Joining an OpenSuse 13.1 Domain Controller

Hello…

I’m trying to join other machines to a new OpenSuse 13.1 (64 bit) domain controller, but the server doesn’t accept the user “root” for domain authentication. The error message from the boxes I’m trying to join return “the user name cannot be found.” The joining boxes recognize the domain name, and DNS name resolution is working.

I’m a bit of a novice using OpenSuse as a PDC. I’m not sure if Samba is even the actual domain authenticator at this point, or if the Samba authentication module may be missing the domain administrator “root.” Worse, I’m not certain which conf files contain domain authentication user names, or how to correct the problem in any YAST2 module, or in the Samba Server gui. The systems I’m trying to join are Windows based OSes, PS3, XPPro, and Win2kPro, but I don’t believe they are the problematic parts.

I’m guessing it’s a simple fix or configuration switch, but I lack Linux experience. Could use any words of advice from all less green than me!

Many thanks,

John

A starting point could be whatever reference you’re using to guide your setup.
If you’re using one, post a link. That way people might at least have an idea what you’ve tried to do.
Else, you’d probably end up having to post all your individual steps.
But, I’d recommend always using a reference.

TSU

Thanks, it’s a huge help to realize how the original question is interpreted, so I can post more specifically - - buuuut I have to post all the steps taken. The only non-default options installed were for the SW selection

I plugged in a standard static IP (10.10.0.10), hostname (susesvr), and a FQDN (family.net) for a SuSe 13.1 server of an internal network (IPv4 10.10.0.0/24) following installation setup dialogs. After online patch installation, I set up DHCP (lease pool 10.10.0.100 - 10.10.0.115), DNS, HTTP and Samba Server services using YAST, with the box configured as a PDC, and the firewall disabled. All the installed system runlevel 5 and xinetd services are enabled and active. The internal network is available to all internal connections, and there are no external connection problems to the internet from any box in the network, or to the internal apache2 web server via HTTP name resolution and internal IP address. File sharing and Samba policy management works on all the boxes. In short, I don’t believe there is a problem with the network DNS, except that the file manager on the server (smb4k Dolphin) shows the server is in the named domain, but the rest of the boxes on the network are in “workgroup.” I can log onto each network client and open their shares as the client administrator from the server, however, they are not active in the domain that’s configured.

I’ve done some trial and error diagnostics. In attempts to join the domain, WIN boxes cannot find the domain authenticator “root,” and Linux (SuSe and Ubuntu wks) and Solaris 10 OSes indicated that the named domain “did not exist or was not available,” which seems as though the server xinetd services do not recognize the domain they are configured to control. I think it’s odd that WIN boxes can’t find an authentication userid in the domain, but that Linux and Unix boxes can’t find the domain on the network. I even installed WebYAST on the server, and attempted to run the server as a domain AD. It did not accept its own server name as the AD domain controller, either. WebYast indicated a specific daemon - admind - be started, which seems to be a part of WebYAST configuration, and wasn’t installed as a service available on the box. I don’t believe WebYAST is necessary on the server to configure it as a PDC, so rather than cope with WebYAST configuration processes, it was removed. All this makes me believe there is a service config parameter or switch that needs to be installed or turned on, but I am neither Linux or WIN expert enough to know exactly what that is or where to find it. At this point, I’m not certain it’s a missing service or config parameter, a bug in this particular build, or even an installation deficiency. I have joined a default installed SuSe 13.1 controlled domain without errors in the past, but I didn’t have to go through all this, so I’m inclined to believe it’s an installation setup problem.

I’m hoping someone can point me in a diagnostic direction to pinpoint and correct the problem, or have that magical experience to know exactly what the problem may be. There’s got to be more sophisticated ways than installing and reinstalling different configs to determine which one works…almost - - as if I know what I’m doing.

Thanks again,

John

On 2/13/2015 1:46 PM, john holl wrote:
> I’m hoping someone can point me in a diagnostic direction to pinpoint
> and correct the problem, or have that magical experience to know exactly
> what the problem may be. There’s got to be more sophisticated ways than
> installing and reinstalling different configs to determine which one
> works…almost - - as if I know what I’m doing.
>
> Thanks again,
>
> John

John;

It might help to see the contents of /etc/samba/smb.conf. You can sanitize any confidential information.


P.V.
“We’re all in this together, I’m pulling for you” Red Green

I looked at conf files for dns, dhcp, smb. I looked at SMB/conf, and name.d. and didn’t see anything out of sorts. I corrected an IP typo in the RTR pointer in named.

There is a different error message from the ubuntu box when I attempted a domain join again - DNS_ERROR_BAD_PACKET, and it appears name resolution isn’t working as I earlier wrote it did.

# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.

[global]
workgroup = family.net
passdb backend = tdbsam
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
domain logons = Yes
domain master = Yes
local master = Yes
os level = 65
preferred master = Yes
security = user
wins support = No
usershare max shares = 100
wins server =
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[profiles]
comment = Network Profiles Service
path = %H
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/
[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
write list = root

[Admin Files]
comment = john/home
inherit acls = Yes
path = /home
read only = No
vfs objects =

# smb.conf is the main Samba configuration file. You find a full commented
# version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
# samba-doc package is installed.

[global]
workgroup = family.net
passdb backend = tdbsam
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
include = /etc/samba/dhcp.conf
logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
domain logons = Yes
domain master = Yes
local master = Yes
os level = 65
preferred master = Yes
security = user
wins support = No
usershare max shares = 100
wins server =
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[profiles]
comment = Network Profiles Service
path = %H
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/
[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
write list = root

[Admin Files]
comment = john/home
inherit acls = Yes
path = /home
read only = No
vfs objects =

On 2/14/2015 6:06 AM, john holl wrote:
>
> I looked at conf files for dns, dhcp, smb. I looked at SMB/conf, and
> name.d. and didn’t see anything out of sorts. I corrected an IP typo in
> the RTR pointer in named.
>
> There is a different error message from the ubuntu box when I attempted a
> domain join again - DNS_ERROR_BAD_PACKET, and it appears name resolution
> isn’t working as I earlier wrote it did.
>
> # smb.conf is the main Samba configuration file. You find a full
> commented
> # version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
> # samba-doc package is installed.
> [global]
> workgroup = family.net
> passdb backend = tdbsam
> printing = cups
> printcap name = cups
> printcap cache time = 750
> cups options = raw
> map to guest = Bad User
> include = /etc/samba/dhcp.conf
> logon path = \\%L\profiles\.msprofile
> logon home = \\%L\%U\.9xprofile
> logon drive = P:
> usershare allow guests = No
> add machine script = /usr/sbin/useradd -c Machine -d
> /var/lib/nobody -s /bin/false %m$
> domain logons = Yes
> domain master = Yes
> local master = Yes
> os level = 65
> preferred master = Yes
> security = user
> wins support = No
> usershare max shares = 100
> wins server =
> [homes]
> comment = Home Directories
> valid users = %S, %D%w%S
> browseable = No
> read only = No
> inherit acls = Yes
> [profiles]
> comment = Network Profiles Service
> path = %H
> read only = No
> store dos attributes = Yes
> create mask = 0600
> directory mask = 0700
> [users]
> comment = All users
> path = /home
> read only = No
> inherit acls = Yes
> veto files = /aquota.user/groups/shares/
> [groups]
> comment = All groups
> path = /home/groups
> read only = No
> inherit acls = Yes
> [printers]
> comment = All Printers
> path = /var/tmp
> printable = Yes
> create mask = 0600
> browseable = No
> [print$]
> comment = Printer Drivers
> path = /var/lib/samba/drivers
> write list = @ntadmin root
> force group = ntadmin
> create mask = 0664
> directory mask = 0775
>
> [netlogon]
> comment = Network Logon Service
> path = /var/lib/samba/netlogon
> write list = root
>
> [Admin Files]
> comment = john/home
> inherit acls = Yes
> path = /home
> read only = No
> vfs objects =
> # smb.conf is the main Samba configuration file. You find a full
> commented
> # version at /usr/share/doc/packages/samba/examples/smb.conf.SUSE if the
> # samba-doc package is installed.
> [global]
> workgroup = family.net
<snip>
> force group = ntadmin
> create mask = 0664
> directory mask = 0775
>
> [netlogon]
> comment = Network Logon Service
> path = /var/lib/samba/netlogon
> write list = root
>
> [Admin Files]
> comment = john/home
> inherit acls = Yes
> path = /home
> read only = No
> vfs objects =
>
>
John;

Is it only a paste error or does your smb.conf have two copies of the parameters?
Have you started nmb(d) and smb(d)?


systemctl status nmb
systemctl status smb

Are Samba Server, Netbios Server and Samba Client all allowed services through the firewall?

You might consider these suggestions:
Do not use a dot in your workgroup/domain name. This is after all just an old NT style domain not an AD.
For example:


workgroup = familynet

Since .net is a well known top domain the .net suffix may cause a real problem.

I’ve always used ‘%u’ in the add machine script. Although %m$ should work, the NetBIOS name of the client is not passed
on port 445. See man smb.conf.


add machine script = /usr/sbin/useradd  -c Machine -d /var/lib/nobody -s /bin/false '%u'


P.V.
“We’re all in this together, I’m pulling for you” Red Green
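Pulling the checks from this reply together into something that can be run against a file, as an added example that is not part of the thread and not code from the Samba project: a small POSIX sh lint for the [global] section of an NT4-style PDC smb.conf. It flags a dot in the workgroup name, a file that contains [global] twice, domain logons not set to Yes, security not set to user, and an add machine script that does not use %u. The function names (smb_param, check_smb_conf) and the two sample configs are constructed for the example; it assumes only sh, grep, sed, tr and mktemp.

```shell
#!/bin/sh
# Added example, not from the thread or from Samba: lint the [global] section of
# an NT4-style PDC smb.conf for the points raised in the reply above.
# Assumes POSIX sh with grep, sed, tr and mktemp. The sample configs below are
# constructed; point check_smb_conf at /etc/samba/smb.conf on a real server.

# smb_param FILE PARAM: print the value of the first PARAM line. The key match
# is case-insensitive (as in Samba); the value is returned exactly as written,
# so %u and %U stay distinguishable.
smb_param() {
    grep -i "^[[:space:]]*$2[[:space:]]*=" "$1" | head -n 1 |
        sed 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//'
}

# lower STRING: fold to lower case for yes/no style comparisons.
lower() {
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]'
}

# check_smb_conf FILE: print one line per finding. The return value is the
# number of findings, so 0 means nothing was flagged.
check_smb_conf() {
    f="$1"
    n=0

    wg=$(smb_param "$f" "workgroup")
    case "$wg" in
        "")  echo "no workgroup set"; n=$((n + 1)) ;;
        *.*) echo "workgroup '$wg' contains a dot: an NT4 domain name is a NetBIOS name, use e.g. familynet"
             n=$((n + 1)) ;;
    esac

    # grep -c exits 1 when the count is 0; keep the count and ignore the status.
    globals=$(grep -c -i '^[[:space:]]*\[global\]' "$f" || true)
    if [ "$globals" -ne 1 ]; then
        echo "$globals [global] sections found: the file looks like it was pasted twice"
        n=$((n + 1))
    fi

    if [ "$(lower "$(smb_param "$f" "domain logons")")" != "yes" ]; then
        echo "domain logons is not Yes: clients cannot join this server as a PDC"
        n=$((n + 1))
    fi

    if [ "$(lower "$(smb_param "$f" "security")")" != "user" ]; then
        echo "security is not user: a PDC must hold its own user database"
        n=$((n + 1))
    fi

    ams=$(smb_param "$f" "add machine script")
    case "$ams" in
        "")   echo "no add machine script: machine accounts cannot be created on join"
              n=$((n + 1)) ;;
        *%u*) ;;
        *)    echo "add machine script does not use %u: the NetBIOS name (%m) is not passed on port 445"
              n=$((n + 1)) ;;
    esac

    return "$n"
}

# Constructed sample: the problems discussed above, in one file.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
[global]
workgroup = family.net
passdb backend = tdbsam
domain logons = Yes
security = user
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
[global]
workgroup = family.net
EOF

# Constructed sample: the same [global] with the suggested corrections applied.
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
[global]
workgroup = familynet
passdb backend = tdbsam
domain logons = Yes
security = user
add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false '%u'
EOF

echo "== sample with problems"
check_smb_conf "$BAD_CONF" || echo "findings: $?"
echo "== corrected sample"
check_smb_conf "$GOOD_CONF" && echo "findings: 0"
```

The script only reads the file; whether nmbd and smbd are actually running is still a separate check with systemctl status nmb and systemctl status smb, and a dot-free workgroup only helps once the daemons are up and reachable through the firewall.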

Thank you for hanging in with all this. My objective is to wean off my win2kadvsrv, and I’m determined to make SuSe work.

The smb.conf file was good; the duplicated lines were not included. The nmb service was not running - it has been started (my bad - fat fingers). For now, the firewall is disabled until I can get the server running, and I made the syntax changes you suggested, but nothing eventful changed, except the error messages from the client boxes when attempting to join the domain.

From a Win box (Win2kpro), when attempting to join the domain or attempting a netlogon, the error message now reads “A device attached to the system is not functioning,” with no indication of which device. Previously, I could log onto the server shares through the server netlogon service, and manage files on the share. From the server to the client, the logon is successful and the shares are available, but not from the client to the server. Name resolution works from the client to the server using ping, and I can open the web server from the client with name resolution.

From a linux box (Ubuntu), when attempting to join the domain, the error message reads “DNS_ERROR_BAD_PACKET.” I can use the server netlogon, and access shares on the server. Using ping for name resolution, the box gets a reply from the server; however, it doesn’t seem to reflect the correct domain. The return is “10.sub-0-10-10.myvzw.com,” which is the RTR slave IP record address in DNS. I searched through named.d, and didn’t find anything; however, the YAST DNS gui has an IP “sub-10.10.0.10” shown as a child to the familynet (no dot) domain. I believe the reply originates from the DNS reverse translation record, but the myvzw.com seems a bit spurious. I don’t know where myvzw.com originates or is appended by the server.

There are several IPv6 entries in the YAST DNS gui, which aren’t needed. They are installation default setups and I’m not certain they can be deleted without affecting the configuration. IPv6 is disabled. Notably, there isn’t a samba client gui in YAST, but I recall checking the box for it in the SW options during install. There is an xinetd service shown for swat, and it indicates it’s installed, but it neither starts through a terminal window nor answers at http port :901. The only place I can find anything samba related is through /etc/sysconfig or /etc/samba. Additionally, name resolution does not work using ping from the server to the clients, but they are getting IP addresses and name server data through DNS and DHCP. Client hostnames are not returned to the server. The communications between the boxes on the net show different things with changes made on the server - some things are happening, just not closer to the objective…

Tomorrow, I’m going to stop DHCP and DNS services and configure static IPs on the clients, to see if I can narrow the scope of the problem. NFS is not started on the server, which leaves only samba to deal with. Also, I know I had reference docs for dhcp, samba, and suse 13.1 installed from the openSuSe repository. I could probably have more specific and relevant info if…I could find them. Do you know where they are hidden? Thoughts, comments?

Thanks again!

John