
samba pdc + squid.



Хочу настроить связку samba pdc + squid. PDC и есть самба. Виндовых серверов нет. сам PDC функционирует, юзеры входят.

прописал конфиг самбы, запустил winbindd, решил тестировать:

wbinfo -u
Error looking up domain users

wbinfo -g
BUILTIN@administrators
BUILTIN@users

wbinfo -t
checking the trust secret via RPC calls failed
error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
Could not check secret

wbinfo -p
Ping to winbindd succeeded on fd 5


Вот конфиг самбы:

[global]
server string = SPDC(Samba %v)
workgroup = TEST
netbios name = TESTING

security = user
;encrypted password = yes
domain master = yes
;local master = yes
;wins support = yes
preferred master = yes
domain logons = yes
os level = 255
winbind uid = 10000-20000
winbind gid = 10000-20000
# NOTE(review): every name listed here gets root-equivalent access on all shares;
# keep this list as short as possible.
admin users = root
time server = yes


#######WINS
winbind separator = @
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes
#password server = localhost
######


#new

# NOTE(review): level 10 is a debugging setting; the logs grow very fast and may
# contain sensitive details — lower it once the problem is found.
log level = 10
# NOTE(review): "127.27.1." is inside the loopback range and already covered by
# "127."; it looks like a typo for "172.27.1." — confirm.
hosts allow = 192.168.x. 127. 127.27.1.
####

username map = /etc/samba/usersmap.conf

logon script = STARTUP.BAT
logon path =

;add user script = /usr/sbin/useradd %u
;add group script = /usr/sbin/groupadd %g
;add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
;delete user script = /usr/sbin/userdel %u
;delete user from group script = /usr/sbin/deluser %u %g
;delete group script = /usr/sbin/groupdel %g

# NOTE(review): the script posted further down is named addmachine.sh; the path
# here says "addmashine.sh" — the two must match or the machine account is never created.
add machine script = /etc/samba/scripts/addmashine.sh %u
add user script = /etc/samba/scripts/adduser.sh %u
delete user script = /etc/samba/scripts/deluser.sh %u
add group script = /etc/samba/scripts/addgroup.sh %g
delete group script = /etc/samba/scripts/delgroup.sh %g
set primary group script = /etc/samba/scripts/setprimarygroup.sh %u %g
add user to group script = /etc/samba/scripts/addusertogroup.sh %u %g
delete user from group script = /etc/samba/scripts/deluserfrgroup.sh %u %g

[homes]
#read only = no
#browseable = no
comment = Home Directories
browseable = no
read only = no
preserve case = yes
short preserve case = yes
create mode = 0750

[netlogon]
comment = Network logon service
path = /etc/samba/netlogon
browseable = no



winbindd запускай с ключом -d9 и читай внимательно логи.

sabonez ★☆☆☆
()

>wbinfo -u
>Error looking up domain users
Этой ошибке 100 лет в обед, поправили буквально на днях.

>wbinfo -t
>checking the trust secret via RPC calls failed
>error code was NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc00000da)
>Could not check secret
net join DOMAIN --user=root -I ip.add.re.s и админский пароль.

>;local master = yes
>;wins support = yes
лучше включите.

>security = user
security = domain, либо просто уберите эту строчку.

zgen ★★★★★
()
Ответ на: комментарий от zgen

Что имеем (Windows PDC в сети нет, просто напоминаю):

добавил local master = Yes
wins support = Yes, 


убрал строчку security=users вообще, т.к. security=domain в ответ на testparm дает такое:

root@mainrouter:/etc/samba# testparm
Load smb config files from /etc/samba/smb.conf
Processing section "[homes]"
Processing section "[netlogon]"
Server's Role (logon server) NOT ADVISED with domain-level security
Loaded services file OK.
Server role: ROLE_DOMAIN_BDC
Press enter to see a dump of your service definitions

[global]
        workgroup = TEST
        netbios name = TESTED
        server string = SPDC(Samba %v)
        security = DOMAIN
        password server = mainrouter
        username map = /etc/samba/usersmap.conf
        log level = 10
        time server = Yes
        add user script = /etc/samba/scripts/adduser.sh %u
        delete user script = /etc/samba/scripts/deluser.sh %u
        add group script = /etc/samba/scripts/addgroup.sh %g
        delete group script = /etc/samba/scripts/delgroup.sh %g
        add user to group script = /etc/samba/scripts/addusertogroup.sh %u %g
        delete user from group script = /etc/samba/scripts/deluserfrgroup.sh %u %g
        set primary group script = /etc/samba/scripts/setprimarygroup.sh %u %g
        add machine script = /etc/samba/scripts/addmashine.sh %u
        logon script = STARTUP.BAT
        logon path =
        domain logons = Yes
        os level = 255
        preferred master = Yes
        domain master = Yes
        wins support = Yes
        idmap uid = 10000-20000
        idmap gid = 10000-20000
        winbind separator = @
        winbind enum users = Yes
        winbind enum groups = Yes
        winbind use default domain = Yes
        admin users = root
        hosts allow = 192.168.2., 127., 127.27.1.

[homes]
        comment = Home Directories
        read only = No
        create mask = 0750
        browseable = No

[netlogon]
        comment = Network logon service
        path = /etc/samba/netlogon
        browseable = No


Загоняю самбу в домен к самой себе:

net join TEST --user=root -I localhost
Password:
Creation of workstation account failed
Unable to join domain TEST.

пробовал раскомментировать #password server = localhost
пробовал поменять localhost на router (в hosts это внешний интерфейс PDC, смотрит в локалку).  


Вот лог log.winbindd (слишком большой с d9, привожу конец):



[2008/11/21 09:31:22, 3] nsswitch/winbindd_sid.c:winbindd_sid_to_gid(308)
  [23577]: sid to gid S-1-5-32-546
[2008/11/21 09:31:22, 7] nsswitch/winbindd_async.c:winbindd_sid2gid_async(545)
  winbindd_sid2gid_async: Resolving S-1-5-32-546 to a gid
[2008/11/21 09:31:22, 5] nsswitch/winbindd_async.c:winbindd_sid2gid_recv(527)
  sid2gid returned an error
[2008/11/21 09:31:22, 5] nsswitch/winbindd_sid.c:sid2gid_recv(254)
  Could not convert sid S-1-5-32-546
[2008/11/21 09:31:22, 3] nsswitch/winbindd_misc.c:winbindd_ping(470)
  [23577]: ping

mora
() автор топика
Ответ на: комментарий от mora

Отстаньте вы от winbind'а, он заработает не раньше, чем машина окажется в домене. Показывайте весь smb.conf, кроме шар. Включайте debug level 2/3 и смотрите, что происходит при попытке добавить себя в домен.

Уберите нафиг password server - у вас Samba PDC должна внести свой аккаунт в свой же домен, который она же контролирует.

Где add_machine скрипт? вы вообще знаете, как Samba NT4 style домен функционирует? в частности, что для каждого КОМПЬЮТЕРА д.б. заведена учетная запись в системе?

zgen ★★★★★
()
Ответ на: комментарий от zgen

smb.conf:

[global]
server string = SPDC(Samba %v)
workgroup = TEST
netbios name = TESTED

security = user
;encrypted password = yes
domain master = yes
local master = yes
wins support = yes
preferred master = yes
domain logons = yes
os level = 255
winbind uid = 10000-20000
winbind gid = 10000-20000
# NOTE(review): every name listed here gets root-equivalent access on all shares;
# keep this list as short as possible.
admin users = root
time server = yes


#######WINS
winbind separator = @
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes 
######


#new

log level = 2
# NOTE(review): "127.27.1." is inside the loopback range and already covered by
# "127."; it looks like a typo for "172.27.1." — confirm.
hosts allow = 192.168.2. 127. 127.27.1.
####

username map = /etc/samba/usersmap.conf

logon script = STARTUP.BAT
logon path = 

;add user script = /usr/sbin/useradd %u
;add group script = /usr/sbin/groupadd %g
;add machine script = /usr/sbin/adduser -n -g machines -c Machine -d /dev/null -s /bin/false %u
;delete user script = /usr/sbin/userdel %u
;delete user from group script = /usr/sbin/deluser %u %g
;delete group script = /usr/sbin/groupdel %g

# NOTE(review): the script posted below is named addmachine.sh; the path here
# says "addmashine.sh" — the two must match or the machine account is never created.
add machine script = /etc/samba/scripts/addmashine.sh %u
add user script = /etc/samba/scripts/adduser.sh %u
delete user script = /etc/samba/scripts/deluser.sh %u
add group script = /etc/samba/scripts/addgroup.sh %g
delete group script = /etc/samba/scripts/delgroup.sh %g
set primary group script = /etc/samba/scripts/setprimarygroup.sh %u %g
add user to group script = /etc/samba/scripts/addusertogroup.sh %u %g
delete user from group script = /etc/samba/scripts/deluserfrgroup.sh %u %g

[homes]
#read only = no
#browseable = no
comment = Home Directories 
browseable = no
read only = no 
preserve case = yes
short preserve case = yes 
create mode = 0750 

[netlogon]
comment = Network logon service
path = /etc/samba/netlogon
browseable = no

Скрипт addmachine.sh

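#!/bin/bash
# addmachine.sh
# v1.0
#
# Samba "add machine script": creates the POSIX account for a workstation
# whose name (with the trailing "$" as Samba passes it in %u) arrives in $1,
# locks the account's password and appends one line to the script log.
# NOTE(review): the smb.conf above references /etc/samba/scripts/addmashine.sh —
# the file name on disk must match that entry exactly.
#
# Exit status: 0 on success; 1 when no machine name was given; otherwise the
# status of the step that failed, so the failure is visible in smbd's log
# instead of being masked by an unconditional "exit 0".

LOGFILE=/etc/samba/scripts/log
RETVAL=0
MSG="success"
machinename="$1"

if [ -z "$machinename" ]; then
    printf '%s Add machine account: no machine name given\n' "$(date)" >> "$LOGFILE"
    exit 1
fi

# checkmap.pl is a sibling script (not shown here); a non-zero status from it
# aborts the account creation.
if [ "$RETVAL" -eq 0 ]; then
    /etc/samba/scripts/checkmap.pl
    RETVAL=$?
    [ "$RETVAL" -ne 0 ] && MSG="checkmap failed [$RETVAL]"
fi

# No home directory and no login shell: the account exists only for the
# workstation trust, never for an interactive login. "--" stops option
# parsing so a name starting with "-" cannot be read as a flag.
if [ "$RETVAL" -eq 0 ]; then
    /usr/sbin/useradd -g nogroup -d /dev/null -s /bin/false -- "$machinename"
    RETVAL=$?
    [ "$RETVAL" -ne 0 ] && MSG="useradd failed [$RETVAL]"
fi

# Lock the Unix password so the machine account cannot be used for a
# password login; Samba keeps the machine trust password separately.
if [ "$RETVAL" -eq 0 ]; then
    /usr/bin/passwd -l -- "$machinename"
    RETVAL=$?
    [ "$RETVAL" -ne 0 ] && MSG="passwd failed [$RETVAL]"
fi

# printf with a fixed format: the machine name and message are data, never
# part of the format string.
printf "%s Add machine '%s' account: %s\n" "$(date)" "$machinename" "$MSG" \
    >> "$LOGFILE"
exit "$RETVAL"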


При добавлении в домен:

net join TEST --user=root -I localhost

log.smbd:

  get_md4pw: Workstation TESTED$: no account in domain
[2008/11/24 09:01:29, 0] rpc_server/srv_netlog_nt.c:_net_auth_2(461)
  _net_auth2: failed to get machine password for account EUGEN$: NT_STATUS_ACCESS_DENIED
[2008/11/24 09:01:33, 2] lib/access.c:check_access(323)
  Allowed connection from  (192.168.2.63)
[2008/11/24 09:01:33, 2] auth/auth.c:check_ntlm_password(309)
  check_ntlm_password:  authentication for user [root] -> [root] -> [root] succeeded
[2008/11/24 09:01:33, 2] lib/access.c:check_access(323)
  Allowed connection from  (192.168.2.63)
groupadd: BUILTIN_users is a not a valid group name
root@:/var/log/samba#

log.nmbd:
root@mainrouter:/var/log/samba# tail -10 ./log.nmbd
  We are both a domain and a local master browser for workgroup TEST.  Do not announce to ourselves.
[2008/11/24 08:51:50, 2] nmbd/nmbd_browsesync.c:sync_with_dmb(152)
  sync_with_dmb:
  Initiating sync with domain master browser TESTED<20> at IP 192.168.2.63 for workgroup TEST
[2008/11/24 08:51:50, 2] nmbd/nmbd_browsesync.c:announce_local_master_browser_to_domain_master_browser(108)
  announce_local_master_browser_to_domain_master_browser:
  We are both a domain and a local master browser for workgroup TEST.  Do not announce to ourselves.
[2008/11/24 08:51:50, 2] nmbd/nmbd_browsesync.c:sync_with_dmb(152)
  sync_with_dmb:
  Initiating sync with domain master browser TESTED<20> at IP 192.168.2.63 for workgroup TEST




mora
() автор топика
Ответ на: комментарий от mora

log.tested во время добавления в домен покажите. И log level = 3 сделайте, если на данном видно не будет.

zgen ★★★★★
()
Ответ на: комментарий от mora

>/etc/samba/scripts/log

и еще: скрипт addmachine отработал? что выдал?
id TESTED$ что говорит? или что там у вас, getent passwd|grep TESTED$?

zgen ★★★★★
()
Ответ на: комментарий от zgen

Ура! Эту засаду победил. В домен к себе самой самба не включалась до тех пор, пока не:

1) был добавлен юзер tested$ - через программу vipw в /etc/passwd
   и passwd -l tested$, id группы должен совпадать с группой всех машин-аккаунтов (которые с "$" в имени). 

2) пока он не был добавлен в smbpasswd:
         smbpasswd -a -m test      <-------без "$" в имени!

3) net rpc join -S TESTED --user=root%password
Joined domain TEST.
 
Всем Спасибо! ) Особенно zgen !

mora
() автор топика