I tried exactly what you tried last week, and I was happy because everything worked. I followed a tutorial on SUSE, even though I am using version 10.3. What I did differently was NOT to start winbind, and NOT to create any groups in Linux. What I did wrong the first time, and what gave me the problems I posted, was that I didn't issue the net getlocalsid command and used the tutorial's one... (no comment, please..) When I realized the error I had to go inside LDAP, using phpldapadmin, and manually modify the value.
I didn't need to create the Windows XP account. When I had to join it, I just gave the root/administrator password and everything was fine: the computer account was created in the LDAP, and I can log on to the domain with an account I created with smbldap-adduser.

Another thing: I created a new domain with a new LDAP backend. I thought you were doing the same. But what do you mean when you tried to join the domain from the PDC (point 12)? The PDC is the PDC of that domain... You don't have to join it. When creating an account with smbldap-adduser, I specify -a and -m (and not only -m, as was suggested in the tutorial I followed).

HTH,
Andrea

P.S. The tutorial(s) I followed are:

References
http://en.opensuse.org/Howto_setup_SUSE_10.1_as_Samba_PDC
http://www.howtoforge.com/openldap-samba-domain-controller-ubuntu7.10

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]] On behalf of Paul Furness
> Sent: Friday, 15 February 2008 18:53
> To: Samba Mail List
> Subject: [Samba] Joining a Windows XP pc to Samba / LDAP domain
>
> Hi, guys,
>
> I'm trying to create a PDC using Samba with an LDAP backend. According to all the guides I read, this should be fairly easy really, but I've done nothing else for the last week and it still doesn't work the way the manual says it should! As far as I can see, everything is set up and working correctly right up to the point when I try and join a machine to the domain.
>
> I've posted some extracts of my config files, log files, errors and the versions of various things, below.
>
> I pretty much exactly followed the "Making Happy Users" chapter of the Samba guide.
> These are the steps I've gone through (in summary), starting with a clean build of linux on the server and WinXP on the client. It starts going wrong at step 8.
> Oh just for completeness, both the new domain controller and the windows PC are on their own, completely separate network, to ensure that the existing domain / windows clients can have no effect whatsoever.
>
> 1. Install samba and LDAP on the server, together with phpldapadmin.
>
> 2. Configure slapd and got the ldap server working, and configure phpldapadmin to let me connect and see what's going on, and create LDAP entries directly if needed. Also configured PAM and NSS.
>
> 3. Configure samba as a PDC with an LDAP backend. Set the LDAP manager password in samba. Got the SID.
>
> 5. Configured smbldap-tools, setting up the SID and LDAP details.
>
> 6. Created the linux groups for Domain Admins, Domain Users, Domain Guests and Domain Computers.
>
> 7. Started LDAP and did an smbldap-populate. This gave exactly the right response and a look at the ldap database proved it had created all the appropriate entries. Tested the ldap with "ldapsearch" and got the expected response. Also checked NSS with getent and got the right answers.
>
> 8. Added a user with smbldap-useradd then set the password for that user with smbldap-passwd. This worked fine.
>
> 9. Checked that the root UID is set to 0. It is.
>
> 10. Checked that the user account is being read properly using pdbedit -Lv. It is.
>
> 11. Start nmb, smb and winbind, and checked the logs to see if they are behaving. They are.
>
> 12. Tried to join the domain from the pdc (which is named "PDC") with "net rpc join -S PDC -U root%PASSWORD"
>
> 13. It fails. The message I get is:
> Creation of workstation account failed
> Unable to join domain LDAPTEST.
>
> 14. Tried to join a windows XP PC to the domain. It finds the domain controller ok, and then gives the error "The username could not be found" which, from what I've been able to find out, means that the PC account isn't being created properly on the domain.
>
> What's *really* odd is that it seems to be creating the computer accounts correctly in the ldap (you can see that in the ldif export below). And yet, despite actually creating the account, it's insisting that it isn't.
>
> I tried deleting the ldap entry for the computer, then creating it by hand (smbldap-adduser -w pdc$) and it works fine. But the client still insists that it's not joined the domain.
>
> I *know* I'm typing the password correctly, and the log seems to bear this out. It simply doesn't work, and I've completely run out of steam trying to understand why. I'm presumably missing something significant (and probably very simple). Can anyone offer some pointers - or even the answer - before I quit computing and start driving trucks for a living... :)
>
> Thanks,
>
> Paul.
>
>
> Software versions:
> =============
> Fedora linux 8 (fully patched as of 12 Feb), with samba 3.0.28, openldap 2.3.39-1.
> Windows XP with SP2 and all current updates as of 12 Feb.
>
> Error messages:
> ===========
> in log.smb I get this when trying to join the domain:
>
> [2008/02/15 17:21:44, 2] smbd/reply.c:reply_special(324)
>   netbios connect: name1=PDC name2=PDC
> [2008/02/15 17:21:44, 2] smbd/reply.c:reply_special(331)
>   netbios connect: local=pdc remote=pdc, name type = 0
> [2008/02/15 17:21:44, 2] lib/smbldap.c:smbldap_open_connection(786)
>   smbldap_open_connection: connection opened
> [2008/02/15 17:21:44, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
>   get_md4pw: Workstation PDC$: no account in domain
> [2008/02/15 17:21:44, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
>   _net_auth2: failed to get machine password for account PDC$: NT_STATUS_ACCESS_DENIED
> [2008/02/15 17:21:44, 2] smbd/reply.c:reply_special(324)
>   netbios connect: name1=PDC name2=PDC
> [2008/02/15 17:21:44, 2] smbd/reply.c:reply_special(331)
>   netbios connect: local=pdc remote=pdc, name type = 0
> [2008/02/15 17:21:44, 2] lib/smbldap.c:smbldap_open_connection(786)
>   smbldap_open_connection: connection opened
> [2008/02/15 17:21:44, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
>   init_sam_from_ldap: Entry found for user: root
> [2008/02/15 17:21:44, 2] passdb/pdb_ldap.c:init_group_from_ldap(2158)
>   init_group_from_ldap: Entry found for group: 512
> [2008/02/15 17:21:44, 2] auth/auth.c:check_ntlm_password(309)
>   check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
> [2008/02/15 17:21:45, 0] passdb/pdb_interface.c:pdb_default_create_user(329)
>   _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w 'pdc$'' gave 9
>
>
> Config file extracts:
> ==============
>
> slapd.conf
> -----------
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/samba.schema
> ...
> access to attrs=userPassword
>         by self write
>         by * auth
>
> access to attrs=shadowLastChange
>         by self write
>         by * read
>
> access to *
>         by * read
>         by anonymous auth
> ...
> database bdb
> suffix "dc=vi-lab,dc=net"
> rootdn "cn=Manager,dc=vi-lab,dc=net"
> rootpw {SSHA}06qDkonA8hk6W6SSnRzWj0/pBcU3m0/P
> directory /var/lib/ldap
>
>
> LDIF of running database
> ----------------------------
> dn: dc=vi-lab,dc=net
> objectClass: dcObject
> objectClass: organization
> o: vi-lab
> dc: vi-lab
>
> dn: ou=Computers,dc=vi-lab,dc=net
> objectClass: top
> objectClass: organizationalUnit
> ou: Computers
>
> dn: uid=pdc$,ou=Computers,dc=vi-lab,dc=net
> objectClass: top
> objectClass: account
> objectClass: posixAccount
> cn: pdc$
> uid: pdc$
> uidNumber: 1005
> gidNumber: 515
> homeDirectory: /dev/null
> loginShell: /bin/false
> description: Computer
> gecos: Computer
>
> dn: ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: organizationalUnit
> ou: Groups
>
> dn: cn=Account Operators,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 548
> cn: Account Operators
> description: Netbios Domain Users to manipulate users accounts
> sambaSID: S-1-5-32-548
> sambaGroupType: 5
> displayName: Account Operators
>
> dn: cn=Administrators,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 544
> cn: Administrators
> description: Netbios Domain Members can fully administer the computer/sambaDomainName
> sambaSID: S-1-5-32-544
> sambaGroupType: 5
> displayName: Administrators
>
> dn: cn=Backup Operators,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 551
> cn: Backup Operators
> description: Netbios Domain Members can bypass file security to back up files
> sambaSID: S-1-5-32-551
> sambaGroupType: 5
> displayName: Backup Operators
>
> dn: cn=Domain Admins,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 512
> cn: Domain Admins
> memberUid: root
> description: Netbios Domain Administrators
> sambaSID: S-1-5-21-314791047-4281314283-1819700115-512
> sambaGroupType: 2
> displayName: Domain Admins
>
> dn: cn=Domain Computers,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 515
> cn: Domain Computers
> description: Netbios Domain Computers accounts
> sambaSID: S-1-5-21-314791047-4281314283-1819700115-515
> sambaGroupType: 2
> displayName: Domain Computers
>
> dn: cn=Domain Guests,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 514
> cn: Domain Guests
> description: Netbios Domain Guests Users
> sambaSID: S-1-5-21-314791047-4281314283-1819700115-514
> sambaGroupType: 2
> displayName: Domain Guests
>
> dn: cn=Domain Users,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 513
> cn: Domain Users
> description: Netbios Domain Users
> sambaSID: S-1-5-21-314791047-4281314283-1819700115-513
> sambaGroupType: 2
> displayName: Domain Users
>
> dn: cn=Print Operators,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 550
> cn: Print Operators
> description: Netbios Domain Print Operators
> sambaSID: S-1-5-32-550
> sambaGroupType: 5
> displayName: Print Operators
>
> dn: cn=Replicators,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 552
> cn: Replicators
> description: Netbios Domain Supports file replication in a sambaDomainName
> sambaSID: S-1-5-32-552
> sambaGroupType: 5
> displayName: Replicators
>
> dn: sambaSID=S-1-5-32-545,ou=Groups,dc=vi-lab,dc=net
> objectClass: sambaSidEntry
> objectClass: sambaGroupMapping
> sambaSID: S-1-5-32-545
> sambaGroupType: 4
> displayName: Users
> gidNumber: 10000
> sambaSIDList: S-1-5-21-314791047-4281314283-1819700115-513
>
> dn: ou=Idmap,dc=vi-lab,dc=net
> objectClass: top
> objectClass: organizationalUnit
> objectClass: sambaUnixIdPool
> ou: Idmap
> uidNumber: 10000
> gidNumber: 10005
>
> dn: ou=People,dc=vi-lab,dc=net
> objectClass: top
> objectClass: organizationalUnit
> ou: People
>
> dn: uid=furnesp,ou=People,dc=vi-lab,dc=net
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: sambaSamAccount
> cn: furnesp
> sn: furnesp
> givenName: furnesp
> uid: furnesp
> uidNumber: 1000
> gidNumber: 513
> homeDirectory: /home/furnesp
> loginShell: /bin/bash
> gecos: System User
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> displayName: furnesp
> sambaSID: S-1-5-21-314791047-4281314283-1819700115-3000
> sambaPrimaryGroupSID: S-1-5-21-314791047-4281314283-1819700115-513
> sambaLogonScript: \export\netlogon\logon.bat
> sambaProfilePath: \\%L\Profiles\furnesp
> sambaHomePath: \\%L\furnesp
> sambaHomeDrive: H:
> sambaLMPassword: 6B7077BA8F8D8BD4AAD3B435B51404EE
> sambaAcctFlags: [U]
> sambaNTPassword: 15094F33692DB11DE3361C044289B84C
> sambaPwdLastSet: 1203092614
> sambaPwdMustChange: 1206980614
> userPassword: {MD5}AYtqSZjKzvLjGzGaZCHV8g==
> shadowLastChange: 13924
> shadowMax: 45
>
> dn: uid=nobody,ou=People,dc=vi-lab,dc=net
> cn: nobody
> sn: nobody
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: sambaSamAccount
> objectClass: posixAccount
> objectClass: shadowAccount
> gidNumber: 514
> uid: nobody
> uidNumber: 999
> homeDirectory: /dev/null
> sambaPwdLastSet: 0
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaPwdMustChange: 2147483647
> sambaHomePath: \\%L\nobody
> sambaHomeDrive: H:
> sambaProfilePath: \\%L\Profiles\nobody
> sambaPrimaryGroupSID: S-1-5-21-314791047-4281314283-1819700115-514
> sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
> sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
> sambaAcctFlags: [NUD ]
> sambaSID: S-1-5-21-314791047-4281314283-1819700115-2998
> loginShell: /bin/false
>
> dn: uid=root,ou=People,dc=vi-lab,dc=net
> cn: root
> sn: root
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: sambaSamAccount
> objectClass: posixAccount
> objectClass: shadowAccount
> uid: root
> uidNumber: 0
> homeDirectory: /home/root
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaHomePath: \\%L\root
> sambaHomeDrive: H:
> sambaProfilePath: \\%L\Profiles\root
> sambaPrimaryGroupSID: S-1-5-21-314791047-4281314283-1819700115-512
> sambaSID: S-1-5-21-314791047-4281314283-1819700115-1000
> loginShell: /bin/false
> gecos: Netbios Domain Administrator
> sambaLMPassword: BE6C2CB6DCCAB6C81AA818381E4E281B
> sambaAcctFlags: [U]
> sambaNTPassword: 7681889A48EB666054D449D996329A26
> sambaPwdLastSet: 1203092468
> sambaPwdMustChange: 1206980468
> userPassword: {MD5}cIDsCbTZptdIWyvi6lJS0w==
> shadowLastChange: 13924
> shadowMax: 45
> gidNumber: 0
>
> dn: sambaDomainName=LDAPTEST,dc=vi-lab,dc=net
> objectClass: top
> objectClass: sambaDomain
> objectClass: sambaUnixIdPool
> sambaDomainName: LDAPTEST
> sambaSID: S-1-5-21-314791047-4281314283-1819700115
> gidNumber: 1000
> sambaNextRid: 1000
> sambaPwdHistoryLength: 0
> sambaMinPwdAge: 0
> sambaMaxPwdAge: -1
> uidNumber: 1006
>
>
> smb.conf
> ----------
> workgroup = LDAPTEST
> netbios name = PDC
> ...
> passdb backend = ldapsam:ldap://localhost
> enable privileges = Yes
> username map = /etc/samba/smbusers
> smb ports = 139
> name resolve order = wins bcast hosts
> ...
> add user script = /usr/sbin/smbldap-useradd -m '%u'
> delete user script = /usr/sbin/smbldap-userdel %u
> add group script = /usr/sbin/smbldap-groupadd -p '%g'
> delete group script = /usr/sbin/smbldap-groupdel '%g'
> add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
> delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
> add machine script = /usr/sbin/smbldap-useradd -w '%u'
> ...http://10.226.210.245
> logon script = \export\netlogon\logon.bat
> ...
> local master = yes
> os level = 35
> domain master = Yes
> preferred master = Yes
> domain logons = Yes
> security = user
> encrypt passwords = Yes
> wins support = Yes
> dns proxy = Yes
> ldap suffix = dc=vi-lab,dc=net
> ldap machine suffix = ou=Computers
> ldap user suffix = ou=People
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> ldap admin dn = cn=Manager,dc=vi-lab,dc=net
> ldap ssl = no
> ldap passwd sync = Yes
> idmap backend = ldap:ldap://localhost
> idmap uid = 10000-20000
> idmap gid = 10000-20000
>
> [homes]
> comment = Home Directories
> valid users = %S
> read only = No
> browseable = No
>
> [printers]
> comment = SMB Print Spool
> path = /var/spool/samba
> guest ok = Yes
> printable = Yes
> browseable = No
>
> [netlogon]
> comment = Local general disk on %h
> path = /export/netlogon
> guest ok = Yes
> locking = No
> public = yes
> writable = yes
>
> [profiles]
> comment = Profile Share
> path = /export/profiles
> read only = No
> profile acls = Yes
>
> [print$]
> comment = Printer Drivers
> path = /export/drivers
> browseable = yes
> guest ok = no
> read only = yes
> write list = root, furnesp
>
>
> smbusers
> -----------
> # Unix_name = SMB_name1 SMB_name2 ...
> root = administrator admin
> nobody = guest pcguest smbguest
>
> smbldap.conf
> ---------------
> SID="S-1-5-21-314791047-4281314283-1819700115"
> sambaDomain="LDAPTEST"
> slaveLDAP="localhost"
> slavePort="389"
> masterLDAP="localhost"
> masterPort="389"
> ldapTLS="0"
> ...
>
> suffix="dc=vi-lab,dc=org"
> usersdn="ou=People,${suffix}"
> computersdn="ou=Computers,${suffix}"
> groupsdn="ou=Groups,${suffix}"
> idmapdn="ou=Idmap,${suffix}"
> sambaUnixIdPooldn="sambaDomainName=LDAPTEST,${suffix}"
> scope="sub"
> ...
> defaultUserGid="513"
> defaultComputerGid="515"
>
>
>
> ---
>
> Paul Furness BEng(Hons) MBCS
> Systems Manager
>
> MITSUBISHI ELECTRIC INFORMATION TECHNOLOGY CENTRE EUROPE B.V
> VISUAL INFORMATION LABORATORY
> 20, Frederick Sanger Road
> The Surrey Research Park
> Guildford, Surrey GU2 7YD UK
> Registered Branch BR 003158
> DDI Telephone: +44 1483 885826
> Tel: +44 1483 885800
> Fax: +44 1483 579107
>
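The exchange above turns on several values that have to agree across files: the base DN in slapd.conf, the `ldap suffix` / `ldap admin dn` / `ldap machine suffix` in smb.conf, the `suffix`, `SID` and `sambaDomain` in smbldap.conf (every other DN in that file is built from `${suffix}`), and the SID that `net getlocalsid` reports, which is Andrea's point about not copying the tutorial's SID. The following is an added example, not code from the Samba project or smbldap-tools: a small Python checker that parses constructed fragments modelled on the quoted extracts and reports any disagreement. The constructed smbldap.conf keeps the `dc=vi-lab,dc=org` suffix from the quoted one while slapd.conf and smb.conf use `dc=vi-lab,dc=net`, which is exactly the kind of mismatch the check is meant to surface. The parsers are deliberately minimal (no continuation lines, no includes), and the `net getlocalsid` output line is a constructed sample.

```python
"""Consistency check across the files a Samba 3 PDC with an LDAP backend
relies on.  Added example, not code from the Samba project or smbldap-tools;
every fragment below is constructed, modelled on the extracts in the thread."""
import re

SLAPD_CONF = """\
suffix          "dc=vi-lab,dc=net"
rootdn          "cn=Manager,dc=vi-lab,dc=net"
"""
SMB_CONF = """\
[global]
    workgroup = LDAPTEST
    passdb backend = ldapsam:ldap://localhost
    add machine script = /usr/sbin/smbldap-useradd -w '%u'
    ldap suffix = dc=vi-lab,dc=net
    ldap machine suffix = ou=Computers
    ldap admin dn = cn=Manager,dc=vi-lab,dc=net
"""
SMBLDAP_CONF = """\
SID="S-1-5-21-314791047-4281314283-1819700115"
sambaDomain="LDAPTEST"
suffix="dc=vi-lab,dc=org"
computersdn="ou=Computers,${suffix}"
"""
# Constructed: what `net getlocalsid` prints on the PDC itself.
NET_GETLOCALSID = "SID for domain PDC is: S-1-5-21-314791047-4281314283-1819700115"


def parse_slapd(text):
    """slapd.conf: directive, whitespace, value (quotes optional)."""
    out = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("#"):
            out[parts[0]] = parts[1].strip().strip('"')
    return out


def parse_smb(text):
    """smb.conf: 'key = value' lines; section headers and comments skipped."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if "=" in line and not line.startswith(("#", ";", "[")):
            key, val = line.split("=", 1)
            out[key.strip().lower()] = val.strip()
    return out


def parse_smbldap(text):
    """smbldap.conf is shell-like: KEY="value", values may reference ${KEY}."""
    out = {}
    for line in text.splitlines():
        m = re.match(r'^\s*(\w+)\s*=\s*"?([^"#]*)"?', line)
        if m:
            out[m.group(1)] = m.group(2).strip()
    for key, val in list(out.items()):  # expand ${suffix} and friends
        out[key] = re.sub(r"\$\{(\w+)\}", lambda m: out.get(m.group(1), ""), val)
    return out


def check_pdc_config(slapd_text, smb_text, smbldap_text, getlocalsid_output):
    """Return a list of mismatches; an empty list means all sources agree."""
    slapd, smb, sl = parse_slapd(slapd_text), parse_smb(smb_text), parse_smbldap(smbldap_text)
    findings = []
    # 1. One base DN everywhere: slapd's suffix, smb.conf's ldap suffix and
    #    smbldap.conf's suffix (every *dn in that file is derived from it).
    suffixes = {"slapd.conf": slapd.get("suffix"), "smb.conf": smb.get("ldap suffix"),
                "smbldap.conf": sl.get("suffix")}
    if len(set(suffixes.values())) != 1:
        findings.append("base DN mismatch: " + ", ".join(f"{k}={v}" for k, v in suffixes.items()))
    # 2. smbldap-tools must stamp accounts with the SID Samba actually owns,
    #    i.e. the one `net getlocalsid` reports, not one copied from a tutorial.
    m = re.search(r"S-1-5-21-\d+-\d+-\d+", getlocalsid_output)
    local_sid = m.group(0) if m else None
    if sl.get("SID") != local_sid:
        findings.append(f"SID mismatch: smbldap.conf={sl.get('SID')}, net getlocalsid={local_sid}")
    # 3. Domain name and machine-account container must agree with smb.conf.
    if sl.get("sambaDomain") != smb.get("workgroup"):
        findings.append(f"domain mismatch: sambaDomain={sl.get('sambaDomain')}, workgroup={smb.get('workgroup')}")
    expected = f"{smb.get('ldap machine suffix')},{smb.get('ldap suffix')}"
    if sl.get("computersdn") != expected:
        findings.append(f"computersdn mismatch: {sl.get('computersdn')} vs {expected}")
    # 4. The bind DN Samba uses must live under the suffix slapd serves.
    if not smb.get("ldap admin dn", "").endswith(slapd.get("suffix", "")):
        findings.append("ldap admin dn is not under the slapd suffix")
    # 5. Joins run 'add machine script'; it must create a trust account (-w).
    if " -w " not in smb.get("add machine script", ""):
        findings.append("add machine script does not pass -w to smbldap-useradd")
    return findings


if __name__ == "__main__":
    for finding in check_pdc_config(SLAPD_CONF, SMB_CONF, SMBLDAP_CONF, NET_GETLOCALSID):
        print(finding)
```

Run against the constructed fragments it reports two findings, the base DN mismatch and the `computersdn` that inherits it; with the smbldap.conf suffix changed to `dc=vi-lab,dc=net` the list is empty. On a real server you would feed it the actual files and the captured `net getlocalsid` output before running `smbldap-populate`, since accounts created under the wrong suffix or SID are never found by Samba's passdb lookups.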
-- To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
