Existing *working* infrastructure:

- Samba 3.0.0beta1, from Debian's "Sid" packages
- LDAPSAM, Samba3 schema
- OpenLDAP 2.1.22
- BDB backend, from Debian's "Sid" packages
- nss_ldap v207, from Debian's "Sid" packages
- W2k & WXP Pro clients

After upgrading from beta1 to beta2, beta3, rc1, rc2, trying to join any machine to the domain fails with the message "user not found". This user can, however, access the shares perfectly, and is a domain admin. Overwriting smbd/nmbd with the ones from beta1 solves the problem.

Tested in a "clean slate" install apart from production, rc2 & co. would only succeed with tdbsam/smbpasswd passdbs and not ldapsam. Beta1 with ldapsam works.

"privacy enhanced" 'smb.conf' below. Ask for more info if needed. TIA

---- 8< ---- 8< -------------------------------------------------
[global]
workgroup = CNSR
server string = Servidor (%h)
;netbios name = SERVIDOR
load printers = no
; printing = bsd
; printcap name = /etc/printcap
; printing = cups
; printcap name = cups
; guest account = nobody
invalid users = root
log file = /var/log/samba/log.%m
max log size = 1000
syslog only = no
syslog = 0
security = user
encrypt passwords = true
passdb backend = ldapsam:ldap://localhost, tdbsam, guest
algorithmic rid base = 1000
ldap suffix = dc=xxxxxxxx,dc=xxx
ldap admin dn = uid=samba,ou=daemons,dc=xxx,dc=xxx
ldap delete dn = no
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap,ou=samba
ldap machine suffix = ou=machines
ldap filter = "(uid=%u)"
idmap only = no
idmap backend = winbind
ldap idmap suffix = ou=idmap,ou=samba,dc=recuerdo,dc=net
winbind use default domain = yes
idmap uid = 50000-55000
idmap gid = 50000-55000
#winbind separator = +
username map = /etc/samba/smbusers
; include = /home/samba/etc/smb.conf.%m
socket options = TCP_NODELAY
local master = yes
os level = 20
domain master = yes
preferred master = auto
wins support = no
dns proxy = no
name resolve order = lmhosts host wins bcast
; preserve case = yes
; short preserve case = yes
; unix password sync = true
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
pam password change = no
; message command = /bin/sh -c '/usr/bin/linpopup "%f" "%m" %s; rm %s' &
obey pam restrictions = no
domain logons = yes
logon script = netlogon.bat
logon drive = H:
logon path = \\%L\Profiles\%u
panic action = /usr/share/samba/panic-action %d

[homes]
comment = Home Directories
browseable = no
writeable = yes
read only = no
csc policy = disable
force create mode = 0640
force directory mode = 2750

[netlogon]
comment = Network Logon Service
path = /profiles/netlogon
guest ok = yes
writable = no
share modes = no

[Profiles]
comment = Directorio de perfiles
path = /profiles
browseable = no
guest ok = yes
writeable = yes
; nt acl support = no
profile acls = yes
create mask = 0600
directory mask = 0700
Just tried RC4. Same environment. The error is the same, "User unknown", when trying to join the domain. Overwriting Samba-3.0.0rc4's binaries with those from beta1 makes the join succeed at first try.
I might experience the same problem with Samba RC4 (and older versions, at least down to RC2) on a SuSE 8.2 box in a similar configuration.

This is my "add machine script":

/usr/bin/cpu useradd %u -d /dev/null -f /etc/samba/scripts/machadd.cfg -F %u -L %u -g 511 -p xxx

I've manually tested this script and it's reliably creating a functional user with the necessary posixAccount class attached. When I do a "smbpasswd -amn" on that user object it becomes a Samba machine account just as it should. But when I run the "Network ID"-Wizard from the Windows XP client I get a "bad username or password" message when Windows is at the point of actually requesting the machine account on the DC.

Strangely, the correct posixAccount is indeed being created, Samba simply "forgets" to add the SambaSamAccount after the script ran. This is also what the LDAP log tells me - there are no errors at all, but the LDAP traffic still stops right after the posixAccount user has been added.

I've also got a level 3 Samba log for the client machine. It doesn't tell me much more, but it can be mailed on request.
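Added example, not part of the comment above and not Samba project code: one way to confirm the half-created state it describes is to scan an LDIF export of the machine suffix for entries that carry posixAccount but no sambaSamAccount. The function names, the `dc=example,dc=org` DNs and the sample LDIF are constructed for illustration; machine accounts are identified by a uid ending in `$`.

```python
import base64

# Constructed sample, shaped like `ldapsearch -LLL` output for two machine entries.
SAMPLE_LDIF = """\
dn: uid=ws01$,ou=machines,dc=example,dc=org
objectClass: posixAccount
uid: ws01$

dn: uid=ws02$,ou=machines,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
uid:: d3MwMiQ=
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-
 101002
"""

def parse_ldif(text):
    """Yield one {lowercased attribute: [values]} dict per LDIF entry."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]       # RFC 2849 folded continuation line
        else:
            unfolded.append(line)
    entry = {}
    for line in unfolded + [""]:           # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                yield entry
            entry = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):          # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(attr.lower(), []).append(value.strip())

def half_created_machines(text):
    """DNs of machine accounts that have posixAccount but lack sambaSamAccount."""
    bad = []
    for e in parse_ldif(text):
        classes = {c.lower() for c in e.get("objectclass", [])}
        is_machine = any(u.endswith("$") for u in e.get("uid", []))
        if is_machine and "posixaccount" in classes and "sambasamaccount" not in classes:
            bad.append(e["dn"][0])
    return bad

if __name__ == "__main__":
    print(half_created_machines(SAMPLE_LDIF))
```

Running it after a failed join attempt shows whether the add machine script ran and the Samba attributes were never written, as opposed to the entry not being created at all.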
NUA domain joins broke as a result of the new schannel/kerberos stuff in Samba3. Andrew Bartlett was kind enough to explain the consequences of this and its interaction with NUA machine accounts. This might be relevant again when the release of Samba4 is nearer. Please tag it as "LATER". Thanks.
Domain joins work correctly. We can open another bug later if necessary.
Originally reported against one of the 3.0.0rc[1-4] releases. Cleaning up non-production versions.