There is a bug with separating the machine suffix and the user suffix,
they both need to be the same container.
Please search the archives more, this topic comes up every week or so.
David Caplan wrote:
>Hi,
>
>I've got an issue with a samba 3 PDC with an ldap backend. I get a logon
>failure (unknown username or bad password) when trying to add a win2k
>box to the domain. I'm using Mandrake with Samba 3.0.2a and openldap 2.1.22.
>I am able to set up the workgroup on the w2k box, and access folders for
>users registered in the ldap database, however I am not able to join the
>domain with the user Administrator.
>
>Any ideas on where I can look to find errors or test another way? (I can't
>find anything in the ldap logs or the samba logs).
>
>Please CC me any response, as I'm not subscribed to the list.
>
>Thanks.
>- David
>
>---Some relevant smb.conf
>
>[global]
>
> ...
> username map = /etc/samba3/smbusers
> obey pam restrictions = No
> ldap passwd sync = yes
> passdb backend = ldapsam:ldap://127.0.0.1/
> unix password sync = yes
> pam password change = yes
> passwd chat = *New*UNIX*password* %n\n *Retype*new*UNIX*password* %n\n *LDAP*password*information*changed*for*dcaplan*\n *passwd:*all*authentication*tokens*updated*successfully*
> ldap admin dn = cn=root,dc=cloudraker,dc=com
> ldap suffix = dc=cloudraker,dc=com
> ldap group suffix = ou=Group
> ldap user suffix = ou=People
> ldap machine suffix = ou=Hosts
> ldap idmap suffix = ou=People
> ldap ssl = off
> #ldap ssl = start tls
> add user script = /usr/bin/smbldap-useradd3 -m "%u"
> ldap delete dn = Yes
> delete user script = /usr/bin/smbldap-userdel3 "%u"
> add machine script = /usr/bin/smbldap-useradd3 -w "%u"
> add group script = /usr/bin/smbldap-groupadd3 -p "%g"
> #delete group script = /usr/bin/smbldap-groupdel3 "%g"
> add user to group script = /usr/bin/smbldap-groupmod3 -m "%u" "%g"
> delete user from group script = /usr/bin/smbldap-groupmod3 -x "%u" "%g"
> set primary group script = /usr/bin/smbldap-usermod3 -g "%g" "%u"
> os level = 65
> security = user
> logon path = \\%L\profiles\%U
> logon drive = U:
> update encrypted = Yes
> encrypt passwords = yes
> domain master = yes
> domain logons = yes
> local master = yes
> preferred master = yes
> guest ok = no
> admin users = root Administrator
>
> #wins support = yes
> #wins proxy = yes
>----
>
>
>--
>David Caplan <david at david.ath.cx>
>Key fingerprint: AADC 53B6 D5FB 31FE E191 4E9A 8D5D 2952 9358
>
>
>
--
Paul Gienger Office: 701-281-1884
Applied Engineering Inc. Cell: 701-306-6254
Information Systems Consultant Fax: 701-281-1322
URL: www.ae-solutions.com mailto:pgienger@ae-solutions.com
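
A configuration check for the condition described in the reply above, as an added example that is not part of the original thread and is not Samba code: it reads the [global] section of an smb.conf and reports when ldap machine suffix and ldap user suffix name different containers. The sample file, the function names and the choice to treat two unset suffixes as matching are assumptions of this example.

```python
import re

# Constructed sample, modelled on the [global] excerpt quoted in this thread.
SAMPLE = """\
[global]
   ldap suffix = dc=example,dc=com
   ldap user suffix = ou=People
   ldap machine suffix = ou=Hosts
   # ldap machine suffix = ou=People
[profiles]
   ldap machine suffix = ou=Ignored
"""

def norm_name(name):
    # smb.conf ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name).lower()

def norm_dn(dn):
    # Compare containers without regard to case or spacing around commas.
    return ",".join(part.strip() for part in dn.lower().split(","))

def global_params(text):
    """Return the parameters of [global], keyed by normalised name."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#;"):
            continue                      # blank line or comment
        line = pending + line
        pending = ""
        if line.endswith("\\"):           # backslash continues the line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm_name(key)] = value.strip()
    return params

def check_suffixes(text):
    """Return a list of findings; empty when both suffixes match."""
    p = global_params(text)
    user = p.get("ldapusersuffix", "")
    machine = p.get("ldapmachinesuffix", "")
    if norm_dn(user) == norm_dn(machine):  # assumption: both unset counts as a match
        return []
    return ["ldap machine suffix (%s) differs from ldap user suffix (%s)"
            % (machine or "unset", user or "unset")]
```

Calling `check_suffixes(open("/etc/samba3/smb.conf").read())` would run the same check against a real file; the path here is inferred from the `username map` line in the quoted configuration.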