[Samba] XP machine won't join domain

Preston Hagar prestonh at gmail.com
Thu Oct 20 12:37:14 MDT 2011


On Wed, Oct 19, 2011 at 11:15 PM, Lachlan Musicman <datakid at gmail.com> wrote:
> Hi
>
> I'm on Ubuntu 10.04 LTS fully up to date.
>
> Am running a samba-ldap server but for some reason I can't connect a
> new fully updated XP machine to the domain.
>
> I've added other machines (6 months ago now, none since) successfully.
>
> I see a file /var/log/samba/log.machinename, but
> /var/log/samba/log.nmbd and /var/log/samba/log.smbd don't have
> anything of note.
>
> Using 'net rpc rights list' I have confirmed that my user can add
> users/machines to the domain.
>
> There is no firewall problem - there is no firewall between these
> machines, as they are on a local LAN together and the XP's firewall is
> disabled.
>
> I can successfully map a shared drive on the XP machine using the same
> credentials. (and, in fact, if I don't disconnect that share, I get a
> different error about not being able to have more than one connection
> at the same time)
>
> Samba conf is here: http://paste.ubuntu.com/713761/
>
> I've tried changing security from user to domain and back, without success.
>
> The error I get after entering the same credentials as above is
> "Access is denied".
>
> Any ideas? Even any pointers on how I might trace the network traffic
> to see where the issues are, since there's no data in the logs of
> note?
>
> I'm not excellent at the smb/ldap, and while I did set this server up,
> I didn't configure the smbldap part of the set up, so I'm not 100%
> sure or certain about what is happening there - am I doing something
> wrong in that regard?
>
> Other machines and users are happily connected to the server over
> smb/ldap, and when I look at their computer->properties, it says they
> are on the domain SBLS, which is what I expected and what I am trying
> to connect the current machine to.
>
> Any help appreciated.
>
> cheers
> L.
>

This may no longer be official Samba policy, so someone please correct
me if I am wrong, but have you tried setting the registry/gpedit fixes
before joining?

Here is what I do on our XP machines:

Start->Run, run gpedit.msc

Change the following:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options branch.

Make sure to disable the following policies:

Domain Member: Digitally encrypt or sign secure channel data (always)

Domain Member: Digitally sign secure channel data (when possible)

Computer Configuration\Administrative Templates\System\User Profiles

Make sure to enable the following policy:

Do not check for user ownership of Roaming Profile Folders


After you make the changes, reboot (not sure if it is required, but
always a good policy with Windows), then try to join the domain again.
Join the domain first before mapping any drives or anything like
that.

Anyway, just a thought.  Hope it helps.

Preston
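
Added example, not part of the original message or of Samba: a small audit helper that reads `reg query` output from a client and reports whether the three policies named in the reply are in the relaxed state it describes, which is useful for keeping track of which machines had secure channel signing turned off for a join. It assumes the policies are backed by the registry values `RequireSignOrSeal` and `SignSecureChannel` under the Netlogon `Parameters` key and `CompatibleRUPSecurity` under the `Policies\Microsoft\Windows\System` key; the sample output is constructed.

```python
import re

NETLOGON = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters"
SYSPOL = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System"

# (policy name from the message, registry key, value name, data in the state the message sets)
# The key and value names are assumptions of this example, not taken from the message.
POLICIES = [
    ("Domain Member: Digitally encrypt or sign secure channel data (always)",
     NETLOGON, "requiresignorseal", 0),
    ("Domain Member: Digitally sign secure channel data (when possible)",
     NETLOGON, "signsecurechannel", 0),
    ("Do not check for user ownership of Roaming Profile Folders",
     SYSPOL, "compatiblerupsecurity", 1),
]

# One value line of `reg query` output: name, type, hex data (tab or space separated).
VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")

def parse_reg_query(text):
    """Return {key path (upper case): {value name (lower case): int}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip().upper(), {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def audit(text):
    """Return [(policy, state)]; state is 'relaxed', 'enforced' or 'not set'."""
    keys = parse_reg_query(text)
    report = []
    for policy, key, name, relaxed_value in POLICIES:
        value = keys.get(key.upper(), {}).get(name)
        if value is None:
            state = "not set"  # value absent from the output supplied
        else:
            state = "relaxed" if value == relaxed_value else "enforced"
        report.append((policy, state))
    return report

# Constructed sample: `reg query` output for the Netlogon key only.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
    requiresignorseal    REG_DWORD    0x0
    sealsecurechannel    REG_DWORD    0x1
    signsecurechannel    REG_DWORD    0x1
"""

if __name__ == "__main__":
    for policy, state in audit(SAMPLE):
        print(f"{state:9} {policy}")
```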

