Can't join Domain PDC

Hi,

I'm a new user and have a critical issue with samba+ldap.

I am following this tutorial: http://digiplan.eu.org/ldap-samba-howto-v4.html

my smb.conf:

# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.
[global]
        workgroup = comdesk
        passdb backend = ldapsam:ldap://localhost
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        include = /etc/samba/dhcp.conf
        logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
        domain logons = Yes
        domain master = Yes
        local master = Yes
        os level = 65
        preferred master = Yes
        security = user
        wins support = Yes
        idmap backend = ldap:ldap://localhost
        ldap admin dn = cn=Administrator,dc=comdesk,dc=local
        ldap delete dn = No
        ldap group suffix = ou=group
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=Machines
        ldap passwd sync = Yes
        ldap replication sleep = 1000
        ldap ssl = Start_tls
        ldap suffix = dc=comdesk,dc=local
        ldap timeout = 5
        ldap user suffix = ou=people
        netbios name = srvcomdesk
[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes
[profiles]
        comment = Network Profiles Service
        path = %H
        read only = No
        store dos attributes = Yes
        create mask = 0600
        directory mask = 0700
[users]
        comment = All users
        path = /home
        read only = No
        inherit acls = Yes
        veto files = /aquota.user/groups/shares/
[groups]
        comment = All groups
        path = /home/groups
        read only = No
        inherit acls = Yes
[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No
[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @ntadmin root
        force group = ntadmin
        create mask = 0664
        directory mask = 0775


[netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        write list = root




In client registry I added DWORD:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Parameters]
"DomainCompatibilityMode"=dword:00000001
"DNSNameResolutionRequired"=dword:00000000

When I try to join the domain, it returns an error and cannot join.

The messages in /var/log/samba/log.smbd:

[2016/07/18 16:10:51.426923,  0] ../source3/passdb/pdb_interface.c:489(pdb_default_create_user)
  _samr_create_user: Running the command `/usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false marcelo$' gave 83

I have tried several solutions since last week and nothing works.

Thanks,

Marcelo Costa
Porto Alegre, Brazil

Hello Marcelo,

Before anything else, I need clarification on what you are trying to do.

Skimming your reference, it looks like a description of how to set up a brand new LDAP Domain.

Is this what you are trying to do, or are you attempting to join an existing LDAP or AD Domain?

Also, you will need to identify whether your Domain Server is Windows or Linux, and whether your client is Windows or Linux, to better understand if you are configuring the Windows Registry correctly.

TSU

Hello Tsu,

I want to create a new PDC server with openSUSE Leap 42.1.
My clients are Windows 10.

I need LDAP to integrate with other services (Owncloud, Squid, etc.).

My PDC server has been configured, but I cannot join this domain.

Messages in /var/log/samba/log.smbd:

[2016/07/18 16:10:51.426923,  0] ../source3/passdb/pdb_interface.c:489(pdb_default_create_user)
  _samr_create_user: Running the command `/usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false marcelo$' gave 83

Thanks,
Marcelo Costa

What is your existing Domain, an Active Directory or LDAP or something else?

TSU

PDC with LDAP, configured by YAST on OpenSuse Leap.

OK,
I still don't know where your posted Windows Registry setting enters the picture, since I think you are saying that your existing LDAP Domain was set up initially on an openSUSE using YaST (which would result in an LDAP Domain with only one PDC), and now you might be trying to add another openSUSE as another DC?

If you already have a DC, and particularly if it's set up on openSUSE, have you considered simply running YaST on your new openSUSE and setting up an LDAP replica server?

It looks like the SDB for LDAP was recently updated to describe setting up <only> on Leap (it seems the decision to update the content also included removing everything related to 13.2, TW and other earlier openSUSE releases).

https://en.opensuse.org/SDB:LDAP_server

TSU

Hi Tsu,

Sorry... English is not my native language and maybe I have not been able to explain it better.

I want a samba file server with authentication for my network. AD (Active Directory) is an excellent option, but it is not native on openSUSE, so I chose the PDC (Primary Domain Controller). When I have a samba PDC, the Windows registry setting is mandatory on the Windows machines (workstations), making it possible to join the workstation (Windows) to the samba server (openSUSE). The error happens at this stage!

LDAP is necessary for me, because the samba users will be connected with other applications (squid, owncloud, etc.).

Thanks,
Marcelo Costa

I understand what you are doing now.

You have created an NT4-style SAMBA Domain (we're assuming you've created it correctly) on an openSUSE, and now you are attempting to add a Windows host (you didn't describe the Windows OS, which might be important). Your mentioning LDAP threw me, because personally I think of NT4 technology as <not> LDAP, although the SAMBA documentation is not so clear, suggesting that a SAMBA NT4-style Domain is simply an LDAP compatibility setting... But no matter, since I think I see what you are doing clearly now.

First, although I think you're probably doing things correctly for the most part, let me provide you with links to the official SAMBA documentation relevant to what you are doing.

The SAMBA NT4 Quickstart
https://wiki.samba.org/index.php/Samba_NT4_PDC_quickstart

Adding a Windows machine to a SAMBA Domain (basic info)
https://wiki.samba.org/index.php/Joining_a_Windows_host_to_a_domain

Additional required settings for adding Windows clients to an NT4-style SAMBA Domain
https://wiki.samba.org/index.php/Required_settings_for_NT4-style_domains

Note that the above documentation is largely in English, but the base info for adding Windows clients has plenty of pictures/screenshots. Links to documentation in other languages are at https://www.samba.org/samba/docs/

Now for addressing your specific problem.
The error you posted from log.smbd clearly says that a SAMBA User account was not created, but your log snippet doesn't include how/when this happened (a hint would be the log entries immediately preceding).

But no problem. Follow the instructions in the first link above to manually create a User. The following link will take you directly to the steps which should solve your problem. The User can also be added using YaST > User Management. After that SAMBA User account is created, you can use it when you add or log in with SAMBA client machines.

https://wiki.samba.org/index.php/Samba_NT4_PDC_quickstart#User_creation

TSU
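As an added example (not code from the thread, from the tutorial linked in the first post, or from the Samba project), the following script checks the two artifacts a practitioner would look at first when a join fails with this log line: it parses an smb.conf and verifies the [global] settings the NT4 PDC quickstart depends on, and it pulls the failing command and its exit code out of the `_samr_create_user` log entry. The smb.conf excerpt and the log line are constructed copies of what was posted above, not the full file. The list of required settings, and the warning that pairs an `ldapsam` backend with a local `useradd` machine script (the ldapsam setups in the Samba documentation create machine trust accounts in LDAP with `smbldap-useradd -w`), are this example's assumptions; the `set_global` helper is hypothetical and exists only so the corrected setting can be tried against the same checker.

```python
import re

# Constructed excerpt of the smb.conf posted in the thread (abbreviated).
SMB_CONF = """\
[global]
        workgroup = comdesk
        passdb backend = ldapsam:ldap://localhost
        add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false %m$
        domain logons = Yes
        domain master = Yes
        security = user
        ldap suffix = dc=comdesk,dc=local
        ldap machine suffix = ou=Machines
[netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
"""

# Constructed copy of the log.smbd line from the thread.
LOG_LINE = ("  _samr_create_user: Running the command `/usr/sbin/useradd -c Machine "
            "-d /var/lib/nobody -s /bin/false marcelo$' gave 83")

# Assumed minimum [global] settings for an NT4-style PDC (adapt to your site).
REQUIRED_GLOBAL = {
    "domain logons": "yes",
    "domain master": "yes",
    "security": "user",
}

# Assumed replacement for ldapsam deployments using smbldap-tools.
LDAP_MACHINE_SCRIPT = "/usr/sbin/smbldap-useradd -w %u"


def parse_smb_conf(text):
    """Return {section: {key: value}} with keys lower-cased, comments skipped."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def set_global(text, key, value):
    """Hypothetical helper: rewrite one 'key = value' line inside [global]."""
    pattern = re.compile(r"^(\s*)%s\s*=.*$" % re.escape(key), re.MULTILINE)
    return pattern.sub(lambda m: f"{m.group(1)}{key} = {value}", text, count=1)


def check_pdc_config(conf):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    g = conf.get("global", {})
    for key, want in REQUIRED_GLOBAL.items():
        have = g.get(key, "").lower()
        if have != want:
            findings.append(f"global: expected '{key} = {want}', found '{have or '<unset>'}'")
    if "netlogon" not in conf:
        findings.append("missing [netlogon] share (domain logons need it)")
    script = g.get("add machine script", "")
    backend = g.get("passdb backend", "")
    if not script:
        findings.append("global: 'add machine script' is unset; joins cannot create machine trust accounts")
    elif "%m$" not in script and "%u" not in script:
        findings.append("global: 'add machine script' does not receive the machine account name (%u or %m$)")
    # Assumption: with ldapsam the machine account should be created in LDAP, not /etc/passwd.
    if backend.startswith("ldapsam") and "useradd" in script and "smbldap" not in script:
        findings.append("global: passdb backend is ldapsam but 'add machine script' calls the local "
                        "useradd; ldapsam setups normally use smbldap-useradd -w to create the account in LDAP")
    return findings


LOG_RE = re.compile(r"Running the command `(?P<cmd>[^']*)' gave (?P<rc>\d+)")


def parse_create_user_error(line):
    """Extract command, exit code and the account name from a _samr_create_user log line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    cmd = m.group("cmd")
    return {"command": cmd, "exit_code": int(m.group("rc")), "account": cmd.split()[-1]}


if __name__ == "__main__":
    for f in check_pdc_config(parse_smb_conf(SMB_CONF)):
        print("finding:", f)
    print("log:", parse_create_user_error(LOG_LINE))
    fixed = set_global(SMB_CONF, "add machine script", LDAP_MACHINE_SCRIPT)
    print("after fix:", check_pdc_config(parse_smb_conf(fixed)) or "no findings")
```

Run it against your real smb.conf by replacing the constructed `SMB_CONF` with the file contents (or `testparm -s` output, which normalises the file); the exit code it extracts is what `useradd` returned, so the next step is to run that exact command by hand as root and read its error message.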