On Tue, 11 May 2004, Rafal Pietrak wrote:

> Hi all,
>
> I've just set up a samba(PDC)+ldap-(no)winbind and it works OK for W98
> client, but W2K client isn't able to join the domain.
>
> my checklist:
> 1. ldap works:
> example$ ldapsearch -LL -x -b 'ou=KAROWA' -s sub '(&(objectclass=*)(uid=lenec))'
> **ldap*> dn: uid=lenec,ou=People,ou=KAROWA
> **ldap*> uid: lenec
> **ldap*> objectClass: sambaSamAccount
> **ldap*> objectClass: posixAccount
> **ldap*> objectClass: account
> **ldap*> sambaAcctFlags: [U ]
> **ldap*> sambaSID: S-1-5-21-3658755377-320826499-3197562212-1081
> **ldap*> sambaPrimaryGroupSID: S-1-5-21-3658755377-320826499-3197562212-512
> 2. libnss-ldap works:
> example$ getent passwd ; getent group
> **pass*> lenec:x:1081:513:User Lenec:/home/lenec:/bin/false
> **pass*> MORIA$:x:121:65534:Komputer MORIA:/root:/bin/false
> **group*> domainadmins:x:512:lenec
> **group*> domainguests:x:514:501
> **group*> domainusers:x:513:
> 3. pam-ldap works: user 'lenec' can access samba shares AND can change his
> password from a W98 client machine while logged-in to 'domain' (a
> three-field login window when logging into W98).
>
> Now, when I test this with W2K: selecting "My_Comp->
> (right-click)Propert-> Network_ident-> (second-button-from-top)Properties
> ->(lower-box/I-select)Domain=WORKGROUP"; I'm asked then for a domain
> administrator login and password. So, the questions are:
> (I) Who is this?

It needs to be someone who can create accounts via your 'add user' etc scripts.

> Where in SAMBA configuration I tell samba that THIS is
> domain administrator (capable of doing the above)? (In my 'best guess', I
> have made user lenec a member of "domainadmins" with rid=512, but maybe
> it has nothing to do with admin privileges?).

Well, if you use the smbldap-tools, then you would ensure that the group domainadmins has read permission on the smbldap_conf.pm and execute+read rights on the smbldap-scripts and module. And, of course, the LDAP dn in the smbldap_conf.pm needs to have sufficient access to the LDAP server.

> (II) Then, in samba logfiles (at the end of the e-mail - excerpts, the
> whole thing is 1MB) I can see, that samba at certain points fails to
> accept 'somebody's' credentials. I cannot figure out whose credentials they
> are, and how to change it :(.
>
> But, I also tried to add the workstation account directly at samba BEFORE
> I try to execute the above at the workstation itself. The result is:
> example$ getent passwd WYDAWNIC-LDC0LG\$
> **pass*> WYDAWNIC-LDC0LG$:x:60000:65534:Komputer \
> WYDAWNIC-LDC0LG:/home/hosts:
> to no avail - the W2K still gets declined by samba.
>
> Any clue what's wrong here?

Samba needs to be able to change the workstation's trust account password ...

Regards,
Buchan
