Marek Szuba
2005-Dec-04 02:18 UTC
[Samba] Samba PDC with ldapsam - unable to join the domain
Hello everyone,

That's it, I give up - I've got no idea what's going on with the damn thing... Maybe you will be able to help.

Here is the deal: I've got a Linux machine running Samba which is to operate as a PDC for a bunch of W2k Pro and XP Pro machines. Since all user data on that server is stored in LDAP, I figured it would be good to have Samba use it as well. While setting things up I followed a bunch of guides I found on the net and used smbldap-tools to handle adding of machine accounts. There is one difference though - instead of giving my domain administrator account UID 0, I enabled Windows privileges in Samba and gave the account in question SeMachineAccountPrivilege; if I use "net rights" I can see it has it.

Now, here is what happens when I want to test things by adding the same machine to the domain:

# net join DOMAIN -U domadm
domadm's password:
[2005/12/04 03:08:30, 0] utils/net_ads.c:ads_startup(191)
ads_connect: No results returned
Unable to join domain DOMAIN.
#

The only thing the logs show (at level 1) is

samba is_any_privilege_assigned: no privileges in check_mask!

At first I thought I got the privileges wrong after all, but a quick look inside the LDAP database shows the machine account HAS been added successfully. Moreover, having switched the log level to 255 I could see that the aforementioned message appears long before the end of the session, so it seems to be unrelated (or if it is, I don't know how). On the other hand, even at 255 I could see nothing even remotely resembling the message the client got - no mention of "ads" anywhere!

Please let me know if you need any more information about the system, my Samba configuration, log snippets or anything. I would really like to get this thing over with.

Regards,
--
MS
Craig White
2005-Dec-04 04:30 UTC
[Samba] Samba PDC with ldapsam - unable to join the domain
On Sun, 2005-12-04 at 03:17 +0100, Marek Szuba wrote:
> Hello everyone,
>
> That's it, I give up - I've got no idea what's going on with the damn
> thing... Maybe you will be able to help.
>
> Here is the deal: I've got a Linux machine running Samba which is to
> operate as a PDC for a bunch of W2k Pro and XP Pro machines. Since all
> user data on that server is stored in LDAP, I figured it would be good
> to have Samba use it as well. While setting things up I followed a
> bunch of guides I found on the net and used smbldap-tools to handle
> adding of machine accounts. There is one difference though - instead of
> giving my domain administrator account UID 0, I enabled Windows
> privileges in Samba and gave the account in question
> SeMachineAccountPrivilege; if I use "net rights" I can see it has it.
>
> Now, here is what happens when I want to test things by adding the same
> machine to the domain:
>
> # net join DOMAIN -U domadm
> domadm's password:
> [2005/12/04 03:08:30, 0] utils/net_ads.c:ads_startup(191)
> ads_connect: No results returned
> Unable to join domain DOMAIN.
> #
>
> The only thing the logs show (at level 1) is
>
> samba is_any_privilege_assigned: no privileges in check_mask!
>
> At first I thought I got the privileges wrong after all, but a quick
> look inside the LDAP database shows the machine account HAS been added
> successfully. Moreover, having switched the log level to 255 I could
> see that the aforementioned message appears long before the end of the
> session, so it seems to be unrelated (or if it is, I don't know how).
> On the other hand, even at 255 I could see nothing even remotely
> resembling the message the client got - no mention of "ads" anywhere!
>
> Please let me know if you need any more information about the system,
> my Samba configuration, log snippets or anything. I would really like
> to get this thing over with.
----
If Linux is PDC...

security = user

net join is pointless for the PDC but another Linux system would probably want to join the domain to get samba data.

You don't state what settings in smb.conf are for 'security =' and it's not clear what you are trying to accomplish with 'net join' command.

SeMachineAccountPrivilege is for samba 3.0.11 or higher, otherwise you would have to have an account with UID=0 to join the domain. You don't state which version of samba you are using.

Craig
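
The settings this thread turns on, gathered into one smb.conf fragment as an added example; it is not either poster's configuration. DOMAIN, domadm and smbldap-tools come from the thread, while the LDAP URL, DNs, OU name and script path are assumed placeholders.

```ini
# Constructed [global] fragment for a Samba 3 PDC using ldapsam.
# smb.conf comments must sit on their own line; trailing comments
# after a value would be read as part of the value.
[global]
    workgroup = DOMAIN

    # A PDC authenticates against its own passdb, so it runs in user mode
    # and is not itself joined with "net join".
    security = user
    domain logons = yes
    domain master = yes

    # Account storage in LDAP (placeholder URL and DNs).
    passdb backend = ldapsam:ldap://127.0.0.1
    ldap suffix = dc=example,dc=org
    ldap admin dn = cn=samba,dc=example,dc=org
    ldap machine suffix = ou=Computers

    # Machine accounts created on demand through smbldap-tools
    # (placeholder path; %u is the machine account name).
    add machine script = /usr/sbin/smbldap-useradd -w "%u"

    # Samba 3.0.11 or higher: honour rights assigned to accounts, so that
    # a non-root account holding SeMachineAccountPrivilege (domadm here)
    # can add machines. Without this, or on older versions, only an
    # account with UID 0 can do so.
    enable privileges = yes

    # Rights are assigned and reviewed with "net rpc rights grant" and
    # "net rpc rights list"; "testparm -s" shows the effective values of
    # the parameters above and "smbd -V" the running version.
```

Delegating only SeMachineAccountPrivilege keeps the join account from needing UID 0, which limits what a leaked join password exposes to machine-account creation.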