Bug 438 - Domain joins broken from beta1
Domain joins broken from beta1
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control
All Linux
: P2 major
: none
Assigned To: Gerald (Jerry) Carter
Depends on:
  Show dependency treegraph
Reported: 2003-09-11 10:44 UTC by José Luis Tallón
Modified: 2005-02-07 09:04 UTC (History)
0 users

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description José Luis Tallón 2003-09-11 10:44:58 UTC
Existing *working* infrastructure:
 - Samba 3.0.0beta1, from Debian's "Sid" packages
 - LDAPSAM, Samba3 schema
 - OpenLDAP 2.1.22 - BDB backend, from Debian's "Sid" packages
 - nss_ldap v207, from Debian's "Sid" packages
 - W2k & WXP Pro clients

After upgrading from beta1 to beta2, beta3, rc1, rc2, trying to join any machine 
to the domain fails with the message "user not found". This user can, however, 
access the shares perfectly, and is a domain admin. Overwriting smbd/nmbd with 
the ones from beta1 solves the problem.

Tested in a "clean slate" install apart from production, rc2 & co. would only 
succeed with tdbsam/smbpasswd passdbs and not ldapsam. Beta1 with ldapsam works.

"privacy enhanced" 'smb.conf' below. Ask for more info if needed.

---- 8< ---- 8< -------------------------------------------------

workgroup = CNSR
server string = Servidor (%h)
;netbios name = SERVIDOR

load printers = no
; printing = bsd
; printcap name = /etc/printcap
;   printing = cups
;   printcap name = cups
;   guest account = nobody
invalid users = root

log file = /var/log/samba/log.%m
max log size = 1000
syslog only = no
syslog = 0

security = user
encrypt passwords = true
passdb backend = ldapsam:ldap://localhost, tdbsam, guest
algorithmic rid base = 1000
ldap suffix = dc=xxxxxxxx,dc=xxx
ldap admin dn = uid=samba,ou=daemons,dc=xxx,dc=xxx
ldap delete dn = no
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap,ou=samba
ldap machine suffix = ou=machines
ldap filter = "(uid=%u)"
idmap only = no
idmap backend = winbind
ldap idmap suffix = ou=idmap,ou=samba,dc=recuerdo,dc=net
winbind use default domain = yes
idmap uid = 50000-55000
idmap gid = 50000-55000
#winbind separator = +
username map = /etc/samba/smbusers
;   include = /home/samba/etc/smb.conf.%m

socket options = TCP_NODELAY
local master = yes
os level = 20
domain master = yes
preferred master = auto
wins support = no
dns proxy = no
name resolve order = lmhosts host wins bcast
;   preserve case = yes
;   short preserve case = yes
; unix password sync = true
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword
:* %n\n .
pam password change = no
;   message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &
obey pam restrictions = no

domain logons = yes
logon script = netlogon.bat
logon drive = H:
logon path = \\%L\Profiles\%u

panic action = /usr/share/samba/panic-action %d

   comment = Home Directories
   browseable = no
   writeable = yes
   read only = no
   csc policy = disable
   force create mode = 0640
   force directory mode = 2750

   comment = Network Logon Service
   path = /profiles/netlogon
   guest ok = yes
   writable = no
   share modes = no

    comment = Directorio de perfiles
    path = /profiles
    browseable = no
    guest ok = yes
    writeable = yes
;    nt acl support = no
    profile acls = yes
    create mask = 0600
    directory mask = 0700
Comment 1 José Luis Tallón 2003-09-15 08:32:09 UTC
Just tried RC4. Same environment.
The error is the same, "User unknown", when trying to join the domain.

Overwriting Samba-3.0.0rc4's binaries with those from beta1 makes the join 
succeed at first try.
Comment 2 Ulf Dettmer 2003-09-16 02:31:45 UTC
I might experience the same problem with Samba RC4 ( and older versions, at 
least down to RC2 ) on a SuSE 8.2 box in a similar configuration.
This is my "add machine script": /usr/bin/cpu useradd %u -d /dev/null -
f /etc/samba/scripts/machadd.cfg -F %u -L %u -g 511 -p xxx
I've manually tested this script and it's reliably creating a functional user 
with the necessary posixAccount class attached. When I do a "smbpasswd -amn" on 
that user object it becomes a Samba machine account just as it should.
But when I run the "Network ID"-Wizard from the Windows XP client I get a "bad 
username or password" message when Windows is at the point of actually 
requesting the machine account on the DC.
Strangely, the correct posixAccount is indeed being created, Samba 
simply "forgets" to add the SambaSamAccount after the script ran. This is also 
what the LDAP log tells me - there are no errors at all, but the LDAP traffic 
still stops right after the posixAccount user has been added.
I've also got a level 3 Samba log for the client machine. It doesn't tell me 
much more, but it can be mailed on request.
Comment 3 José Luis Tallón 2003-09-17 15:56:20 UTC
NUA domain joins broke as a result of the new schannel/kerberos stuff in Samba3
Andrew Bartlett was kind enough to explain the consequences of this and its 
interaction with NUA machine accounts.

This might be relevant again when the release of Samba4 is nearer.

Please tag it as "LATER". Thanks.
Comment 4 Gerald (Jerry) Carter 2003-09-22 12:19:31 UTC
domain jo9ins work correctly.  We can open another bug later if necessary
Comment 5 Gerald (Jerry) Carter 2005-02-07 09:04:58 UTC
originally reported against one of the 3.0.0rc[1-4] releases.
Cleaning up non-production versions.