[Samba] Samba 3.6.23 and Windows 7

Andrey Repin anrdaemon at yandex.ru
Mon Nov 10 16:52:27 MST 2014

Greetings, Harry Jede!

Apology for hijacking the thread, but it appears I have an issue somewhere
around there, too.

The environment:

NT4 domain `CCENTER'
Domain controller (PDC) `USERL' (joined… of course)
WinXP system `station1' (joined)
WinXP system `station2' (new)
Win7 system `daemon-v7' (new)

# lsb_release -a; smbd -V; slapd -V
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 12.04.5 LTS
Release:        12.04
Codename:       precise
Version 3.6.3
@(#) $OpenLDAP: slapd  (Sep 19 2013 22:49:31) $
        buildd at batsu:/build/buildd/openldap-2.4.28/debian/build/servers/slapd

# net sam listmem 'Domain Computers'
CCENTER\Domain Computers has 2 members

# pdbedit -Lv daemon-v7
Username not found!

# net sam show 'Domain Users'
CCENTER\Domain Users is a Domain Group with SID S-1-5-21-1031481445-3291699540-3997755762-513
# net sam show 'Domain Computers'
CCENTER\Domain Computers is a Domain Group with SID S-1-5-21-1031481445-3291699540-3997755762-515
# net sam show 'Domain Admins'
CCENTER\Domain Admins is a Domain Group with SID S-1-5-21-1031481445-3291699540-3997755762-512
# net sam listmem 'Domain Admins'
CCENTER\Domain Admins has 3 members
# net sam show 'domainadmin'
CCENTER\domainadmin is a User with SID S-1-5-21-1031481445-3291699540-3997755762-61024
# smbclient -U domainadmin //USERL/domainadmin -c'prompt;ls'
Enter domainadmin's password:
Domain=[CCENTER] OS=[Unix] Server=[Samba 3.6.3]
  .                                   D        0  Tue Feb  4 01:06:34 2014
  ..                                  D        0  Mon Feb 24 10:52:33 2014
  .profile                            H      586  Tue Feb  4 01:06:34 2014
  .bashrc                             H     2940  Tue Feb  4 01:06:34 2014
  .bash_logout                        H      220  Tue Feb  4 01:06:34 2014

                40314 blocks of size 65536. 25984 blocks available

The domain was created on Samba 3.0, then the system has gone through a number
of upgrades. It works… somewhat, I can login with domain users to the system,
but I'm unable to join new machines to the domain.

I.e., I can do
net use \\USERL\IPC$ /user:CCENTER\domainadmin
from the new machine not in domain, thus connecting to the server and browsing
files just fine.
But when I try to join that machine to the domain with the same user
credentials, I get "Access denied".
Any other settings I could check in particular? Or should I try to create a
new admin user?

Server role: ROLE_DOMAIN_PDC
        dos charset = CP866
        workgroup = CCENTER
        server string = %h server (Samba, Ubuntu)
        interfaces =,
        bind interfaces only = Yes
        obey pam restrictions = Yes
        passdb backend = ldapsam:ldap://
        pam password change = Yes
        syslog = 7
        syslog only = Yes
        log file = /var/log/samba/log.%m
        max log size = 1000
        min protocol = NT1
        time server = Yes
        unix extensions = No
        add user script = /usr/sbin/smbldap-useradd -am "%u"
        delete user script = /usr/sbin/smbldap-userdel "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        delete group script = /usr/sbin/smbldap-groupdel "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
        add machine script = /usr/sbin/smbldap-useradd -w "%u"
        logon path =
        logon home =
        domain logons = Yes
        os level = 68
        domain master = Yes
        dns proxy = No
        wins support = Yes
        ldap admin dn = cn=admin,dc=ccenter,dc=lan
        ldap delete dn = Yes
        ldap group suffix = ou=Groups
        ldap idmap suffix = ou=Users
        ldap machine suffix = ou=Computers
        ldap passwd sync = yes
        ldap suffix = dc=ccenter,dc=lan
        ldap ssl = no
        ldap user suffix = ou=Users
        panic action = /usr/share/samba/panic-action %d
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        idmap config CCENTER : range = 30000-50000
        idmap config CCENTER : backend = ldapsam:ldap://
        idmap config * : backend = tdb

        comment = Home Directory
        valid users = %S
        read only = No
        create mask = 0775
        force create mode = 0600
        security mask = 0775
        force security mode = 0600
        directory mask = 0775
        force directory mode = 0700
        directory security mask = 0775
        force directory security mode = 0700
        browseable = No
        csc policy = disable

        comment = All Printers
        path = /var/spool/samba
        create mask = 0700
        printable = Yes
        print ok = Yes
        browseable = No

        comment = Printer Drivers
        path = /var/lib/samba/printers

Andrey Repin (anrdaemon at yandex.ru) 11.11.2014, <01:55>

Sorry for my terrible english...

More information about the samba mailing list