daff Apprentice
Joined: 02 Jul 2003 Posts: 232 Location: Vienna, Austria
Posted: Fri Jul 09, 2004 8:35 am Post subject: Win2k won't join Samba-3 domain: "user name not found''
Hey all, I hope someone can help me on this, I am about to go crazy (as do most people forced to administrate a Windows/Linux network).
Here's the setup:
A newly installed Gentoo box running Apache, MySQL, ... and Samba 3. This box acts as a primary domain controller (PDC) for the network and is (hopefully) configured correctly. I followed this guide and this one and the official Samba-3 HOWTO collection. Here are the relevant parts of the smb.conf file (I know, I hate it too when people post very long config files):
Code: |
[global]
workgroup = MYDOMAIN
netbios name = MYSERVER
load printers = no
keepalive = 30
; security
security = user
hide unreadable = yes
browseable = no
; passwords
password level = 8
username level = 8
encrypt passwords = yes
passdb backend = tdbsam
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter*new*UNIX*password:* %n\n *Retype*new*UNIX*password:* %n\n *Password*changed.*
pam password change = yes
obey pam restrictions = yes
username map = /etc/samba/smbusers
; server settings
local master = yes
dns proxy = no
time server = yes
deadtime = 0
; pdc settings
admin users = root
domain logons = yes
domain master = yes
os level = 99
preferred master = yes
wins support = yes
; logon
logon script = %U.bat
logon path = \\%L\profiles\%U
logon drive = U:
logon home = \\%L\%U\.profile
; files, permissions
preserve case = yes
short preserve case = yes
default case = lower
create mode = 0660
directory mode = 0770
[IPC$]
path = /tmp
hosts allow = 192.168.0.0/16, 127.0.0.1
hosts deny = 0.0.0.0/0
[homes]
path = /home/%U/files
comment = Home Directories
browseable = no
writable = yes
valid users = %S
[netlogon]
comment = Network Logon Scripts
path = /home/data/netlogon
locking = no
guest ok = yes
[profiles]
comment = Profiles
path = /home/data/profiles
writable = yes
profile acls = yes
|
I think there's nothing wrong with that?
I created the usernames luser and root for Samba and can use them to log into the server by accessing it via \\myserver (it then asks for username and password); I'm in and can see all the available shares.
I also did a group mapping so that Domain Admins maps to the Unix group root, Domain Users to users and Domain Guests to nobody.
Now when I try to add a Windows 2000 machine to the domain MYDOMAIN (right-click on My Computer, Network Identification, Properties, Member of domain MYDOMAIN, OK) and enter the username root (or admin, or Administrator, doesn't matter because of the smbusers user mapping) along with the root Samba password, the Windows machine tells me "The following error occurred attempting to join the domain "MYDOMAIN": The user name could not be found."
Now what really disturbs me is that the username DOES exist and Samba sees it and acknowledges it when logging in. Syslog says this when I try to add the machine to the domain:
Code: |
smbd[9796]: root logged in as admin user (root privileges)
|
Then it waits for a few secs and closes the session again, then the Windows machine gives me the above-mentioned error message.
I examined the Samba log files (setting the log level to 5 really gives you A LOT of information) and don't seem to find any errors, except maybe for a message concerning winbind:
Code: |
[2004/07/09 09:50:14, 3] auth/auth_winbind.c:check_winbind_security(80)
...
check_winbind_security: Not using winbind, requested domain [MYDOMAIN] was for this SAM.
...
_samr_create_user: winbind_create_user(win2k_machine_name$) failed
_samr_create_user: winbind_create_user(win2k_machine_name$) failed
|
Does this have anything to do with it? I don't run winbind and I don't think it is necessary for Samba to act as a PDC, right?
Does anyone have any idea? I really don't see what could be wrong here, every guide I used tells more or less the same, and I did everything (at least I think so). Has anyone had a similar error in the past and knows why this is and how to fix it? Any help would be greatly appreciated.
Thanks in advance!
_________________
Instead of asking why a piece of software is using 1970s technology,
start asking why software is ignoring 30 years of accumulated wisdom.
UberLord Retired Dev
Joined: 18 Sep 2003 Posts: 6835 Location: Blighty
daff Apprentice
Joined: 02 Jul 2003 Posts: 232 Location: Vienna, Austria
Posted: Sun Jul 11, 2004 9:51 pm Post subject:
Thanks UberLord, your answer put me in the right direction. It turns out I somehow didn't realize that each machine which is to join a domain needs a machine trust account on the PDC, and thus I never added one to any of the passwd files.
Sounds very silly, doesn't it? That's the problem when one has only little experience with the black magic of the SMB/CIFS/NetBIOS/Windows Network stuff, you tend to make wrong assumptions, forget the most basic steps and end up with a configuration mess.
Anyway, it works now, thanks for the input!
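
Added example (not part of the thread and not Samba's own tooling): a shell check that ties the `_samr_create_user ... failed` log lines quoted in the first post to the fix described in the last one. It lists machine names that have no trust account in a passwd-format file and flags trust accounts that were left with a login shell. The file names, the `oldbox$` entry and all sample data are constructed, and the `machines` group in the closing comment is an assumption.

```shell
#!/bin/sh
# Added example: audit machine trust accounts on a Samba 3 PDC.
# All file names and sample data below are constructed for illustration.

# Machine account names (trailing $) that smbd tried and failed to create,
# taken from "_samr_create_user: ...(NAME$) failed" log lines.
machines_from_log() {
    sed -n 's/.*_samr_create_user: [a-z_]*(\([^)]*\$\)) failed.*/\1/p' "$1" | sort -u
}

# Names from the log with no matching entry in a passwd-format file.
missing_trust_accounts() {
    machines_from_log "$1" | while IFS= read -r acct; do
        awk -F: -v a="$acct" '$1 == a { found = 1 } END { exit !found }' "$2" \
            || printf '%s\n' "$acct"
    done
}

# Existing trust accounts (name ends in $) that still have a login shell.
loginable_trust_accounts() {
    awk -F: '$1 ~ /\$$/ && $7 !~ /\/(false|nologin)$/ { print $1 }' "$1"
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/log.smbd" <<'EOF'
[2004/07/09 09:50:14, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [MYDOMAIN] was for this SAM.
  _samr_create_user: winbind_create_user(win2k_machine_name$) failed
  _samr_create_user: winbind_create_user(win2k_machine_name$) failed
EOF

cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
luser:x:1000:100::/home/luser:/bin/bash
oldbox$:x:1001:407::/dev/null:/bin/bash
EOF

echo "No trust account for: $(missing_trust_accounts "$demo_dir/log.smbd" "$demo_dir/passwd")"
echo "Login shell on trust account: $(loginable_trust_accounts "$demo_dir/passwd")"

# Remedy for a missing account, run as root on the PDC (the "machines" group
# is an assumption; use whatever group holds machine accounts locally):
#   useradd -d /dev/null -s /bin/false -g machines 'win2k_machine_name$'
#   smbpasswd -a -m win2k_machine_name
```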