Thread: unable to join XP to zimbra/samba domain

  #1

    I've successfully followed the great zimbra+samba howto, and can add new users, provision old users, and they can now successfully map samba shares to their windows machines no problem. It even auto-creates their home directories!

    However, I am unable to join any machines to the domain...

    I get the error "the user name could not be found" (I use user name mikey, who is a member of the Domain Admins group.)

    Note: if I try using a username that is not in the "domain admins" group, I get the error "login failure unknown user name or bad password".

    Zimbra admin shows domain admins group is the special windows group domain admins, type 2, and net rpc rights list "MY-DOMAIN\Domain Admins" shows:
    SeMachineAccountPrivilege
    SePrintOperatorPrivilege
    SeAddUsersPrivilege

    The other error I got during the installation process was when I entered "smbpasswd -a root"; I got this error: "ldapsam_modify_entry: LDAP Password could not be changed for user root: Insufficient access" -- I only mention this in case it's related to the above problem...

    I have watched the logs on both machines and don't see any messages when I try to join the machine to the domain - (maybe I just don't know where to look....!)

    thanks in advance for any help!!

    I'm running zm6.03 on centos5.4 x86_64
    here are my configs (comments stripped out)

    ldap.conf:
    base dc=myowndomain,dc=org
    binddn uid=zmposix,cn=appaccts,cn=zimbra
    bindpw mysecretpw
    rootbinddn uid=zmposixroot,cn=appaccts,cn=zimbra
    bind_policy soft
    timelimit 120
    idle_timelimit 3600
    uri ldap://10.224.0.100/
    ssl no
    tls_cacertdir /etc/openldap/cacerts
    pam_password md5
    _____________________________

    smb.conf:
    [global]
    workgroup = MY-DOMAIN
    netbios name = MYSERVER
    os level = 33
    preferred master = yes
    enable privileges = yes
    server string = %h server (Samba)
    wins support =yes
    dns proxy = no
    name resolve order = wins bcast hosts
    log file = /var/log/samba/log.%m
    log level = 3
    max log size = 1000
    syslog only = no
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    security = user
    encrypt passwords = true
    ldap passwd sync = yes
    passdb backend = ldapsam:ldap://10.224.0.100/
    ldap admin dn = "uid=zmposixroot,cn=appaccts,cn=zimbra"
    ldap suffix = dc=myrealdomain,dc=org
    ldap group suffix = ou=groups
    ldap user suffix = ou=people
    ldap machine suffix = ou=machines
    obey pam restrictions = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
    domain logons = yes
    logon path = \\10.224.0.111\%U\profile
    logon home = \\10.224.0.111\%U
    logon script = logon.cmd
    add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
    add machine script = /usr/sbin/adduser --shell /bin/false --disabled-password --quiet --gecos "machine account" --force-badname %u
    socket options = TCP_NODELAY
    domain master = yes
    local master = yes

    _______________________

    system-auth:
    auth required pam_env.so
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite pam_succeed_if.so uid >= 500 quiet
    auth sufficient pam_ldap.so use_first_pass
    auth required pam_deny.so

    account required pam_unix.so broken_shadow
    account sufficient pam_succeed_if.so uid < 500 quiet
    account [default=bad success=ok user_unknown=ignore] pam_ldap.so
    account required pam_permit.so

    password requisite pam_cracklib.so try_first_pass retry=3
    password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
    password sufficient pam_ldap.so use_authtok
    password required pam_deny.so

    session required pam_oddjob_mkhomedir.so skel=/etc/skel umask=0077
    session optional pam_keyinit.so revoke
    session required pam_limits.so
    session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session required pam_unix.so
    session optional pam_ldap.so

  #2

    I just did a fresh install (samba only) on another server, and get the same results - all users can map drives, their home dir auto-builds on first login, no problems. I simply can't add machines to the domain.

    PS. It is cool that you can "replace" your samba server but still have all your users and accounts when you connect to the zimbra server...(save your config files!)

  #3

    Got it working - seems to be some sort of issue with domain name vs. netbios name. I left the Workgroup (same as domain in windows) = MY-DOMAIN (which does resolve in dns) and also changed the netbios name to one that resolves through dns too, and now I can add machines to the domain (!). Hey, whatever works.

    Still can't smbpasswd -a root though...

  #4

    Dang it! NOT WORKING...

    What actually happened was, when I couldn't join a machine, I ended up changing (in smb.conf) both the Workgroup AND the netbios name to MY-DOMAIN - and then the workstation can join the server. HOWEVER, of course, once it is joined and I reboot the workstation, it can't contact the server because "there's a duplicate name on the network" and the domain controller cannot be contacted... Once I put the netbios name back to something else (that resolves in dns) I can log in to the XP workstation as a domain user, so I THOUGHT it was working....

    But I can't add another workstation to the domain (presumably until I set the Workgroup AND netbios name both to MY-DOMAIN - and after joining the workstation, presumably I can log back in only after fixing the duplicate name...).

    What have I done?
    Wonder if it's a problem with smb 3.0.33...

  #5

    OK, now making progress... Major thank-yous to Chapter 8, Updating Samba-3.

    I can now join machines plus log in... Trying to reconstruct my errors:
    I guess for starters, the smb.conf example file from the "unix and windows accounts in Zimbra ldap and zimbra admin ui 6" how-to is set up for Ubuntu, and the create machine section doesn't work with CentOS/Red Hat - however, you can copy in the section from the original CentOS smb.conf, and that works. HOWEVER,
    I didn't discover that until I had installed a 2nd samba server (my first one was just on a temp machine, just for testing), and that SCREWED UP my SIDs... (This is an easy trap since it "sorta works": no errors, and users/groups work just fine - maybe since the SID is also stored on the Zimbra LDAP server.) So I figured - hey, Zimbra likes the new server just the same as the original one...! But a quick "net getlocalsid MY-DOMAIN" will set you straight - you need to do the command for both the Workgroup AND the netbios name (smb.conf). Mine didn't match - one was the old SID and one the new one.

    The great help from SMB's website got it working MUCH BETTER NOW.

    I'm not sure if I'll find any other problems, but I'll start testing workstations now...

    PS. If you're fighting a technical (or other) problem, remember to ask our heavenly Father for help. After all the difficulties I've had with this, I finally just stopped and prayed for guidance - I can't say how, but almost immediately I just typed in a URL that linked me to the above smb page, and it took me directly to the solution. God knows about tech stuff -- AND cares enough to help!
    Peace
    Last edited by mickier; 12-13-2009 at 09:21 PM.

  #6 cuongjr (guest)

    I got the same problem, can you post your configuration?

  #7

    cuongjr,
    They're at the top of this thread - the change I made was to substitute the "add user script" and "add machine script" from my original CentOS smb.conf file.

    PS. In my case, the first couple of machines I added got "stepped on" when I provisioned users from the command line. Just watch those pesky userid numbers - the machines are added as "users", and you need to reserve userid numbers for them!
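The two traps described in posts #5 and #7 (workgroup SID and netbios-name SID drifting apart after a second PDC is installed, and machine accounts landing on a uidNumber already used by a provisioned user) can both be caught with a small script run on the PDC. The script below is an added example, not something posted in the thread or shipped with Zimbra or Samba. It assumes Samba 3's "net getlocalsid NAME" output format ("SID for domain NAME is: S-1-5-21-..."), that smb.conf is at /etc/samba/smb.conf unless a path is given, and that "getent passwd" on the server returns the merged local + LDAP user list (the thread's system-auth shows pam_ldap, so nss_ldap is assumed to be configured alongside it). The function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): two sanity checks for a Samba 3 PDC
# backed by the Zimbra LDAP, covering the traps in posts #5 and #7.
#
#  sid_check      - the SID Samba stores for the workgroup and the SID it
#                   stores for the netbios name must be identical, or
#                   workstations join against one SID and log on against
#                   the other.
#  uid_collisions - machine accounts (names ending in "$") created by
#                   "add machine script" must not share a uidNumber with
#                   a normal user.
#
# Assumptions (example's own): "net getlocalsid NAME" prints
# "SID for domain NAME is: S-1-5-21-...", and "getent passwd" returns the
# merged local + LDAP account list (nss_ldap configured).

# Read one [global] parameter (key matched case-insensitively) from an
# smb.conf file. Comment lines (# or ;) and other sections are ignored.
smb_param() {
    key="$1"; conf="$2"
    awk -v key="$key" '
        /^[ \t]*\[/ { in_global = (tolower($0) ~ /^[ \t]*\[global\]/) }
        in_global && !/^[ \t]*[#;]/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) { print v; exit }
        }' "$conf"
}

# Bare SID string Samba has stored for a name, or empty if it has none.
local_sid() {
    net getlocalsid "$1" 2>/dev/null | sed -n 's/^.*: *\(S-[0-9-]*\).*$/\1/p'
}

# Compare the workgroup SID with the netbios-name SID (post #5).
# Returns 0 if they match, 1 if they differ, 2 if either cannot be read.
sid_check() {
    conf="${1:-/etc/samba/smb.conf}"
    wg=$(smb_param workgroup "$conf")
    nb=$(smb_param "netbios name" "$conf")
    # netbios name defaults to the short hostname when smb.conf omits it
    [ -n "$nb" ] || nb=$(hostname | cut -d. -f1)
    wg_sid=$(local_sid "$wg"); nb_sid=$(local_sid "$nb")
    if [ -z "$wg_sid" ] || [ -z "$nb_sid" ]; then
        echo "sid_check: no SID stored for '$wg' or '$nb'" >&2
        return 2
    fi
    if [ "$wg_sid" != "$nb_sid" ]; then
        echo "sid_check: MISMATCH $wg=$wg_sid $nb=$nb_sid" >&2
        return 1
    fi
    echo "sid_check: OK $wg and $nb both use $wg_sid"
}

# Print "uid: machine X$ collides with user Y" for every machine account
# whose uidNumber is also used by an ordinary user (post #7). Reads a
# passwd-format file; feed it the output of "getent passwd".
uid_collisions() {
    awk -F: '
        { name[NR] = $1; uid[NR] = $3 }
        END {
            for (i = 1; i <= NR; i++) {
                if (name[i] !~ /\$$/) continue
                for (j = 1; j <= NR; j++)
                    if (j != i && uid[j] == uid[i] && name[j] !~ /\$$/)
                        print uid[i] ": machine " name[i] " collides with user " name[j]
            }
        }' "$1"
}

# Stand-alone use on the PDC:  sh pdc-check.sh --live [/path/to/smb.conf]
if [ "${1:-}" = "--live" ]; then
    sid_check "${2:-/etc/samba/smb.conf}"
    pw=$(mktemp)
    getent passwd > "$pw" && uid_collisions "$pw"
    rm -f "$pw"
fi
```

If sid_check reports a mismatch, the domain SID recorded in the LDAP sambaDomain entry is the one the existing machine accounts were joined against; the Samba HOWTO chapter the poster refers to covers restoring it on the new server with "net setlocalsid", after which both names report the same SID. If uid_collisions prints anything, the colliding workstation has to be rejoined after its account is given a free uidNumber; reserving a uid range for machine accounts before provisioning users avoids the problem.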
