Samba + LDAP (trouble with domain join)

Message

ploem · Post by **ploem** » Mon Sep 06, 2004 11:40 am

Ok, I'm at my wits end. I've spend hours trying to figure this out, no results.
I'm trying to setup samba and ldap to act as a PDC using samba-3.0.5 and openldap-2.1.30-r1.
Ldap is working fine. I can add users, search, list, etc. Samba also seems to work fine. The trouble is, I can't join computers to the domain. When I try to join from the server I get the following result:

Code: Select all

# net rpc join -U Administrator
Password:

Create of workstation account failed
User specified does not have administrator privileges
Unable to join domain IENBI.

The user Administrator does exist (some of the less interesting lines removed):

Code: Select all

# smbldap-usershow Administrator

dn: uid=Administrator,ou=People,dc=mydomain,dc=nl
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson,sambaSAMAccount,posixAccount,shadowAccount
gidNumber: 512
uid: Administrator
sambaPrimaryGroupSID: S-1-5-21-2196064246-2337432505-1058958737-512
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaSID: S-1-5-21-2196064246-2337432505-1058958737-1000
uidNumber: 0
sambaAcctFlags: [U          ]
sambaLMPassword: <removed>
sambaNTPassword: <removed>
userPassword: {MD5}<removed>

/etc/ldap.conf

Code: Select all

#/etc/ldap.conf
host 127.0.0.1
base dc=mydomain,dc=nl
pam_password exop
rootbinddn cn=Manager,dc=mydomain,dc=nl

nss_base_passwd dc=mydomain,dc=nl?one
nss_base_shadow dc=mydomain,dc=nl?one
nss_base_group  ou=Groups,dc=mydomain,dc=nl?one

/etc/samba/smb.conf

Code: Select all

#/etc/samba/smb.conf
workgroup = IENBI
netbios name = IENBIPDC
security = user
map to guest = Bad User
smb passwd file = /etc/samba/private/smbpasswd
obey pam restrictions = Yes
passdb backend = ldapsam:ldap://127.0.0.1
username map = /etc/samba/smbusers
log file = /var/log/samba3/log.%m
max log size = 50
log level = 256
time server = Yes
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
passwd program = /usr/local/sbin/smbldap-passwd '%u'
add user script = /usr/local/sbin/smbldap-useradd -a -m '%u'
delete user script = /usr/local/sbin/smbldap-userdel '%u'
add group script = /usr/local/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/local/sbin/smbldap-groupdel '%g'
add user to group script = /usr/local/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/local/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/local/sbin/smbldap-usermod -g '%g' '%u'
add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
logon script = logon.bat
logon path = \\%L\profiles\%U
logon drive = h:
logon home = \\%L\%U\.profile
domain logons = Yes
os level = 33
domain master = Yes
dns proxy = No
local master = Yes
preferred master = Yes
wins support = Yes
ldap suffix = dc=mydomain,dc=nl
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap admin dn = cn=Manager,dc=mydomain,dc=nl
ldap ssl = no
ldap passwd sync = Yes
ldap idmap suffix = ou=Idmap
idmap backend = ldap:ldap://127.0.0.1
idmap uid = 10000-20000
idmap gid = 10000-20000
hosts allow = 195.169., 127.
map acl inherit = Yes

Does anybody have any idea why this doesn't work? It looks like Administrator doesn't have the rights to add machines to the domain, but I have no idea where I can change this.

ploem · Post by **ploem** » Mon Sep 06, 2004 12:37 pm

Ok, nevermind. Looks like it's solved. Some stupid thing with a non-existent module in /etc/pam.d/samba. I don't remember when and why I added that pam_pwdb module.. but it didn't exist.
It works now.

bruor · Post by **bruor** » Mon Jan 23, 2006 9:23 pm

any other ideas why this might not be working ? i am getting the same thing after following the samba openldap guide at teh gentoo wiki

the account actually gets created but i cannot join the domain with a user not found error on a windows box

in linux i get
Creation of workstation account failed
Unable to join domain TECHGEEKS.

thedd · Post by **thedd** » Thu Feb 02, 2006 7:24 pm

bruor wrote:any other ideas why this might not be working ? i am getting the same thing after following the samba openldap guide at teh gentoo wiki

the account actually gets created but i cannot join the domain with a user not found error on a windows box

in linux i get
Creation of workstation account failed
Unable to join domain TECHGEEKS.

that is excatly the same kind of error I get.
when I google I see alot of questions on this subject, but never an answer.
I get "Creation of workstation account failed" but the workstation is indeed created..