Tony Fugere
2004-Jun-11 14:58 UTC
[Samba] Samba 3.0.3 on FC2: windows machine cannot join domain
I'm using Samba 3.0.3 on Fedora Core 2 with OpenLDAP 2.1.29 for a backend. I'm getting to typical "The user name could not be found." error upon trying to join a Windows box. I've gone through every digest on lists.samba.org and other sites and nothing has worked yet. Any suggestions: Here's what I've done so far: 1. Installed everything via RPMS: [root@smbtest root]# rpm -qa | grep openldap openldap-2.1.29-1 openldap-clients-2.1.29-1 openldap-servers-2.1.29-1 openldap-devel-2.1.29-1 [root@smbtest root]# rpm -qa | grep samba samba-3.0.3-5 samba-client-3.0.3-5 samba-common-3.0.3-5 samba-swat-3.0.3-5 [root@smbtest root]# rpm -qa | grep smbldap smbldap-tools-0.8.4-1.1.fc2.dag [root@smbtest root]# 2. Made my SSL certificates and put them in /var/ssl. 3. Made my slapd.conf: --- Start slapd.conf --- include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/samba.schema allow bind_v2 passwd-hash {SSHA] pidfile /var/run/slapd.pid TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCACertificateFile /var/ssl/cacert.pem TLSCertificateFile /var/ssl/ldapcrt.pem TLSCertificateKeyFile /var/ssl/ldapkey.pem TLSVerifyClient 0 security ssf=1 update_ssf=112 simple_bind=64 access to dn=".*,dc=soil,dc=ncsu,dc=edu" attr=userPassword by dn="cn=Manager,dc=soil,dc=ncsu,dc=edu" write by self write by * auth access to dn=".*,dc=soil,dc=ncsu,dc=edu" attr=mail by dn="cn=Manager,dc=soil,dc=ncsu,dc=edu" write by self write by * auth access to dn=".*,ou=People,dc=soil,dc=ncsu,dc=edu" by * read access to dn=".*,dc=soil,dc=ncsu,dc=edu" by self write by * read database ldbm suffix "dc=soil,dc=ncsu,dc=edu" rootdn "cn=Manager,dc=soil,dc=ncsu,dc=edu" rootpw _thepassword_ directory /var/lib/ldap index objectClass,uid,uidNumber,gidNumber,memberUid eq index cn,mail,surname,givenname eq,subinitial --- End slapd.conf --- 4. Made the smb.conf: --- Start smb.conf --- [global] ; Basic server settings workgroup = testdomain netbios name = smbtest server string = Samba Server %v security = user allow trusted domains = yes log level = 0 log file = /var/log/samba/log.%m max log size = 50 domain logons = Yes os level = 65 local master = yes domain master = yes preferred master = yes encrypt passwords = yes passwd program = /usr/local/sbin/smbldap-passwd %u passwd chat = *new*password* %n\n *new*password* %n\n *successfully* unix password sync = yes ; User and Machine Account Backends ldap ssl = start_tls passdb backend = ldapsam:ldap://smbtest.soil.ncsu.edu:389 ldap suffix = dc=soil,dc=ncsu,dc=edu ldap admin dn = cn=Manager,dc=soil,dc=ncsu,dc=edu ldap delete dn = no ldap user suffix = ou=People ldap group suffix = ou=Groups ldap machine suffix = ou=Computers admin users = administrator socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 ; where to store user profiles logon home logon path ldap delete dn = Yes add user script = /usr/local/sbin/smbldap-useradd -m "%u" add machine script = /usr/local/sbin/smbldap-useradd -w "%u" add group script = /usr/local/sbin/smbldap-groupadd -p "%g" add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g" delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g" set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u" delete user script = /usr/local/sbin/smbldap-userdel "%u" delete group script = /usr/local/sbin/smbldap-groupdel "%g" [netlogon] comment = Network Logon Service path = /usr/local/samba/lib/netlogon read only = yes write list = dom_admins [Homes] username = tfugere writeable = Yes force create mode = 0770 force directory mode = 02770 browseable = No --- End smb.conf --- 5. Made my smbldap*.conf: --- Start smbldap.conf --- UID_START="1000" GID_START="1000" SID="S-1-5-21-2625200706-2048882972-3065312840" slaveLDAP="smbtest.soil.ncsu.edu" slavePort="389" masterLDAP="smbtest.soil.ncsu.edu" masterPort="389" ldapTLS="1" verify="require" cafile="/var/ssl/cacert.pem" clientcert="/var/ssl/ldapcrt.pem" clientkey="/var/ssl/ldapkey.pem" suffix="dc=soil,dc=ncsu,dc=edu" usersdn="ou=People,dc=soil,dc=ncsu,dc=edu" computersdn="ou=Computers,dc=soil,dc=ncsu,dc=edu" groupsdn="ou=Groups,dc=soil,dc=ncsu,dc=edu" scope="sub" hash_encrypt="SSHA" userLoginShell="/bin/bash" userHomePrefix="/home/" userGecos="System User" defaultUserGid="513" defaultComputerGid="553" skeletonDir="/etc/skel" defaultMaxPasswordAge="45" userSmbHome="" userProfile="" userHomeDrive="logondrive" userScript="" with_smbpasswd="0" smbpasswd="/usr/bin/smbpasswd" mk_ntpasswd="/usr/sbin/mkntpwd" --- End smbldap.conf --- --- Begin smbldap_bind.conf --- slaveDN="cn=Manager,dc=soil,dc=ncsu,dc=edu" slavePw="_hidden_" masterDN="cn=Manager,dc=soil,dc=ncsu,dc=edu" masterPw="_hidden_" --- End smbldap_bind.conf --- 6. Started up the services: /etc/init.d/ldap start /etc/init.d/smb start 7. Set the root password: smbpasswd -w _thepassword_ 8. Put in some test data: soil.ncsu.edu/tony_temp/smbtest.ldif 9. Did a search on the LDAP DB: ldapsearch -x -Z -D 'cn=Manager,dc=soil,dc=ncsu,dc=edu' -b 'dc=soil,dc=ncsu,dc=edu' -W '(objectclass=*)' Results: soil.ncsu.edu/tony_temp/ldapsearch.out 10. Set the root user password: smbldap-passwd root 11. Changed the local security policy on the Windows XP machine: Domain member: Digitally encrypt or sign secure data channel (always) Disabled Domain member: Digitally encrypt secure data channel (when possible) Disabled Domain member: Digitally sign secure data channel (when possible) Disabled 12. Tried to join the domain through a Windows XP machine and got this error when using root user: The following error occurred when attempting to join the domain "testdomain": The user name could not be found. 13. Tried to navigate to the domain via my network places and was successful. -- Tony Fugere tony_fugere@ncsu.edu
Paul Gienger
2004-Jun-11 15:07 UTC
[Samba] Samba 3.0.3 on FC2: windows machine cannot join domain
> I'm using Samba 3.0.3 on Fedora Core 2 with OpenLDAP 2.1.29 for a > backend. I'm getting to typical "The user name could not be found." > error upon trying to join a Windows box. I've gone through every > digest on lists.samba.org and other sites and nothing has worked yet. > Any suggestions:You must have missed the ou=Computers discussion then, it comes up about every 2 weeks.> ; User and Machine Account Backends > ldap ssl = start_tls > passdb backend = ldapsam:ldap://smbtest.soil.ncsu.edu:389 > ldap suffix = dc=soil,dc=ncsu,dc=edu > ldap admin dn = cn=Manager,dc=soil,dc=ncsu,dc=edu > ldap delete dn = no > ldap user suffix = ou=People > ldap group suffix = ou=Groups > ldap machine suffix = ou=Computerschange this to ou=People or do one of the workarounds people have suggested, those being to reconfigure your nss library to search to a point in your ldap structure that contains both ou=People and ou=Computers (dc=soil,dc=ncsu,dc=edu). I guess that's the only suggested one, but I've thought about a couple others, one being to make an ou=Accounts which would contain aliases to ou=People and ou=Computers, but I haven't tested it yet... -- Paul Gienger Office: 701-281-1884 Applied Engineering Inc. Cell: 701-306-6254 Information Systems Consultant Fax: 701-281-1322 URL: ae-solutions.com mailto:pgienger@ae-solutions.com
Joshua Schmidlkofer
2004-Jun-11 18:00 UTC
[Samba] Samba 3.0.3 on FC2: windows machine cannot join domain
Tony Fugere wrote:> I'm using Samba 3.0.3 on Fedora Core 2 with OpenLDAP 2.1.29 for a > backend. I'm getting to typical "The user name could not be found." > error upon trying to join a Windows box. I've gone through every digest > on lists.samba.org and other sites and nothing has worked yet. Any > suggestions: > > Here's what I've done so far: > > 1. Installed everything via RPMS: > [root@smbtest root]# rpm -qa | grep openldap > openldap-2.1.29-1 > openldap-clients-2.1.29-1 > openldap-servers-2.1.29-1 > openldap-devel-2.1.29-1 > [root@smbtest root]# rpm -qa | grep samba > samba-3.0.3-5 > samba-client-3.0.3-5 > samba-common-3.0.3-5 > samba-swat-3.0.3-5 > [root@smbtest root]# rpm -qa | grep smbldap > smbldap-tools-0.8.4-1.1.fc2.dag > [root@smbtest root]# > > 2. Made my SSL certificates and put them in /var/ssl. > > 3. Made my slapd.conf: > --- Start slapd.conf --- > include /etc/openldap/schema/core.schema > include /etc/openldap/schema/cosine.schema > include /etc/openldap/schema/inetorgperson.schema > include /etc/openldap/schema/nis.schema > include /etc/openldap/schema/samba.schema > > allow bind_v2 > > passwd-hash {SSHA] > > pidfile /var/run/slapd.pid > > TLSCipherSuite HIGH:MEDIUM:+SSLv2 > TLSCACertificateFile /var/ssl/cacert.pem > TLSCertificateFile /var/ssl/ldapcrt.pem > TLSCertificateKeyFile /var/ssl/ldapkey.pem > TLSVerifyClient 0 > > security ssf=1 update_ssf=112 simple_bind=64 > > access to dn=".*,dc=soil,dc=ncsu,dc=edu" attr=userPassword > by dn="cn=Manager,dc=soil,dc=ncsu,dc=edu" write > by self write > by * auth > access to dn=".*,dc=soil,dc=ncsu,dc=edu" attr=mail > by dn="cn=Manager,dc=soil,dc=ncsu,dc=edu" write > by self write > by * auth > access to dn=".*,ou=People,dc=soil,dc=ncsu,dc=edu" > by * read > access to dn=".*,dc=soil,dc=ncsu,dc=edu" > by self write > by * read > > database ldbm > suffix "dc=soil,dc=ncsu,dc=edu" > rootdn "cn=Manager,dc=soil,dc=ncsu,dc=edu" > rootpw _thepassword_ > > directory /var/lib/ldap > > index objectClass,uid,uidNumber,gidNumber,memberUid eq > index cn,mail,surname,givenname eq,subinitial > --- End slapd.conf --- > > 4. Made the smb.conf: > --- Start smb.conf --- > [global] > > ; Basic server settings > workgroup = testdomain > netbios name = smbtest > server string = Samba Server %v > security = user > allow trusted domains = yes > > log level = 0 > log file = /var/log/samba/log.%m > max log size = 50 > > domain logons = Yes > os level = 65 > local master = yes > domain master = yes > preferred master = yes > encrypt passwords = yes > > passwd program = /usr/local/sbin/smbldap-passwd %u > passwd chat = *new*password* %n\n *new*password* %n\n *successfully* > unix password sync = yes > > ; User and Machine Account Backends > ldap ssl = start_tls > passdb backend = ldapsam:ldap://smbtest.soil.ncsu.edu:389 > ldap suffix = dc=soil,dc=ncsu,dc=edu > ldap admin dn = cn=Manager,dc=soil,dc=ncsu,dc=edu > ldap delete dn = no > ldap user suffix = ou=People > ldap group suffix = ou=Groups > ldap machine suffix = ou=Computers > admin users = administrator > > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 > > ; where to store user profiles > logon home > logon path > > ldap delete dn = Yes > add user script = /usr/local/sbin/smbldap-useradd -m "%u" > add machine script = /usr/local/sbin/smbldap-useradd -w "%u" > add group script = /usr/local/sbin/smbldap-groupadd -p "%g" > add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g" > delete user from group script = /usr/local/sbin/smbldap-groupmod -x > "%u" "%g" > set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u" > delete user script = /usr/local/sbin/smbldap-userdel "%u" > delete group script = /usr/local/sbin/smbldap-groupdel "%g" > > [netlogon] > comment = Network Logon Service > path = /usr/local/samba/lib/netlogon > read only = yes > write list = dom_admins > > [Homes] > username = tfugere > writeable = Yes > force create mode = 0770 > force directory mode = 02770 > browseable = No > --- End smb.conf --- > > 5. Made my smbldap*.conf: > --- Start smbldap.conf --- > UID_START="1000" > GID_START="1000" > SID="S-1-5-21-2625200706-2048882972-3065312840" > slaveLDAP="smbtest.soil.ncsu.edu" > slavePort="389" > masterLDAP="smbtest.soil.ncsu.edu" > masterPort="389" > ldapTLS="1" > verify="require" > cafile="/var/ssl/cacert.pem" > clientcert="/var/ssl/ldapcrt.pem" > clientkey="/var/ssl/ldapkey.pem" > suffix="dc=soil,dc=ncsu,dc=edu" > usersdn="ou=People,dc=soil,dc=ncsu,dc=edu" > computersdn="ou=Computers,dc=soil,dc=ncsu,dc=edu" > groupsdn="ou=Groups,dc=soil,dc=ncsu,dc=edu" > scope="sub" > hash_encrypt="SSHA" > userLoginShell="/bin/bash" > userHomePrefix="/home/" > userGecos="System User" > defaultUserGid="513" > defaultComputerGid="553" > skeletonDir="/etc/skel" > defaultMaxPasswordAge="45" > userSmbHome="" > userProfile="" > userHomeDrive="logondrive" > userScript="" > with_smbpasswd="0" > smbpasswd="/usr/bin/smbpasswd" > mk_ntpasswd="/usr/sbin/mkntpwd" > --- End smbldap.conf --- > --- Begin smbldap_bind.conf --- > slaveDN="cn=Manager,dc=soil,dc=ncsu,dc=edu" > slavePw="_hidden_" > masterDN="cn=Manager,dc=soil,dc=ncsu,dc=edu" > masterPw="_hidden_" > --- End smbldap_bind.conf --- > > 6. Started up the services: > /etc/init.d/ldap start > /etc/init.d/smb start > > 7. Set the root password: > smbpasswd -w _thepassword_ > > 8. Put in some test data: > soil.ncsu.edu/tony_temp/smbtest.ldif > > 9. Did a search on the LDAP DB: > ldapsearch -x -Z -D 'cn=Manager,dc=soil,dc=ncsu,dc=edu' -b > 'dc=soil,dc=ncsu,dc=edu' -W '(objectclass=*)' > Results: soil.ncsu.edu/tony_temp/ldapsearch.out > > 10. Set the root user password: > smbldap-passwd root > > 11. Changed the local security policy on the Windows XP machine: > Domain member: Digitally encrypt or sign secure data channel > (always) Disabled > Domain member: Digitally encrypt secure data channel (when > possible) Disabled > Domain member: Digitally sign secure data channel (when > possible) Disabled > > 12. Tried to join the domain through a Windows XP machine and got this > error when using root user: > The following error occurred when attempting to join the domain > "testdomain": > The user name could not be found. > > 13. Tried to navigate to the domain via my network places and was > successful. >Tony, Please be sure that the account you are using to add the machines to the domain has a uidNumber of '0'. That is the only factor that was holding me back. thanks, Joshua
Seemingly Similar Threads
- Re: Samba 3.0.3 on FC2: windows machine cannot join domain
- Re: Samba 3.0.3 on FC2: windows machine cannot join domain
- getent not showing domain users and groups with winbind but works with sssd
- trouble with german special chars on smb shares
- getent not showing domain users and groups with winbind but works with sssd