Zimbra offers Open Source email server software and shared calendar for Linux and the Mac

#1
12-12-2009, 06:14 AM
Loyal Member
Posts: 81
unable to join XP to zimbra/samba domain

I've successfully followed the great zimbra+samba howto, and can add new users, provision old users, and they can now successfully map samba shares to their windows machines no problem. It even auto-creates their home directories!

However, I am unable to join any machines to the domain...

I get the error "the user name could not be found" (I use user name mikey, who is a member of the Domain Admins group.)

Note: if I try using a username that is not in the "domain admins" group, I get the error "login failure unknown user name or bad password"

Zimbra admin shows domain admins group is the special windows group domain admins, type 2, and net rpc rights list "MY-DOMAIN\Domain Admins" shows:
SeMachineAccountPrivilege
SePrintOperatorPrivilege
SeAddUsersPrivilege

The other error I got during the installation process was when I enter "smbpasswd -a root", I get this error: "ldapsam_modify_entry: LDAP Password could not be changed for user root: Insufficient access" -- I only mention this in case it's related to the above problem...

I have watched the logs on both machines and don't see any messages when I try to join the machine to the domain - (maybe I just don't know where to look....!)

thanks in advance for any help!!

I'm running zm6.03 on centos5.4 x86_64
Here are my configs (comments stripped out):

ldap.conf:
base dc=myowndomain,dc=org
binddn uid=zmposix,cn=appaccts,cn=zimbra
bindpw mysecretpw
rootbinddn uid=zmposixroot,cn=appaccts,cn=zimbra
bind_policy soft
timelimit 120
idle_timelimit 3600
uri ldap://10.224.0.100/
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
_____________________________

smb.conf:
[global]
workgroup = MY-DOMAIN
netbios name = MYSERVER
os level = 33
preferred master = yes
enable privileges = yes
server string = %h server (Samba)
wins support =yes
dns proxy = no
name resolve order = wins bcast hosts
log file = /var/log/samba/log.%m
log level = 3
max log size = 1000
syslog only = no
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = user
encrypt passwords = true
ldap passwd sync = yes
passdb backend = ldapsam:ldap://10.224.0.100/
ldap admin dn = "uid=zmposixroot,cn=appaccts,cn=zimbra"
ldap suffix = dc=myrealdomain,dc=org
ldap group suffix = ou=groups
ldap user suffix = ou=people
ldap machine suffix = ou=machines
obey pam restrictions = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
domain logons = yes
logon path = \\10.224.0.111\%U\profile
logon home = \\10.224.0.111\%U
logon script = logon.cmd
add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
add machine script = /usr/sbin/adduser --shell /bin/false --disabled-password --quiet --gecos "machine account" --force-badname %u
socket options = TCP_NODELAY
domain master = yes
local master = yes

_______________________

system-auth:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session required pam_oddjob_mkhomedir.so skel=/etc/skel umask=0077
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
#2
12-12-2009, 05:05 PM
Loyal Member
Posts: 81

I just did a fresh install (samba only) on another server, and get the same results - all users can map drives, their home dir auto-builds on first login, no problems. I simply can't add machines to the domain.

PS. It is cool that you can "replace" your samba server but still have all your users and accounts when you connect to the zimbra server...(save your config files!)
#3
12-13-2009, 01:44 AM
Loyal Member
Posts: 81

Got it working - seems to be some sort of issue with domain name vs netbios name. I left the Workgroup (same as domain in windows) = MY-DOMAIN (which does resolve in dns) and also changed the netbios name to one that resolves through dns too, and now I can add machines to the domain..(!) Hey whatever works.

Still can't smbpasswd -a root though...
#4
12-13-2009, 07:42 PM
Loyal Member
Posts: 81

Dang it! NOT WORKING...

What actually happened, was when I couldn't join a machine, I ended up changing (in smb.conf) both the Workgroup AND the netbios name to MY-DOMAIN - and then the workstation can join the server. HOWEVER, of course once it is joined, and I reboot the workstation, it can't contact the server because "there's a duplicate name on the network" and domain controller cannot be contacted... Once I put the Netbios name back to something else (that resolves in dns) I can log in to the xp workstation as a domain user. so I THOUGHT it was working....

but I can't add another workstation to the domain (presumably until I set the Workgroup AND netbios name both to MY-DOMAIN - and after joining the workstation presumably I can log back in only after fixing the duplicate name..(@@!!).

What have I done?
Wonder if it's a prob with smb 3.0.33...
#5
12-13-2009, 09:10 PM
Loyal Member
Posts: 81

OK now making progress... Major thank-yous to Chapter 8. Updating Samba-3

I can now join machines plus log in... Trying to reconstruct my errors:
I guess for starters, the smb.conf example file from the "unix and windows accounts in Zimbra ldap and zimbra admin ui 6" how-to is set up for ubuntu, and the create machine section doesn't work with centos/redhat - however, you can copy in the section from the original centos smb.conf, and that works - HOWEVER
I didn't discover that until I had installed a 2nd samba server, (my first one was just on a temp machine just for testing), and that SCREWED UP my SIDs... (this is an easy trap since it "sorta works", no errors, and users/groups work just fine - maybe since the SID is also stored on the zimbra ldap server..) so I figured - hey, zimbra likes the new server just the same as the original one...! but a quick "net getlocalsid MY-DOMAIN" will set you straight - you need to do the command for both the Workgroup, AND the netbios name (smb.conf). Mine didn't match - one was the old sid and one the new one.

The great help from SMB's website got it working MUCH BETTER NOW.

I'm not sure if I'll find any other problems, but I'll start testing workstations now...

PS. If you're fighting a technical (or other problem), remember to ask our heavenly Father for help. After all the difficulties I've had with this, I finally just stopped and prayed for guidance - I can't say how, but almost immediately I just typed in a url that linked me to the above smb page, and it directly took me to the solution. God knows about tech stuff -- AND cares enough to help!
Peace

Last edited by mickier; 12-13-2009 at 09:21 PM..
#6
12-17-2009, 11:50 PM
Starter Member
Posts: 2

I got the same problem, can you post your configuration?
#7
12-26-2009, 03:41 PM
Loyal Member
Posts: 81

cuongjr,
they're at the top of this thread - the change I made was to substitute the add user script and add machine script from my original centos smb.conf file.

PS. In my case, the first couple machines I added got "stepped on" when I provisioned users from the command line, just watch those pesky userid numbers - the machines are added as "users", and you need to save userid numbers for them!
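An added consistency check (not from the thread, and not Zimbra's or Samba's own code) that flags the three configuration traps this thread walks into: a netbios name equal to the workgroup (post #4's "duplicate name on the network"), Debian-only adduser options in the add machine / add user scripts on a CentOS host (posts #5 and #7), and an smb.conf ldap suffix that does not match the ldap.conf base. The sample files are constructed from the values posted above; the list of Debian-only adduser options is my assumption about what the RHEL useradd rejects.

```python
# Options understood by Debian/Ubuntu adduser but not by the useradd that
# /usr/sbin/adduser points to on CentOS/RHEL (assumption for this example).
DEBIAN_ADDUSER_ONLY = ("--disabled-password", "--disabled-login",
                       "--force-badname", "--gecos", "--quiet", "--ingroup")

def parse_ini(text):
    """Parse smb.conf-style 'key = value' lines into {section: {key: value}}."""
    conf, section = {}, None
    for line in (ln.split("#")[0].split(";")[0].strip() for ln in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][key.strip().lower()] = value.strip()
    return conf

def parse_ldap_conf(text):
    """Parse nss_ldap /etc/ldap.conf: first token is the key, the rest the value."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            opts[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return opts

def check_pdc(smb_text, ldap_text):
    """Return findings for the pitfalls hit in this thread (empty list = clean)."""
    g = parse_ini(smb_text).get("global", {})
    base = parse_ldap_conf(ldap_text).get("base", "").lower()
    findings = []
    wg = g.get("workgroup", "")
    if wg and wg.lower() == g.get("netbios name", "").lower():
        findings.append("netbios name equals workgroup: duplicate NetBIOS name")
    for key in ("add user script", "add machine script"):
        bad = [o for o in DEBIAN_ADDUSER_ONLY if o in g.get(key, "")]
        if bad:
            findings.append("%s uses Debian-only adduser options: %s" % (key, " ".join(bad)))
    suffix = g.get("ldap suffix", "").lower()
    if suffix and base and suffix != base:
        findings.append("ldap suffix %s differs from ldap.conf base %s" % (suffix, base))
    return findings

# Constructed sample: the smb.conf state from post #4 plus the ldap.conf base from post #1.
SAMPLE_SMB = """[global]
workgroup = MY-DOMAIN
netbios name = MY-DOMAIN
ldap suffix = dc=myrealdomain,dc=org
add machine script = /usr/sbin/adduser --shell /bin/false --disabled-password --quiet --gecos "machine account" --force-badname %u
"""
SAMPLE_LDAP = "base dc=myowndomain,dc=org\nuri ldap://10.224.0.100/\n"
```

Running `check_pdc(SAMPLE_SMB, SAMPLE_LDAP)` returns one finding per trap; a config with a distinct netbios name, a useradd-style machine script and a matching suffix returns an empty list.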