Topic: PDC

[glc]

I followed the guide at http://www.familybrown.org/howtos/samba-upgrade-howto-2.html, but I get the following error when attempting to switch my Win2k PC from workgroup to domain:

Your computer could not be joined to the domain because the following error has occured:

The account used is a computer account.  Use your global user account or local user account to access this server.

I've tried renaming the workgroup on the Win2k machine and restarting.  I've tried w/ and w/o the user already created on SME.  I've tried logging into Win2k w/ a different user.  All return this same error.

TIA>

[guestFF]

Try do a search in these forums, and you will find:

http://myezserver.com/docs/mitel/samba-upgrade-howto.html


HFW

[Greg Zartman]

When asked to authenticate the join, did you use the username root and the root password?  You should also be logged in on the client machine as the administrator.  

This can be very confusing.  I'll summarize:

1.  Log onto your Windows machine as the administrator.
2.  When asked to authenticate joining the machine to your domain, input the username root and the root password.

Regards,

Greg Zartman

[Greg Zartman]

One thing I left out....

In order for all of the previous to work, you need to have the Unix root username in your smbpasswd database.  Did you follow these steps in the Samba Howto?

[root@e-smith /root]# smbpasswd -add root
Added user root.

[root@e-smith /root]# smbpasswd root
New SMB password:
Retype new SMB password:
Password changed for user root. User has disabled flag set.

[root@e-smith /root]# smbpasswd -e root
Enabled user root.


Greg Zartman

[glc]

> When asked to authenticate the join, did you use the username
> root and the root password?  
Yes, I logged in as root and used the root password.


>You should also be logged in on
> the client machine as the administrator.
The username I'm using under Windows is the built-in administrator account renamed,  so yes, the user has admin rights.


> 1.  Log onto your Windows machine as the administrator.
> 2.  When asked to authenticate joining the machine to your
> domain, input the username root and the root password.
That's exactly what I did.


> In order for all of the previous to work, you need to have
> the Unix root username in your smbpasswd database.  Did you
> follow these steps in the Samba Howto?
>
> [root@e-smith /root]# smbpasswd -add root
> Added user root.
>
> [root@e-smith /root]# smbpasswd root
> New SMB password:
> Retype new SMB password:
> Password changed for user root. User has disabled flag set.
>
> [root@e-smith /root]# smbpasswd -e root
> Enabled user root.
Yes, I executed all of those steps.

[Greg Zartman]

OK, time to do a little troubleshooting then.

1.Terminal into your server and issue the command smbstatus.  Samba will reprocess your smb.conf file and report any issues.  Browser through the output and verify that you don't have any errors in your smb.conf file.

2.  From the terminal session, issue the command smbclient -U% -L localhost.  Samba will attempt to query itself for information.  You should see a list of your current samba shares, the netbios name of the server, the workgroup name, and your current Master browser (this should be your samba server).  If you don't get a response from samba or you get an error, then try step 3.  Skip #3 if Samba reports good information.

3.  Make note of your current server time then issue the following command in a terminal sesstion /etc/rc.d/init.d/smb restart.   Now, have a look at the samba log files for the time that you noted: /var/log/samba/log.smbd  and /var/log/samba/log.nmbd.  If you see any errors with samba then I'd recommend that you go back to the Samba HOWTO and start over.  This howto is pretty solid.

If everything appears to be OK with Samba, then you'll need to play around with the client machine a bit.    Here are a few suggestions.
1.  Make sure you are only using the TCP/IP protocol and that you have the Enable TCP/IP over NETBIOS option selected in the WINS section.  
2.  Issue the IPCONFIG command on your client machine and verify that you have a valid ip address, DNS IP, and WINS IP.  If any of these are missing, then you'll need to fix your client network settings.
3.  Try pinging the server from your client machine.  If you don't get a response form the server, then you have a basic network problem.
4.  When joining the domain, try changing the host name on the client machine.  It's possible the Samba "glitched" while trying to add the machine and you have a partial machine account on the server.


This is about all I can think of without sitting in front of your machine or looking at Samba log entries.  If you are still having problems and your client machine doesn't have any network issue, set your samba log level to 5 and send me the samba log files for the time period that you attempted to add the machine (greg@kwikfind.com)

Good luck.

Greg

[glc]

> 1.Terminal into your server and issue the command smbstatus.
> Samba will reprocess your smb.conf file and report any
> issues.  Browser through the output and verify that you don't
> have any errors in your smb.conf file.
The output returned from that command is as follows:

Unknown parameter encountered: "share modes"
Ignoring unknown parameter "share modes"

Samba version 2.2.2
Service          uid          gid          pid          machine
---------------------------------------------------------------------------

No locked files


> 2.  From the terminal session, issue the command smbclient
> -U% -L localhost.  Samba will attempt to query itself for
> information.  You should see a list of your current samba
> shares, the netbios name of the server, the workgroup name,
> and your current Master browser (this should be your samba
> server).  If you don't get a response from samba or you get
> an error, then try step 3.  Skip #3 if Samba reports good
> information.
All looks good.  My ibays appear, as well as my SME server, clients and the current workgroup.  Master = my SME server.


> 1.  Make sure you are only using the TCP/IP protocol and that
> you have the Enable TCP/IP over NETBIOS option selected in
> the WINS section.
Yes and yes.


> 2.  Issue the IPCONFIG command on your client machine and
> verify that you have a valid ip address, DNS IP, and WINS IP
IP address:
    client 2:      192.168.1.4
    client 1:      192.168.1.3 (the system I'm currently attemtping to domain)
    SME:         192.168.1.2
    DSL router: 192.168.1.1

DNS:
    client 1&2: my ISP's DNS
    SME: Not sure.  From http://host_name/server-manager under "Review configuration"/"Server names", 192.168.1.2 is listed as the DNS server
    router: correct

WINS tab under both clients:
    WINS address, in order of use: empty
    Enable LMHOSTS lookup is CHECKED
    Enable NetBIOS over TCP/IP is SELECTED


> 3.  Try pinging the server from your client machine.  If you
> don't get a response form the server, then you have a basic
> network problem.
Server is pingable from both clients.


> 4.  When joining the domain, try changing the host name on
> the client machine.  It's possible the Samba "glitched" while
> trying to add the machine and you have a partial machine
> account on the server.
Tried that.

[sage]

are you in the same workgroup as the domain you are trying to join? if so on your windows box change the workgroup to somthing else. reboot then try to join the domin.

sage

[glc]

Windows 2000 IP Configuration



   Host Name . . . . . . . . . . . . : glc
   Primary DNS Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Broadcast

   IP Routing Enabled. . . . . . . . : No

   WINS Proxy Enabled. . . . . . . . : No


Ethernet adapter Local Area Connection:



   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : SiS 900 PCI Fast Ethernet Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00

   DHCP Enabled. . . . . . . . . . . : No

   IP Address. . . . . . . . . . . . : 192.168.1.3

   Subnet Mask . . . . . . . . . . . : 255.255.255.0

   Default Gateway . . . . . . . . . : 192.168.1.1

   DNS Servers . . . . . . . . . . . : 216.x.x.x
                                       216.x.x.x

[glc]

sage wrote:
>
> are you in the same workgroup as the domain you are trying to
> join? if so on your windows box change the workgroup to
> somthing else. reboot then try to join the domin.
>
> sage

tried that

[Greg Zartman]

OK, I'm 95% sure then that this is an authentication issue.  You either aren't truely the administrator on your client machine and/or you don't have root setup as a samba username.  

Triple check this on your SME server..  Initiate the command smbpasswd root and when prompted, input your password.

After you've done this, attempt to connect to a share from the SME server.  Terminal into your SME server in input the command:

smbclient //servername/Primary -U root%rootpassword

Note: you will need to subsititue for servername and rootpassword.

After you hit return, you sould see something like this:

INFO: Debug class all level = 2   (pid 14353 from pid 14353)
added interface ip=127.0.0.1 bcast=127.255.255.255 nmask=255.0.0.0
added interface ip=192.168.0.1 bcast=192.168.0.255 nmask=255.255.255.0
Got a positive name query response from 127.0.0.1 ( 192.168.0.1 )
Domain=[LEIINC.COM] OS=[Unix] Server=[Samba 2.2.2]
smb: \>

If you don't then your root username is messed up in the smbpasswd file.  You may have to delete it manually by bringing the smbpasswd file up in a text editor (BE VERY CAREFUL when messing with this file).

Greg

[glc]

Greg Zartman wrote:
>
> OK, I'm 95% sure then that this is an authentication issue.
> You either aren't truely the administrator on your client
> machine and/or you don't have root setup as a samba username.
>
> Triple check this on your SME server..  Initiate the command
> smbpasswd root and when prompted, input your password.
OK...done


> After you've done this, attempt to connect to a share from
> the SME server.  Terminal into your SME server in input the
> command:
>
> smbclient //servername/Primary -U root%rootpassword
>
> Note: you will need to subsititue for servername and
> rootpassword.
>
> After you hit return, you sould see something like this:
>
> INFO: Debug class all level = 2   (pid 14353 from pid 14353)
> added interface ip=127.0.0.1 bcast=127.255.255.255
> nmask=255.0.0.0
> added interface ip=192.168.0.1 bcast=192.168.0.255
> nmask=255.255.255.0
> Got a positive name query response from 127.0.0.1 (
> 192.168.0.1 )
> Domain=[LEIINC.COM] OS=[Unix] Server=[Samba 2.2.2]
> smb: \>
I got the exact same minus the INFO: Debug class all level = 2   (pid 14353 from pid 14353) line.  And of course, my IPs are x.x.1.x not x.x.0.x. (i.e., 192.168.1.x)

This means everything should work, correct?

[Greg Zartman]

Yes, this means your root account works as far as Samba is concerned.  Are you using the same samba root password as the root password you use to log into Linux?

The error message:
{The account used is a computer account. Use your global user account or local user account to access this server.}
almost always means that you are trying to join a machine to the domain with a valid samba account that isn't root.  

Have you ever gotten this to work?

Greg

[glc]

> Are you using the same samba root password as the
> root password you use to log into Linux?
As a matter of fact, I am.  Could this be the problem?


> Have you ever gotten this to work?
This is my first attempt at setting up a PDC of any kind.

[Greg Zartman]

OK, I think I may have found your problem.   I think your add user script is messed up.

You'll need to modify one of the template fragments.  Do the following:

1. pico /etc/e-smith/templates-custom/etc/smb.conf/12adduser . Will look start with:
#[12 addusers]

2. Delete all lines in this file using CTRL-K.  

3. Input the following:
#Create Machine Account Script
   add user script = /usr/sbin/adduser -d /dev/null -g 100 -s/bin/false -M %u

4. Save the file.

5. Expand the template fragements:  /sbin/e-smith/expand-templates smb.conf

6  Restart Samba: /etc/rc.d/init.d/smb restart

7. Try adding the machine again.

[Greg Zartman]

Sorry, I messed up step 5.  Should read:

5. Expand the template fragements: /sbin/e-smith/expand-template smb.conf

Greg

[glc]

Greg Zartman wrote:
>
> Sorry, I messed up step 5.  Should read:
>
> 5. Expand the template fragements:
> /sbin/e-smith/expand-template smb.conf
>
> Greg
With the correction, no. 5 returns:

No templates were found for /smb.conf

[Greg Zartman]

It's been a long day.  LOL

Expand template:  /sbin/e-smith/expand-template /etc/smb.conf

[glc]

dammit, still get the error

[glc]

Should I start from scratch and try a different guide, such as this one I found a couple days ago?:
http://de.samba.org/samba/ftp/docs/htmldocs/Samba-PDC-HOWTO.html

[Greg Zartman]

No, I wouldn't use a different howto as it won't apply to the e-smith structure and then you'll really have a mess.

Send my your smb.conf file.  I'll have a look and see if I can spot the error.

greg@leiinc.com

[Kelvin]

Hi glc,

I had exactly the same problems some time back (search forums for the fory details).

While the W2K PC had no problems joining "real" NT4 and W2K Server domains, it refuses to join the SME domain, no matter what I did. In the end, a clean reload of W2K solved the problem immediately. Since then any new W2K PC I had had no problem joining the domain.

Kelvin

[glc]

Kelvin wrote:
>
> Hi glc,
>
> I had exactly the same problems some time back (search forums
> for the fory details).
>
> While the W2K PC had no problems joining "real" NT4 and W2K
> Server domains, it refuses to join the SME domain, no matter
> what I did. In the end, a clean reload of W2K solved the
> problem immediately. Since then any new W2K PC I had had no
> problem joining the domain.
>
> Kelvin

LOL, why is it that formatting is the no. 1 solver of MS OS issues?

Rather than bombarding the consumer's desktop w/ MSN and other shortcuts, they should place an automatic and instantaneous format shortcut.

I was considering a reinstall anyway b/c of a few misc. issues I've had for the last couple of months (not related to SME; just typical MS OS b.s.).

[Kelvin]

Ho ! Ho !

I supposed we could always wish for an option to automatically re-image the drive from a "clean" image as and when the MS OS goes to la - la land !  

Kelvin

[Greg Zartman]

I can't see how reinstalling windows would do anything especially since you can't join any workstation to your domain.  This line of thinking is impling that Win2k somehow infects Samba (not true).  

If you've tried to join multiply machines to the domain without sucess, reinstalling windows on one of them won't change a thing.

This has to have something to do with Samba's configuration and/or some type of network name resolution issue.

Greg

[glc]

Kelvin wrote:
>
> Ho ! Ho !
>
> I supposed we could always wish for an option to
> automatically re-image the drive from a "clean" image as and
> when the MS OS goes to la - la land !  
>
> Kelvin

that's what I use Norton Ghost for.  have for a couple of years now.


Greg Zartman wrote:
>
> I can't see how reinstalling windows would do anything
> especially since you can't join any workstation to your
> domain.  This line of thinking is impling that Win2k somehow
> infects Samba (not true).
>
> If you've tried to join multiply machines to the domain
> without sucess, reinstalling windows on one of them won't
> change a thing.
>
> This has to have something to do with Samba's configuration
> and/or some type of network name resolution issue.
>
> Greg

Got a copy of smb.conf; emailing to you right now...

thanks....

[Patrick Basile]

glc,

Have you tried joining the client using the following 'yourdomain\root', instead of just 'root'?  Also, did you check to make sure the registry has these settings:

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000000
"requirestrongkey"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000000
"requirestrongkey"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
"requiresignorseal"=dword:00000000
"requirestrongkey"=dword:00000000

Let us know, good luck.

Regards,
Patrick

[glc]

Patrick Basile wrote:
>
> glc,
>
> Have you tried joining the client using the following
> 'yourdomain\root', instead of just 'root'?  
yes

Also, did you
> check to make sure the registry has these settings:
>
> [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Netlogon\Parameters]
> "requiresignorseal"=dword:00000000
> "requirestrongkey"=dword:00000000
>
> [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Netlogon\Parameters]
> "requiresignorseal"=dword:00000000
> "requirestrongkey"=dword:00000000
>
> [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters]
> "requiresignorseal"=dword:00000000
> "requirestrongkey"=dword:00000000
those strings are present

[Greg Zartman]

OK, I found the problem with your smb.conf file.  It's that add user script.  It doesn't appear to me that you installed Darrel's "fragments" RPM.  Download the following RPM and install it on your server

http://www.myezserver.com/downloads/mitel/dmc-mitel-samba-2.2.2-0.noarch.rpm

1.To install:  rpm -Uvh --nodeps dmc-mitel-samba-2.2.2.noarch.rpm

2. Expand fragments:  /sbin/e-smith/expand-template /etc/smb.conf

3. Restart Samba:  /etc/rc.d/init.d/smb restart


There is an very very small chance that the add user script still might not work (I highly doubt it as Darrel's RPM has been tested by many people).  If this is the case, edit the 12adduser fragment as follows:

pico /etc/e-smith/templates-custom/etc/smb.conf/12adduser

Delete all lines in the file using CTRL-K

Input the following:

#Create Machine Account Script
add user script = /usr/sbin/adduser -d /dev/null -g 100 -s/bin/false -M %u

Save the file, re-expand the fragments and restart Samba.  

I highly doubt you will need to modify Darrel's fragments, but I included this just in case.

Greg

[glc]

problem solved, thanks all

[guestFF]

Pleas tell us how....

[Greg Zartman]

I was a problem with the add user script parameter.  I'm posting what I think is the fix on the devinfo mailing list now.  Let's see what the rest of the dev folks have to say before we let it out to the masses.

Greg

[guestFF]

Thanks.