Results 1 to 7 of 7

Thread: unable to join XP to zimbra/samba domain

  1. #1
    Join Date
    Dec 2007
    Rep Power

    Default unable to join XP to zimbra/samba domain

    I've successfully followed the great zimbra+samba howto, and can add new users, provision old users, and they can now successfully map samba shares to their windows machines no problem. It even auto-creates their home directories!

    However am unable to join any machines to the domain...

    I get the error "the user name could not be found" (I use user name mikey, who is a member of the Domain Admins group.)

    Note: if I try using a username that is not in the "domain admins" group, I get the error -"login failure unknown user name or bad password"

    Zimbra admin shows domain admins group is the special windows group domain admins, type 2, and net rpc rights list "MY-DOMAIN\Domain Admins" shows:

    The other error I got during the installation process was when I enter "smbpasswd -a root", I get this error: "ldapsam_modify_entry: LDAP Password could not be changed for user root: Insufficient access" -- I only mention this in case it's related to the above problem...

    I have watched the logs on both machines and don't see any messages when I try to join the machine to the domain - (maybe I just don't know where to look....!)

    thanks in advance for any help!!

    I'm running zm6.03 on centos5.4 x86_64
    here are my configs (comments stripped out)

    base dc=myowndomain,dc=org
    binddn uid=zmposix,cn=appaccts,cn=zimbra
    bindpw mysecretpw
    rootbinddn uid=zmposixroot,cn=appaccts,cn=zimbra
    bind_policy soft
    timelimit 120
    idle_timelimit 3600
    uri ldap://
    ssl no
    tls_cacertdir /etc/openldap/cacerts
    pam_password md5

    workgroup = MY-DOMAIN
    netbios name = MYSERVER
    os level = 33
    preferred master = yes
    enable privileges = yes
    server string = %h server (Samba)
    wins support =yes
    dns proxy = no
    name resolve order = wins bcast hosts
    log file = /var/log/samba/log.%m
    log level = 3
    max log size = 1000
    syslog only = no
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    security = user
    encrypt passwords = true
    ldap passwd sync = yes
    passdb backend = ldapsam:ldap://
    ldap admin dn = "uid=zmposixroot,cn=appaccts,cn=zimbra"
    ldap suffix = dc=myrealdomain,dc=org
    ldap group suffix = ou=groups
    ldap user suffix = ou=people
    ldap machine suffix = ou=machines
    obey pam restrictions = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
    domain logons = yes
    logon path = \\\%U\profile
    logon home = \\\%U
    logon script = logon.cmd
    add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
    add machine script = /usr/sbin/adduser --shell /bin/false --disabled-password --quiet --gecos "machine account" --force-badname %u
    socket options = TCP_NODELAY
    domain master = yes
    local master = yes


    auth required
    auth sufficient nullok try_first_pass
    auth requisite uid >= 500 quiet
    auth sufficient use_first_pass
    auth required

    account required broken_shadow
    account sufficient uid < 500 quiet
    account [default=bad success=ok user_unknown=ignore]
    account required

    password requisite try_first_pass retry=3
    password sufficient md5 shadow nullok try_first_pass use_authtok
    password sufficient use_authtok
    password required

    session required skel=/etc/skel umask=0077
    session optional revoke
    session required
    session [success=1 default=ignore] service in crond quiet use_uid
    session required
    session optional

  2. #2
    Join Date
    Dec 2007
    Rep Power


    I just did a fresh install (samba only) on another server, and get the same results - all users can map drives, their home dir auto-builds on first login, no problems, Simply can't add machines to the domain

    PS. It is cool that you can "replace" your samba server but still have all your users and accounts when you connect to the zimbra server...(save your config files!)

  3. #3
    Join Date
    Dec 2007
    Rep Power


    Got it working - seems to be some sort of issue with domain name vs netbios name. I left the Workgroup (same as domain in windows) = MY-DOMAIN (which does resolve in dns) and also changed the netbios name to one that resolves through dns too, and now I can add machines to the domain..(!) Hey whatever works.

    Still can't smbpasswd -a root though...

  4. #4
    Join Date
    Dec 2007
    Rep Power


    Dang it! NOT WORKING...

    What actually happened, was when I couldn't join a machine, I ended up changing (in smb.conf) both the Workgroup AND the netbios name to MY-DOMAIN - and then the workstation can join the server == HOWEVER, of course once it is joined, and I reboot the workstation, it can't contact the server because "there's a duplicate name on the network" and domain controller cannot be contacted... Once I put the Netbios name back to something else (that resolves in dns) I can log in to the xp workstation as a domain user. so I THOUGHT it was working....

    but I can't add another workstation to the domain (presumably until I set the Workgroup AND netbios name both to MY-DOMAIN - and after joining the workstation presumably I can log back in only after fixing the duplicate name..(@@!!).

    What have I done?@
    Wonder if it's a prob with smb 3.0.33...

  5. #5
    Join Date
    Dec 2007
    Rep Power


    OK now making progress... Major thankyou's to Chapter 8. Updating Samba-3

    I can now join machines plus log in... Trying to reconstruct my errors:
    I guess for starters, the smb.conf example file from the "unix and windows accounts in Zimbra ldap and zimbra admin ui 6" how-to is set up for ubuntu, and the create machine section doesn't work with centos/redhat - however, you can copy in the section from the original centos smb.conf, and that works - HOWEVER
    I didn't discover that until I had installed a 2nd samba server, (my first one was just on a temp machine just for testing), and that SCREWED UP my SIDs... (this is an easy trap since it "sorta works", no errors, and users/groups work just fine -maybe since the SID is also stored on the zimbra ldap server..) so I figured - hey, zimbra likes the new server just the same as the original one...! but a quick "net getlocalsid MY-DOMAIN" will set you straight - you need to do the command for both the Workgroup, AND the netbios name (smb.conf). Mine didn't match- one was the old sid and one the new one.

    The great help from SMB's website got it working MUCH BETTER NOW.

    I'm not sure if I'll find any other problems, but I'll start testing workstations now...

    PS. If you're fighting a technical (or other problem), remember to ask our heavenly Father for help- After all the difficulties Iv'e had with this, I finally just stopped and prayed for guidance - I can't say how, but almost immediately I just typed in a url that linked me to the above smb page, and it directly took me to the solution. God knows about tech stuff -- AND cares enough to help!
    Last edited by mickier; 12-13-2009 at 10:21 PM.

  6. #6
    cuongjr Guest


    I got the same problem, can you post your configuration?

  7. #7
    Join Date
    Dec 2007
    Rep Power


    they're at the top of this thread - the change I made was to substitute the add user script and add machine script from my original centos smb.conf file.

    PS. In my case, the first couple machines I added got "stepped on" when I provisioned users from the command line, just watch those pesky userid numbers - the machines are added as "users", and you need to save userid numbers for them!

Similar Threads

  1. UNAUTHORIZED ACCESS Totally fouled up install
    By Lostin60s in forum Installation Help
    Replies: 0
    Last Post: 08-28-2009, 11:17 PM
  2. Replies: 7
    Last Post: 04-27-2009, 03:49 AM
  3. [SOLVED] unable to remove domain document account
    By elisa in forum Administrators
    Replies: 3
    Last Post: 05-09-2008, 06:32 AM
  4. Replies: 20
    Last Post: 03-18-2008, 06:37 AM
  5. Unable to Move Users to a Domain or Delete Domain
    By Justin Rock in forum Administrators
    Replies: 2
    Last Post: 10-06-2005, 01:23 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts