You could put the machines in a sub container under people, or have people and computers as subs under "user accounts". That way Samba can search the entire accounts or people subtree BUT you can restrict other LDAP services that use "people" to not be recursive.

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Bill Arlofski
Sent: Sunday, June 17, 2012 4:16 PM
To: samba@lists.samba.org
Subject: Re: [Samba] Two attempts required to join domain

bump

I'd prefer to not have to put machine accounts into the People OU for all the obvious reasons, but I may be forced to in order to have the end-user (e.g. our customer) experience to be a smooth one.

Any idea on what might cause the behavior I am seeing described on the 13th below?

Thanks for any help!

--
Bill Arlofski
Reverse Polarity, LLC

On 06/13/12 18:55, Bill Arlofski wrote:
> Hi Everyone.
>
> I have run across an issue that is driving me crazy. This is a new
> deployment of Samba v3.6.5 with openldap v2.4.30 and smbldap-tools
> v0.9.8
>
> When trying to join the domain, on the first attempt the machine
> account is properly created in the correct ou - e.g.
> ou=Computers,dc=domain,dc=local
>
> But the "failed to join domain" pop-up with reason of "The user name
> could not be found" is displayed (which really means the machine name
> was not found in LDAP) and of course the machine is not yet a domain
> member.
>
> However, a 2nd attempt to join the domain with the same credentials,
> immediately after the failure results in a "Welcome to the X domain"
> and the machine is now a domain member.
>
> Setting the openldap slapd loglevel to 416 to show the queries during
> this process reveals the following:
>
> On 1st join attempt Samba searches the whole directory from
> dc=domain,dc=local with a scope of 2 (sub) for uid=MyMachine,
> objectClass=sambaSamAccount.
>
> It of course does not find it, so the smbldap-useradd script is called
> and the machine account is properly added to ou=Computers.
>
> Then Samba immediately searches _ONLY_ ou=People,dc=domain,dc=local
> for the newly created machine account and of course does not find it.
> And the "failed to join domain" pop-up is displayed on the WinXP machine.
>
> On the second join attempt, Samba _ONLY_ searches
> ou=Computers,dc=domain,dc=local, which is where it SHOULD search for
> machines as defined everywhere in my configs and it finds the machine
> and the machine successfully joins the domain.
>
> If I set all configs - samba, smbldap etc to be such that computers
> are in the "People" organizational unit, then joining the domain works
> on the first try, every time.
>
> Also, if I un-join the domain, but leave the machine account in LDAP
> in ou=Computers and then re-join the domain, this always works on
> first try too since Samba's initial scope 2 "sub" search of the
> directory starting at the top will find the machine account under
> ou=Computers.
>
> Can someone offer guidance as to why during the new machine creation
> process (joining a domain) Samba does not look for the machine in the
> defined machines ou but always in the People ou?
>
> Thank you in advance for any help on this!
>
> --
> Bill Arlofski
> Reverse Polarity, LLC

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba
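
The slapd query trace described in the original post can be reduced to one record per search by pairing each SRCH line with its SEARCH RESULT on the same conn/op. This is an added example, not code from the thread or from Samba; the log lines are constructed from the searches the post describes, and the function names are hypothetical.

```python
import re

# Constructed slapd "stats" lines (level 256, part of loglevel 416); the bases
# and filter follow the searches described in the post, not a real capture.
FLT = '(&(uid=MyMachine)(objectClass=sambaSamAccount))'
SAMPLE_LOG = f'''\
conn=1012 op=3 SRCH base="dc=domain,dc=local" scope=2 deref=0 filter="{FLT}"
conn=1012 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=1013 op=1 ADD dn="uid=MyMachine,ou=Computers,dc=domain,dc=local"
conn=1013 op=1 RESULT tag=105 err=0 text=
conn=1012 op=4 SRCH base="ou=People,dc=domain,dc=local" scope=2 deref=0 filter="{FLT}"
conn=1012 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=
conn=1020 op=2 SRCH base="ou=Computers,dc=domain,dc=local" scope=2 deref=0 filter="{FLT}"
conn=1020 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
'''

SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) '
                  r'deref=\d filter="([^"]*)"')
DONE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ '
                  r'err=(\d+) nentries=(\d+)')
SCOPES = {"0": "base", "1": "one", "2": "sub"}

def trace_searches(log_text, needle):
    """Return, in completion order, each search whose filter contains needle."""
    pending, done = {}, []
    for line in log_text.splitlines():
        m = SRCH.search(line)
        if m:
            conn, op, base, scope, flt = m.groups()
            if needle.lower() in flt.lower():
                pending[(conn, op)] = {"base": base, "filter": flt,
                                       "scope": SCOPES.get(scope, scope)}
            continue
        m = DONE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            rec = pending.pop((m.group(1), m.group(2)))
            rec["err"], rec["nentries"] = int(m.group(3)), int(m.group(4))
            done.append(rec)
    return done

def misses(searches):
    """Search bases that returned no entry for the account."""
    return [s["base"] for s in searches if s["nentries"] == 0]

if __name__ == "__main__":
    for s in trace_searches(SAMPLE_LOG, "uid=MyMachine"):
        print(f'{s["base"]:<35} scope={s["scope"]} nentries={s["nentries"]}')
```
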