Jon Detert
2011-Feb-21 21:14 UTC
[Samba] problem joining WinXP machine to samba PDC+LDAP environment
Hello,

I can't join a winxp box to my samba domain. I just have one samba server, meant to act as a PDC for domain='CHI'.
Any ideas how to troubleshoot and/or remedy?

Thanks,

Jon

Context:
------------
samba v3.3.8 on CentOS v5.5, using ldapsam backend. Domainname ='CHI'.
smbldap-tools v0.9.6.
I 'populated' the ldap with 'smbldap-populate'.

I try to join the winxp box, authenticating to the domain as user 'jdetert', which is a member of the 'Administrators' group:
# smbldap-groupshow Administrators
dn: cn=Administrators,ou=Groups,dc=infinityhealthcare,dc=com
objectClass: top,posixGroup,sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer/sambaDomainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators
memberUid: jdetert,root

What happens:
----------------------
a failure dialog window pops up on the winxp box with this message:
'The following error occurred attempting to join the domain "CHI":
The user name could not be found.'

And here are the interesting bits (as far as I can tell) from the samba logs:

<log.smb>
[2011/02/21 14:32:07, 2] lib/smbldap_util.c:smbldap_search_domain_info(277)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=CHI))]
[2011/02/21 14:32:07, 2] lib/smbldap.c:smbldap_open_connection(856)
  smbldap_open_connection: connection opened
[2011/02/21 14:32:07, 3] lib/smbldap.c:smbldap_connect_system(1067)
  ldap_connect_system: successful connection to the LDAP server
[2011/02/21 14:32:07, 4] lib/smbldap.c:smbldap_open(1143)
  The LDAP server is successfully connected
..
[2011/02/21 14:32:07, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
  ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(gidNumber=0))
...
[2011/02/21 14:32:07, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
  ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-545))
...
[2011/02/21 14:32:07, 3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-21-3685928793-4148883033-3314734756-500]
...

<[2011/02/21 14:32:07, 3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-21-3685928793-4148883033-3314734756-501]
[2011/02/21 14:32:07, 3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-21-3685928793-4148883033-3314734756-514]
[2011/02/21 14:32:07, 3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2011/02/21 14:32:07, 3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-32-546]
</log.smb>

interesting bits in the log.<clientMachineName>, where clientMachineName=testfsclient
<log.testfsclient>
[2011/02/21 14:32:22, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
  ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-545))
.... [editor's note: that's for the group 'Users'. Also couldn't find groups for S-1-5-2 ('Network'), S-1-1-0 ('Everyone'), and S-1-5-11 ('Authenticated Users').]
[2011/02/21 14:32:22, 3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-21-3685928793-4148883033-3314734756-11002]
[2011/02/21 14:32:22, 3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-21-3685928793-4148883033-3314734756-11001]
[2011/02/21 14:32:22, 3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-2]
[2011/02/21 14:32:22, 3] lib/privileges.c:get_privileges(63)
  get_privileges: No privileges assigned to SID [S-1-5-11]
.... [editor's note: the SID ending in 11002 is the user 'jdetert' that attempted to join the machine, and the SID ending in 11001 is jdetert's primary GID.]
[2011/02/21 14:32:22, 4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1519)
  ldapsam_getsampwnam: Unable to locate user [TESTFSCLIENT$] count=0
.... [editor's note: 'TESTFSCLIENT' is the name of the machine I was trying to join.]
[2011/02/21 14:32:22, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
  ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(|(displayName=TESTFSCLIENT$)(cn=TESTFSCLIENT$)))
....
[2011/02/21 14:32:22, 0] passdb/pdb_interface.c:pdb_default_create_user(342)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w -c "Workstation (testfsclient$)" "testfsclient$"' gave 9
[2011/02/21 14:32:22, 3] passdb/pdb_interface.c:pdb_default_create_user(359)
  pdb_default_create_user: failed to create a new user structure: NT_STATUS_NO_SUCH_USER
</log.testfsclient>

I assume that the 'group not found' log entries are not significant, and that '9' was the return code from smbldap-useradd.

Anyone know what return code 9 means?
Anyone have ideas how to remedy this problem?

Thanks,

Jon
Mike Brady
2011-Feb-21 22:15 UTC
[Samba] problem joining WinXP machine to samba PDC+LDAP environment
Quoting Jon Detert <jdetert at infinityhealthcare.com>:

> Hello,
>
> I can't join a winxp box to my samba domain. I just have one samba
> server, meant to act as a PDC for domain='CHI'.
> Any ideas how to troubleshoot and/or remedy?
>
> Thanks,
>
> Jon
>
> Context:
> ------------
> samba v3.3.8 on CentOS v5.5, using ldapsam backend. Domainname ='CHI'.
> smbldap-tools v0.9.6.
> I 'populated' the ldap with 'smbldap-populate'.
>
> I try to join the winxp box, authenticating to the domain as user
> 'jdetert', which is a member of the 'Administrators' group:
> # smbldap-groupshow Administrators
> dn: cn=Administrators,ou=Groups,dc=infinityhealthcare,dc=com
> objectClass: top,posixGroup,sambaGroupMapping
> gidNumber: 544
> cn: Administrators
> description: Netbios Domain Members can fully administer the
> computer/sambaDomainName
> sambaSID: S-1-5-32-544
> sambaGroupType: 5
> displayName: Administrators
> memberUid: jdetert,root
>
> What happens:
> ----------------------
> a failure dialog window pops up on the winxp box with this message:
> 'The following error occurred attempting to join the domain "CHI":
> The user name could not be found.'
>
> And here are the interesting bits (as far as I can tell) from the samba logs:
>
> <log.smb>
> [2011/02/21 14:32:07, 2] lib/smbldap_util.c:smbldap_search_domain_info(277)
> smbldap_search_domain_info: Searching
> for:[(&(objectClass=sambaDomain)(sambaDomainName=CHI))]
> [2011/02/21 14:32:07, 2] lib/smbldap.c:smbldap_open_connection(856)
> smbldap_open_connection: connection opened
> [2011/02/21 14:32:07, 3] lib/smbldap.c:smbldap_connect_system(1067)
> ldap_connect_system: successful connection to the LDAP server
> [2011/02/21 14:32:07, 4] lib/smbldap.c:smbldap_open(1143)
> The LDAP server is successfully connected
> ..
> [2011/02/21 14:32:07, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
> ldapsam_getgroup: Did not find group, filter was
> (&(objectClass=sambaGroupMapping)(gidNumber=0))
> ...
> [2011/02/21 14:32:07, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
> ldapsam_getgroup: Did not find group, filter was
> (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-545))
> ...
> [2011/02/21 14:32:07, 3] lib/privileges.c:get_privileges(63)
> get_privileges: No privileges assigned to SID
> [S-1-5-21-3685928793-4148883033-3314734756-500]
> ...
>
> <[2011/02/21 14:32:07, 3] lib/privileges.c:get_privileges(63)
> get_privileges: No privileges assigned to SID
> [S-1-5-21-3685928793-4148883033-3314734756-501]
> [2011/02/21 14:32:07, 3] lib/privileges.c:get_privileges(63)
> get_privileges: No privileges assigned to SID
> [S-1-5-21-3685928793-4148883033-3314734756-514]
> [2011/02/21 14:32:07, 3] lib/privileges.c:get_privileges(63)
> get_privileges: No privileges assigned to SID [S-1-5-2]
> [2011/02/21 14:32:07, 3] lib/privileges.c:get_privileges(63)
> get_privileges: No privileges assigned to SID [S-1-5-32-546]
> </log.smb>
>
> interesting bits in the log.<clientMachineName>, where
> clientMachineName=testfsclient
> <log.testfsclient>
> [2011/02/21 14:32:22, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
> ldapsam_getgroup: Did not find group, filter was
> (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-545))
> .... [editor's note: that's for the group 'Users'. Also couldn't find
> groups for S-1-5-2 ('Network'), S-1-1-0 ('Everyone'), and S-1-5-11
> ('Authenticated Users').]
> [2011/02/21 14:32:22, 3] lib/privileges.c:get_privileges(63)
> get_privileges: No privileges assigned to SID
> [S-1-5-21-3685928793-4148883033-3314734756-11002]
> [2011/02/21 14:32:22, 3] lib/privileges.c:get_privileges(63)
> get_privileges: No privileges assigned to SID
> [S-1-5-21-3685928793-4148883033-3314734756-11001]
> [2011/02/21 14:32:22, 3] lib/privileges.c:get_privileges(63)
> get_privileges: No privileges assigned to SID [S-1-5-2]
> [2011/02/21 14:32:22, 3] lib/privileges.c:get_privileges(63)
> get_privileges: No privileges assigned to SID [S-1-5-11]
> .... [editor's note: the SID ending in 11002 is the user 'jdetert'
> that attempted to join the machine, and the SID ending in 11001 is
> jdetert's primary GID.]
> [2011/02/21 14:32:22, 4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1519)
> ldapsam_getsampwnam: Unable to locate user [TESTFSCLIENT$] count=0
> .... [editor's note: 'TESTFSCLIENT' is the name of the machine I was
> trying to join.]
> [2011/02/21 14:32:22, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2481)
> ldapsam_getgroup: Did not find group, filter was
> (&(objectClass=sambaGroupMapping)(|(displayName=TESTFSCLIENT$)(cn=TESTFSCLIENT$)))
> ....
> [2011/02/21 14:32:22, 0] passdb/pdb_interface.c:pdb_default_create_user(342)
> _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w
> -c "Workstation (testfsclient$)" "testfsclient$"' gave 9
> [2011/02/21 14:32:22, 3] passdb/pdb_interface.c:pdb_default_create_user(359)
> pdb_default_create_user: failed to create a new user structure:
> NT_STATUS_NO_SUCH_USER
> </log.testfsclient>
>
> I assume that the 'group not found' log entries are not significant,
> and that '9' was the return code from smbldap-useradd.
>
> Anyone know what return code 9 means?
> Anyone have ideas how to remedy this problem?
>
> Thanks,
>
> Jon

I am working through a similar setup at the moment.

Looking at the smbldap-useradd source, status 9 is "user must not exist in LDAP", so I assume from that that the workstation userid already exists?

I have just added a Windows 7 machine to my domain and also get "No privileges assigned to SID" messages, but no group not found messages and the domain join works for me.

Regards

Mike
Natxo Asenjo
2011-Feb-22 19:08 UTC
[Samba] problem joining WinXP machine to samba PDC+LDAP environment
On Mon, Feb 21, 2011 at 10:14 PM, Jon Detert <jdetert at infinityhealthcare.com> wrote:

> I assume that the 'group not found' log entries are not significant,
> and that '9' was the return code from smbldap-useradd.
>
> Anyone know what return code 9 means?
> Anyone have ideas how to remedy this problem?

According to http://leto.net/docs/ldap_error_code.php, it means 'reserved', which may, or may not, shed more light into this.

HTH,
--
natxo
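
An added example, not part of any message in this thread: a small Python triage script that regroups Samba 3 log entries like those in the first post and reports every external command smbd ran that returned a non-zero status, together with the NT status logged afterwards by the same function. The function names are assumptions of this example; the sample log text is copied from the first post.

```python
import re

# Log lines quoted in the first post, laid out as Samba 3 writes them:
# a "[timestamp, level] file:function(line)" header, then the message,
# which may wrap over several lines.
SAMPLE_LOG = """\
[2011/02/21 14:32:22, 4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1519)
  ldapsam_getsampwnam: Unable to locate user [TESTFSCLIENT$] count=0
[2011/02/21 14:32:22, 0] passdb/pdb_interface.c:pdb_default_create_user(342)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w
  -c "Workstation (testfsclient$)" "testfsclient$"' gave 9
[2011/02/21 14:32:22, 3] passdb/pdb_interface.c:pdb_default_create_user(359)
  pdb_default_create_user: failed to create a new user structure: NT_STATUS_NO_SUCH_USER
"""

HEADER = re.compile(r"^\[(?P<ts>[^,\]]+),\s*(?P<level>\d+)\]\s+"
                    r"(?P<src>\S+):(?P<func>\w+)\((?P<line>\d+)\)$")
SCRIPT = re.compile(r"Running the command `(?P<cmd>.*)' gave (?P<status>-?\d+)")
NT_STATUS = re.compile(r"\bNT_STATUS_[A-Z_]+\b")


def parse_entries(text):
    """Group each header line with its (possibly wrapped) message lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "level": int(m["level"]), "msg": ""})
        elif entries and line:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line).strip()
    return entries


def failed_scripts(entries):
    """Commands that returned non-zero, plus the NT status logged afterwards."""
    findings = []
    for i, e in enumerate(entries):
        m = SCRIPT.search(e["msg"])
        if not m or int(m["status"]) == 0:
            continue
        later = " ".join(x["msg"] for x in entries[i + 1:] if x["func"] == e["func"])
        nt = NT_STATUS.search(later)
        findings.append({"when": e["ts"], "command": m["cmd"],
                         "exit_status": int(m["status"]),
                         "nt_status": nt.group(0) if nt else None})
    return findings


if __name__ == "__main__":
    for finding in failed_scripts(parse_entries(SAMPLE_LOG)):
        print(finding)
```

The reported command can then be re-run by hand as root on the PDC, where the script's own error message is visible instead of only its numeric status.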