Trouble with Samba Domain
- by Arkevius
I'm having a bit of trouble setting up this Samba domain correctly. I'm getting an Access Denied error when trying to add a Windows XP machine to the domain. I'll go through my scenario in detail, but for those of you wanting a TLDR summary it'll be at the bottom of this post.
I have an HP Proliant server with Ubuntu 12.04 LTS installed. For this particular environment, I need this server to act as a PDC, file server, and print server.
I began by updating and upgrading the packages (of course). Then I went to install samba, gnome-desktop, wine, and cpanm. Samba was, of course, for the PDC and file/print services. The GUI was needed because a certain piece of software has to be installed on there that needs a GUI. Wine was needed because the software is Windows-native. And cpanm was for a perl script I have running.
For Samba, I went into the smb.conf file and enabled domain logons, changed the workgroup/domain name, set the logon script on a per-group basis (netlogon/%g), enabled the netlogon and profiles shares, and set up a couple of custom shares for the file service. The printer was added later, and seems to be working just fine.
I then restarted the services, and used the net groupmap command to ensure my unix groups were mapped correctly to the Windows groups. After this, I went to a Windows box, and was able to successfully join the domain without a problem.
After some fidgeting with the software to get it running on the win boxes from the server (it's a records management system program, which stores its database files on the server), I went to add another computer to the domain. But now it's saying Access Denied.
Before, when I had this trouble, it was because I forgot to add the group "machines" so Samba could create machine accounts. Thinking this was the case, I manually created the machine account to test this theory. However, it would still give me an Access Denied error. That must mean it has something to do with permissions now, correct?
I've been fighting with this server for the past two weeks. If it's not one thing that's wrong, then it's something else completely different. This would be the third time I've actually reinstalled everything to start over.
I'll post snippets of my system settings below. If anything else is needed, just say the word and I'll gather up the info.
The unix group 'domadmin' is the Domain Admins group.
Samba Administrator account
administrator:x:1000:1000:Administrator,,,:/home/administrator:/bin/bash
Administrator's groups
administrator adm cdrom sudo dip plugdev lpadmin sambashare domadmin crimestar
Samba's Configuration File (a snippet anyways)
[global]
workgroup = CITYPD
server string = BPDServer
dns proxy = no
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = user
encrypt passwords = true
passdb backend = tdbsam
obey pam restrictions = yes
unix password sync = yes
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .
pam password change = yes
map to guest = bad user
domain logons = yes
logon path = \\%L\srv\samba\profiles\%U
logon script = logon.bat
add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
domain master = yes
usershare allow guests = yes
[netlogon]
comment = Network Logon Service
path = /srv/samba/netlogon/%g
guest ok = yes
read only = yes
browseable = no
[profiles]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
guest ok = no
read only = yes
create mask = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
write list = root, @lpadmin
[crimestar]
comment = "Crimestar DB"
path = /srv/crimestar/db
valid users = @domadmin, @crimestar
admin users = administrator
writeable = yes
guest ok = no
browseable = no
create mask = 0666
directory mask = 0777
[crimestarfiles]
path = /home/administrator/.wine/drive_c/crimestar
admin users = administrator
browseable = yes
ls -la on /srv/samba/profiles
drwxrwxrwx 2 root machines 4096 Nov 21 15:27 .
drwxr-xr-x 4 root root 4096 Nov 21 15:28 ..
ls -la on /srv/samba/netlogon
drwxr-xr-x 6 root root 4096 Nov 21 15:30 .
drwxr-xr-x 4 root root 4096 Nov 21 15:28 ..
drwxr-xr-x 2 root root 4096 Nov 21 15:30 crimestar
drwxr-xr-x 2 root root 4096 Nov 21 18:13 domadmin
drwxr-xr-x 3 root root 4096 Nov 21 15:30 guests
drwxr-xr-x 2 root root 4096 Nov 21 15:29 users
Groupmap list
Domain Users (S-1-5-21-2978508755-2341913247-928297747-513) -> users
Domain Admins (S-1-5-21-2978508755-2341913247-928297747-512) -> domadmin
Domain Guests (S-1-5-21-2978508755-2341913247-928297747-514) -> nogroup
TLDR
I'm getting an Access Denied error message while trying to join a Windows box to a Samba domain, even after I successfully joined another computer without a problem. System settings / files are quoted above.
Anyone have any ideas or suggestions?
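As an added example (not part of the original post, and not the poster's config), here is a small bash linter for the classic NT4-style domain-logon settings a Samba 3 PDC needs before a Windows client can join and load a roaming profile. It works on smb.conf text passed in as a string, so it runs offline; SAMPLE_CONF is a constructed cut-down of the config quoted above, and GOOD_CONF is a constructed corrected variant whose share names and paths are assumptions. Two things it flags in the sample are facts about UNC paths and Samba defaults: in `\\server\share\sub\dir` the component after the server is the share name, so a logon path of `\\%L\srv\samba\profiles\%U` names a share called `srv`, and a share is read-only unless `writeable`/`writable`/`write ok` is yes or `read only` is explicitly no. What no config linter can check is the passdb side: on a Samba 3 domain the join must be authenticated as root (added with `smbpasswd -a root`) or as an account granted SeMachineAccountPrivilege via `net rpc rights grant`; that is checked with `pdbedit -L` and `net rpc rights list`, which are not run here.

```bash
#!/bin/bash
# Added example, not from the post: lint smb.conf domain-logon settings offline.
# Configs are constructed strings; GOOD_CONF paths/share names are assumptions.

# smb_get CONF SECTION KEY: print KEY's value in [SECTION] (case-insensitive).
smb_get() {
    printf '%s\n' "$1" | awk -v want_sec="$2" -v want_key="$3" '
        /^[[:space:]]*[;#]/ { next }
        /^[[:space:]]*\[/  { sec = $0; sub(/^[[:space:]]*\[/, "", sec)
                             sub(/].*$/, "", sec); next }
        index($0, "=") && tolower(sec) == tolower(want_sec) {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            if (tolower(key) == tolower(want_key)) { print val; exit }
        }'
}

# has_section CONF NAME: succeed if a [NAME] section exists.
has_section() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[[:space:]]*\[/ { s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/].*$/, "", s)
                            if (tolower(s) == tolower(want)) { found = 1; exit } }
        END { exit !found }'
}

# unc_share UNC: share component of \\server\share\sub\dir.
unc_share() {
    local rest=${1#\\\\}      # drop the leading \\
    rest=${rest#*\\}          # drop the server component
    printf '%s\n' "${rest%%\\*}"
}

# share_writeable CONF SHARE: Samba shares are read-only unless told otherwise.
share_writeable() {
    local key v
    for key in writeable writable 'write ok'; do
        v=$(smb_get "$1" "$2" "$key")
        [ "$v" = yes ] && return 0
    done
    [ "$(smb_get "$1" "$2" 'read only')" = no ]
}

# check_config CONF: one finding per line; prints nothing when clean.
check_config() {
    local conf=$1 lp share
    [ "$(smb_get "$conf" global 'domain logons')" = yes ] ||
        echo "global: 'domain logons = yes' is required for a PDC"
    [ "$(smb_get "$conf" global security)" = user ] ||
        echo "global: a classic PDC needs 'security = user'"
    [ -n "$(smb_get "$conf" global 'add machine script')" ] ||
        echo "global: no 'add machine script', so joins cannot create machine accounts"
    has_section "$conf" netlogon ||
        echo "no [netlogon] share, so logon scripts cannot be served"
    lp=$(smb_get "$conf" global 'logon path')
    if [ -n "$lp" ]; then
        share=$(unc_share "$lp")
        if ! has_section "$conf" "$share"; then
            echo "logon path '$lp' names share '$share', which is not defined"
        elif [ "$(smb_get "$conf" "$share" printable)" = yes ]; then
            echo "logon path share '$share' is a printer share, not a profile directory"
        elif ! share_writeable "$conf" "$share"; then
            echo "logon path share '$share' is read-only; profiles cannot be written back"
        fi
    fi
    [ "$(smb_get "$conf" global 'usershare allow guests')" = yes ] &&
        echo "global: 'usershare allow guests = yes' exposes user-defined shares to unauthenticated clients"
    return 0
}

# Constructed from the post: logon path names share 'srv'; [profiles] is a printer share.
SAMPLE_CONF=$(cat <<'EOF'
[global]
security = user
domain logons = yes
logon path = \\%L\srv\samba\profiles\%U
add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
usershare allow guests = yes
[netlogon]
path = /srv/samba/netlogon/%g
read only = yes
[profiles]
path = /var/spool/samba
printable = yes
read only = yes
EOF
)

# Constructed corrected variant (assumed paths): profiles is a writeable directory share.
GOOD_CONF=$(cat <<'EOF'
[global]
security = user
domain logons = yes
logon path = \\%L\profiles\%U
add machine script = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u
usershare allow guests = no
[netlogon]
path = /srv/samba/netlogon/%g
read only = yes
[profiles]
path = /srv/samba/profiles
read only = no
create mask = 0600
directory mask = 0700
EOF
)

echo "== sample config =="; check_config "$SAMPLE_CONF"
echo "== corrected config =="; check_config "$GOOD_CONF"
```

Run it as-is to see the two findings for the sample (undefined `srv` share and the guest usershare setting) and none for the corrected variant; to lint a live server, replace the heredocs with `check_config "$(testparm -s 2>/dev/null)"`, since `testparm -s` prints the effective configuration with defaults resolved.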