[Samba] Cannot join domain: The user name could not be found
Hello! I'm trying to join a Windows XP (64-bit version) machine to a Samba 3.0.21a domain via smbldap-tools 0.9.1 on FreeBSD 6.0-RELEASE-p4, and I'm continually getting the message "The user name could not be found." I am attempting to join using members of the Domain Admins group (mapped to Unix group 515), and I'm noticing in the logs (below) that even though the machine successfully authenticates as that user, it tries the domain Administrator account anyhow. When attempting to join using the domain Administrator account, it fails with the same error. I have included my smb.conf and smbtools.conf below as well, and would greatly appreciate any assistance that I could get with this. Thanks!

-- 
Anthony Chavez
http://anthonychavez.org/
mailto:[EMAIL PROTECTED]
jabber:[EMAIL PROTECTED]

--8---cut here---start-8---
[2006/03/06 14:49:45, 2] lib/smbldap.c:smbldap_open_connection(722)
  smbldap_open_connection: connection opened
[2006/03/06 14:49:45, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: acc
[2006/03/06 14:49:45, 2] passdb/pdb_ldap.c:init_group_from_ldap(2199)
  init_group_from_ldap: Entry found for group: 512
[2006/03/06 14:49:45, 2] passdb/pdb_ldap.c:init_group_from_ldap(2199)
  init_group_from_ldap: Entry found for group: 544
[2006/03/06 14:49:45, 2] auth/auth.c:check_ntlm_password(307)
  check_ntlm_password: authentication for user [acc] - [acc] - [acc] succeeded
[2006/03/06 14:49:45, 0] lib/debug.c:reopen_logs(597)
  Unable to open new log file /var/log/samba/log.myhost: Permission denied
[2006/03/06 14:49:45, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: Administrator
[2006/03/06 14:49:45, 2] auth/auth.c:check_ntlm_password(307)
  check_ntlm_password: authentication for user [Administrator] - [Administrator] - [Administrator] succeeded
[2006/03/06 14:49:45, 2] smbd/server.c:exit_server(614)
  Closing connections
[2006/03/06 14:49:45, 2] lib/smbldap.c:smbldap_open_connection(722)
  smbldap_open_connection: connection opened
[2006/03/06 14:49:45, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: acc
[2006/03/06 14:49:45, 2] passdb/pdb_ldap.c:init_group_from_ldap(2199)
  init_group_from_ldap: Entry found for group: 512
[2006/03/06 14:49:45, 2] passdb/pdb_ldap.c:init_group_from_ldap(2199)
  init_group_from_ldap: Entry found for group: 544
[2006/03/06 14:49:45, 2] auth/auth.c:check_ntlm_password(307)
  check_ntlm_password: authentication for user [acc] - [acc] - [acc] succeeded
[2006/03/06 14:49:45, 0] lib/debug.c:reopen_logs(597)
  Unable to open new log file /var/log/samba/log.myhost: Permission denied
[2006/03/06 14:49:45, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: Administrator
[2006/03/06 14:49:45, 2] auth/auth.c:check_ntlm_password(307)
  check_ntlm_password: authentication for user [Administrator] - [Administrator] - [Administrator] succeeded
[2006/03/06 14:49:45, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2610)
  Returning domain sid for domain MYDOMAIN - S-MYSID
[2006/03/06 14:49:46, 2] smbd/server.c:exit_server(614)
  Closing connections
--8---cut here---end---8---

--8---cut here---start-8---
# Global parameters
[global]
    workgroup = MYDOMAIN
    server string = MYDOMAIN Master Server
    interfaces = lo0, fxp0
    bind interfaces only = Yes
    socket options = TCP_NODELAY
    log level = 2
    log file = /var/log/samba/log.%m
    max log size = 50
    logon drive = Z:
    logon home = \\%N\%U
    logon path = \\%N\profiles\%U
    logon script = %U.bat
    domain logons = Yes
    wins support = Yes
    os level = 34
    time server = Yes
    printing = cups
    printcap name = cups
    show add printer wizard = No
    idmap backend = ldap:ldapi://%2fvar%2frun%2fopenldap%2fldapi/
    idmap uid = 64512-65532
    idmap gid = 64512-65532
    ### winbind nested groups = Yes
    ### winbind use default domain = Yes
    enable privileges = Yes
    template homedir = /home/%U
    template shell = /usr/sbin/nologin
    passdb backend = ldapsam:ldapi://%2fvar%2frun%2fopenldap%2fldapi/
    ldap passwd sync = Yes
    ldap suffix = dc=mydomain,dc=com
    ldap machine suffix = ou=Users
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=Manager,dc=mydomain,dc=com
    ldap timeout = 5
    add user script = /usr/local/sbin/smbldap-useradd -m %u
    delete user script = /usr/local/sbin/smbldap-userdel %u
    add group script = /usr/local/sbin/smbldap-groupadd -p %g
    delete group script = /usr/local/sbin/smbldap-groupdel %g
    add user
[Samba] Re: Renaming a PDC hostname/domain remotely
On Sat, 16 Jul 2005 16:28:46 -0600 John H Terpstra [EMAIL PROTECTED] wrote:

> See the book: Samba-3 by Example, Chapter 8.

Got it, read it. Yet again, it clarified a lot for me. Thanks.

> If this information is not sufficient please email me.

I wouldn't go so far as to say that it is insufficient. The Samba documentation has been quite informative. Through it, I have reached an understanding of SMB/NetBIOS protocols that I never thought possible. So I, for one, very much appreciate the level of depth that it reaches. More to the point, I think that it simply does not touch on my problem (described in more depth below).

On Sat, 16 Jul 2005 17:16:04 -0600 John H Terpstra [EMAIL PROTECTED] wrote:

> Yes. The Samba domain SID is derived from the workgroup (domain) name.

... as detailed in paragraph 6 of the "Security Identifiers (SIDs)" subsection of "Cautions and Notes" in the aforementioned chapter:

    The SID is generated in a nondeterminative manner. This means that each time it is generated for a particular combination of machine name (hostname) and domain name (workgroup), it will be different.

Thanks again.

> Workstations only care about the domain SID. The document I pointed you towards explains in detail how to migrate systems, and/or change the domain name.

This is somewhat confusing. Under the "Change of hostname" subsection of "Cautions and Notes", it clearly states that if a PDC's hostname changes, the domain SID will also change. However, in the paragraph just above that subsection, it states that the profiles utility could be used to remedy non-functional roaming profiles in the event that the domain SID were changed. So, according to the Samba documentation, if I were to change both the hostname and domain name of my PDC, I would wind up with a new domain SID, but my roaming profiles could be repaired to work under this new domain.

But based on my experiences with NetBIOS domains, I expect to have to re-join every machine to that new domain. So what I'm really after are tools that could assist in re-joining these workstations to their new domain. In this particular instance, I will need to do everything remotely. VNC is a definite possibility, but rather than doing this with each workstation individually, I would much rather automate the process.

Thanks for the pointers and the very well-written documentation. Keep up the good work, John.

-- 
Anthony Chavez
http://anthonychavez.org/
mailto:[EMAIL PROTECTED]
jabber:[EMAIL PROTECTED]

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: Renaming a PDC hostname/domain remotely
On Mon, 18 Jul 2005 08:34:26 -0600 John H Terpstra [EMAIL PROTECTED] wrote:

> On Monday 18 July 2005 00:52, you wrote:
>
>> So what I'm really after are tools that could assist in re-joining these workstations to their new domain. In this particular instance, I will need to do everything remotely. VNC is a definite possibility, but rather than doing this with each workstation individually, I would much rather automate the process.
>
> The solution is VERY simple! Before you change the hostname and the domain name, save the domain SID. Then change both as you wish, finally, restore the SID. Done! No other changes are necessary and your domain members are still members - no need to re-join the domain.

I see, so workstations will use the domain SID when communicating with the PDC, and the PDC will not verify that with its configured (hostname, domain name) from which the SID was generated? This is good news! Thank you yet again!

-- 
Anthony Chavez
http://anthonychavez.org/
mailto:[EMAIL PROTECTED]
jabber:[EMAIL PROTECTED]
[Samba] Renaming a PDC hostname/domain remotely
Assuming they exist, could someone point me to any resources that could assist me in renaming a Samba PDC's hostname and the domain it serves remotely *without* forcing the client workstations to have to manually re-join?

If such things do not exist, 1) what effects should I expect in undertaking such an action, and 2) is there a standard procedure for the steps that I should take on the workstations to make the effort go as smoothly as possible?

Thanks!

-- 
Anthony Chavez
http://anthonychavez.org/
mailto:[EMAIL PROTECTED]
jabber:[EMAIL PROTECTED]
[Samba] Re: Renaming a PDC hostname/domain remotely
On Sat, 16 Jul 2005 14:15:55 -0600 Anthony Chavez [EMAIL PROTECTED] wrote:

> Assuming they exist, could someone point me to any resources that could assist me in renaming a Samba PDC's hostname and the domain it serves remotely *without* forcing the client workstations to have to manually re-join?

Along those lines, does Samba generate a domain SID based on the name of that domain? Or could I rename the domain by manually changing the name but retaining the SID? And if I'm using passdb backend = tdbsam, in which files would I need to do this?

> If such things do not exist, 1) what effects should I expect in undertaking such an action, and 2) is there a standard procedure for the steps that I should take on the workstations to make the effort go as smoothly as possible?

Thanks again!

-- 
Anthony Chavez
http://anthonychavez.org/
mailto:[EMAIL PROTECTED]
jabber:[EMAIL PROTECTED]
[Samba] Samba + LDAP slave
I just came across the following in the Samba HOWTO:

    It is important that all LDAP IDMAP clients use only the master LDAP server because the idmap backend facility in the smb.conf file does not correctly handle LDAP redirects.

It's found in Chapter 13, section "Samba Server Deployment Types and IDMAP", subsection "Domain Member Server or Domain Member client", underneath the "Winbind with an NSS/LDAP backend-based IDMAP facility" header---[1] is close by.

Is this statement current? I seem to recall reading that configuring a BDC to talk to an LDAP slave was entirely possible.

Thanks!

[1] http://us4.samba.org/samba/docs/man/Samba-HOWTO-Collection/idmapper.html#id2584963

-- 
Anthony Chavez
http://anthonychavez.org/
mailto:[EMAIL PROTECTED]
jabber:[EMAIL PROTECTED]
[Samba] Re: Renamed PDC, now user profiles don't work
I don't mean to be a pest, but I felt that I should reiterate my questions again because I feel that it is an issue that recurs enough to warrant inclusion in the HOWTO (or is it there and I'm just not seeing it?). And I'd like to re-emphasize that I'm offering to patch it. ;-)

On Tue, 04 May 2004 10:24:05 -0600 Anthony Chavez [EMAIL PROTECTED] wrote:

> On Tue, 04 May 2004 13:58:25 +1000 Andrew Bartlett [EMAIL PROTECTED] wrote:
>
>> On Tue, 2004-05-04 at 11:46, Anthony Chavez wrote:
>>
>>> On Mon, 03 May 2004 19:19:41 -0600 Anthony Chavez [EMAIL PROTECTED] wrote:
>>>
>>>> I just changed the NetBIOS name of my PDC (*not* the name of the domain) and now the security properties of the domain user profile on my Win2kSP4 workstation show S-1-5-21-... as the user rather than the username.
>>>
>>> It turned out that this particular machine had a very shaky network connection. Please disregard my post. ;-)
>>
>> However, as a warning to others - this can happen. There was an issue (and it still happens for domain members, for their 'local' users) where if you rename a Samba machine, it can regenerate the local SAM sid. On a PDC, this is also the domain SID.
>
> After I had replaced the cable, I discovered that the problem was that the user was assigned a new SID after all. Fortunately, the affected user stated that trashing the local profile was an option, so I just deleted the local copy and had the workstation snarf a fresh one off the server.
>
> A few questions, however:
>
> 1) Is a patch for this issue desirable? Do we *want* users to retain their SIDs after a machine gets a new name? My initial response would be yes, but I don't consider myself a M$ administration guru.
>
> 2a) What would be the proper procedure to follow in renaming a PDC?
>
> 2b) During a discussion on IRC, it was suggested (after I had already mucked about a bit and brought about the error in the first place) that I configure my new server name in the "netbios name" parameter and my old one in the "netbios aliases" parameter. I wasn't told that this would actually fix the problem, but I was given the impression that if I were to do that first, then disjoin and rejoin my workstations to the domain, it might. Would it?
>
> 3) When I've got multiple workstations involved, one of my biggest concerns is that any changes that happen to the local profile during the name change get propagated to the server. Is this going to have to be done by hand if the SIDs change and the workstation doesn't reassociate the server UID with the new SID?
>
> P.S.: I know what an SID is. No, really. ;-)
>
> P.P.S.: Sorry for not mentioning this in my first post (I'm usually really good about doing so), but FWIW, I'm running 2.2.8a on FreeBSD 4.9-STABLE. I also apologize for not posting my smb.conf---I usually do that as well. I was in a bit of a hurry at the time.

-- 
Anthony Chavez
http://www.anthonychavez.org/
mailto:[EMAIL PROTECTED]
jabber:[EMAIL PROTECTED]
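The SID-preserving rename that John Terpstra describes in the 2005 thread above (save the domain SID, rename hostname and workgroup, restore the SID) is also the answer to question 2a in this thread. The script below is an added example of that procedure; it is not code from the posts or from the Samba project. It assumes a Samba 3.x net(8) with the getlocalsid/setlocalsid subcommands in the PATH (check "net help" on your version), that on a PDC "net getlocalsid" prints the domain SID as "SID for domain NAME is: S-1-5-21-..." (on a PDC the local SAM SID is the domain SID, as Andrew Bartlett notes above), an smb.conf at /usr/local/etc/smb.conf and a backup file at /root/domain-sid.txt (both hypothetical defaults, overridable through SMB_CONF and SID_BACKUP), and that it runs as root with smbd and nmbd stopped while the SID is written back.

```sh
#!/bin/sh
# Added example (not from the original posts or from Samba itself):
# preserve the Samba 3 domain SID across a PDC hostname/workgroup rename,
# following the reply above: save the SID, rename, restore the SID.
#
# Assumptions (hypothetical defaults, override through the environment):
#   - Samba 3.x net(8) in PATH with getlocalsid/setlocalsid
#   - smb.conf at /usr/local/etc/smb.conf, SID backup at /root/domain-sid.txt
#   - run as root, with smbd/nmbd stopped while the SID is restored

SMB_CONF="${SMB_CONF:-/usr/local/etc/smb.conf}"
SID_BACKUP="${SID_BACKUP:-/root/domain-sid.txt}"

# True if $1 is an NT domain SID: S-1-5-21 plus exactly three numeric
# sub-authorities. Rejects well-known SIDs such as S-1-5-32-544 (BUILTIN).
is_domain_sid() {
    case "$1" in
        S-1-5-21-*) ;;
        *) return 1 ;;
    esac
    rest="${1#S-1-5-21-}"
    printf '%s\n' "$rest" | grep -Eq '^[0-9]{1,10}-[0-9]{1,10}-[0-9]{1,10}$'
}

# Pull the SID out of `net getlocalsid` output, which reads
#   SID for domain MYDOMAIN is: S-1-5-21-1234567890-987654321-123456789
# Prints the SID on stdout; fails if the line is absent or not a domain SID.
parse_getlocalsid() {
    sid=$(printf '%s\n' "$1" | sed -n 's/^SID for domain .* is: \(S-[0-9-]*\)[[:space:]]*$/\1/p')
    [ -n "$sid" ] && is_domain_sid "$sid" || return 1
    printf '%s\n' "$sid"
}

# Step 1: before editing "netbios name" / "workgroup", record the current SID.
save_sid() {
    out=$(net -s "$SMB_CONF" getlocalsid) || return 1
    sid=$(parse_getlocalsid "$out") || { echo "cannot parse SID from: $out" >&2; return 1; }
    umask 077
    printf '%s\n' "$sid" > "$SID_BACKUP"
    echo "saved $sid to $SID_BACKUP"
}

# Step 3: after the rename, write the saved SID back and verify it took.
restore_sid() {
    sid=$(cat "$SID_BACKUP") || return 1
    is_domain_sid "$sid" || { echo "$SID_BACKUP does not hold a domain SID" >&2; return 1; }
    net -s "$SMB_CONF" setlocalsid "$sid" || return 1
    now=$(parse_getlocalsid "$(net -s "$SMB_CONF" getlocalsid)") || return 1
    [ "$now" = "$sid" ] || { echo "SID mismatch after restore: $now" >&2; return 1; }
    echo "restored $sid"
}

case "${1:-}" in
    save)    save_sid ;;
    restore) restore_sid ;;
    *)       echo "usage: $0 save|restore" >&2 ;;
esac
```

Run "save" while the old name is still in smb.conf, stop the daemons, change "netbios name" and "workgroup", run "restore", then start smbd and nmbd again. The parse step refuses anything that is not a S-1-5-21 domain SID, so a BUILTIN or well-known SID in the backup file cannot be written over the domain SID by mistake.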
[Samba] Re: Renamed PDC, now user profiles don't work
On Tue, 04 May 2004 13:58:25 +1000 Andrew Bartlett [EMAIL PROTECTED] wrote:

> On Tue, 2004-05-04 at 11:46, Anthony Chavez wrote:
>
>> On Mon, 03 May 2004 19:19:41 -0600 Anthony Chavez [EMAIL PROTECTED] wrote:
>>
>>> I just changed the NetBIOS name of my PDC (*not* the name of the domain) and now the security properties of the domain user profile on my Win2kSP4 workstation show S-1-5-21-... as the user rather than the username.
>>
>> It turned out that this particular machine had a very shaky network connection. Please disregard my post. ;-)
>
> However, as a warning to others - this can happen. There was an issue (and it still happens for domain members, for their 'local' users) where if you rename a Samba machine, it can regenerate the local SAM sid. On a PDC, this is also the domain SID.

After I had replaced the cable, I discovered that the problem was that the user was assigned a new SID after all. Fortunately, the affected user stated that trashing the local profile was an option, so I just deleted the local copy and had the workstation snarf a fresh one off the server.

A few questions, however:

1) Is a patch for this issue desirable? Do we *want* users to retain their SIDs after a machine gets a new name? My initial response would be yes, but I don't consider myself a M$ administration guru.

2a) What would be the proper procedure to follow in renaming a PDC?

2b) During a discussion on IRC, it was suggested (after I had already mucked about a bit and brought about the error in the first place) that I configure my new server name in the "netbios name" parameter and my old one in the "netbios aliases" parameter. I wasn't told that this would actually fix the problem, but I was given the impression that if I were to do that first, then disjoin and rejoin my workstations to the domain, it might. Would it?

3) When I've got multiple workstations involved, one of my biggest concerns is that any changes that happen to the local profile during the name change get propagated to the server. Is this going to have to be done by hand if the SIDs change and the workstation doesn't reassociate the server UID with the new SID?

P.S.: I know what an SID is. No, really. ;-)

P.P.S.: Sorry for not mentioning this in my first post (I'm usually really good about doing so), but FWIW, I'm running 2.2.8a on FreeBSD 4.9-STABLE. I also apologize for not posting my smb.conf---I usually do that as well. I was in a bit of a hurry at the time.

-- 
Anthony Chavez
http://www.anthonychavez.org/
mailto:[EMAIL PROTECTED]
jabber:[EMAIL PROTECTED]
[Samba] Renamed PDC, now user profiles don't work
I just changed the NetBIOS name of my PDC (*not* the name of the domain) and now the security properties of the domain user profile on my Win2kSP4 workstation show S-1-5-21-... as the user rather than the username. Also, System Properties|User Profiles shows that the account has been switched to a local profile and has been *deleted.* Worse yet, I've tried disjoining and re-joining the domain repeatedly, with and without NetBIOS aliases, to no avail.

Help?

-- 
Anthony Chavez
http://www.anthonychavez.org/
mailto:[EMAIL PROTECTED]
jabber:[EMAIL PROTECTED]
[Samba] Re: Renamed PDC, now user profiles don't work
On Mon, 03 May 2004 19:19:41 -0600 Anthony Chavez [EMAIL PROTECTED] wrote:

> I just changed the NetBIOS name of my PDC (*not* the name of the domain) and now the security properties of the domain user profile on my Win2kSP4 workstation show S-1-5-21-... as the user rather than the username.

It turned out that this particular machine had a very shaky network connection. Please disregard my post. ;-)

-- 
Anthony Chavez
http://www.anthonychavez.org/
mailto:[EMAIL PROTECTED]
jabber:[EMAIL PROTECTED]