Greetings,

I've been pulling my hair out on this problem for several days and I'm not really any closer to a solution. I hope someone out there can help me.

I'm trying to set up a Samba PDC on a Fedora Core 2 box using an LDAP backend (on another server). The base install of everything is working fine. At the Unix level LDAP connectivity is configured and working properly for users and groups. I've also installed IDEALX's smbldap-tools and used their script to configure the LDAP directory for Samba. As far as I can tell that's all configured and working properly too. I can add users and groups with the smbldap-useradd and smbldap-groupadd tools and they show up in the proper places when I browse the LDAP directory with a GUI tool I have. (Note: the Samba PDC and the LDAP server are two separate machines.)

Here's what's installed for Samba on my FC2 box:

samba-swat-3.0.7-2.FC2
samba-common-3.0.7-2.FC2
samba-client-3.0.7-2.FC2
samba-3.0.7-2.FC2

The relevant portions of my smb.conf file are as follows:

# Global parameters
[global]
        netbios name = LUNA
        workgroup = BI
        passdb backend = ldapsam:ldap://mercury.bibleinfo.com
        os level = 35
        preferred master = yes
        domain master = yes
        local master = yes
        security = user
        domain logons = yes
        logon path = \\LUNA\profiles\%u
        logon drive = H:
        logon home = \\LUNA\%u
        logon script = logon.cmd
        ldap delete dn = Yes
        add user script = /usr/sbin/smbldap-useradd -a -m "%u"
        add machine script = /usr/sbin/smbldap-useradd -w "%u"
        add group script = /usr/sbin/smbldap-groupadd -p "%g"
        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
        delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
        server string = Bibleinfo.com file server
        log file = /var/log/samba/%m.log
        log level = 10
        max log size = 50
        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
        printcap name = /etc/printcap
        dns proxy = No
        ldap suffix = dc=bibleinfo,dc=iiw
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=People
        ldap group suffix = ou=Groups
        ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
        ldap admin dn = "cn=Manager,dc=bibleinfo,dc=iiw"
        ldap ssl = start tls
        ldap passwd sync = Yes
        idmap uid = 16777216-33554431
        idmap gid = 16777216-33554431

[netlogon]
        path = /var/lib/samba/netlogon

<snip>

As far as I can tell I should be able to join the domain with the root account (added with smbldap-useradd -a -G 512 -m -s /bin/false -d /dev/null -F "" -P root). But all I get for my efforts is an error dialog: "The following error occurred attempting to join the domain 'BI': The network path was not found".

The log of this attempt server side is as follows:

[Administrator@luna samba]# cat 10.10.10.153.log
[2004/12/07 17:02:59, 6] param/loadparm.c:lp_file_list_changed(2684)
  lp_file_list_changed()
  file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Tue Dec  7 16:51:08 2004

[2004/12/07 17:02:59, 3] smbd/oplock.c:init_oplocks(1302)
  open_oplock_ipc: opening loopback UDP socket.
[2004/12/07 17:02:59, 10] lib/util_sock.c:open_socket_in(717)
  bind succeeded on port 0
[2004/12/07 17:02:59, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(303)
  Linux kernel oplocks enabled
[2004/12/07 17:02:59, 3] smbd/oplock.c:init_oplocks(1333)
  open_oplock ipc: pid = 12086, global_oplock_port = 32895
[2004/12/07 17:02:59, 4] lib/time.c:get_serverzone(122)
  Serverzone is 28800
[2004/12/07 17:02:59, 10] lib/smbldap.c:smbldap_idle_fn(1118)
  ldap connection not idle...
[2004/12/07 17:02:59, 10] lib/util_sock.c:read_smb_length_return_keepalive(505)
  got smb length of 68
[2004/12/07 17:02:59, 6] smbd/process.c:process_smb(1091)
  got message type 0x81 of len 0x44
[2004/12/07 17:02:59, 3] smbd/process.c:process_smb(1092)
  Transaction 0 of length 72
[2004/12/07 17:02:59, 2] smbd/reply.c:reply_special(235)
  netbios connect: name1=LUNA name2=OLDDELL
[2004/12/07 17:02:59, 2] smbd/reply.c:reply_special(242)
  netbios connect: local=luna remote=olddell, name type = 0

The other thing that's puzzling is that Samba never creates the machine trust account using the script denoted in smb.conf. If I run the script manually on the command line it works fine, but that still doesn't get me any further with joining the domain (same error, in fact).

Thanks for the help.

-Andrew
Hi Andrew,

I ran into a couple of XP issues when trying to join my Totalnet Advanced Server (TAS) domain. Though not exactly Samba, this was a change on the XP end and may help.

I found that I had to change the local security policy such that "Domain member: Digitally encrypt or sign secure channel data (always)" had to be disabled. A reboot afterwards is needed. This is found under Control Panel -> Performance and Maintenance -> Administrative Tools -> Local Security Policy -> Security Settings -> Local Policies -> Security Options.

I also had to disable the Internet Connection Firewall, at least with non-SP2. SP2 will generally prompt you as to whether to allow programs to get through the firewall. If you are not using domain membership, this may not apply, but it would be good to check into the firewall angle in any case.

Chuck

At 05:07 PM 12/7/2004, Andrew wrote:
>Greetings,
>
>I've been pulling my hair out on this problem for several days and I'm not
>really any closer to a solution. I hope someone out there can help me.
>
>I'm trying to set up a Samba PDC on a Fedora Core 2 box using an LDAP
>backend (on another server). The base install of everything is working
>fine. At the Unix level LDAP connectivity is configured and working
>properly for users and groups. I've also installed IDEALX's smbldap-tools
>and used their script to configure the LDAP directory for Samba. As far as
>I can tell that's all configured and working properly too. I can add users
>and groups with the smbldap-useradd and smbldap-groupadd tools and they show up in the
>proper places when I browse the LDAP directory with a GUI tool I have.
>(Note: the Samba PDC and the LDAP server are two separate machines.)
>
>Here's what's installed for Samba on my FC2 box:
>
>samba-swat-3.0.7-2.FC2
>samba-common-3.0.7-2.FC2
>samba-client-3.0.7-2.FC2
>samba-3.0.7-2.FC2
>
>The relevant portions of my smb.conf file are as follows:
>
>
># Global parameters
>[global]
>        netbios name = LUNA
>        workgroup = BI
>        passdb backend = ldapsam:ldap://mercury.bibleinfo.com
>        os level = 35
>        preferred master = yes
>        domain master = yes
>        local master = yes
>        security = user
>        domain logons = yes
>        logon path = \\LUNA\profiles\%u
>        logon drive = H:
>        logon home = \\LUNA\%u
>        logon script = logon.cmd
>        ldap delete dn = Yes
>        add user script = /usr/sbin/smbldap-useradd -a -m "%u"
>        add machine script = /usr/sbin/smbldap-useradd -w "%u"
>        add group script = /usr/sbin/smbldap-groupadd -p "%g"
>        add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>        delete user from group script = /usr/sbin/smbldap-groupmod -x
>        "%u" "%g"
>        set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>        server string = Bibleinfo.com file server
>        log file = /var/log/samba/%m.log
>        log level = 10
>        max log size = 50
>        socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>        printcap name = /etc/printcap
>        dns proxy = No
>        ldap suffix = dc=bibleinfo,dc=iiw
>        ldap machine suffix = ou=Computers
>        ldap user suffix = ou=People
>        ldap group suffix = ou=Groups
>        ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
>        ldap admin dn = "cn=Manager,dc=bibleinfo,dc=iiw"
>        ldap ssl = start tls
>        ldap passwd sync = Yes
>        idmap uid = 16777216-33554431
>        idmap gid = 16777216-33554431
>
>[netlogon]
>        path = /var/lib/samba/netlogon
>
><snip>
>
>
>As far as I can tell I should be able to join the domain with the root
>account (added with smbldap-useradd -a -G 512 -m -s /bin/false -d
>/dev/null -F "" -P root). But all I get for my efforts is an error dialog
>"The following error occurred attempting to join the domain 'BI': The
>network path was not found".
>
>The log of this attempt server side is as follows:
>
>[Administrator@luna samba]# cat 10.10.10.153.log
>[2004/12/07 17:02:59, 6] param/loadparm.c:lp_file_list_changed(2684)
>  lp_file_list_changed()
>  file /etc/samba/smb.conf -> /etc/samba/smb.conf last mod_time: Tue
>  Dec  7 16:51:08 2004
>
>[2004/12/07 17:02:59, 3] smbd/oplock.c:init_oplocks(1302)
>  open_oplock_ipc: opening loopback UDP socket.
>[2004/12/07 17:02:59, 10] lib/util_sock.c:open_socket_in(717)
>  bind succeeded on port 0
>[2004/12/07 17:02:59, 3] smbd/oplock_linux.c:linux_init_kernel_oplocks(303)
>  Linux kernel oplocks enabled
>[2004/12/07 17:02:59, 3] smbd/oplock.c:init_oplocks(1333)
>  open_oplock ipc: pid = 12086, global_oplock_port = 32895
>[2004/12/07 17:02:59, 4] lib/time.c:get_serverzone(122)
>  Serverzone is 28800
>[2004/12/07 17:02:59, 10] lib/smbldap.c:smbldap_idle_fn(1118)
>  ldap connection not idle...
>[2004/12/07 17:02:59, 10]
>lib/util_sock.c:read_smb_length_return_keepalive(505)
>  got smb length of 68
>[2004/12/07 17:02:59, 6] smbd/process.c:process_smb(1091)
>  got message type 0x81 of len 0x44
>[2004/12/07 17:02:59, 3] smbd/process.c:process_smb(1092)
>  Transaction 0 of length 72
>[2004/12/07 17:02:59, 2] smbd/reply.c:reply_special(235)
>  netbios connect: name1=LUNA name2=OLDDELL
>[2004/12/07 17:02:59, 2] smbd/reply.c:reply_special(242)
>  netbios connect: local=luna remote=olddell, name type = 0
>
>
>The other thing that's puzzling is that Samba never creates the machine
>trust account using the script denoted in smb.conf. If I run the script
>manually on the command line it works fine, but that still doesn't get me
>any further with joining the domain (same error, in fact).
>
>Thanks for the help.
>
>-Andrew
>
>--
>To unsubscribe from this list go to the following URL and read the
>instructions: http://lists.samba.org/mailman/listinfo/samba

Chuck Theobald
System Administrator
The Robert and Beverly Lewis Center for Neuroimaging
University of Oregon
P: 541-346-0343
F: 541-346-0345
> As far as I can tell I should be able to join the domain with the root
> account (added with smbldap-useradd -a -G 512 -m -s /bin/false -d
> /dev/null -F "" -P root). But all I get for my efforts is an error
> dialog "The following error occurred attempting to join the domain
> 'BI': The network path was not found".

If you're using the stock IDEALX setup, I believe you could be using the Administrator account; make sure that you have the password for that account, and change it with smbpasswd if not. Your root user may or may not be set up right; I don't know the syntax of the command off hand.

Try changing your double quotes to single quotes; I believe that has been known to cause issues.

Have you set the password for your manager DN? Does your sambaDomain object exist?

Grasping at straws a bit here, since your log doesn't seem to say anything blatantly obvious.

--
Paul Gienger                          Office: 701-281-1884
Applied Engineering Inc.              Fax:    701-281-1322
Systems Architect                     URL:    www.ae-solutions.com
mailto: pgienger@ae-solutions.com
>> As far as I can tell I should be able to join the domain with the
>> root account (added with smbldap-useradd -a -G 512 -m -s /bin/false
>> -d /dev/null -F "" -P root). But all I get for my efforts is an error
>> dialog "The following error occurred attempting to join the domain
>> 'BI': The network path was not found".
>
> If you're using the stock idealx setup (I believe) that you could be
> using the Administrator account, make sure that you have the password
> for that account, change it with smbpasswd if not. Your root user may
> or may not be set up right, I don't know the syntax of the command off
> hand.

I've set the passwords for Administrator and for root with smbpasswd and that doesn't seem to help.

> Try to change your double quotes to single quotes, I believe that has
> been known to cause issues.

Do you mean the double quotes in the smbldap-useradd command above?

> Have you set the password for your manager DN? Does your sambaDomain
> object exist?

The sambaDomain object does exist and was created by the IDEALX setup script, I believe. At any rate it shows up in my LDAP tree. From my GUI LDAP browser, this is what my directory looks like:

World
  > iiw
    > bibleinfo
      > bi              # sambaDomain object?
      * Computers
      * Groups
      * Idmap
      % Manager
      % NextFreeUnixId
      * People
        % Administrator
        % User1
        % User2
        . .
        % nobody
        % proxyagent
        % root
        % user3
        . .

I'm using JXplorer, and the symbols >, * and % above translate to icons as follows:

  > = small round circle (generic object icon, I think)
  * = an icon looking like a cluster or tree of boxes (container for objects?)
  % = an icon consisting of a little face (user) and a sheet of paper (properties)

> Grasping at straws a bit here since your log doesn't seem to say
> anything blatantly obvious.

Speaking of logs: I bumped the log level down to 2 and this is what was printed for two consecutive domain joining attempts (one with the root user, and one with the Administrator user):

[2004/12/08 09:03:34, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/12/08 09:03:34, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/12/08 09:03:34, 2] passdb/pdb_ldap.c:init_sam_from_ldap(485)
  init_sam_from_ldap: Entry found for user: root
[2004/12/08 09:03:35, 2] passdb/pdb_ldap.c:init_group_from_ldap(1902)
  init_group_from_ldap: Entry found for group: 512
[2004/12/08 09:03:35, 2] passdb/pdb_ldap.c:init_group_from_ldap(1902)
  init_group_from_ldap: Entry found for group: 1000
[2004/12/08 09:03:35, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
[2004/12/08 09:03:36, 2] smbd/server.c:exit_server(571)
  Closing connections
[2004/12/08 09:10:53, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/12/08 09:10:53, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/12/08 09:10:53, 2] passdb/pdb_ldap.c:init_sam_from_ldap(485)
  init_sam_from_ldap: Entry found for user: Administrator
[2004/12/08 09:10:53, 2] passdb/pdb_ldap.c:init_group_from_ldap(1902)
  init_group_from_ldap: Entry found for group: 512
[2004/12/08 09:10:53, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [Administrator] -> [Administrator] -> [Administrator] succeeded
[2004/12/08 09:10:54, 2] smbd/server.c:exit_server(571)
  Closing connections

A log level of 3 gives much more detail, but that's a lot to post here and I don't see anything that jumps out at me error-wise.

Would it be a problem with an obscure setting on the XP machine somehow? I've tried disabling "Domain member: Digitally encrypt or sign secure channel data (always)" as suggested by Chuck, but I still get the same error ("The network path was not found"). I presume this is the same as another suggestion I found about changing the registry:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000000
"signsecurechannel"=dword:00000000

So the bottom line is still no luck. Anyone have additional suggestions?

-Andrew
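The level-2 smbd log above shows the ldapsam user and group lookups and a successful NTLM verdict, but no lookup of a machine account before the session closes. The following is an added example, not code from the thread or from Samba, that parses that two-line smbd log format and pulls those facts out of a constructed sample modelled on the excerpt; parse_smbd_log, summarize_join and SAMPLE_LOG are names chosen here.

```python
import re
# Constructed sample, modelled on the level-2 smbd log excerpt posted in this thread.
SAMPLE_LOG = """\
[2004/12/08 09:03:34, 2] smbd/sesssetup.c:setup_new_vc_session(608)
  setup_new_vc_session: New VC == 0, if NT4.x compatible we would close all old resources.
[2004/12/08 09:03:34, 2] passdb/pdb_ldap.c:init_sam_from_ldap(485)
  init_sam_from_ldap: Entry found for user: root
[2004/12/08 09:03:35, 2] passdb/pdb_ldap.c:init_group_from_ldap(1902)
  init_group_from_ldap: Entry found for group: 512
[2004/12/08 09:03:35, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
[2004/12/08 09:03:36, 2] smbd/server.c:exit_server(571)
  Closing connections
"""

# Header line: "[YYYY/MM/DD HH:MM:SS, level] source.c:function(line)"
HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d), (\d+)\] (\S+):(\w+)\((\d+)\)$")
# Verdict from auth/auth.c; the mapped-name arrows vary, the verdict word does not.
AUTH = re.compile(r"authentication for user \[([^\]]*)\].*?(succeeded|failed)", re.I)

def parse_smbd_log(text):
    """Fold smbd's header-plus-indented-message records into dicts."""
    records, cur = [], None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts, level, src, func, _ = m.groups()
            cur = {"ts": ts, "level": int(level), "src": src, "func": func, "msg": ""}
            records.append(cur)
        elif cur is not None and line.startswith(" "):
            cur["msg"] = (cur["msg"] + " " + line.strip()).strip()
    return records

def summarize_join(records):
    """Facts a join attempt depends on: users/groups the ldapsam backend resolved,
    the NTLM verdict, and whether any machine account (name$) was looked up."""
    s = {"users": [], "groups": [], "auth": [], "machine_lookup": False, "closed": False}
    for r in records:
        msg = r["msg"]
        if r["func"] == "init_sam_from_ldap" and "Entry found for user:" in msg:
            name = msg.rsplit(":", 1)[1].strip()
            s["users"].append(name)
            s["machine_lookup"] |= name.endswith("$")  # machine accounts end in '$'
        elif r["func"] == "init_group_from_ldap" and "Entry found for group:" in msg:
            s["groups"].append(int(msg.rsplit(":", 1)[1]))
        elif r["func"] == "check_ntlm_password" and (m := AUTH.search(msg)):
            s["auth"].append((m.group(1), m.group(2).lower()))
        elif r["func"] == "exit_server" and "Closing connections" in msg:
            s["closed"] = True
    return s
```

Run it over a real %m.log captured during a join: an attempt whose summary shows a successful auth and closed session but machine_lookup False never reached the machine-account stage, which is where the add machine script would have fired.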