Jon Detert
2011-Feb-21 21:14 UTC
[Samba] problem joining WinXP machine to samba PDC+LDAP environment
Hello,
I can't join a winxp box to my samba domain. I just have one samba
server, meant to act as a PDC for domain='CHI'.
Any ideas how to troubleshoot and/or remedy?
Thanks,
Jon
Context:
------------
samba v3.3.8 on CentOS v5.5, using ldapsam backend. Domainname ='CHI'.
smbldap-tools v0.9.6.
I 'populated' the ldap with 'smbldap-populate'.
I try to join the winxp box, authenticating to the domain as user
'jdetert', which is a member of the 'Administrators' group:
# smbldap-groupshow Administrators
dn: cn=Administrators,ou=Groups,dc=infinityhealthcare,dc=com
objectClass: top,posixGroup,sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the
computer/sambaDomainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators
memberUid: jdetert,root
What happens:
----------------------
a failure dialog window pops up on the winxp box with this message:
'The following error occurred attempting to join the domain "CHI":
The user name could not be found.'
And here are the interesting bits (as far as I can tell) from the samba logs:
<log.smb>
[2011/02/21 14:32:07, 2] lib/smbldap_util.c:smbldap_search_domain_info(277)
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=CHI))]
[2011/02/21 14:32:07, 2] lib/smbldap.c:smbldap_open_connection(856)
smbldap_open_connection: connection opened
[2011/02/21 14:32:07, 3] lib/smbldap.c:smbldap_connect_system(1067)
ldap_connect_system: successful connection to the LDAP server
[2011/02/21 14:32:07, 4] lib/smbldap.c:smbldap_open(1143)
The LDAP server is successfully connected
..
[2011/02/21 14:32:07, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
ldapsam_getgroup: Did not find group, filter was
(&(objectClass=sambaGroupMapping)(gidNumber=0))
...
[2011/02/21 14:32:07, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
ldapsam_getgroup: Did not find group, filter was
(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-545))
...
[2011/02/21 14:32:07, 3] lib/privileges.c:get_privileges(63)
get_privileges: No privileges assigned to SID
[S-1-5-21-3685928793-4148883033-3314734756-500]
...
<[2011/02/21 14:32:07, 3] lib/privileges.c:get_privileges(63)
get_privileges: No privileges assigned to SID
[S-1-5-21-3685928793-4148883033-3314734756-501]
[2011/02/21 14:32:07, 3] lib/privileges.c:get_privileges(63)
get_privileges: No privileges assigned to SID
[S-1-5-21-3685928793-4148883033-3314734756-514]
[2011/02/21 14:32:07, 3] lib/privileges.c:get_privileges(63)
get_privileges: No privileges assigned to SID [S-1-5-2]
[2011/02/21 14:32:07, 3] lib/privileges.c:get_privileges(63)
get_privileges: No privileges assigned to SID [S-1-5-32-546]
</log.smb>
interesting bits in the log.<clientMachineName>, where
clientMachineName=testfsclient
<log.testfsclient>
[2011/02/21 14:32:22, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
ldapsam_getgroup: Did not find group, filter was
(&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-545))
.... [editor's note: that's for the group 'Users'. Also couldn't find
groups for S-1-5-2 ('Network'), S-1-1-0 ('Everyone'), and S-1-5-11
('Authenticated Users').]
[2011/02/21 14:32:22, 3] lib/privileges.c:get_privileges(63)
get_privileges: No privileges assigned to SID
[S-1-5-21-3685928793-4148883033-3314734756-11002]
[2011/02/21 14:32:22, 3] lib/privileges.c:get_privileges(63)
get_privileges: No privileges assigned to SID
[S-1-5-21-3685928793-4148883033-3314734756-11001]
[2011/02/21 14:32:22, 3] lib/privileges.c:get_privileges(63)
get_privileges: No privileges assigned to SID [S-1-5-2]
[2011/02/21 14:32:22, 3] lib/privileges.c:get_privileges(63)
get_privileges: No privileges assigned to SID [S-1-5-11]
.... [editor's note: the SID ending in 11002 is the user 'jdetert'
that attempted to join the machine, and the SID ending in 11001 is
jdetert's primary GID.]
[2011/02/21 14:32:22, 4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1519)
ldapsam_getsampwnam: Unable to locate user [TESTFSCLIENT$] count=0
.... [editor's note: 'TESTFSCLIENT' is the name of the machine I was
trying to join.]
[2011/02/21 14:32:22, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
ldapsam_getgroup: Did not find group, filter was
(&(objectClass=sambaGroupMapping)(|(displayName=TESTFSCLIENT$)(cn=TESTFSCLIENT$)))
....
[2011/02/21 14:32:22, 0] passdb/pdb_interface.c:pdb_default_create_user(342)
_samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w
-c "Workstation (testfsclient$)" "testfsclient$"' gave 9
[2011/02/21 14:32:22, 3] passdb/pdb_interface.c:pdb_default_create_user(359)
pdb_default_create_user: failed to create a new user structure:
NT_STATUS_NO_SUCH_USER
</log.testfsclient>
I assume that the 'group not found' log entries are not significant,
and that '9' was the return code from smbldap-useradd.
Anyone know what return code 9 means?
Anyone have ideas how to remedy this problem?
Thanks,
Jon
Mike Brady
2011-Feb-21 22:15 UTC
[Samba] problem joining WinXP machine to samba PDC+LDAP environment
Quoting Jon Detert <jdetert at infinityhealthcare.com>:
> I assume that the 'group not found' log entries are not significant,
> and that '9' was the return code from smbldap-useradd.
>
> Anyone know what return code 9 means?
> Anyone have ideas how to remedy this problem?
I am working through a similar setup at the moment.
Looking at the smbldap-useradd source, status 9 is "user must not exist in LDAP", so I assume from that that the workstation userid already exists?
I have just added a Windows 7 machine to my domain and also get "No privileges assigned to SID" messages, but no group not found messages and the domain join works for me.
Regards
Mike
Natxo Asenjo
2011-Feb-22 19:08 UTC
[Samba] problem joining WinXP machine to samba PDC+LDAP environment
On Mon, Feb 21, 2011 at 10:14 PM, Jon Detert <jdetert at infinityhealthcare.com> wrote:
> I assume that the 'group not found' log entries are not significant,
> and that '9' was the return code from smbldap-useradd.
>
> Anyone know what return code 9 means?
> Anyone have ideas how to remedy this problem?
according to http://leto.net/docs/ldap_error_code.php, it means 'reserved', which may, or may not, shed more light into this.
HTH,
--
natxo
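Added example, not part of any message in this thread and not Samba or smbldap-tools code: a small parser that rejoins the mail-wrapped Samba log records quoted above and pairs each failed account-creation script run (the number after `gave` is the exit status of the command smbd ran) with the passdb lookup logged for the same account. The sample is the log.testfsclient excerpt from the first message; the function names and the rule that the account name is the script's last argument are assumptions of this example.

```python
import re
import shlex

# Samba 3 record header: "[date time, level] file.c:function(line)"
HEADER = re.compile(r"^<?\[([\d/]+ [\d:]+),\s*(\d+)\]\s+\S+?:(\w+)\(\d+\)\s*$")
SCRIPT = re.compile(r"Running the command `(.+)' gave (-?\d+)")
MISS = re.compile(r"Unable to locate user \[([^\]]+)\] count=(\d+)")

# Excerpt of log.testfsclient as posted in the thread (mail line wraps kept).
SAMPLE = """\
[2011/02/21 14:32:22, 4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1519)
ldapsam_getsampwnam: Unable to locate user [TESTFSCLIENT$] count=0
....
[2011/02/21 14:32:22, 0] passdb/pdb_interface.c:pdb_default_create_user(342)
_samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w
-c "Workstation (testfsclient$)" "testfsclient$"' gave 9
[2011/02/21 14:32:22, 3] passdb/pdb_interface.c:pdb_default_create_user(359)
pdb_default_create_user: failed to create a new user structure:
NT_STATUS_NO_SUCH_USER
"""

def records(text):
    """Yield (timestamp, level, function, message); wrapped lines rejoined."""
    current = None
    for line in map(str.strip, text.splitlines()):
        m = HEADER.match(line)
        if m:
            if current:
                yield (*current[:3], " ".join(current[3]))
            current = (m.group(1), int(m.group(2)), m.group(3), [])
        elif current and line.strip("."):   # skip blanks and "...." elisions
            current[3].append(line)
    if current:
        yield (*current[:3], " ".join(current[3]))

def join_failures(text):
    """Pair each failed account-creation script run with the passdb lookup."""
    misses, failures = {}, []
    for ts, _level, _func, msg in records(text):
        if miss := MISS.search(msg):
            misses[miss.group(1).lower()] = int(miss.group(2))
        run = SCRIPT.search(msg)
        if run and int(run.group(2)) != 0:
            # Assumption: account name is the script's last argument (as logged).
            account = shlex.split(run.group(1))[-1]
            failures.append({"time": ts, "account": account,
                             "exit_status": int(run.group(2)),
                             "passdb_matches": misses.get(account.lower())})
    return failures
```

On the excerpt this reports `testfsclient$` with exit status 9 next to a passdb lookup that matched 0 entries, the two observations the replies above are trying to reconcile.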