samba - Oct 2007 - Unable to join domain in remote subnet...

Dear Help,

Here is my situation:
We have offices located in several areas around the country, all of which can
communicate with each other through VPNs we have established.  I have set up a
Samba domain in which the PDC is located here in our home office, and there are
BDCs for the same domain in each of the remote offices.

I have been able to successfully join machines here in our home office to the
domain through Windows, but am not having any luck when I try to join the domain
at one of the remote locations.  When I go through the manual process of joining
the domain on a Windows XP machine, I get a password prompt for the domain user
that can add the machine (so I know it's at least finding the BDC)... but
then
after I type in the username and password, I get the following error:
"The following error occurred attempting to join the domain
"ourdomain": The
specified domain either does not exist or could not be contacted."

I've searched Google for this error and have not found anything useful. 
I've
gone back through the Samba-HowTo on BDC configuration and have not yet found
anything.

Any help would be greatly appreciated!  -Matt

Here are my configuration files.  (Oh, and for whatever reason, even with a log
level of 5, whenever I attempt to join the machine to the domain, no log entry
is created).

For the PDC:
[global]
	netbios name = ds-pdc-1
	workgroup = OURDOMAIN
	server string = Samba PDC %v %h
	obey pam restrictions = Yes
	passdb backend = "ldapsam:ldaps://IP.HERE ldaps://IP.HERE"
	security = user
	log level = 3 
	log file = /var/log/samba/%m.log
	max log size = 5000 
	add machine script = /usr/sbin/smbldap-useradd -w -d /dev/null/ -g machine -c
'Machine Account for %u' -s /bin/false %u
	logon path = 
	logon home = 
	domain logons = Yes
	os level = 128
	preferred master = Yes
	domain master = Yes
	ldap admin dn = cn=admin,o=ORGANIZATION
	ldap group suffix = ou=Groups
	ldap idmap suffix = ou=IDMap
	ldap machine suffix = ou=Workstations
	ldap user suffix = 
	ldap filter = (cn=%u)
	ldap suffix = o=ORGANZIATION
	ldap passwd sync = No 
	unix password sync = Yes
	passwd program = /usr/sbin/smbldap-passwd -u %u
	passwd chat = *New*password* %n\n *Retype*new*password* %n\n
	idmap backend = "ldaps://IP.HERE ldaps://IP.HERE"
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	veto files = /.?*/
	dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
	wins support = Yes 
	encrypt passwords = Yes
	logon script = %U.bat

[netlogon]
	comment = Network Logon Service
	path = /var/lib/samba/netlogon
	write list = root
	browseable = No
	share modes = No

And here is a BDC -- located offsite:
[global]
	workgroup = OURDOMAIN
	server string = Samba BDC %v %h
	obey pam restrictions = Yes
	passdb backend = "ldapsam:ldaps://IP.HERE ldaps://IP.HERE"
	log level = 2 
	log file = /var/log/samba/%m.log
	max log size = 1000
	logon path = 
	logon home 	domain logons = Yes
	domain master = No
	preferred master = Yes
	ldap admin dn = cn=admin,o=ORGANIZATION
	ldap group suffix = ou=Groups
	ldap idmap suffix = ou=IDMap
	ldap machine suffix = ou=Workstations
	ldap suffix = o=ORGANIZATION
	ldap passwd sync = No
	unix password sync = Yes
	passwd program = /usr/sbin/smbldap-passwd -u %u
	passwd chat = *New*password* %n\n *retype*new*password* %n\n
	idmap backend = "ldaps://IP.HERE ldaps://IP.HERE"
	idmap uid = 10000-20000
	idmap gid = 10000-20000
	veto files = /.?*/
	dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
	wins server = IP.OF.PDC.HERE

[netlogon]
	comment = Network Logon Service
	path = /var/lib/samba/netlogon
	write list = root
	browseable = No
	share modes = No

The problem is caused by the client not having the address of the
domain controller.

On a windows client, you need to populate
%SYSTEM_ROOT%\system32\drivers\etc\lmhosts

use UPPERCASE names regardless of what the MS docs say.



On 10/10/2007, Matt Anderson <sokkerstud_11@hotmail.com>
wrote:
> Dear Help,
>
> Here is my situation:
> We have offices located in several areas around the country, all of which
can
> communicate with each other through VPNs we have established.  I have set
up a
> Samba domain in which the PDC is located here in our home office, and there
are
> BDCs for the same domain in each of the remote offices.
>
> I have been able to successfully join machines here in our home office to
the
> domain through Windows, but am not having any luck when I try to join the
domain
> at one of the remote locations.  When I go through the manual process of
joining
> the domain on a Windows XP machine, I get a password prompt for the domain
user
> that can add the machine (so I know it's at least finding the BDC)...
but then
> after I type in the username and password, I get the following error:
> "The following error occurred attempting to join the domain
"ourdomain": The
> specified domain either does not exist or could not be contacted."
>
> I've searched Google for this error and have not found anything useful.
I've
> gone back through the Samba-HowTo on BDC configuration and have not yet
found
> anything.
>
> Any help would be greatly appreciated!  -Matt
>
> Here are my configuration files.  (Oh, and for whatever reason, even with a
log
> level of 5, whenever I attempt to join the machine to the domain, no log
entry
> is created).
>
> For the PDC:
> [global]
>         netbios name = ds-pdc-1
>         workgroup = OURDOMAIN
>         server string = Samba PDC %v %h
>         obey pam restrictions = Yes
>         passdb backend = "ldapsam:ldaps://IP.HERE
ldaps://IP.HERE"
>         security = user
>         log level = 3
>         log file = /var/log/samba/%m.log
>         max log size = 5000
>         add machine script = /usr/sbin/smbldap-useradd -w -d /dev/null/ -g
machine -c
> 'Machine Account for %u' -s /bin/false %u
>         logon path >         logon home >         domain logons = Yes
>         os level = 128
>         preferred master = Yes
>         domain master = Yes
>         ldap admin dn = cn=admin,o=ORGANIZATION
>         ldap group suffix = ou=Groups
>         ldap idmap suffix = ou=IDMap
>         ldap machine suffix = ou=Workstations
>         ldap user suffix >         ldap filter = (cn=%u)
>         ldap suffix = o=ORGANZIATION
>         ldap passwd sync = No
>         unix password sync = Yes
>         passwd program = /usr/sbin/smbldap-passwd -u %u
>         passwd chat = *New*password* %n\n *Retype*new*password* %n\n
>         idmap backend = "ldaps://IP.HERE ldaps://IP.HERE"
>         idmap uid = 10000-20000
>         idmap gid = 10000-20000
>         veto files = /.?*/
>         dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
>         wins support = Yes
>         encrypt passwords = Yes
>         logon script = %U.bat
>
> [netlogon]
>         comment = Network Logon Service
>         path = /var/lib/samba/netlogon
>         write list = root
>         browseable = No
>         share modes = No
>
> And here is a BDC -- located offsite:
> [global]
>         workgroup = OURDOMAIN
>         server string = Samba BDC %v %h
>         obey pam restrictions = Yes
>         passdb backend = "ldapsam:ldaps://IP.HERE
ldaps://IP.HERE"
>         log level = 2
>         log file = /var/log/samba/%m.log
>         max log size = 1000
>         logon path >         logon home >         domain logons = Yes
>         domain master = No
>         preferred master = Yes
>         ldap admin dn = cn=admin,o=ORGANIZATION
>         ldap group suffix = ou=Groups
>         ldap idmap suffix = ou=IDMap
>         ldap machine suffix = ou=Workstations
>         ldap suffix = o=ORGANIZATION
>         ldap passwd sync = No
>         unix password sync = Yes
>         passwd program = /usr/sbin/smbldap-passwd -u %u
>         passwd chat = *New*password* %n\n *retype*new*password* %n\n
>         idmap backend = "ldaps://IP.HERE ldaps://IP.HERE"
>         idmap uid = 10000-20000
>         idmap gid = 10000-20000
>         veto files = /.?*/
>         dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd
>         wins server = IP.OF.PDC.HERE
>
> [netlogon]
>         comment = Network Logon Service
>         path = /var/lib/samba/netlogon
>         write list = root
>         browseable = No
>         share modes = No
>
>
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
>