Creating PDC in samba

Hi,
I want to have one opensuse 11.2 machine as PDC for other opensuse 11.2 and windows 7 machines.

So I set up dnsmasq as DHCP, DNS server.
I’ve created LDAP server and LDAP users (LDAP authentication from other machines works).
In the Samba Server section in Yast I’ve created PDC and filled netbios name and checked that it should be WINS server also. And filled LDAP stuff.
I’ve granted privileges to one user to add machines to domain.

Now when I try to join this domain from other machines, I’m getting NT_STATUS_ACCESS_DENIED for both root and user with granted privileges. In log.smbd there is something about NT_STATUS_NO_TRUST_SAM_ACCOUNT.

When I fill also LDAP stuff on client computer machine and sambaDomainName is added to LDAP, but still ACCESS_DENIED is returned.

Did I miss some steps?
What is the right user for adding stuff to domain?

On Tue December 8 2009 08:06 am, mjakl wrote:

>
> Hi,
> I want to have one opensuse 11.2 machine as PDC for other opensuse 11.2
> and windows 7 machines.
>
> So I set up dnsmasq as DHCP, DNS server.
> I’ve created LDAP server and LDAP users (LDAP authentication from other
> machines works).
> In the Samba Server section in Yast I’ve created PDC and filled netbios
> name and checked that it should be WINS server also. And filled LDAP
> stuff.
> I’ve granted privileges to one user to add machines to domain.
>
> Now when I try to join this domain from other machines, I’m getting
> NT_STATUS_ACCESS_DENIED for both root and user with granted privileges.
> In log.smbd there is something about NT_STATUS_NO_TRUST_SAM_ACCOUNT.
>
> When I fill also LDAP stuff on client computer machine and
> sambaDomainName is added to LDAP, but still ACCESS_DENIED is returned.
>
> Did I miss some steps?
> What is the right user for adding stuff to domain?
>
>
mjakl;

  1. Have you checked that your “add machine script” in /etc/samba/smb.conf
    works correctly? You can test this by running the script manually to add the
    machine. Remember that machine names must end in $.

  2. Windows 7 requires some registry changes to join a Samba domain. See:
    http://wiki.samba.org/index.php/Windows7.

  3. This HowTo written for SLES might help:
    http://www.pcc-services.com/sles/samba.html
    More detailed help can be found here:
    http://www.samba.org/samba/docs/man/Samba-Guide/

Good Luck;


P. V.
“We’re all in this together, I’m pulling for you.” Red Green

The script probably works, because the machine is registered in LDAP ou=Machines afterwards. It’s “add machine script = /sbin/yast /usr/share/YaST2/data/add_machine.ycp %m$”. But workstation still shows “Creation of workstation account failed Unable to join domain …”

These lines appear in /var/log/messages:

Dec 9 10:12:13 mainframe smbd[13314]: [2009/12/09 10:12:13, 0] rpc_server/srv_netlog_nt.c:336(get_md4pw)
Dec 9 10:12:13 mainframe smbd[13314]: get_md4pw: Workstation VM-MJ-SAMBA$: no account in domain
Dec 9 10:12:13 mainframe smbd[13314]: [2009/12/09 10:12:13, 0] rpc_server/srv_netlog_nt.c:584(_netr_ServerAuthenticate3)
Dec 9 10:12:13 mainframe smbd[13314]: _netr_ServerAuthenticate2: failed to get machine password for account VM-MJ-SAMBA$: NT_STATUS_ACCESS_DENIED
Dec 9 10:12:13 mainframe smbd[13314]: [2009/12/09 10:12:13, 0] rpc_server/srv_netlog_nt.c:336(get_md4pw)
Dec 9 10:12:13 mainframe smbd[13314]: get_md4pw: Workstation VM-MJ-SAMBA$: no account in domain
Dec 9 10:12:13 mainframe smbd[13314]: [2009/12/09 10:12:13, 0] rpc_server/srv_netlog_nt.c:584(_netr_ServerAuthenticate3)
Dec 9 10:12:13 mainframe smbd[13314]: _netr_ServerAuthenticate2: failed to get machine password for account VM-MJ-SAMBA$: NT_STATUS_ACCESS_DENIED
Dec 9 10:12:13 mainframe slapd[21631]: <= bdb_equality_candidates: (sambaGroupType) not indexed
Dec 9 10:12:13 mainframe slapd[21631]: <= bdb_equality_candidates: (sambaSIDList) not indexed
Dec 9 10:12:13 mainframe slapd[21631]: <= bdb_equality_candidates: (sambaSIDList) not indexed
Dec 9 10:12:13 mainframe slapd[21631]: <= bdb_equality_candidates: (sambaSIDList) not indexed
Dec 9 10:12:13 mainframe slapd[21631]: <= bdb_equality_candidates: (sambaSIDList) not indexed
Dec 9 10:12:13 mainframe slapd[21631]: <= bdb_equality_candidates: (sambaSIDList) not indexed
Dec 9 10:12:13 mainframe slapd[21631]: <= bdb_equality_candidates: (sambaGroupType) not indexed
Dec 9 10:12:13 mainframe slapd[21631]: <= bdb_equality_candidates: (sambaSIDList) not indexed
Dec 9 10:12:13 mainframe slapd[21631]: <= bdb_equality_candidates: (sambaSIDList) not indexed
Dec 9 10:12:13 mainframe slapd[21631]: <= bdb_equality_candidates: (sambaSIDList) not indexed
Dec 9 10:12:13 mainframe slapd[21631]: <= bdb_equality_candidates: (sambaSIDList) not indexed
Dec 9 10:12:13 mainframe slapd[21631]: <= bdb_equality_candidates: (sambaSIDList) not indexed
Dec 9 10:12:16 mainframe smbd[13316]: [2009/12/09 10:12:16, 0] passdb/pdb_ldap.c:2116(ldapsam_add_sam_account)
Dec 9 10:12:16 mainframe smbd[13316]: ldapsam_add_sam_account: User ‘vm-mj-samba$’ already in the base, with samba attributes
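
An added example, not part of the original posts: a small triage script for log excerpts like the one above. It separates the smbd machine-account events from the slapd index notices and flags accounts that the netlogon lookup could not find although the passdb backend reports them as already present. The sample lines are constructed in the format of the excerpt, and the function names are illustrative.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the format of the /var/log/messages excerpt above.
SAMPLE = """\
Dec 9 10:12:13 mainframe smbd[13314]: get_md4pw: Workstation VM-MJ-SAMBA$: no account in domain
Dec 9 10:12:13 mainframe smbd[13314]: _netr_ServerAuthenticate2: failed to get machine password for account VM-MJ-SAMBA$: NT_STATUS_ACCESS_DENIED
Dec 9 10:12:13 mainframe slapd[21631]: <= bdb_equality_candidates: (sambaGroupType) not indexed
Dec 9 10:12:13 mainframe slapd[21631]: <= bdb_equality_candidates: (sambaSIDList) not indexed
Dec 9 10:12:13 mainframe slapd[21631]: <= bdb_equality_candidates: (sambaSIDList) not indexed
Dec 9 10:12:16 mainframe smbd[13316]: ldapsam_add_sam_account: User 'vm-mj-samba$' already in the base, with samba attributes
"""

PATTERNS = {
    "no_account": re.compile(r"get_md4pw: Workstation (\S+\$): no account in domain"),
    "auth_failed": re.compile(r"failed to get machine password for account (\S+\$): NT_STATUS_\w+"),
    "already_in_ldap": re.compile(r"ldapsam_add_sam_account: User ['‘]([^'’]+\$)['’] already in the base"),
}
UNINDEXED = re.compile(r"slapd\[\d+\]: <= bdb_equality_candidates: \((\w+)\) not indexed")


def triage(log_text):
    """Return (per-machine event counts, unindexed-attribute counts)."""
    machines = defaultdict(Counter)
    unindexed = Counter()
    for line in log_text.splitlines():
        hit = UNINDEXED.search(line)
        if hit:
            unindexed[hit.group(1)] += 1  # slapd performance notice, not a join error
            continue
        for event, pattern in PATTERNS.items():
            hit = pattern.search(line)
            if hit:
                # Account names compare case-insensitively: VM-MJ-SAMBA$ == vm-mj-samba$
                machines[hit.group(1).lower()][event] += 1
    return machines, unindexed


def inconsistent_accounts(machines):
    """Machines smbd could not find at logon although passdb reports the entry exists."""
    return sorted(name for name, ev in machines.items()
                  if ev["no_account"] and ev["already_in_ldap"])


if __name__ == "__main__":
    machines, unindexed = triage(SAMPLE)
    for name in inconsistent_accounts(machines):
        print(f"{name}: {dict(machines[name])}")
    print("unindexed attributes:", dict(unindexed))
```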

Uff, I have it finally working. With only one problem left. I have a computer and on it runs virtual machine which is PDC. I can join the real computer to domain, but afterwards it doesn’t authenticate users. All other machines can do it without problem. In my opinion it’s because the virtual machine with PDC starts later than real machine. So is it somehow possible to force it to reread user info from domain or something?

On Wed December 9 2009 08:56 am, mjakl wrote:

>
> Uff, I have it finally working. With only one problem left. I have a
> computer and on it runs virtual machine which is PDC. I can join the
> real computer to domain, but afterwards it doesn’t authenticate users.
> All other machines can do it without problem. In my opinion it’s because
> the virtual machine with PDC starts later than real machine. So is it
> somehow possible to force it to reread user info from domain or
> something?
>
>
mjakl;

If the “real” machine is a Unix flavor, try restarting nmbd and smbd. If that
works, you could set it up as a cron job.

P. V.
“We’re all in this together, I’m pulling for you.” Red Green

So there was something wrong with samba installation on the ‘real’ machine. I played with it for three days and probably got it completely messed up. I removed every samba package, deleted every samba directory, reinstalled it and now it works perfectly. Thanks for the help.

Now the only thing that I’m not completely satisfied with is that Samba users are not listed in GNOME login dialog and I have to type every time. But man can’t have everything. :-))