Re: [Samba] Unable to join new machines to the domain

2007-06-19 Thread Sandra
I have a samba server configured that is the domain controller of a samba 
domain called PRODESAN.COM.BR. After we had to reinstall the domain 
controller, we are currently unable to join any new machines to the domain. 
Whenever I try to join the domain I get this message on the clients: 

# net join -U root
root's password:
[2007/06/19 14:27:41, 0] utils/net_ads.c:ads_startup(191)
  ads_connect: No results returned
Creation of workstation account failed
Unable to join domain PRODESAN.COM.BR.

On the PDC side I get this: 

[2007/06/19 14:25:27, 2] lib/smbldap.c:smbldap_open_connection(788)
  smbldap_open_connection: connection opened
[2007/06/19 14:25:27, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
  init_sam_from_ldap: Entry found for user: root
[2007/06/19 14:25:27, 2] passdb/pdb_ldap.c:init_group_from_ldap(2140)
  init_group_from_ldap: Entry found for group: 513
[2007/06/19 14:25:27, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [root] - [root] - [root] succeeded
[2007/06/19 14:25:27, 2] passdb/pdb_ldap.c:init_sam_from_ldap(541)
  init_sam_from_ldap: Entry found for user: root
[2007/06/19 14:25:27, 2] smbd/reply.c:reply_tcon_and_X(711)
  Serving IPC$ as a Dfs root
[2007/06/19 14:25:28, 0] passdb/pdb_interface.c:pdb_default_create_user(368)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w servproducao$' gave 9

On my LDAP backend I have this entry: 

gidNumber                1058
objectClass              sambaDomain
objectClass              sambaUnixIdPool
sambaAlgorithmicRidBase  1000
sambaDomainName          prodesan.com.br
sambaNextGroupRid        41001
sambaNextUserRid         41000
sambaSID                 S-1-5-21-3756370324-611414431-635963119
uidNumber                1519

The sambaSID is the same as it was before the migration. Do I need to set 
this SID somewhere else? 

-- 
This message has been scanned by the antivirus system and
 is believed to be free of danger.

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] Unable to join new machines to the domain

2007-06-19 Thread Chris Smith
On Tuesday 19 June 2007, Sandra wrote:
> [2007/06/19 14:27:41, 0] utils/net_ads.c:ads_startup(191)
>   ads_connect: No results returned
> Creation of workstation account failed
> Unable to join domain PRODESAN.COM.BR.

Correct me if I'm wrong as I have no experience with LDAP setups but AFAIK 
Samba domains are NetBIOS domains which are flat, not hierarchical. If so 
your domain name should be something more like PRODESAN and not 
PRODESAN.COM.BR.

Also you didn't post your smb.conf but I'm curious about the use of 
ads_connect, which seems like you're trying to work with an AD domain instead 
of a NetBIOS (Samba) domain. So I'm wondering if you have something other 
than security - user in the PDC's smb.conf and security - domain in the 
member server's smb.conf.

Chris


Re: [Samba] Unable to join new machines to the domain

2007-06-19 Thread Sandra
Here is the PDC's smb.conf:

[global]
netbios name = servsso
workgroup = prodesan.com.br
log file = /var/log/samba/%m.log
max log size = 500
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*successfully*
smb passwd file = /etc/samba/smbpasswd
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

domain logons = yes
os level = 180
preferred master = yes
domain master = yes
security = user
guest ok = no
invalid users = bin daemon sys man postfix mail ftp
admin users = root
encrypt passwords = yes
logon script = scripts\logon.bat
ldap ssl = no
printing = lprng
hide dot files = yes
time server = yes
log level = 2

passdb backend = ldapsam:ldap://127.0.0.1
ldap passwd sync = yes
ldap delete dn = Yes
ldap admin dn = cn=admin,dc=prodesan,dc=com,dc=br
ldap suffix = dc=prodesan,dc=com,dc=br
ldap machine suffix = ou=computadores
ldap user suffix = ou=pessoas
ldap group suffix = ou=grupos
ldap idmap suffix = ou=Idmap
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 1-2
idmap gid = 1-2
winbind separator = \
winbind enum users = yes
winbind enum groups = yes

add user script = /usr/sbin/smbldap-useradd -m %u
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %u

And here is the member server's smb.conf:

[global] 
workgroup = prodesan.com.br
realm = PRODESAN.COM.BR
preferred master = no 
netbios name  = Servproducao
server string = Servproducao
security = domain 
encrypt passwords = true
log level = 3 
log file = /var/log/samba/%m 
max log size = 50 
winbind separator = + 
printcap name = cups 
printing = cups 
idmap uid = 1-2 
idmap gid = 1-2 

passdb backend = ldapsam:ldap://192.168.131.104
ldap passwd sync = yes
ldap delete dn = Yes
ldap admin dn = cn=admin,dc=prodesan,dc=com,dc=br
ldap suffix = dc=prodesan,dc=com,dc=br
ldap machine suffix = ou=computadores
ldap user suffix = ou=pessoas
ldap group suffix = ou=grupos
ldap idmap suffix = ou=Idmap
idmap backend = ldap:ldap://192.168.131.104
idmap uid = 1-2
idmap gid = 1-2
winbind separator = \
winbind enum users = yes
winbind enum groups = yes

add user script = /usr/sbin/smbldap-useradd -m %u
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u
add machine script = /usr/sbin/smbldap-useradd -w %u

On Tue, 19 Jun 2007 14:18:58 -0400, Chris Smith wrote:
> On Tuesday 19 June 2007, Sandra wrote:
>> [2007/06/19 14:27:41, 0] utils/net_ads.c:ads_startup(191)
>>   ads_connect: No results returned
>> Creation of workstation account failed
>> Unable to join domain PRODESAN.COM.BR.
>
> Correct me if I'm wrong as I have no experience with ldap setups but 
> AFAIK Samba domains are NetBIOS domains which are flat, not 
> hierarchical. If so your domain name should be something more like 
> PRODESAN and not PRODESAN.COM.BR.
>
> Also you didn't post your smb.conf but I'm curious about the use of 
> ads_connect, which seems like you're trying to work with an AD 
> domain instead of a NetBIOS (Samba) domain. So I'm wondering if you 
> have something other than security - user in the PDC's smb.conf 
> and security - domain in the member servers smb.conf.
>
> Chris

Sandra Nascimento
Support Analyst
[EMAIL PROTECTED]
(13)3229.8000 ext. 135/176
--
Prefeitura Municipal de Santos (http://www.santos.sp.gov.br)




Re: [Samba] Unable to join new machines to the domain

2007-06-19 Thread Chris Smith
On Tuesday 19 June 2007, Sandra wrote:
> workgroup   = prodesan.com.br

I thought this should read:

workgroup = PRODESAN

...in both smb.conf files.

But apparently it is OK as is, and I can't seem to find any docs that support 
my thought. prodesan.com.br does meet the max 15 character limit and 
apparently .'s are an allowed character in NetBIOS names (although I 
personally never use them). It also seems, in general, that NetBIOS names are 
by convention capitalized in the smb.conf file.

Sorry to lead you down a false trail.

Chris
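
Added example, not part of the original thread and not Samba code: a small Python check of the points raised in the replies above (the 15-character limit, the upper-case convention, security = user on the PDC and security = domain on the member, and the AD question prompted by ads_connect). The function names, finding codes and the trimmed config excerpts are constructed for illustration.

```python
import re
NETBIOS_MAX = 15  # character limit cited in the thread
# Constructed excerpts: only the relevant lines of the two posted smb.conf files.
PDC_CONF = """[global]
workgroup = prodesan.com.br
security = user
"""
MEMBER_CONF = """[global]
workgroup = prodesan.com.br
realm = PRODESAN.COM.BR
security = domain
"""

def parse_global(text):
    """Return the [global] parameters as a dict (last setting wins)."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            params["".join(name.lower().split())] = value.strip()
    return params

def audit(pdc_text, member_text):
    """Return (role, code, detail) findings for the points raised in the thread."""
    confs = {"pdc": parse_global(pdc_text), "member": parse_global(member_text)}
    findings = []
    for role, want in (("pdc", "user"), ("member", "domain")):
        conf = confs[role]
        wg = conf.get("workgroup", "")
        sec = conf.get("security", "").lower()
        if len(wg) > NETBIOS_MAX:
            findings.append((role, "workgroup-too-long", f"{wg!r}: {len(wg)} chars"))
        if wg != wg.upper():
            findings.append((role, "workgroup-not-uppercase", f"{wg!r} (convention only)"))
        if sec != want:
            findings.append((role, "unexpected-security", sec or "(unset)"))
        if "realm" in conf and sec != "ads":
            # realm is the Kerberos realm setting that goes with security = ads
            findings.append((role, "realm-without-ads", conf["realm"]))
    if confs["pdc"].get("workgroup", "").upper() != confs["member"].get("workgroup", "").upper():
        findings.append(("both", "workgroup-mismatch", "PDC and member differ"))
    return findings
```

Calling audit(PDC_CONF, MEMBER_CONF) on the excerpts reports the lower-case workgroup on both hosts and the realm setting on the member; the workgroup length itself passes at exactly 15 characters.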
