbldap-populate initializes the sambaGroupType for all the  
S-1-5-32-* SIDs to 5.  This is incorrect.  It should be 4, but this  
probably isn't causing this issue.
2) I think that root needs to be in the Domain Admins group in order  
to join a machine to the domain, not the Administrators group which is  
a local group.  At least that is how I am set up.
3) Depending on the details of your implementation you may not need to  
use smbldap-tools at all.  Have a look at the ldapsam:editposix and  
ldapsam:trusted on the smb.conf man page.  Note that using  
ldapsam:editposix is one case where winbind is required on a Samba PDC.

