Hi, guys,

I'm trying to create a PDC using Samba with an LDAP backend. According to all the guides I read, this should be fairly easy really, but I've done nothing else for the last week and it still doesn't work the way the manual says it should! As far as I can see, everything is set up and working correctly right up to the point when I try and join a machine to the domain.

I've posted some extracts of my config files, log files, errors and the versions of various things, below.

I pretty much exactly followed the "Making Happy Users" chapter of the Samba guide.
These are the steps I've gone through (in summary), starting with a clean build of linux on the server and WinXP on the client. It starts going wrong at step 8.
Oh, just for completeness, both the new domain controller and the windows PC are on their own, completely separate network, to ensure that the existing domain / windows clients can have no effect whatsoever.

1. Install samba and LDAP on the server, together with phpldapadmin.

2. Configure slapd and got the ldap server working, and configure phpldapadmin to let me connect and see what's going on, and create LDAP entries directly if needed. Also configured PAM and NSS.

3. Configure samba as a PDC with an LDAP backend. Set the LDAP manager password in samba. Got the SID.

5. Configured smbldap-tools, setting up the SID and LDAP details.

6. Created the linux groups for Domain Admins, Domain Users, Domain Guests and Domain Computers.

7. Started LDAP and did an smbldap-populate. This gave exactly the right response and a look at the ldap database proved it had created all the appropriate entries. Tested the ldap with "ldapsearch" and got the expected response. Also checked NSS with getent and got the right answers.

8. Added a user with smbldap-useradd then set the password for that user with smbldap-passwd. This worked fine.

9. Checked that the root UID is set to 0. It is.

10. Checked that the user account is being read properly using pdbedit -Lv. It is.

11. Started nmb, smb and winbind, and checked the logs to see if they are behaving. They are.

12. Tried to join the domain from the pdc (which is named "PDC") with "net rpc join -S PDC -U root%PASSWORD".

13. It fails. The message I get is:
    Creation of workstation account failed
    Unable to join domain LDAPTEST.

14. Tried to join a windows XP PC to the domain. It finds the domain controller ok, and then gives the error "The username could not be found" which, from what I've been able to find out, means that the PC account isn't being created properly on the domain.

What's *really* odd is that it seems to be creating the computer accounts correctly in the ldap (you can see that in the ldif export below). And yet, despite actually creating the account, it's insisting that it isn't.

I tried deleting the ldap entry for the computer, then creating it by hand (smbldap-adduser -w pdc$) and it works fine. But the client still insists that it's not joined the domain.

I *know* I'm typing the password correctly, and the log seems to bear this out. It simply doesn't work, and I've completely run out of steam trying to understand why. I'm presumably missing something significant (and probably very simple). Can anyone offer some pointers - or even the answer - before I quit computing and start driving trucks for a living... :)

Thanks,

Paul.


Software versions:
==================
Fedora linux 8 (fully patched as of 12 Feb), with samba 3.0.28, openldap 2.3.39-1.
Windows XP with SP2 and all current updates as of 12 Feb.

Error messages:
===============
In log.smb I get this when trying to join the domain:

[2008/02/15 17:21:44, 2] smbd/reply.c:reply_special(324)
  netbios connect: name1=PDC name2=PDC
[2008/02/15 17:21:44, 2] smbd/reply.c:reply_special(331)
  netbios connect: local=pdc remote=pdc, name type = 0
[2008/02/15 17:21:44, 2] lib/smbldap.c:smbldap_open_connection(786)
  smbldap_open_connection: connection opened
[2008/02/15 17:21:44, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
  get_md4pw: Workstation PDC$: no account in domain
[2008/02/15 17:21:44, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
  _net_auth2: failed to get machine password for account PDC$: NT_STATUS_ACCESS_DENIED
[2008/02/15 17:21:44, 2] smbd/reply.c:reply_special(324)
  netbios connect: name1=PDC name2=PDC
[2008/02/15 17:21:44, 2] smbd/reply.c:reply_special(331)
  netbios connect: local=pdc remote=pdc, name type = 0
[2008/02/15 17:21:44, 2] lib/smbldap.c:smbldap_open_connection(786)
  smbldap_open_connection: connection opened
[2008/02/15 17:21:44, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
  init_sam_from_ldap: Entry found for user: root
[2008/02/15 17:21:44, 2] passdb/pdb_ldap.c:init_group_from_ldap(2158)
  init_group_from_ldap: Entry found for group: 512
[2008/02/15 17:21:44, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
[2008/02/15 17:21:45, 0] passdb/pdb_interface.c:pdb_default_create_user(329)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w 'pdc$'' gave 9


Config file extracts:
=====================

slapd.conf
-----------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/samba.schema
...
access to attrs=userPassword
    by self write
    by * auth

access to attrs=shadowLastChange
    by self write
    by * read

access to *
    by * read
    by anonymous auth
...
database bdb
suffix "dc=vi-lab,dc=net"
rootdn "cn=Manager,dc=vi-lab,dc=net"
rootpw {SSHA}06qDkonA8hk6W6SSnRzWj0/pBcU3m0/P
directory /var/lib/ldap


LDIF of running database
----------------------------
dn: dc=vi-lab,dc=net
objectClass: dcObject
objectClass: organization
o: vi-lab
dc: vi-lab

dn: ou=Computers,dc=vi-lab,dc=net
objectClass: top
objectClass: organizationalUnit
ou: Computers

dn: uid=pdc$,ou=Computers,dc=vi-lab,dc=net
objectClass: top
objectClass: account
objectClass: posixAccount
cn: pdc$
uid: pdc$
uidNumber: 1005
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer

dn: ou=Groups,dc=vi-lab,dc=net
objectClass: top
objectClass: organizationalUnit
ou: Groups

dn: cn=Account Operators,ou=Groups,dc=vi-lab,dc=net
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: Account Operators
description: Netbios Domain Users to manipulate users accounts
sambaSID: S-1-5-32-548
sambaGroupType: 5
displayName: Account Operators

dn: cn=Administrators,ou=Groups,dc=vi-lab,dc=net
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer/sambaD
 omainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators

dn: cn=Backup Operators,ou=Groups,dc=vi-lab,dc=net
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
description: Netbios Domain Members can bypass file security to back up file
 s
sambaSID: S-1-5-32-551
sambaGroupType: 5
displayName: Backup Operators

dn: cn=Domain Admins,ou=Groups,dc=vi-lab,dc=net
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: root
description: Netbios Domain Administrators
sambaSID: S-1-5-21-314791047-4281314283-1819700115-512
sambaGroupType: 2
displayName: Domain Admins

dn: cn=Domain Computers,ou=Groups,dc=vi-lab,dc=net
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-314791047-4281314283-1819700115-515
sambaGroupType: 2
displayName: Domain Computers

dn: cn=Domain Guests,ou=Groups,dc=vi-lab,dc=net
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
description: Netbios Domain Guests Users
sambaSID: S-1-5-21-314791047-4281314283-1819700115-514
sambaGroupType: 2
displayName: Domain Guests

dn: cn=Domain Users,ou=Groups,dc=vi-lab,dc=net
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
description: Netbios Domain Users
sambaSID: S-1-5-21-314791047-4281314283-1819700115-513
sambaGroupType: 2
displayName: Domain Users

dn: cn=Print Operators,ou=Groups,dc=vi-lab,dc=net
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: Print Operators
description: Netbios Domain Print Operators
sambaSID: S-1-5-32-550
sambaGroupType: 5
displayName: Print Operators

dn: cn=Replicators,ou=Groups,dc=vi-lab,dc=net
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 5
displayName: Replicators

dn: sambaSID=S-1-5-32-545,ou=Groups,dc=vi-lab,dc=net
objectClass: sambaSidEntry
objectClass: sambaGroupMapping
sambaSID: S-1-5-32-545
sambaGroupType: 4
displayName: Users
gidNumber: 10000
sambaSIDList: S-1-5-21-314791047-4281314283-1819700115-513

dn: ou=Idmap,dc=vi-lab,dc=net
objectClass: top
objectClass: organizationalUnit
objectClass: sambaUnixIdPool
ou: Idmap
uidNumber: 10000
gidNumber: 10005

dn: ou=People,dc=vi-lab,dc=net
objectClass: top
objectClass: organizationalUnit
ou: People

dn: uid=furnesp,ou=People,dc=vi-lab,dc=net
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
cn: furnesp
sn: furnesp
givenName: furnesp
uid: furnesp
uidNumber: 1000
gidNumber: 513
homeDirectory: /home/furnesp
loginShell: /bin/bash
gecos: System User
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
displayName: furnesp
sambaSID: S-1-5-21-314791047-4281314283-1819700115-3000
sambaPrimaryGroupSID: S-1-5-21-314791047-4281314283-1819700115-513
sambaLogonScript: \export\netlogon\logon.bat
sambaProfilePath: \\%L\Profiles\furnesp
sambaHomePath: \\%L\furnesp
sambaHomeDrive: H:
sambaLMPassword: 6B7077BA8F8D8BD4AAD3B435B51404EE
sambaAcctFlags: [U]
sambaNTPassword: 15094F33692DB11DE3361C044289B84C
sambaPwdLastSet: 1203092614
sambaPwdMustChange: 1206980614
userPassword: {MD5}AYtqSZjKzvLjGzGaZCHV8g==
shadowLastChange: 13924
shadowMax: 45

dn: uid=nobody,ou=People,dc=vi-lab,dc=net
cn: nobody
sn: nobody
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 514
uid: nobody
uidNumber: 999
homeDirectory: /dev/null
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\%L\nobody
sambaHomeDrive: H:
sambaProfilePath: \\%L\Profiles\nobody
sambaPrimaryGroupSID: S-1-5-21-314791047-4281314283-1819700115-514
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [NUD ]
sambaSID: S-1-5-21-314791047-4281314283-1819700115-2998
loginShell: /bin/false

dn: uid=root,ou=People,dc=vi-lab,dc=net
cn: root
sn: root
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
uid: root
uidNumber: 0
homeDirectory: /home/root
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomePath: \\%L\root
sambaHomeDrive: H:
sambaProfilePath: \\%L\Profiles\root
sambaPrimaryGroupSID: S-1-5-21-314791047-4281314283-1819700115-512
sambaSID: S-1-5-21-314791047-4281314283-1819700115-1000
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaLMPassword: BE6C2CB6DCCAB6C81AA818381E4E281B
sambaAcctFlags: [U]
sambaNTPassword: 7681889A48EB666054D449D996329A26
sambaPwdLastSet: 1203092468
sambaPwdMustChange: 1206980468
userPassword: {MD5}cIDsCbTZptdIWyvi6lJS0w==
shadowLastChange: 13924
shadowMax: 45
gidNumber: 0

dn: sambaDomainName=LDAPTEST,dc=vi-lab,dc=net
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: LDAPTEST
sambaSID: S-1-5-21-314791047-4281314283-1819700115
gidNumber: 1000
sambaNextRid: 1000
sambaPwdHistoryLength: 0
sambaMinPwdAge: 0
sambaMaxPwdAge: -1
uidNumber: 1006


smb.conf
----------
workgroup = LDAPTEST
netbios name = PDC
...
passdb backend = ldapsam:ldap://localhost
enable privileges = Yes
username map = /etc/samba/smbusers
smb ports = 139
name resolve order = wins bcast hosts
...
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
...http://10.226.210.245
logon script = \export\netlogon\logon.bat
...
local master = yes
os level = 35
domain master = Yes
preferred master = Yes
domain logons = Yes
security = user
encrypt passwords = Yes
wins support = Yes
dns proxy = Yes
ldap suffix = dc=vi-lab,dc=net
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap admin dn = cn=Manager,dc=vi-lab,dc=net
ldap ssl = no
ldap passwd sync = Yes
idmap backend = ldap:ldap://localhost
idmap uid = 10000-20000
idmap gid = 10000-20000

[homes]
comment = Home Directories
valid users = %S
read only = No
browseable = No

[printers]
comment = SMB Print Spool
path = /var/spool/samba
guest ok = Yes
printable = Yes
browseable = No

[netlogon]
comment = Local general disk on %h
path = /export/netlogon
guest ok = Yes
locking = No
public = yes
writable = yes

[profiles]
comment = Profile Share
path = /export/profiles
read only = No
profile acls = Yes

[print$]
comment = Printer Drivers
path = /export/drivers
browseable = yes
guest ok = no
read only = yes
write list = root, furnesp


smbusers
-----------
# Unix_name = SMB_name1 SMB_name2 ...
root = administrator admin
nobody = guest pcguest smbguest


smbldap.conf
---------------
SID="S-1-5-21-314791047-4281314283-1819700115"
sambaDomain="LDAPTEST"
slaveLDAP="localhost"
slavePort="389"
masterLDAP="localhost"
masterPort="389"
ldapTLS="0"
...
suffix="dc=vi-lab,dc=org"
usersdn="ou=People,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=Idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=LDAPTEST,${suffix}"
scope="sub"
...
defaultUserGid="513"
defaultComputerGid="515"

---

Paul Furness BEng(Hons) MBCS
Systems Manager

MITSUBISHI ELECTRIC INFORMATION TECHNOLOGY CENTRE EUROPE B.V
VISUAL INFORMATION LABORATORY
20, Frederick Sanger Road
The Surrey Research Park
Guildford, Surrey GU2 7YD
UK Registered Branch BR 003158
DDI Telephone: +44 1483 885826
Tel: +44 1483 885800 Fax: +44 1483 579107
Adam Williams
2008-Feb-15 18:51 UTC
[Samba] Joining a Windows XP pc to Samba / LDAP domain
Seems like you have a machine account problem. So you're trying to join a computer named pdc$ to the domain called PDC? What is the output of

ldapsearch -D 'cn=Manager,dc=example,dc=com' -b "uid=pdc$,ou=People,dc=example,dc=com" -w xxxxxxxxxxx -x

I load my machine accounts by hand, here's an example file:

[root@gomer ~]# cat domain2\$.ldif
dn: uid=domain2$,ou=People,dc=example,dc=com
objectClass: posixAccount
objectClass: account
objectClass: top
uid: domain2$
uidNumber: 2003
gidNumber: 514
homeDirectory: /dev/null
cn: domain2$

and load it with

ldapadd -D "cn=Manager,dc=example,dc=com" -w xxxxxxxxxxxx -x -v -f domain2\$.ldif

Paul Furness wrote:
Andrea Lanza
2008-Feb-16 10:26 UTC
R: [Samba] Joining a Windows XP pc to Samba / LDAP domain
I tried exactly what you tried last week, and I was happy because everything worked. I followed a tutorial on SUSE, even though I am using version 10.3.

What I did differently was NOT to start winbind, NOT to create any groups in linux.

What I did wrong the first time, and what gave me the problems I posted about, was that I didn't issue the net getlocalsid command and used the tutorial's one... (no comment, please..) When I realized the error I had to go inside LDAP, using phpldapadmin, and manually modify the value.

I didn't need to create the Windows XP account. When I had to join it, I just gave the root/administrator password and everything was fine: the computer account was created in the LDAP, and I can log on to the domain with an account I created with smbldap-adduser.

Another thing: I created a new domain with a new LDAP backend. I thought you were doing the same. But what do you mean when you tried to join the domain from the PDC (point 12)? PDC is the PDC of that domain... You don't have to join it.

When creating an account with smbldap-adduser, I specify -a and -m (and not only -m as was suggested in the tutorial I followed).

HTH,
Andrea

P.S. the tutorial(s) I followed are:
References
http://en.opensuse.org/Howto_setup_SUSE_10.1_as_Samba_PDC
http://www.howtoforge.com/openldap-samba-domain-controller-ubuntu7.10

> -----Original Message-----
> From: samba-bounces+andrea.lanza=frameweb.it@lists.samba.org
> [mailto:samba-bounces+andrea.lanza=frameweb.it@lists.samba.org
> ] On behalf of Paul Furness
> Sent: Friday 15 February 2008 18.53
> To: Samba Mail List
> Subject: [Samba] Joining a Windows XP pc to Samba / LDAP domain
>
> Hi, guys,
>
> I'm trying to create a PDC using Samba with an LDAP backend.
> According to all the guides I read, this should be fairly
> easy really, but I've done nothing else for the last week and
> it still doesn't work the way the manual says it should! As
> far as I can see, everything is set up and working correctly
> right up to the point when I try and join a machine to the domain.
>
> I've posted some extracts of my config files, log files,
> errors and the versions of various things, below.
>
> I pretty much exactly followed the "Making Happy Users"
> chapter of the Samba guide.
> These are the steps I've gone through (in summary), starting
> with a clean build of linux on the server and WinXP on the
> client. It starts going wrong at step 8.
> Oh just for completeness, both the new domain controller and
> the windows PC are on their own, completely separate network,
> to ensure that the existing domain / windows clients can have
> no effect whatsoever.
>
> 1. Install samba and LDAP on the server, together with phpldapadmin.
>
> 2. Configure slapd and got the ldap server working, and
> configure phpldapadmin to let me connect and see what's going
> on, and create LDAP entries directly if needed. Also
> configured PAM and NSS.
>
> 3. Configure samba as a PDC with an LDAP backend. Set the
> LDAP manager password in samba. Got the SID.
>
> 5. Configured smbldap-tools, setting up the SID and LDAP details.
>
> 6. Created the linux groups for Domain Admins, Domain Users,
> Domain Guests and Domain Computers.
>
> 7. Started LDAP and did an smbldap-populate. This gave
> exactly the right response and a look at the ldap database
> proved it had created all the appropriate entries. Tested the
> ldap with "ldapsearch" and got the expected response. Also
> checked NSS with getent and got the right answers.
>
> 8. Added a user with smbldap-useradd then set the password
> for that user with smbldap-passwd. This worked fine.
>
> 9. Checked that the root UID is set to 0. It is.
>
> 10. Checked that the user account is being read properly
> using pdbedit -Lv. It is.
>
> 11. start nmb, smb and winbind, and checked the logs to see
> if they are behaving. They are.
>
> 12. Tried to join the domain from the pdc (which is named
> "PDC") with "net rpc join -S PDC -U root%PASSWORD
>
> 13. It fails. The message I get is:
> Creation of workstation account failed
> Unable to join domain LDAPTEST.
>
> 14. Tried to join a windows XP PC to the domain. It finds the
> domain controller ok, and then gives the error "The username
> could not be found" which, from what I've been able to find
> out, means that the PC account isn't being created properly
> on the domain.
>
>
> What's *really* odd is that it seems to be creating the
> computer accounts correctly in the ldap (you can see that in
> the ldif export below). And yet, despite actually creating
> the account, it's insisting that it isn't.
>
> I tried deleting the ldap entry for the computer, then
> creating it by hand (smbldap-adduser -w pdc$) and it works
> fine. But the client still insists that it's not joined the domain.
>
> I *know* I'm typing the password correctly, and the log seems
> to bear this out. It simply doesn't work, and I've completely
> run out of steam trying to understand why. I'm presumably
> missing something significant (and probably very simple). Can
> anyone offer some pointers - or even the
> answer- before I quit computing and start driving trucks for
> a living... :)
>
> Thanks,
>
> Paul.
>
>
> Software versions:
> ============
> Fedora linux 8 (fully patched as of 12 Feb), with samba
> 3.0.28, openldap 2.3.39-1.
> Windows XP with SP2 and all current updates as of 12 Feb.
>
> Error messages:
> ==========
> in log.smb I get this when trying to join the domain:
>
> [2008/02/15 17:21:44, 2] smbd/reply.c:reply_special(324)
> netbios connect: name1=PDC name2=PDC
> [2008/02/15 17:21:44, 2] smbd/reply.c:reply_special(331)
> netbios connect: local=pdc remote=pdc, name type = 0
> [2008/02/15 17:21:44, 2] lib/smbldap.c:smbldap_open_connection(786)
> smbldap_open_connection: connection opened
> [2008/02/15 17:21:44, 0] rpc_server/srv_netlog_nt.c:get_md4pw(242)
> get_md4pw: Workstation PDC$: no account in domain
> [2008/02/15 17:21:44, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
> _net_auth2: failed to get machine password for account PDC$:
> NT_STATUS_ACCESS_DENIED
> [2008/02/15 17:21:44, 2] smbd/reply.c:reply_special(324)
> netbios connect: name1=PDC name2=PDC
> [2008/02/15 17:21:44, 2] smbd/reply.c:reply_special(331)
> netbios connect: local=pdc remote=pdc, name type = 0
> [2008/02/15 17:21:44, 2] lib/smbldap.c:smbldap_open_connection(786)
> smbldap_open_connection: connection opened
> [2008/02/15 17:21:44, 2] passdb/pdb_ldap.c:init_sam_from_ldap(545)
> init_sam_from_ldap: Entry found for user: root
> [2008/02/15 17:21:44, 2] passdb/pdb_ldap.c:init_group_from_ldap(2158)
> init_group_from_ldap: Entry found for group: 512
> [2008/02/15 17:21:44, 2] auth/auth.c:check_ntlm_password(309)
> check_ntlm_password: authentication for user [root] ->
> [root] -> [root] succeeded
> [2008/02/15 17:21:45, 0]
> passdb/pdb_interface.c:pdb_default_create_user(329)
> _samr_create_user: Running the command
> `/usr/sbin/smbldap-useradd -w 'pdc$'' gave 9
>
>
> Config file extracts:
> =============
>
> slapd.conf
> -----------
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/samba.schema
> ...
> access to attrs=userPassword
> by self write
> by * auth
>
> access to attrs=shadowLastChange
> by self write
> by * read
>
> access to *
> by * read
> by anonymous auth
> ...
> database bdb
> suffix "dc=vi-lab,dc=net"
> rootdn "cn=Manager,dc=vi-lab,dc=net"
> rootpw {SSHA}06qDkonA8hk6W6SSnRzWj0/pBcU3m0/P
> directory /var/lib/ldap
>
>
> LDIF of running database
> ----------------------------
> dn: dc=vi-lab,dc=net
>
> objectClass: dcObject
> objectClass: organization
> o: vi-lab
> dc: vi-lab
>
> dn: ou=Computers,dc=vi-lab,dc=net
> objectClass: top
> objectClass: organizationalUnit
> ou: Computers
>
> dn: uid=pdc$,ou=Computers,dc=vi-lab,dc=net
> objectClass: top
> objectClass: account
> objectClass: posixAccount
> cn: pdc$
> uid: pdc$
> uidNumber: 1005
> gidNumber: 515
> homeDirectory: /dev/null
> loginShell: /bin/false
> description: Computer
> gecos: Computer
>
> dn: ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: organizationalUnit
> ou: Groups
>
> dn: cn=Account Operators,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 548
> cn: Account Operators
> description: Netbios Domain Users to manipulate users accounts
> sambaSID: S-1-5-32-548
> sambaGroupType: 5
> displayName: Account Operators
>
> dn: cn=Administrators,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 544
> cn: Administrators
> description: Netbios Domain Members can fully administer the
> computer/sambaD omainName
> sambaSID: S-1-5-32-544
> sambaGroupType: 5
> displayName: Administrators
>
> dn: cn=Backup Operators,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 551
> cn: Backup Operators
> description: Netbios Domain Members can bypass file security
> to back up file s
> sambaSID: S-1-5-32-551
> sambaGroupType: 5
> displayName: Backup Operators
>
> dn: cn=Domain Admins,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 512
> cn: Domain Admins
> memberUid: root
> description: Netbios Domain Administrators
> sambaSID: S-1-5-21-314791047-4281314283-1819700115-512
> sambaGroupType: 2
> displayName: Domain Admins
>
> dn: cn=Domain Computers,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 515
> cn: Domain Computers
> description: Netbios Domain Computers accounts
> sambaSID: S-1-5-21-314791047-4281314283-1819700115-515
> sambaGroupType: 2
> displayName: Domain Computers
>
> dn: cn=Domain Guests,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 514
> cn: Domain Guests
> description: Netbios Domain Guests Users
> sambaSID: S-1-5-21-314791047-4281314283-1819700115-514
> sambaGroupType: 2
> displayName: Domain Guests
>
> dn: cn=Domain Users,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 513
> cn: Domain Users
> description: Netbios Domain Users
> sambaSID: S-1-5-21-314791047-4281314283-1819700115-513
> sambaGroupType: 2
> displayName: Domain Users
>
> dn: cn=Print Operators,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 550
> cn: Print Operators
> description: Netbios Domain Print Operators
> sambaSID: S-1-5-32-550
> sambaGroupType: 5
> displayName: Print Operators
>
> dn: cn=Replicators,ou=Groups,dc=vi-lab,dc=net
> objectClass: top
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> gidNumber: 552
> cn: Replicators
> description: Netbios Domain Supports file replication in a
> sambaDomainName
> sambaSID: S-1-5-32-552
> sambaGroupType: 5
> displayName: Replicators
>
> dn: sambaSID=S-1-5-32-545,ou=Groups,dc=vi-lab,dc=net
> objectClass: sambaSidEntry
> objectClass: sambaGroupMapping
> sambaSID: S-1-5-32-545
> sambaGroupType: 4
> displayName: Users
> gidNumber: 10000
> sambaSIDList: S-1-5-21-314791047-4281314283-1819700115-513
>
> dn: ou=Idmap,dc=vi-lab,dc=net
> objectClass: top
> objectClass: organizationalUnit
> objectClass: sambaUnixIdPool
> ou: Idmap
> uidNumber: 10000
> gidNumber: 10005
>
> dn: ou=People,dc=vi-lab,dc=net
> objectClass: top
> objectClass: organizationalUnit
> ou: People
>
> dn: uid=furnesp,ou=People,dc=vi-lab,dc=net
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: shadowAccount
> objectClass: sambaSamAccount
> cn: furnesp
> sn: furnesp
> givenName: furnesp
> uid: furnesp
> uidNumber: 1000
> gidNumber: 513
> homeDirectory: /home/furnesp
> loginShell: /bin/bash
> gecos: System User
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> displayName: furnesp
> sambaSID: S-1-5-21-314791047-4281314283-1819700115-3000
> sambaPrimaryGroupSID: S-1-5-21-314791047-4281314283-1819700115-513
> sambaLogonScript: \export\netlogon\logon.bat
> sambaProfilePath: \\%L\Profiles\furnesp
> sambaHomePath: \\%L\furnesp
> sambaHomeDrive: H:
> sambaLMPassword: 6B7077BA8F8D8BD4AAD3B435B51404EE
> sambaAcctFlags: [U]
> sambaNTPassword: 15094F33692DB11DE3361C044289B84C
> sambaPwdLastSet: 1203092614
> sambaPwdMustChange: 1206980614
> userPassword: {MD5}AYtqSZjKzvLjGzGaZCHV8g=
> shadowLastChange: 13924
> shadowMax: 45
>
> dn: uid=nobody,ou=People,dc=vi-lab,dc=net
> cn: nobody
> sn: nobody
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: sambaSamAccount
> objectClass: posixAccount
> objectClass: shadowAccount
> gidNumber: 514
> uid: nobody
> uidNumber: 999
> homeDirectory: /dev/null
> sambaPwdLastSet: 0
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaPwdMustChange: 2147483647
> sambaHomePath: \\%L\nobody
> sambaHomeDrive: H:
> sambaProfilePath: \\%L\Profiles\nobody
> sambaPrimaryGroupSID: S-1-5-21-314791047-4281314283-1819700115-514
> sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
> sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
> sambaAcctFlags: [NUD ]
> sambaSID: S-1-5-21-314791047-4281314283-1819700115-2998
> loginShell: /bin/false
>
> dn: uid=root,ou=People,dc=vi-lab,dc=net
> cn: root
> sn: root
> objectClass: top
> objectClass: person
> objectClass: organizationalPerson
> objectClass: inetOrgPerson
> objectClass: sambaSamAccount
> objectClass: posixAccount
> objectClass: shadowAccount
> uid: root
> uidNumber: 0
> homeDirectory: /home/root
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaHomePath: \\%L\root
> sambaHomeDrive: H:
> sambaProfilePath: \\%L\Profiles\root
> sambaPrimaryGroupSID: S-1-5-21-314791047-4281314283-1819700115-512
> sambaSID: S-1-5-21-314791047-4281314283-1819700115-1000
> loginShell: /bin/false
> gecos: Netbios Domain Administrator
> sambaLMPassword: BE6C2CB6DCCAB6C81AA818381E4E281B
> sambaAcctFlags: [U]
> sambaNTPassword: 7681889A48EB666054D449D996329A26
> sambaPwdLastSet: 1203092468
> sambaPwdMustChange: 1206980468
> userPassword: {MD5}cIDsCbTZptdIWyvi6lJS0w=
> shadowLastChange: 13924
> shadowMax: 45
> gidNumber: 0
>
> dn: sambaDomainName=LDAPTEST,dc=vi-lab,dc=net
> objectClass: top
> objectClass: sambaDomain
> objectClass: sambaUnixIdPool
> sambaDomainName: LDAPTEST
> sambaSID: S-1-5-21-314791047-4281314283-1819700115
> gidNumber: 1000
> sambaNextRid: 1000
> sambaPwdHistoryLength: 0
> sambaMinPwdAge: 0
> sambaMaxPwdAge: -1
> uidNumber: 1006
>
>
> smb.conf
> ----------
> workgroup = LDAPTEST
> netbios name = PDC
> ...
> passdb backend = ldapsam:ldap://localhost
> enable privileges = Yes
> username map = /etc/samba/smbusers
> smb ports = 139
> name resolve order = wins bcast hosts
> ...
> add user script = /usr/sbin/smbldap-useradd -m '%u'
> delete user script = /usr/sbin/smbldap-userdel %u
> add group script = /usr/sbin/smbldap-groupadd -p '%g'
> delete group script = /usr/sbin/smbldap-groupdel '%g'
> add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
> delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
> set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
> add machine script = /usr/sbin/smbldap-useradd -w '%u'
> ...http://10.226.210.245
> logon script = \export\netlogon\logon.bat
> ...
> local master = yes
> os level = 35
> domain master = Yes
> preferred master = Yes
> domain logons = Yes
> security = user
> encrypt passwords = Yes
> wins support = Yes
> dns proxy = Yes
> ldap suffix = dc=vi-lab,dc=net
> ldap machine suffix = ou=Computers
> ldap user suffix = ou=People
> ldap group suffix = ou=Groups
> ldap idmap suffix = ou=Idmap
> ldap admin dn = cn=Manager,dc=vi-lab,dc=net
> ldap ssl = no
> ldap passwd sync = Yes
> idmap backend = ldap:ldap://localhost
> idmap uid = 10000-20000
> idmap gid = 10000-20000
>
> [homes]
> comment = Home Directories
> valid users = %S
> read only = No
> browseable = No
>
> [printers]
> comment = SMB Print Spool
> path = /var/spool/samba
> guest ok = Yes
> printable = Yes
> browseable = No
>
> [netlogon]
> comment = Local general disk on %h
> path = /export/netlogon
> guest ok = Yes
> locking = No
> public = yes
> writable = yes
>
> [profiles]
> comment = Profile Share
> path = /export/profiles
> read only = No
> profile acls = Yes
>
> [print$]
> comment = Printer Drivers
> path = /export/drivers
> browseable = yes
> guest ok = no
> read only = yes
> write list = root, furnesp
>
>
> smbusers
> -----------
> # Unix_name = SMB_name1 SMB_name2 ...
> root = administrator admin
> nobody = guest pcguest smbguest
>
> smbldap.conf
> ---------------
> SID="S-1-5-21-314791047-4281314283-1819700115"
> sambaDomain="LDAPTEST"
> slaveLDAP="localhost"
> slavePort="389"
> masterLDAP="localhost"
> masterPort="389"
> ldapTLS="0"
> ...
>
> suffix="dc=vi-lab,dc=org"
> usersdn="ou=People,${suffix}"
> computersdn="ou=Computers,${suffix}"
> groupsdn="ou=Groups,${suffix}"
> idmapdn="ou=Idmap,${suffix}"
> sambaUnixIdPooldn="sambaDomainName=LDAPTEST,${suffix}"
> scope="sub"
> ...
> defaultUserGid="513"
> defaultComputerGid="515"
>
>
>
> ---
>
> Paul Furness BEng(Hons) MBCS
> Systems Manager
>
> MITSUBISHI ELECTRIC INFORMATION TECHNOLOGY CENTRE EUROPE B.V
> VISUAL INFORMATION LABORATORY
> 20, Frederick Sanger Road
> The Surrey Research Park
> Guildford, Surrey GU2 7YD
> UK Registered Branch BR 003158
> DDI Telephone: +44 1483 885826
> Tel: +44 1483 885800 Fax: +44 1483 579107
>
>
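Andrea's remark about `net getlocalsid` and the quoted configuration extracts both turn on the same point: in a Samba 3 ldapsam setup the domain SID and the directory suffix live in three places (smb.conf, smbldap.conf, and the LDAP tree itself), and a join only succeeds when all three agree and the machine entry is one Samba can actually see. The checker below is an added example, not code from the Samba project, smbldap-tools or either poster. It parses saved copies of the three sources offline and reports disagreements; the sample inputs are constructed from the values quoted in the thread (note the `dc=vi-lab,dc=org` suffix in smbldap.conf against `dc=vi-lab,dc=net` everywhere else, and the `pdc$` entry that carries only `account`/`posixAccount`), and `LOCAL_SID` stands in for whatever `net getlocalsid` prints on the PDC, so the script never executes anything itself.

```python
import re

# Added example (not Samba or smbldap-tools code): cross-check smb.conf,
# smbldap.conf and an LDIF dump for the mismatches that break domain joins.


def parse_smb_conf(text):
    """[global] parameters as {name: value}, names lowercased/space-normalised."""
    params, section = {}, "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params


def parse_smbldap_conf(text):
    """smbldap.conf as {KEY: value}, expanding ${name} against earlier keys."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            params[key.strip()] = re.sub(r"\$\{(\w+)\}",
                                         lambda m: params.get(m.group(1), ""),
                                         value.strip().strip('"'))
    return params


def parse_ldif(text):
    """One {attribute: [values]} dict per blank-line-separated LDIF entry
    (plain 'attr: value' lines; base64 '::' values are left undecoded)."""
    entries, current = [], {}
    for raw in text.splitlines() + [""]:
        if not raw.strip():
            if current:
                entries.append(current)
            current = {}
        else:
            attr, _, value = raw.partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
    return entries


def check_pdc_consistency(smb, smbldap, entries, local_sid):
    """Findings list (empty = consistent). local_sid is the value 'net getlocalsid'
    prints on the PDC, passed in so the check runs offline against saved files."""
    findings = []
    # 1. smbldap-tools must write into the same tree Samba reads from.
    smb_suffix = smb.get("ldap suffix", "").lower()
    tool_suffix = smbldap.get("suffix", "").lower()
    if smb_suffix != tool_suffix:
        findings.append(f"suffix mismatch: smb.conf ldap suffix={smb_suffix}, "
                        f"smbldap.conf suffix={tool_suffix}")
    # 2. One domain SID everywhere: smbldap.conf, the sambaDomain entry, secrets.tdb.
    domain = smb.get("workgroup", "")
    dom = [e for e in entries if e.get("sambaDomainName", [""])[0] == domain]
    if not dom:
        findings.append(f"no sambaDomain entry for workgroup {domain}")
    else:
        ldap_sid = dom[0].get("sambaSID", [""])[0]
        for label, sid in (("smbldap.conf SID", smbldap.get("SID", "")),
                           ("net getlocalsid", local_sid)):
            if sid != ldap_sid:
                findings.append(f"SID mismatch: {label}={sid}, sambaDomain entry={ldap_sid}")
    # 3. Machine accounts (uid ending in '$') need objectClass sambaSamAccount:
    #    ldapsam searches on that class, so a bare posixAccount entry is present
    #    in the directory yet invisible to Samba ("no account in domain").
    for e in entries:
        uid = e.get("uid", [""])[0]
        if uid.endswith("$") and "sambaSamAccount" not in e.get("objectClass", []):
            findings.append(f"machine account {uid} ({e.get('dn', ['?'])[0]}) "
                            "lacks objectClass sambaSamAccount")
    return findings


# Constructed sample inputs, cut down to the values quoted in the thread.
SMB_CONF = """workgroup = LDAPTEST
netbios name = PDC
passdb backend = ldapsam:ldap://localhost
ldap suffix = dc=vi-lab,dc=net
ldap machine suffix = ou=Computers
[homes]
comment = Home Directories
"""
SMBLDAP_CONF = """SID="S-1-5-21-314791047-4281314283-1819700115"
sambaDomain="LDAPTEST"
suffix="dc=vi-lab,dc=org"
computersdn="ou=Computers,${suffix}"
"""
LDIF = """dn: uid=pdc$,ou=Computers,dc=vi-lab,dc=net
objectClass: top
objectClass: account
objectClass: posixAccount
uid: pdc$
gidNumber: 515

dn: sambaDomainName=LDAPTEST,dc=vi-lab,dc=net
objectClass: sambaDomain
sambaDomainName: LDAPTEST
sambaSID: S-1-5-21-314791047-4281314283-1819700115
"""
LOCAL_SID = "S-1-5-21-314791047-4281314283-1819700115"  # stand-in for 'net getlocalsid' output


def run_checks(local_sid=LOCAL_SID):
    return check_pdc_consistency(parse_smb_conf(SMB_CONF), parse_smbldap_conf(SMBLDAP_CONF),
                                 parse_ldif(LDIF), local_sid)
```

On a real PDC you would feed `run_checks` the actual files (`/etc/samba/smb.conf`, `/etc/smbldap-tools/smbldap.conf`, the output of `slapcat`) and the SID from `net getlocalsid`; against the constructed sample it reports two findings, the suffix mismatch and the machine entry without `sambaSamAccount`, while the SID check passes because all three copies of the SID agree.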