Re: [Samba] Fail to join a Windows 2008 R2 to a Samba+LDAP PDC version 3.5.4

2010-07-06 Thread Sean Crosby
Try removing these two values:

HKLM\System\CurrentControlSet\Services\Netlogon\Parameters
DWORD RequireSignOrSeal = 0
DWORD RequireStrongKey = 0

These values used to be needed, but they were not when I joined my R2 
machine to my Samba 3.5 server; with those registry keys present, the join 
succeeded but it was then impossible to log on.

Sean





[Samba] Fail to join a Windows 2008 R2 to a Samba+LDAP PDC version 3.5.4

2010-07-02 Thread German Molano
Hi there, this is my setup: a fully updated CentOS 5.3 x86_64 host with Xen 
enabled, running the Samba 3.5.4 SerNet RPMs. A virtual machine with 
Windows 2008 R2 Foundation runs fully virtualized on the same host.

When I tried to join the Windows 2008 machine to the domain I got this message:
The following error occurred attempting to join the domain "MYDOMAIN":
A device attached to the system is not functioning.

The Windows 2008 registry was modified, as recommended on the internet, to 
be able to join the domain:

HKLM\System\CurrentControlSet\Services\LanmanWorkstation\Parameters
DWORD DomainCompatibilityMode = 1
DWORD DNSNameResolutionRequired = 0
HKLM\System\CurrentControlSet\Services\Netlogon\Parameters
DWORD RequireSignOrSeal = 0
DWORD RequireStrongKey = 0

This is my config:
smb.conf
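[global]

   # Character set used on the Unix side; must match what the filesystem and
   # the smbldap tools actually produce, or non-ASCII names are mangled.
   unix charset = ISO8859-1
   workgroup = MYDOMAIN
   netbios name = pdc
   # Accounts live in the OpenLDAP server on the loopback interface.
   passdb backend = ldapsam:ldap://127.0.0.1
   username map = /etc/samba/smbusers

   # 10 is the maximum debug level. It is fine while troubleshooting the
   # domain join, but the per-client logs grow very fast and at this level
   # Samba writes account and directory details into them, so lower it
   # (0-3) and protect /var/log/samba once the problem is solved.
   log level = 10
   log file = /var/log/samba/%m.log
   max log size = 50

   # The lmhosts switch is spelled in the plural; "lmhost" is not a
   # documented switch name.
   name resolve order = hosts lmhosts wins bcast
   wins support = Yes
   time server = Yes
   show add printer wizard = No

   # User, group and machine account management is delegated to smbldap-tools.
   add user script = /usr/sbin/smbldap-useradd -a -m %u
   delete user script = /usr/sbin/smbldap-userdel -r %u
   add group script = /usr/sbin/smbldap-groupadd -p %g
   delete group script = /usr/sbin/smbldap-groupdel %g
   add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
   delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
   set primary group script = /usr/sbin/smbldap-usermod -g %g %u
   add machine script = /usr/sbin/smbldap-useradd -w -i %u
   passwd program = /usr/sbin/smbldap-passwd %u
   # Expect/send chat for "passwd program". This is one logical line; if it
   # has to be split, end the continued line with a backslash.
   passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*

   # "ldap password sync" is a synonym of this parameter; set only one of them.
   ldap passwd sync = Yes
   enable privileges = Yes
   # A single script path, relative to the [netlogon] share. Anything else in
   # the value (e.g. "%U.bat OR netlogon.bat") is handed to the client
   # verbatim as the script name. Use %U.bat here for per-user scripts.
   logon script = netlogon.bat
   logon path = \\%L\profiles\%U
   logon drive = H:
   domain logons = Yes
   preferred master = Yes
   domain master = Yes

   # LDAP layout. The password for the admin dn is not kept in this file;
   # it is stored in secrets.tdb with "smbpasswd -w".
   ldap admin dn = cn=Administrador,dc=mydomain,dc=local
   ldap suffix = dc=mydomain,dc=local
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap
   # Plaintext LDAP is acceptable only because the server is on 127.0.0.1.
   # If passdb/idmap ever point at a remote host, use ldaps:// or
   # "ldap ssl = start tls" so the admin bind does not cross the network in clear.
   ldap ssl = off
   idmap backend = ldap:ldap://127.0.0.1
   # NOTE(review): a range of two ids cannot hold a domain's users and
   # groups; this looks like a copy/paste truncation of a larger range.
   # Confirm against the real file, and make sure the range does not overlap
   # the local /etc/passwd and /etc/group ids.
   idmap uid = 1-2
   idmap gid = 1-2
   # "printer admin" is deprecated in favour of the SePrintOperatorPrivilege
   # privilege; check the testparm output for this release.
   printer admin = Administrador
   map acl inherit = Yes
   printing = cups
   printcap name = CUPS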

[homes]
   # Per-user home share. %S expands to the service name, which for [homes]
   # is the user's own name, so only the owner can connect.
   comment = Home Directories
   valid users = %S
   browseable = No
   read only = No

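[netlogon]
   # Every client runs the logon script it fetches from here, so the share
   # must stay read only for clients (made explicit below, it is also the
   # default) and the directory must be writable only by root on the server.
   comment = Network Logon Service
   path = /var/lib/samba/netlogon
   guest ok = Yes
   read only = Yes
   locking = No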

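[profiles]
   # Roaming profile store referenced by "logon path" in [global].
   # "writable" is the inverse synonym of "read only"; only one is set here.
   comment = Network Profiles Share
   path = /var/lib/samba/profiles
   read only = No
   profile acls = Yes
   # Profile files and directories are private to their owner.
   create mode = 0600
   directory mode = 0700
   browseable = No
   store dos attributes = Yes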


slapd.conf

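#
# slapd.conf - OpenLDAP server configuration used as the Samba 3 PDC backend.
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
# Directive and argument are separated by whitespace; lines such as
# "include/etc/..." (whitespace lost in transit) are not valid.
# Schema files: core/cosine/inetorgperson/nis are the stock set,
# samba3.schema adds the sambaSamAccount attributes the PDC needs.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba3.schema
include /etc/openldap/schema/dyngroup.schema

# Allow LDAPv2 client connections.  This is NOT the default.
# LDAPv2 is obsolete and has no StartTLS; Samba 3 binds with LDAPv3, so this
# can be removed unless a legacy client still needs it - TODO confirm.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath /usr/lib64/openldap

# Modules available in openldap-servers-overlays RPM package
# Module syncprov.la is now statically linked with slapd and there
# is no need to load it here
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload denyop.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload lastmod.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload smbk5pwd.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la

# modules available in openldap-servers-sql RPM package:
# moduleload back_sql.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /etc/pki/tls/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it.  Your client software
# may balk at self-signed certificates, however.
# The Samba PDC on this host connects over ldap://127.0.0.1 without TLS;
# enable these before accepting binds from any other host.
# TLSCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
# TLSCertificateFile /etc/pki/tls/certs/slapd.pem
# TLSCertificateKeyFile /etc/pki/tls/certs/slapd.pem
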
# Sample security restrictions
#Require integrity protection (prevent hijacking)
#Require 112-bit (3DES or better) encryption for updates
#