Thank you, thank you, thank you. The issue with not being able to join workstations to our Samba 3 domain without manually adding the Samba attributes to the LDAP directory with LAM has been a pain in the butt for months now. I found dozens of threads on the net started by admins with the same problem and none of those threads ended in really resolving the issue.
I have been updating Samba, fiddling with the smbldap-tools and pulling my hair to no avail. Finally I found this post from 2005 that resolved my issue. I tested with

    :~#getent passwd

and it only listed my users. I added a line for my computers in /etc/libnss-ldap.conf and changed it from:

    nss_base_passwd ou=users,dc=test,dc=de?one
    nss_base_shadow ou=users,dc=test,dc=de?one
    nss_base_group ou=groups,dc=test,dc=de?one

to:

    nss_base_passwd ou=users,dc=test,dc=de?one
    nss_base_passwd ou=computers,dc=test,dc=de?one
    nss_base_shadow ou=users,dc=test,dc=de?one
    nss_base_group ou=groups,dc=test,dc=de?one

Now everything works just fine.

Rhys Goodwin wrote:
>
> The script only adds the posix stuff, when you join the workstation the
> sambaSam entries are created by samba.
> BUT...
> Samba NEEDS to find a posix account with the name of the machine being
> joined. How are you doing user lookups on your posix side?
> If you use nss_ldap and you have a separate ou in your directory for users
> and computers that could be where your problem is.
> i.e. if
> nss_ldap is set to look in "ou=users,dc=test,dc=com" for its posix userbase
> then if you do:
> :~#getent passwd
> then it will return only users it finds in that ou. So if your add machine
> script is creating "users" (machine accounts) in ou=computers,dc=test,dc=com
> then as far as posix is concerned there is no posix account for the new
> machine. Samba will not find a posix account and will not add the sambaSam
> entries and the join will fail. You have 2 options:
> 1. Add your user accounts and computer accounts to the same ou.
> 2. Tell nss_ldap to do sub tree searches of the parent ou. e.g. set your base
> to "dc=test,dc=com" rather than "ou=users,dc=test,dc=com"
> This is how I understand it anyhow, I might be wrong, I'm no Samba pro but I
> went for option 2.
> If anyone can shed some more light on this or set me straight if I'm
> wrong, please do.
> Cheers,
> Rhys
>

--
View this message in context: http://samba.2283325.n4.nabble.com/smbldap-tools-and-joining-workstation-to-domain-tp2405892p3669378.html
Sent from the Samba - General mailing list archive at Nabble.com.
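
The check described in this thread, as an added example that is not part of the original posts or of Samba or nss_ldap: a script that reports whether a machine account DN falls inside any nss_base_passwd search base of a config file. The function names, the machine account "ws01$" and the sample files are constructed; it assumes DNs without escaped commas and that a directive without a scope means "sub".

```shell
#!/bin/sh
# Added example: is a machine account DN inside any nss_base_passwd search
# base of an nss_ldap config? Assumes DNs without escaped commas and that a
# directive with no scope means "sub".

norm_dn() {  # lower-case and drop spaces around commas for comparison
    printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/ *, */,/g'
}

# nss_covers_dn CONF DN: exit status 0 if some nss_base_passwd line covers DN
nss_covers_dn() {
    dn=$(norm_dn "$2")
    parent=${dn#*,}                      # DN minus its first RDN
    while read -r key spec _; do
        [ "$key" = "nss_base_passwd" ] || continue
        base=$(norm_dn "${spec%%[?]*}")  # directive is base?scope?filter
        case $spec in
            *[?]*) scope=${spec#*[?]}; scope=${scope%%[?]*} ;;
            *)     scope= ;;
        esac
        case ${scope:-sub} in
            one)  if [ "$parent" = "$base" ]; then return 0; fi ;;
            base) if [ "$dn" = "$base" ]; then return 0; fi ;;
            *)    case $dn in "$base"|*,"$base") return 0 ;; esac ;;
        esac
    done < "$1"
    return 1
}

# Constructed sample data: the two configurations from the post and a
# hypothetical machine account "ws01$" created in ou=computers.
tmp=$(mktemp -d)
printf '%s\n' 'nss_base_passwd ou=users,dc=test,dc=de?one' \
    'nss_base_shadow ou=users,dc=test,dc=de?one' \
    'nss_base_group ou=groups,dc=test,dc=de?one' > "$tmp/before.conf"
printf '%s\n' 'nss_base_passwd ou=users,dc=test,dc=de?one' \
    'nss_base_passwd ou=computers,dc=test,dc=de?one' \
    'nss_base_shadow ou=users,dc=test,dc=de?one' \
    'nss_base_group ou=groups,dc=test,dc=de?one' > "$tmp/after.conf"
machine='uid=ws01$,ou=computers,dc=test,dc=de'
for f in before after; do
    if nss_covers_dn "$tmp/$f.conf" "$machine"; then
        echo "$f: machine account is inside a passwd search base"
    else
        echo "$f: machine account is NOT inside any passwd search base"
    fi
done
rm -rf "$tmp"
```

Run it against the real /etc/libnss-ldap.conf with the DN your add machine script creates; a "NOT inside" result matches the case where getent passwd lists only users.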
