Re: [Samba] Cannot make Windows join Samba domain
Fixed! In the "add machine script" I replaced the -i argument with -W. Don't know why it does not work with -i (trust machine account). Now the machine fails to join the domain in the first attempt (same error message), but in the second attempt it joins successfully.

The problem now is that the machine cannot list the domain's users/groups without asking for the root credentials, but that's another story.

Thanks,
Célio

On 09/10/2012, at 08:47, Michael Starling wrote:

> Do you have an /etc/ldap.conf or /etc/pam_ldap.conf file?
>
> On Oct 9, 2012, at 7:43 AM, "Celio Cidral Jr" wrote:
>
>> Hi Michael, thanks for the reply.
>>
>> I'm not sure if I have correctly checked the things you asked. I've
>> installed Samba via apt-get, and I had to compile OpenLDAP by hand (I failed
>> miserably trying to make it work from the apt packages). The NSLCD and SSSD
>> packages are not installed, and there is no occurrence of "nslcd" nor "sssd"
>> under the /usr directory. Regarding the scope filter, the only
>> configuration I found (that I think is related to scope) is the following
>> line from the smbldap.conf file:
>>
>> scope="sub"
>>
>> Célio
>>
>> On 08/10/2012, at 23:25, Michael Starling wrote:
>>
>>> I'm curious as to what modules you're using for NSS lookups? SSSD, or NSLCD
>>> and pam_ldap?
>>>
>>> I'd make sure you aren't using scope filters as this has caused me similar
>>> headaches in the past.
>>>
>>> On Oct 8, 2012, at 9:04 PM, "Celio Cidral Jr" wrote:
>>>
>>>> Hi,
>>>>
>>>> I'm having an issue trying to make a Windows machine join a
>>>> Samba domain. Samba is running with LDAP backend (OpenLDAP). When I try
>>>> to join the domain, Windows says that the machine account does not exist.
>>>> The machine account, however, is successfully created in the LDAP
>>>> directory after the join fails. When I try to join again, Windows says
>>>> that the account already exists.
>>>>
>>>> Has anyone here already experienced such a problem? This is a fresh install
>>>> of Samba + OpenLDAP. I already ran smbldap-populate, all initial accounts
>>>> and groups are present in the database.
>>>>
>>>> Some info:
>>>>
>>>> OpenLDAP 2.4.32
>>>> Samba 3.6.3-2ubuntu2.3 (amd64)
>>>>
>>>> smb.conf:
>>>>
>>>> [global]
>>>> workgroup = RTS
>>>> server string = %h
>>>> map to guest = Bad User
>>>> passdb backend = ldapsam:ldap://127.0.0.1
>>>> passwd program = /usr/sbin/smbldap-passwd %u
>>>> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:*
>>>> %n\n *password\supdated\ssuccessfully* .
>>>> syslog = 0
>>>> log file = /var/log/samba/log.%m
>>>> max log size = 1000
>>>> add user script = /root/smbldap-tools-0.9.9/smbldap-useradd.cmd -a %u
>>>> delete user script = /root/smbldap-tools-0.9.9/smbldap-userdel.cmd %u
>>>> add group script = /root/smbldap-tools-0.9.9/smbldap-groupadd.cmd -p %g
>>>> delete group script = /root/smbldap-tools-0.9.9/smbldap-groupdel.cmd %g
>>>> add user to group script = /root/smbldap-tools-0.9.9/smbldap-groupmod.cmd
>>>> -m "%u" "%g"
>>>> delete user from group script =
>>>> /root/smbldap-tools-0.9.9/smbldap-groupmod.cmd -x "%u" "%g"
>>>> set primary group script = /root/smbldap-tools-0.9.9/smbldap-usermod.cmd
>>>> -g "%g" "%u"
>>>> add machine script = /root/smbldap-tools-0.9.9/smbldap-useradd.cmd -i -t 0
>>>> "%u"
>>>> domain logons = Yes
>>>> preferred master = Yes
>>>> domain master = Yes
>>>> wins support = Yes
>>>> ldap admin dn = cn=Manager,dc=rtsbrasil,dc=com,dc=br
>>>> ldap delete dn = Yes
>>>> ldap group suffix = ou=Groups
>>>> ldap idmap suffix = ou=Idmap
>>>> ldap machine suffix = ou=Computers
>>>> ldap passwd sync = yes
>>>> ldap suffix = dc=rtsbrasil,dc=com,dc=br
>>>> ldap ssl = no
>>>> ldap user suffix = ou=Users
>>>> panic ac
Re: [Samba] Cannot make Windows join Samba domain
Hi Michael, thanks for the reply.

I'm not sure if I have correctly checked the things you asked. I've installed Samba via apt-get, and I had to compile OpenLDAP by hand (I failed miserably trying to make it work from the apt packages). The NSLCD and SSSD packages are not installed, and there is no occurrence of "nslcd" nor "sssd" under the /usr directory. Regarding the scope filter, the only configuration I found (that I think is related to scope) is the following line from the smbldap.conf file:

scope="sub"

Célio

On 08/10/2012, at 23:25, Michael Starling wrote:

> I'm curious as to what modules you're using for NSS lookups? SSSD, or NSLCD
> and pam_ldap?
>
> I'd make sure you aren't using scope filters as this has caused me similar
> headaches in the past.
>
> On Oct 8, 2012, at 9:04 PM, "Celio Cidral Jr" wrote:
>
>> Hi,
>>
>> I'm having an issue trying to make a Windows machine join a Samba
>> domain. Samba is running with LDAP backend (OpenLDAP). When I try to join
>> the domain, Windows says that the machine account does not exist. The
>> machine account, however, is successfully created in the LDAP directory
>> after the join fails. When I try to join again, Windows says that the
>> account already exists.
>>
>> Has anyone here already experienced such a problem? This is a fresh install
>> of Samba + OpenLDAP. I already ran smbldap-populate, all initial accounts
>> and groups are present in the database.
>>
>> Some info:
>>
>> OpenLDAP 2.4.32
>> Samba 3.6.3-2ubuntu2.3 (amd64)
>>
>> smb.conf:
>>
>> [global]
>> workgroup = RTS
>> server string = %h
>> map to guest = Bad User
>> passdb backend = ldapsam:ldap://127.0.0.1
>> passwd program = /usr/sbin/smbldap-passwd %u
>> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:*
>> %n\n *password\supdated\ssuccessfully* .
>> syslog = 0
>> log file = /var/log/samba/log.%m
>> max log size = 1000
>> add user script = /root/smbldap-tools-0.9.9/smbldap-useradd.cmd -a %u
>> delete user script = /root/smbldap-tools-0.9.9/smbldap-userdel.cmd %u
>> add group script = /root/smbldap-tools-0.9.9/smbldap-groupadd.cmd -p %g
>> delete group script = /root/smbldap-tools-0.9.9/smbldap-groupdel.cmd %g
>> add user to group script = /root/smbldap-tools-0.9.9/smbldap-groupmod.cmd
>> -m "%u" "%g"
>> delete user from group script =
>> /root/smbldap-tools-0.9.9/smbldap-groupmod.cmd -x "%u" "%g"
>> set primary group script = /root/smbldap-tools-0.9.9/smbldap-usermod.cmd -g
>> "%g" "%u"
>> add machine script = /root/smbldap-tools-0.9.9/smbldap-useradd.cmd -i -t 0
>> "%u"
>> domain logons = Yes
>> preferred master = Yes
>> domain master = Yes
>> wins support = Yes
>> ldap admin dn = cn=Manager,dc=rtsbrasil,dc=com,dc=br
>> ldap delete dn = Yes
>> ldap group suffix = ou=Groups
>> ldap idmap suffix = ou=Idmap
>> ldap machine suffix = ou=Computers
>> ldap passwd sync = yes
>> ldap suffix = dc=rtsbrasil,dc=com,dc=br
>> ldap ssl = no
>> ldap user suffix = ou=Users
>> panic action = /usr/share/samba/panic-action %d
>> idmap config * : backend = tdb
>>
>> smbldap.conf:
>>
>> SID="S-1-5-21-2940977410-1091208426-162815782"
>> sambaDomain="RTS"
>> masterLDAP="localhost"
>> masterPort="389"
>> ldapTLS="0"
>> ldapSSL="0"
>> verify="none"
>> cafile="/etc/ssl/certs/cacert.pem"
>> suffix="dc=rtsbrasil,dc=com,dc=br"
>> usersdn="ou=Users,${suffix}"
>> computersdn="ou=Computers,${suffix}"
>> groupsdn="ou=Groups,${suffix}"
>> idmapdn="ou=Idmap,${suffix}"
>> sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
>> scope="sub"
>> hash_encrypt="SSHA"
>> crypt_salt_format="%s"
>> userLoginShell="/bin/bash"
>> userHome="/home/%U"
>> userHomeDirectoryMode="700"
>> userGecos="System User"
>> defaultUserGid="513"
>> defaultComputerGid="515"
>> skeletonDir="/etc/skel"
>> defaultMaxPasswordAge="45"
>> userSmbHome="\\D0-SMBDOM\%U"
>> userProfile="\\D0-SMBDOM\profiles\%U"
[Samba] Cannot make Windows join Samba domain
Hi,

I'm having an issue trying to make a Windows machine join a Samba domain. Samba is running with LDAP backend (OpenLDAP). When I try to join the domain, Windows says that the machine account does not exist. The machine account, however, is successfully created in the LDAP directory after the join fails. When I try to join again, Windows says that the account already exists.

Has anyone here already experienced such a problem? This is a fresh install of Samba + OpenLDAP. I already ran smbldap-populate, all initial accounts and groups are present in the database.

Some info:

OpenLDAP 2.4.32
Samba 3.6.3-2ubuntu2.3 (amd64)

smb.conf:

[global]
workgroup = RTS
server string = %h
map to guest = Bad User
passdb backend = ldapsam:ldap://127.0.0.1
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
add user script = /root/smbldap-tools-0.9.9/smbldap-useradd.cmd -a %u
delete user script = /root/smbldap-tools-0.9.9/smbldap-userdel.cmd %u
add group script = /root/smbldap-tools-0.9.9/smbldap-groupadd.cmd -p %g
delete group script = /root/smbldap-tools-0.9.9/smbldap-groupdel.cmd %g
add user to group script = /root/smbldap-tools-0.9.9/smbldap-groupmod.cmd -m "%u" "%g"
delete user from group script = /root/smbldap-tools-0.9.9/smbldap-groupmod.cmd -x "%u" "%g"
set primary group script = /root/smbldap-tools-0.9.9/smbldap-usermod.cmd -g "%g" "%u"
add machine script = /root/smbldap-tools-0.9.9/smbldap-useradd.cmd -i -t 0 "%u"
domain logons = Yes
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=Manager,dc=rtsbrasil,dc=com,dc=br
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap passwd sync = yes
ldap suffix = dc=rtsbrasil,dc=com,dc=br
ldap ssl = no
ldap user suffix = ou=Users
panic action = /usr/share/samba/panic-action %d
idmap config * : backend = tdb

smbldap.conf:

SID="S-1-5-21-2940977410-1091208426-162815782"
sambaDomain="RTS"
masterLDAP="localhost"
masterPort="389"
ldapTLS="0"
ldapSSL="0"
verify="none"
cafile="/etc/ssl/certs/cacert.pem"
suffix="dc=rtsbrasil,dc=com,dc=br"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome="\\D0-SMBDOM\%U"
userProfile="\\D0-SMBDOM\profiles\%U"
userHomeDrive="H:"
userScript="logon.bat"
mailDomain="itfor.it"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

samba's log:

[2012/10/08 21:54:37.044857, 0] rpc_server/srv_pipe.c:1254(api_pipe_bind_auth3)
  Auth failed (NT_STATUS_NO_SUCH_USER)
[2012/10/08 21:54:37.115070, 0] rpc_server/netlogon/srv_netlog_nt.c:931(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: no challenge sent to client PROJETOS
[2012/10/08 21:54:37.146424, 0] rpc_server/srv_pipe.c:1254(api_pipe_bind_auth3)
  Auth failed (NT_STATUS_NO_SUCH_USER)
Use of qw(...) as parentheses is deprecated at /usr/share/perl5/smbldap_tools.pm line 1423, line 522.
Use of uninitialized value $pass in string ne at /root/smbldap-tools-0.9.9/smbldap-useradd.cmd line 349.
Use of uninitialized value $pass2 in string ne at /root/smbldap-tools-0.9.9/smbldap-useradd.cmd line 349.

slapd's log:

Oct 8 21:54:29 sambaserver slapd[2572]: conn=1000 op=315 SRCH base="" scope=2 deref=0 filter="(objectClass=sambaTrustedDomainPassword)"
Oct 8 21:54:29 sambaserver slapd[2572]: conn=1000 op=315 SRCH attr=sambaDomainName sambaSID
Oct 8 21:54:29 sambaserver slapd[2572]: conn=1000 op=315 SEARCH RESULT tag=101 err=32 nentries=0 text=
Oct 8 21:54:37 sambaserver slapd[2572]: conn=1115 fd=25 ACCEPT from IP=127.0.0.1:60893 (IP=0.0.0.0:389)
Oct 8 21:54:37 sambaserver slapd[2572]: conn=1115 op=0 BIND dn="cn=Manager,dc=rtsbrasil,dc=com,dc=br" method=128
Oct 8 21:54:37 sambaserver slapd[2572]: conn=1115 op=0 BIND dn="cn=Manager,dc=rtsbrasil,dc=com,dc=br" mech=SIMPLE ssf=0
Oct 8 21:54:37 sambaserver slapd[2572]: conn=1115 op=0 RESULT tag=97 err=0 text=
Oct 8 21:54:37 sambaserver slapd[2572]: conn=1115 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Oct 8 21:54:37 sambaserver slapd[2572]: conn=1115 op=1 SRCH attr=supportedControl
Oct 8 21:54:37 sambaserver slapd[2572]: conn=1115 op=