Felipe Alfaro Solana
2006-May-19 11:13 UTC
[Samba] net rpc join fails the first time but succeeds the second
Hi.

I'm having some trouble when trying to join a SAMBA machine, acting as a member server, to a NT-style domain server managed by a SAMBA PDC using an LDAP back-end. Both machines are running samba-3.0.10-1.4E.6 on Red Hat Enterprise Linux 4.1 Update 3 for AMD64.

When trying to add the member server to the domain, it fails with an error message. However, if I try to add it again, the operation succeeds.

The first try to add the member server fails with this error message:

    [root@member ~]# net rpc join CENTRAL -U Administrator%password
    [2006/05/19 13:01:08, 0] utils/net_rpc_join.c:net_rpc_join_newstyle(319)
    Error domain join verification (reused connection): NT_STATUS_ACCESS_DENIED

    Unable to join domain CENTRAL.

I can see the SAMBA machine account has been created:

    [root@pdc ~]# pdbedit -L
    Administrator:0:Domain Administrator
    member$:10001:Machine

Then, immediately, I try to add the member server, once again:

    [root@member ~]# net rpc join CENTRAL -U Administrator%password
    Joined domain CENTRAL.

Both, the member server and PDC are using nss_ldap.
Thus:

    [root@member ~]# id Administrator
    uid=0(root) gid=0(root) groups=0(root)

The smb.conf for the PDC is:

    [global]

    # Store SAMBA data into an LDAP backend
    passdb backend = ldapsam:ldap://ldap/
    ldap admin dn = cn=Directory Manager
    ldap suffix = dc=central
    ldap user suffix = ou=People
    ldap machine suffix = ou=Computers
    ldap group suffix = ou=Groups

    # Scripts for managing users and computers
    add user script = /usr/sbin/luseradd -g "Domain Users" %u
    delete user script = /usr/sbin/luserdel -r %u
    add group script = /usr/sbin/lgroupadd %g
    delete group script = /usr/sbin/groupdel %g
    add user to group script = /usr/sbin/lgroupmod -A %u %g
    delete user from group script = /usr/sbin/lgroupmod -R %u %g
    add machine script = /usr/sbin/luseradd -g "Domain Computers" -c "Machine" -s /bin/false -d /dev/null -n -M "%u"

    workgroup = CENTRAL
    netbios name = NDS1
    server string = CENTRAL Samba Domain Controller

    load printers = no

    log file = /var/log/samba/%m.log

    security = user
    encrypt passwords = yes

    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

    os level = 35
    local master = yes
    domain master = yes
    preferred master = yes
    domain logons = yes
    logon path

    wins support = yes

The smb.conf for the member server is:

    [global]

    workgroup = CENTRAL
    server string = CENTRAL File Server
    netbios name = FS1
    log file = /var/log/samba/%m.log
    max log size = 50
    security = domain
    encrypt passwords = yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

Any ideas?
Thank you very much.
Mark Proehl
2006-May-19 13:18 UTC
[Samba] net rpc join fails the first time but succeeds the second
Hi,

if you create a new user with luseradd, is this new user immediately available? Or do you have to wait some time between the following two commands:

> /usr/sbin/luseradd -g "Domain Computers" -c "Machine" -s /bin/false -d /dev/null -n -M testuser
> id testuser

Mark

On Fri, May 19, 2006 at 01:13:21PM +0200, Felipe Alfaro Solana wrote:
> Hi.
>
> I'm having some trouble when trying to join a SAMBA machine, acting as
> a member server, to a NT-style domain server managed by a SAMBA PDC
> using an LDAP back-end. Both machines are running samba-3.0.10-1.4E.6
> on Red Hat Enterprise Linux 4.1 Update 3 for AMD64.
>
> When trying to add the member server to the domain, it fails with an
> error message. However, if I try to add it again, the operation
> succeeds.
>
> The first try to add the member server fails with this error message:
>
> [root@member ~]# net rpc join CENTRAL -U Administrator%password
> [2006/05/19 13:01:08, 0] utils/net_rpc_join.c:net_rpc_join_newstyle(319)
> Error domain join verification (reused connection): NT_STATUS_ACCESS_DENIED
>
> Unable to join domain CENTRAL.
>
> I can see the SAMBA machine account has been created:
>
> [root@pdc ~]# pdbedit -L
> Administrator:0:Domain Administrator
> member$:10001:Machine
>
> Then, immediately, I try to add the member server, once again:
>
> [root@member ~]# net rpc join CENTRAL -U Administrator%password
> Joined domain CENTRAL.
>
> Both, the member server and PDC are using nss_ldap.
> Thus:
>
> [root@member ~]# id Administrator
> uid=0(root) gid=0(root) groups=0(root)
>
> The smb.conf for the PDC is:
>
> [global]
>
> # Store SAMBA data into an LDAP backend
> passdb backend = ldapsam:ldap://ldap/
> ldap admin dn = cn=Directory Manager
> ldap suffix = dc=central
> ldap user suffix = ou=People
> ldap machine suffix = ou=Computers
> ldap group suffix = ou=Groups
>
> # Scripts for managing users and computers
> add user script = /usr/sbin/luseradd -g "Domain Users" %u
> delete user script = /usr/sbin/luserdel -r %u
> add group script = /usr/sbin/lgroupadd %g
> delete group script = /usr/sbin/groupdel %g
> add user to group script = /usr/sbin/lgroupmod -A %u %g
> delete user from group script = /usr/sbin/lgroupmod -R %u %g
> add machine script = /usr/sbin/luseradd -g "Domain Computers" -c "Machine" -s /bin/false -d /dev/null -n -M "%u"
>
> workgroup = CENTRAL
> netbios name = NDS1
> server string = CENTRAL Samba Domain Controller
>
> load printers = no
>
> log file = /var/log/samba/%m.log
>
> security = user
> encrypt passwords = yes
>
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> os level = 35
> local master = yes
> domain master = yes
> preferred master = yes
> domain logons = yes
> logon path
>
> wins support = yes
>
> The smb.conf for the member server is:
>
> [global]
>
> workgroup = CENTRAL
> server string = CENTRAL File Server
> netbios name = FS1
> log file = /var/log/samba/%m.log
> max log size = 50
> security = domain
> encrypt passwords = yes
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> Any ideas?
> Thank you very much.
> --
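
Added example, not part of any message in this thread: a small shell helper for answering the question above, i.e. whether an account created by the add machine script resolves through NSS at once or only after some delay. The function names and the LOOKUP_CMD override are assumptions made for this sketch; the default lookup is `getent passwd`.

```shell
#!/bin/sh
# Added example (not from the thread): check how many lookups it takes
# before a freshly created account is resolvable through NSS.
# Run on the PDC right after the luseradd command from the message above.

# lookup_account NAME: succeed if NAME resolves.
# LOOKUP_CMD is a hypothetical override so the poll loop can be exercised
# without a real directory; by default `getent passwd` is used.
lookup_account() {
    ${LOOKUP_CMD:-getent passwd} "$1" >/dev/null 2>&1
}

# wait_for_account NAME [MAX_TRIES] [DELAY_SECONDS]
# Polls until NAME resolves. Leaves the number of lookups in WAIT_TRIES.
# Returns 0 once the account is visible, 1 if it never appeared.
wait_for_account() {
    name=$1
    max_tries=${2:-10}
    delay=${3:-1}
    WAIT_TRIES=0
    while [ "$WAIT_TRIES" -lt "$max_tries" ]; do
        WAIT_TRIES=$((WAIT_TRIES + 1))
        if lookup_account "$name"; then
            return 0
        fi
        sleep "$delay"
    done
    return 1
}

# report_visibility NAME [MAX_TRIES] [DELAY_SECONDS]: one-line verdict.
report_visibility() {
    if wait_for_account "$@"; then
        if [ "$WAIT_TRIES" -eq 1 ]; then
            echo "$1: visible immediately"
        else
            echo "$1: visible only after $WAIT_TRIES lookups (not immediately resolvable)"
        fi
    else
        echo "$1: still not visible after $WAIT_TRIES lookups"
        return 1
    fi
}
```

After creating `testuser` as in the message, `report_visibility testuser 10 1` shows whether the first lookup already succeeds; a result of more than one lookup means the account was not yet resolvable when it was first looked up.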
adrian sender
2006-May-19 16:33 UTC
[Samba] net rpc join fails the first time but succeeds the second
Your domain member is not configured correctly, you need it to be able to authenticate with ldap.

Should look something like this as per Chapter 7 Samba 3 by Example..

http://samba.org/samba/docs/man/Samba-Guide/unixclients.html#sdcsdmldap

Example 7.1. Samba Domain Member in Samba Domain Using LDAP smb.conf File

    # Global parameters
    [global]
    unix charset = LOCALE
    workgroup = MEGANET2
    security = DOMAIN
    username map = /etc/samba/smbusers
    log level = 10
    syslog = 0
    log file = /var/log/samba/%m
    max log size = 50
    smb ports = 139
    name resolve order = wins bcast hosts
    printcap name = CUPS
    wins server = 192.168.2.1
    ldap suffix = dc=abmas,dc=biz
    ldap machine suffix = ou=People
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    ldap admin dn = cn=Manager,dc=abmas,dc=biz
    idmap backend = ldap:ldap://lapdc.abmas.biz
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind trusted domains only = Yes
    printer admin = root
    printing = cups

Stick to the official docs, will save you days/years of time.

Adrian Sender.

From: Felipe Alfaro Solana <felipe.alfaro@gmail.com>
To: "Samba Mailing List" <samba@lists.samba.org>
Subject: [Samba] net rpc join fails the first time but succeeds the second
Sent: Friday, 19 May 2006 9:13:21 PM

Hi.

I'm having some trouble when trying to join a SAMBA machine, acting as a member server, to a NT-style domain server managed by a SAMBA PDC using an LDAP back-end. Both machines are running samba-3.0.10-1.4E.6 on Red Hat Enterprise Linux 4.1 Update 3 for AMD64.

When trying to add the member server to the domain, it fails with an error message. However, if I try to add it again, the operation succeeds.

The first try to add the member server fails with this error message:

    [root@member ~]# net rpc join CENTRAL -U Administrator%password
    [2006/05/19 13:01:08, 0] utils/net_rpc_join.c:net_rpc_join_newstyle(319)
    Error domain join verification (reused connection): NT_STATUS_ACCESS_DENIED

    Unable to join domain CENTRAL.

I can see the SAMBA machine account has been created:

    [root@pdc ~]# pdbedit -L
    Administrator:0:Domain Administrator
    member$:10001:Machine

Then, immediately, I try to add the member server, once again:

    [root@member ~]# net rpc join CENTRAL -U Administrator%password
    Joined domain CENTRAL.

Both, the member server and PDC are using nss_ldap. Thus:

    [root@member ~]# id Administrator
    uid=0(root) gid=0(root) groups=0(root)

The smb.conf for the PDC is:

    [global]

    # Store SAMBA data into an LDAP backend
    passdb backend = ldapsam:ldap://ldap/
    ldap admin dn = cn=Directory Manager
    ldap suffix = dc=central
    ldap user suffix = ou=People
    ldap machine suffix = ou=Computers
    ldap group suffix = ou=Groups

    # Scripts for managing users and computers
    add user script = /usr/sbin/luseradd -g "Domain Users" %u
    delete user script = /usr/sbin/luserdel -r %u
    add group script = /usr/sbin/lgroupadd %g
    delete group script = /usr/sbin/groupdel %g
    add user to group script = /usr/sbin/lgroupmod -A %u %g
    delete user from group script = /usr/sbin/lgroupmod -R %u %g
    add machine script = /usr/sbin/luseradd -g "Domain Computers" -c "Machine" -s /bin/false -d /dev/null -n -M "%u"

    workgroup = CENTRAL
    netbios name = NDS1
    server string = CENTRAL Samba Domain Controller

    load printers = no

    log file = /var/log/samba/%m.log

    security = user
    encrypt passwords = yes

    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

    os level = 35
    local master = yes
    domain master = yes
    preferred master = yes
    domain logons = yes
    logon path

    wins support = yes

The smb.conf for the member server is:

    [global]

    workgroup = CENTRAL
    server string = CENTRAL File Server
    netbios name = FS1
    log file = /var/log/samba/%m.log
    max log size = 50
    security = domain
    encrypt passwords = yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

Any ideas?
Thank you very much.