The documentation that I found regarding this issue wasn't that good - it didn't help me that much. Later on I managed to join the win2k-domain after a lot of work. Thus I'm writing this letter in order to help people who were in my situation. This was my problem and the solution I devised for it:

I was using samba-2.2.3a (debian package) and the windows-domain I tried to join is managed by two win2k domain controllers using active directory (AD). Since Samba 2.* doesn't support AD (3.* does though) you have to make sure that your PDC allows you to join the domain without using AD (using NT-style trust relationship). Therefore I think that the server has to be in something called "mixed" mode, but I'm not sure about this.

One of the problems I faced was that our system-administrators didn't know how SMB worked. Since I wasn't allowed to touch the servers without having them looking over my back this proved to be a big hassle. I asked them whether the server was in native or mixed mode but they didn't know(!) I can't understand how they manage to run the network without such basic knowledge about smb-networks.

However, this is what I did:

1. Install samba-2.2.3a with debian-packages (other 2.* versions should work equally well)

2. Configured my smb.conf. These options have to be set:

    workgroup = YOUR-WORKGROUP
    encrypt passwords = yes
    security = domain
    password server = *

3. I went to the win2k-dc and created a machine-account manually according to the instructions on this page:
   http://unix.derkeiler.com/Mailing-Lists/SunManagers/2003-06/0512.html

4. Run:

    smbpasswd -j your-win2k-domain -r your-domain-controller's-netbios-name -U an-administration-account

   In my case this command returned a message saying "failed to join domain", but this step proved to be important later on.

5. Run:

    smbpasswd -j your-win2k-domain -r your-domain-controller's-netbios-name -m

   This changes the password of the machine-account.
   "Joined domain your-win2k-domain" should be returned, which means that you've successfully joined the domain.

Conclusion: I'm not really sure whether I'm doing the right thing or not, but it works for me where samba's howto failed. The reason that I need to run smbpasswd twice may be because of an authentication problem with the server (the server may be running in wrong "mode"). If anyone has any clue about this I would be grateful if he/she could drop me a line. Also, if you get stuck anyway you're free to contact me if you've got questions.

Best regards,
Ville Jutvik
ville.jutvik@home.se

-----Original Message-----
From: Craig Taylor <craig.taylor@theforwardgroup.com>
To: Ville Jutvik <ville.jutvik@home.se>
Date: Mon, 15 Sep 2003 09:48:53 +0100
Subject: Re: Samba-join-problem

Yes definitely, I will let you know if I find a solution

Thanks

Craig

--
Craig Taylor
IT Director
Forward Ltd
84-86 Regent Street
London W1B 5DD
Telephone: +44 (0)20 7734 2303
Fax: +44 (0)20 7494 2570
http://www.theforwardgroup.com

***********************************************************************
Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Forward Ltd
***********************************************************************

> From: "Ville Jutvik" <ville.jutvik@home.se>
> Date: Sun, 14 Sep 2003 01:14:42 +0200
> To: craig.taylor@theforwardgroup.com
> Subject: Samba-join-problem
>
> Hi
>
> I saw your message on the samba-mailing-list. I just want you to know that I
> got exactly the same problem. I suggest that we notice each other if one of us
> finds the solution to the problem.
>
> Best regards,
> Ville Jutvik
> ville.jutvik@home.se

On 21.Sept.2003, Ville Jutvik wrote :

> The documentation that I found regarding this issue wasn't that good
> - it didn't help me that much. Later on I managed to join the
> win2k-domain after a lot of work

I've joined many Samba 2.2.x servers to our NT4 domain, and for us it all works just as documented in the "DOMAIN_MEMBER.html" document supplied in the Samba source distro :

    root# smbpasswd -j DOM -r DOMPDC -UAdministrator%password

or, to avoid entering the password on the command line, omit the password part of the -U argument :

    root# smbpasswd -j DOM -r DOMPDC -UAdministrator

which will cause a "password:" prompt.

> Samba 2.* doesn't support AD (3.* does though) you have to make
> sure that your PDC allows you to join the domain without using AD
> (using NT-style trust relationship). Therefore I think that the server
> has to be in something called "mixed" mode

Erm - Active Directory "mixed mode" is required if you need to have a mixture of fully native ADS domain controllers and pre-Win2K domain controllers, but *not* AFAIK to allow ordinary member servers to participate in the "domain" ("tree", "forest", whatever). I'm just quoting what I've read - we have no W2K ADS here.

However, I can well imagine that, as you describe, it's necessary to pre-create the member server accounts in the ADS, and mark them as "Allow pre-Windows 2000 computers to use this account". Interesting ... thanks for the pointer.

> I was using samba-2.2.3a (debian package)

If you need the cutting-edge Samba domain-management features then I strongly advise you don't do that - instead, use the Samba 2.2.8a Debian package available using this apt source line :

    deb http://people.debian.org/~peloy/samba/ woody main

This is the latest Samba release, packaged for Debian Woody, rather than the functionally old Samba with security fixes applied ("backported"), that is officially part of Woody - and should work better for people with complex needs. It may be unofficial, but it's packaged by one of the Debian Samba package maintainers ... I found 2.2.8a gave us a better effect with "winbind" functionality.

> If anyone has any clue about this I would be grateful if he/she
> could drop me a line

Sorry, I have no idea why you have to run the second "-m" smbpasswd call in your scenario - maybe it's an ADS thing, or maybe it's a buggette in Samba 2.2.3a secure channels protocol handling ;-)

Nick Boyce
EDS, Bristol, UK
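
An added example, not part of any message in this thread and not Samba's own code: a Python check of the four smb.conf settings listed in step 2 of the join procedure, plus a test for the password-in-`-U` form that the last reply suggests avoiding. The function names, the sample configs and the EXAMPLEDOM domain name are made up for illustration; parameter names are matched ignoring case and spaces, as smb.conf does.

```python
import re
import shlex

def parse_global(text):
    """Return {parameter: value} for [global]; names lower-cased, spaces removed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def check_domain_member(text):
    """List deviations from the four [global] settings given in step 2."""
    p, problems = parse_global(text), []
    if not p.get("workgroup"):
        problems.append("workgroup is not set")
    if p.get("encryptpasswords", "").lower() not in ("yes", "true", "1"):
        problems.append("encrypt passwords is not set to yes")
    if p.get("security", "").lower() != "domain":
        problems.append("security is not set to domain")
    if not p.get("passwordserver"):
        problems.append("password server is not set")
    return problems

def password_on_command_line(command):
    """True if a -U argument carries a password after '%' (visible in ps and history)."""
    args = shlex.split(command)
    for i, arg in enumerate(args):
        if arg.startswith("-U"):
            # Accept both "-Uname%pw" and "-U name%pw".
            cred = arg[2:] or (args[i + 1] if i + 1 < len(args) else "")
            if cred.partition("%")[2]:
                return True
    return False

# Constructed sample inputs (EXAMPLEDOM is a placeholder domain name).
WEAK_CONF = "[global]\n  workgroup = EXAMPLEDOM\n  Encrypt Passwords = No\n  security = user\n; password server = *\n"
GOOD_CONF = "[global]\nworkgroup = EXAMPLEDOM\nencrypt passwords = yes\nsecurity = domain\npassword server = *\n[homes]\nread only = no\n"

if __name__ == "__main__":
    print(check_domain_member(WEAK_CONF))
    print(check_domain_member(GOOD_CONF))
    print(password_on_command_line("smbpasswd -j DOM -r DOMPDC -UAdministrator%password"))
```

Running `check_domain_member` over the real /etc/samba/smb.conf before attempting `smbpasswd -j` rules out a configuration mismatch as the cause of a "failed to join domain" message.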