Hector Blanco
2008-Feb-22 23:58 UTC
[Samba] Windows 2000 pro doesn't join a domain with Samba+Ldap (linux)
Hello people...

I had to sign up in the list because I don't know what else I could do... I can't find my error anywhere!! :(

The thing is that I have a Linux server with LDAP (openldap 2.3) + Samba (3.0.26) + smbldap-tools (0.9.2-3), and I want to authenticate a Windows 2000 Professional client machine against that server, but it won't work!!

The domain is called "JOME", and the LDAP database structure is something like this (I hope you'll be able to see it properly):

    dc=jome
    |
    \-cn=Admin
    |
    \-ou=Group
    | |
    | \- cn=Account operators
    | \- cn=Administrators
    | \- cn=Backup Operators
    | \- cn=Domain Admins
    | \- cn=Domain Computers
    | \- cn=Domain Guests
    | \- cn=Domain Users
    | \- cn=Print operators
    | \- cn=Replicators
    | \- cn=test
    |
    \-ou=Hosts
    | |
    | \- uid=Enano$
    | \- uid=xxxx$
    |
    \-ou=Idmap
    |
    \-ou=People
    | |
    | \- uid=nobody
    | \- uid=root
    | \- uid=test
    |
    \-sambaDomainName=JOME

The user root is the Netbios Domain Administrator and its sambaPrimaryGroupSID is the same as Domain Admins.

All the Group accounts in ou=Group except "test" were created by smbldap-populate.

The Linux server is the host called "xxxx" and the Windows client is the host "enano".

When I try to join the domain "JOME" from Windows, I am prompted for a user that has permission to create "things" in the domain. I fill the textboxes with "root" and the "rootpass", and in the samba.log file of the server (if the debug level is 2 or higher), it appears:

    authentication for user [root] -> [root] -> [root] succeeded

After this, the machine (enano$) is properly created (if it doesn't exist) in the LDAP schema (a new entry called enano$ appears in ou=Hosts,dc=jome) as shown in the diagram above. The thing is that everything seems to be fine until in the Windows machine an "error window dialog" appears with a very ugly red signal, saying "username not found".

I think it must be something wrong with the user "root", because if I try a username that is really non-existent (john, for instance) or if I mistype the password, the message that appears in Windows is different (in my computer it appears in Spanish, but it's something like "session starting error: username not found or wrong password")...

I've tried to put a higher debug level in Samba (smb.conf -> debug level = 3) and between several other messages, it appears:

    [2008/02/22 15:33:37, 3] passdb/pdb_interface.c:pdb_default_create_user(354)
      pdb_default_create_user: failed to create a new user structure: NT_STATUS_NO_SUCH_USER

But I don't know what user structure it may be... and I don't know why this error only appears when the debug level is that high (I've been googling around, and this level was only recommended for developers).

Anyway, I'm attaching a part of the samba.log file (a complete process). You can see on lines #108 and #118 that it seems to be authenticating "root" properly, and on line #482 the error NT_STATUS_NO_SUCH_USER (as I said, this only appears with debug level = 3, so I don't know if it is very serious or not...). I'm not sure what kind of "user structure" it is trying to create and why it can't (it was supposed to be able to create an "enano$" user... why can't it do the same now?). As you may see, it's not complete, but I took away some lines that I didn't consider relevant (maybe they were, but...). I'm sorry a couple of attachments had to be compressed, but otherwise the mail wouldn't be accepted.

I have read somewhere (http://www.mami.net/univr/tng-ldap/howto/#how_to_join_windows_2000_to_domain) that I need an entry in /etc/passwd for each machine. LDAP is "making" the passwd, but the machines (enano$ and xxxx$) are not "users". A getent passwd gives this:

    root@xxxx# getent passwd
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/bin/sh
    bin:x:2:2:bin:/bin:/bin/sh
    sys:x:3:3:sys:/dev:/bin/sh
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/bin/sh
    man:x:6:12:man:/var/cache/man:/bin/sh
    lp:x:7:7:lp:/var/spool/lpd:/bin/sh
    mail:x:8:8:mail:/var/mail:/bin/sh
    news:x:9:9:news:/var/spool/news:/bin/sh
    uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
    proxy:x:13:13:proxy:/bin:/bin/sh
    www-data:x:33:33:www-data:/var/www:/bin/sh
    backup:x:34:34:backup:/var/backups:/bin/sh
    list:x:38:38:Mailing List Manager:/var/list:/bin/sh
    irc:x:39:39:ircd:/var/run/ircd:/bin/sh
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
    nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
    dhcp:x:100:101::/nonexistent:/bin/false
    syslog:x:101:102::/home/syslog:/bin/false
    klog:x:102:103::/home/klog:/bin/false
    hplip:x:103:7:HPLIP system user,,,:/var/run/hplip:/bin/false
    avahi-autoipd:x:104:112:Avahi autoip daemon,,,:/var/lib/avahi-autoipd:/bin/false
    messagebus:x:105:113::/var/run/dbus:/bin/false
    avahi:x:106:114:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/bin/false
    gdm:x:107:116:Gnome Display Manager:/var/lib/gdm:/bin/false
    haldaemon:x:108:117:Hardware abstraction layer,,,:/home/haldaemon:/bin/false
    hector:x:1000:1000:Hector Blanco,,,:/home/hector:/bin/bash
    openldap:x:109:120:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
    sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
    test:x:2000:2000:Test User:/home/test:/bin/bash
    root:x:0:0:Netbios Domain Administrator:/tmp:/bin/false
    nobody:x:999:514:nobody:/dev/null:/bin/false

(The last three users, test, root and nobody, only exist in the LDAP database.)

Ah, and from the Windows client I am able to access the shared resources of the server when I log in as "root" or "test" (users from the LDAP entry ou=People).

Just in case... an anonymous (without password) smbclient -L to the Samba server gives this:

    root@xxxx:/var/lib/samba/netlogon# smbclient -L 192.168.1.30
    Password:
    Domain=[JOME] OS=[Unix] Server=[Samba 3.0.26a]

            Sharename       Type      Comment
            ---------       ----      -------
            netlogon        Disk      Network Logon Service
            profiles        Disk      Profile Share
            print$          Disk      Printer Drivers
            IPC$            IPC       IPC Service (xxxx PDC server Version 3.0.26a)
    Domain=[JOME] OS=[Unix] Server=[Samba 3.0.26a]

            Server               Comment
            ---------            -------
            XXXX                 xxxx PDC server Version 3.0.26a

            Workgroup            Master
            ---------            -------
            JOME                 XXXX

I am attaching too the LDAP tree (compressed too, sorry), the smb.conf file and the smbldap-tools.conf file... just in case...

Sorry for such a huge message, but I have no idea of what's wrong...

Thank you very much in advance... Any hint (whatever) will be deeply appreciated!!
Adam Williams
2008-Feb-23 03:02 UTC
[Samba] Windows 2000 pro doesn't join a domain with Samba+Ldap (linux)
have you run smbpasswd -a root

Hector Blanco wrote:
> Hello people...
>
> I had to sign up in the list because I don't know what else I could
> do... I can't find my error anywhere!! :(
>
> The thing is that I have a Linux server with Ldap (openldap2.3) +
> Samba (3.0.26) + smldaptools (0.9.2-3), and I want to authenticate a
> windows 2000 Professional client machine against that server, but it
> won't work!!
<snip>
Robert
2008-Feb-23 06:54 UTC
[Samba] Windows 2000 pro doesn't join a domain with Samba+Ldap (linux)
On Friday 22 February 2008, Hector Blanco wrote:
> Hello people...
<snip>
> The thing is that I have a Linux server with Ldap (openldap2.3) +
> Samba (3.0.26) + smldaptools (0.9.2-3), and I want to authenticate a
> windows 2000 Professional client machine against that server, but it
> won't work!!
<snip>
> When I try to join the domain "JOME" from Windows, I am prompted for a
> user that has permission to create "things" in the domain. I fill the
> textboxes with "root" and the "rootpass", and in the samba.log file of
> the server (if the debug level is 2 or higher), it appears:
> "authentication for user [root] -> [root] -> [root] succeeded". After
> this, the machine (enano$) is properly created (if doesn't exist) in
> the Ldap schema (a new entry called enano$ appears in
> ou=Hosts,dc=jome) as shown in the diagram above.The thing is that
> everything seems to be fine until in the windows machine a "error
> window dialog" appears with a very ugly red signal, saying ("username
> not found").
<snip>

Sounds suspiciously similar to a problem I've been having, except I'm not using LDAP, and my problem is with XP SP2 only. Unfortunately, I haven't found a solution to my problem either... yet. Search the archives for "Joining Domain Problem only with XP SP2" if you want to see my thread.

--
Fail to learn history-repeat it.
Fail to learn rights-lose them.
Learn both-get screwed by previous two groups.
Jamrock
2008-Feb-23 14:55 UTC
[Samba] Re: Windows 2000 pro doesn't join a domain with Samba+Ldap (linux)
"Hector Blanco" <white.lists@gmail.com> wrote in message news:86e693810802221551h7feaf5e8n2a504646b64ac900@mail.gmail.com...
> Hello people...
>
> I had to sign up in the list because I don't know what else I could
> do... I can't find my error anywhere!! :(
>

Hi Hector,

Can you post your /etc/ldap.conf file and your /etc/nsswitch.conf file? Are there any other ldap.conf files in the /etc directory?

Are you able to add users to the domain?

Please post the output from getent passwd group.
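As an added example, not code from any post in this thread: Hector's getent passwd listing and Jamrock's request for it both turn on the same check, whether every account Samba 3 has to map to a Unix user (machine accounts such as enano$ included) resolves through NSS, and resolves exactly once. The POSIX shell functions below perform that check over getent output. The embedded SAMPLE_PASSWD is constructed, condensed from the listing in Hector's post; it is only used so the script can be exercised offline, and the live getent passwd is consulted when no data is passed in.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread. Samba 3 with an LDAP passdb
# still needs every account it authenticates (users and machine accounts
# such as "enano$") to resolve through NSS; this script checks that.

# Constructed sample, condensed from the getent passwd output in the post:
# local root plus the LDAP-only test/root/nobody entries.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
test:x:2000:2000:Test User:/home/test:/bin/bash
root:x:0:0:Netbios Domain Administrator:/tmp:/bin/false
nobody:x:999:514:nobody:/dev/null:/bin/false'

# count_entries NAME PASSWD_DATA: number of passwd lines whose login is NAME
count_entries() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { c++ } END { print c + 0 }'
}

# check_account NAME [PASSWD_DATA]: returns 0 if NAME resolves exactly once,
# 1 if it does not resolve at all, 2 if more than one NSS source defines it.
# Without PASSWD_DATA the live getent passwd output is used.
check_account() {
    name=$1
    data=${2:-$(getent passwd)}
    n=$(count_entries "$name" "$data")
    case $n in
        0) echo "MISSING   $name: no NSS entry, Samba cannot map it to a Unix account"; return 1 ;;
        1) echo "OK        $name"; return 0 ;;
        *) echo "DUPLICATE $name: $n entries, more than one NSS source defines it"; return 2 ;;
    esac
}

# list_duplicates [PASSWD_DATA]: login names that appear more than once
list_duplicates() {
    data=${1:-$(getent passwd)}
    printf '%s\n' "$data" | awk -F: '{ c[$1]++ } END { for (u in c) if (c[u] > 1) print u }' | sort
}

# Usage: sh check_accounts.sh 'enano$' 'xxxx$' root test
# With no arguments nothing runs, so the functions can be sourced.
if [ "$#" -gt 0 ]; then
    for acct in "$@"; do
        check_account "$acct" || :
    done
    echo "Duplicated names: $(list_duplicates | tr '\n' ' ')"
fi
```

Run it on the PDC with the machine account names (the trailing $ must be quoted) and the join user. Against the sample data, enano$ comes back MISSING, which is the symptom the mami.net howto warns about, and root comes back DUPLICATE because both the local passwd file and LDAP define it with uid 0; an account that resolves to two different entries is worth untangling before reading any further into the NT_STATUS_NO_SUCH_USER line.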