#1
Old 11-20-2008, 02:13 PM
Junior Member
 
Posts: 5
Zimbra & Samba -- error joining machine to Domain

Hi folks. I'm in the process of piloting Zimbra Network Edition for my company. I'm trying to get it working as a Samba PDC with ldap integration following this wiki page:

UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI - Zimbra :: Wiki

I'm testing it with the most recent version of Zimbra, running on Centos 5.2 x86_64. The samba pdc is running on another Centos 5.2 x86_64, with samba version 3.0.28-1.el5_2.1.

What does work:
  1. I'm able to authenticate to the samba server using the smbclient command.
  2. I'm able to create accounts in the Zimbra admin GUI and list them with the net rpc commands on the samba server.
  3. I successfully created a "Domain Admins" group as per the wiki page and assigned it the proper privileges.
  4. I created a user and added it to the Domain Admins group.

What doesn't work:

When I attempt to join a Windows XP SP2 client to the domain, it returns an error saying:

"The following error occurred attempting to join the domain 'MYTESTDOMAIN':

The user's password must be changed before logging on the first time."

This of course prevents me from adding a machine to the domain.

Of course this is an interesting chicken/egg dilemma. How do I change the password without ever having logged in?

I've tried changing it from the Zimbra UI, no luck. I've also tried changing it with the "net rpc password" command, no luck.

The only reference I can find of that error is here:

Web Notebook: Samba 3 user authentication against OpenLDAP server

It mentions you need the sambaPwdLastSet attribute in the LDAP schema, which I checked and is indeed in there (the samba.schema).

Doing an ldap search for the attribute, it shows up here:

# root, people, mycompany.com
dn: uid=root,ou=people,dc=mycompany,dc=com
sambaPwdLastSet: 1227077872

but not for my domain admin account I've named "lame"


Debugging samba shows:


[2008/11/20 15:00:24, 1] auth/auth_sam.c:sam_account_ok(172)
sam_account_ok: Account for user 'lame' password must change!.
[2008/11/20 15:00:24, 5] auth/auth.c:check_ntlm_password(273)
check_ntlm_password: sam authentication for user [lame] FAILED with error NT_STATUS_PASSWORD_MUST_CHANGE

Clearly something is setting the NT_STATUS_PASSWORD_MUST_CHANGE, I didn't set that for the account in the Zimbra GUI.



After doing a "smbpasswd -U lame" and changing the password on the samba server, I see that it's updated in the ldap config:

# lame, people, mycompany.com
dn: uid=lame,ou=people,dc=mycompany,dc=com
sambaPwdLastSet: 1227212413


But attempts to join the domain end with "The user name could not be found".

Debugging samba shows:

sh: /usr/sbin/adduser: Permission denied
[2008/11/20 15:23:50, 0] passdb/pdb_interface.c:pdb_default_create_user(329)
_samr_create_user: Running the command `/usr/sbin/adduser --shell /bin/false --disabled-password --quiet --gecos "machine account" --force-badname winxpvm$' gave 126
[2008/11/20 15:23:50, 5] lib/username.c:Get_Pwnam_alloc(131)
Finding user WINXPVM$
[2008/11/20 15:23:50, 5] lib/username.c:Get_Pwnam_internals(75)
Trying _Get_Pwnam(), username as lowercase is winxpvm$
[2008/11/20 15:23:50, 5] lib/username.c:Get_Pwnam_internals(83)
Trying _Get_Pwnam(), username as given is WINXPVM$
[2008/11/20 15:23:50, 5] lib/username.c:Get_Pwnam_internals(102)
Checking combinations of 0 uppercase letters in winxpvm$
[2008/11/20 15:23:50, 5] lib/username.c:Get_Pwnam_internals(108)
Get_Pwnam_internals didn't find user [WINXPVM$]!

Clearly this was an SELinux problem, so I disabled SELinux temporarily.

I then noticed this in the log:

[2008/11/20 16:44:28, 5] lib/username.c:Get_Pwnam_internals(108)
Get_Pwnam_internals didn't find user [WINXPVM$]!
/usr/sbin/adduser: unrecognized option `--disabled-password'


So that is not a valid option with the CentOS/RHEL version of adduser.


After changing the add machine script to:

add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u


I still get the "The user name could not be found" error.


So after all this, my questions are:

Why doesn't the wiki refer to using the smbldap tools for manipulating samba-ldap accounts? (Especially the add machine script).

Why do I have to set the password for my domain admin account with smbpasswd before I use it to add a Windows machine to the domain?

Last edited by jmartin; 11-24-2008 at 01:17 PM..
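The NT_STATUS_PASSWORD_MUST_CHANGE symptom described in this post comes from the way Samba 3 reads sambaPwdLastSet from LDAP: an entry whose sambaPwdLastSet is missing or 0 is treated as "password must be changed now", which is what an account created only through the Zimbra admin UI looks like. The following script is an added example, not code from the thread or from Zimbra or Samba; it scans LDIF (such as ldapsearch output) and lists the sambaSamAccount entries that would trigger the error. The SAMPLE_LDIF contents and the function names find_must_change and must_change_dns are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): find LDAP accounts whose Samba
# attributes make smbd answer NT_STATUS_PASSWORD_MUST_CHANGE.
# A sambaSamAccount with no sambaPwdLastSet, or sambaPwdLastSet: 0, is
# treated by Samba 3 as "password must change now".

# Constructed sample LDIF, modelled on the ldapsearch output in the thread.
SAMPLE_LDIF=$(cat <<'EOF'
# root, people, mycompany.com
dn: uid=root,ou=people,dc=mycompany,dc=com
objectClass: sambaSamAccount
sambaPwdLastSet: 1227077872

# lame, people, mycompany.com
dn: uid=lame,ou=people,dc=mycompany,dc=com
objectClass: sambaSamAccount

# expired, people, mycompany.com
dn: uid=expired,ou=people,dc=mycompany,dc=com
objectClass: sambaSamAccount
sambaPwdLastSet: 0

# nosamba, people, mycompany.com
dn: uid=nosamba,ou=people,dc=mycompany,dc=com
objectClass: inetOrgPerson
EOF
)

# Read LDIF on stdin; print one DN per line for every sambaSamAccount entry
# that has no usable sambaPwdLastSet. Entries are separated by blank lines.
find_must_change() {
    awk '
        function flush() {
            if (dn != "" && samba && (!seen || lastset == 0)) print dn
            dn = ""; samba = 0; seen = 0; lastset = 0
        }
        /^dn: /                         { flush(); dn = substr($0, 5) }
        /^objectClass: sambaSamAccount/ { samba = 1 }
        /^sambaPwdLastSet: /            { seen = 1; lastset = $2 + 0 }
        /^$/                            { flush() }
        END                             { flush() }
    '
}

# Space-joined list of affected DNs from the constructed sample.
must_change_dns() {
    printf '%s\n' "$SAMPLE_LDIF" | find_must_change | tr '\n' ' ' | sed 's/ $//'
}

# Report each affected account with the remedy used later in the thread:
# "smbpasswd <uid>" on the Samba server sets the NT hash and sambaPwdLastSet.
printf '%s\n' "$SAMPLE_LDIF" | find_must_change | while read -r dn; do
    printf 'password must change: %s (remedy: smbpasswd <uid>)\n' "$dn"
done
```

To run it against a live directory instead of the embedded sample, pipe the output of an ldapsearch for "(objectClass=sambaSamAccount)" into find_must_change; the uid=root entry with a real timestamp is not reported, the entry lacking the attribute and the one set to 0 are.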
#2
Old 11-24-2008, 07:40 AM
Junior Member
 
Posts: 5

Going to give this another shot today... No reason why it should be this difficult, and I'm sure someone has done it already. I can't afford to spend more time on this, and it sucks because I was looking forward to getting rid of Windows.
#3
Old 11-24-2008, 11:59 AM
Junior Member
 
Posts: 5

Success! I'm able to join a machine to a domain, and authenticate. Changing passwords from the Windows machine failed to update the password when logging into the Zimbra web interface. Although, if I change the password on the web interface, I can use that password successfully on Windows. This seems slightly backwards and not the same problem that most people have. I do have LDAP sync enabled.

Is this a known issue? I'll post a write-up as soon as I work out the rest of the kinks.

Last edited by jmartin; 11-24-2008 at 12:55 PM..
#4
Old 11-24-2008, 01:16 PM
Junior Member
 
Posts: 5

Ok, the kinks have been worked out. One of the biggest issues is the buggy Samba that ships with CentOS/RHEL 5.2. I pulled the Samba RPMs for RHEL 5.3 beta into the mix, and it definitely seemed to help. Some other issues: the /etc/samba/smb.conf listed does not work with a CentOS install. Here is a working smb.conf file for a CentOS install:



[global]

workgroup = MYCOMP
server string = Samba Server Version %v

netbios name = MYCOMPDC

# --------------------------- Logging Options -----------------------------
#
# Log File lets you specify where to put logs and how to split them up.
#
# Max Log Size lets you specify the max size log files should reach

# logs split per machine
log file = /var/log/samba/%m.log
log level = 5

# max 50KB per log file, then rotate
; max log size = 50

# ----------------------- Standalone Server Options ------------------------
#
# Security can be set to user, share(deprecated) or server(deprecated)
#
# Backend to store user information in. New installations should
# use either tdbsam or ldapsam. smbpasswd is available for backwards
# compatibility. tdbsam requires no further configuration.

# A domain controller (domain logons = yes) runs with user-level security;
# "security = domain" is for member servers, so it is not repeated below.
security = user
passdb backend = ldapsam:ldap://zimbra.mycompany.com/
ldap admin dn = "cn=config"
ldap suffix = dc=mycompany,dc=com
ldap group suffix = ou=groups
ldap user suffix = ou=people
ldap machine suffix = ou=machines

ldap passwd sync = yes
socket options = TCP_NODELAY
obey pam restrictions = no
domain master = yes
domain logons = yes
local master = yes
os level = 33
preferred master = yes
wins support = yes
# the login script name depends on the machine name
logon script =
# disables profiles support by specifying an empty path
logon path =

add user script = /usr/sbin/useradd "%u" -n -g users
add group script = /usr/sbin/groupadd "%g"
add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
delete user script = /usr/sbin/userdel "%u"
# remove the membership only; userdel here would delete the user account
delete user from group script = /usr/bin/gpasswd -d "%u" "%g"
delete group script = /usr/sbin/groupdel "%g"


load printers = yes
cups options = raw

; printcap name = /etc/printcap
# obtain list of printers automatically on SystemV
; printcap name = lpstat
; printing = cups

# --------------------------- Filesystem Options ---------------------------
#
# The following options can be uncommented if the filesystem supports
# Extended Attributes and they are enabled (usually by the mount option
# user_xattr). These options will let the admin store the DOS attributes
# in an EA and make samba not mess with the permission bits.
#
# Note: these options can also be set just per share, setting them in global
# makes them the default for all shares

; map archive = no
; map hidden = no
; map read only = no
; map system = no
; store dos attributes = yes



[printers]
comment = All Printers
path = /var/spool/samba
browseable = no
guest ok = no
writable = no
printable = yes

# Un-comment the following and create the netlogon directory for Domain Logons
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
writable = no
share modes = no


After creating my initial domain admin group and domain admin user (named him domainadmin), I did have to update that user's password with:

smbpasswd domainadmin

That was the only way to get rid of the "NT_STATUS_PASSWORD_MUST_CHANGE" error.

Also, to get Samba to work properly with SELinux, I had to run the following commands:

setsebool -P samba_domain_controller on
setsebool -P samba_enable_home_dirs on
setsebool -P samba_export_all_ro on
setsebool -P samba_export_all_rw on

And of course you have to open the requisite samba ports in iptables.


I'm still at a loss as to why if I change my password on the Windows machine it doesn't sync with the password for the Zimbra interface, but the reverse does work.
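Two of the pitfalls in this thread are visible from the smb.conf text alone: a key repeated inside [global] (Samba silently keeps the last value, so a stray "security = domain" after "security = user" changes how a PDC authenticates), and account-management hooks that do something other than what their name says (a "delete user from group script" that calls userdel removes the whole account, and the wiki's adduser "--disabled-password" option does not exist on CentOS/RHEL). The script below is an added example, not code from the thread, the wiki or Samba; SAMPLE_SMB_CONF is a constructed file containing those mistakes, and the function names lint_duplicates, lint_hooks, dup_keys_joined and hook_finding_count are my own.

```shell
#!/bin/sh
# Added example (not from the thread): lint an smb.conf for duplicated keys
# and for account-management hooks that do not do what their name says.

# Constructed sample smb.conf carrying the problems discussed in the thread.
SAMPLE_SMB_CONF=$(cat <<'EOF'
[global]
workgroup = MYCOMP
security = user
passdb backend = ldapsam:ldap://zimbra.mycompany.com/
ldap passwd sync = yes
security = domain
local master = yes
domain master = yes
add machine script = /usr/sbin/adduser --shell /bin/false --disabled-password --quiet --gecos "machine account" --force-badname %u
delete user from group script = /usr/sbin/userdel "%u" "%g"
local master = yes
; max log size = 50

[netlogon]
path = /var/lib/samba/netlogon
guest ok = yes
EOF
)

# Print "section/key" for every key that appears more than once in a section.
# Comments (# or ;) and blank lines are ignored; keys are case-insensitive.
lint_duplicates() {
    awk -F= '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { sect = $0; gsub(/\[|\]|[ \t]/, "", sect); next }
        {
            key = $1
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/[ \t]+/, " ", key)
            n[sect "/" tolower(key)]++
        }
        END { for (k in n) if (n[k] > 1) print k }
    ' | sort
}

# Flag hook scripts that would delete accounts, use a Debian-only adduser
# option, or give machine accounts a real login shell.
lint_hooks() {
    awk '
        /^[ \t]*[#;]/ { next }
        tolower($0) ~ /^[ \t]*delete user from group script[ \t]*=/ && /userdel/ {
            print "delete user from group script: userdel removes the account, not the membership"
        }
        tolower($0) ~ /^[ \t]*add machine script[ \t]*=/ {
            if ($0 ~ /--disabled-password/)
                print "add machine script: --disabled-password is a Debian adduser option, unknown on CentOS/RHEL"
            if ($0 !~ /\/bin\/false|\/sbin\/nologin/)
                print "add machine script: machine account would get a login shell"
        }
    '
}

# Helpers exposing the results of the sample run as single strings.
dup_keys_joined()    { printf '%s\n' "$SAMPLE_SMB_CONF" | lint_duplicates | tr '\n' ';'; }
hook_finding_count() { printf '%s\n' "$SAMPLE_SMB_CONF" | lint_hooks | awk 'END { print NR }'; }

# Report on the constructed sample.
printf '%s\n' "$SAMPLE_SMB_CONF" | lint_duplicates | sed 's/^/duplicate key (last value wins): /'
printf '%s\n' "$SAMPLE_SMB_CONF" | lint_hooks
```

Run it as "sh lint-smb.sh" to see the sample findings, or replace the sample with "cat /etc/samba/smb.conf" piped into the two functions; "testparm" will also show you the effective value Samba keeps for a duplicated key, but it does not warn about the hook scripts.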
#5
Old 12-05-2008, 11:51 AM
Member
 
Posts: 13

JMartin,

Thanks so much for this post and your research. Like you, I got about 95% there from the wiki page, but also using CentOS 5.2, I had strange problems about not getting machines to join the domain, etc.

Your rework of the smb.conf file is priceless.

I can now have machines join the domain thanks to your post.

Thanks again.

-Ron
#6
Old 01-09-2009, 03:28 AM
Starter Member
 
Posts: 1

Sorry for my silly question:

Using those parameters:
-------------------------
add user script = /usr/sbin/useradd "%u" -n -g users
add group script = /usr/sbin/groupadd "%g"
add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
delete user script = /usr/sbin/userdel "%u"
delete user from group script = /usr/sbin/userdel "%u" "%g"
delete group script = /usr/sbin/groupdel "%g"
-------------------------

are you telling Samba to use the internal DB instead of LDAP?

If it's true, your LDAP server is empty.

Another point is that

/usr/sbin/useradd -n -c "Workstation (%u)" -M -d

means that computers are just "regular users" and they can log on on clients. This is very, very bad.


Thank you.

storto