- 07-06-2007 #1Just Joined!
- Join Date
- Jul 2007
- Posts
- 10
Samba as PDC
I'm trying to configure Samba as PDC and I want to join the domain with a Windows machine. I'm adding the machine name like this:
useradd -g machines -d /dev/null -s /dev/null machine$
I'm adding it to the samba accounts with:
smbpasswd -a -m machine
I'm also adding the system user usersamba
useradd -g machines usersamba
passwd usersamba
And I'm adding the user also
smbpasswd -a usersamba
The main problem is when I'm trying to join the domain [BLUE] with the Windows machine, it gives me one of these errors:
ACCESS IS DENIED or LOGON FAILURE: UNKNOWN USER NAME OR BAD PASSWORD
I checked the samba logs and here are the results:
[2007/07/06 14:12:53, 0] passdb/pdb_smbpasswd.c:startsmbfilepwent(250)
startsmbfilepwent_internal: unable to open file /var/lib/samba/private/smbpasswd. Error was: Permission denied
[2007/07/06 14:12:53, 0] passdb/pdb_smbpasswd.c:add_smbfilepwd_entry(654)
add_smbfilepwd_entry: unable to open file.
or
[2007/07/06 12:48:03, 1] auth/auth_util.c:make_server_info_sam(566)
User test1 in passdb, but getpwnam() fails!
[2007/07/06 12:48:03, 0] auth/auth_sam.c:check_sam_security(352)
check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
[2007/07/06 12:48:04, 0] passdb/pdb_get_set.c: pdb_get_group_sid(211)
pdb_get_group_sid: Failed to find Unix account for usersamba
If I try to run vipw, the password file contains this:
machine$: x:511:512::/dev/null:/dev/null
So the machine has been added to the list...
WHAT AM I DOING WRONG? I restarted the smb and nmb service several times and there is no change. If I want to change the security policy and run it just as a workgroup, I can do it, but as a domain, I cannot join it.
My smb.conf file follows:
[global]
workgroup = BLUE
server string = Samba Server Version %v
netbios name = BLUEUNIVERSE
interfaces = lo eth1
hosts allow = 127. 192.168.0.
bind interfaces only = yes
log file = /var/log/samba/log.%m
max log size = 50
security = user
passdb backend = tdbsam
domain master = yes
domain logons = yes
encrypt passwords = yes
logon script = %u.bat
logon path =
local master = yes
os level = 65
preferred master = yes
wins support = yes
wins server = 192.168.0.1
load printers = yes
cups options = raw
printcap name = /etc/printcap
printing = cups
[homes]
comment = Home Directories
browseable = no
writable = yes
[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
public = yes
writable = yes
printable = yes
use client driver = yes
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
writable = no
share modes = no
[Profiles]
path = /var/lib/samba/profiles
browseable = no
guest ok = yes
Thank you for any possible help!
P.S. I'm running samba-3.0.25b-2.fc7 on a Fedora system as you can see...
- 09-18-2007 #2Just Joined!
- Join Date
- Sep 2007
- Posts
- 5
Hi,
I got Samba configured too on a Fedora 7 system, and I configured it to use my LDAP server. Now the thing is, I got another system with CentOS 4.5, and the Samba server configured in the same way as in Fedora 7, and I log in OK with any user that I got on my LDAP server even if it isn't a Linux user.
And on the Fedora 7, when I try to log in with a user that exists on the LDAP but doesn't exist on the system, it just gives this message:
[2007/09/18 18:35:49, 0] passdb/pdb_get_set.c:pdb_get_group_sid(211)
pdb_get_group_sid: Failed to find Unix account for drocha
So this must be some Fedora 7 issue... can anyone help me out?
- 09-20-2007 #3Just Joined!
- Join Date
- Jul 2007
- Posts
- 10
I got my PDC working, so it's fine. I'm not using LDAP... Thank you for your interest!
- 04-16-2008 #4Just Joined!
- Join Date
- Apr 2008
- Posts
- 6
And thank you for telling us how you fixed it.
- 06-25-2008 #5Just Joined!
- Join Date
- Sep 2006
- Posts
- 3
- 06-26-2008 #6Just Joined!
- Join Date
- Sep 2006
- Posts
- 3
From another forum:
Samba as primary domain controller - Open Source OS - Forums - www.atomicmpc.com.au
Robzy, you haven't set up a Domain Admin user who is responsible for adding machines to the domain.
Come on mate!
There's a giant howto on this right here: [BUMPED!] How to build a primary domain controller - Open Source OS - Forums - www.atomicmpc.com.au
You need to add the admin users directive to your [global] section
So (as an example using "root") do:
[global]
...
..
.
admin users = root
Rob.
- 08-02-2008 #7Just Joined!
- Join Date
- Jul 2007
- Posts
- 10
Hi guys,
My mistake with Samba was that I didn't set a root password. The first time a machine wants to join the domain, you have to join it with the samba root user, so you have to add one to samba. Samba 3 is good, but I'm looking forward to getting Samba 3 running.
In order to get it working all you have to do is
$ smbpasswd -a -m <machine-name>$
$ smbpasswd -a <user-name>
and add a root user to the samba. Besides that, you have to change your main samba.conf file to be a domain controller:
[global]
netbios name = <your-machine-name>
server string = Samba %v on %L
workgroup = <your-domain-name>
; domain & local master browser
; coz we're dealing with Win2k
; or 99 if you want to be sure
os level = 65
prefered master = yes
domain master = yes
local master = yes
domain logons = yes
; DO NOT FORGET THIS
encrypt passwords = yes
and add the logon scripting stuff!
A good tutorial about this, you can find at Samba PDC mini-HOWTO.
Other tutorials at:
HOWTO Implement Samba as your PDC - Gentoo Linux Wiki
samba setup and configuration
http://ploug.eu.org/doc/samba-a4.pdf
It would also be a good idea to select the interfaces and IP subnets and do the bind interfaces stuff for more security; otherwise, samba will bind even on the external interfaces, and if you don't firewall, you can be vulnerable.
Have fun!
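As an added example (not part of the original post and not Samba project code), a shell check that reads the [global] section of an smb.conf and reports which of the domain-controller directives and interface restrictions mentioned in the post above are not explicitly set. The function names and the sample configuration are constructed for illustration; Samba's built-in defaults are not taken into account.

```shell
#!/bin/sh
# Added example, not from the thread: audit [global] in an smb.conf for the
# PDC directives and interface restrictions listed in the post above.

# global_param FILE NAME: print NAME's value in [global] (empty if unset).
# Samba ignores case and whitespace in section and parameter names.
global_param() {
    awk -v want="$2" '
        BEGIN { gsub(/[ \t]/, "", want); want = tolower(want) }
        /^[ \t]*[;#]/ { next }                       # whole-line comments
        /^[ \t]*\[/ { sec = tolower($0)
                      gsub(/^[ \t]*\[|\].*$|[ \t]/, "", sec); next }
        sec == "global" && index($0, "=") {
            name = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", name)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (name == want) found = val
        }
        END { print found }' "$1"
}

# audit_pdc_conf FILE: print one FAIL line per finding, return 1 if any.
audit_pdc_conf() {
    rc=0
    for p in "domain logons" "domain master" "encrypt passwords" \
             "bind interfaces only"; do
        v=$(global_param "$1" "$p" | tr 'A-Z' 'a-z')
        case $v in
            yes|true|1) ;;
            *) echo "FAIL: '$p' is '${v:-unset}', expected yes"; rc=1 ;;
        esac
    done
    for p in "interfaces" "hosts allow"; do
        [ -n "$(global_param "$1" "$p")" ] || { echo "FAIL: '$p' is unset"; rc=1; }
    done
    return $rc
}

# Constructed sample: PDC settings present, interface restrictions missing.
sample_conf() {
    printf '%s\n' '[global]' 'workgroup = BLUE' 'Domain Logons = Yes' \
        'domain master = yes' 'encrypt passwords = yes' \
        '; bind interfaces only = yes' '[netlogon]' 'interfaces = eth9'
}

tmp=$(mktemp); sample_conf > "$tmp"
audit_pdc_conf "$tmp" || echo "smb.conf needs attention"
rm -f "$tmp"
```

On the constructed sample the commented-out `bind interfaces only` line and the `interfaces` line under `[netlogon]` are both ignored, so the three interface-related settings are reported.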
- 08-06-2008 #8Just Joined!
- Join Date
- Aug 2008
- Posts
- 3
Set oWsh = CreateObject("Wscript.Shell")
oWsh.RegWrite "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\requiresignorseal",0,"REG_DWORD"
oWsh.RegWrite "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System\CompatibleRUPSecurity",1,"REG_DWORD"
Make the VB script file with this content and execute it on the Windows system, then try to add the system to the domain.


