From: Mikael Sundell on 31 Mar 2010 13:00

Hi all!

The problem relates to joining linux based clients to our PDC (all Samba 3.5.1 running on CentOS5). For some time Profiles, Homes, Netlogon and in general adding new Windows machines has been working fine but when we try to add a new linux client (CLIENT-FS1) to the PDC the following errors are reported:

/var/log/messages - SERVER-PDC

Mar 31 18:13:55 localhost smbd[30810]: [2010/03/31 18:13:55.650347, 0] rpc_server/srv_netlog_nt.c:475(get_md4pw)
Mar 31 18:13:55 localhost smbd[30810]: get_md4pw: Workstation CLIENT-FS1$: no account in domain
Mar 31 18:13:55 localhost smbd[30810]: [2010/03/31 18:13:55.650439, 0] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
Mar 31 18:13:55 localhost smbd[30810]: _netr_ServerAuthenticate2: failed to get machine password for account CLIENT-FS1$: NT_STATUS_ACCESS_DENIED

Domain join cmd on CLIENT-FS1:

"net rpc join -S SERVER-PDC -U root%<password>"

returns:

Joined domain NTDOMAIN

The machine is added to our LDAP directory just like the Windows machines. The following error is reported when trying to join the linux client (again) with the newly created entry:

Mar 31 18:40:12 localhost smbd[30946]: [2010/03/31 18:40:12.162514, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
Mar 31 18:40:12 localhost smbd[30946]: _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client CLIENT-FS1 machine account CLIENT-FS1$

smb.conf - SERVER-PDC

[global]
    workgroup = NTDOMAIN
    realm = NTDOMAIN.COM
    netbios name = SERVER-PDC
    server string = Domain Controller
    interfaces = lo, eth0, 192.168.222.1
    bind interfaces only = Yes
    passdb backend = ldapsam:"ldap://127.0.0.1:389"
    passwd program = /usr/sbin/smbldap-passwd %u
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
    log level = 10
    smb ports = 139
    add user script = /usr/sbin/smbldap-useradd -m "%u"
    delete user script = /usr/sbin/smbldap-userdel "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    delete group script = /usr/sbin/smbldap-groupdel "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
    add machine script = /usr/sbin/smbldap-useradd -w "%u"
    logon path = \\%L\Profiles\%u
    domain logons = Yes
    domain master = Yes
    wins proxy = Yes
    wins support = Yes
    ldap admin dn = cn=Manager,dc=ntdomain,dc=com
    ldap delete dn = Yes
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Users
    ldap machine suffix = ou=Computers
    ldap suffix = dc=ntdomain,dc=com
    ldap ssl = no
    ldap user suffix = ou=Users
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    winbind enum users = Yes
    winbind enum groups = Yes
    hosts allow = 127., 192.168.222.
    cups options = raw

[homes]
    comment = Home Directories
    read only = No
    create mask = 0700
    force create mode = 0700
    directory mask = 0700
    force directory mode = 0700
    browseable = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No

[netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    guest ok = Yes
    share modes = No

[Profiles]
    path = /var/lib/samba/profiles
    read only = No
    create mask = 0600
    directory mask = 0700
    guest ok = Yes
    profile acls = Yes
    browseable = No
    csc policy = disable

Please tell if more information is needed,

Thanks,
Mikael
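
Added example, not part of the original post: a Python sketch that pairs smbd's two-line syslog entries (a source-location line followed by a message line) from the log excerpt above and groups the netlogon failures by machine account. The function names and reason labels are assumptions made for illustration; the sample log is constructed from the lines quoted in the post.

```python
import re

# Constructed sample: the smbd entries quoted in the post, one syslog line each.
SAMPLE_LOG = """\
Mar 31 18:13:55 localhost smbd[30810]: [2010/03/31 18:13:55.650347, 0] rpc_server/srv_netlog_nt.c:475(get_md4pw)
Mar 31 18:13:55 localhost smbd[30810]: get_md4pw: Workstation CLIENT-FS1$: no account in domain
Mar 31 18:13:55 localhost smbd[30810]: [2010/03/31 18:13:55.650439, 0] rpc_server/srv_netlog_nt.c:692(_netr_ServerAuthenticate3)
Mar 31 18:13:55 localhost smbd[30810]: _netr_ServerAuthenticate2: failed to get machine password for account CLIENT-FS1$: NT_STATUS_ACCESS_DENIED
Mar 31 18:40:12 localhost smbd[30946]: [2010/03/31 18:40:12.162514, 0] rpc_server/srv_netlog_nt.c:714(_netr_ServerAuthenticate3)
Mar 31 18:40:12 localhost smbd[30946]: _netr_ServerAuthenticate2: netlogon_creds_server_check failed. Rejecting auth request from client CLIENT-FS1 machine account CLIENT-FS1$
"""

# First line of an smbd entry: [timestamp, debuglevel] source.c:line(function)
HEADER = re.compile(r"smbd\[(?P<pid>\d+)\]:\s+\[(?P<ts>[\d/]+ [\d:.]+),\s*\d+\]"
                    r"\s+(?P<src>\S+?):(?P<line>\d+)\((?P<func>\w+)\)")
BODY = re.compile(r"smbd\[(?P<pid>\d+)\]:\s+(?P<msg>.*)$")
ACCOUNT = re.compile(r"(?:Workstation|account)\s+(?P<acct>[^\s:]+\$)")

# Labels are hypothetical names chosen for this example, not Samba terminology.
REASONS = {
    "no account in domain": "machine_account_missing",
    "failed to get machine password": "machine_password_unavailable",
    "netlogon_creds_server_check failed": "credential_check_failed",
}

def parse_events(text):
    """Pair each header line with the message line that follows it, per smbd PID."""
    events, pending = [], {}
    for raw in text.splitlines():
        h = HEADER.search(raw)
        if h:
            pending[h["pid"]] = h.groupdict()
            continue
        b = BODY.search(raw)
        if b and b["pid"] in pending:
            events.append(dict(pending.pop(b["pid"]), msg=b["msg"].strip()))
    return events

def netlogon_failures(events):
    """Group recognised netlogon failures by machine account name."""
    out = {}
    for ev in events:
        acct = ACCOUNT.search(ev["msg"])
        for needle, label in REASONS.items():
            if acct and needle in ev["msg"]:
                out.setdefault(acct["acct"], []).append((ev["ts"], ev["func"], label))
    return out

if __name__ == "__main__":
    for account, hits in netlogon_failures(parse_events(SAMPLE_LOG)).items():
        print(account, hits)
```

Separating the "no account" case from the credential-check case distinguishes the two stages reported in the post: the first attempt fails because no machine account exists, the second because the stored credentials do not match.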