Re: [Samba] Cannot make Windows join Samba domain

2012-10-09 Thread Celio Cidral Jr
Fixed!

In the "add machine script" I replaced the -i argument with -W.  Don't know why 
it does not work with -i (trust machine account).  Now the machine fails to 
join the domain in the first attempt (same error message), but in the second 
attempt it joins successfully.

The problem now is that the machine cannot list the domain's users/groups 
without asking for the root credentials, but that's another story.

Thanks,

Célio.

On 09/10/2012, at 08:47, Michael Starling wrote:

> Do you have an /etc/ldap.conf or /etc/pam_ldap.conf file?
> 
> 
> 
> On Oct 9, 2012, at 7:43 AM, "Celio Cidral Jr"  wrote:
> 
>> Hi Michael, thanks for the reply.
>> 
>> I'm not sure if I have correctly checked the things you asked.  I've 
>> installed Samba via apt-get, and I had to compile OpenLDAP by hand (I failed 
>> miserably trying to make it work from the apt packages).  The NSLCD and SSSD 
>> packages are not installed, and there is no occurrence of "nslcd" nor "sssd" 
>> under the /usr directory.  Regarding the scope filter, the only 
>> configuration I found (that I think is related to scope) is the following 
>> line from the smbldap.conf file:
>> 
>> scope="sub"
>> 
>> 
>> Célio
>> 
>> On 08/10/2012, at 23:25, Michael Starling wrote:
>> 
>> 
>>> I'm curious as to what modules you're using for NSS lookups? SSSD, or NSLCD 
>>> and pam_ldap?
>>> 
>>> I'd make sure you aren't using scope filters as this has caused me similar 
>>> headaches in the past.
>>> 
>>> 
>>> 
>>> On Oct 8, 2012, at 9:04 PM, "Celio Cidral Jr"  wrote:
>>> 
>>>> Hi,
>>>> 
>>>> I'm having an issue trying to make a Windows machine join a 
>>>> Samba domain.  Samba is running with LDAP backend (OpenLDAP).  When I try 
>>>> to join the domain, Windows says that the machine account does not exist.  
>>>> The machine account, however, is successfully created in the LDAP 
>>>> directory after the join fails. When I try to join again, Windows says 
>>>> that the account already exists.
>>>> 
>>>> Has anyone here already experienced such problem?  This is a fresh install 
>>>> of Samba + OpenLDAP.  I already ran smbldap-populate, all initial accounts 
>>>> and groups are present in the database.
>>>> 
>>>> Some info:
>>>> 
>>>> 
>>>> 
>>>> OpenLDAP 2.4.32
>>>> Samba 3.6.3-2ubuntu2.3 (amd64)
>>>> 
>>>> 
>>>> 
>>>> smb.conf:
>>>> 
>>>> [global]
>>>> workgroup = RTS
>>>> server string = %h
>>>> map to guest = Bad User
>>>> passdb backend = ldapsam:ldap://127.0.0.1
>>>> passwd program = /usr/sbin/smbldap-passwd %u
>>>> passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>>> syslog = 0
>>>> log file = /var/log/samba/log.%m
>>>> max log size = 1000
>>>> add user script = /root/smbldap-tools-0.9.9/smbldap-useradd.cmd -a %u
>>>> delete user script = /root/smbldap-tools-0.9.9/smbldap-userdel.cmd %u
>>>> add group script = /root/smbldap-tools-0.9.9/smbldap-groupadd.cmd -p %g
>>>> delete group script = /root/smbldap-tools-0.9.9/smbldap-groupdel.cmd %g
>>>> add user to group script = /root/smbldap-tools-0.9.9/smbldap-groupmod.cmd -m "%u" "%g"
>>>> delete user from group script = /root/smbldap-tools-0.9.9/smbldap-groupmod.cmd -x "%u" "%g"
>>>> set primary group script = /root/smbldap-tools-0.9.9/smbldap-usermod.cmd -g "%g" "%u"
>>>> add machine script = /root/smbldap-tools-0.9.9/smbldap-useradd.cmd -i -t 0 "%u"
>>>> domain logons = Yes
>>>> preferred master = Yes
>>>> domain master = Yes
>>>> wins support = Yes
>>>> ldap admin dn = cn=Manager,dc=rtsbrasil,dc=com,dc=br
>>>> ldap delete dn = Yes
>>>> ldap group suffix = ou=Groups
>>>> ldap idmap suffix = ou=Idmap
>>>> ldap machine suffix = ou=Computers
>>>> ldap passwd sync = yes
>>>> ldap suffix = dc=rtsbrasil,dc=com,dc=br
>>>> ldap ssl = no
>>>> ldap user suffix = ou=Users
>>>> panic ac

Re: [Samba] Cannot make Windows join Samba domain

2012-10-09 Thread Celio Cidral Jr
Hi Michael, thanks for the reply.

I'm not sure if I have correctly checked the things you asked.  I've installed 
Samba via apt-get, and I had to compile OpenLDAP by hand (I failed miserably 
trying to make it work from the apt packages).  The NSLCD and SSSD packages are 
not installed, and there is no occurrence of "nslcd" nor "sssd" under the /usr 
directory.  Regarding the scope filter, the only configuration I found (that I 
think is related to scope) is the following line from the smbldap.conf file:

scope="sub"


Célio

On 08/10/2012, at 23:25, Michael Starling wrote:


> I'm curious as to what modules you're using for NSS lookups? SSSD, or NSLCD 
> and pam_ldap?
> 
> I'd make sure you aren't using scope filters as this has caused me similar 
> headaches in the past.
> 
> 
> 
> On Oct 8, 2012, at 9:04 PM, "Celio Cidral Jr"  wrote:
> 
>> Hi,
>> 
>> I'm having an issue trying to make a Windows machine join a Samba 
>> domain.  Samba is running with LDAP backend (OpenLDAP).  When I try to join 
>> the domain, Windows says that the machine account does not exist.  The 
>> machine account, however, is successfully created in the LDAP directory 
>> after the join fails. When I try to join again, Windows says that the 
>> account already exists.
>> 
>> Has anyone here already experienced such problem?  This is a fresh install 
>> of Samba + OpenLDAP.  I already ran smbldap-populate, all initial accounts 
>> and groups are present in the database.
>> 
>> Some info:
>> 
>> 
>> 
>> OpenLDAP 2.4.32
>> Samba 3.6.3-2ubuntu2.3 (amd64)
>> 
>> 
>> 
>> smb.conf:
>> 
>> [global]
>>  workgroup = RTS
>>  server string = %h
>>  map to guest = Bad User
>>  passdb backend = ldapsam:ldap://127.0.0.1
>>  passwd program = /usr/sbin/smbldap-passwd %u
>>  passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
>>  syslog = 0
>>  log file = /var/log/samba/log.%m
>>  max log size = 1000
>>  add user script = /root/smbldap-tools-0.9.9/smbldap-useradd.cmd -a %u
>>  delete user script = /root/smbldap-tools-0.9.9/smbldap-userdel.cmd %u
>>  add group script = /root/smbldap-tools-0.9.9/smbldap-groupadd.cmd -p %g
>>  delete group script = /root/smbldap-tools-0.9.9/smbldap-groupdel.cmd %g
>>  add user to group script = /root/smbldap-tools-0.9.9/smbldap-groupmod.cmd -m "%u" "%g"
>>  delete user from group script = /root/smbldap-tools-0.9.9/smbldap-groupmod.cmd -x "%u" "%g"
>>  set primary group script = /root/smbldap-tools-0.9.9/smbldap-usermod.cmd -g "%g" "%u"
>>  add machine script = /root/smbldap-tools-0.9.9/smbldap-useradd.cmd -i -t 0 "%u"
>>  domain logons = Yes
>>  preferred master = Yes
>>  domain master = Yes
>>  wins support = Yes
>>  ldap admin dn = cn=Manager,dc=rtsbrasil,dc=com,dc=br
>>  ldap delete dn = Yes
>>  ldap group suffix = ou=Groups
>>  ldap idmap suffix = ou=Idmap
>>  ldap machine suffix = ou=Computers
>>  ldap passwd sync = yes
>>  ldap suffix = dc=rtsbrasil,dc=com,dc=br
>>  ldap ssl = no
>>  ldap user suffix = ou=Users
>>  panic action = /usr/share/samba/panic-action %d
>>  idmap config * : backend = tdb
>> 
>> 
>> 
>> smbldap.conf:
>> 
>> SID="S-1-5-21-2940977410-1091208426-162815782"
>> sambaDomain="RTS"
>> masterLDAP="localhost"
>> masterPort="389"
>> ldapTLS="0"
>> ldapSSL="0"
>> verify="none"
>> cafile="/etc/ssl/certs/cacert.pem"
>> suffix="dc=rtsbrasil,dc=com,dc=br"
>> usersdn="ou=Users,${suffix}"
>> computersdn="ou=Computers,${suffix}"
>> groupsdn="ou=Groups,${suffix}"
>> idmapdn="ou=Idmap,${suffix}"
>> sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
>> scope="sub"
>> hash_encrypt="SSHA"
>> crypt_salt_format="%s"
>> userLoginShell="/bin/bash"
>> userHome="/home/%U"
>> userHomeDirectoryMode="700"
>> userGecos="System User"
>> defaultUserGid="513"
>> defaultComputerGid="515"
>> skeletonDir="/etc/skel"
>> defaultMaxPasswordAge="45"
>> userSmbHome="\\D0-SMBDOM\%U"
>> userProfile="\\D0-SMBDOM\profiles\%U"
>

[Samba] Cannot make Windows join Samba domain

2012-10-08 Thread Celio Cidral Jr
Hi,

I'm having an issue trying to make a Windows machine join a Samba 
domain.  Samba is running with LDAP backend (OpenLDAP).  When I try to join the 
domain, Windows says that the machine account does not exist.  The machine 
account, however, is successfully created in the LDAP directory after the join 
fails. When I try to join again, Windows says that the account already exists.

Has anyone here already experienced such problem?  This is a fresh install of 
Samba + OpenLDAP.  I already ran smbldap-populate, all initial accounts and 
groups are present in the database.

Some info:



OpenLDAP 2.4.32
Samba 3.6.3-2ubuntu2.3 (amd64)



smb.conf:

[global]
workgroup = RTS
server string = %h
map to guest = Bad User
passdb backend = ldapsam:ldap://127.0.0.1
passwd program = /usr/sbin/smbldap-passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
syslog = 0
log file = /var/log/samba/log.%m
max log size = 1000
add user script = /root/smbldap-tools-0.9.9/smbldap-useradd.cmd -a %u
delete user script = /root/smbldap-tools-0.9.9/smbldap-userdel.cmd %u
add group script = /root/smbldap-tools-0.9.9/smbldap-groupadd.cmd -p %g
delete group script = /root/smbldap-tools-0.9.9/smbldap-groupdel.cmd %g
add user to group script = /root/smbldap-tools-0.9.9/smbldap-groupmod.cmd -m "%u" "%g"
delete user from group script = /root/smbldap-tools-0.9.9/smbldap-groupmod.cmd -x "%u" "%g"
set primary group script = /root/smbldap-tools-0.9.9/smbldap-usermod.cmd -g "%g" "%u"
add machine script = /root/smbldap-tools-0.9.9/smbldap-useradd.cmd -i -t 0 "%u"
domain logons = Yes
preferred master = Yes
domain master = Yes
wins support = Yes
ldap admin dn = cn=Manager,dc=rtsbrasil,dc=com,dc=br
ldap delete dn = Yes
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap passwd sync = yes
ldap suffix = dc=rtsbrasil,dc=com,dc=br
ldap ssl = no
ldap user suffix = ou=Users
panic action = /usr/share/samba/panic-action %d
idmap config * : backend = tdb



smbldap.conf:

SID="S-1-5-21-2940977410-1091208426-162815782"
sambaDomain="RTS"
masterLDAP="localhost"
masterPort="389"
ldapTLS="0"
ldapSSL="0"
verify="none"
cafile="/etc/ssl/certs/cacert.pem"
suffix="dc=rtsbrasil,dc=com,dc=br"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
scope="sub"
hash_encrypt="SSHA"
crypt_salt_format="%s"
userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome="\\D0-SMBDOM\%U"
userProfile="\\D0-SMBDOM\profiles\%U"
userHomeDrive="H:"
userScript="logon.bat"
mailDomain="itfor.it"
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"



samba's log:

[2012/10/08 21:54:37.044857,  0] rpc_server/srv_pipe.c:1254(api_pipe_bind_auth3)
  Auth failed (NT_STATUS_NO_SUCH_USER)
[2012/10/08 21:54:37.115070,  0] rpc_server/netlogon/srv_netlog_nt.c:931(_netr_ServerAuthenticate3)
  _netr_ServerAuthenticate3: no challenge sent to client PROJETOS
[2012/10/08 21:54:37.146424,  0] rpc_server/srv_pipe.c:1254(api_pipe_bind_auth3)
  Auth failed (NT_STATUS_NO_SUCH_USER)
Use of qw(...) as parentheses is deprecated at /usr/share/perl5/smbldap_tools.pm line 1423,  line 522.
Use of uninitialized value $pass in string ne at /root/smbldap-tools-0.9.9/smbldap-useradd.cmd line 349.
Use of uninitialized value $pass2 in string ne at /root/smbldap-tools-0.9.9/smbldap-useradd.cmd line 349.



slapd's log:

Oct  8 21:54:29 sambaserver slapd[2572]: conn=1000 op=315 SRCH base="" scope=2 deref=0 filter="(objectClass=sambaTrustedDomainPassword)"
Oct  8 21:54:29 sambaserver slapd[2572]: conn=1000 op=315 SRCH attr=sambaDomainName sambaSID
Oct  8 21:54:29 sambaserver slapd[2572]: conn=1000 op=315 SEARCH RESULT tag=101 err=32 nentries=0 text=
Oct  8 21:54:37 sambaserver slapd[2572]: conn=1115 fd=25 ACCEPT from IP=127.0.0.1:60893 (IP=0.0.0.0:389)
Oct  8 21:54:37 sambaserver slapd[2572]: conn=1115 op=0 BIND dn="cn=Manager,dc=rtsbrasil,dc=com,dc=br" method=128
Oct  8 21:54:37 sambaserver slapd[2572]: conn=1115 op=0 BIND dn="cn=Manager,dc=rtsbrasil,dc=com,dc=br" mech=SIMPLE ssf=0
Oct  8 21:54:37 sambaserver slapd[2572]: conn=1115 op=0 RESULT tag=97 err=0 text=
Oct  8 21:54:37 sambaserver slapd[2572]: conn=1115 op=1 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Oct  8 21:54:37 sambaserver slapd[2572]: conn=1115 op=1 SRCH attr=supportedControl
Oct  8 21:54:37 sambaserver slapd[2572]: conn=1115 op=
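
Added example, not part of the original post: a small Python script that reads slapd log lines in the format quoted above, pairs each SRCH with its SEARCH RESULT to list failed lookups (err=32 is LDAP noSuchObject), and reports simple binds with ssf=0 from non-loopback peers. The conn=1116 lines and the 192.0.2.10 address are constructed sample data, and the finding labels are this example's own.

```python
import re

# Constructed sample in the slapd log format quoted in the post; conn=1116
# and its 192.0.2.10 peer are invented to show a non-loopback bind.
SAMPLE = '''\
Oct  8 21:54:29 sambaserver slapd[2572]: conn=1000 op=315 SRCH base="" scope=2 deref=0 filter="(objectClass=sambaTrustedDomainPassword)"
Oct  8 21:54:29 sambaserver slapd[2572]: conn=1000 op=315 SEARCH RESULT tag=101 err=32 nentries=0 text=
Oct  8 21:54:37 sambaserver slapd[2572]: conn=1115 fd=25 ACCEPT from IP=127.0.0.1:60893 (IP=0.0.0.0:389)
Oct  8 21:54:37 sambaserver slapd[2572]: conn=1115 op=0 BIND dn="cn=Manager,dc=rtsbrasil,dc=com,dc=br" mech=SIMPLE ssf=0
Oct  8 21:54:37 sambaserver slapd[2572]: conn=1115 op=0 RESULT tag=97 err=0 text=
Oct  8 21:54:38 sambaserver slapd[2572]: conn=1116 fd=26 ACCEPT from IP=192.0.2.10:40000 (IP=0.0.0.0:389)
Oct  8 21:54:38 sambaserver slapd[2572]: conn=1116 op=0 BIND dn="cn=Manager,dc=rtsbrasil,dc=com,dc=br" mech=SIMPLE ssf=0
'''

LINE = re.compile(r"conn=(\d+) (?:op=(\d+) |fd=\d+ )(.*)")
LOOPBACK = ("127.", "[::1]")

def analyze(log_text):
    """Return failed searches and unprotected simple binds from remote peers."""
    peers, searches, findings = {}, {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        conn, op, rest = m.groups()
        if rest.startswith("ACCEPT"):
            peer = re.search(r"from IP=(\[[^\]]+\]|[^:\s]+)", rest)
            peers[conn] = peer.group(1) if peer else "unknown"
        elif rest.startswith("SRCH base="):
            s = re.search(r'base="([^"]*)" scope=(\d).*filter="(.*)"', rest)
            if s:
                searches[(conn, op)] = s.groups()
        elif rest.startswith("SEARCH RESULT"):
            err = re.search(r"err=(\d+)", rest)
            if err and int(err.group(1)) != 0 and (conn, op) in searches:
                base, _scope, flt = searches.pop((conn, op))
                findings.append(("search-failed", conn, int(err.group(1)), base, flt))
        elif rest.startswith("BIND") and "mech=SIMPLE ssf=0" in rest:
            # ssf=0: no TLS or SASL layer protected this simple bind.
            peer = peers.get(conn, "unknown")
            if not peer.startswith(LOOPBACK):
                findings.append(("cleartext-bind", conn, peer))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE):
        print(finding)
```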