John Drescher
2007-Jun-26 13:42 UTC
[Samba] Samba and LDAP: Trouble adding Win XP machines to the domain
I have had the same problem with a similar setup for at least 3 years. My solution is to create the account for the Windows workstation either via the smbldap-useradd and the Linux useradd commands or a GUI wizard that does this for me. I currently use ldap-account-manager (http://lam.sourceforge.net/) for this as well as for user management. And then, after the account is created, the Windows "add to domain" boxes work.

John
mikelOn
2007-Jun-26 16:56 UTC
[Samba] Samba and LDAP: Trouble adding Win XP machines to the domain
Hi all,

I am doing some research on Samba+OpenLDAP (+DHCP+DNS) with the intention of getting rid of the Micro$oft licenses necessary to maintain the Server products from such company. One of the aims I have is to demonstrate to other people in my company that an open source alternative can work as well as (or even better than) a proprietary solution.

At the moment, I am getting desperate trying to find out what is going wrong when I try to add a Win XP machine to the domain I have recently created.

I have read about 6-7 tutorials to date and changed the *.conf files a hundred times and still the Win XP machine refuses to join the domain. I have already searched the samba forums and checked the bugs present in the version I am using and I have found nothing related to my problem.

The technical details are the following:

When I attempt to join the domain via the GUI, Win tells me "username could not be found", and so it does when I try the same thing via CLI (the domain is called "eremu" and the user, password and machine name are OK):

8<--------------------------------------------------------------------------------------------

C:\>netdom /domain:eremu /user:root /password:SECRETPASS member mikelvm /joindomain
NetDom 1.8 @1997-98. Written by Christophe Robert - Microsoft.

Searching PDC for domain EREMU ...
Found PDC \\SAMBA
Connecting to \\SAMBA with user account root ...
Querying domain information on PDC \\SAMBA ...
Querying domain information on computer \\MIKELVM ...
Verifying if computer account exists on \\SAMBA ...
Connecting to \\SAMBA with user account root ...
Resetting secure channel ...
Changing computer account on PDC \\SAMBA ...
The username could not be found.

8<--------------------------------------------------------------------------------------------

Have you ever experienced such an error? I have read about some people that have dealt with such an error, but they have posted no solution at all.

FYI, I can access samba shares using the same user (root) but the machine cannot join the domain. I have fixed all the machine policies and registry stuff (requiresignorseal and so on...) and still nothing.

Also, the command:

ldapsearch -x -h localhost -D 'cn=root,dc=eremu,dc=org' -W '(ou=Users)'

works like a charm.

The smb.conf is the following:

8<--------------------------------------------------------------------------------------------

socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
netbios name = SAMBA
workgroup = EREMU
server string = Servidor centralizado
security = user
enable privileges = yes
interfaces = lo eth0
# bind interfaces = yes
encrypt passwords = yes
domain master = yes
preferred master = yes
null passwords = yes
hide unreadable = yes
hide dot files = yes
browseable = yes
domain logons = yes
logon script = login.bat OR %U.bat
logon path = \\%L\profiles\%U
logon drive = Z:
logon home = \\%L\%U\.9xprofile
time server = yes
printcap name = cups
printing = cups
show add printer wizard = no
wins support = yes
name resolve order = wins lmhosts host bcast
dns proxy = no
log file = /var/log/samba/log.%m
log level = 1
max log size = 10000
unix charset = ISO8859-1
dos charset = 850
# LDAP
add user script = /usr/sbin/smbldap-useradd -m "%u"
delete user script = /usr/sbin/smbldap-userdel -r "%u"
add group script = /usr/sbin/smbldap-groupadd "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
passdb backend = ldapsam:ldap://localhost:389/
ldap delete dn = Yes
ldap ssl = no
ldap suffix = dc=eremu,dc=org
ldap admin dn = cn=root,dc=eremu,dc=org
ldap group suffix = ou=Groups
ldap user suffix = ou=Users
ldap machine suffix = ou=Computers
ldap idmap suffix = ou=Idmap
ldap passwd sync = yes

[netlogon]
path = /var/lib/samba/netlogon
guest ok = Yes
browseable = no
write list = root

[profiles]
path = /var/lib/samba/profiles
writable = yes
browsable = no
create mode = 0644
directory mode = 0755
guest ok = yes

[homes]
path = /home/%U
browseable = no
valid users = %S
read only = no
create mask = 0664
directory mask = 0775

8<--------------------------------------------------------------------------------------------

The slapd.conf is the following:

8<--------------------------------------------------------------------------------------------

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema

password-hash {md5}

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
loglevel 1024

database bdb
suffix "dc=eremu,dc=org"
checkpoint 32 30 # <kbyte> <min>
rootdn "cn=root,dc=eremu,dc=org"
rootpw {MD5}HEREGOESTHEHASH
directory /var/lib/openldap-data

index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname eq,subinitial
index default eq
index phpgwContactOwner pres,eq,sub

access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by anonymous auth
    by * none

access to *
    by self write
    by * read

8<--------------------------------------------------------------------------------------------

The smbldap.conf is the following:

8<--------------------------------------------------------------------------------------------

# Put your own SID. To obtain this number do: "net getlocalsid".
# If not defined, parameter is taking from "net getlocalsid" return
SID="S-1-5-21-3696253194-4255541209-1824430252"

sambaDomain="eremu"

slaveLDAP="localhost"
slavePort="389"
masterLDAP="localhost"
masterPort="389"

ldapTLS="0"
verify="none"
hash_encrypt="MD5"

suffix="dc=eremu,dc=org"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=eremu,${suffix}"
scope="sub"

crypt_salt_format="%s"

userLoginShell="/bin/bash"
userHome="/home/%U"
userHomeDirectoryMode="700"
userGecos="System User"
defaultUserGid="513"
defaultComputerGid="515"
skeletonDir="/etc/skel"
defaultMaxPasswordAge="45"

userSmbHome="\\SAMBA\%U"
userProfile="\\SAMBA\profiles\%U"

userHomeDrive="Z:"

mailDomain="eremu.org"

with_smbpasswd="0"
smbpasswd="/usr/bin/smbpasswd"

with_slappasswd="0"
slappasswd="/usr/sbin/slappasswd"

8<--------------------------------------------------------------------------------------------

Should you need further details, please just let me know. Any help would be appreciated. Thanks a lot.

P.S.: Can it have anything to do with other stuff such as the DNS server?

--
View this message in context: http://www.nabble.com/Samba-and-LDAP%3A-Trouble-adding-Win-XP-machines-to-the-domain-tf3981091.html#a11301709
Sent from the Samba - General mailing list archive at Nabble.com.
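A worked check added here by the editor, not code from any post in this thread and not OpenLDAP code: a first-match simulator for the "access to" directives in the slapd.conf above. slapd uses the first "access to" clause whose target matches and never consults later ones, so the posted order (password attributes before the catch-all) is what keeps sambaNTPassword and sambaLMPassword unreadable; the constructed MISORDERED_ACLS block holds the same rules with the catch-all first, where "by * read" exposes the hashes. Only the "self", "anonymous", "users" and "*" subjects are modelled; the requester labels "anonymous", "self" and "other" are this example's own.

```python
"""First-match simulator for OpenLDAP slapd.conf 'access to' directives.

Added example for this thread; it models only the directive forms that
appear in the posted slapd.conf ('access to *', 'access to attrs=a,b' and
'by self|anonymous|users|* LEVEL').
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# The ACL block as posted in the thread's slapd.conf (reflowed, content unchanged).
POSTED_ACLS = """\
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by * read
"""

# Constructed counter-example: the same rules with the catch-all moved first.
MISORDERED_ACLS = """\
access to *
    by self write
    by * read
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by anonymous auth
    by * none
"""

# slapd access levels, weakest to strongest.
ACCESS_LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
PASSWORD_ATTRS = ("userPassword", "sambaLMPassword", "sambaNTPassword")


@dataclass
class Rule:
    attrs: Optional[Set[str]]                       # None means 'access to *'
    by: List[Tuple[str, str]] = field(default_factory=list)  # (who, level) in file order


def parse_acls(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("access to "):
            what = line[len("access to "):].strip()
            if what == "*":
                rules.append(Rule(None))
            elif what.startswith("attrs="):
                rules.append(Rule({a.strip() for a in what[len("attrs="):].split(",")}))
            else:
                raise ValueError(f"unsupported 'what' clause: {what}")
        elif line.startswith("by "):
            parts = line.split()
            if len(parts) != 3 or not rules:
                raise ValueError(f"unsupported 'by' clause: {line}")
            rules[-1].by.append((parts[1], parts[2]))
        else:
            raise ValueError(f"unrecognised line: {line}")
    return rules


def _who_matches(who: str, requester: str) -> bool:
    # requester: 'anonymous' (unbound), 'self' (bound as the entry's own DN),
    # or 'other' (bound as some other DN).
    if who == "*":
        return True
    if who == "anonymous":
        return requester == "anonymous"
    if who == "users":
        return requester != "anonymous"
    if who == "self":
        return requester == "self"
    raise ValueError(f"unsupported 'by' subject: {who}")


def effective_access(rules: List[Rule], attr: str, requester: str) -> str:
    """slapd picks the first 'access to' whose target matches, then the first
    matching 'by' inside it; later directives are never consulted, and a
    directive with no matching 'by' denies (implicit 'by * none')."""
    for rule in rules:
        if rule.attrs is not None and attr not in rule.attrs:
            continue
        for who, level in rule.by:
            if _who_matches(who, requester):
                return level
        return "none"
    return "none"  # nothing matched: slapd's default is deny


def shadowed_attrs(rules: List[Rule]) -> List[Tuple[int, str]]:
    """(rule index, attribute) pairs that an earlier directive already captures,
    i.e. dead entries whose 'by' clauses can never take effect."""
    seen: Set[str] = set()
    catch_all_seen = False
    dead: List[Tuple[int, str]] = []
    for i, rule in enumerate(rules):
        if rule.attrs is None:
            catch_all_seen = True
            continue
        for attr in sorted(rule.attrs):
            if catch_all_seen or attr in seen:
                dead.append((i, attr))
        seen |= rule.attrs
    return dead


def readable_by_outsiders(rules: List[Rule], attrs) -> List[str]:
    """Attributes that an anonymous or a non-self bound requester can read."""
    read_idx = ACCESS_LEVELS.index("read")
    return sorted(a for a in attrs
                  if any(ACCESS_LEVELS.index(effective_access(rules, a, r)) >= read_idx
                         for r in ("anonymous", "other")))


if __name__ == "__main__":
    for name, text in (("posted", POSTED_ACLS), ("misordered", MISORDERED_ACLS)):
        rules = parse_acls(text)
        print(name, "exposed:", readable_by_outsiders(rules, PASSWORD_ATTRS),
              "dead entries:", shadowed_attrs(rules))
```

On the posted configuration the simulator reports no password attribute readable by outsiders and one dead entry (userPassword in the second directive, already captured by the first); on the misordered variant all three hash attributes come back readable. Two things worth knowing when reading the catch-all: "*" includes anonymous binds, so with "by * read" every non-password attribute (sambaSID, sambaAcctFlags, uidNumber, ...) is readable without authenticating, and "by users read" is the form that limits that to bound DNs.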
mikelOn
2007-Jun-26 17:24 UTC
[Samba] Samba and LDAP: Trouble adding Win XP machines to the domain
Great!!!

I have created a couple of machine accounts through the LAM utility and I have eventually been able to join the domain.

Thank you very much for your help.
Asier Baranguán
2007-Jun-26 21:45 UTC
[Samba] Samba and LDAP: Trouble adding Win XP machines to the domain
On Tuesday, 26 June 2007 10:23, mikelOn wrote:

> add user script = /usr/sbin/smbldap-useradd -m "%u"

If your users are Windows users you should add an '-a' here, and add the users with the '-a' flag. Like this:

add user script = /usr/sbin/smbldap-useradd -m -a "%u"

> delete user script = /usr/sbin/smbldap-userdel -r "%u"
> add group script = /usr/sbin/smbldap-groupadd "%g"

You should add '-a -p' here:

add group script = /usr/sbin/smbldap-groupadd -m -a "%g"

> P.S.: Can it have anything to do with other stuff such as the DNS server?

Perhaps yes... I have a Samba server with OpenLDAP acting as a PDC and we use dnsmasq as our DNS server. It's small, fast and deals very well with Samba and Windows clients. We use it also as DHCP server so all the machines have the correct IP, DNS server, WINS server and so on.

One question... is the user "mikelvm" a regular UNIX user or one added with the smbldap-useradd tool?

--
Asier.
Edmundo Valle Neto
2007-Jun-26 23:15 UTC
[Samba] Samba and LDAP: Trouble adding Win XP machines to the domain
Just to make it clear: it's not normal that a system really needs to have accounts created that way. I don't think it is a good idea to call a workaround used on a system that someone didn't get working properly (who knows why) a solution; samba works very fine creating workstation accounts automatically when joining the clients and can even use accounts other than root through privileges to join the client.

The list has several posts about that and the samba documentation shows how to do that automatically and manually.

But anyway, if the user that asked simply said that it's fine for him that way, and dropped the thread ...

Regards.

Edmundo Valle Neto
mikelOn
2007-Jun-27 07:54 UTC
[Samba] Samba and LDAP: Trouble adding Win XP machines to the domain
Hi Edmundo,

I do agree with you. The first thing I wanted was to be able to add a machine to the domain and once I have been able to do so, I have been debugging to get to know why LAM was succeeding and the console scripts not.

Yesterday, I found out that when the windows machine is added through the console script, the uidNumber assigned is higher than 1000 (1001, 1002 and so on...) but when added through LAM it requested a number higher than 50000. I do not exactly know why, but if I create the machines via the console script (smbldap-useradd -w) the "username not found" message appears and the machine is assigned a number higher than 1000. If I then change such uidNumber to 5000x, the machine can then join the domain.

This morning I wanted to review the smbldap-useradd perl script to see if there is any place (config file or so) where I can indicate the base number I want for the machines.

Do I need to set that "base" uidNumber somewhere? Why must it be set to above 50000? Did you ever experience anything similar?

Thanks for your help.
mikelOn
2007-Jun-27 08:43 UTC
[Samba] Samba and LDAP: Trouble adding Win XP machines to the domain
Hi all,

I finally found where the problem is. The samba attributes are not being added when the workstation entry is created. The "sambaSamAccount" objectclass is missing.

Why is it not being added if it is supposed to be a windows workstation? Is there a bug in the "smbldap-useradd" script when invoked with the "-w" parameter?
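An added check for the symptom described in this post (editor's example, not code from the thread, from Samba or from the smbldap-tools): it parses an LDIF export of the computers container and reports, per machine entry, whether the posixAccount and sambaSamAccount objectClasses, a "$"-suffixed uid, a sambaSID under the domain SID and the "W" account flag are present. The two sample entries are constructed; the first mirrors the posted symptom (posix attributes only), the second is what a complete ldapsam machine account looks like. The domain SID is the one from the smbldap.conf posted earlier; the ou=Computers,dc=eremu,dc=org base and the second hostname ws02 are assumptions. Pointed at real output of `ldapsearch -x -LLL -b ou=Computers,dc=eremu,dc=org` it tells you whether samba's own step of the join (adding its attributes after the add machine script ran) ever happened, which is more specific than the Windows-side "username could not be found".

```python
"""Verify that machine (workstation) accounts in an LDIF export carry what
Samba's ldapsam backend expects. Added example for this thread; it assumes
an ldapsearch -LLL style export with single-line attribute values."""
from typing import Dict, List

DOMAIN_SID = "S-1-5-21-3696253194-4255541209-1824430252"  # SID from the posted smbldap.conf

# Constructed LDIF. The first entry mirrors the thread's symptom (posix only,
# sambaSamAccount missing); the second is a complete ldapsam machine account.
SAMPLE_LDIF = """\
dn: uid=mikelvm$,ou=Computers,dc=eremu,dc=org
objectClass: top
objectClass: account
objectClass: posixAccount
cn: mikelvm$
uid: mikelvm$
uidNumber: 1001
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false

dn: uid=ws02$,ou=Computers,dc=eremu,dc=org
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
cn: ws02$
uid: ws02$
uidNumber: 50002
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
sambaSID: S-1-5-21-3696253194-4255541209-1824430252-101004
sambaPrimaryGroupSID: S-1-5-21-3696253194-4255541209-1824430252-515
sambaAcctFlags: [W          ]
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: entries separated by blank lines, 'name: value'
    lines only (no base64 '::' values, no folded continuation lines)."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, sep, value = line.partition(": ")
        if not sep:
            raise ValueError(f"unsupported LDIF line: {line!r}")
        current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def check_machine_entry(entry: Dict[str, List[str]], domain_sid: str = DOMAIN_SID) -> List[str]:
    """Problems that leave the entry unusable as a machine trust account."""
    problems: List[str] = []
    uid = entry.get("uid", [""])[0]
    if not uid.endswith("$"):
        problems.append("uid must end with '$' for a machine trust account")
    classes = set(entry.get("objectClass", []))
    for needed in ("posixAccount", "sambaSamAccount"):
        if needed not in classes:
            problems.append(f"missing objectClass {needed}")
    if "sambaSamAccount" in classes:
        sid = entry.get("sambaSID", [""])[0]
        if not sid.startswith(domain_sid + "-"):
            problems.append("sambaSID does not belong to the configured domain SID")
        flags = entry.get("sambaAcctFlags", [""])[0]
        if "W" not in flags:
            problems.append("sambaAcctFlags lacks the 'W' (workstation) flag")
    return problems


def audit_ldif(text: str, domain_sid: str = DOMAIN_SID) -> Dict[str, List[str]]:
    """Map each entry's DN to its problem list (an empty list means OK)."""
    return {e["dn"][0]: check_machine_entry(e, domain_sid) for e in parse_ldif(text)}


if __name__ == "__main__":
    for dn, probs in audit_ldif(SAMPLE_LDIF).items():
        print(dn, "->", "OK" if not probs else "; ".join(probs))
```

On the constructed sample the first entry is reported with only "missing objectClass sambaSamAccount", which is exactly the state this post describes, while the second passes. A uid without the trailing "$" or a sambaSID from a different domain (for instance after the local SID was regenerated) is reported as well, since either also makes the PDC reject the workstation.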
Alex Crow
2007-Jun-27 08:50 UTC
[Samba] Samba and LDAP: Trouble adding Win XP machines to the domain
On Wed, 2007-06-27 at 01:42 -0700, mikelOn wrote:

> Hi all,
>
> I finally found where the problem is. The samba attributes are not being added when the workstation entry is created. The "sambaSamAccount" objectclass is missing.
>
> Why is it not being added if it is supposed to be a windows workstation? Is there a bug in the "smbldap-useradd" script when invoked with the "-w" parameter?

You need both "-a" and "-m" passed to smbldap-useradd for the samba attributes to be added, IMHO.

Alex
mikelOn
2007-Jun-27 09:12 UTC
[Samba] Samba and LDAP: Trouble adding Win XP machines to the domain
Hi Alex,

I don't think those modifiers would change anything but I have tried them anyway and the objectclass is still not being added.

Thanks for the suggestion.
Edmundo Valle Neto
2007-Jun-27 16:17 UTC
[Samba] Samba and LDAP: Trouble adding Win XP machines to the domain
mikelOn wrote:

> Hi Alex,
>
> I don't think those modifiers would change anything but I have tried them anyway and the objectclass is still not being added.
>
> Thanks for the suggestion.

Again, those scripts are used only by tools that create accounts through samba, like net or usrmgr; if you don't use them those lines will not be used.

About the samba attributes, when you add a machine account the script "add machine" must NOT ADD SAMBA ATTRIBUTES, only posix, samba does that alone. Refer to the idealx documentation (if you really want things to work properly, reading the documentation is not an option), it was already discussed here and the documentation explains how to configure that and how it should work.

http://sourceforge.net/docman/display_doc.php?docid=33543&group_id=166108

About knowing what is happening, put a log level 2 or 3 and try to join a machine. Look at the logs, it should say what exit the script gave and what samba tried to do.

Regards.

Edmundo Valle Neto
John Drescher
2007-Jun-27 16:43 UTC
[Samba] Samba and LDAP: Trouble adding Win XP machines to the domain
> About the samba attributes, when you add a machine account the script "add machine" must NOT ADD SAMBA ATTRIBUTES, only posix, samba does that alone. Refer to the idealx documentation (if you really want things to work properly, reading the documentation is not an option), it was already discussed here and the documentation explains how to configure that and how it should work.
>
> http://sourceforge.net/docman/display_doc.php?docid=33543&group_id=166108

Very strange, as it appears that it will only work for me if the sambaSAMAccount is there before having Windows join the domain via the Windows XP dialogs. This is what LAM is doing that the idealx scripts are not doing.

John
mikelOn
2007-Jun-27 16:45 UTC
[Samba] Samba and LDAP: Trouble adding Win XP machines to the domain
> About the samba attributes, when you add a machine account the script "add machine" must NOT ADD SAMBA ATTRIBUTES, only posix, samba does that alone. Refer to the idealx documentation (if you really want things to work properly, reading the documentation is not an option), it was already discussed here and the documentation explains how to configure that and how it should work.

I did set a debug level of 4 and what I saw was a NT_STATUS_NO_SUCH_USER (or something alike) but no more specific details. The machine account (posix) gets created automatically but the samba attributes are not added by samba.

> Again, those scripts are used only by tools that create accounts through samba, like net or usrmgr; if you don't use them those lines will not be used.

I think you are wrong, because the "add machine script" DOES get executed when adding a machine to a domain.

> http://sourceforge.net/docman/display_doc.php?docid=33543&group_id=166108
>
> About knowing what is happening, put a log level 2 or 3 and try to join a machine. Look at the logs, it should say what exit the script gave and what samba tried to do.

I have read the documentation you point out and many other tutorials and howtos but I find myself in the same situation I was in some days ago. I have even tried to install everything in three different linux distros and in one of them I have reinstalled everything from scratch three or four times. This is why I am trying alternate methods.

So, samba is not doing its job and it may be because I am missing something but I still do not know what it is. Anyway, I can post the samba log if you think it is helpful to find out the source of the error.

Thanks for the advice,

Mikel
simo
2007-Jun-27 17:17 UTC
[Samba] Samba and LDAP: Trouble adding Win XP machines to the domain
On Wed, 2007-06-27 at 09:45 -0700, mikelOn wrote:

> I did set a debug level of 4 and what I saw was a NT_STATUS_NO_SUCH_USER (or something alike) but no more specific details. The machine account (posix) gets created automatically but the samba attributes are not added by samba.

Look for nscd running; it may cache a negative response and samba never sees the created posix attributes in time to add the samba stuff.

Simo.

--
Simo Sorce
Samba Team GPL Compliance Officer
email: idra@samba.org
http://samba.org
mikelOn
2007-Jun-27 17:22 UTC
[Samba] Samba and LDAP: Trouble adding Win XP machines to the domain
I am not running nscd :(

Thanks for your response
Edmundo Valle Neto
2007-Jun-27 17:41 UTC
[Samba] Samba and LDAP: Trouble adding Win XP machines to the domain
What distro are you using?
How did you populate it?
I use Debian (it's a little different), but how did you configure NSS?
("getent passwd" shows your machine accounts?)
What user are you using to join? (if root, does "smbclient -L localhost
-Uroot" work on the shell to list the shares?)

Regards.

Edmundo Valle Neto

mikelOn wrote:
> I am not running nscd :(
>
> Thanks for your response
mikelOn
2007-Jun-27 17:57 UTC
[Samba] Samba and LDAP: Trouble adding Win XP machines to the domain
I am using debian etch for the testing but I have had the same problem with
gentoo 2007.0. I used smbldap-populate (the admin user is "root" so no
parameters at all) and I also tried with "-u 50000 and -g 50000" so that
user ids do not overlap.

Do I need anything else (nss) if I am not authenticating *nix clients?

getent passwd does not show the machine accounts, should they also be
there and not only in the ldap? I thought that was not necessary.

I use the root user to join the machines and the smb query you suggest
works properly. I can even list the samba shares from the windows machines.

Thanks again

Edmundo Valle Neto wrote:
> What distro are you using?
> How did you populate it?
> I use Debian (it's a little different), but how did you configure NSS?
> ("getent passwd" shows your machine accounts?)
> What user are you using to join? (if root, does "smbclient -L localhost
> -Uroot" work on the shell to list the shares?)
Edmundo Valle Neto
2007-Jun-27 18:25 UTC
[Samba] Samba and LDAP: Trouble adding Win XP machines to the domain
mikelOn wrote:
> I am using debian etch for the testing but I have had the same problem with
> gentoo 2007.0. I used smbldap-populate (the admin user is "root" so no
> parameters at all) and I also tried with "-u 50000 and -g 50000" so that
> user ids do not overlap.

Probably you didn't configure something in all the distros.
High ids are used principally in migrations when you don't want them to
clash with old ids (made who knows how).

> Do I need anything else (nss) if I am not authenticating *nix clients?
>
> getent passwd does not show the machine accounts, should they also be
> there and not only in the ldap? I thought that was not necessary.

Yes, you do need NSS working. I don't know where exactly it breaks when
you don't have it. If you don't want to use posix accounts with samba
simply give them a null shell (set the loginShell attribute to
/bin/false) and they will not be able to be used (if you haven't
configured PAM, I doubt that you can use them either). (If I remember right
smbldap-tools in debian already creates accounts with a null shell)

Samba has an option called "ldap:trusted = yes", but I don't know if NSS
is really NOT USED even if you do that in recent versions of samba.
Maybe the developers can answer that.

Anyway the system uses NSS to resolve posix account names. And samba
needs posix accounts to map samba accounts.

In debian you install and configure the package libnss-ldap and set it
to be used in /etc/nsswitch.conf.

You can test NSS with "getent passwd" and "getent group", your accounts
in ldap must be visible then.

Regards.

Edmundo Valle Neto

> I use the root user to join the machines and the smb query you suggest
> works properly. I can even list the samba shares from the windows machines.
>
> Thanks again
Edmundo Valle Neto
2007-Jun-27 18:30 UTC
[Samba] Samba and LDAP: Trouble adding Win XP machines to the domain
John Drescher wrote:
> Sorry if it is a bit of a pain that I am also answering this thread
> but I do experience the same problem...
>
>> There's a LOT of things that can go wrong when using LDAP as you can
>> populate and use it the way YOU want, but samba expects it in a
>> proper way.
>>
>> It's recommended that you populate it using smbldap-populate.
> Did not do that.

It's just recommended, not necessary. I think it's more error prone to do
that using ldif files (idealx scripts already do the initial population
for you, without problems). Of course, in a clean install.

>> You need to have the tools configured properly.
> Yes, according to the docs I have this correct.
>
>> You need to have a user that has rights to join machines, a root
>> account WITH samba attributes, or another user with proper privileges
>> assigned by hand.
> Yes. It does not matter whether I use root or a user with the correct
> privileges.

It would be easier just looking at the log errors.

>> Samba must know the password of the ldap administrator to be able to
>> change it.
>>
> Samba has that for me.
>
> John

Regards.

Edmundo Valle Neto
mikelOn
2007-Jun-27 18:31 UTC
[Samba] Samba and LDAP: Trouble adding Win XP machines to the domain
I will install nss tomorrow as soon as I get to work and I will give feedback
on the experience. I hope the problem is there!

Thank you very much

Edmundo Valle Neto wrote:
> Yes, you do need NSS working. I don't know where exactly it breaks when
> you don't have it.
>
> In debian you install and configure the package libnss-ldap and set it
> to be used in /etc/nsswitch.conf.
>
> You can test NSS with "getent passwd" and "getent group", your accounts
> in ldap must be visible then.
mikelOn
2007-Jun-27 18:50 UTC
[Samba] Samba and LDAP: Trouble adding Win XP machines to the domain
Regarding the "primary group of [root] not found" message, the sambaSID of
"Domain Admins" is the same as the sambaPrimaryGroupSID in "root". The user
root is inside the group "Users".

http://www.nabble.com/file/p11330386/ldap_view.gif

Hope it helps.

Thanks.
John Drescher
2007-Jul-11 13:30 UTC
[Samba] Samba and LDAP: Trouble adding Win XP machines to the domain
On 7/11/07, Mikel.Santos@idom.com <Mikel.Santos@idom.com> wrote:
> Yes, but I had to install nss which I thought was not necessary. After that
> samba got perfectly integrated (the "getent group" and "getent passwd"
> showed the samba users in the ldap apart from the system users). The
> packages are "libnss-ldap" for debian/ubuntu and "nss_ldap" for gentoo.
> After that, the users could join the domain perfectly and the samba
> attributes were added by samba itself (as it should be).
>
> If you need any further information or config files just let me know. Hope
> it helps.

Thanks for the info. I will have to try to track this down when I get time,
as I know this is not my problem: I have been using nss_ldap under gentoo
for 3 years and both getent commands work correctly.

John
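The pre-join checks that Edmundo's NSS advice and Mikel's confirmed fix amount to, as an added example that is not code from the thread or from the smbldap-tools project: it verifies that nsswitch.conf lists ldap for passwd and group, that the machine trust account is visible through getent with a null shell, and (Simo's hint) whether nscd is running. The workstation name "mikelvm" is from the thread; the nsswitch.conf and getent samples are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). The checks take their input as strings
# so they run offline against the constructed samples below; live_checks feeds
# them the real host data. "mikelvm" is the workstation name from the thread.

# check_nsswitch CONTENT DB: exit 0 if nsswitch.conf text CONTENT lists
# "ldap" as a source for database DB (passwd or group), 1 otherwise.
check_nsswitch() {
    printf '%s\n' "$1" | awk -v db="$2" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "ldap") found = 1 }
        END { exit (found ? 0 : 1) }'
}

# check_machine_account PASSWD NAME: exit 0 if the trust account NAME$ is in
# PASSWD (getent passwd format) with a null shell, 1 if it is missing,
# 2 if it is present but still has a real login shell.
check_machine_account() {
    printf '%s\n' "$1" | awk -F: -v name="$2" '
        $1 == (name "$") { found = 1; shell = $7 }
        END {
            if (!found) exit 1
            if (shell == "/bin/false" || shell == "/usr/sbin/nologin") exit 0
            exit 2
        }'
}

# live_checks NAME: run the checks on this host before trying the join.
live_checks() {
    nss=$(cat /etc/nsswitch.conf)
    check_nsswitch "$nss" passwd || echo "passwd: no ldap source in nsswitch.conf"
    check_nsswitch "$nss" group  || echo "group: no ldap source in nsswitch.conf"
    rc=0; check_machine_account "$(getent passwd)" "$1" || rc=$?
    [ "$rc" -eq 1 ] && echo "$1\$ is not visible through NSS (getent passwd)"
    [ "$rc" -eq 2 ] && echo "$1\$ has a login shell; set loginShell to /bin/false"
    # Simo's hint: a running nscd can cache the failed lookup of the new account.
    pgrep -x nscd >/dev/null 2>&1 && echo "nscd is running; it may cache negative lookups"
    return 0
}

# Constructed samples: Debian-style nsswitch.conf after libnss-ldap is set up,
# and getent passwd output in which the trust account is visible.
SAMPLE_NSSWITCH='passwd:         compat ldap
group:          compat ldap
hosts:          files dns'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
mikelvm$:x:50001:515:Computer:/dev/null:/bin/false'

# demo: offline run over the samples; exit 0 means all three checks pass.
demo() {
    check_nsswitch "$SAMPLE_NSSWITCH" passwd &&
    check_nsswitch "$SAMPLE_NSSWITCH" group &&
    check_machine_account "$SAMPLE_PASSWD" mikelvm
}
```

Run `live_checks mikelvm` on the PDC (as root, so getent can reach the LDAP accounts) before attempting the join from the workstation.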