Tony Fugere
2004-Sep-23 18:11 UTC
[Samba] Re: Samba 3.0.3 on FC2: windows machine cannot join domain
After, oh, six months of attempts here and there to read everyone's experiences with Samba/LDAP and the inability of a Windows 2000/XP machine to join the domain, I finally discovered what was not working properly.

In my smb.conf I put:

    add machine script = /usr/local/sbin/smbldap-useradd -w "%u"

as instructed by many How-to's and Idealx. However, I thought to myself, %m means machine name, right? So, I changed the .conf to:

    add machine script = /usr/local/sbin/smbldap-useradd -w "%m"

Restarted Samba and tried to join the domain and VOILA! Just thought I'd let the community know so that when people in my previous position search Google for this subject they'll find this answer.

As of this e-mail, I'm using Samba 3.0.7, OpenLDAP 2.1.29, and Smbldap-tools 0.8.5.

--
Tony Fugere
tony_fugere@ncsu.edu

I wrote:

I'm using Samba 3.0.3 on Fedora Core 2 with OpenLDAP 2.1.29 for a backend. I'm getting the typical "The user name could not be found." error upon trying to join a Windows box. I've gone through every digest on lists.samba.org and other sites and nothing has worked yet. Any suggestions?

Here's what I've done so far:

1. Installed everything via RPMs:

    [root@smbtest root]# rpm -qa | grep openldap
    openldap-2.1.29-1
    openldap-clients-2.1.29-1
    openldap-servers-2.1.29-1
    openldap-devel-2.1.29-1
    [root@smbtest root]# rpm -qa | grep samba
    samba-3.0.3-5
    samba-client-3.0.3-5
    samba-common-3.0.3-5
    samba-swat-3.0.3-5
    [root@smbtest root]# rpm -qa | grep smbldap
    smbldap-tools-0.8.4-1.1.fc2.dag
    [root@smbtest root]#

2. Made my SSL certificates and put them in /var/ssl.

3. Made my slapd.conf:

--- Start slapd.conf ---
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

allow bind_v2

password-hash {SSHA}

pidfile /var/run/slapd.pid

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /var/ssl/cacert.pem
TLSCertificateFile /var/ssl/ldapcrt.pem
TLSCertificateKeyFile /var/ssl/ldapkey.pem
TLSVerifyClient 0

security ssf=1 update_ssf=112 simple_bind=64

access to dn=".*,dc=soil,dc=ncsu,dc=edu" attr=userPassword
    by dn="cn=Manager,dc=soil,dc=ncsu,dc=edu" write
    by self write
    by * auth
access to dn=".*,dc=soil,dc=ncsu,dc=edu" attr=mail
    by dn="cn=Manager,dc=soil,dc=ncsu,dc=edu" write
    by self write
    by * auth
access to dn=".*,ou=People,dc=soil,dc=ncsu,dc=edu"
    by * read
access to dn=".*,dc=soil,dc=ncsu,dc=edu"
    by self write
    by * read

database ldbm
suffix "dc=soil,dc=ncsu,dc=edu"
rootdn "cn=Manager,dc=soil,dc=ncsu,dc=edu"
rootpw _thepassword_

directory /var/lib/ldap

index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
--- End slapd.conf ---

4. Made the smb.conf:

--- Start smb.conf ---
[global]

; Basic server settings
workgroup = testdomain
netbios name = smbtest
server string = Samba Server %v
security = user
allow trusted domains = yes

log level = 0
log file = /var/log/samba/log.%m
max log size = 50

domain logons = Yes
os level = 65
local master = yes
domain master = yes
preferred master = yes
encrypt passwords = yes

passwd program = /usr/local/sbin/smbldap-passwd %u
passwd chat = *new*password* %n\n *new*password* %n\n *successfully*
unix password sync = yes

; User and Machine Account Backends
ldap ssl = start_tls
passdb backend = ldapsam:ldap://smbtest.soil.ncsu.edu:389
ldap suffix = dc=soil,dc=ncsu,dc=edu
ldap admin dn = cn=Manager,dc=soil,dc=ncsu,dc=edu
ldap delete dn = no
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
admin users = administrator

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

; where to store user profiles
logon home
logon path

ldap delete dn = Yes
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
delete user script = /usr/local/sbin/smbldap-userdel "%u"
delete group script = /usr/local/sbin/smbldap-groupdel "%g"

[netlogon]
comment = Network Logon Service
path = /usr/local/samba/lib/netlogon
read only = yes
write list = dom_admins

[Homes]
username = tfugere
writeable = Yes
force create mode = 0770
force directory mode = 02770
browseable = No
--- End smb.conf ---

5. Made my smbldap*.conf:

--- Start smbldap.conf ---
UID_START="1000"
GID_START="1000"
SID="S-1-5-21-2625200706-2048882972-3065312840"
slaveLDAP="smbtest.soil.ncsu.edu"
slavePort="389"
masterLDAP="smbtest.soil.ncsu.edu"
masterPort="389"
ldapTLS="1"
verify="require"
cafile="/var/ssl/cacert.pem"
clientcert="/var/ssl/ldapcrt.pem"
clientkey="/var/ssl/ldapkey.pem"
suffix="dc=soil,dc=ncsu,dc=edu"
usersdn="ou=People,dc=soil,dc=ncsu,dc=edu"
computersdn="ou=Computers,dc=soil,dc=ncsu,dc=edu"
groupsdn="ou=Groups,dc=soil,dc=ncsu,dc=edu"
scope="sub"
hash_encrypt="SSHA"
userLoginShell="/bin/bash"
userHomePrefix="/home/"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="553"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"
userSmbHome=""
userProfile=""
userHomeDrive="logondrive"
userScript=""
with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"
mk_ntpasswd="/usr/sbin/mkntpwd"
--- End smbldap.conf ---

--- Begin smbldap_bind.conf ---
slaveDN="cn=Manager,dc=soil,dc=ncsu,dc=edu"
slavePw="_hidden_"
masterDN="cn=Manager,dc=soil,dc=ncsu,dc=edu"
masterPw="_hidden_"
--- End smbldap_bind.conf ---

6. Started up the services:

    /etc/init.d/ldap start
    /etc/init.d/smb start

7. Set the root password:

    smbpasswd -w _thepassword_

8. Put in some test data:
http://www.soil.ncsu.edu/tony_temp/smbtest.ldif

9. Did a search on the LDAP DB:

    ldapsearch -x -Z -D 'cn=Manager,dc=soil,dc=ncsu,dc=edu' -b 'dc=soil,dc=ncsu,dc=edu' -W '(objectclass=*)'

Results: http://www.soil.ncsu.edu/tony_temp/ldapsearch.out

10. Set the root user password:

    smbldap-passwd root

11. Changed the local security policy on the Windows XP machine:

    Domain member: Digitally encrypt or sign secure data channel (always)   Disabled
    Domain member: Digitally encrypt secure data channel (when possible)    Disabled
    Domain member: Digitally sign secure data channel (when possible)       Disabled

12. Tried to join the domain through a Windows XP machine and got this error when using the root user:

    The following error occurred when attempting to join the domain "testdomain":
    The user name could not be found.

13. Tried to navigate to the domain via My Network Places and was successful.

--
Tony Fugere
tony_fugere@ncsu.edu
John H Terpstra
2004-Sep-23 18:55 UTC
[Samba] Re: Samba 3.0.3 on FC2: windows machine cannot join domain
Tony,

I do not have any proof to contradict your information, however, the source code suggests that this advice is perhaps suspect. The particular module that handles automatic account creation is in ~samba/source/rpc_server/srv_samr_nt.c and specifically at line 2253. Here is the very line that does the parameter substitution:

    all_string_sub(add_script, "%u", account, sizeof(add_script));

As you can see, it is the "%u" parameter that is being substituted. Maybe I am reading this incorrectly? However, I have performed many hundreds of installations and have always used the "%u" parameter - and it has worked.

Given this background I respectfully suggest that we should understand precisely what is happening in your situation by examining the Samba logs for the use of this function, once with the "%u" and again with the "%m" parameter. You can turn up the debug level on just this module by setting in smb.conf [globals]:

    log level = 0 rpc_srv:5 sam:5
    log file = /var/log/samba/%m.log
    max log size = 0

Please would you test this and report the findings? If our documentation is in error I want to fix it immediately.

Thanks so much for your input.

Cheers,
John T.

On Thursday 23 September 2004 12:11, Tony Fugere wrote:
> After, oh, six months of attempts here and there to read everyone's
> experiences with Samba/LDAP and inability for a windows 2000/XP machine
> to join the domain, I finally discovered what was not working properly.
>
> In my smb.conf I put:
>
> add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
>
> As instructed by many How-to's and Idealx. However, I thought to myself,
> %m means machine name right? So, I change the .conf to:
>
> add machine script = /usr/local/sbin/smbldap-useradd -w "%m"
>
> Restarted Samba and tried to join the domain and VOILA! Just thought I'd
> let the community know so that when people in my previous position
> search Google for this subject they'll find this answer.
>
> As of this e-mail, I'm using Samba 3.0.7, OpenLDAP 2.1.29, and
> Smbldap-tools 0.8.5.

--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
OpenLDAP by Example, ISBN: 0131488732
Other books in production.
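The open question in this exchange is what the `add machine script` argument actually contains once Samba has substituted "%u" (or "%m"). The wrapper below is an added example written for this page, not code from either poster or from smbldap-tools: it records the raw argument Samba passes, refuses anything that is not shaped like a machine account (name plus trailing `$`), and only then calls `smbldap-useradd -w`. The install path /usr/local/sbin/add-machine-wrapper.sh and the log path /var/log/samba/add-machine-wrapper.log are assumptions; point `add machine script` at it once with "%u" and once with "%m" and compare the two log lines.

```shell
#!/bin/sh
# Diagnostic wrapper for Samba's "add machine script" (constructed example,
# not part of either message or of smbldap-tools). Assumed smb.conf line:
#   add machine script = /usr/local/sbin/add-machine-wrapper.sh "%u"
# Samba runs this as root, so the value it substituted is logged verbatim,
# validated, and only then handed on to smbldap-useradd -w.

LOGFILE="${LOGFILE:-/var/log/samba/add-machine-wrapper.log}"     # assumed path
SMBLDAP_USERADD="${SMBLDAP_USERADD:-/usr/local/sbin/smbldap-useradd}"

# validate_machine_account NAME
# Returns 0 when NAME is a NetBIOS-style machine account: 1-15 characters of
# [A-Za-z0-9-] followed by a trailing '$'. A plain user name, an empty string,
# a bare '$', or anything with spaces/shell metacharacters returns 1.
validate_machine_account() {
    name=$1
    case "$name" in
        *'$') ;;                        # must end in '$'
        *) return 1 ;;
    esac
    base=${name%\$}                     # strip the trailing '$'
    [ -n "$base" ] || return 1
    [ "${#base}" -le 15 ] || return 1
    case "$base" in
        *[!A-Za-z0-9-]*) return 1 ;;    # character outside the allowed set
    esac
    return 0
}

# log_invocation NAME: append a timestamped record of the raw argument, so the
# %u-versus-%m question is answered from the log rather than from memory.
log_invocation() {
    printf '%s add machine script called with argv[1]=<%s>\n' \
        "$(date '+%Y-%m-%d %H:%M:%S')" "$1" >> "$LOGFILE"
}

main() {
    log_invocation "$1"
    if ! validate_machine_account "$1"; then
        printf '%s rejected: argument is not a machine account name\n' \
            "$(date '+%Y-%m-%d %H:%M:%S')" >> "$LOGFILE"
        exit 1
    fi
    exec "$SMBLDAP_USERADD" -w "$1"
}

# Only act when Samba actually passes an argument; sourcing the file does nothing.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

A rejected line in the log (for example a bare user name with no trailing `$`) shows that the chosen substitution did not yield a machine account, which is exactly the case that produces "The user name could not be found." on the Windows side.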