[Samba] problem joining WinXP machine to samba PDC+LDAP environment

Daniel Müller mueller at tropenklinik.de
Thu Feb 24 00:13:46 MST 2011


I had a test system running with the same rpms. Did the setup as described
and could not change user passwords and sync things the
way it should to my ldap slave. In the end I recognized I had to run winbind
on the pdc!?
And after all I was missing a real step by step setup. So I returned to
samba/ldap smbldaptools setting up my system in an hour (Master - Master
Replication).
If you can post your editposix setup to me I would try a second time :-)

-----------------------------------------------
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: mueller at tropenklinik.de
Internet: www.tropenklinik.de
-----------------------------------------------

-----Original Message-----
From: Mike Brady [mailto:mike.brady at devnull.net.nz]
Sent: Wednesday, 23 February 2011 19:18
To: mueller at tropenklinik.de
Cc: 'Jon Detert'; samba at lists.samba.org
Subject: Re: AW: [Samba] problem joining WinXP machine to samba PDC+LDAP environment

Quoting Daniel Müller <mueller at tropenklinik.de>:

> "ldapsam:editposix" is, as I can tell, not a good solution; whenever I tried
> this it did not work right. And there is nowhere a good and new howto about
> this feature. No description goes into the depth.
>
> -----------------------------------------------
> EDV Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
>
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: mueller at tropenklinik.de
> Internet: www.tropenklinik.de
> -----------------------------------------------
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
> On Behalf Of Mike Brady
> Sent: Wednesday, 23 February 2011 09:17
> To: Jon Detert
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] problem joining WinXP machine to samba PDC+LDAP
> environment
>
> Quoting Jon Detert <jdetert at infinityhealthcare.com>:
>
>> On Mon, Feb 21, 2011 at 4:15 PM, Mike Brady
>> <mike.brady at devnull.net.nz> wrote:
>>> Quoting Jon Detert <jdetert at infinityhealthcare.com>:
>>>
>>>> Hello,
>>>>
>>>> I can't join a winxp box to my samba domain.  I just have one samba
>>>> server, meant to act as a PDC for domain='CHI'.
>>>> Any ideas how to troubleshoot and/or remedy?
>>>>
>>>> Thanks,
>>>>
>>>> Jon
>>>>
>>>> Context:
>>>> ------------
>>>> samba v3.3.8 on CentOS v5.5, using ldapsam backend.  Domainname ='CHI'.
>>>> smbldap-tools v0.9.6.
>>>> I 'populated' the ldap with 'smbldap-populate'.
>>>>
>>>> I try to join the winxp box, authenticating to the domain as user
>>>> 'jdetert', which is a member of the 'Administrators' group:
>>>> # smbldap-groupshow Administrators
>>>> dn: cn=Administrators,ou=Groups,dc=infinityhealthcare,dc=com
>>>> objectClass: top,posixGroup,sambaGroupMapping
>>>> gidNumber: 544
>>>> cn: Administrators
>>>> description: Netbios Domain Members can fully administer the
>>>> computer/sambaDomainName
>>>> sambaSID: S-1-5-32-544
>>>> sambaGroupType: 5
>>>> displayName: Administrators
>>>> memberUid: jdetert,root
>>>>
>>>> What happens:
>>>> ----------------------
>>>> a failure dialog window pops up on the winxp box with this message:
>>>> 'The following error occurred attempting to join the domain "CHI":
>>>> The user name could not be found.'
>>
>> -- snip --
>>
>>> I am working through a similar setup at the moment.
>>>
>>> Looking at the smbldap-useradd source, status 9 is "user must not exist in
>>> LDAP", so I assume from that that the workstation userid already exists?
>>
>>
>> Turns out you are correct.  So, I deleted the 'user'="testfsclient$"
>> from the ou=Computers, and retried, but it failed with the same error,
>> and it re-created the user object.
>>
>> Any ideas how/why joining the domain is not fully working?
>>
>> Thanks,
>>
>> Jon
>>
> Jon
>
> A couple more things:
> 1) smbldap-populate initializes the sambaGroupType for all the
> S-1-5-32-* SIDs to 5.  This is incorrect.  It should be 4, but this
> probably isn't causing this issue.
> 2) I think that root needs to be in the Domain Admins group in order
> to join a machine to the domain, not the Administrators group which is
> a local group.  At least that is how I am set up.
> 3) Depending on the details of your implementation you may not need to
> use smbldap-tools at all.  Have a look at the ldapsam:editposix and
> ldapsam:trusted on the smb.conf man page.  Note that using
> ldapsam:editposix is one case where winbind is required on a Samba PDC.
>
> Mike
>
>
> ----------------------------------------------------------------
> This message was sent using IMP, the Internet Messaging Program.

Daniel

Exactly how did ldapsam:editposix not "work right"?

I thought that the smb.conf man page described things well enough.

I have converted my test setup from using smbldap-tools to using
ldapsam:editposix and so far it is doing everything that I was using
smbldap-tools for correctly.  I am using the SerNet 3.5.6 RPMs.

Mike
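
Added example, not part of the original thread and not code from Samba or smbldap-tools: a check for points 1 and 2 of Mike Brady's quoted list, run over group entries in the shape `smbldap-groupshow` prints above. The sample entries and the domain SID are constructed, the function names and the `joiner` parameter are hypothetical, and the group name `Domain Admins` and the expected type 4 are taken from the thread as stated there.

```python
import re

# Constructed sample in the shape smbldap-groupshow prints. The domain SID
# S-1-5-21-1111-2222-3333 is a placeholder, not a value from the thread.
SAMPLE = """\
dn: cn=Administrators,ou=Groups,dc=infinityhealthcare,dc=com
cn: Administrators
sambaSID: S-1-5-32-544
sambaGroupType: 5
memberUid: jdetert,root

dn: cn=Domain Admins,ou=Groups,dc=infinityhealthcare,dc=com
cn: Domain Admins
sambaSID: S-1-5-21-1111-2222-3333-512
sambaGroupType: 2
memberUid: jdetert
"""

BUILTIN_SID = re.compile(r"^S-1-5-32-\d+$")


def parse_entries(text):
    """Split blank-line separated entries into {attribute: [values]} dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if not sep or line[:1] in (" ", "#"):
                continue  # comments, LDIF continuations, mail-wrapped text
            # smbldap-groupshow joins multi-valued attributes with commas
            parts = [value] if name == "dn" else value.split(",")
            entry.setdefault(name, []).extend(p.strip() for p in parts)
        entries.append(entry)
    return entries


def audit(text, joiner="root"):
    """Return findings for points 1 and 2 of the quoted list."""
    findings = []
    for e in parse_entries(text):
        cn = e.get("cn", ["?"])[0]
        sid = e.get("sambaSID", [""])[0]
        gtype = e.get("sambaGroupType", [""])[0]
        if BUILTIN_SID.match(sid) and gtype != "4":
            findings.append(f"{cn}: sambaGroupType {gtype} on {sid}, expected 4")
        if cn == "Domain Admins" and joiner not in e.get("memberUid", []):
            findings.append(f"{joiner} is not a memberUid of Domain Admins")
    return findings
```

Calling `audit(SAMPLE)` returns one finding per problem; an empty list means both checks passed for the entries supplied.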
