[Samba] problem joining WinXP machine to samba PDC+LDAP environment

Mike Brady mike.brady at devnull.net.nz
Wed Feb 23 11:17:46 MST 2011


Quoting Daniel Müller <mueller at tropenklinik.de>:

> "ldapsam:editposix" is, as far as I can tell, not a good solution. Whenever I
> tried this it did not work right. And there is nowhere a good and new howto
> about this feature. No description goes into depth.
>
> -----------------------------------------------
> IT Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
>
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: mueller at tropenklinik.de
> Internet: www.tropenklinik.de
> -----------------------------------------------
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On
> Behalf Of Mike Brady
> Sent: Wednesday, 23 February 2011 09:17
> To: Jon Detert
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] problem joining WinXP machine to samba PDC+LDAP
> environment
>
> Quoting Jon Detert <jdetert at infinityhealthcare.com>:
>
>> On Mon, Feb 21, 2011 at 4:15 PM, Mike Brady
>> <mike.brady at devnull.net.nz> wrote:
>>> Quoting Jon Detert <jdetert at infinityhealthcare.com>:
>>>
>>>> Hello,
>>>>
>>>> I can't join a winxp box to my samba domain.  I just have one samba
>>>> server, meant to act as a PDC for domain='CHI'.
>>>> Any ideas how to troubleshoot and/or remedy?
>>>>
>>>> Thanks,
>>>>
>>>> Jon
>>>>
>>>> Context:
>>>> ------------
>>>> samba v3.3.8 on CentOS v5.5, using ldapsam backend.  Domainname ='CHI'.
>>>> smbldap-tools v0.9.6.
>>>> I 'populated' the ldap with 'smbldap-populate'.
>>>>
>>>> I try to join the winxp box, authenticating to the domain as user
>>>> 'jdetert', which is a member of the 'Administrators' group:
>>>> # smbldap-groupshow Administrators
>>>> dn: cn=Administrators,ou=Groups,dc=infinityhealthcare,dc=com
>>>> objectClass: top,posixGroup,sambaGroupMapping
>>>> gidNumber: 544
>>>> cn: Administrators
>>>> description: Netbios Domain Members can fully administer the
>>>> computer/sambaDomainName
>>>> sambaSID: S-1-5-32-544
>>>> sambaGroupType: 5
>>>> displayName: Administrators
>>>> memberUid: jdetert,root
>>>>
>>>> What happens:
>>>> ----------------------
>>>> a failure dialog window pops up on the winxp box with this message:
>>>> 'The following error occurred attempting to join the domain "CHI":
>>>> The user name could not be found.'
>>
>> -- snip --
>>
>>> I am working through a similar setup at the moment.
>>>
>>> Looking at the smbldap-useradd source, status 9 is "user must not exist in
>>> LDAP", so I assume from that that the workstation userid already exists?
>>
>>
>> Turns out you are correct.  So, I deleted the 'user'="testfsclient$"
>> from the ou=Computers, and retried, but it failed with the same error,
>> and it re-created the user object.
>>
>> Any ideas how/why joining the domain is not fully working?
>>
>> Thanks,
>>
>> Jon
>>
> Jon
>
> A couple more things:
> 1) smbldap-populate initializes the sambaGroupType for all the
> S-1-5-32-* SIDs to 5.  This is incorrect.  It should be 4, but this
> probably isn't causing this issue.
> 2) I think that root needs to be in the Domain Admins group in order
> to join a machine to the domain, not the Administrators group which is
> a local group.  At least that is how I am set up.
> 3) Depending on the details of your implementation you may not need to
> use smbldap-tools at all.  Have a look at the ldapsam:editposix and
> ldapsam:trusted on the smb.conf man page.  Note that using
> ldapsam:editposix is one case where winbind is required on a Samba PDC.
>
> Mike

Daniel

Exactly how did ldapsam:editposix not "work right"?

I thought that the smb.conf man page described things well enough.

I have converted my test setup from using smbldap-tools to using
ldapsam:editposix and so far it is doing everything that I was using
smbldap-tools for correctly.  I am using the SerNet 3.5.6 RPMs.

Mike
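
Points 1 and 2 of the quoted reply, turned into a check over `smbldap-groupshow` style output. This is an added example, not part of the original thread or of smbldap-tools; the expected type 4 is the value stated in the thread, and the `Domain Admins` entry, its placeholder SID, and the function names are assumptions made for illustration.

```python
BUILTIN_PREFIX = "S-1-5-32-"
EXPECTED_BUILTIN_TYPE = "4"            # value given in the thread for S-1-5-32-* SIDs
LIST_ATTRS = {"objectClass", "memberUid"}  # shown comma-joined in the tool output

# Constructed sample. The first entry mirrors the one quoted in the thread; the
# second is hypothetical and its domain SID is a placeholder.
SAMPLE = """\
dn: cn=Administrators,ou=Groups,dc=infinityhealthcare,dc=com
objectClass: top,posixGroup,sambaGroupMapping
cn: Administrators
sambaSID: S-1-5-32-544
sambaGroupType: 5
memberUid: jdetert,root

dn: cn=Domain Admins,ou=Groups,dc=infinityhealthcare,dc=com
objectClass: top,posixGroup,sambaGroupMapping
cn: Domain Admins
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-512
sambaGroupType: 2
memberUid: jdetert
"""

def parse_entries(text):
    """Turn blank-line separated 'attr: value' entries into dicts of lists."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry, last = {}, None
        for line in block.splitlines():
            if ": " in line:
                last, value = line.split(": ", 1)
                parts = value.split(",") if last in LIST_ATTRS else [value]
                entry.setdefault(last, []).extend(p.strip() for p in parts)
            elif last:  # mail-wrapped continuation of the previous value
                entry[last][-1] += line.strip()
        entries.append(entry)
    return entries

def audit(entries, join_user="root"):
    """Return findings for builtin group types and Domain Admins membership."""
    findings = []
    for e in entries:
        cn, sid = e.get("cn", ["?"])[0], e.get("sambaSID", [""])[0]
        gtype = e.get("sambaGroupType", [""])[0]
        if sid.startswith(BUILTIN_PREFIX) and gtype != EXPECTED_BUILTIN_TYPE:
            findings.append(f"{cn}: sambaGroupType {gtype}, expected {EXPECTED_BUILTIN_TYPE}")
        if cn == "Domain Admins" and join_user not in e.get("memberUid", []):
            findings.append(f"{cn}: {join_user} is not a member")
    return findings
```

Calling `audit(parse_entries(SAMPLE))` reports both the builtin group's type and the missing `root` membership for the constructed entries.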
