Re: [Samba] problem joining WinXP machine to samba PDC+LDAP environment

2011-02-24 Thread Mike Brady

Quoting Daniel Müller :


I had a test system running with the same rpms. Did the setup as described
and could not change user passwords and sync things the
way it should to my ldap slave. In the end I recognized I had to run winbind
on the pdc!?
And after all I was missing a real step by step setup. So I returned to
samba/ldap smbldap-tools setting up my system in an hour (Master - Master
Replication).
If you can post your editposix setup to me I would try a second time :-)

---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: Mike Brady [mailto:mike.br...@devnull.net.nz]
Sent: Wednesday, 23 February 2011 19:18
To: muel...@tropenklinik.de
Cc: 'Jon Detert'; samba@lists.samba.org
Subject: Re: AW: [Samba] problem joining WinXP machine to samba PDC+LDAP
environment

Quoting Daniel Müller :


"ldapsam:editposix" is, as I can tell, not a good solution; whenever I tried
this it did not
work right. And there is nowhere a good and new howto about this feature. No
description goes into the depth.

---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On behalf of Mike Brady
Sent: Wednesday, 23 February 2011 09:17
To: Jon Detert
Cc: samba@lists.samba.org
Subject: Re: [Samba] problem joining WinXP machine to samba PDC+LDAP
environment

Quoting Jon Detert :


On Mon, Feb 21, 2011 at 4:15 PM, Mike Brady
 wrote:

Quoting Jon Detert :


Hello,

I can't join a winxp box to my samba domain.  I just have one samba
server, meant to act as a PDC for domain='CHI'.
Any ideas how to troubleshoot and/or remedy?

Thanks,

Jon

Context:

samba v3.3.8 on CentOS v5.5, using ldapsam backend.  Domainname ='CHI'.
smbldap-tools v0.9.6.
I 'populated' the ldap with 'smbldap-populate'.

I try to join the winxp box, authenticating to the domain as user
'jdetert', which is a member of the 'Administrators' group:
# smbldap-groupshow Administrators
dn: cn=Administrators,ou=Groups,dc=infinityhealthcare,dc=com
objectClass: top,posixGroup,sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the
computer/sambaDomainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators
memberUid: jdetert,root

What happens:
--
a failure dialog window pops up on the winxp box with this message:
'The following error occurred attempting to join the domain "CHI":
The user name could not be found.'


-- snip --


I am working through a similar setup at the moment.

Looking at the smbldap-useradd source, status 9 is "user must not exist in
LDAP", so I assume from that that the workstation userid already exists?



Turns out you are correct.  So, I deleted the 'user'="testfsclient$"
from the ou=Computers, and retried, but it failed with the same error,
and it re-created the user object.

Any ideas how/why joining the domain is not fully working?

Thanks,

Jon


Jon

A couple more things:
1) smbldap-populate initializes the sambaGroupType for all the
S-1-5-32-* SIDs to 5.  This is incorrect.  It should be 4, but this
probably isn't causing this issue.
2) I think that root needs to be in the Domain Admins group in order
to join a machine to the domain, not the Administrators group which is
a local group.  At least that is how I am set up.
3) Depending on the details of your implementation you may not need to
use smbldap-tools at all.  Have a look at the ldapsam:editposix and
ldapsam:trusted on the smb.conf man page.  Note that using
ldapsam:editposix is one case where winbind is required on a Samba PDC.

Mike



This message was sent using IMP, the Internet Messaging Program.

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba




Daniel

Exactly how did ldapsam:editposix not "work right"?

I thought that the smb.conf man page described things well enough.

I have converted my test set up from using smbldap-tools to using
ldapsam:posixedit and so far it is doing everything that I was using
smbldap-tools for correctly.  I am using the SerNet 3.5.6 RPMs.

Mike



Re: [Samba] problem joining WinXP machine to samba PDC+LDAP environment

2011-02-23 Thread Daniel Müller
I had a test system running with the same rpms. Did the setup as described
and could not change user passwords and sync things the
way it should to my ldap slave. In the end I recognized I had to run winbind
on the pdc!?
And after all I was missing a real step by step setup. So I returned to
samba/ldap smbldap-tools setting up my system in an hour (Master - Master
Replication).
If you can post your editposix setup to me I would try a second time :-)

---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---

-----Original Message-----
From: Mike Brady [mailto:mike.br...@devnull.net.nz]
Sent: Wednesday, 23 February 2011 19:18
To: muel...@tropenklinik.de
Cc: 'Jon Detert'; samba@lists.samba.org
Subject: Re: AW: [Samba] problem joining WinXP machine to samba PDC+LDAP
environment

Quoting Daniel Müller :

> "ldapsam:editposix" is, as I can tell, not a good solution; whenever I tried
> this it did not
> work right. And there is nowhere a good and new howto about this feature. No
> description goes into the depth.
>
> ---
> EDV Daniel Müller
>
> Head of IT
> Tropenklinik Paul-Lechler-Krankenhaus
> Paul-Lechler-Str. 24
> 72076 Tübingen
>
> Tel.: 07071/206-463, Fax: 07071/206-499
> eMail: muel...@tropenklinik.de
> Internet: www.tropenklinik.de
> ---
> -----Original Message-----
> From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
> On behalf of Mike Brady
> Sent: Wednesday, 23 February 2011 09:17
> To: Jon Detert
> Cc: samba@lists.samba.org
> Subject: Re: [Samba] problem joining WinXP machine to samba PDC+LDAP
> environment
>
> Quoting Jon Detert :
>
>> On Mon, Feb 21, 2011 at 4:15 PM, Mike Brady
>>  wrote:
>>> Quoting Jon Detert :
>>>
>>>> Hello,
>>>>
>>>> I can't join a winxp box to my samba domain.  I just have one samba
>>>> server, meant to act as a PDC for domain='CHI'.
>>>> Any ideas how to troubleshoot and/or remedy?
>>>>
>>>> Thanks,
>>>>
>>>> Jon
>>>>
>>>> Context:
>>>> 
>>>> samba v3.3.8 on CentOS v5.5, using ldapsam backend.  Domainname ='CHI'.
>>>> smbldap-tools v0.9.6.
>>>> I 'populated' the ldap with 'smbldap-populate'.
>>>>
>>>> I try to join the winxp box, authenticating to the domain as user
>>>> 'jdetert', which is a member of the 'Administrators' group:
>>>> # smbldap-groupshow Administrators
>>>> dn: cn=Administrators,ou=Groups,dc=infinityhealthcare,dc=com
>>>> objectClass: top,posixGroup,sambaGroupMapping
>>>> gidNumber: 544
>>>> cn: Administrators
>>>> description: Netbios Domain Members can fully administer the
>>>> computer/sambaDomainName
>>>> sambaSID: S-1-5-32-544
>>>> sambaGroupType: 5
>>>> displayName: Administrators
>>>> memberUid: jdetert,root
>>>>
>>>> What happens:
>>>> --
>>>> a failure dialog window pops up on the winxp box with this message:
>>>> 'The following error occurred attempting to join the domain "CHI":
>>>> The user name could not be found.'
>>
>> -- snip --
>>
>>> I am working through a similar setup at the moment.
>>>
>>> Looking at the smbldap-useradd source, status 9 is "user must not exist in
>>> LDAP", so I assume from that that the workstation userid already exists?
>>
>>
>> Turns out you are correct.  So, I deleted the 'user'="testfsclient$"
>> from the ou=Computers, and retried, but it failed with the same error,
>> and it re-created the user object.
>>
>> Any ideas how/why joining the domain is not fully working?
>>
>> Thanks,
>>
>> Jon
>>
> Jon
>
> A couple more things:
> 1) smbldap-populate initializes the sambaGroupType for all the
> S-1-5-32-* SIDs to 5.  This is incorrect.  It should be 4, but this
> probably isn't causing this issue.
> 2) I think that root needs to be in the Domain Admins group in order
> to join a machine to the domain, not the Administrators group which is
> a local group.  At least that is how I am set up.
>

Re: [Samba] problem joining WinXP machine to samba PDC+LDAP environment

2011-02-23 Thread Harry Jede
On 23:39:39 wrote Mike Brady:
> Daniel
>
> Exactly how did ldapsam:editposix not "work right"?
>
> I thought that the smb.conf man page described things well enough.
>
> I have converted my test set up from using smbldap-tools to using  
> ldapsam:posixedit and so far it is doing everything that I was using
>   smbldap-tools for correctly.  I am using the SerNet 3.5.6 RPMs.
>
> Mike

I have two installations with ldapsam:editposix on debian lenny, samba
3.4.5. Both are running fine. No problems.

-- 

Regards
Harry Jede


Re: [Samba] problem joining WinXP machine to samba PDC+LDAP environment

2011-02-23 Thread Mike Brady

Quoting Daniel Müller :


"ldapsam:editposix" is, as I can tell, not a good solution; whenever I tried
this it did not
work right. And there is nowhere a good and new howto about this feature. No
description goes into the depth.

---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On behalf of Mike Brady
Sent: Wednesday, 23 February 2011 09:17
To: Jon Detert
Cc: samba@lists.samba.org
Subject: Re: [Samba] problem joining WinXP machine to samba PDC+LDAP
environment

Quoting Jon Detert :


On Mon, Feb 21, 2011 at 4:15 PM, Mike Brady
 wrote:

Quoting Jon Detert :


Hello,

I can't join a winxp box to my samba domain.  I just have one samba
server, meant to act as a PDC for domain='CHI'.
Any ideas how to troubleshoot and/or remedy?

Thanks,

Jon

Context:

samba v3.3.8 on CentOS v5.5, using ldapsam backend.  Domainname ='CHI'.
smbldap-tools v0.9.6.
I 'populated' the ldap with 'smbldap-populate'.

I try to join the winxp box, authenticating to the domain as user
'jdetert', which is a member of the 'Administrators' group:
# smbldap-groupshow Administrators
dn: cn=Administrators,ou=Groups,dc=infinityhealthcare,dc=com
objectClass: top,posixGroup,sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the
computer/sambaDomainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators
memberUid: jdetert,root

What happens:
--
a failure dialog window pops up on the winxp box with this message:
'The following error occurred attempting to join the domain "CHI":
The user name could not be found.'


-- snip --


I am working through a similar setup at the moment.

Looking at the smbldap-useradd source, status 9 is "user must not exist in
LDAP", so I assume from that that the workstation userid already exists?



Turns out you are correct.  So, I deleted the 'user'="testfsclient$"
from the ou=Computers, and retried, but it failed with the same error,
and it re-created the user object.

Any ideas how/why joining the domain is not fully working?

Thanks,

Jon


Jon

A couple more things:
1) smbldap-populate initializes the sambaGroupType for all the
S-1-5-32-* SIDs to 5.  This is incorrect.  It should be 4, but this
probably isn't causing this issue.
2) I think that root needs to be in the Domain Admins group in order
to join a machine to the domain, not the Administrators group which is
a local group.  At least that is how I am set up.
3) Depending on the details of your implementation you may not need to
use smbldap-tools at all.  Have a look at the ldapsam:editposix and
ldapsam:trusted on the smb.conf man page.  Note that using
ldapsam:editposix is one case where winbind is required on a Samba PDC.

Mike







Daniel

Exactly how did ldapsam:editposix not "work right"?

I thought that the smb.conf man page described things well enough.

I have converted my test set up from using smbldap-tools to using  
ldapsam:posixedit and so far it is doing everything that I was using  
smbldap-tools for correctly.  I am using the SerNet 3.5.6 RPMs.


Mike




Re: [Samba] problem joining WinXP machine to samba PDC+LDAP environment

2011-02-23 Thread Daniel Müller
"ldapsam:editposix" is, as I can tell, not a good solution; whenever I tried
this it did not
work right. And there is nowhere a good and new howto about this feature. No
description goes into the depth.

---
EDV Daniel Müller

Head of IT
Tropenklinik Paul-Lechler-Krankenhaus
Paul-Lechler-Str. 24
72076 Tübingen

Tel.: 07071/206-463, Fax: 07071/206-499
eMail: muel...@tropenklinik.de
Internet: www.tropenklinik.de
---
-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org]
On behalf of Mike Brady
Sent: Wednesday, 23 February 2011 09:17
To: Jon Detert
Cc: samba@lists.samba.org
Subject: Re: [Samba] problem joining WinXP machine to samba PDC+LDAP
environment

Quoting Jon Detert :

> On Mon, Feb 21, 2011 at 4:15 PM, Mike Brady  
>  wrote:
>> Quoting Jon Detert :
>>
>>> Hello,
>>>
>>> I can't join a winxp box to my samba domain.  I just have one samba
>>> server, meant to act as a PDC for domain='CHI'.
>>> Any ideas how to troubleshoot and/or remedy?
>>>
>>> Thanks,
>>>
>>> Jon
>>>
>>> Context:
>>> 
>>> samba v3.3.8 on CentOS v5.5, using ldapsam backend.  Domainname ='CHI'.
>>> smbldap-tools v0.9.6.
>>> I 'populated' the ldap with 'smbldap-populate'.
>>>
>>> I try to join the winxp box, authenticating to the domain as user
>>> 'jdetert', which is a member of the 'Administrators' group:
>>> # smbldap-groupshow Administrators
>>> dn: cn=Administrators,ou=Groups,dc=infinityhealthcare,dc=com
>>> objectClass: top,posixGroup,sambaGroupMapping
>>> gidNumber: 544
>>> cn: Administrators
>>> description: Netbios Domain Members can fully administer the
>>> computer/sambaDomainName
>>> sambaSID: S-1-5-32-544
>>> sambaGroupType: 5
>>> displayName: Administrators
>>> memberUid: jdetert,root
>>>
>>> What happens:
>>> --
>>> a failure dialog window pops up on the winxp box with this message:
>>> 'The following error occurred attempting to join the domain "CHI":
>>> The user name could not be found.'
>
> -- snip --
>
>> I am working through a similar setup at the moment.
>>
>> Looking at the smbldap-useradd source, status 9 is "user must not exist in
>> LDAP", so I assume from that that the workstation userid already exists?
>
>
> Turns out you are correct.  So, I deleted the 'user'="testfsclient$"
> from the ou=Computers, and retried, but it failed with the same error,
> and it re-created the user object.
>
> Any ideas how/why joining the domain is not fully working?
>
> Thanks,
>
> Jon
>
Jon

A couple more things:
1) smbldap-populate initializes the sambaGroupType for all the  
S-1-5-32-* SIDs to 5.  This is incorrect.  It should be 4, but this  
probably isn't causing this issue.
2) I think that root needs to be in the Domain Admins group in order  
to join a machine to the domain, not the Administrators group which is  
a local group.  At least that is how I am set up.
3) Depending on the details of your implementation you may not need to  
use smbldap-tools at all.  Have a look at the ldapsam:editposix and  
ldapsam:trusted on the smb.conf man page.  Note that using  
ldapsam:editposix is one case where winbind is required on a Samba PDC.

Mike





Re: [Samba] problem joining WinXP machine to samba PDC+LDAP environment

2011-02-23 Thread Mike Brady

Quoting Jon Detert :

On Mon, Feb 21, 2011 at 4:15 PM, Mike Brady  
 wrote:

Quoting Jon Detert :


Hello,

I can't join a winxp box to my samba domain.  I just have one samba
server, meant to act as a PDC for domain='CHI'.
Any ideas how to troubleshoot and/or remedy?

Thanks,

Jon

Context:

samba v3.3.8 on CentOS v5.5, using ldapsam backend.  Domainname ='CHI'.
smbldap-tools v0.9.6.
I 'populated' the ldap with 'smbldap-populate'.

I try to join the winxp box, authenticating to the domain as user
'jdetert', which is a member of the 'Administrators' group:
# smbldap-groupshow Administrators
dn: cn=Administrators,ou=Groups,dc=infinityhealthcare,dc=com
objectClass: top,posixGroup,sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the
computer/sambaDomainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators
memberUid: jdetert,root

What happens:
--
a failure dialog window pops up on the winxp box with this message:
'The following error occurred attempting to join the domain "CHI":
The user name could not be found.'


-- snip --


I am working through a similar setup at the moment.

Looking at the smbldap-useradd source, status 9 is "user must not exist in
LDAP", so I assume from that that the workstation userid already exists?



Turns out you are correct.  So, I deleted the 'user'="testfsclient$"
from the ou=Computers, and retried, but it failed with the same error,
and it re-created the user object.

Any ideas how/why joining the domain is not fully working?

Thanks,

Jon


Jon

A couple more things:
1) smbldap-populate initializes the sambaGroupType for all the  
S-1-5-32-* SIDs to 5.  This is incorrect.  It should be 4, but this  
probably isn't causing this issue.
2) I think that root needs to be in the Domain Admins group in order  
to join a machine to the domain, not the Administrators group which is  
a local group.  At least that is how I am set up.
3) Depending on the details of your implementation you may not need to  
use smbldap-tools at all.  Have a look at the ldapsam:editposix and  
ldapsam:trusted on the smb.conf man page.  Note that using  
ldapsam:editposix is one case where winbind is required on a Samba PDC.


Mike
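
Points 1 and 2 above, as an added example that is not part of Mike's message or of smbldap-tools: a Python check over `smbldap-groupshow`-style output that flags S-1-5-32-* groups whose sambaGroupType is not 4 and reports whether the joining user is listed in Domain Admins (RID 512). The sample entries, the example.com suffix, the domain SID and the function names are constructed for illustration.

```python
import re

# "attr: value" line; anything else is treated as a wrapped continuation line
ATTR = re.compile(r"^([A-Za-z][\w;-]*):\s*(.*)$")
BUILTIN_PREFIX = "S-1-5-32-"   # SIDs of the BUILTIN domain
EXPECTED_BUILTIN_TYPE = "4"    # value the message above says these groups should carry
DOMAIN_ADMINS_RID = "512"      # well-known RID of Domain Admins

# Constructed sample in the layout printed by smbldap-groupshow
SAMPLE_GROUPS = """\
dn: cn=Administrators,ou=Groups,dc=example,dc=com
objectClass: top,posixGroup,sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the
computer/sambaDomainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
memberUid: jdetert,root

dn: cn=Domain Admins,ou=Groups,dc=example,dc=com
objectClass: top,posixGroup,sambaGroupMapping
gidNumber: 512
cn: Domain Admins
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-512
sambaGroupType: 2
memberUid: root
"""


def parse_groups(text):
    """Return one dict per group entry; entries are separated by blank lines."""
    groups = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry, last = {}, None
        for line in block.splitlines():
            m = ATTR.match(line)
            if m:
                last = m.group(1)
                entry[last] = m.group(2).strip()
            elif last:
                # wrapped value, e.g. the long description line
                entry[last] += " " + line.strip()
        if "sambaSID" in entry:
            entry["members"] = [u for u in entry.get("memberUid", "").split(",") if u]
            groups.append(entry)
    return groups


def audit(groups, joining_user):
    """Return (finding, subject, detail) tuples for the two checks.

    Only memberUid is consulted; membership through a primary gidNumber
    is not visible in this output and is not checked.
    """
    findings = []
    domain_admins = None
    for g in groups:
        sid, gtype = g["sambaSID"], g.get("sambaGroupType")
        if sid.startswith(BUILTIN_PREFIX) and gtype != EXPECTED_BUILTIN_TYPE:
            findings.append(("builtin-group-type", g.get("cn"), gtype))
        if sid.startswith("S-1-5-21-") and sid.rsplit("-", 1)[1] == DOMAIN_ADMINS_RID:
            domain_admins = g
    if domain_admins is None:
        findings.append(("no-domain-admins-group", None, None))
    elif joining_user not in domain_admins["members"]:
        findings.append(("not-in-domain-admins", joining_user, domain_admins.get("cn")))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_groups(SAMPLE_GROUPS), "jdetert"):
        print(finding)
```
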





Re: [Samba] problem joining WinXP machine to samba PDC+LDAP environment

2011-02-22 Thread Mike Brady

Quoting Jon Detert :

On Mon, Feb 21, 2011 at 4:15 PM, Mike Brady  
 wrote:

Quoting Jon Detert :


Hello,

I can't join a winxp box to my samba domain.  I just have one samba
server, meant to act as a PDC for domain='CHI'.
Any ideas how to troubleshoot and/or remedy?

Thanks,

Jon

Context:

samba v3.3.8 on CentOS v5.5, using ldapsam backend.  Domainname ='CHI'.
smbldap-tools v0.9.6.
I 'populated' the ldap with 'smbldap-populate'.

I try to join the winxp box, authenticating to the domain as user
'jdetert', which is a member of the 'Administrators' group:
# smbldap-groupshow Administrators
dn: cn=Administrators,ou=Groups,dc=infinityhealthcare,dc=com
objectClass: top,posixGroup,sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the
computer/sambaDomainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators
memberUid: jdetert,root

What happens:
--
a failure dialog window pops up on the winxp box with this message:
'The following error occurred attempting to join the domain "CHI":
The user name could not be found.'


-- snip --


I am working through a similar setup at the moment.

Looking at the smbldap-useradd source, status 9 is "user must not exist in
LDAP", so I assume from that that the workstation userid already exists?



Turns out you are correct.  So, I deleted the 'user'="testfsclient$"
from the ou=Computers, and retried, but it failed with the same error,
and it re-created the user object.

Any ideas how/why joining the domain is not fully working?

Thanks,

Jon



Jon

The error is returned if there is a successful LDAP query for the  
machine name "anywhere" in LDAP.  Does the machine name exist  
somewhere else other than ou=Computers?


You could also try running the full smbldap-useradd command as it is
logged from the command line and see if it gives any more information.
The smbldap-useradd script does print out additional information that
Samba doesn't look like it captures in the logs.


Mike
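
An added example (not part of Mike's message or of Samba): a Python parser that pulls the failing account-creation command, its exit status and the NT status that follows out of a Samba log, so the exact command can be re-run by hand as suggested above. The sample log is constructed from the excerpt quoted in this thread, the exit-code table holds only the meaning reported in the thread, and the function names are hypothetical.

```python
import re
import shlex

# Constructed sample, modelled on the log excerpt quoted in this thread.
# Long records are wrapped onto continuation lines, as they were in the mail.
SAMPLE_LOG = """\
[2011/02/21 14:32:22,  4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1519)
  ldapsam_getsampwnam: Unable to locate user [TESTFSCLIENT$] count=0
[2011/02/21 14:32:22,  0] passdb/pdb_interface.c:pdb_default_create_user(342)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w
-c "Workstation (testfsclient$)" "testfsclient$"' gave 9
[2011/02/21 14:32:22,  3] passdb/pdb_interface.c:pdb_default_create_user(359)
  pdb_default_create_user: failed to create a new user structure:
NT_STATUS_NO_SUCH_USER
"""

# "[date time,  level] file.c:function(line)" starts a new record
HEADER = re.compile(
    r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s+(\d+)\]\s+(\S+):(\w+)\((\d+)\)\s*$"
)
SCRIPT = re.compile(r"Running the command `(.+)' gave (-?\d+)")
STATUS = re.compile(r"\b(NT_STATUS_\w+)")

# Only the meaning reported in this thread (read from the smbldap-useradd source)
EXIT_MEANINGS = {9: "user must not exist in LDAP"}


def parse_records(text):
    """Group header lines with their (possibly wrapped) message lines."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({
                "time": m.group(1),
                "level": int(m.group(2)),
                "source": m.group(3),
                "function": m.group(4),
                "message": "",
            })
        elif records and line.strip():
            rec = records[-1]
            rec["message"] = (rec["message"] + " " + line.strip()).strip()
    return records


def failed_scripts(records):
    """Return one finding per external command that exited non-zero."""
    findings = []
    for i, rec in enumerate(records):
        m = SCRIPT.search(rec["message"])
        if not m or int(m.group(2)) == 0:
            continue
        code = int(m.group(2))
        # The NT status returned to the client is logged shortly afterwards.
        nt_status = None
        for later in records[i + 1:i + 4]:
            s = STATUS.search(later["message"])
            if s:
                nt_status = s.group(1)
                break
        findings.append({
            "time": rec["time"],
            "argv": shlex.split(m.group(1)),  # ready to re-run from a shell
            "exit_code": code,
            "meaning": EXIT_MEANINGS.get(code, "unknown, check the script source"),
            "nt_status": nt_status,
        })
    return findings


if __name__ == "__main__":
    for f in failed_scripts(parse_records(SAMPLE_LOG)):
        print(f["time"], f["argv"], f["exit_code"], f["meaning"], f["nt_status"])
```
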




Re: [Samba] problem joining WinXP machine to samba PDC+LDAP environment

2011-02-22 Thread Mike Brady

Quoting Natxo Asenjo :


On Mon, Feb 21, 2011 at 10:14 PM, Jon Detert
 wrote:


I assume that the 'group not found' log entries are not significant,
and that '9' was the return code from smbldap-useradd.

Anyone know what return code 9 means?
Anyone have ideas how to remedy this problem?


according to http://leto.net/docs/ldap_error_code.php, it means
'reserved', which may, or may not, shed more light into this.

HTH,

--
natxo



Those are LDAP errors.  The smbldap-tools return their own set of errors.




Re: [Samba] problem joining WinXP machine to samba PDC+LDAP environment

2011-02-22 Thread Natxo Asenjo
On Mon, Feb 21, 2011 at 10:14 PM, Jon Detert
 wrote:

> I assume that the 'group not found' log entries are not significant,
> and that '9' was the return code from smbldap-useradd.
>
> Anyone know what return code 9 means?
> Anyone have ideas how to remedy this problem?

according to http://leto.net/docs/ldap_error_code.php, it means
'reserved', which may, or may not, shed more light into this.

HTH,

-- 
natxo


Re: [Samba] problem joining WinXP machine to samba PDC+LDAP environment

2011-02-22 Thread Jon Detert
On Mon, Feb 21, 2011 at 4:15 PM, Mike Brady  wrote:
> Quoting Jon Detert :
>
>> Hello,
>>
>> I can't join a winxp box to my samba domain.  I just have one samba
>> server, meant to act as a PDC for domain='CHI'.
>> Any ideas how to troubleshoot and/or remedy?
>>
>> Thanks,
>>
>> Jon
>>
>> Context:
>> 
>> samba v3.3.8 on CentOS v5.5, using ldapsam backend.  Domainname ='CHI'.
>> smbldap-tools v0.9.6.
>> I 'populated' the ldap with 'smbldap-populate'.
>>
>> I try to join the winxp box, authenticating to the domain as user
>> 'jdetert', which is a member of the 'Administrators' group:
>> # smbldap-groupshow Administrators
>> dn: cn=Administrators,ou=Groups,dc=infinityhealthcare,dc=com
>> objectClass: top,posixGroup,sambaGroupMapping
>> gidNumber: 544
>> cn: Administrators
>> description: Netbios Domain Members can fully administer the
>> computer/sambaDomainName
>> sambaSID: S-1-5-32-544
>> sambaGroupType: 5
>> displayName: Administrators
>> memberUid: jdetert,root
>>
>> What happens:
>> --
>> a failure dialog window pops up on the winxp box with this message:
>> 'The following error occurred attempting to join the domain "CHI":
>> The user name could not be found.'

-- snip --

> I am working through a similar setup at the moment.
>
> Looking at the smbldap-useradd source, status 9 is "user must not exist in
> LDAP", so I assume from that that the workstation userid already exists?


Turns out you are correct.  So, I deleted the 'user'="testfsclient$"
from the ou=Computers, and retried, but it failed with the same error,
and it re-created the user object.

Any ideas how/why joining the domain is not fully working?

Thanks,

Jon


Re: [Samba] problem joining WinXP machine to samba PDC+LDAP environment

2011-02-21 Thread Mike Brady

Quoting Jon Detert :


Hello,

I can't join a winxp box to my samba domain.  I just have one samba
server, meant to act as a PDC for domain='CHI'.
Any ideas how to troubleshoot and/or remedy?

Thanks,

Jon

Context:

samba v3.3.8 on CentOS v5.5, using ldapsam backend.  Domainname ='CHI'.
smbldap-tools v0.9.6.
I 'populated' the ldap with 'smbldap-populate'.

I try to join the winxp box, authenticating to the domain as user
'jdetert', which is a member of the 'Administrators' group:
# smbldap-groupshow Administrators
dn: cn=Administrators,ou=Groups,dc=infinityhealthcare,dc=com
objectClass: top,posixGroup,sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the
computer/sambaDomainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators
memberUid: jdetert,root

What happens:
--
a failure dialog window pops up on the winxp box with this message:
'The following error occurred attempting to join the domain "CHI":
The user name could not be found.'

And here are the interesting bits (as far as I can tell) from the samba logs:


[2011/02/21 14:32:07,  2] lib/smbldap_util.c:smbldap_search_domain_info(277)
  smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=CHI))]
[2011/02/21 14:32:07,  2] lib/smbldap.c:smbldap_open_connection(856)
  smbldap_open_connection: connection opened
[2011/02/21 14:32:07,  3] lib/smbldap.c:smbldap_connect_system(1067)
  ldap_connect_system: successful connection to the LDAP server
[2011/02/21 14:32:07,  4] lib/smbldap.c:smbldap_open(1143)
  The LDAP server is successfully connected
..
[2011/02/21 14:32:07,  4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
  ldapsam_getgroup: Did not find group, filter was
(&(objectClass=sambaGroupMapping)(gidNumber=0))
...
[2011/02/21 14:32:07,  4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
  ldapsam_getgroup: Did not find group, filter was
(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-545))
...
[2011/02/21 14:32:07,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID
[S-1-5-21-3685928793-4148883033-3314734756-500]
...

[2011/02/21 14:32:07,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID
[S-1-5-21-3685928793-4148883033-3314734756-501]
[2011/02/21 14:32:07,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID
[S-1-5-21-3685928793-4148883033-3314734756-514]
[2011/02/21 14:32:07,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2011/02/21 14:32:07,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-32-546]


interesting bits in the log., where
clientMachineName=testfsclient

[2011/02/21 14:32:22,  4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
  ldapsam_getgroup: Did not find group, filter was
(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-545))
 [editor's note: that's for the group 'Users'.  Also couldn't find
groups for S-1-5-2 ('Network'), S-1-1-0 ('Everyone'),  and  S-1-5-11
('Authenticated Users').]
[2011/02/21 14:32:22,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID
[S-1-5-21-3685928793-4148883033-3314734756-11002]
[2011/02/21 14:32:22,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID
[S-1-5-21-3685928793-4148883033-3314734756-11001]
[2011/02/21 14:32:22,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2011/02/21 14:32:22,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-11]
 [editor's note: the SID ending in 11002 is the user 'jdetert'
that attempted to join the machine, and the SID ending in 11001 is
jdetert's primary GID.]
[2011/02/21 14:32:22,  4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1519)
  ldapsam_getsampwnam: Unable to locate user [TESTFSCLIENT$] count=0
 [editor's note: 'TESTFSCLIENT' is the name of the machine i was
trying to join.]
[2011/02/21 14:32:22,  4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
  ldapsam_getgroup: Did not find group, filter was
(&(objectClass=sambaGroupMapping)(|(displayName=TESTFSCLIENT$)(cn=TESTFSCLIENT$)))

[2011/02/21 14:32:22,  0] passdb/pdb_interface.c:pdb_default_create_user(342)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w
-c "Workstation (testfsclient$)" "testfsclient$"' gave 9
[2011/02/21 14:32:22,  3] passdb/pdb_interface.c:pdb_default_create_user(359)
  pdb_default_create_user: failed to create a new user structure:
NT_STATUS_NO_SUCH_USER


I assume that the 'group not found' log entries are not significant,
and that '9' was the return code from smbldap-useradd.

Anyone know what return code 9 means?
Anyone have ideas how to remedy this problem?

Thanks,

Jon

[Samba] problem joining WinXP machine to samba PDC+LDAP environment

2011-02-21 Thread Jon Detert
Hello,

I can't join a winxp box to my samba domain.  I just have one samba
server, meant to act as a PDC for domain='CHI'.
Any ideas how to troubleshoot and/or remedy?

Thanks,

Jon

Context:

samba v3.3.8 on CentOS v5.5, using ldapsam backend.  Domainname ='CHI'.
smbldap-tools v0.9.6.
I 'populated' the ldap with 'smbldap-populate'.

I try to join the winxp box, authenticating to the domain as user
'jdetert', which is a member of the 'Administrators' group:
# smbldap-groupshow Administrators
dn: cn=Administrators,ou=Groups,dc=infinityhealthcare,dc=com
objectClass: top,posixGroup,sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the
computer/sambaDomainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators
memberUid: jdetert,root

What happens:
--
a failure dialog window pops up on the winxp box with this message:
'The following error occurred attempting to join the domain "CHI":
The user name could not be found.'

And here are the interesting bits (as far as I can tell) from the samba logs:


[2011/02/21 14:32:07,  2] lib/smbldap_util.c:smbldap_search_domain_info(277)
  smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=CHI))]
[2011/02/21 14:32:07,  2] lib/smbldap.c:smbldap_open_connection(856)
  smbldap_open_connection: connection opened
[2011/02/21 14:32:07,  3] lib/smbldap.c:smbldap_connect_system(1067)
  ldap_connect_system: successful connection to the LDAP server
[2011/02/21 14:32:07,  4] lib/smbldap.c:smbldap_open(1143)
  The LDAP server is successfully connected
..
[2011/02/21 14:32:07,  4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
  ldapsam_getgroup: Did not find group, filter was
(&(objectClass=sambaGroupMapping)(gidNumber=0))
...
[2011/02/21 14:32:07,  4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
  ldapsam_getgroup: Did not find group, filter was
(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-545))
...
[2011/02/21 14:32:07,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID
[S-1-5-21-3685928793-4148883033-3314734756-500]
...

[2011/02/21 14:32:07,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID
[S-1-5-21-3685928793-4148883033-3314734756-501]
[2011/02/21 14:32:07,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID
[S-1-5-21-3685928793-4148883033-3314734756-514]
[2011/02/21 14:32:07,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2011/02/21 14:32:07,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-32-546]


interesting bits in the log., where
clientMachineName=testfsclient

[2011/02/21 14:32:22,  4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
  ldapsam_getgroup: Did not find group, filter was
(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-545))
 [editor's note: that's for the group 'Users'.  Also couldn't find
groups for S-1-5-2 ('Network'), S-1-1-0 ('Everyone'),  and  S-1-5-11
('Authenticated Users').]
[2011/02/21 14:32:22,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID
[S-1-5-21-3685928793-4148883033-3314734756-11002]
[2011/02/21 14:32:22,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID
[S-1-5-21-3685928793-4148883033-3314734756-11001]
[2011/02/21 14:32:22,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2011/02/21 14:32:22,  3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-11]
 [editor's note: the SID ending in 11002 is the user 'jdetert'
that attempted to join the machine, and the SID ending in 11001 is
jdetert's primary GID.]
[2011/02/21 14:32:22,  4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1519)
  ldapsam_getsampwnam: Unable to locate user [TESTFSCLIENT$] count=0
 [editor's note: 'TESTFSCLIENT' is the name of the machine i was
trying to join.]
[2011/02/21 14:32:22,  4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
  ldapsam_getgroup: Did not find group, filter was
(&(objectClass=sambaGroupMapping)(|(displayName=TESTFSCLIENT$)(cn=TESTFSCLIENT$)))

[2011/02/21 14:32:22,  0] passdb/pdb_interface.c:pdb_default_create_user(342)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w
-c "Workstation (testfsclient$)" "testfsclient$"' gave 9
[2011/02/21 14:32:22,  3] passdb/pdb_interface.c:pdb_default_create_user(359)
  pdb_default_create_user: failed to create a new user structure:
NT_STATUS_NO_SUCH_USER


I assume that the 'group not found' log entries are not significant,
and that '9' was the return code from smbldap-useradd.

Anyone know what return code 9 means?
Anyone have ideas how to remedy this problem?

Thanks,

Jon