Re: [Samba] unable to join w2k3 SP1 to samba 3 domain.

2009-09-10 Thread Adam Nielsen
 Hi, my user is a domain admin, i.e. a member of group RID 512.
 When I try to join the domain, I'm prompted for username and password.
 This means that the Windows server has successfully located the Samba
 PDC using Wins resolution.
 So far so good, but when I enter my credentials I get the error
 message after 3-5 secs.

That means the credentials you're entering don't have enough access.

 ## Add Samba machine account
 sudo useradd -g 515 -d /dev/null -s /bin/false devsrv01$
 sudo pdbedit -a -u devsrv01$

Here you're adding the machine account as root, but are you entering in
root's username and password when adding the machine to the domain?  I'm
not familiar enough with how all the Samba permissions are set up, but I
would guess that your domain admin account doesn't have the access it
should.  If you can add the machine to the domain as the SAMBAPC\root
user or the like then that would definitely be the case.

Cheers,
Adam.
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba


Re: [Samba] unable to join w2k3 SP1 to samba 3 domain.

2009-09-09 Thread Emil Konow
 09/09/2009 00:51:59:650 NetpManageMachineAccountWithSid: NetUserAdd on
 '\\PDC' for 'DEVSRV01$' failed: 0x8b0
 09/09/2009 00:51:59:655 NetpSetMachineAccountPasswordAndTypeEx: Broken
 account type 0x11 -- error out
 09/09/2009 00:51:59:657 NetpManageMachineAccountWithSid: status of
 attempting to set password on '\\PDC' for 'DEVSRV01$': 0x524
 09/09/2009 00:51:59:657 NetpJoinDomain: status of creating account: 0x524
 09/09/2009 00:51:59:657 NetpJoinDomain: initiaing a rollback due to
 earlier errors

 It definitely looks like it can't set the machine password.
 ...
 When you add the Windows machine to the domain it should ask you for
 a username and password, so use one that has lots of access :-)

 Cheers,
 Adam.

Hi, my user is a domain admin, i.e. a member of group RID 512.
When I try to join the domain, I'm prompted for username and password.
This means that the Windows server has successfully located the Samba
PDC using Wins resolution.
So far so good, but when I enter my credentials I get the error
message after 3-5 secs.

Could it be that my Samba users are badly set up?
I'm using tdbsam password backend.
I performed the following procedure when I created my Samba users:

## Add essential Samba groups
sudo groupadd --gid 512 smb-domain-admins
sudo groupadd --gid 513 smb-domain-users
sudo groupadd --gid 514 smb-domain-guests
sudo groupadd --gid 515 smb-domain-computers

## Add Samba group mapping
sudo net groupmap add ntgroup="Domain Admins" unixgroup=smb-domain-admins rid=512
sudo net groupmap add ntgroup="Domain Users" unixgroup=smb-domain-users rid=513
sudo net groupmap add ntgroup="Domain Guests" unixgroup=smb-domain-guests rid=514
sudo net groupmap add ntgroup="Domain Computers" unixgroup=smb-domain-computers rid=515

## Add Samba domain admin
sudo useradd -g 512 -d /dev/null -s /bin/false devadm
sudo passwd devadm
sudo pdbedit -a -u devadm

## Add Samba machine account
sudo useradd -g 515 -d /dev/null -s /bin/false devsrv01$
sudo pdbedit -a -u devsrv01$



Here is a dump of smb.conf, using testparm:

Load smb config files from /etc/samba/smb.conf
Processing section [netlogon]
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC
Press enter to see a dump of your service definitions

[global]
       workgroup = DEVNET
       netbios name = PDC
       passdb backend = tdbsam:/etc/samba/passdb.tdb
       log level = 2
       log file = /var/log/samba/samba.log
       name resolve order = wins
       load printers = No
       disable spoolss = Yes
       logon path =
       logon home =
       domain logons = Yes
       os level = 33
       preferred master = Yes
       domain master = Yes
       dns proxy = No
       wins support = Yes

[netlogon]
       path = /var/lib/samba/netlogon

Re: [Samba] unable to join w2k3 SP1 to samba 3 domain.

2009-09-09 Thread Emil Konow
 Emil, could you please open a bug about this on

 bugzilla.samba.org and include your C:\windows\debug\netsetup.log file ?

 I would like to reproduce that and see what is going wrong.

 Thanks,
 Guenther

 --
 Günther Deschner    GPG-ID: 8EE11688
 Red Hat gdesch...@redhat.com
 Samba Team  g...@samba.org


Hello Günther,
I'll be glad to do that!
However, I do realise that my Samba version 3.0.28a is very old.
Please let me know on which product I should post my bug report.
Thank you,
Emil Konow

Re: [Samba] unable to join w2k3 SP1 to samba 3 domain.

2009-09-08 Thread Adam Nielsen
 I've been running Samba 3.0.28a on Ubuntu for a few months.
 One of my machines is running Windows Server 2008 SP2.
 This machine joined my Samba domain just fine months ago,
 however last week I reinstalled the PDC with Ubuntu and Samba.
 
 Now I'm unable to rejoin my Windows Server 2008 machine to Samba.
 When I try to join the domain I get this error:
 
 The following error occurred attempting to join the domain DEVNET:
 The specified account already exists.

Just a guess, but have you deleted the computer object from AD before
re-adding it?  Or are you using an account with write access to the
object?  If the PC already exists in AD you will need certain privileges
to overwrite it.

Cheers,
Adam.



Re: [Samba] unable to join w2k3 SP1 to samba 3 domain.

2009-09-08 Thread Emil Konow
 I've been running Samba 3.0.28a on Ubuntu for a few months.
 One of my machines is running Windows Server 2008 SP2.
 This machine joined my Samba domain just fine months ago,
 however last week I reinstalled the PDC with Ubuntu and Samba.

 Now I'm unable to rejoin my Windows Server 2008 machine to Samba.
 When I try to join the domain I get this error:

 The following error occurred attempting to join the domain DEVNET:
 The specified account already exists.

 Just a guess, but have you deleted the computer object from AD before
 re-adding it?  Or are you using an account with write access to the
 object?  If the PC already exists in AD you will need certain privileges
 to overwrite it.

 Cheers,
 Adam.




Hi Adam,
I'm also under the impression that something needs to be removed
from the system.
Could you please elaborate on how to remove the machine from the AD? Thx!
(I've always thought that the term Active Directory isn't relevant
to a Samba PDC,
since Samba-3 only functions as an MS Windows NT4-style domain controller.)

On the other hand, I guess I've found some very interesting stuff in
C:\windows\debug\netsetup.log
It looks like a complete log of the joining process on the Windows server.
Now I'm hoping for someone to make anything out of it :)
Thanks!

09/09/2009 00:51:52:645
-
09/09/2009 00:51:52:645 NetpValidateName: checking to see if
'DEVSRV01' is valid as type 1 name
09/09/2009 00:51:52:645 NetpCheckNetBiosNameNotInUse for 'DEVSRV01'
[MACHINE] returned 0x0
09/09/2009 00:51:52:645 NetpValidateName: name 'DEVSRV01' is valid for type 1
09/09/2009 00:51:52:646
-
09/09/2009 00:51:52:646 NetpValidateName: checking to see if
'DEVSRV01' is valid as type 5 name
09/09/2009 00:51:52:646 NetpValidateName: name 'DEVSRV01' is valid for type 5
09/09/2009 00:51:52:647
-
09/09/2009 00:51:52:647 NetpValidateName: checking to see if 'DEVNET'
is valid as type 3 name
09/09/2009 00:51:52:751 NetpCheckDomainNameIsValid [ Exists ] for
'DEVNET' returned 0x0
09/09/2009 00:51:52:751 NetpValidateName: name 'DEVNET' is valid for type 3
09/09/2009 00:51:58:450
-
09/09/2009 00:51:58:450 NetpDoDomainJoin
09/09/2009 00:51:58:451 NetpMachineValidToJoin: 'DEVSRV01'
09/09/2009 00:51:58:451 OS Version: 6.0
09/09/2009 00:51:58:451 Build number: 6002
09/09/2009 00:51:58:451 ServicePack: Service Pack 2
09/09/2009 00:51:58:451 SKU: Windows Server® 2008 Standard
09/09/2009 00:51:58:451 NetpDomainJoinLicensingCheck:
ulLicenseValue=1, Status: 0x0
09/09/2009 00:51:58:451 NetpGetLsaPrimaryDomain: status: 0x0
09/09/2009 00:51:58:452 NetpMachineValidToJoin: status: 0x0
09/09/2009 00:51:58:452 NetpJoinDomain
09/09/2009 00:51:58:452 Machine: DEVSRV01
09/09/2009 00:51:58:452 Domain: DEVNET
09/09/2009 00:51:58:452 MachineAccountOU: (NULL)
09/09/2009 00:51:58:452 Account: DEVNET\devadm
09/09/2009 00:51:58:452 Options: 0x25
09/09/2009 00:51:58:452 NetpLoadParameters: loading registry parameters...
09/09/2009 00:51:58:452 NetpLoadParameters: DNSNameResolutionRequired
not found, defaulting to '1' 0x2
09/09/2009 00:51:58:452 NetpLoadParameters: status: 0x2
09/09/2009 00:51:58:452 NetpValidateName: checking to see if 'DEVNET'
is valid as type 3 name
09/09/2009 00:51:58:556 NetpCheckDomainNameIsValid [ Exists ] for
'DEVNET' returned 0x0
09/09/2009 00:51:58:556 NetpValidateName: name 'DEVNET' is valid for type 3
09/09/2009 00:51:58:556 NetpDsGetDcName: trying to find DC in domain
'DEVNET', flags: 0x40001010
09/09/2009 00:51:59:274 NetpDsGetDcName: found DC '\\PDC' in the
specified domain
09/09/2009 00:51:59:350 NetpJoinDomain: status of connecting to dc '\\PDC': 0x0
09/09/2009 00:51:59:354 NetpGetLsaPrimaryDomain: status: 0x0
09/09/2009 00:51:59:354 NetpGetNt4RefusePasswordChangeStatus: trying
to read from '\\PDC'
09/09/2009 00:51:59:363 NetpGetNt4RefusePasswordChangeStatus:
RefusePasswordChange == 0
09/09/2009 00:51:59:365 NetpLsaOpenSecret: status: 0xc034
09/09/2009 00:51:59:365 NetpGetLsaPrimaryDomain: status: 0x0
09/09/2009 00:51:59:365 NetpLsaOpenSecret: status: 0xc034
09/09/2009 00:51:59:416 Failed to validate machine account for
DEVSRV01 against \\PDC: 0xc002002e
09/09/2009 00:51:59:416 NetpJoinDomain: status of validating account
using NL SC: 0x6d1
09/09/2009 00:51:59:416 NetpJoinDomain: initiaing a rollback due to
earlier errors
09/09/2009 00:51:59:416 NetpLsaOpenSecret: status: 0x0
09/09/2009 00:51:59:446 NetpJoinDomain: rollback: status of deleting secret: 0x0
09/09/2009 00:51:59:448 NetpJoinDomain: status of disconnecting from
'\\PDC': 0x0
09/09/2009 00:51:59:448 NetpDoDomainJoin: status: 0x6d1
09/09/2009 00:51:59:458
-
09/09/2009 00:51:59:458 

Re: [Samba] unable to join w2k3 SP1 to samba 3 domain.

2009-09-08 Thread Adam Nielsen
 Could you please elaborate on how to remove the machine from the AD? Thx!
 (I've always thought that the term Active Directory isn't relevant
 to a Samba PDC,
 since Samba-3 only functions as an MS Windows NT4-style domain controller.)

 09/09/2009 00:51:59:650 NetpManageMachineAccountWithSid: NetUserAdd on
 '\\PDC' for 'DEVSRV01$' failed: 0x8b0
 09/09/2009 00:51:59:655 NetpSetMachineAccountPasswordAndTypeEx: Broken
 account type 0x11 -- error out
 09/09/2009 00:51:59:657 NetpManageMachineAccountWithSid: status of
 attempting to set password on '\\PDC' for 'DEVSRV01$': 0x524
 09/09/2009 00:51:59:657 NetpJoinDomain: status of creating account: 0x524
 09/09/2009 00:51:59:657 NetpJoinDomain: initiaing a rollback due to
 earlier errors

It definitely looks like it can't set the machine password.  I didn't
realise you were using Samba as the domain controller, I've only ever
used MS servers for this (and their GUI tools to delete PCs.)  If you
don't know how to delete the machine account, then getting enough access
to override it should be just as good.  When you add the Windows machine
to the domain it should ask you for a username and password, so use one
that has lots of access :-)

Cheers,
Adam.
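
The netsetup.log excerpts quoted in this thread can be reduced to their non-zero status codes mechanically. The script below is an added example, not part of any poster's message or of Samba: the function names are hypothetical, and the code-to-name table uses the Windows SDK constant names for values that appear in the log.

```python
import re

# Status values from the thread's log; names per the Windows SDK headers.
KNOWN_STATUS = {
    0x524: "ERROR_USER_EXISTS",
    0x6D1: "RPC_S_PROCNUM_OUT_OF_RANGE",
    0x8B0: "NERR_UserExists",
    0xC002002E: "RPC_NT_PROCNUM_OUT_OF_RANGE",
}
# netsetup.log entries start with MM/DD/YYYY HH:MM:SS:mmm
STAMP = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3})\s*(.*)$")
HEX = re.compile(r"0x[0-9a-fA-F]+")
STATUS_WORDS = ("status", "failed", "returned")

def join_wrapped(text):
    """Re-join entries that a mail client wrapped onto continuation lines."""
    entries = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if STAMP.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries

def failures(text):
    """Return (timestamp, code, meaning) for each entry reporting a non-zero
    status; flags/options/type lines also carry hex values and are skipped."""
    found = []
    for entry in join_wrapped(text):
        m = STAMP.match(entry)
        codes = HEX.findall(m.group(2)) if m else []
        if codes and any(w in m.group(2).lower() for w in STATUS_WORDS):
            code = int(codes[-1], 16)
            if code:
                found.append((m.group(1), code, KNOWN_STATUS.get(code, "unknown")))
    return found

# Lines copied from the log excerpts in this thread, mail wrapping included.
SAMPLE = r"""
09/09/2009 00:51:59:350 NetpJoinDomain: status of connecting to dc '\\PDC': 0x0
09/09/2009 00:51:59:416 Failed to validate machine account for
DEVSRV01 against \\PDC: 0xc002002e
09/09/2009 00:51:59:416 NetpJoinDomain: status of validating account
using NL SC: 0x6d1
09/09/2009 00:51:59:650 NetpManageMachineAccountWithSid: NetUserAdd on
'\\PDC' for 'DEVSRV01$' failed: 0x8b0
09/09/2009 00:51:59:655 NetpSetMachineAccountPasswordAndTypeEx: Broken
account type 0x11 -- error out
09/09/2009 00:51:59:657 NetpJoinDomain: status of creating account: 0x524
"""
```

Calling `failures(SAMPLE)` returns four entries: the two RPC "procedure number out of range" codes from the secure-channel validation, then `NERR_UserExists` and `ERROR_USER_EXISTS` from the account creation step.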



Re: [Samba] unable to join w2k3 SP1 to samba 3 domain.

2009-09-08 Thread Guenther Deschner
Emil, could you please open a bug about this on

bugzilla.samba.org and include your C:\windows\debug\netsetup.log file ?

I would like to reproduce that and see what is going wrong.

Thanks,
Guenther

-- 
Günther Deschner    GPG-ID: 8EE11688
Red Hat gdesch...@redhat.com
Samba Team  g...@samba.org

