Hi guys, Can anyone comment on my setup steps? I follow instructions from many Howto's website,the below steps worked well until yesterday. It suddenly refused WindowsXp machine to join domain by giving the error "The following error occurs....Access denied" CENTOS 5.1 + fedora-ds-dsgw-1.1.1-1.fc6 + samba-client-3.0.25b-0.el5.4 fedora-idm-console-1.1.1-1.fc6 fedora-ds-base-1.1.3-2.fc6 fedora-ds-console-1.1.2-1.fc6 fedora-ds-admin-1.1.6-1.fc6 fedora-ds-1.1.2-1.fc6 fedora-ds-admin-console-1.1.2-1.fc6 Fedora directory server on this server is to be act as a slave for local ldap authentication which receive ldap account update from Master Fedora director server in other location. ====================================================================1. /etc/hosts 127.0.0.1 centserver centserver.abc.com 192.168.1.1 centserver centserver.abc.com 1.1 Reboot computer ====================================================================2. Install Fedora-ds Set up the new directory server and admin server 2.1 /usr/sbin/setup-ds-admin.pl <<screen dump>>>> >>=============================================================================>>This program will set up the Fedora Directory and Administration Servers. >> >> >>Would you like to continue with set up? [yes]: yes >> >>Do you agree to the license terms? [no]: yes >> >> >>Would you like to continue? [no]: yes >> >> >>Choose a setup type [2]: 2 >> >> >>Computer name [centserver.riderman.co.th]: centserver.abc.com >> >> >>System User [nobody]: ldap >> >> >>System Group [nobody]: ldap >>Do you want to register this software with an existing >>configuration directory server? [no]: >> >> >>administrator ID [admin]: csadmin >>Password: csadminpassword >>Password (confirm): csadminpassword >> >> >>Administration Domain [abc.com]: abc.com >> >>Directory server network port [389]: 389 >> >> >>Directory server identifier [centserver]: centserver >> >> >>Suffix [dc=riderman, dc=com]: dc=riderman, dc=com >> >> >>Directory Manager DN [cn=Directory Manager]: cn=Directory Manager >>Password: ldapadminpassword >>Password (confirm): ldapadminpassword >> >> >>Administration port [9830]: 22137 >> >>=============================================================================>>The interactive phase is complete. The script will now set up your >>servers. Enter No or go Back if you want to change something. >> >>Are you ready to set up your servers? [yes]: >>Creating directory server . . . >>Your new DS instance 'centserver' was successfully created. >>Creating the configuration directory server . . . >>Beginning Admin Server creation . . . >>Creating Admin Server files and directories . . . >>Updating adm.conf . . . >>Updating admpw . . . >>Registering admin server with the configuration directory server . . . >>Updating adm.conf with information from configuration directory server. . .>>Updating the configuration for the httpd engine . . . >>Starting admin server . . . >>output: httpd.worker: Could not reliably determine the server's fullyqualified domain name, using 127.0.0.1 for ServerName>>The admin server was successfully started. >>Admin server was successfully created, configured, and started. >>Exiting . . . >>Log file is '/tmp/setupOYDg5L.log' >> >><<screen dump>> ==================================================================== 3. Import samba.schema into FDS 3.1 Copy file 61samba.ldif to /etc/dirsrv/schema and /etc/dirsrv/slapd-centserver/schema 3.2 service dirsrv restart ==================================================================== 4. Modify file migrate_common.ph /usr/share/openldap/migration/migrate_common.ph 4.1 Search for the following OrganizationalUnit : $NAMINGCONTEXT{'group'} = "ou=Group"; 4.2 Modify as shown below: $NAMINGCONTEXT{'group'} = "ou=Groups"; 4.3 Modify section Default DNS domain # Default DNS domain $DEFAULT_MAIL_DOMAIN = "riderman.com"; 4.4 Modify section Defaut base # Default base $DEFAULT_BASE = "dc=riderman,dc=com"; 4.5 Modify EXTENDED_SCHEMA $EXTENDED_SCHEMA = 1; ==================================================================== 5. Samba Setup 5.1 /etc/samba/smb.conf [global] server string = Linux Domain Controller workgroup = ridermangrp security = user passdb backend = ldapsam:ldap://centserver.abc.com ldap admin dn = cn=Directory Manager ldap suffix = dc=riderman,dc=com ldap user suffix = ou=People ldap machine suffix = ou=People ldap group suffix = ou=Groups add user script /usr/share/doc/samba-3.0.28/LDAP/smbldap-tools-0.9.2/smbldap-useradd -m "%u" add machine script /usr/share/doc/samba-3.0.28/LDAP/smbldap-tools-0.9.2/smbldap-useradd -t 5 -w "%u" add group script = /opt/IDEALX/sbin/smbldap-groupadd -p "%g" add user to group script /usr/share/doc/samba-3.0.28/LDAP/smbldap-tools-0.9.2/smbldap-groupmod -m "%u" "%g" delete user from group script /usr/share/doc/samba-3.0.28/LDAP/smbldap-tools-0.9.2/smbldap-groupmod -x "%u" "%g" set primary group script /usr/share/doc/samba-3.0.28/LDAP/smbldap-tools-0.9.2/smbldap-usermod -g "%g" "%u" log file = /var/log/%m.log socket options = TCP_NODELAY SO_SNDBUF=65536 SO_RCVBUF=65536 IPTOS_LOWDELAY os level = 33 domain logons = yes domain master = yes local master = yes preferred master = yes wins support = yes logon home logon path logon drive template shell = /bin/false winbind use default domain = no enable privileges = yes logon script = mapdrivectrl.bat nt acl support = yes map acl inherit = yes [netlogon] path = /var/lib/samba/netlogon/scripts read only = yes browsable = no [share02] security mask = 0777 force security mode = 0 directory security mask = 0777 force directory security mode = 0 force directory mode = 0777 force create mode = 0777 nt acl support = yes writeable = yes valid users = @"Domain Admins",@"Domain Computers",@"Domain Users",@Domain_Admins,@Domain_Users path = /share02 [share01] nt acl support = yes writeable = yes valid users = @"Domain Admins",@"Domain Computers",@"Domain Users",@Domain_Admins,@Domain_Users path = /share01 inherit acls = yes inherit permissions = yes oplocks = yes level2 oplocks = yes share modes = yes veto oplock files = /*.mdb/*.MDB/*.dbf/*.DBF/ 5.2 testparm <<screen dump>>>> >>Load smb config files from /etc/samba/smb.conf >>Processing section "[netlogon]" >>Processing section "[profiles]" >>Processing section "[homes]" >>Loaded services file OK. >>Server role: ROLE_DOMAIN_PDC<<screen dump>> 5.3 mkdir -p /var/lib/samba mkdir /var/lib/samba/{netlogon,profiles} chown root:root -R /var/lib/samba chmod 0755 /var/lib/samba/netlogon chmod 1755 /var/lib/samba/profiles mkdir /var/lib/samba/netlogon/scripts 5.4 Add Samba admin password smbpasswd -w ldapadminpassword 5.5 Restart Samba service service smb restart ====================================================================6. Restart Directory server service service dirsrv restart ====================================================================7. Change LocalSID number net setlocalsid S-1-5-21-231587965-5978642536-3325898745 7.1 Check if LocalSID number is changed as desired net getlocalsid <<screen dump>>>> >>SID for domain centserver is: S-1-5-21-231587965-5978642536-3325898745 >><<screen dump>> ====================================================================8. Import Samba Domain, Groups and Samba Admin account into Directory server 8.1 Copy three .ldif files to /root/Desktop: sambaDomain.ldif sambaGroups.ldif sambaAdmin.ldif 8.2 Import sambaDomain.ldif to FDS /usr/lib/dirsrv/slapd-centserver/ldif2ldap "cn=Directory manager" ldapadminpassword /root/Desktop/sambaDomain.ldif 8.3 Import sambaGroups.ldif to FDS /usr/lib/dirsrv/slapd-centserver/ldif2ldap "cn=Directory manager" ldapadminpassword /root/Desktop/sambaGroups.ldif 8.4 Import sambaAdmin.ldif to FDS /usr/lib/dirsrv/slapd-centserver/ldif2ldap "cn=Directory manager" ldapadminpassword /root/Desktop/sambaAdmin.ldif ====================================================================9. Create Unix Group as follows groupadd -g 2512 Domain_Admins groupadd -g 2513 Domain_Users groupadd -g 2514 Domain_Guests groupadd -g 2515 Domain_Computers ====================================================================10. Group mapping net groupmap add rid=2512 ntgroup='Domain Admins' unixgroup='Domain_Admins' net groupmap add rid=2513 ntgroup='Domain Users' unixgroup='Domain_Users' net groupmap add rid=2514 ntgroup='Domain Guests' unixgroup='Domain_Guests' net groupmap add rid=2515 ntgroup='Domain Computers' unixgroup='Domain_Computers' ====================================================================11. Config PAM 11.1 Edit ldap.conf in /etc/openldap/ldap.conf <<screen dump>> # # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. #BASE dc=example, dc=com #URI ldap://ldap.example.com ldap://ldap-master.example.com:666 #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never URI ldap://192.168.1.1:389/ BASE dc=riderman,dc=com TLS_CACERTDIR /etc/openldap/cacerts <<screen dump>> 11.2 /etc/ldap.conf <<screen dump>> # @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $ # # This is the configuration file for the LDAP nameservice # switch library and the LDAP PAM module. # # The man pages for this file are nss_ldap(5) and pam_ldap(5) # # PADL Software # http://www.padl.com # # Your LDAP server. Must be resolvable without using LDAP. # Multiple hosts may be specified, each separated by a # space. How long nss_ldap takes to failover depends on # whether your LDAP client library supports configurable # network or connect timeouts (see bind_timelimit). #host # The distinguished name of the search base. base dc=riderman,dc=com # Another way to specify your LDAP server is to provide an # uri with the server name. This allows to use # Unix Domain Sockets to connect to a local LDAP Server. #uri ldap://127.0.0.1/ #uri ldaps://127.0.0.1/ #uri ldapi://%2fvar%2frun%2fldapi_sock/ # Note: %2f encodes the '/' used as directory separator # The LDAP version to use (defaults to 3 # if supported by client library) #ldap_version 3 # The distinguished name to bind to the server with. # Optional: default is to bind anonymously. #binddn cn=proxyuser,dc=example,dc=com # The credentials to bind with. # Optional: default is no credential. #bindpw secret # The distinguished name to bind to the server with # if the effective user ID is root. Password is # stored in /etc/ldap.secret (mode 600) #rootbinddn cn=manager,dc=example,dc=com # The port. # Optional: default is 389. #port 389 # The search scope. #scope sub #scope one #scope base # Search timelimit #timelimit 30 timelimit 120 # Bind/connect timelimit #bind_timelimit 30 bind_timelimit 120 # Reconnect policy: hard (default) will retry connecting to # the software with exponential backoff, soft will fail # immediately. #bind_policy hard # Idle timelimit; client will close connections # (nss_ldap only) if the server has not been contacted # for the number of seconds specified below. #idle_timelimit 3600 idle_timelimit 3600 # Filter to AND with uid=%s #pam_filter objectclass=account # The user ID attribute (defaults to uid) #pam_login_attribute uid # Search the root DSE for the password policy (works # with Netscape Directory Server) #pam_lookup_policy yes # Check the 'host' attribute for access control # Default is no; if set to yes, and user has no # value for the host attribute, and pam_ldap is # configured for account management (authorization) # then the user will not be allowed to login. #pam_check_host_attr yes # Check the 'authorizedService' attribute for access # control # Default is no; if set to yes, and the user has no # value for the authorizedService attribute, and # pam_ldap is configured for account management # (authorization) then the user will not be allowed # to login. #pam_check_service_attr yes # Group to enforce membership of #pam_groupdn cn=PAM,ou=Groups,dc=example,dc=com # Group member attribute #pam_member_attribute uniquemember # Specify a minium or maximum UID number allowed #pam_min_uid 0 #pam_max_uid 0 # Template login attribute, default template user # (can be overriden by value of former attribute # in user's entry) #pam_login_attribute userPrincipalName #pam_template_login_attribute uid #pam_template_login nobody # HEADS UP: the pam_crypt, pam_nds_passwd, # and pam_ad_passwd options are no # longer supported. # # Do not hash the password at all; presume # the directory server will do it, if # necessary. This is the default. #pam_password clear # Hash password locally; required for University of # Michigan LDAP server, and works with Netscape # Directory Server if you're using the UNIX-Crypt # hash mechanism and not using the NT Synchronization # service. #pam_password crypt # Remove old password first, then update in # cleartext. Necessary for use with Novell # Directory Services (NDS) #pam_password clear_remove_old #pam_password nds # RACF is an alias for the above. For use with # IBM RACF #pam_password racf # Update Active Directory password, by # creating Unicode password and updating # unicodePwd attribute. #pam_password ad # Use the OpenLDAP password change # extended operation to update the password. #pam_password exop # Redirect users to a URL or somesuch on password # changes. #pam_password_prohibit_message Please visit http://internal to change your password. # RFC2307bis naming contexts # Syntax: # nss_base_XXX base?scope?filter # where scope is {base,one,sub} # and filter is a filter to be &'d with the # default filter. # You can omit the suffix eg: # nss_base_passwd ou=People, # to append the default base DN but this # may incur a small performance impact. #nss_base_passwd ou=People,dc=example,dc=com?one #nss_base_shadow ou=People,dc=example,dc=com?one #nss_base_group ou=Group,dc=example,dc=com?one #nss_base_hosts ou=Hosts,dc=example,dc=com?one #nss_base_services ou=Services,dc=example,dc=com?one #nss_base_networks ou=Networks,dc=example,dc=com?one #nss_base_protocols ou=Protocols,dc=example,dc=com?one #nss_base_rpc ou=Rpc,dc=example,dc=com?one #nss_base_ethers ou=Ethers,dc=example,dc=com?one #nss_base_netmasks ou=Networks,dc=example,dc=com?ne #nss_base_bootparams ou=Ethers,dc=example,dc=com?one #nss_base_aliases ou=Aliases,dc=example,dc=com?one #nss_base_netgroup ou=Netgroup,dc=example,dc=com?one # Just assume that there are no supplemental groups for these named users nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd # attribute/objectclass mapping # Syntax: #nss_map_attribute rfc2307attribute mapped_attribute #nss_map_objectclass rfc2307objectclass mapped_objectclass # configure --enable-nds is no longer supported. # NDS mappings #nss_map_attribute uniqueMember member # Services for UNIX 3.5 mappings #nss_map_objectclass posixAccount User #nss_map_objectclass shadowAccount User #nss_map_attribute uid msSFU30Name #nss_map_attribute uniqueMember msSFU30PosixMember #nss_map_attribute userPassword msSFU30Password #nss_map_attribute homeDirectory msSFU30HomeDirectory #nss_map_attribute homeDirectory msSFUHomeDirectory #nss_map_objectclass posixGroup Group #pam_login_attribute msSFU30Name #pam_filter objectclass=User #pam_password ad # configure --enable-mssfu-schema is no longer supported. # Services for UNIX 2.0 mappings #nss_map_objectclass posixAccount User #nss_map_objectclass shadowAccount user #nss_map_attribute uid msSFUName #nss_map_attribute uniqueMember posixMember #nss_map_attribute userPassword msSFUPassword #nss_map_attribute homeDirectory msSFUHomeDirectory #nss_map_attribute shadowLastChange pwdLastSet #nss_map_objectclass posixGroup Group #nss_map_attribute cn msSFUName #pam_login_attribute msSFUName #pam_filter objectclass=User #pam_password ad # RFC 2307 (AD) mappings #nss_map_objectclass posixAccount user #nss_map_objectclass shadowAccount user #nss_map_attribute uid sAMAccountName #nss_map_attribute homeDirectory unixHomeDirectory #nss_map_attribute shadowLastChange pwdLastSet #nss_map_objectclass posixGroup group #nss_map_attribute uniqueMember member #pam_login_attribute sAMAccountName #pam_filter objectclass=User #pam_password ad # configure --enable-authpassword is no longer supported # AuthPassword mappings #nss_map_attribute userPassword authPassword # AIX SecureWay mappings #nss_map_objectclass posixAccount aixAccount #nss_base_passwd ou=aixaccount,?one #nss_map_attribute uid userName #nss_map_attribute gidNumber gid #nss_map_attribute uidNumber uid #nss_map_attribute userPassword passwordChar #nss_map_objectclass posixGroup aixAccessGroup #nss_base_group ou=aixgroup,?one #nss_map_attribute cn groupName #nss_map_attribute uniqueMember member #pam_login_attribute userName #pam_filter objectclass=aixAccount #pam_password clear # Netscape SDK LDAPS #ssl on # Netscape SDK SSL options #sslpath /etc/ssl/certs # OpenLDAP SSL mechanism # start_tls mechanism uses the normal LDAP port, LDAPS typically 636 #ssl start_tls #ssl on # OpenLDAP SSL options # Require and verify server certificate (yes/no) # Default is to use libldap's default behavior, which can be configured in # /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for # OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes". #tls_checkpeer yes # CA certificates for server certificate verification # At least one of these are required if tls_checkpeer is "yes" #tls_cacertfile /etc/ssl/ca.cert #tls_cacertdir /etc/ssl/certs # Seed the PRNG if /dev/urandom is not provided #tls_randfile /var/run/egd-pool # SSL cipher suite # See man ciphers for syntax #tls_ciphers TLSv1 # Client certificate and key # Use these, if your server requires client authentication. #tls_cert #tls_key # Disable SASL security layers. This is needed for AD. #sasl_secprops maxssf=0 # Override the default Kerberos ticket cache location. #krb5_ccname FILE:/etc/.ldapcache # SASL mechanism for PAM authentication - use is experimental # at present and does not support password policy control #pam_sasl_mech DIGEST-MD5 uri ldap://centserver.abc.com:389/ ssl no tls_cacertdir /etc/openldap/cacerts pam_password md5 12.authconfig-tui Mark at the position shown below: ?????????????????? Authentication Configuration ??????????????????? ? ? User Information Authentication ? [*] Cache Information [*] Use MD5 Passwords ? [ ] Use Hesiod [*] Use Shadow Passwords ? [*] Use LDAP [*] Use LDAP Authentication ? [ ] Use NIS [ ] Use Kerberos ? [ ] Use Winbind [ ] Use SMB Authentication ? [ ] Use Winbind Authentication ? [ ] Local authorization is sufficient ? ? ?????????? ???????? ? ? Cancel ? ? Next ? ? ?????????? ???????? ? ? ??????????????????????????????????????????????????????????????????? 12.1 Enter Server address and Base DN as shown below: ??????????????????? LDAP Settings ??????????????????? ? ? [ ] Use TLS ? Server: ldap://192.168.1.1:389/_________________ ? Base DN: dc=riderman,dc=com___________________ ? ? ???????? ?????? ? ? Back ? ? Ok ? ? ???????? ?????? ? ? ??????????????????????????????????????????????? 13. Edit sys-auth file /etc/pam.d/system-auth #%PAM-1.0 # This file is auto-generated. # User changes will be destroyed the next time authconfig is run. auth required pam_env.so auth sufficient pam_unix.so nullok likeauth auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_ldap.so use_first_pass auth required pam_deny.so account required pam_unix.so broken_shadow account sufficient pam_succeed_if.so uid < 100 quiet account [default=bad success=ok user_unknown=ignore] pam_ldap.so account required pam_permit.so password requisite pam_cracklib.so retry=3 password sufficient pam_unix.so md5 shadow nullok use_authtok password sufficient pam_ldap.so use_authtok password required pam_deny.so session optional pam_keyinit.so revoke session required pam_limits.so session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid session required pam_unix.so session optional pam_ldap.so ==================================================================================================================================== 14. Before Join Windows user to PDC 14.1 Install LAM (Ldap Account Manager) http://lam.sourceforge.net on domain control machine service httpd restart 14.2 Open Web browser type address "http://127.0.0.1/lamlocal" 14.3 Add Domain user into Ldap directory by LAM web interface. 14.4 Computer name(machine name) of Windows must be added to Ldap directory as a "Host" in LAM webinterface. otherwise joining a machine to the domain will be failed. ====================================================================15. Reboot server machine and make sure to start all smb,drsrv and httpd service 16. Test join domain from Windows machine ==================================================================== These are the error messages when I tried to join machine name "test1" [root@centserver /var/log/samba]# vim /var/log/test1.log [2009/03/04 13:34:59, 0] passdb/secrets.c:secrets_restore_schannel_session_info(1193) secrets_restore_schannel_session_info: Failed to find entry with key SECRETS/SCHANNEL/TEST1 [2009/03/04 13:34:59, 0] rpc_server/srv_pipe.c:pipe_schannel_auth_bind(1333) pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2 [2009/03/04 13:34:59, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478) _net_auth2: creds_server_check failed. Rejecting auth request from client TEST1 machine account TEST1$ [2009/03/04 13:36:31, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478) _net_auth2: creds_server_check failed. Rejecting auth request from client TEST1 machine account TEST1$ [2009/03/04 14:29:06, 1] smbd/service.c:make_connection_snum(1033) test1 (192.168.1.254) connect to service filearea02 initially as user bkk.tom (uid=53, gid=2512) (pid 9618) [2009/03/04 14:29:45, 1] smbd/service.c:close_cnum(1230) test1 (192.168.1.254) closed connection to service filearea02 [2009/03/04 14:53:47, 0] lib/util_sock.c:read_data(534) read_data: read failure for 4 bytes to client 192.168.1.254. Error = No route to host [2009/03/04 16:43:59, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478) _net_auth2: creds_server_check failed. Rejecting auth request from client TEST1 machine account TEST1$ [2009/03/04 16:44:51, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478) _net_auth2: creds_server_check failed. Rejecting auth request from client TEST1 machine account TEST1$ [2009/03/04 17:12:16, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478) _net_auth2: creds_server_check failed. Rejecting auth request from client TEST1 machine account TEST1$ [2009/03/04 17:24:00, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478) _net_auth2: creds_server_check failed. Rejecting auth request from client TEST1 machine account TEST1$ [2009/03/04 17:32:05, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(478) _net_auth2: creds_server_check failed. Rejecting auth request from client TEST1 machine account TEST1$ Thank you & Best Regards, Tom