I have successfully joined the XP machine to the domain. The strange part is that it only wanted to be joined if it connected to the PDC and not the BDC.

The way it is set up is that the XP machine and a BDC are in one branch and the PDC is in another. Every time I would try to connect via the BDC, it would return a value ACCESS DENIED.

I stopped the smb service on the BDC, and got it to connect via the PDC. I then got it to log into the domain using the BDC for authentication. I made sure of this by looking at the recent log.machine-name files for the BDC and PDC and it only showed up in the BDC.

So I am wondering if this is expected behavior?? That it can only join via the PDC?

Additionally, some notes on the topic to help others... after connecting, I started to receive these Windows messages at logon:

  Cannot locate server copy of your profile and am attempting to log you in with your local profile.....

  Cannot find the local profile and is logging in with temporary profile.

  Cannot locate your roaming profile (read only) and is attempting to log you on with your local profile.

Some of this I found to be with the SID changing between the NT network and the new SAMBA controlled network. I needed to reassign the local copies of the profiles' security accounts, and that took care of that.

Additionally, since I am not using roaming profiles, I wanted to turn those messages off.
Using gpedit.msc and changing the following keys stopped all those message boxes from appearing and it only uses the local profile:

  local computer policy -> computer -> system -> user profile
    only allow user local profile                                   ENABLED
    prevent roaming profile changes from propagating to the server  ENABLED
    do not check ownership of roaming profile folder                ENABLED

> -----Original Message-----
> From: Buchan Milne [mailto:bgmilne@cae.co.za]
> Sent: Friday, May 16, 2003 8:00 AM
> To: samba@lists.samba.org
> Cc: Chris McKeever
> Subject: Re: [Samba] XP Joining Samba Domain - Cry For Help
>
> > Date: Fri, 16 May 2003 03:52:59 -0500
> > From: Chris McKeever <cgmckeever@prupref.com>
> > Subject: [Samba] XP Joining Samba Domain - Cry For Help
> > To: samba@lists.samba.org
> >
> > It is way too late to be wrestling with this, but being the obsessive
> > compulsive I am.....
> >
> > I can not get an XP machine to join a samba-ldap domain
> >
> > The machine account has been made
> > The XP registry and local policies have been set
> >
> > I continue to get 'specified domain does not exist'
>
> Either the name of the workgroup that the WindowsXP box is in is the
> same as the domain you are trying to join, or you have other name
> resolution problems (which can be solved by using WINS normally).
>
> I suspect the former. Change the workgroup name to anything that is
> different from your domain name, apply, and then join the domain. (this
> problem is not samba-specific BTW).
>
> Buchan
>
> --
> |--------------Another happy Mandrake Club member--------------|
> Buchan Milne                      Mechanical Engineer, Network Manager
> Cellphone * Work                  +27 82 472 2231 * +27 21 8828820x202
> Stellenbosch Automotive Engineering               http://www.cae.co.za
> GPG Key                           http://ranger.dnsalias.com/bgmilne.asc
> 1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
_Chris McKeever_ wrote:
> I have successfully joined the XP machine to the domain. The strange part
> is, that it only wanted to be joined if it connected to the PDC and not the
> BDC.
>
> The way it is set-up is that the XP machine and a BDC is in one branch and
> the PDC is in another. Every time I would try to connect via the BDC, it
> would return a value ACCESS DENIED
>
> I stopped the smb service on the BDC, and got it to connect via the PDC. I
> then got it to log into the domain using the BDC for authentication..I made
> sure of this by looking at the recent log.machine-name files for the BDC and
> PDC and it only showed up in the BDC.
>
> So I am wondering if this is expected behavior?? That it can only join via
> the PDC?
>

No, my test network worked joining via the BDC (I stopped smbd on the PDC to
be sure).

The issue is that samba does the following:

1) Check for machine account
2) If no machine account, run 'add user script'
3) Check for machine account, if it exists, join, if not return 'access
   denied'.

If your LDAP server does not replicate the machine account to the slave/BDC in
the time between samba running 'add user script' and checking again, you will
see this behaviour. I solved this (suggestion seen on this list) by adding a
';sleep 5' to the end of the add user script, which assumes your replication
occurs in under 5 seconds.

We haven't tested this on our real network again (where our BDC is an hour's
drive away).

> Additionally, some notes on the topic to help others...after connecting, I
> started to receive these windows messages at logon:
>
> Cannot locate server copy of your profile and am attempting to log you in
> with your local profile.....
>
> Cannot find the local profile and is logging in with temporary profile.
>
> cannot locate your roaming profile (read only) and is attempting to log you
> on with your local profile.
>
> Some of this I found to be with the SID changing between the NT network and
> the new SAMBA controlled network. I needed to reassign the local copies of
> the profiles security accounts, and that took care of that.
>

This is a known issue if you don't retain SIDs, which is only possible with
samba3.

> Additionally, since I am not using roaming profiles, I wanted to turn those
> messages off. Using gpedit.msc and changing the following keys solved all
> those message boxes from appearing and it only using the local profile:

You could also likely make the user's profilepath an empty string in LDAP.

We use profiles, and replicate them using rsync (hoping users don't log in on
both sides before rsync's finish).

Regards,
Buchan
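As an added example (not code from the thread, nor from Samba or smbldap-tools), here is a wrapper for the `add user script` that replaces the fixed `;sleep 5` with a bounded poll of the slave directory, so Samba's second account check only runs once the entry has actually replicated. The smbldap-useradd path, the slave URI and the base DN are assumptions (placeholders); `wait_until_replicated` is generic and is the part a test can exercise offline.

```shell
#!/bin/sh
# Wrapper for Samba's 'add user script' (example code, not from the thread).
# Samba 2.2 checks for the machine account, runs this script, then checks
# again; on a BDC that reads from a slave LDAP the second check can run before
# the entry has replicated back from the master, which shows up as
# NT_STATUS_ACCESS_DENIED. Instead of a blind 'sleep 5', wait until the
# slave really has the entry (or give up after a timeout).
#
# smb.conf (assumed):  add user script = /usr/local/sbin/add-machine.sh %u

# wait_until_replicated CHECK_CMD [TIMEOUT_SECONDS] [INTERVAL_SECONDS]
# Re-runs CHECK_CMD (a shell command string) until it exits 0.
# Returns 0 as soon as it does, 1 if TIMEOUT_SECONDS elapse first.
wait_until_replicated() {
    check_cmd=$1
    timeout=${2:-30}
    interval=${3:-1}
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if sh -c "$check_cmd" >/dev/null 2>&1; then
            return 0
        fi
        sleep "$interval"
        elapsed=$((elapsed + interval))
    done
    return 1
}

# slave_check_cmd UID [SLAVE_URI] [BASE_DN]
# Prints the command that asks the local slave whether the Samba account for
# UID exists. The defaults are placeholders; take the real values from the
# BDC's /etc/ldap.conf.
slave_check_cmd() {
    uid=$1
    uri=${2:-ldap://localhost}
    base=${3:-dc=example,dc=com}
    printf "ldapsearch -x -LLL -H %s -b %s '(&(uid=%s)(objectClass=sambaAccount))' dn | grep -q '^dn:'" \
        "$uri" "$base" "$uid"
}

# add_machine_account NAME: NAME is what Samba passes as %u, e.g. 'marketing-y$'.
# The account is created on the master (the slave's updateref sends the write
# there); we then block until the slave can see it, so Samba's re-check passes.
add_machine_account() {
    name=$1
    case $name in
        *\$) ;;                                   # only machine accounts here
        *)   echo "not a machine account: $name" >&2; return 2 ;;
    esac
    /usr/local/sbin/smbldap-useradd -w "$name" || return 1   # assumed path
    wait_until_replicated "$(slave_check_cmd "$name")" 30 1 || {
        echo "replication of $name to the slave timed out" >&2
        return 1
    }
}

# Samba invokes the script with the account name as the only argument.
if [ "$#" -eq 1 ]; then
    add_machine_account "$1"
fi
```

If the poll times out, the script exits non-zero and Samba's second check fails exactly as before, but the timeout message in the BDC's log tells you it was replication lag rather than a write-access problem.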
Here is my log file when I try to join a new computer (XP) as well as the ldap
entry for it.

I have tried with the account pre-existing and with the account not existing,
and I get the same error.

Please Note: that authenticating with an already joined machine works fine,
and that the other machine is called marketing-x so I know that the hyphen is
not the issue.

Can anyone help me with this, I am going in circles.

-----------------------------
ldap_connect_system: Binding to ldap server as "cn=ldap,dc=prupref,dc=com"
[2003/05/20 09:44:13, 2] passdb/pdb_ldap.c:ldap_connect_system(331)
  ldap_connect_system: succesful connection to the LDAP server
[2003/05/20 09:44:13, 2] passdb/pdb_ldap.c:ldap_search_one_user(343)
  ldap_search_one_user: searching for:[(&(uid=marketing-y$)(objectclass=sambaAccount))]
[2003/05/20 09:44:13, 2] passdb/pdb_ldap.c:init_ldap_from_sam(756)
  Setting entry for user: marketing-y$
[2003/05/20 09:44:13, 0] passdb/pdb_ldap.c:pdb_update_sam_account(1104)
  failed to modify user with uid = marketing-y$ with: No such object
[2003/05/20 09:44:13, 5] rpc_parse/parse_prs.c:prs_debug(60)
  000000 samr_io_r_set_userinfo
[2003/05/20 09:44:13, 5] rpc_parse/parse_prs.c:prs_ntstatus(617)
  0000 status: NT_STATUS_ACCESS_DENIED
--------------------------
[2003/05/20 10:03:03, 5] libsmb/credentials.c:cred_assert(124)
  challenge : 0A9EBAA624DECD5A
[2003/05/20 10:03:03, 5] libsmb/credentials.c:cred_assert(125)
  calculated: 0000000000000000
[2003/05/20 10:03:03, 5] libsmb/credentials.c:cred_assert(134)
  credentials check wrong
[2003/05/20 10:03:03, 5] rpc_parse/parse_prs.c:prs_debug(60)
  000000 net_io_r_auth
[2003/05/20 10:03:03, 6] rpc_parse/parse_prs.c:prs_debug(60)
  000000 smb_io_chal
[2003/05/20 10:03:03, 5] rpc_parse/parse_prs.c:prs_uint8s(675)
  0000 data: 27 81 12 42 f0 33 21 08
[2003/05/20 10:03:03, 5] rpc_parse/parse_prs.c:prs_ntstatus(617)
  0008 status: NT_STATUS_ACCESS_DENIED
[2003/05/20 10:03:03, 5] rpc_server/srv_pipe.c:api_rpcTNP(1235)
  api_rpcTNP: called api_netlog_rpc successfully
[2003/05/20 10:03:03, 3] rpc_server/srv_pipe_hnd.c:free_pipe_context(444)
  free_pipe_context: destroying talloc pool of size 80
[2003/05/20 10:03:03, 10] rpc_server/srv_pipe_hnd.c:write_to_pipe(766)
  write_to_pipe: data_used = 140
----------------------------
dn: uid=marketing-y$,ou=Computers,dc=prupref,dc=com
objectClass: top
objectClass: posixAccount
objectClass: sambaAccount
uidNumber: 501
gidNumber: 1010
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
uid: marketing-y$
pwdLastSet: 1053442890
logonTime: 0
logoffTime: 2147483647
kickoffTime: 2147483647
pwdCanChange: 0
pwdMustChange: 2147483647
displayName: marketing-y$
cn: marketing-y$
rid: 2002
primaryGroupID: 3021
acctFlags: [W ]

> -----Original Message-----
> From: Buchan Milne [mailto:bgmilne@cae.co.za]
> Sent: Tuesday, May 20, 2003 6:32 AM
> To: samba@lists.samba.org
> Cc: _Chris McKeever_
> Subject: Re: [Samba] XP Joining Samba Domain
>
> [...]
Buchan..thanks again for the support!

> _Chris McKeever_ wrote:
> > Here is my log file when I try to join a new computer (XP) as well as the
> > ldap entry for it
> > I have tried with the account pre-existing and with the account not
> > existing, and I get the same error.
> >
>
> Is this joining to the PDC or the BDC?

Those logs are from when it tries to join the BDC when the machine account
_already_ exists

> > Please Note: that authenticating with an already joined machine works fine.
> > and that the other machine is called marketing-x so I know that the hyphen
> > is not the issue.
> >
> > Can anyone help me with this, I am going in circles.
> >
> > -----------------------------
> > ldap_connect_system: Binding to ldap server as "cn=ldap,dc=prupref,dc=com"
> > [2003/05/20 09:44:13, 2] passdb/pdb_ldap.c:ldap_connect_system(331)
> >   ldap_connect_system: succesful connection to the LDAP server
> > [2003/05/20 09:44:13, 2] passdb/pdb_ldap.c:ldap_search_one_user(343)
> >   ldap_search_one_user: searching for:[(&(uid=marketing-y$)(objectclass=sambaAccount))]
> > [2003/05/20 09:44:13, 2] passdb/pdb_ldap.c:init_ldap_from_sam(756)
> >   Setting entry for user: marketing-y$
> > [2003/05/20 09:44:13, 0] passdb/pdb_ldap.c:pdb_update_sam_account(1104)
> >   failed to modify user with uid = marketing-y$ with: No such object
>
> In one join operation, you should see two subsequent LDAP searches,
> separated by a running of the add user script (you may have to bump the
> log level even higher to see this).
>
> If both fail, it means either
> 1) The DN your BDC uses does not have write access to the LDAP master
>    where it wants to put the new account.

When trying to join via the BDC without a machine account already, it
populates the master ldap and BDC$ getent passwd does return the new machine
.... would write access be a cause of joining failure if the machine account
already exists?

> 2) Replication does not work

replication is working

> 3) Replication does not work fast enough.
>

possibly, but this does not explain why it fails when the machine account is
already set up in the LDAP

> > dn: uid=marketing-y$,ou=Computers,dc=prupref,dc=com
> > objectClass: top
> > objectClass: posixAccount
> > objectClass: sambaAccount
> > uidNumber: 501
>
> This seems a very low uid, is this uid unique?
>

yes...my user accounts start at 1000, original linux users (passwd) end under
100

> > gidNumber: 1010
> > homeDirectory: /dev/null
> > loginShell: /bin/false
> > description: Computer
> > uid: marketing-y$
> > pwdLastSet: 1053442890
> > logonTime: 0
> > logoffTime: 2147483647
> > kickoffTime: 2147483647
> > pwdCanChange: 0
> > pwdMustChange: 2147483647
> > displayName: marketing-y$
> > cn: marketing-y$
> > rid: 2002
> > primaryGroupID: 3021
> > acctFlags: [W ]
>
> Any system adding a machine account (except the *_nua backends in samba3)
> will check for an account, run the add user script, and check for an
> account again. But also note, that there must be a system account (ie
> 'getent passwd marketing-y$' should return the new entry). If your
> /etc/ldap.conf is incorrectly set on the BDC, it may not pick up the new
> account.

getent passwd marketing-y$ on the BDC correctly sees the account (either if it
is pre-existing or if the add user script from the BDC creates it)

> If you still don't come right, either post the important settings from
> smb.conf and /etc/ldap.conf on all DC's, or mail me the files off-list.
>

Additional Comment: I added it via the PDC and it worked fine...afterwards it
authenticates from the BDC without a hitch, so there is something not correct
with it trying to let it join (with or without the machine account existing)

> Regards,
> Buchan
Some more information from the afternoon trials (comments inline below):

TRIAL 1:

  Master LDAP
    domain logons = no
    domain master = yes

  Slave LDAP/BDC
    domain master = no
    domain logons = yes

  result: cannot find domain

TRIAL 2:

  Master LDAP
    domain logons = no
    domain master = no

  Slave LDAP/BDC
    domain master = yes
    domain logons = yes

  result: machine account created, ACCESS DENIED joining domain
  result 2 (checking replica delay): ACCESS DENIED

TRIAL 3:

  Master LDAP
    domain logons = yes
    domain master = yes

  Slave LDAP/BDC
    domain master = no
    domain logons = yes

  result: successful join of machine via the MASTER LDAP using the machine
  account created in TRIAL 2...successful authentication via the BDC after
  reboot

> _Chris McKeever_ wrote:
> >
> > Those logs are from when it tries to join the BDC when the machine
> > account _already_ exists
> >
>
> Then we know what the problem is by elimination ...
>
> Assuming you have samba-2.2.8 or later, it should show that it rebinds to
> the master (assuming your slave returns a referral on a write request). It
> will of course rebind with the dn in the BDC's smb.conf with the password
> you set on the BDC with smbpasswd -w
>

I am using cn=root,dc=mylan,dc=net for both the rootdn and the ldap admin dn
for samba

re-ran smbpasswd -w THEPASSWORDHERE on both machines

> So, your problem is either
> 1) You haven't setup referrals

wouldn't this mean I couldn't create the machine account? Which I am able to
do:

  updateref "ldaps://ldap.prupref.com"

> 2) Your dn used in the smb.conf on the slave does not have write access to
>    the machine account. Note, samba-2.2.x will want to write all the
>    attributes for the account (not just the ones that change).

it is ldap admin dn = cn=root,dc=prupref,dc=com..but then again, I can get
the machine account created when joining via the BDC..it just won't finish
the joining

> 3) You didn't give samba on the BDC its LDAP password.
>

smbpasswd -w THEPASSWORDHERE was run

Is there a way I can test the referrals and the samba password?

is this a sign of a problem?

BDC# smbpasswd -a cgmckeever
New SMB password:
Retype new SMB password:
ldap_connect_system: Binding to ldap server as "cn=root,dc=prupref,dc=com"
ldap_connect_system: Binding to ldap server as "cn=root,dc=prupref,dc=com"
failed to modify user with uid = cgmckeever with: No such object
Password changed for user cgmckeever.
Failed to modify entry for user cgmckeever.
Failed to modify password entry for user cgmckeever

  updateref "ldaps://ldap.prupref.com"
OR
  updateref "ldap://ldap.prupref.com"

Searches definitely show a uid=cgmckeever and I can access samba shares no
problem from both machines

BDC# ldapsearch -LL -H ldap://localhost -b"dc=prupref,dc=com" -x "(uid=cgmckeever)"
version: 1

dn: uid=cgmckeever, ou=People, dc=prupref,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: account
objectClass: posixaccount
objectClass: shadowaccount
objectClass: kerberosSecurityObject
objectClass: sambaAccount

BDC# ldapsearch -LL -H ldap://ldap.prupref.com -b"dc=prupref,dc=com" -x "(uid=cgmckeever)"
version: 1

dn: uid=cgmckeever, ou=People, dc=prupref,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: account
objectClass: posixaccount
objectClass: shadowaccount
objectClass: kerberosSecurityObject
objectClass: sambaAccount

> Regards,
> Buchan
Good News/Bad News

Good News:
I was able to get the XP machine to join via the BDC..but I had to fart with
some smb.conf settings. The main problem was this:

/etc/openldap/slapd.conf
  updatedn "cn=replicate,dc=prupref,dc=com"
  updateref "ldaps://ldap.prupref.com"

I had the two lines reversed (you may want to make note of that in your
how-to Buchan)...What clued me was running smbpasswd from the slave server
gave a failure. Flipping them got smbpasswd to work from the remote server and
then onto figuring out the joining issue.

Bad News:
In the BDC server, I need to comment out domain master, otherwise I would
continually return 'specified domain does not exist' (any ideas??)..I don't
believe this then defaults to NO...any comment? The reason I feel this is
that then I get a lot of log.smbd entries saying that it is trying to become
the master but another already exists.

Also, if I shutdown the smb service on the master/PDC I get the same 'domain
does not exist' message (this may be attributed to the master/pdc being the
wins server as well?)

There are some comments below here as well ---->

> > Some more information from the afternoon trials (comments inline below):
> >
> > TRIAL 3:
> >
> > Master LDAP
> >   domain logons = yes
> >   domain master = yes
> >
> > Slave LDAP/BDC
> >   domain master = no
> >   domain logons = yes
>
> Yes, this is as it should be.
>

as stated I need to comment out domain master from the BDC smb.conf

> > result: successful join of machine via the MASTER LDAP using the machine
> > account created in TRIAL 2...successful authentication via the BDC after
> > reboot
> >
> [...]
> >
> > is this a sign of a problem?
> >
> > BDC# smbpasswd -a cgmckeever
> > New SMB password:
> > Retype new SMB password:
> > ldap_connect_system: Binding to ldap server as "cn=root,dc=prupref,dc=com"
> > ldap_connect_system: Binding to ldap server as "cn=root,dc=prupref,dc=com"
> > failed to modify user with uid = cgmckeever with: No such object
> >
> > Password changed for user cgmckeever.
> > Failed to modify entry for user cgmckeever.
> > Failed to modify password entry for user cgmckeever
>
> Either it's not binding to the ldap server, or getpwnam (which you can
> test via 'getent passwd cgmckeever') is not working for this account,
> which may mean you haven't configured nss_ldap.
>

BINGO! but it was the flipped update statements in the slapd.conf

> >   updateref "ldaps://ldap.prupref.com"
> > OR
> >   updateref "ldap://ldap.prupref.com"
>
> If you use ldaps, then you must be using the same hostname as is on the
> SSL cert the server uses ...
>
> > Searches definitely show a uid=cgmckeever and I can access samba shares
> > no problem from both machines
> >
> > BDC# ldapsearch -LL -H ldap://localhost -b"dc=prupref,dc=com" -x "(uid=cgmckeever)"
> > version: 1
> >
> > dn: uid=cgmckeever, ou=People, dc=prupref,dc=com
> > objectClass: top
> > objectClass: person
> > objectClass: organizationalPerson
> > objectClass: inetOrgPerson
> > objectClass: account
> > objectClass: posixaccount
> > objectClass: shadowaccount
> > objectClass: kerberosSecurityObject
> > objectClass: sambaAccount
> >
> > BDC# ldapsearch -LL -H ldap://ldap.prupref.com -b"dc=prupref,dc=com" -x "(uid=cgmckeever)"
> > [...]
>
> Is this the full entry? If so, you're missing a whole bunch of attributes
> that are required for a working account (or the dn you used can't see
> them). You must ensure 'getent passwd <username>' works on the BDC also
> ..... but it's weird if samba authenticated you.
>

sorry, should have put cut marks there

> It may be best for you to mail me your smb.conf, smbldap_conf.pm and
> /etc/ldap.conf for the BDC ... and ensure ldap is in the passwd line of
> /etc/nsswitch.conf
>

I think everything is good other than why I need to comment out the domain
master line in the smb.conf (redhat thing???) If you think you want to look
through my config files, let me know, I will send them to you off-list. But
now I just think it is figuring out why I need to comment out domain master
for it all to work

> Buchan
Buchan (or other knowledgeable list subscribers)...was wondering if you had
any time to ponder my issue here?

Thanks

> > Good News/Bad News
> [...]