Thread: Zimbra & Samba -- error joining machine to Domain

  1. #1 (Join Date: Nov 2008)

    Zimbra & Samba -- error joining machine to Domain

    Hi folks. I'm in the process of piloting Zimbra Network Edition for my company. I'm trying to get it working as a Samba PDC with ldap integration following this wiki page:

    UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI - Zimbra :: Wiki

    I'm testing it with the most recent version of Zimbra, running on Centos 5.2 x86_64. The samba pdc is running on another Centos 5.2 x86_64, with samba version 3.0.28-1.el5_2.1.

    What does work:

    1. I'm able to authenticate to the samba server using the smbclient command.
    2. I'm able to create accounts in the Zimbra admin GUI and list them with the net rpc commands on the samba server.
    3. I successfully created a "Domain Admins" group as per the wiki page and assigned it the proper privileges.
    4. I created a user and added it to the Domain Admins group.

    What doesn't work:

    When I attempt to join a Windows XP SP2 client to the domain, it returns an error saying:

    "The following error occurred attempting to join the domain 'MYTESTDOMAIN':

    The user's password must be changed before logging on the first time."

    This of course prevents me from adding a machine to the domain.

    Of course this is an interesting chicken/egg dilemma. How do I change the password without ever having logged in?

    I've tried changing it from the Zimbra UI, no luck, I've also tried changing it with the "net rpc password" command, no luck.

    The only reference I can find of that error is here:

    Web Notebook: Samba 3 user authentication against OpenLDAP server

    It mentions you need the sambaPwdLastSet attribute in the LDAP schema, which I checked and is indeed in there (samba.schema).

    Doing an ldap search for the attribute, it shows up here:

    # root, people,
    dn: uid=root,ou=people,dc=mycompany,dc=com
    sambaPwdLastSet: 1227077872

    but not for my domain admin account I've named "lame"

    Debugging samba shows:

    [2008/11/20 15:00:24, 1] auth/auth_sam.c:sam_account_ok(172)
    sam_account_ok: Account for user 'lame' password must change!.
    [2008/11/20 15:00:24, 5] auth/auth.c:check_ntlm_password(273)
    check_ntlm_password: sam authentication for user [lame] FAILED with error NT_STATUS_PASSWORD_MUST_CHANGE

    Clearly something is setting the NT_STATUS_PASSWORD_MUST_CHANGE; I didn't set that for the account in the Zimbra GUI.

    After doing a "smbpasswd -U lame" and changing the password on the samba server, I see that it's updated in the ldap config:

    # lame, people,
    dn: uid=lame,ou=people,dc=mycompany,dc=com
    sambaPwdLastSet: 1227212413

    But attempts to join the domain end with "The user name could not be found".

    Debugging samba shows:

    sh: /usr/sbin/adduser: Permission denied
    [2008/11/20 15:23:50, 0] passdb/pdb_interface.c:pdb_default_create_user(329)
    _samr_create_user: Running the command `/usr/sbin/adduser --shell /bin/false --disabled-password --quiet --gecos "machine account" --force-badname winxpvm$' gave 126
    [2008/11/20 15:23:50, 5] lib/username.c:Get_Pwnam_alloc(131)
    Finding user WINXPVM$
    [2008/11/20 15:23:50, 5] lib/username.c:Get_Pwnam_internals(75)
    Trying _Get_Pwnam(), username as lowercase is winxpvm$
    [2008/11/20 15:23:50, 5] lib/username.c:Get_Pwnam_internals(83)
    Trying _Get_Pwnam(), username as given is WINXPVM$
    [2008/11/20 15:23:50, 5] lib/username.c:Get_Pwnam_internals(102)
    Checking combinations of 0 uppercase letters in winxpvm$
    [2008/11/20 15:23:50, 5] lib/username.c:Get_Pwnam_internals(108)
    Get_Pwnam_internals didn't find user [WINXPVM$]!

    Clearly this was an SELinux problem, so I disabled SELinux temporarily.

    I then noticed this in the log:

    [2008/11/20 16:44:28, 5] lib/username.c:Get_Pwnam_internals(108)
    Get_Pwnam_internals didn't find user [WINXPVM$]!
    /usr/sbin/adduser: unrecognized option `--disabled-password'

    So that is not a valid option with the CentOS/RHEL version of adduser.

    After changing the add machine script to:

    add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u

    I still get the "The user name could not be found" error.

    So after all this, my questions are:

    Why doesn't the wiki refer to using the smbldap tools for manipulating samba-ldap accounts? (Especially the add machine script).

    Why do I have to set the password for my domain admin account with smbpasswd before I use it to add a Windows machine to the domain?
    Last edited by jmartin; 11-24-2008 at 01:17 PM.
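    The poster found the cause by searching the directory by hand for sambaPwdLastSet. The script below is an added example (not from the thread or the wiki) that does the same check over a whole LDIF dump: it parses LDIF such as ldapsearch output and lists every sambaSamAccount entry whose sambaPwdLastSet is absent or 0, which Samba 3's ldapsam backend treats as a password that was never set and answers with NT_STATUS_PASSWORD_MUST_CHANGE. The sample LDIF embedded in the script is constructed to mirror the thread (the root and "lame" users plus a machine account); the function names are this example's own.

```python
"""Find Samba LDAP accounts that Samba rejects with NT_STATUS_PASSWORD_MUST_CHANGE.

Added example, not code from the thread.  Samba 3's ldapsam backend reads
sambaPwdLastSet as the password's last-set time; an entry without it (or with
the value 0) is treated as "never set", and sam_account_ok() then refuses the
logon with NT_STATUS_PASSWORD_MUST_CHANGE, the error seen in the thread.  This
parses LDIF (e.g. ldapsearch output) and reports the sambaSamAccount entries
in that state, so the problem is caught in the directory, not at the join dialog.
"""
import base64
from typing import Dict, List, Tuple

# Constructed sample LDIF modelled on the thread: root has the attribute,
# "lame" lacks it, a machine account has it set to 0, and a plain POSIX
# account without sambaSamAccount is ignored.
SAMPLE_LDIF = """\
# root, people, mycompany.com
dn: uid=root,ou=people,dc=mycompany,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: root
sambaPwdLastSet: 1227077872

# lame, people, mycompany.com
dn: uid=lame,ou=people,dc=mycompany,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: lame

# winxpvm$, machines, mycompany.com
dn: uid=winxpvm$,ou=machines,dc=mycompany,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: winxpvm$
sambaPwdLastSet: 0

# zimbra, people, mycompany.com
dn: uid=zimbra,ou=people,dc=mycompany,dc=com
objectClass: posixAccount
uid: zimbra
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse LDIF into a list of entries; attribute names are lowercased,
    values are lists (attributes may repeat), and base64 ('::') values are
    decoded.  Comment lines are skipped and blank lines separate entries."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if line.startswith("#"):
            continue
        if line.startswith(" ") and last_attr is not None:
            # LDIF continuation line: append to the previous value
            current[last_attr][-1] += line[1:]
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        attr = attr.strip().lower()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def must_change_accounts(entries: List[Dict[str, List[str]]]) -> List[Tuple[str, str]]:
    """Return (dn, reason) for each sambaSamAccount that Samba will treat as
    'password must change' because sambaPwdLastSet is missing or 0."""
    hits: List[Tuple[str, str]] = []
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectclass", [])}
        if "sambasamaccount" not in classes:
            continue
        dn = entry.get("dn", ["<no dn>"])[0]
        last_set = entry.get("sambapwdlastset")
        if not last_set:
            hits.append((dn, "sambaPwdLastSet missing"))
        elif last_set[0].strip() in ("", "0"):
            hits.append((dn, "sambaPwdLastSet is 0"))
    return hits


if __name__ == "__main__":
    for dn, reason in must_change_accounts(parse_ldif(SAMPLE_LDIF)):
        print(f"{dn}: {reason}")
```

    To run it against a live directory, feed it the output of an ldapsearch for objectClass=sambaSamAccount instead of SAMPLE_LDIF; an entry listed here will fail a domain join or logon with exactly the error in the thread until a Samba-side password set (smbpasswd) writes sambaPwdLastSet.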

  2. #2 (Join Date: Nov 2008)


    Going to give this another shot today... No reason why it should be this difficult, and I'm sure someone has done it already. I can't afford to spend more time on this, and it sucks because I was looking forward to getting rid of Windows.

  3. #3 (Join Date: Nov 2008)


    Success! I'm able to join a machine to a domain, and authenticate. Changing passwords from the Windows machine failed to update the password when logging into the zimbra web interface. Although, if I change the password on web interface, I can use that password successfully on Windows. This seems slightly backwards and not the same problem that most people have. I do have ldap sync enabled.

    Is this a known issue? I'll post a write-up as soon as I work out the rest of the kinks.
    Last edited by jmartin; 11-24-2008 at 12:55 PM.

  4. #4 (Join Date: Nov 2008)


    Ok, the kinks have been worked out. One of the biggest issues is the buggy samba that ships with Centos/RHEL 5.2. I pulled the Samba RPMS for RHEL 5.3 beta into the mix, and it definitely seemed to help. Some other issues, the /etc/samba/smb.conf listed does not work with a centos install. Here is a working smb.conf file for a centos install:


    [global]
    workgroup = MYCOMP
    server string = Samba Server Version %v

    netbios name = MYCOMPDC

    # --------------------------- Logging Options -----------------------------
    # Log File lets you specify where to put logs and how to split them up.
    # Max Log Size lets you specify the max size log files should reach

    # logs split per machine
    log file = /var/log/samba/%m.log
    log level = 5

    # max 50KB per log file, then rotate
    ; max log size = 50

    # ----------------------- Standalone Server Options ------------------------
    # Security can be set to user, share(deprecated) or server(deprecated)
    # Backend to store user information in. New installations should
    # use either tdbsam or ldapsam. smbpasswd is available for backwards
    # compatibility. tdbsam requires no further configuration.

    security = user
    passdb backend = ldapsam:ldap://
    ldap admin dn = "cn=config"
    ldap suffix = dc=mycompany,dc=com
    ldap group suffix = ou=groups
    ldap user suffix = ou=people
    ldap machine suffix = ou=machines

    ldap passwd sync = yes
    socket options = TCP_NODELAY
    # note: 'security' also appears above; Samba uses the last value it reads
    security = domain
    obey pam restrictions = no
    domain master = yes
    domain logons = yes
    local master = yes
    wins support = yes
    # the login script name depends on the machine name
    logon script =
    # disables profiles support by specifying an empty path
    logon path =

    add user script = /usr/sbin/useradd "%u" -n -g users
    add group script = /usr/sbin/groupadd "%g"
    add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
    delete user script = /usr/sbin/userdel "%u"
    delete user from group script = /usr/sbin/userdel "%u" "%g"
    delete group script = /usr/sbin/groupdel "%g"

    local master = yes
    os level = 33
    preferred master = yes

    load printers = yes
    cups options = raw

    ; printcap name = /etc/printcap
    #obtain list of printers automatically on SystemV
    ; printcap name = lpstat
    ; printing = cups

    # --------------------------- Filesystem Options ---------------------------
    # The following options can be uncommented if the filesystem supports
    # Extended Attributes and they are enabled (usually by the mount option
    # user_xattr). These options will let the admin store the DOS attributes
    # in an EA and make samba not mess with the permission bits.
    # Note: these options can also be set just per share, setting them in global
    # makes them the default for all shares

    ; map archive = no
    ; map hidden = no
    ; map read only = no
    ; map system = no
    ; store dos attributes = yes

    [printers]
    comment = All Printers
    path = /var/spool/samba
    browseable = no
    guest ok = no
    writable = no
    printable = yes

    # Un-comment the following and create the netlogon directory for Domain Logons
    [netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    guest ok = yes
    writable = no
    share modes = no

    After creating my initial domain admin group and domain admin user (named him domainadmin), I did have to update that user's password with:

    smbpasswd domainadmin

    That was the only way to get rid of the "NT_STATUS_PASSWORD_MUST_CHANGE" error.

    Also to get samba to work properly with selinux, I had to run the following commands:

    setsebool -P samba_domain_controller on
    setsebool -P samba_enable_home_dirs on
    setsebool -P samba_export_all_ro on
    setsebool -P samba_export_all_rw on

    And of course you have to open the requisite samba ports in iptables.

    I'm still at a loss as to why if I change my password on the Windows machine it doesn't sync with the password for the Zimbra interface, but the reverse does work.
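    A config of this size is easy to get subtly wrong, and Samba silently keeps the last value when a parameter is repeated. The following added example (this is not code from the thread, the wiki or Samba itself) is a small lint in the spirit of testparm for an LDAP-backed Samba 3 PDC: it reports any parameter set more than once in a section, a PDC (domain logons = yes) whose effective security setting is not user (a Samba domain controller has to run in user-level security), and a PDC with no add machine script (the condition behind the "user name could not be found" joins earlier in the thread). The embedded config is a constructed sample that mirrors the structure of the one posted above; the function names are this example's own.

```python
"""Lint an smb.conf for an LDAP-backed Samba 3 PDC (added example, not Samba code).

Every occurrence of a parameter is kept so repeats can be reported; Samba
itself takes the last value it reads, which is what effective() reproduces.
"""
from typing import Dict, List, Tuple

# Constructed sample mirroring the structure of the posted smb.conf,
# including its repeated 'security' and 'local master' lines.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = MYCOMP
    netbios name = MYCOMPDC
    security = user
    passdb backend = ldapsam:ldap://
    ldap admin dn = "cn=config"
    ldap suffix = dc=mycompany,dc=com
    ldap passwd sync = yes
    security = domain
    domain master = yes
    domain logons = yes
    local master = yes
    add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
    local master = yes
    ; max log size = 50

[netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    guest ok = yes
    writable = no
"""


def parse_smb_conf(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {section: [(key, value), ...]} keeping every occurrence in order.
    Section and key names are lowercased; '#' and ';' lines are comments."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")  # first '=' only: values may contain '='
        if not sep or current is None:
            continue
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def effective(pairs: List[Tuple[str, str]]) -> Dict[str, str]:
    """Collapse repeats the way Samba does: the last value wins."""
    return {k: v for k, v in pairs}


def lint(sections: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Return human-readable findings for the parsed config."""
    findings: List[str] = []
    for name, pairs in sections.items():
        seen: Dict[str, List[str]] = {}
        for key, value in pairs:
            seen.setdefault(key, []).append(value)
        for key, values in seen.items():
            if len(values) > 1:
                findings.append(
                    f"[{name}] '{key}' is set {len(values)} times; "
                    f"Samba keeps the last value ('{values[-1]}')"
                )
    g = effective(sections.get("global", []))
    if g.get("domain logons", "no").lower() == "yes":
        # Samba 3 defaults to security = user when the parameter is absent.
        sec = g.get("security", "user").lower()
        if sec != "user":
            findings.append(
                f"[global] domain logons = yes requires security = user "
                f"(effective value: '{sec}')"
            )
        if not g.get("add machine script"):
            findings.append(
                "[global] domain logons = yes but no add machine script; "
                "machine accounts cannot be created on join"
            )
    return findings


def lint_text(text: str) -> List[str]:
    """Convenience wrapper: lint an smb.conf given as a string."""
    return lint(parse_smb_conf(text))


if __name__ == "__main__":
    for finding in lint_text(SAMPLE_SMB_CONF):
        print(finding)
```

    Run against a real file with lint_text(open("/etc/samba/smb.conf").read()); it complements rather than replaces testparm, which additionally validates parameter names and values.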

  5. #5 (Join Date: Oct 2006, Cape Cod)



    Thanks so much for this post and your research. Like you, I got about 95% there from the wiki page, but also using Centos 5.2, I had strange problems about not getting to have machines join the domains etc.

    Your rework of the smb.conf file is priceless.

    I can now have machines join the domain thanks to your post.

    Thanks again.


  6. #6 (Join Date: Jan 2009)


    Sorry for my silly question:

    Using those parameters:
    add user script = /usr/sbin/useradd "%u" -n -g users
    add group script = /usr/sbin/groupadd "%g"
    add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
    delete user script = /usr/sbin/userdel "%u"
    delete user from group script = /usr/sbin/userdel "%u" "%g"
    delete group script = /usr/sbin/groupdel "%g"

    are you telling Samba to use the internal DB instead of LDAP?

    If that's true, your LDAP server is empty.

    Another point is that

    /usr/sbin/useradd -n -c "Workstation (%u)" -M -d

    means that computers are just "regular users" and they can log on to clients. This is very, very bad.

    Thank you.
