Muhammad Reza
2004-Jun-09 05:52 UTC
[Samba] samba ldap with smbldap-tools can't join domain.
Dear Lists,

I have a problem configuring Samba as a domain controller with LDAP authentication. I use Samba-3.0.3-5 with Openldap-2.1.29 (running on Fedora Core 2). I followed the guide from www.idealx.org/prj/samba/smbldap-howto.en.html, with the recent smbldap-tools RedHat RPM. Installation of those packages was successful, as was user management with smbldap-tools; I can log in from another Unix machine (ssh) with an LDAP account.

But when I try to join my Windows machine to the new domain controller with the Samba Administrator account and password, the workstation always complains about Logon Failure "Unknown user name or Bad Password".

Log from my domain controller machine is (syslog 4):

# tail -f log.smbd
[2004/06/09 11:54:12, 2] lib/smbldap.c:smbldap_search_domain_info(1344)
  Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=SMB3))]
[2004/06/09 11:54:12, 2] lib/smbldap.c:smbldap_open_connection(639)
  smbldap_open_connection: connection opened
[2004/06/09 11:54:12, 3] lib/smbldap.c:smbldap_connect_system(806)
  ldap_connect_system: succesful connection to the LDAP server
[2004/06/09 11:54:12, 4] lib/smbldap.c:smbldap_open(857)
  The LDAP server is succesful connected

# tail -f log.(windows machine)
[2004/06/09 11:54:12, 3] smbd/oplock.c:init_oplocks(1257)
  open_oplock ipc: pid = 2740, global_oplock_port = 1025
[2004/06/09 11:54:12, 4] lib/time.c:get_serverzone(122)
  Serverzone is -25200
[2004/06/09 11:54:12, 3] smbd/process.c:process_smb(890)
  Transaction 0 of length 72
[2004/06/09 11:54:12, 2] smbd/reply.c:reply_special(208)
  netbios connect: name1=PDC-SMB3 name2=BACKUP
[2004/06/09 11:54:12, 2] smbd/reply.c:reply_special(215)
  netbios connect: local=pdc-smb3 remote=backup, name type = 0

# cat /etc/samba/smb.conf
# Global parameters
[global]
  workgroup = SMB3
  netbios name = PDC-SMB3
  interfaces = 172.16.0.232
  username map = /etc/samba/smbusers
  admin users = Administrator @"Domain Admins"
  server string = Samba Server %v
  security = user
  encrypt passwords = Yes
  min passwd length = 3
  obey pam restrictions = No
  passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
  passwd program = /usr/local/sbin/smbldap-passwd %u
  ldap passwd sync = Yes
  log level = 4
  syslog = 0
  log file = /var/log/samba/log.%m
  max log size = 100000
  time server = Yes
  socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
  mangling method = hash2
  Dos charset = 850
  Unix charset = ISO8859-1
  logon script = logon.bat
  logon drive = H:
  logon home
  logon path
  domain logons = Yes
  os level = 65
  preferred master = Yes
  domain master = Yes
  wins support = Yes
  passdb backend = ldapsam:ldap://127.0.0.1/
  # passdb backend = ldapsam:"ldap://127.0.0.1/ ldap://slave.idealx.com"
  ldap admin dn = cn=Manager,dc=mragroup,dc=net
  ldap suffix = dc=mragroup,dc=net
  ldap group suffix = ou=Groups
  ldap user suffix = ou=Users
  ldap machine suffix = ou=Computers
  ldap idmap suffix = ou=Users
  #ldap ssl = start tls
  add user script = /usr/local/sbin/smbldap-useradd -m "%u"
  ldap delete dn = Yes
  #delete user script = /usr/local/sbin/smbldap-userdel "%u"
  add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
  add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
  #delete group script = /usr/local/sbin/smbldap-groupdel "%g"
  add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
  delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
  set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
  add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
--snip---

Is there something I missed? I assumed that Samba can now connect to the LDAP service, and I have an Administrator account in the LDAP DIT and in secret.tdb with the right password; why still can't I join my Windows machine? I even added the machine name to the DIT.

Please help me, any suggestion is very appreciated, and sorry for my poor English.

regards
reza
Lance Levsen
2004-Jun-09 06:50 UTC
[Samba] samba ldap with smbldap-tools can't join domain.
On Tue, 2004-06-08 at 23:48, Muhammad Reza wrote:
> passdb backend = ldapsam:ldap://127.0.0.1/
> ldap admin dn = cn=Manager,dc=mragroup,dc=net
> ldap suffix = dc=mragroup,dc=net
> ldap group suffix = ou=Groups

Currently samba needs the groups to be in the same directory branch as the users. Move your machine accounts from ou=Computers to ou=Users,dc=mragroup,dc=net. I should think that will help. Don't forget to change the pam/nss confs too.

> ldap user suffix = ou=Users
> ldap machine suffix = ou=Computers
> ldap idmap suffix = ou=Users

> Is there something i missed ? i assumed that samba now can connect to
> ldap service, and i have an Adminstrator account at ldap DIT and at
> secret.tdb with right password why still i can join my windows machine ?
> i even add mahine name to DIT.
>
> Please help me, any suggest is very appriciate, and sorry for my poor
> english
>
> regards
> reza

Cheers,
lance
-- 
Lance Levsen, Catprint Computing
Linux Systems and programming
gpg --keyserver wwwkeys.pgp.net --recv-keys 0xF2DA79C8
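As an added example, not part of this thread and not smbldap-tools code, the script below reads the ldap suffix settings from an smb.conf fragment like Reza's, flags that `ldap machine suffix` points at a different branch than `ldap user suffix`, and emits the LDIF modrdn entries that would relocate machine accounts under ou=Users,dc=mragroup,dc=net as Lance suggests. The smb.conf fragment and the two machine DNs are constructed samples.

```python
import re

# Constructed fragment mirroring the suffix settings in Reza's smb.conf.
SMB_CONF = """[global]
  ldap suffix = dc=mragroup,dc=net
  ldap user suffix = ou=Users
  ldap machine suffix = ou=Computers
  ldap idmap suffix = ou=Users
"""

# Constructed sample machine accounts as they would sit under ou=Computers.
MACHINE_DNS = [
    "uid=backup$,ou=Computers,dc=mragroup,dc=net",
    "uid=ws01$,ou=Computers,dc=mragroup,dc=net",
]

def parse_global(conf):
    """Return {key: value} for a [global] section; keys are lower-cased."""
    params = {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue  # comments and the section header carry no settings
        key, _, val = line.partition("=")
        params[key.strip().lower()] = val.strip()
    return params

def suffix_check(params):
    """Per the reply above, machine accounts belong in the user branch.
    Return (machine_suffix_matches_user_suffix, full user branch DN)."""
    base = params["ldap suffix"]
    user = params.get("ldap user suffix", "")
    machine = params.get("ldap machine suffix", user)  # samba defaults to user suffix
    user_dn = f"{user},{base}" if user else base
    return machine == user, user_dn

def move_ldif(dns, new_superior):
    """LDIF modrdn entries that move each DN under new_superior, RDN unchanged."""
    out = []
    for dn in dns:
        rdn, _, _ = dn.partition(",")
        out.append(f"dn: {dn}\nchangetype: modrdn\nnewrdn: {rdn}\n"
                   f"deleteoldrdn: 1\nnewsuperior: {new_superior}\n")
    return "\n".join(out)

if __name__ == "__main__":
    p = parse_global(SMB_CONF)
    ok, target = suffix_check(p)
    if not ok:
        print(f"machine suffix {p['ldap machine suffix']} != user suffix; move to {target}:")
        print(move_ldif(MACHINE_DNS, target))
        print("then set in smb.conf:  ldap machine suffix = " + p["ldap user suffix"])
```

The generated LDIF can be fed to ldapmodify; after the move, `ldap machine suffix` in smb.conf has to point at the same branch, otherwise smbd keeps searching ou=Computers.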