Morning,

I have three machines, two xp and one win2k, that join the
samba pdc fine. I have tried to join others to this same
samba pdc using the same accounts for authentication without
success. The xp machine first says the user does not exist,
I click ok and go back to the screen for the domain account
authorized to join the domain and press ok (or next) again
and this time the xp box says the user already exists.

I think something is having an issue with the machine$
accounts in ldap. I added a '-t 5' in smb.conf to the
smbldap-useradd command for adding a machine. I can tell
it takes longer before the first message (missing user)
is returned, but I still have the same final situation with
the xp box not being a part of the samba pdc.

Any ideas?
Mike

fedora core 5 with all patches

$ uname -a
Linux elo.company.com 2.6.17-1.2174_FC5smp #1 SMP Tue Aug 8 16:00:39 EDT 2006 i686 i686 i386 GNU/Linux

$ rpm -qa | grep samba
samba-client-3.0.23a-1.fc5.1
system-config-samba-1.2.34-1
samba-common-3.0.23a-1.fc5.1
samba-swat-3.0.23a-1.fc5.1
samba-3.0.23a-1.fc5.1

------------------------------------ /etc/samba/smb.conf

# Samba config file created using SWAT
# from 10.1.2.43 (10.1.2.43)
# Date: 2006/08/03 15:11:35

[global]
security = USER
client plaintext auth = Yes
client lanman auth = Yes
encrypt passwords = Yes
lanman auth = No
ntlm auth = Yes
password level = 0
guest account = nobody
#admin users = manager, root, mikee, jrc, bdhein
admin users =
hosts allow = 10.1.2., 10.1.3.
cups options = raw
wins support = yes
usershare allow guests = yes

workgroup = PWI
netbios aliases = loghost, mailhost, backuphost, ldaphost
server string = Samba Server (%h)
logon drive = P:
logon home = \\%N\%U
logon path = \\%N\%U\profile
logon script = /etc/samba/login.bat
ldap suffix = dc=company,dc=com
ldap admin dn = cn=manager,dc=company,dc=com
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap machine suffix = ou=machines
ldap ssl = off
ldapsam:trusted = Yes
ldap timeout = 15
utmp directory = /var/run
wtmp directory = /var/log
utmp = Yes

password server = ldaphost.company.com
passdb backend = ldapsam:ldap://ldaphost.company.com
ldap passwd sync = Yes
#unix password sync = Yes
#passwd program = /usr/sbin/smbldap-passwd %u
#passwd chat = "Changing * password*for*\nNew password*" %n\n "*Retype new password*" %n\n"
#passwd chat debug = Yes

os level = 66
preferred master = Yes
local master = Yes
domain master = Yes
domain logons = Yes
allow trusted domains = Yes
dns proxy = No

# log level = 255
# log level = 4
# log level = 3 ldap:10 passdb:10 auth:10 winbind:10
log level = 3
log file = /var/log/samba/%m.log
max log size = 500

socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536

#add user script = /usr/sbin/smbldap-useradd -m '%u'
add user script = /usr/sbin/smbldap-useradd -a -A 1 -B 1 -s /bin/bash -c "%u" -d /home/%u -C "\\\\%h\\%u" -D 'H:' -M "%u@company.com" %u
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%g' '%u'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%g' '%u'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
#add machine script = /usr/sbin/smbldap-useradd -w '%u'
#add machine script = /usr/sbin/smbldap-useradd -w -A 0 -B 0 -s /bin/false -c "%u machine account" -d /dev/null %u
add machine script = /usr/sbin/smbldap-useradd -w -i '%u' -t 5

[netlogon]
path = /etc/samba/netlogon
browseable = No
writable = Yes

[homes]
comment = Home Directories
read only = No
guest ok = No
browseable = No

[printers]
comment = All Printers
path = /usr/spool/samba
printable = Yes
browseable = No

[company]
comment = Company Corporate Files
path = /opt/company
create mask = 0765
browseable = Yes
printable = No

[Backups]
comment = Backup files are stored here
path = /opt/backups
browseable = Yes
printable = No

[Data]
comment = Storage for support and other data.
path = /opt/data
browseable = Yes
printable = No

[Cygwin]
comment = Company Cygwin Repositiory
path = /opt/cygwin
browseable = Yes
printable = No
guest ok = Yes
guest only = No
writeable = No
read only = Yes
------------------------------------ /etc/samba/smb.conf
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/18/2006 09:23 AM, Mike escreveu:
> Morning,
>
> I have three machines, two xp and one win2k, that join the
> samba pdc fine. I have tried to join others to this same
> samba pdc using the same accounts for authentication without
> success. The xp machine first says the user does not exist,
> I click ok and go back to the screen for the domain account
> authorized to join the domain and press ok (or next) again
> and this time the xp box says the user already exists.
>
> I think something is having an issue with the machine$
> accounts in ldap. I added a '-t 5' in smb.conf to the
> smbadd-useradd command for adding a machine. I could
> tell a longer time before the first messages (missing user)
> is returned, but I still have the same final situation with
> the xp box not being a part of the samba pdc.

Any chance that the "Sign or Seal" problem still exists?

> Any ideas?
> Mike

[...]

> ------------------------------------ /etc/samba/smb.conf
>
> # Samba config file created using SWAT
> # from 10.1.2.43 (10.1.2.43)
> # Date: 2006/08/03 15:11:35
>
> [global]
> security = USER
> client plaintext auth = Yes
> client lanman auth = Yes
> encrypt passwords = Yes
> lanman auth = No
> ntlm auth = Yes
> password level = 0
> guest account = nobody
> #admin users = manager, root, mikee, jrc, bdhein
> admin users =
> hosts allow = 10.1.2., 10.1.3.
> cups options = raw
> wins support = yes
> usershare allow guests = yes
>
> workgroup = PWI
> netbios aliases = loghost, mailhost, backuphost, ldaphost
> server string = Samba Server (%h)
> logon drive = P:
> logon home = \\%N\%U
> logon path = \\%N\%U\profile
> logon script = /etc/samba/login.bat
> ldap suffix = dc=company,dc=com
> ldap admin dn = cn=manager,dc=company,dc=com
> ldap user suffix = ou=people
> ldap group suffix = ou=groups
> ldap machine suffix = ou=machines
> ldap ssl = off
> ldapsam:trusted = Yes
> ldap timeout = 15
> utmp directory = /var/run
> wtmp directory = /var/log
> utmp = Yes
>
> password server = ldaphost.company.com
> passdb backend = ldapsam:ldap://ldaphost.company.com
> ldap passwd sync = Yes
> #unix password sync = Yes
> #passwd program = /usr/sbin/smbldap-passwd %u
> #passwd chat = "Changing * password*for*\nNew password*" %n\n "*Retype new password*" %n\n"
> #passwd chat debug = Yes
>
> os level = 66
> preferred master = Yes
> local master = Yes
> domain master = Yes
> domain logons = Yes
> allow trusted domains = Yes
> dns proxy = No
>
> # log level = 255
> # log level = 4
> # log level = 3 ldap:10 passdb:10 auth:10 winbind:10
> log level = 3
> log file = /var/log/samba/%m.log
> max log size = 500
>
> socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536
>
> #add user script = /usr/sbin/smbldap-useradd -m '%u'
> add user script = /usr/sbin/smbldap-useradd -a -A 1 -B 1 -s /bin/bash -c "%u" -d /home/%u -C "\\\\%h\\%u" -D 'H:' -M "%u@company.com" %u
> delete user script = /usr/sbin/smbldap-userdel %u
> add group script = /usr/sbin/smbldap-groupadd -p '%g'
> delete group script = /usr/sbin/smbldap-groupdel '%g'
> add user to group script = /usr/sbin/smbldap-groupmod -m '%g' '%u'
> delete user from group script = /usr/sbin/smbldap-groupmod -x '%g' '%u'
> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
> #add machine script = /usr/sbin/smbldap-useradd -w '%u'
> #add machine script = /usr/sbin/smbldap-useradd -w -A 0 -B 0 -s /bin/false -c "%u machine account" -d /dev/null %u
> add machine script = /usr/sbin/smbldap-useradd -w -i '%u' -t 5
>
> [netlogon]
> path = /etc/samba/netlogon
> browseable = No
> writable = Yes
>
> [homes]
> comment = Home Directories
> read only = No
> guest ok = No
> browseable = No
>
> [printers]
> comment = All Printers
> path = /usr/spool/samba
> printable = Yes
> browseable = No
>
> [company]
> comment = Company Corporate Files
> path = /opt/company
> create mask = 0765
> browseable = Yes
> printable = No
>
> [Backups]
> comment = Backup files are stored here
> path = /opt/backups
> browseable = Yes
> printable = No
>
> [Data]
> comment = Storage for support and other data.
> path = /opt/data
> browseable = Yes
> printable = No
>
> [Cygwin]
> comment = Company Cygwin Repositiory
> path = /opt/cygwin
> browseable = Yes
> printable = No
> guest ok = Yes
> guest only = No
> writeable = No
> read only = Yes
> ------------------------------------ /etc/samba/smb.conf
>

- --
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/ Phone: (+55 41 3350 3300)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQFFD+6JCj65ZxU4gPQRAtFGAJ41tQuXbHjubugQ8f4p/U30A7l+dQCgwo8W
hCqQWgEaJ/puJ/9qFje2T0k=
=YM5+
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ok, now let's try to first answer the mail and then send it. :)

On 09/18/2006 09:23 AM, Mike escreveu:
> Morning,
>
> I have three machines, two xp and one win2k, that join the
> samba pdc fine. I have tried to join others to this same
> samba pdc using the same accounts for authentication without
> success. The xp machine first says the user does not exist,
> I click ok and go back to the screen for the domain account
> authorized to join the domain and press ok (or next) again
> and this time the xp box says the user already exists.
>
> I think something is having an issue with the machine$
> accounts in ldap. I added a '-t 5' in smb.conf to the
> smbadd-useradd command for adding a machine. I could
> tell a longer time before the first messages (missing user)
> is returned, but I still have the same final situation with
> the xp box not being a part of the samba pdc.

Any chance that the "Sign or Seal" problem still exists?

> Any ideas?
> Mike

[...]

> ------------------------------------ /etc/samba/smb.conf
>
> # Samba config file created using SWAT
> # from 10.1.2.43 (10.1.2.43)
> # Date: 2006/08/03 15:11:35
>
> [global]
> security = USER
> client plaintext auth = Yes
> client lanman auth = Yes
> encrypt passwords = Yes
> lanman auth = No
> ntlm auth = Yes
> password level = 0
> guest account = nobody
> #admin users = manager, root, mikee, jrc, bdhein
> admin users =
> hosts allow = 10.1.2., 10.1.3.
> cups options = raw
> wins support = yes
> usershare allow guests = yes

[...]

> password server = ldaphost.company.com
> passdb backend = ldapsam:ldap://ldaphost.company.com

Hmmm, you should not use the 'password server' option when you are in
'security = user' mode. Even if it is the same server, you should not
set this option unless you want to use another password server in
'security = domain|ads|server'.

> ldap passwd sync = Yes
> #unix password sync = Yes
> #passwd program = /usr/sbin/smbldap-passwd %u
> #passwd chat = "Changing * password*for*\nNew password*" %n\n "*Retype new password*" %n\n"
> #passwd chat debug = Yes
>
> os level = 66
> preferred master = Yes
> local master = Yes
> domain master = Yes
> domain logons = Yes
> allow trusted domains = Yes
> dns proxy = No
>
> # log level = 255
> # log level = 4
> # log level = 3 ldap:10 passdb:10 auth:10 winbind:10
> log level = 3
> log file = /var/log/samba/%m.log
> max log size = 500
>
> socket options = IPTOS_LOWDELAY TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536
>
> #add user script = /usr/sbin/smbldap-useradd -m '%u'
> add user script = /usr/sbin/smbldap-useradd -a -A 1 -B 1 -s /bin/bash -c "%u" -d /home/%u -C "\\\\%h\\%u" -D 'H:' -M "%u@company.com" %u
> delete user script = /usr/sbin/smbldap-userdel %u
> add group script = /usr/sbin/smbldap-groupadd -p '%g'
> delete group script = /usr/sbin/smbldap-groupdel '%g'
> add user to group script = /usr/sbin/smbldap-groupmod -m '%g' '%u'
> delete user from group script = /usr/sbin/smbldap-groupmod -x '%g' '%u'
> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
> #add machine script = /usr/sbin/smbldap-useradd -w '%u'
> #add machine script = /usr/sbin/smbldap-useradd -w -A 0 -B 0 -s /bin/false -c "%u machine account" -d /dev/null %u
> add machine script = /usr/sbin/smbldap-useradd -w -i '%u' -t 5

Do you really need -i?

-i  Creates an interdomain trust account (machine Workstation).
    A password will be asked for the trust account.

- --
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/ Phone: (+55 41 3350 3300)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQFFD/DfCj65ZxU4gPQRAk5OAKDJ92myNvM77XuSBa4A0ppxUCSvXwCgnG3Y
vz4jEctYTqNlMEWSMwCHN+8=
=p+A+
-----END PGP SIGNATURE-----