Steve Cayford wrote:
> Wes Deviers wrote:
> > Are you using OpenLDAP? Is it possible that during the Debian
> > upgrade, the OpenLDAP schema files got changed, and so it's failing
> > because updates would violate the schema (perhaps, because, the samba
> > schema file is now missing or not being loaded..?)
> >
> > Somewhere in there, I think Debian switched from using OpenLDAP with
> > schema configuration files to schema-over-LDAP updates. If it tried to
> > convert your schema and failed, or even just flat-out ignored it, that
> > would cause the problem.
> >
> > Turn slapd's logging to debug or sniff the LDAP transaction when you
> > try to join the machine and see what that gets you?
> >
> > Wes
>
> That sounds likely. I'll look into it.

I've done some more digging and realized two things:

1. My "add machine script" is "smbldap-useradd -w '%u'", but the -w switch
   only creates a posix machine account. Apparently what I want is the -i
   switch which is not listed on the man page.

2. Using the -i switch and running smbldap-useradd from the command line
   gives me the error:

   "failed to add entry: structural object class modification from 'account'
   to 'inetOrgPerson' not allowed at /usr/sbin/smbldap-useradd line 311,
   <STDIN> line 2."

Looking at smbldap-useradd I can see that it first creates a posix machine
account with this code in smbldap_tools.pm:

    my $add = $ldap->add (
        "uid=$user,$config{computersdn}",
        attr => [
            'objectclass' => [
                'top', 'account', 'posixAccount'
            ],
            'cn' => "$user",
            'uid' => "$user",
            'uidNumber' => "$uid",
            'gidNumber' => "$gid",
            'homeDirectory' => '/dev/null',
            'loginShell' => '/bin/false',
            'description' => 'Computer',
            'gecos' => 'Computer',
        ]
    );

Then it tries to modify the entry with this code in smbldap-useradd which
is where it dies:

    my $modify = $ldap_master->modify (
        "uid=$userName,$config{computersdn}",
        changes => [
            replace => [
                objectClass => [
                    'top', 'person', 'organizationalPerson',
                    'inetOrgPerson', 'posixAccount', 'sambaSAMAccount']],
            add => [sambaLogonTime => '0'],
            add => [sambaLogoffTime => '2147483647'],
            add => [sambaKickoffTime => '2147483647'],
            add => [sambaPwdCanChange => '0'],
            add => [sambaPwdMustChange => '2147483647'],
            add => [sambaPwdLastSet => "$date"],
            add => [sambaAcctFlags => '[I ]'],
            add => [sambaLMPassword => "$lmpassword"],
            add => [sambaNTPassword => "$ntpassword"],
            add => [sambaSID => "$user_sid"],
            add => [sambaPrimaryGroupSID => "$config{SID}-515"]
        ]
    );

Looking at all the other entries I see no other accounts with an object
class of "account" so this seems to be the problem. But I don't know what
to do about it.
-Steve
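
Added illustration (not part of the original message, and not smbldap-tools code): a small offline model of the check behind the "structural object class modification ... not allowed" error, run against the two objectClass lists quoted above. The SCHEMA table is a hand-typed subset of the standard schema definitions and the function names are hypothetical.

```python
# Added illustration: why the objectClass replace in the message is rejected.
# SCHEMA maps class -> (kind, superior); hand-typed subset of the standard
# core, cosine, inetorgperson, nis and samba schemas, not read from a server.
SCHEMA = {
    "top": ("abstract", None),
    "account": ("structural", "top"),
    "person": ("structural", "top"),
    "organizationalperson": ("structural", "person"),
    "inetorgperson": ("structural", "organizationalperson"),
    "posixaccount": ("auxiliary", "top"),
    "sambasamaccount": ("auxiliary", "top"),
}

def superiors(name):
    """Return the class followed by all of its superiors."""
    chain = []
    while name is not None:
        chain.append(name)
        name = SCHEMA[name][1]
    return chain

def structural_class(object_classes):
    """Most specific structural class among an entry's objectClass values."""
    names = [oc.lower() for oc in object_classes]
    unknown = [n for n in names if n not in SCHEMA]
    if unknown:
        raise KeyError(f"not in SCHEMA subset: {unknown}")
    structural = [n for n in names if SCHEMA[n][0] == "structural"]
    if not structural:
        raise ValueError("entry has no structural object class")
    # The most specific class has every other structural class as a superior.
    for cand in structural:
        if all(other in superiors(cand) for other in structural):
            return cand
    raise ValueError(f"multiple structural chains: {structural}")

def check_replace(current, replacement):
    """Return (allowed, old, new) for replacing objectClass on an entry."""
    old, new = structural_class(current), structural_class(replacement)
    return old == new, old, new

# objectClass values copied from the two code fragments in the message.
POSIX_MACHINE = ["top", "account", "posixAccount"]
SAMBA_MACHINE = ["top", "person", "organizationalPerson",
                 "inetOrgPerson", "posixAccount", "sambaSAMAccount"]

if __name__ == "__main__":
    print(check_replace(POSIX_MACHINE, SAMBA_MACHINE))
    print(check_replace(POSIX_MACHINE, POSIX_MACHINE + ["sambaSamAccount"]))
```

The first call reports the same 'account' to 'inetOrgPerson' change as the error message; the second shows that adding only an auxiliary class leaves the structural class untouched.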