The Samba-Bugzilla – Bug 438
Domain joins broken from beta1
Last modified: 2005-02-07 09:04:58 UTC
Existing *working* infrastructure:
- Samba 3.0.0beta1, from Debian's "Sid" packages
- LDAPSAM, Samba3 schema
- OpenLDAP 2.1.22 - BDB backend, from Debian's "Sid" packages
- nss_ldap v207, from Debian's "Sid" packages
- W2k & WXP Pro clients
After upgrading from beta1 to beta2, beta3, rc1, rc2, trying to join any machine
to the domain fails with the message "user not found". This user can, however,
access the shares perfectly, and is a domain admin. Overwriting smbd/nmbd with
the ones from beta1 solves the problem.
Tested in a "clean slate" install apart from production, rc2 & co. would only
succeed with tdbsam/smbpasswd passdbs and not ldapsam. Beta1 with ldapsam works.
"privacy enhanced" 'smb.conf' below. Ask for more info if needed.
---- 8< ---- 8< -------------------------------------------------
[global]
workgroup = CNSR
server string = Servidor (%h)
;netbios name = SERVIDOR
load printers = no
; printing = bsd
; printcap name = /etc/printcap
; printing = cups
; printcap name = cups
; guest account = nobody
invalid users = root
log file = /var/log/samba/log.%m
max log size = 1000
syslog only = no
syslog = 0
security = user
encrypt passwords = true
passdb backend = ldapsam:ldap://localhost, tdbsam, guest
algorithmic rid base = 1000
ldap suffix = dc=xxxxxxxx,dc=xxx
ldap admin dn = uid=samba,ou=daemons,dc=xxx,dc=xxx
ldap delete dn = no
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap,ou=samba
ldap machine suffix = ou=machines
ldap filter = "(uid=%u)"
idmap only = no
idmap backend = winbind
ldap idmap suffix = ou=idmap,ou=samba,dc=recuerdo,dc=net
winbind use default domain = yes
idmap uid = 50000-55000
idmap gid = 50000-55000
#winbind separator = +
username map = /etc/samba/smbusers
; include = /home/samba/etc/smb.conf.%m
socket options = TCP_NODELAY
local master = yes
os level = 20
domain master = yes
preferred master = auto
wins support = no
dns proxy = no
name resolve order = lmhosts host wins bcast
; preserve case = yes
; short preserve case = yes
; unix password sync = true
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
pam password change = no
; message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &
obey pam restrictions = no
domain logons = yes
logon script = netlogon.bat
logon drive = H:
logon path = \\%L\Profiles\%u
panic action = /usr/share/samba/panic-action %d

[homes]
comment = Home Directories
browseable = no
writeable = yes
read only = no
csc policy = disable
force create mode = 0640
force directory mode = 2750

[netlogon]
comment = Network Logon Service
path = /profiles/netlogon
guest ok = yes
writable = no
share modes = no

[profiles]
comment = Directorio de perfiles
path = /profiles
browseable = no
guest ok = yes
writeable = yes
; nt acl support = no
profile acls = yes
create mask = 0600
directory mask = 0700
---- 8< ---- 8< -------------------------------------------------
Just tried RC4. Same environment.
The error is the same, "User unknown", when trying to join the domain.
Overwriting Samba-3.0.0rc4's binaries with those from beta1 makes the join
succeed at first try.
I might experience the same problem with Samba RC4 (and older versions, at
least down to RC2) on a SuSE 8.2 box in a similar configuration.
This is my "add machine script": /usr/bin/cpu useradd %u -d /dev/null -f /etc/samba/scripts/machadd.cfg -F %u -L %u -g 511 -p xxx
I've manually tested this script and it's reliably creating a functional user
with the necessary posixAccount class attached. When I do a "smbpasswd -amn" on
that user object it becomes a Samba machine account just as it should.
But when I run the "Network ID"-Wizard from the Windows XP client I get a "bad
username or password" message when Windows is at the point of actually
requesting the machine account on the DC.
Strangely, the correct posixAccount is indeed being created, Samba
simply "forgets" to add the SambaSamAccount after the script ran. This is also
what the LDAP log tells me - there are no errors at all, but the LDAP traffic
still stops right after the posixAccount user has been added.
I've also got a level 3 Samba log for the client machine. It doesn't tell me
much more, but it can be mailed on request.
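The failure mode described in the comment above (the posixAccount from the "add machine script" exists, but no sambaSamAccount is ever added) can be spotted in an LDAP export of the machine OU. The following is an added example, not code from the bug report or from Samba: it assumes an LDIF dump as input, uses a constructed sample inline, and relies on the Samba 3 schema attribute names sambaSamAccount and sambaAcctFlags.

```python
# Added example (not Samba's own code): audit an LDIF dump of the machine OU for
# half-created trust accounts, i.e. the posixAccount created by the 'add machine
# script' exists but the sambaSamAccount objectClass that Samba should add
# afterwards is missing. Attribute names follow the Samba 3 LDAP schema.
# Constructed sample: a healthy machine account, a half-created one, and a user.
SAMPLE_LDIF = """\
dn: uid=ws01$,ou=machines,dc=example,dc=net
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws01$
sambaAcctFlags: [W          ]

dn: uid=ws02$,ou=machines,dc=example,dc=net
objectClass: posixAccount
uid: ws02$

dn: uid=alice,ou=people,dc=example,dc=net
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
"""

def parse_ldif(text):
    """Minimal LDIF parser: 'attr: value' lines, one blank line between
    entries (no continuation-line folding); returns [{attr: [values]}]."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip(), []).append(value.strip())
    return entries

def half_created_machine_accounts(ldif_text):
    """DNs of trust accounts (uid ending in '$') that carry posixAccount but
    lack sambaSamAccount, or have it without the 'W' workstation flag."""
    problems = []
    for e in parse_ldif(ldif_text):
        if not e.get("uid", [""])[0].endswith("$"):
            continue  # ordinary users are out of scope
        classes = set(e.get("objectClass", []))
        if "posixAccount" in classes and "sambaSamAccount" not in classes:
            problems.append((e["dn"][0], "missing sambaSamAccount"))
        elif "W" not in e.get("sambaAcctFlags", [""])[0]:
            problems.append((e["dn"][0], "sambaAcctFlags lacks W"))
    return problems
```

Running it against a real export of ou=machines lists exactly the accounts a failed join left behind, which is what the LDAP log in the comment above shows indirectly.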
NUA domain joins broke as a result of the new schannel/kerberos stuff in Samba3
Andrew Bartlett was kind enough to explain the consequences of this and its
interaction with NUA machine accounts.
This might be relevant again when the release of Samba4 is nearer.
Please tag it as "LATER". Thanks.
domain joins work correctly. We can open another bug later if necessary.
originally reported against one of the 3.0.0rc[1-4] releases.
Cleaning up non-production versions.