On Tue, Jun 15, 2010 at 1:04 PM, delpheye <delpheye at gmail.com> wrote:
> results of testparm -v:
>
> Load smb config files from /etc/samba/smb.conf
> Processing section "[homes]"
> Processing section "[netlogon]"
> Processing section "[profiles]"
> Processing section "[public]"
> Processing section "[former.employees]"
> Processing section "[temp]"
> Processing section "[joadmin]"
> Processing section "[labs]"
> Processing section "[business]"
> Loaded services file OK.
> WARNING: You have some share names that are longer than 12 characters.
> These may not be accessible to some older clients.
> (Eg. Windows9x, WindowsMe, and smbclient prior to Samba 3.0.)
> Server role: ROLE_DOMAIN_PDC
> Press enter to see a dump of your service definitions
>
> [global]
>     dos charset = CP850
>     unix charset = UTF-8
>     display charset = LOCALE
>     workgroup = DOMAIN.COM
>     realm =
>     netbios name = DOMAIN-FS
>     netbios aliases =
>     netbios scope =
>     server string = Samba 3.3.8-0.51.el5
>     interfaces =
>     bind interfaces only = No
>     config backend = file
>     security = USER
>     auth methods =
>     encrypt passwords = Yes
>     update encrypted = No
>     client schannel = Auto
>     server schannel = Auto
>     allow trusted domains = Yes
>     map to guest = Never
>     null passwords = No
>     obey pam restrictions = No
>     password server = *
>     smb passwd file = /var/lib/samba/private/smbpasswd
>     private dir = /var/lib/samba/private
>     passdb backend = ldapsam:ldap://127.0.0.1
>     algorithmic rid base = 1000
>     root directory =
>     guest account = nobody
>     enable privileges = Yes
>     pam password change = No
>     passwd program = /usr/bin/passwd '%u'
>     passwd chat = "*New UNIX password*" %n\n "*Retype new UNIX password*" %n\n "*updated successfully*"
>     passwd chat debug = No
>     passwd chat timeout = 2
>     check password script =
>     username map = /etc/samba/smbusers
>     password level = 0
>     username level = 0
>     unix password sync = Yes
>     restrict anonymous = 0
>     lanman auth = No
>     ntlm auth = Yes
>     client NTLMv2 auth = No
>     client lanman auth = No
>     client plaintext auth = No
>     preload modules =
>     use kerberos keytab = No
>     log level = 5
>     syslog = 1
>     syslog only = No
>     log file =
>     max log size = 5000
>     debug timestamp = Yes
>     debug prefix timestamp = No
>     debug hires timestamp = No
>     debug pid = No
>     debug uid = No
>     debug class = No
>     enable core files = Yes
>     smb ports = 445 139
>     large readwrite = Yes
>     max protocol = NT1
>     min protocol = CORE
>     min receivefile size = 0
>     read raw = Yes
>     write raw = Yes
>     disable netbios = No
>     reset on zero vc = No
>     acl compatibility = auto
>     defer sharing violations = Yes
>     nt pipe support = Yes
>     nt status support = Yes
>     announce version = 4.9
>     announce as = NT
>     max mux = 50
>     max xmit = 16644
>     name resolve order = wins bcast hosts
>     max ttl = 259200
>     max wins ttl = 518400
>     min wins ttl = 21600
>     time server = No
>     unix extensions = Yes
>     use spnego = Yes
>     client signing = auto
>     server signing = No
>     client use spnego = Yes
>     client ldap sasl wrapping = plain
>     enable asu support = No
>     svcctl list =
>     deadtime = 0
>     getwd cache = Yes
>     keepalive = 300
>     lpq cache time = 30
>     max smbd processes = 0
>     paranoid server security = Yes
>     max disk size = 0
>     max open files = 10000
>     socket options = TCP_NODELAY
>     use mmap = Yes
>     hostname lookups = No
>     name cache timeout = 660
>     ctdbd socket =
>     cluster addresses =
>     clustering = No
>     load printers = Yes
>     printcap cache time = 750
>     printcap name = cups
>     cups server =
>     cups connection timeout = 30
>     iprint server =
>     disable spoolss = No
>     addport command =
>     enumports command =
>     addprinter command =
>     deleteprinter command =
>     show add printer wizard = Yes
>     os2 driver map =
>     mangling method = hash2
>     mangle prefix = 1
>     max stat cache size = 256
>     stat cache = Yes
>     machine password timeout = 604800
>     add user script = /usr/sbin/smbldap-useradd -m "%u"
>     rename user script =
>     delete user script = /usr/sbin/smbldap-userdel "%u"
>     add group script = /usr/sbin/smbldap-groupadd -p "%g"
>     delete group script = /usr/sbin/smbldap-groupdel "%g"
>     add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>     delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>     set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>     add machine script = /usr/sbin/smbldap-useradd -w "%u"
>     shutdown script =
>     abort shutdown script =
>     username map script =
>     logon script = logon.bat
>     logon path = \\domain-fs\profiles\%u
>     logon drive = H:
>     logon home = \\domain-fs\%U
>     domain logons = Yes
>     init logon delayed hosts =
>     init logon delay = 100
>     os level = 64
>     lm announce = Auto
>     lm interval = 5
>     preferred master = Yes
>     local master = Yes
>     domain master = Yes
>     browse list = Yes
>     enhanced browsing = Yes
>     dns proxy = Yes
>     wins proxy = No
>     wins server =
>     wins support = Yes
>     wins hook =
>     kernel oplocks = Yes
>     lock spin time = 200
>     oplock break wait time = 0
>     ldap admin dn = cn=root,dc=domain,dc=com
>     ldap delete dn = Yes
>     ldap group suffix = ou=Groups
>     ldap idmap suffix = ou=Idmap
>     ldap machine suffix = ou=Computers
>     ldap passwd sync = no
>     ldap replication sleep = 1000
>     ldap suffix = dc=domain,dc=com
>     ldap ssl = no
>     ldap ssl ads = No
>     ldap timeout = 15
>     ldap connection timeout = 2
>     ldap page size = 1024
>     ldap user suffix = ou=Users
>     ldap debug level = 0
>     ldap debug threshold = 10
>     eventlog list =
>     add share command =
>     change share command =
>     delete share command =
>     config file =
>     preload =
>     lock directory = /var/lib/samba
>     pid directory = /var/run
>     utmp directory =
>     wtmp directory =
>     utmp = No
>     default service =
>     message command =
>     get quota command =
>     set quota command =
>     remote announce =
>     remote browse sync =
>     socket address = 0.0.0.0
>     homedir map = auto.home
>     afs username map =
>     afs token lifetime = 604800
>     log nt token command =
>     time offset = 0
>     NIS homedir = No
>     registry shares = No
>     usershare allow guests = No
>     usershare max shares = 0
>     usershare owner only = Yes
>     usershare path = /var/lib/samba/usershares
>     usershare prefix allow list =
>     usershare prefix deny list =
>     usershare template share =
>     panic action =
>     host msdfs = Yes
>     passdb expand explicit = No
>     idmap backend = tdb
>     idmap alloc backend =
>     idmap cache time = 604800
>     idmap negative cache time = 120
>     idmap uid = 10000-20000
>     idmap gid = 10000-20000
>     template homedir = /home/%D/%U
>     template shell = /bin/false
>     winbind separator = \
>     winbind cache time = 300
>     winbind reconnect delay = 30
>     winbind enum users = No
>     winbind enum groups = No
>     winbind use default domain = No
>     winbind trusted domains only = No
>     winbind nested groups = Yes
>     winbind expand groups = 1
>     winbind nss info = template
>     winbind refresh tickets = No
>     winbind offline logon = No
>     winbind normalize names = No
>     winbind rpc only = No
>     comment =
>     path =
>     username =
>     invalid users =
>     valid users =
>     admin users =
>     read list =
>     write list =
>     printer admin =
>     force user =
>     force group =
>     read only = Yes
>     acl check permissions = Yes
>     acl group control = No
>     acl map full control = Yes
>     create mask = 0744
>     force create mode = 00
>     security mask = 0777
>     force security mode = 00
>     directory mask = 0755
>     force directory mode = 00
>     directory security mask = 0777
>     force directory security mode = 00
>     force unknown acl user = No
>     inherit permissions = No
>     inherit acls = No
>     inherit owner = No
>     guest only = No
>     administrative share = No
>     guest ok = No
>     only user = No
>     hosts allow =
>     hosts deny =
>     allocation roundup size = 1048576
>     aio read size = 0
>     aio write size = 0
>     aio write behind =
>     ea support = No
>     nt acl support = Yes
>     profile acls = No
>     map acl inherit = No
>     afs share = No
>     smb encrypt = auto
>     block size = 1024
>     change notify = Yes
>     directory name cache size = 100
>     kernel change notify = Yes
>     max connections = 0
>     min print space = 0
>     strict allocate = No
>     strict sync = No
>     sync always = No
>     use sendfile = No
>     write cache size = 0
>     max reported print jobs = 0
>     max print jobs = 1000
>     printable = No
>     printing = cups
>     cups options =
>     print command =
>     lpq command = %p
>     lprm command =
>     lppause command =
>     lpresume command =
>     queuepause command =
>     queueresume command =
>     printer name =
>     use client driver = No
>     default devmode = Yes
>     force printername = No
>     printjob username = %U
>     default case = lower
>     case sensitive = Auto
>     preserve case = Yes
>     short preserve case = Yes
>     mangling char = ~
>     hide dot files = Yes
>     hide special files = No
>     hide unreadable = No
>     hide unwriteable files = No
>     delete veto files = No
>     veto files =
>     hide files =
>     veto oplock files =
>     map archive = Yes
>     map hidden = No
>     map system = No
>     map readonly = yes
>     mangled names = Yes
>     store dos attributes = No
>     dmapi support = No
>     browseable = Yes
>     blocking locks = Yes
>     csc policy = manual
>     fake oplocks = No
>     locking = Yes
>     oplocks = Yes
>     level2 oplocks = Yes
>     oplock contention limit = 2
>     posix locking = Yes
>     strict locking = Auto
>     share modes = Yes
>     dfree cache time = 0
>     dfree command =
>     copy =
>     include =
>     preexec =
>     preexec close = No
>     postexec =
>     root preexec =
>     root preexec close = No
>     root postexec =
>     available = Yes
>     volume =
>     fstype = NTFS
>     set directory = No
>     wide links = Yes
>     follow symlinks = Yes
>     dont descend =
>     magic script =
>     magic output =
>     delete readonly = No
>     dos filemode = No
>     dos filetimes = Yes
>     dos filetime resolution = No
>     fake directory create times = No
>     vfs objects =
>     msdfs root = No
>     msdfs proxy =
>
> [homes]
>     comment = Home Directories
>     valid users = %S
>     read only = No
>     browseable = No
>
> [netlogon]
>     comment = Network Logon Service
>     path = /home/netlogon
>     guest ok = Yes
>
> [profiles]
>     comment = Network Profiles Share
>     path = /data/profiles
>     read only = No
>     create mask = 0600
>     directory mask = 0700
>     hide files = /desktop.ini/outlook*.lnk/*Briefcase*/
>     store dos attributes = Yes
>     browseable = No
>
> [public]
>     path = /data/public
>     valid users = "@Domain Users"
>     read only = No
>     create mask = 0755
>     guest ok = Yes
>
> [former.employees]
>     path = /data/former.employees
>     valid users = "@Domain Users"
>     read only = No
>     create mask = 0755
>     guest ok = Yes
>
> [temp]
>     path = /data/temp
>     valid users = "@Domain Users"
>     read only = No
>     create mask = 0755
>     guest ok = Yes
>
> [joadmin]
>     comment = Jo Admin
>     path = /data/jo-admin
>     valid users = joxxx
>     write list = "@domain users"
>     read only = No
>     create mask = 0775
>     directory mask = 0775
>
> [labs]
>     comment = Labs Data
>     path = /data/labs
>     valid users = "@Domain Users"
>     write list = "@Domain Users"
>     read only = No
>     create mask = 0775
>     directory mask = 0770
>     guest ok = Yes
>
> [business]
>     comment = Business Docs
>     path = /data/Business
>     valid users = "@Business Users"
>     read only = No
>     create mask = 0775
>     directory mask = 0775
>
>
> On Tue, Jun 15, 2010 at 12:52 PM, Alberto Moreno <portsbsd at gmail.com> wrote:
>>
>> On Tue, Jun 15, 2010 at 10:40 AM, Alberto Moreno <portsbsd at gmail.com> wrote:
>> > On Tue, Jun 15, 2010 at 9:57 AM, <tms3 at tms3.com> wrote:
>> >>
>> >> On Tuesday 15/06/2010 at 9:17 am, Alberto Moreno wrote:
>> >>
>> >> On Mon, Jun 14, 2010 at 11:45 PM, <tms3 at tms3.com> wrote:
>> >>
>> >> --- Original message ---
>> >> Subject: Re: [Samba] windows 7 unable to join domain
>> >> From: Alberto Moreno <portsbsd at gmail.com>
>> >> To: <samba at lists.samba.org>
>> >> Date: Monday, 14/06/2010 11:03 PM
>> >>
>> >> On Mon, Jun 14, 2010 at 6:11 PM, <tms3 at tms3.com> wrote:
>> >>
>> >> SNIP
>> >>
>> >> I'm currently running Samba3x-3.3.8-0.51 on CentOS 5.5. I currently have
>> >> many Windows XP clients associated with the domain and behaving correctly.
>> >> However, I am unable to join a Windows 7 PC. I receive "The specified
>> >> network name is no longer available."
>> >>
>> >> I've verified that DNS is configured correctly, and as stated XP machines
>> >> have no problem joining.
>> >>
>> >> http://wiki.samba.org/index.php/Windows7
>> >>
>> >> There's a reg file that comes with the source code. Not sure about binary
>> >> packages.
>> >>
>> >> Cheers,
>> >>
>> >> SNIP
>> >> --
>> >> To unsubscribe from this list go to the following URL and read the
>> >> instructions: https://lists.samba.org/mailman/options/samba
>> >>
>> >> Like tms3 told u, we have to make some changes to the registry before
>> >> we join ms 7 to the domain, I already did and works, no issue.
>> >>
>> >> Another thing I see in your smb.conf:
>> >>
>> >> security = DOMAIN.
>> >>
>> >> In my little knowledge about samba, if u have a PDC it must say:
>> >>
>> >> security = user.
>> >>
>> >> When u add a BDC it must say:
>> >>
>> >> security = DOMAIN.
>> >>
>> >> I disagree on the last point.
>> >>
>> >> Security = user is default, so no entry necessary.
>> >>
>> >> For PDC I use:
>> >>
>> >>         os level = 64
>> >>         preferred master = Yes
>> >>         domain logons =Yes
>> >>         domain master = Yes
>> >>
>> >> For BDC I use (if on separate nodes)
>> >>
>> >>         os level = 64
>> >>         preferred master = Yes
>> >>         domain logons =Yes
>> >>         domain master = no
>> >>
>> >> If on same node
>> >>
>> >>         os level = 60
>> >>         preferred master = Auto
>> >>         domain logons =Yes
>> >>         domain master = no
>> >>
>> >> "In domain security mode, the Samba server has a machine account
>> >> (domain security trust account) and causes all authentication requests
>> >> to be passed through to the domain controllers. The Samba server is
>> >> made into a domain member server by using the following directives in
>> >> smb.conf."
>> >>
>> >> "security = domain"
>> >>
>> >> Hi.
>> >>
>> >> I point this because on his smb.conf file he is using security=domain,
>> >> by default like u say is =user.
>> >>
>> >> Oh, not trying to be a snit, just that if you use sec=domain then the BDC
>> >> will call the PDC for authing. It will work, it's just that it kinda (IMHO)
>> >> makes the BDC sorta useless. And over WAN links wastes bandwidth.
>> >>
>> >> Cheers,
>> >>
>> >> Thanks!!!
>> >>
>> >> Last thing, smbldap-tools using the base repo from Centos 5.5 depend
>> >> on Samba-3.0.x, u must build your own rpm to work with samba3x.
>> >>
>> >> My two cents.
>> >> --
>> >> LIving the dream...
>> >>
>> >
>> > No problem my friend, we are here to learn, thanks for sharing.
>> >
>> > --
>> > LIving the dream...
>> >
>>
>> U say that u already have some XP clients on your domain, which meant
>> that works.
>>
>> U are trying to add a Windows 7 capable of being able to be part of a
>> Domain, like Ultimate Edition or compatible right? not a Home Edition.
>>
>> U are using ldap on centos, which is working? Because u have XP
>> clients inside the domain, they can see the PDC of your domain?
>>
>> Could u please give us the output of testparm+testparm of your PDC.
>>
>> Thanks!!!
>>
>> --
>> LIving the dream...
>
This is my smb.conf which I had setup this week, I have here Windows
XP+Windows 7 UE.
[global]
    unix charset = UTF8
    workgroup = BOMBOM
    server string = PDC Server
    interfaces = eth0, lo
    bind interfaces only = Yes
    passdb backend = ldapsam:ldap://172.16.5.152/
    pam password change = Yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *New*UNIX*password* %nn *ReType*new*UNIX*password* %nn * passwd:*all*authentication*tokens*updated*successfully*
    username map = /etc/samba/usermap
    password level = 6
    unix password sync = Yes
    log level = 1
    log file = /var/log/samba/%m.log
    max log size = 500
    name resolve order = wins hosts bcast lmhost
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    load printers = No
    show add printer wizard = No
    add user script = /usr/sbin/smbldap-useradd -m %u
    delete user script = /usr/sbin/smbldap-userdel %u
    add group script = /usr/sbin/smbldap-groupadd -p %g
    delete group script = /usr/sbin/smbldap-groupdel %g
    add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
    delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
    set primary group script = /usr/sbin/smbldap-usermod -g %g %u
    add machine script = /usr/sbin/smbldap-useradd -w %m
    logon path =
    logon home =
    domain logons = Yes
    os level = 64
    preferred master = Yes
    domain master = Yes
    wins support = Yes
    ldap admin dn = cn=Manager,dc=bombom,dc=com
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap machine suffix = ou=Computers
    ldap passwd sync = yes
    ldap suffix = dc=bombom,dc=com
    ldap ssl = no
    ldap user suffix = ou=Users
    host msdfs = No
    idmap backend = ldap:ldap://172.16.5.152
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    hosts allow = 172.16.0.0/16, 127.
    hosts deny = 0.0.0.0
    map acl inherit = Yes
    map archive = No

[netlogon]
    comment = Network Logon Service
    path = /home/samba/netlogon
    guest ok = Yes
    locking = No

[homes]
    comment = Home Directories
    valid users = %S
    read only = No
    browseable = No

[Public]
    comment = Public Folder
    path = /opt/public
    read only = No
    create mask = 0775
    directory mask = 0775
    guest ok = Yes

[IT]
    path = /opt/it
    valid users = @it
    write list = @BOMBOM\it
    force group = @BOMBOM\it
    read only = No
    force create mode = 0770
    directory mask = 0770

[Account]
    path = /opt/account
    valid users = @account
    write list = @BOMBOM\accounts
    force group = @BOMBOM\account
    read only = No
    force create mode = 0770
    directory mask = 0770
    map readonly = no
    store dos attributes = Yes

This is my account for the windows 7 client:
pdbedit -Lv bom-win7ue$
Unix username: bom-win7ue$
NT username: bom-win7ue$
Account Flags: [W ]
User SID: S-1-5-21-506473411-1786020119-2248725859-1002
Primary Group SID: S-1-5-21-506473411-1786020119-2248725859-515
Full Name: BOM-WIN7UE$
Home Directory:
HomeDir Drive:
Logon Script:
Profile Path:
Domain: BOMBOM
Account desc: Computer
Workstations:
Munged dial:
Logon time: 0
Logoff time: never
Kickoff time: never
Password last set: Mon, 14 Jun 2010 07:33:00 PDT
Password can change: Mon, 14 Jun 2010 07:33:00 PDT
Password must change: never
Last bad password : 0
Bad password count : 0
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

net groupmap list
Domain Admins (S-1-5-21-506473411-1786020119-2248725859-512) -> Domain Admins
Domain Users (S-1-5-21-506473411-1786020119-2248725859-513) -> Domain Users
Domain Guests (S-1-5-21-506473411-1786020119-2248725859-514) -> Domain Guests
Domain Computers (S-1-5-21-506473411-1786020119-2248725859-515) -> Domain Computers
Administrators (S-1-5-32-544) -> Administrators
Account Operators (S-1-5-32-548) -> Account Operators
Print Operators (S-1-5-32-550) -> Print Operators
Backup Operators (S-1-5-32-551) -> Backup Operators
Replicators (S-1-5-32-552) -> Replicators
it (S-1-5-21-506473411-1786020119-2248725859-3007) -> it
account (S-1-5-21-506473411-1786020119-2248725859-3009) -> account

My domain groups are there.

smbclient -L \\pdc-srv -U test1
Enter test1's password:
Domain=[BOMBOM] OS=[Unix] Server=[Samba 3.3.8-0.51.el5]

    Sharename       Type      Comment
    ---------       ----      -------
    IPC$            IPC       IPC Service (PDC Server)
    Contabilidad    Disk
    Sistemas        Disk
    Public          Disk      Public Folder
    netlogon        Disk      Network Logon Service
    test1           Disk      Home Directories
Domain=[BOMBOM] OS=[Unix] Server=[Samba 3.3.8-0.51.el5]

    Server               Comment
    ---------            -------
    BOM-WIN7UE           Windows 7 Domain
    PIM-WINXPA           vbWinXP
    PDC-SRV              PDC Server

    Workgroup            Master
    ---------            -------
    BOMBOM               PDC-SRV

I didn't disable anything from windows 7 like the firewall, I just
made the change to the registry on windows 7 like the wiki told us,
restarted windows 7 and done, I could add the client to the domain.
Hope this file helps to find the issue, u could setup a vm with windows
7 and start from scratch.
See u later!!!
--
LIving the dream...
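
Added example, not part of the original message and not Samba's own code: a simplified model of how the server role that testparm reports (ROLE_DOMAIN_PDC in the dump above) follows from the three settings argued about in this thread: security, domain logons and domain master. The function names, the sample configs and the rule that domain master = auto counts as yes are assumptions of this example.

```python
import re

TRUE = {"yes", "true", "on", "1"}  # boolean spellings smb.conf accepts

def parse_global(text):
    """Return the [global] parameters of an smb.conf or testparm dump."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Case and whitespace in parameter names are not significant.
            params["".join(name.lower().split())] = value.strip()
    return params

def get_param(params, name, default):
    """Look up a parameter by its usual spelling, lower-casing the value."""
    return params.get(name.replace(" ", ""), default).lower()

def server_role(params):
    """Simplified model of Samba 3.x role selection: returns (role, notes)."""
    security = get_param(params, "security", "user")
    logons = get_param(params, "domain logons", "no") in TRUE
    master = get_param(params, "domain master", "auto")
    if security == "user":
        if not logons:
            return "ROLE_STANDALONE", []
        # Assumption: "auto" counts as yes once domain logons are enabled.
        if master in TRUE or master == "auto":
            return "ROLE_DOMAIN_PDC", []
        return "ROLE_DOMAIN_BDC", []
    if security == "domain":
        if logons:
            # The combination debated in the thread.
            return "ROLE_DOMAIN_BDC", [
                "security = domain with domain logons = yes: authentication "
                "is passed through to another domain controller"]
        return "ROLE_DOMAIN_MEMBER", []
    return None, ["security = %s is not covered by this model" % security]

# Constructed samples built from the settings quoted in the thread.
PDC = ("[global]\n security = user\n os level = 64\n"
       " domain logons =Yes\n domain master = Yes\n")
BDC = ("[global]\n os level = 64\n preferred master = Yes\n"
       " domain logons =Yes\n domain master = no\n")
PASSTHROUGH = ("[global]\n security = DOMAIN\n"
               " domain logons = Yes\n domain master = no\n")

if __name__ == "__main__":
    for label, conf in (("PDC", PDC), ("BDC", BDC),
                        ("pass-through", PASSTHROUGH)):
        role, notes = server_role(parse_global(conf))
        print(label, role, *notes, sep=" | ")
```

Running it against the output of testparm -v also works, because lines before the [global] header and all share sections are ignored.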