Zimbra & Samba -- error joining machine to Domain

    Hi folks. I'm in the process of piloting Zimbra Network Edition for my company. I'm trying to get it working as a Samba PDC with LDAP integration, following this wiki page:

    UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI - Zimbra :: Wiki

    I'm testing it with the most recent version of Zimbra, running on CentOS 5.2 x86_64. The Samba PDC is running on another CentOS 5.2 x86_64 box, with Samba version 3.0.28-1.el5_2.1.

    What does work:

    1. I'm able to authenticate to the samba server using the smbclient command.
    2. I'm able to create accounts in the Zimbra admin GUI and list them with the net rpc commands on the samba server.
    3. I successfully created a "Domain Admins" group as per the wiki page and assigned it the proper privileges.
    4. I created a user and added it to the Domain Admins group.

    What doesn't work:

    When I attempt to join a Windows XP SP2 client to the domain, it returns an error saying:

    "The following error occurred attempting to join the domain 'MYTESTDOMAIN':

    The user's password must be changed before logging on the first time."

    This of course prevents me from adding a machine to the domain.

    Of course this is an interesting chicken/egg dilemma. How do I change the password without ever having logged in?

    I've tried changing it from the Zimbra UI, with no luck. I've also tried changing it with the "net rpc password" command, again with no luck.

    The only reference I can find of that error is here:

    Web Notebook: Samba 3 user authentication against OpenLDAP server

    It mentions that you need the sambaPwdLastSet attribute in the LDAP schema, which I checked, and it is indeed in there (in samba.schema).

    Doing an LDAP search for the attribute, it shows up here:

    # root, people,
    dn: uid=root,ou=people,dc=mycompany,dc=com
    sambaPwdLastSet: 1227077872

    but not for my domain admin account, which I've named "lame".

    Debugging samba shows:

    [2008/11/20 15:00:24, 1] auth/auth_sam.c:sam_account_ok(172)
    sam_account_ok: Account for user 'lame' password must change!.
    [2008/11/20 15:00:24, 5] auth/auth.c:check_ntlm_password(273)
    check_ntlm_password: sam authentication for user [lame] FAILED with error NT_STATUS_PASSWORD_MUST_CHANGE

    Clearly something is setting NT_STATUS_PASSWORD_MUST_CHANGE; I didn't set that for the account in the Zimbra GUI.

    After doing a "smbpasswd -U lame" and changing the password on the Samba server, I see that it's updated in the LDAP config:

    # lame, people,
    dn: uid=lame,ou=people,dc=mycompany,dc=com
    sambaPwdLastSet: 1227212413

    But attempts to join the domain end with "The user name could not be found".

    Debugging samba shows:

    sh: /usr/sbin/adduser: Permission denied
    [2008/11/20 15:23:50, 0] passdb/pdb_interface.c:pdb_default_create_user(329)
    _samr_create_user: Running the command `/usr/sbin/adduser --shell /bin/false --disabled-password --quiet --gecos "machine account" --force-badname winxpvm$' gave 126
    [2008/11/20 15:23:50, 5] lib/username.c:Get_Pwnam_alloc(131)
    Finding user WINXPVM$
    [2008/11/20 15:23:50, 5] lib/username.c:Get_Pwnam_internals(75)
    Trying _Get_Pwnam(), username as lowercase is winxpvm$
    [2008/11/20 15:23:50, 5] lib/username.c:Get_Pwnam_internals(83)
    Trying _Get_Pwnam(), username as given is WINXPVM$
    [2008/11/20 15:23:50, 5] lib/username.c:Get_Pwnam_internals(102)
    Checking combinations of 0 uppercase letters in winxpvm$
    [2008/11/20 15:23:50, 5] lib/username.c:Get_Pwnam_internals(108)
    Get_Pwnam_internals didn't find user [WINXPVM$]!

    Clearly this was an SELinux problem, so I disabled SELinux temporarily.

    I then noticed this in the log:

    [2008/11/20 16:44:28, 5] lib/username.c:Get_Pwnam_internals(108)
    Get_Pwnam_internals didn't find user [WINXPVM$]!
    /usr/sbin/adduser: unrecognized option `--disabled-password'

    So that is not a valid option with the CentOS/RHEL version of adduser.

    After changing the add machine script to:

    add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u

    I still get the "The user name could not be found" error.

    So after all this, my questions are:

    Why doesn't the wiki refer to using the smbldap tools for manipulating samba-ldap accounts? (Especially the add machine script).

    Why do I have to set the password for my domain admin account with smbpasswd before I use it to add a Windows machine to the domain?
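The check the post performs by hand (an ldapsearch for sambaPwdLastSet, then reading the Samba debug log) as an added example that is not part of the original post: it parses an LDIF dump and a Samba log excerpt and reports the accounts that were rejected with NT_STATUS_PASSWORD_MUST_CHANGE and whose LDAP entry carries no sambaPwdLastSet. The sample LDIF and log lines are constructed in the shape of the output quoted in the post.

```python
import re

# Constructed sample data, shaped like the ldapsearch output and Samba log in the post.
SAMPLE_LDIF = """\
# root, people,
dn: uid=root,ou=people,dc=mycompany,dc=com
sambaPwdLastSet: 1227077872

# lame, people,
dn: uid=lame,ou=people,dc=mycompany,dc=com
"""
SAMPLE_LOG = """\
[2008/11/20 15:00:24, 5] auth/auth.c:check_ntlm_password(273)
check_ntlm_password: sam authentication for user [lame] FAILED with error NT_STATUS_PASSWORD_MUST_CHANGE
"""

FAILED = re.compile(r"for user \[([^\]]+)\] FAILED with error NT_STATUS_PASSWORD_MUST_CHANGE")


def parse_ldif(text):
    """Return {dn: {attr_lower: [values]}}; skips comments, unfolds continuation lines."""
    entries, lines = {}, []
    for raw in text.splitlines() + [""]:        # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and lines:        # LDIF folds long values with a leading space
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
        elif lines:                              # blank line closes an entry
            attrs = {}
            for line in lines:
                name, _, value = line.partition(":")
                attrs.setdefault(name.lower(), []).append(value.strip())
            entries[attrs["dn"][0]] = attrs
            lines = []
    return entries


def must_change_failures(log):
    """Users the Samba log rejected with NT_STATUS_PASSWORD_MUST_CHANGE."""
    return sorted({m.group(1) for m in FAILED.finditer(log)})


def missing_pwd_last_set(entries, users):
    """Map each such user to its dn when the entry has no (or a zero) sambaPwdLastSet."""
    def uid(dn):                                  # uid=lame,ou=people,... -> lame
        return dn.split(",")[0].partition("=")[2]
    return {uid(dn): dn for dn, attrs in entries.items()
            if uid(dn) in users and attrs.get("sambapwdlastset", ["0"])[0] == "0"}
```

Feed it a real `ldapsearch -LLL ... sambaPwdLastSet` dump and the smbd log at debug level 5 or higher to get the same correlation for every account.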
