I would compare the LDAP attributes between a problem machine and a working machine. Each machine has to have a unique unix account name and SID.

Normally you don't need to precreate the samba account with "smbpasswd -a -m" or pdbedit. However, it may help with the diagnostics to see what is not getting created. If you use smbpasswd or pdbedit to create the account and then use the LDAP editor to fill in the missing attributes, you should be able to join the domain.


Also double check that machine accounts are not being created in some other LDAP OU than you expected. You might be trying to fix one LDAP entry while samba is creating one somewhere else.


It gets tricky when you use smbpasswd or pdbedit to create an account and it sees some attributes ther


On 06/14/13 07:49, Luis H. Forchesatto wrote:
Hi Gaiseric

Thanks for the reply.

I believe the problem is not the flags but I will check them again as you suggested. I've found this problem quite annoying because it is not on my network, it's on a remote network and I need to move physically to another place in order to test the environment, quite boring also.

Regarding the sambaPrimaryGroupSID I'll check again but I believe it MAY be the problem :) Also, can this cause this problem? "Another machine was already created previously..." something like....?


2013/6/10 Gaiseric Vandal <gaiseric.van...@gmail.com>

    I found that Samba 3.5.x has trouble creating the LDAP attributes
    correctly on new machine accounts. I think Samba 3.4.x was OK.
    Rejoining a machine to a domain was usually OK. You may
    need to do a mix of account creation with smbpasswd and LDAP
    modification with the LDAP editor.


    It appears to incorrectly set sambaAccountFlags as "[U]" (user)
    instead of "[W]" (workstation). When attempting to join a
    machine to the domain you may get an error that the account
    already exists. Use an LDAP editor to make sure sambaAccountFlags
    is set to "[W]." (You can use pdbedit to verify the setting but
    not to change it to "[W].")

    type:      sambaAccountFlags
    value:     [W         ]

    If, when joining a domain, you get an error that "the
    specified network password is not correct," you may need to
    precreate the samba account attributes with the pdbedit or
    smbpasswd commands. Try the following on spooky

    #smbpasswd -x -m machinename

    #smbpasswd -a -m machinename


    You MAY also need to make sure that the sambaPrimaryGroupSID is
    also set.  It should end with 515.

    type:      sambaPrimaryGroupSID
    value:    S-1-5-21-xxx-xxx-xxx-515







    On 06/10/13 08:33, Luis H. Forchesatto wrote:

        Greetings.

        I've run into trouble when trying to add a new Win7 machine to a
        domain. The domain is controlled by a server running Samba + LDAP
        (samba compiled with LDAP support), on a Debian 5 OS on the local
        network.

        I've added the machine name to the LDAP tree through phpldapadmin
        using the option "Samba3 Machine" on the related submenu and via
        terminal on samba. Then I renamed the new machine to match the
        computer name and tried to add it to the domain. When prompted for
        credentials to add the new machine I entered the admin login and
        password and hit <enter>.

        Windows then returned the following error (something like): "The
        junction operation was not well succeeded. Maybe another existent
        machine account <machine_account_name> was created previously using
        another set of credentials. Use another computer name or contact the
        admin to remove any obsolete conflicting account. Error: Access
        denied."

        Any ideas for the troubleshoot will be welcome.


-- To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/options/samba




--
Att.
Luis H. Forchesatto
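
The checks discussed in this thread (workstation flag [W], sambaPrimaryGroupSID ending in 515, unique account name and SID, entries created in an unexpected OU), sketched as an added example that is not part of the original messages. The LDIF, DNs and SIDs are constructed sample data; the thread writes sambaAccountFlags while the Samba 3 schema names the attribute sambaAcctFlags, so the script accepts either.

```python
from collections import defaultdict
# Constructed sample data (not from the thread); DNs, names and SIDs are made up.
SAMPLE_LDIF = """\
dn: uid=pc01$,ou=Computers,dc=example,dc=org
uid: pc01$
sambaSID: S-1-5-21-1-2-3-3001
sambaAcctFlags: [W          ]
sambaPrimaryGroupSID: S-1-5-21-1-2-3-515

dn: uid=pc02$,ou=Computers,dc=example,dc=org
uid: pc02$
sambaSID: S-1-5-21-1-2-3-3002
sambaAcctFlags: [U          ]

dn: uid=pc02$,ou=People,dc=example,dc=org
uid: pc02$
sambaSID: S-1-5-21-1-2-3-3002
sambaAcctFlags: [W          ]
sambaPrimaryGroupSID: S-1-5-21-1-2-3-513
"""

def parse_ldif(text):
    """Parse simple (unfolded, non-base64) LDIF into a list of attribute dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep and not line.startswith("#"):
                entry[key.lower()] = value.strip()
        entries.append(entry)
    return entries

def audit(entries):
    """Return a sorted list of (dn, problem) for machine accounts (uid ends in $)."""
    machines = [e for e in entries if e.get("uid", "").endswith("$")]
    problems, seen = [], defaultdict(list)
    for e in machines:
        flags = e.get("sambaacctflags") or e.get("sambaaccountflags", "")
        if "W" not in flags.strip("[] "):
            problems.append((e["dn"], "flags %r are not [W]" % flags))
        if not e.get("sambaprimarygroupsid", "").endswith("-515"):
            problems.append((e["dn"], "sambaPrimaryGroupSID missing or not -515"))
        seen["uid", e["uid"].lower()].append(e["dn"])
        seen["sambaSID", e.get("sambasid", "")].append(e["dn"])
    for (attr, value), dns in seen.items():
        if value and len(dns) > 1:
            problems.extend((dn, "duplicate %s %s" % (attr, value)) for dn in dns)
    return sorted(problems)
```

Run it over an unwrapped LDIF export of the whole directory rather than only the OU you expect, so machine entries created elsewhere show up as duplicates.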

