Tony Fugere
2004-Jun-11 14:58 UTC
[Samba] Samba 3.0.3 on FC2: windows machine cannot join domain
I'm using Samba 3.0.3 on Fedora Core 2 with OpenLDAP 2.1.29 as the
passdb backend. I'm getting the typical "The user name could not be
found."
error when trying to join a Windows box to the domain. I've gone through every digest
on lists.samba.org and other sites and nothing has worked yet. Any
suggestions?
Here's what I've done so far:
1. Installed everything via RPMS:
[root@smbtest root]# rpm -qa | grep openldap
openldap-2.1.29-1
openldap-clients-2.1.29-1
openldap-servers-2.1.29-1
openldap-devel-2.1.29-1
[root@smbtest root]# rpm -qa | grep samba
samba-3.0.3-5
samba-client-3.0.3-5
samba-common-3.0.3-5
samba-swat-3.0.3-5
[root@smbtest root]# rpm -qa | grep smbldap
smbldap-tools-0.8.4-1.1.fc2.dag
[root@smbtest root]#
2. Made my SSL certificates and put them in /var/ssl. (ldapkey.pem is the server's private key; it should be owned by the account slapd runs as and be mode 0400/0600, not world-readable. Note that smbldap.conf below also points at this same key as a "client key".)
3. Made my slapd.conf:
--- Start slapd.conf ---
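# slapd.conf for the Samba 3.0.3 PDC backed by OpenLDAP 2.1.29.
# nis.schema provides posixAccount/posixGroup; samba.schema (Samba 3) provides
# sambaSamAccount and the sambaLMPassword/sambaNTPassword attributes.
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

allow bind_v2

# The documented directive is "password-hash" and the scheme is written {SSHA}.
# The original "passwd-hash {SSHA]" (misspelled directive, mismatched bracket)
# is not a valid slapd.conf line.
password-hash {SSHA}

pidfile /var/run/slapd.pid

# Never offer SSLv2 cipher suites. "+SSLv2" only moves them to the end of the
# preference list; "!SSLv2" removes them. !aNULL/!eNULL also drop suites with
# no authentication or no encryption.
TLSCipherSuite HIGH:MEDIUM:!SSLv2:!aNULL:!eNULL
TLSCACertificateFile /var/ssl/cacert.pem
TLSCertificateFile /var/ssl/ldapcrt.pem
TLSCertificateKeyFile /var/ssl/ldapkey.pem
# Client certificates are never requested, so the clientcert/clientkey
# settings in smbldap.conf are unused by this server.
TLSVerifyClient 0

# ssf=1 refuses operations on sessions with no protection at all (a plain
# ldap:// session without StartTLS should get "confidentiality required");
# simple binds (which carry the password) need >= 64 bits and updates >= 112.
security ssf=1 update_ssf=112 simple_bind=64

# ACLs are evaluated in order, first match wins, so the credential rules must
# precede the catch-all read rules below. Samba stores password-equivalent
# hashes in sambaLMPassword/sambaNTPassword; the original rule protected only
# userPassword, so those hashes fell through to "by * read" and were readable
# by any client able to bind anonymously over StartTLS.
access to dn=".*,dc=soil,dc=ncsu,dc=edu" attrs=userPassword,sambaLMPassword,sambaNTPassword
    by dn="cn=Manager,dc=soil,dc=ncsu,dc=edu" write
    by self write
    by * auth
access to dn=".*,dc=soil,dc=ncsu,dc=edu" attrs=mail
    by dn="cn=Manager,dc=soil,dc=ncsu,dc=edu" write
    by self write
    by * auth
access to dn=".*,ou=People,dc=soil,dc=ncsu,dc=edu"
    by * read
# NOTE(review): "by self write" on every remaining attribute lets a user
# rewrite its own uidNumber/gidNumber/sambaSID/sambaAcctFlags, i.e. make
# itself uid 0 on every host that resolves accounts from this directory.
# Once the domain works, narrow self-write to the attributes users really
# need (loginShell, gecos, ...) and leave the rest read-only for self.
access to dn=".*,dc=soil,dc=ncsu,dc=edu"
    by self write
    by * read

database ldbm
suffix "dc=soil,dc=ncsu,dc=edu"
rootdn "cn=Manager,dc=soil,dc=ncsu,dc=edu"
# Store a hash produced by "slappasswd -h {SSHA}" here rather than the clear
# text, and keep slapd.conf readable only by the slapd user.
rootpw _thepassword_

directory /var/lib/ldap

index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
# Samba's ldapsam looks accounts and groups up by SID; index those too.
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq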
--- End slapd.conf ---
4. Made the smb.conf:
--- Start smb.conf ---
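[global]
; Basic server settings
workgroup = testdomain
netbios name = smbtest
server string = Samba Server %v
security = user
allow trusted domains = yes

; Level 0 hides why a join fails. While debugging the join use something like
; "log level = 3" (or "2 passdb:5") and check /var/log/samba/log.<client>,
; then drop it back.
log level = 0
log file = /var/log/samba/log.%m
max log size = 50

domain logons = Yes
os level = 65
local master = yes
domain master = yes
preferred master = yes
encrypt passwords = yes

; smbldap-tools paths: confirm with "rpm -ql smbldap-tools" that the RPM really
; installed the scripts under /usr/local/sbin.
passwd program = /usr/local/sbin/smbldap-passwd %u
passwd chat = *new*password* %n\n *new*password* %n\n *successfully*
unix password sync = yes

; User and Machine Account Backends
; StartTLS on 389. The "ldap admin dn" bind password is stored in secrets.tdb
; by "smbpasswd -w", never in this file.
ldap ssl = start_tls
passdb backend = ldapsam:ldap://smbtest.soil.ncsu.edu:389
ldap suffix = dc=soil,dc=ncsu,dc=edu
ldap admin dn = cn=Manager,dc=soil,dc=ncsu,dc=edu
; The original set this twice ("no" here and "Yes" further down). Samba uses
; the last occurrence, so the effective value was Yes, which deletes the whole
; LDAP entry (POSIX attributes included) when an account is removed through
; Samba. Keep exactly one setting and choose it deliberately.
ldap delete dn = no
ldap user suffix = ou=People
ldap group suffix = ou=Groups
; Machine accounts created by "add machine script" land here. The host's NSS
; (nss_ldap) must be able to resolve them as well, so point nss_ldap's base at
; dc=soil,dc=ncsu,dc=edu (or use ou=People); otherwise the join fails with
; "The user name could not be found".
ldap machine suffix = ou=Computers
; Members of this list get root-equivalent access on every share.
admin users = administrator

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

; where to store user profiles. The original had bare "logon home" and
; "logon path" lines without "=", which Samba ignores as badly formed, so the
; built-in defaults applied. Set them explicitly when needed, e.g.:
;logon home = \\%N\%U
;logon path = \\%N\profiles\%U

add user script = /usr/local/sbin/smbldap-useradd -m "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
delete user script = /usr/local/sbin/smbldap-userdel "%u"
delete group script = /usr/local/sbin/smbldap-groupdel "%g"

[netlogon]
comment = Network Logon Service
; Make sure this directory exists and is writable only by the write list.
path = /usr/local/samba/lib/netlogon
read only = yes
; If dom_admins is a group rather than a user it must be written "@dom_admins".
write list = dom_admins

[Homes]
; "username" is not needed in [homes]: the share is matched on the name of
; the connecting user.
username = tfugere
writeable = Yes
force create mode = 0770
force directory mode = 02770
browseable = No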
--- End smb.conf ---
5. Made my smbldap*.conf:
--- Start smbldap.conf ---
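# smbldap-tools 0.8.4 configuration (shell-style KEY="value" lines).
# First uid/gid handed out to accounts created by smbldap-useradd/groupadd.
UID_START="1000"
GID_START="1000"
# Must equal the domain SID Samba reports with "net getlocalsid"; otherwise
# the sambaSID values the scripts write belong to a different domain.
SID="S-1-5-21-2625200706-2048882972-3065312840"
# Same host serves reads (slave) and writes (master), plain port with StartTLS.
slaveLDAP="smbtest.soil.ncsu.edu"
slavePort="389"
masterLDAP="smbtest.soil.ncsu.edu"
masterPort="389"
# StartTLS, and require the server certificate to chain to cafile.
ldapTLS="1"
verify="require"
cafile="/var/ssl/cacert.pem"
# NOTE(review): these are the LDAP *server's* certificate and private key.
# slapd.conf has TLSVerifyClient 0, so no client certificate is ever requested
# and these are unused; if client certificates are ever required, issue a
# separate client certificate instead of reusing the server key.
clientcert="/var/ssl/ldapcrt.pem"
clientkey="/var/ssl/ldapkey.pem"
suffix="dc=soil,dc=ncsu,dc=edu"
usersdn="ou=People,dc=soil,dc=ncsu,dc=edu"
computersdn="ou=Computers,dc=soil,dc=ncsu,dc=edu"
groupsdn="ou=Groups,dc=soil,dc=ncsu,dc=edu"
scope="sub"
hash_encrypt="SSHA"
userLoginShell="/bin/bash"
userHomePrefix="/home/"
userGecos="System User"
# POSIX gids of the default user and computer groups; both must already exist
# under ou=Groups.
defaultUserGid="513"
defaultComputerGid="553"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome=""
userProfile=""
# sambaHomeDrive is a Windows drive letter; the original "logondrive" is not
# one, so Windows could not map the home share to it.
userHomeDrive="H:"
userScript=""
# Write the NT/LM hashes into LDAP directly via mk_ntpasswd instead of
# shelling out to smbpasswd.
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
mk_ntpasswd="/usr/sbin/mkntpwd"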
--- End smbldap.conf ---
--- Begin smbldap_bind.conf ---
# Bind credentials for smbldap-tools. They are the directory rootdn from
# slapd.conf, so this file is root-equivalent for the whole tree: keep it
# owned by root with mode 0600. (Passwords were redacted in this post.)
slaveDN="cn=Manager,dc=soil,dc=ncsu,dc=edu"
slavePw="_hidden_"
masterDN="cn=Manager,dc=soil,dc=ncsu,dc=edu"
masterPw="_hidden_"
--- End smbldap_bind.conf ---
6. Started up the services:
/etc/init.d/ldap start
/etc/init.d/smb start
7. Stored the LDAP admin bind password (the credential Samba uses for "ldap admin dn", kept in secrets.tdb; this is not the root user's password, which is step 10):
smbpasswd -w _thepassword_
(Passing the password as a command-line argument leaves it visible in ps output and the shell history; clear the history entry afterwards.)
8. Put in some test data:
http://www.soil.ncsu.edu/tony_temp/smbtest.ldif
9. Did a search on the LDAP DB (note: -Z tries StartTLS but continues unprotected if it fails; use -ZZ to make ldapsearch abort instead, which is what you want when testing a TLS setup):
ldapsearch -x -Z -D 'cn=Manager,dc=soil,dc=ncsu,dc=edu' -b
'dc=soil,dc=ncsu,dc=edu' -W '(objectclass=*)'
Results: http://www.soil.ncsu.edu/tony_temp/ldapsearch.out
10. Set the root user password:
smbldap-passwd root
11. Changed the local security policy on the Windows XP machine (this turns off NETLOGON secure-channel signing/encryption toward the DC; it is sometimes suggested for older Samba DCs, but it weakens the client's channel to the DC and should be re-enabled once the join works or if it turns out not to be needed):
Domain member: Digitally encrypt or sign secure data channel
(always) - Disabled
Domain member: Digitally encrypt secure data channel (when
possible) - Disabled
Domain member: Digitally sign secure data channel (when
possible) - Disabled
12. Tried to join the domain through a Windows XP machine and got this
error when using root user:
The following error occurred when attempting to join the domain
"testdomain":
The user name could not be found.
13. Tried to navigate to the domain via my network places and was
successful.
--
Tony Fugere
tony_fugere@ncsu.edu
Paul Gienger
2004-Jun-11 15:07 UTC
[Samba] Samba 3.0.3 on FC2: windows machine cannot join domain
> I'm using Samba 3.0.3 on Fedora Core 2 with OpenLDAP 2.1.29 for a > backend. I'm getting to typical "The user name could not be found." > error upon trying to join a Windows box. I've gone through every > digest on lists.samba.org and other sites and nothing has worked yet. > Any suggestions:You must have missed the ou=Computers discussion then, it comes up about every 2 weeks.> ; User and Machine Account Backends > ldap ssl = start_tls > passdb backend = ldapsam:ldap://smbtest.soil.ncsu.edu:389 > ldap suffix = dc=soil,dc=ncsu,dc=edu > ldap admin dn = cn=Manager,dc=soil,dc=ncsu,dc=edu > ldap delete dn = no > ldap user suffix = ou=People > ldap group suffix = ou=Groups > ldap machine suffix = ou=Computerschange this to ou=People or do one of the workarounds people have suggested, those being to reconfigure your nss library to search to a point in your ldap structure that contains both ou=People and ou=Computers (dc=soil,dc=ncsu,dc=edu). I guess that's the only suggested one, but I've thought about a couple others, one being to make an ou=Accounts which would contain aliases to ou=People and ou=Computers, but I haven't tested it yet... -- Paul Gienger Office: 701-281-1884 Applied Engineering Inc. Cell: 701-306-6254 Information Systems Consultant Fax: 701-281-1322 URL: www.ae-solutions.com mailto:pgienger@ae-solutions.com
Joshua Schmidlkofer
2004-Jun-11 18:00 UTC
[Samba] Samba 3.0.3 on FC2: windows machine cannot join domain
Tony Fugere wrote:> I'm using Samba 3.0.3 on Fedora Core 2 with OpenLDAP 2.1.29 for a > backend. I'm getting to typical "The user name could not be found." > error upon trying to join a Windows box. I've gone through every digest > on lists.samba.org and other sites and nothing has worked yet. Any > suggestions: > > Here's what I've done so far: > > 1. Installed everything via RPMS: > [root@smbtest root]# rpm -qa | grep openldap > openldap-2.1.29-1 > openldap-clients-2.1.29-1 > openldap-servers-2.1.29-1 > openldap-devel-2.1.29-1 > [root@smbtest root]# rpm -qa | grep samba > samba-3.0.3-5 > samba-client-3.0.3-5 > samba-common-3.0.3-5 > samba-swat-3.0.3-5 > [root@smbtest root]# rpm -qa | grep smbldap > smbldap-tools-0.8.4-1.1.fc2.dag > [root@smbtest root]# > > 2. Made my SSL certificates and put them in /var/ssl. > > 3. Made my slapd.conf: > --- Start slapd.conf --- > include /etc/openldap/schema/core.schema > include /etc/openldap/schema/cosine.schema > include /etc/openldap/schema/inetorgperson.schema > include /etc/openldap/schema/nis.schema > include /etc/openldap/schema/samba.schema > > allow bind_v2 > > passwd-hash {SSHA] > > pidfile /var/run/slapd.pid > > TLSCipherSuite HIGH:MEDIUM:+SSLv2 > TLSCACertificateFile /var/ssl/cacert.pem > TLSCertificateFile /var/ssl/ldapcrt.pem > TLSCertificateKeyFile /var/ssl/ldapkey.pem > TLSVerifyClient 0 > > security ssf=1 update_ssf=112 simple_bind=64 > > access to dn=".*,dc=soil,dc=ncsu,dc=edu" attr=userPassword > by dn="cn=Manager,dc=soil,dc=ncsu,dc=edu" write > by self write > by * auth > access to dn=".*,dc=soil,dc=ncsu,dc=edu" attr=mail > by dn="cn=Manager,dc=soil,dc=ncsu,dc=edu" write > by self write > by * auth > access to dn=".*,ou=People,dc=soil,dc=ncsu,dc=edu" > by * read > access to dn=".*,dc=soil,dc=ncsu,dc=edu" > by self write > by * read > > database ldbm > suffix "dc=soil,dc=ncsu,dc=edu" > rootdn "cn=Manager,dc=soil,dc=ncsu,dc=edu" > rootpw _thepassword_ > > directory /var/lib/ldap > > index 
objectClass,uid,uidNumber,gidNumber,memberUid eq > index cn,mail,surname,givenname eq,subinitial > --- End slapd.conf --- > > 4. Made the smb.conf: > --- Start smb.conf --- > [global] > > ; Basic server settings > workgroup = testdomain > netbios name = smbtest > server string = Samba Server %v > security = user > allow trusted domains = yes > > log level = 0 > log file = /var/log/samba/log.%m > max log size = 50 > > domain logons = Yes > os level = 65 > local master = yes > domain master = yes > preferred master = yes > encrypt passwords = yes > > passwd program = /usr/local/sbin/smbldap-passwd %u > passwd chat = *new*password* %n\n *new*password* %n\n *successfully* > unix password sync = yes > > ; User and Machine Account Backends > ldap ssl = start_tls > passdb backend = ldapsam:ldap://smbtest.soil.ncsu.edu:389 > ldap suffix = dc=soil,dc=ncsu,dc=edu > ldap admin dn = cn=Manager,dc=soil,dc=ncsu,dc=edu > ldap delete dn = no > ldap user suffix = ou=People > ldap group suffix = ou=Groups > ldap machine suffix = ou=Computers > admin users = administrator > > socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 > > ; where to store user profiles > logon home > logon path > > ldap delete dn = Yes > add user script = /usr/local/sbin/smbldap-useradd -m "%u" > add machine script = /usr/local/sbin/smbldap-useradd -w "%u" > add group script = /usr/local/sbin/smbldap-groupadd -p "%g" > add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g" > delete user from group script = /usr/local/sbin/smbldap-groupmod -x > "%u" "%g" > set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u" > delete user script = /usr/local/sbin/smbldap-userdel "%u" > delete group script = /usr/local/sbin/smbldap-groupdel "%g" > > [netlogon] > comment = Network Logon Service > path = /usr/local/samba/lib/netlogon > read only = yes > write list = dom_admins > > [Homes] > username = tfugere > writeable = Yes > force create mode = 0770 > force directory mode = 02770 > 
browseable = No > --- End smb.conf --- > > 5. Made my smbldap*.conf: > --- Start smbldap.conf --- > UID_START="1000" > GID_START="1000" > SID="S-1-5-21-2625200706-2048882972-3065312840" > slaveLDAP="smbtest.soil.ncsu.edu" > slavePort="389" > masterLDAP="smbtest.soil.ncsu.edu" > masterPort="389" > ldapTLS="1" > verify="require" > cafile="/var/ssl/cacert.pem" > clientcert="/var/ssl/ldapcrt.pem" > clientkey="/var/ssl/ldapkey.pem" > suffix="dc=soil,dc=ncsu,dc=edu" > usersdn="ou=People,dc=soil,dc=ncsu,dc=edu" > computersdn="ou=Computers,dc=soil,dc=ncsu,dc=edu" > groupsdn="ou=Groups,dc=soil,dc=ncsu,dc=edu" > scope="sub" > hash_encrypt="SSHA" > userLoginShell="/bin/bash" > userHomePrefix="/home/" > userGecos="System User" > defaultUserGid="513" > defaultComputerGid="553" > skeletonDir="/etc/skel" > defaultMaxPasswordAge="45" > userSmbHome="" > userProfile="" > userHomeDrive="logondrive" > userScript="" > with_smbpasswd="0" > smbpasswd="/usr/bin/smbpasswd" > mk_ntpasswd="/usr/sbin/mkntpwd" > --- End smbldap.conf --- > --- Begin smbldap_bind.conf --- > slaveDN="cn=Manager,dc=soil,dc=ncsu,dc=edu" > slavePw="_hidden_" > masterDN="cn=Manager,dc=soil,dc=ncsu,dc=edu" > masterPw="_hidden_" > --- End smbldap_bind.conf --- > > 6. Started up the services: > /etc/init.d/ldap start > /etc/init.d/smb start > > 7. Set the root password: > smbpasswd -w _thepassword_ > > 8. Put in some test data: > http://www.soil.ncsu.edu/tony_temp/smbtest.ldif > > 9. Did a search on the LDAP DB: > ldapsearch -x -Z -D 'cn=Manager,dc=soil,dc=ncsu,dc=edu' -b > 'dc=soil,dc=ncsu,dc=edu' -W '(objectclass=*)' > Results: http://www.soil.ncsu.edu/tony_temp/ldapsearch.out > > 10. Set the root user password: > smbldap-passwd root > > 11. 
Changed the local security policy on the Windows XP machine: > Domain member: Digitally encrypt or sign secure data channel > (always) Disabled > Domain member: Digitally encrypt secure data channel (when > possible) Disabled > Domain member: Digitally sign secure data channel (when > possible) Disabled > > 12. Tried to join the domain through a Windows XP machine and got this > error when using root user: > The following error occurred when attempting to join the domain > "testdomain": > The user name could not be found. > > 13. Tried to navigate to the domain via my network places and was > successful. >Tony, Please be sure that the account you are using to add the machines to the domain has a uidNumber of '0'. That is the only factor that was holding me back. thanks, Joshua