Windows 7 cannot join samba domain
Try changing the script from "smbldap-useradd -w -i %u" to "smbldap-useradd -W %u". This should resolve your issue.
Antonis Christofides
Updated on September 18, 2022
Comments
Antonis Christofides almost 2 years
I have a 3.5.6 samba server with a LDAP backend (both on Debian 6.0). I've been successfully adding Windows XP machines to the domain for years. I now try to add Windows 7. I have made the recommended registry changes, but I don't have any success so far. Here is what happens:
1. I go to computer name, select "Domain" instead of "Workgroup", type in the domain name, click OK. It asks me for the username and password of an account that can add computers to the domain; I enter them. After about 40 seconds, I get the following message:
The following error occurred attempting to join the domain "ITIA":
The specified computer account could not be found. Contact an administrator to verify the account is in the domain. If the account has been deleted unjoin, reboot, and rejoin the domain.
Despite this, the samba server successfully creates the computer account.
2. Therefore, if I try again a second time, without deleting the already created computer account, I get a different error:
The following error occurred attempting to join the domain "ITIA":
The specified account already exists.
(Note that until a while ago samba wasn't configured to automatically create computer accounts. What I did whenever I wanted an XP to join was to manually create it. When I first attempted to solve the Windows 7 join problem, I set up samba to do this automatically, as this is what most people do, as I understand, and I thought that it might be related. I haven't attempted to add an XP since I made this change, so I don't know if it works, but whether it works or not, the problem remains.)
Update 1: Here are the relevant parts of smb.conf:
[global]
panic action = /usr/share/samba/panic-action %d
workgroup = ITIA
server string = Itia file server
announce as = NT
interfaces = 147.102.160.1
volume = %h
passdb backend = ldapsam:ldap://ldap.itia.ntua.gr:389
ldap admin dn = uid=samba,ou=daemons,dc=itia,dc=ntua,dc=gr
ldap ssl = off
ldap suffix = dc=itia,dc=ntua,dc=gr
ldap user suffix = ou=people
ldap group suffix = ou=groups
ldap machine suffix = ou=computers
unix password sync = no
add machine script = smbldap-useradd -w -i %u
log file = /var/log/samba/samba-log.all
log level = 3
max log size = 5000
syslog = 2
socket options = SO_KEEPALIVE TCP_NODELAY
encrypt passwords = true
password level = 1
security = user
domain master = yes
local master = no
wins support = yes
domain logons = yes
idmap gid = 1000-2000
Update 2: The server has a single network interface, eth1 (also an unused eth0 that shows up only in the kernel boot messages), and two IP addresses: the main one, 147.102.160.1, and an additional one, 147.102.160.37, that comes up with "ip addr add 147.102.160.37/32 dev eth1" (used only for a web site that has a different certificate than other web sites served from the same machine). One of the problems I recently faced was that samba was using the latter IP address. I fixed that by adding the "interfaces = 147.102.160.1" statement in smb.conf.
Now:
acheloos:/etc/apache2# tcpdump host 147.102.160.40 and not port 5900
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
13:13:56.549048 IP lithaios.itia.civil.ntua.gr.netbios-dgm > 147.102.160.255.netbios-dgm: NBT UDP PACKET(138)
13:13:56.549056 ARP, Request who-has acheloos2.itia.civil.ntua.gr tell lithaios.itia.civil.ntua.gr, length 46
13:13:56.549091 ARP, Reply acheloos2.itia.civil.ntua.gr is-at 00:10:4b:b4:9e:59 (oui Unknown), length 28
13:13:56.549324 IP acheloos.itia.civil.ntua.gr.netbios-dgm > lithaios.itia.civil.ntua.gr.netbios-dgm: NBT UDP PACKET(138)
13:13:56.549608 IP lithaios.itia.civil.ntua.gr.netbios-dgm > acheloos2.itia.civil.ntua.gr.netbios-dgm: NBT UDP PACKET(138)
13:13:56.549741 IP acheloos.itia.civil.ntua.gr.netbios-dgm > lithaios.itia.civil.ntua.gr.netbios-dgm: NBT UDP PACKET(138)
13:13:56.550364 IP lithaios.itia.civil.ntua.gr.netbios-dgm > acheloos.itia.civil.ntua.gr.netbios-dgm: NBT UDP PACKET(138)
13:13:56.550468 IP acheloos.itia.civil.ntua.gr.netbios-dgm > lithaios.itia.civil.ntua.gr.netbios-dgm: NBT UDP PACKET(138)
(acheloos2 is the second IP address, 147.102.160.37). The above dump occurs when I click "OK" (to join the domain), until it asks me for the username and password of a user that can join the domain. I don't know why the client is contacting the second IP address. I tried temporarily deactivating it, but I still had some related ARP traffic (though I think not IP traffic).
MichelZ about 12 years: Any logs on the samba-side of things?
Olivier S about 12 years: Can you show us the samba configuration?
Antonis Christofides about 12 years: If I remove -i, the ldap entry created is not a sambaSamAccount and does not contain the necessary attributes, such as sambaLMPassword, sambaSID, and so on. The error message in that case is "The specified computer account could not be found" regardless of whether it is the first or second try. I don't understand what good it would do to change the %u; the entry in LDAP is created correctly with the uid lithaios$.
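An added check, not code from the question, the answer, or smbldap-tools: it reads an LDIF export of the machine-account OU and flags entries that lack what the comment above reports missing without -i, namely the sambaSamAccount objectClass, a sambaSID and the workstation flag in sambaAcctFlags. The LDIF is constructed to resemble the lithaios$ entry; SIDs and uidNumbers are made up.

```python
import re

# Constructed LDIF modelled on the lithaios$ entry from the question (values made up):
# the first entry is a usable workstation trust account, the second is the kind created without -i.
SAMPLE_LDIF = """\
dn: uid=lithaios$,ou=computers,dc=itia,dc=ntua,dc=gr
objectClass: posixAccount
objectClass: sambaSamAccount
uid: lithaios$
uidNumber: 1105
gidNumber: 515
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3210
sambaAcctFlags: [W          ]

dn: uid=broken$,ou=computers,dc=itia,dc=ntua,dc=gr
objectClass: posixAccount
uid: broken$
uidNumber: 1106
gidNumber: 515
"""

def parse_ldif(text):
    """Minimal LDIF reader: list of {attr: [values]} dicts; unfolds continuation lines."""
    entries = []
    for block in re.sub(r"\n ", "", text).strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def check_machine_account(entry):
    """Return what would stop a Samba 3 ldapsam PDC from treating this entry as a workstation trust account."""
    problems = []
    if not entry.get("uid", [""])[0].endswith("$"):
        problems.append("uid does not end with '$'")
    if "sambaSamAccount" not in entry.get("objectClass", []):
        problems.append("missing objectClass sambaSamAccount")
    if not entry.get("sambaSID"):
        problems.append("missing sambaSID")
    if "W" not in entry.get("sambaAcctFlags", [""])[0]:
        problems.append("sambaAcctFlags does not mark a workstation ([W ])")
    return problems

def audit(text):
    """Map each entry's uid to its list of problems (empty list = looks usable)."""
    return {e["uid"][0]: check_machine_account(e) for e in parse_ldif(text)}
```

Run it against "ldapsearch -LLL -b ou=computers,dc=itia,dc=ntua,dc=gr" output to see which machine entries the add machine script actually produced correctly.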
Richard de Wit about 12 years: The %u switch to %m was suggested because of the error "The specified computer account could not be found", so perhaps Windows 7 checks on a different layer than XP.
Antonis Christofides about 12 years: I tried it. %m has exactly the same results as %u.
Antonis Christofides about 12 years: I don't see any -W in the man page of smbldap-useradd.
Antonis Christofides about 12 years: smbldap-tools 0.9.7 does have a -W parameter, but I'm running 0.9.5, which doesn't seem to (at least not in the documentation). But why should this parameter solve the problem? What does this have to do with "manual addition of samba attributes"?
Antonis Christofides about 12 years: I'll be damned! 0.9.5 does have the (undocumented) -W parameter, and it did kind of solve the problem. Still, the first time I tried to join, it gave me the "account could not be found" message, but the second time it joined the domain!
Antonis Christofides about 12 years: I'd like to have more time to investigate this issue, but I certainly won't be able to do so before the bounty period ends. Therefore, I award you the bounty. It would be nice, however, if you could elaborate a little bit on the issue. I guess that many people are using a PDC with LDAP, and it strikes me why only I seem to have faced this problem.