OK. I am starting to believe that Samba 3.0.x is not stable. At least, the documentation for Samba as PDC with OpenLDAP backend (which is what I have been trying to do for four days) is crap. All the documentation for 3.0.x is mixed with 2.2.x. Most documents start as instructions for 3.0.x but put a lot of information that doesn't apply to 3.0.x, but 2.2.x. People in the mailing list sometimes give answers that apply to 2.2.x. Some people tell me there is a bug that prevents the use of ou=Computers for machine accounts. Some people say they have no problems. Some people say I have to have Administrator with uid=0, some people tell me it must not be 0. Everyone says smbldap-tools work great, but they always give me strange errors.
I'm starting again, this time with 3.0.2pre1. I'm going to use Samba-HOWTO-Collection.pdf as the main guide for general samba configuration and http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html for LDAP configuration (even though I know they have errors regarding 3.0.x). I'm running SuSE 9.0 on an x86 machine. I have my openldap server running without problem. At the moment it has no samba information except the inclusion of the samba.schema in the slapd.conf. I'm using the JXplorer tool to add/modify/delete directory information. My LDAP base is dc=ica,dc=luz,dc=ve. The server is listening without SSL (port 389) on interface 127.0.0.1 (localhost) and listening LDAPS (with SSL, port 636) on all interfaces (I know this is deprecated in favor of StartTLS, but this configuration works well for me).

1. Samba 3.0.1 compiled and installed without problems with the following commands:

    ./configure --prefix=/opt/samba-3.0.2pre1 --with-ldap --with-quotas --with-winbind --with-libsmbclient --with-fhs --with-smbmount
    make
    make install

2. The first step is configuring the smb.conf file. I read the documentation and I think I understand most parts of it. The only example in Section 5.3 (Domain Control Example Configuration) is for a tdbsam backend, which I am not interested in. I use a similar configuration but using information from Section 11.4.4 (Account Information Databases - ldapsam) and previous experience.
My first version of smb.conf is:

--------START smb.conf----------
[global]
    #Only allow hosts in my network
    hosts allow = 172.17.6.0/255.255.255.0
    netbios name = BOA
    workgroup = ICALUZ
    security = user
    encrypt passwords = yes
    preferred master = yes
    domain master = yes
    local master = yes
    domain logons = yes
    unix charset = "ISO-8859-1"
    os level = 33
    ldap suffix = dc=ica,dc=luz,dc=ve
    ldap admin dn = "cn=Manager,dc=ica,dc=luz,dc=ve"
    idmap backend = ldap:ldap://localhost
    idmap gid = 10000-20000
    idmap uid = 10000-20000
    ldap idmap suffix = ou=Idmap
    passdb backend = ldapsam:ldap://localhost
    ldap ssl = off
    ldap delete dn = no
    ldap user suffix = ou=Personas
    ldap group suffix = ou=Grupos
    ldap machine suffix = ou=Personas
    #ldap machine suffix = ou=Computadoras
    #ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
    ldap filter = (uid=%u)
    logon path = \\%N\profiles\%u
    logon drive = H:
    logon home = \\homeserver\%u\winprofile
    #logon home = \\%N\%u
    logon script = logon.cmd
    #logging
    log level = 2
    log file = /var/lib/samba/%m.log

[netlogon]
    path = /var/lib/samba/netlogon
    read only = yes
    write list = domadmin

[profiles]
    path = /var/lib/samba/profiles
    read only = no
    create mask = 0644
    directory mask = 0755

[test]
    path=/tmp
    writeable=yes
    public=yes
--------END smb.conf----------

Differences with respect to the documentation:

hosts allow: only computers from my network can connect to the server.

The order of some directives is changed because I like it better this way. It apparently doesn't matter (if there is a mistake, please correct me).

unix charset: My native language is Spanish and it is common to have files with accented letters. The smb-ldap3-howto (which is from Spain) recommends using CP850, but it did not work for me. ISO-8859-1 works great.

ldap ssl: I do not use SSL because the LDAP server is in the same machine as samba.

ldap machine suffix: The documentation (Samba Howto Collection - SHC) says one should use ou=Computers (ou=Computadoras in Spanish).
I have this commented and am using ou=Personas (equivalent to ou=People) since a lot of people say there is a bug in Samba 3.0.x that prevents it from searching ou=Computers tree. I do not know if this is fixed in Samba 3.0.2pre1, I'll test that later if everything else goes fine.

ldap filter: the documentation (example 11.4.1 in SHC) says one should use (&(uid=%u)(objectclass=sambaSamAccount)), but I found out in previous installations that it doesn't work, at least when you use smbpasswd -a, because at that time entries do not have the sambaSamAccount class and are filtered out. ldap filter =&(uid=%u) worked for me last time so that's what I'm using.

I do not yet understand what Idmap does. I read it maps Unix group and user IDs to Windows user and group SIDs. I am somewhat confused because instructions also say a tool called net groupmap should be used to map unix groups to windows groups. Someone please clarify. I put some entries for it because if it is going to store information I prefer that it does so in the LDAP directory.

There are a few differences in the netlogon and profiles shares. I used domadmin instead of ntadmin for write list of netlogon and used different masks in profiles.

I'm using logon home = \\homeserver\%u\winprofile, but this isn't going to work because I haven't configured a homeserver server. I'll correct this when everything else works OK.

2. The SHC says I should add the following entries:
- The organization. I added it.
- A directory manager (dn: cn=Manager). I didn't add this because it is created automatically by OpenLDAP.
- Groups, People and Computers organizational units. I added these.
- An admin entry for each of the previously created ou's. I didn't add these because I am going to administer the entries using the cn=Manager.

3. The SHC says I should use the following command so it can access the LDAP server.

    smbpasswd -w <password>

I did this without problems.
From this point on all the LDAP related information in SHC applies to Samba 2.2.x. It talks about sambaSamAccount, but all described parameters apply to the Samba 2.2.x sambaAccount. So I switch to SLH.

4. The first relevant thing I find is that there are some Ldap basic entries (also with posixAccount). SLH says:

"In the [SAMBA_3_0] and [HEAD] only a few basic entries are required: nobody and administrator BUT an account with uidNumber=0 (root or administrator) MUST be present if you need add XP/W2K ws. The reason: an administrative account is demanded in the ws side in the join process, and that account must have a uidNumber=0 in the unix world. Remember that in the ldapsam backend the rid mapping is algorithmic based: rid='2*uidNumber+1000' and primaryGroup='2*uidNumber+100+1', so a root or any administrative account must have a rid of 1000, and a sambaSID like:

sambaSID: S-1-5-21-298858960-1863792627-3661451959-1000
sambaPrimaryGroupSID: S-1-5-21-298858960-1863792627-3661451959-1001

The root/administrator (uidNumber=0) SHOULD be present in the NT's Admins group (rid=512). "

What I interpret from this is that I have to create three posixAccounts (root, Administrator and nobody, although it seems root and nobody might have been enough) and an NT administrative group. Both root and administrator have to belong to the administrative group. There are no instructions at this point on how to create the groups. They appear later.

There are other things that are not clear. I have read (and it appears later in SLH) that three Samba (NT) groups must be created: "Domain Admins", "Domain Users" and "Domain Guests" and that these groups should have rid's 512, 513 and 514 respectively.
To map the groups, SLH says the following commands should be used:

    net groupmap add rid=514 ntgroup="Domain Guests" unixgroup=nobody
    net groupmap add rid=513 ntgroup="Domain Users" unixgroup=users
    net groupmap add rid=512 ntgroup="Domain Admins" unixgroup=admins

There is another thing that is not clear. The (LDIF) entries appear with all samba attributes set, but it is not clear how they must be set, but I know they are set with smbpasswd -a. The example that comes with SLH says the following about the three accounts:

Administrator:
    uidNumber: 506 --- I assume this can be any number not equal to 0
    gidNumber: 0 --- maybe because the posixGroup 0 should be previously mapped to sambaGroup rid 512, although this is not written anywhere. Is this true?
    sambaSID: a number that ends with 500 (I really don't know if this is truly necessary, but it DOES NOT come from the formula given above).
    sambaPrimaryGroupSID: must end with 512 (to indicate it belongs to the Domain Admins group, I assume).
    sambaAcctFlags [UX ] -- user account and password doesn't expire

nobody:
    uidNumber: 99 --- I assume this can be any number not equal to 0
    gidNumber: 99 --- Idem
    sambaSID: a number that ends with 501 (I don't know if this is necessary, but it DOES NOT come from the formula given above).
    sambaPrimaryGroupSID: must end with 514 (to indicate it belongs to the Domain Guests group, I assume).
    sambaAcctFlags [UX ] -- user account and password doesn't expire

root:
    uidNumber: not shown, but I assume 0
    gidNumber: Idem
    sambaSID: a number that ends with 1000 (I don't know if this is necessary, but it comes from the formula given above).
    sambaPrimaryGroupSID: must end with 1001 (I don't know if this is either necessary or correct, but it comes from the formula above, unless it is wrong and it is 1001 instead of the strange value 100+1).
    sambaAcctFlags [U ] -- user account

The last time I followed the instructions and created the users first I did not get the right values for sambaPrimaryGroupSID (I got the expected values using the formulas). This time I decided to first create the groups, do the mappings and then create the users.

To create the groups I first create the following posixGroups entries in the LDAP directory:

dn: cn=users,ou=Grupos,dc=ica,dc=luz,dc=ve
objectClass: posixGroup
objectClass: top
cn: users
description: Local Unix group
gidNumber: 100

dn: cn=domadmin,ou=Grupos,dc=ica,dc=luz,dc=ve
objectClass: posixGroup
objectClass: top
cn: domadmin
description: Local Unix group
gidNumber: 0

dn: cn=nobody,ou=Grupos,dc=ica,dc=luz,dc=ve
objectClass: posixGroup
objectClass: top
cn: nobody
description: Local Unix group
gidNumber: 65533

I mapped the groups to samba groups with the following commands: I added the following LDAP entries:

    net groupmap add rid=514 ntgroup="Domain Guests" unixgroup=nobody
    net groupmap add rid=513 ntgroup="Domain Users" unixgroup=users
    net groupmap add rid=512 ntgroup="Domain Admins" unixgroup=domadmin

All commands worked successfully.
Now the group entries look like this:

dn: cn=users,ou=Grupos,dc=ica,dc=luz,dc=ve
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: users
description: Local Unix group
displayName: Domain Users
gidNumber: 100
sambaGroupType: 2
sambaSID: S-1-5-21-893857118-1575030141-3707423182-513

dn: cn=domadmin,ou=Grupos,dc=ica,dc=luz,dc=ve
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: domadmin
description: Local Unix group
displayName: Domain Admins
gidNumber: 0
sambaGroupType: 2
sambaSID: S-1-5-21-893857118-1575030141-3707423182-512

dn: cn=nobody,ou=Grupos,dc=ica,dc=luz,dc=ve
objectClass: posixGroup
objectClass: top
objectClass: sambaGroupMapping
cn: nobody
description: Local Unix group
displayName: Domain Guests
gidNumber: 65533
sambaGroupType: 2
sambaSID: S-1-5-21-893857118-1575030141-3707423182-514

They look good, I think. Now I'm going to add the users. I put these entries in the directory:

dn: uid=root,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: person
objectClass: posixAccount
objectClass: top
cn: root
gidNumber: 0
homeDirectory: /dev/null
loginShell: /dev/null
sn: root
uid: root
uidNumber: 0

dn: uid=nobody,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: person
objectClass: posixAccount
objectClass: top
cn: nobody
gidNumber: 65533
homeDirectory: /dev/null
loginShell: /dev/null
sn: nobody
uid: nobody
uidNumber: 65533

dn: uid=Administrator,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: person
objectClass: posixAccount
objectClass: top
cn: Administrator
gidNumber: 0
homeDirectory: /dev/null
loginShell: /dev/null
sn: Administrator
uid: Administrator
uidNumber: 506

dn: uid=borra,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: person
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
cn: Borra
gidNumber: 100
homeDirectory: /home/borra
loginShell: /bin/bash
shadowExpire: -1
shadowFlag: 7100670
shadowInactive: -1
shadowLastChange: 11762
shadowMax: 99999
shadowMin: -1
shadowWarning: -1
sn: Borra
uid: borra
uidNumber: 1010
userPassword:: Ym9ycmE=

The borra user is a normal (test) user.

5. At this point the SLH discusses some steps I already did:
- group mapping
- configuring smb.conf, which I already configured not exactly like SLH says because there are things that I know don't work for me.
- smbpasswd -w <passwd>

6. The next step in SLH is "Starting and stopping the samba server". I will do that after I add samba attributes to users in the directory.

7. The next step in SLH is "Adding accounts with smbpasswd". SLH says that smbpasswd "makes all the ldap stuff for you, from the scratch" (even though the first step about configuring accounts shows ldap entries with all samba attributes). SLH says to add users "./bin/smbpasswd -a <user> -D 256" and to add machines "./bin/smbpasswd -m -a <ws_name>$ -D 256". Of course this doesn't add users to LDAP directory, but adds samba attributes to existing users in the directory. I ran successfully the following commands:

    smbpasswd -a root
    smbpasswd -a Administrator
    smbpasswd -a nobody

Now the entries in the directory look like this:

dn: uid=borra,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: person
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: top
objectClass: sambaSamAccount
cn: borra
displayName: borra
gidNumber: 100
homeDirectory: /home/borra
loginShell: /bin/bash
sambaAcctFlags: [U ]
sambaLMPassword: 9C66ABD24F833796AAD3B435B51404EE
sambaNTPassword: B481BD80DA6D4E289F47611E924D5A3C
sambaPrimaryGroupSID: S-1-5-21-893857118-1575030141-3707423182-513
sambaPwdCanChange: 1074126298
sambaPwdLastSet: 1074126298
sambaPwdMustChange: 2147483647
sambaSID: S-1-5-21-893857118-1575030141-3707423182-3020
shadowExpire: -1
shadowFlag: 7100670
shadowInactive: -1
shadowLastChange: 11762
shadowMax: 99999
shadowMin: -1
shadowWarning: -1
sn: Romero
uid: borra
uidNumber: 1010
userPassword:: Ym9ycmE=

dn: uid=nobody,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: person
objectClass: posixAccount
objectClass: top
objectClass: sambaSamAccount
cn: nobody
displayName: nobody
gidNumber: 99
homeDirectory: /dev/null
loginShell: /dev/null
sambaAcctFlags: [U ]
sambaLMPassword: C95F11D5EBB770D2AAD3B435B51404EE
sambaNTPassword: 3A1F23F3A6E96E48C4D256A557BF7C9F
sambaPwdCanChange: 1074126257
sambaPwdLastSet: 1074126257
sambaPwdMustChange: 2147483647
sambaSID: S-1-5-21-893857118-1575030141-3707423182-501
sn: nobody
uid: nobody
uidNumber: 1000

dn: uid=Administrator,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: person
objectClass: posixAccount
objectClass: top
objectClass: sambaSamAccount
cn: Administrator
displayName: Administrator
gidNumber: 0
homeDirectory: /dev/null
loginShell: /dev/null
sambaAcctFlags: [U ]
sambaLMPassword: 6A98EB0FB88A449CBE6FABFD825BCA61
sambaNTPassword: D144986C6122B1B1654BA39932465528
sambaPrimaryGroupSID: S-1-5-21-893857118-1575030141-3707423182-512
sambaPwdCanChange: 1074126020
sambaPwdLastSet: 1074126020
sambaPwdMustChange: 2147483647
sambaSID: S-1-5-21-893857118-1575030141-3707423182-2012
sn: Administrator
uid: Administrator
uidNumber: 506

dn: uid=root,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: person
objectClass: posixAccount
objectClass: top
objectClass: sambaSamAccount
cn: root
displayName: root
gidNumber: 0
homeDirectory: /dev/null
loginShell: /dev/null
sambaAcctFlags: [U ]
sambaLMPassword: D480EA9533C500D4AAD3B435B51404EE
sambaNTPassword: 329153F560EB329C0E1DEEA55E88A1E9
sambaPrimaryGroupSID: S-1-5-21-893857118-1575030141-3707423182-512
sambaPwdCanChange: 1074126010
sambaPwdLastSet: 1074126010
sambaPwdMustChange: 2147483647
sambaSID: S-1-5-21-893857118-1575030141-3707423182-1000
sn: root
uid: root
uidNumber: 0

Everything looks more or less good. I do not know if it is OK, but at least Administrator and root do have the 512 in the sambaPrimaryGroupSID attribute. The user nobody had no value in sambaPrimaryGroupSID. I do not know why, but I do not care much because that's nobody.

7.
At this point I start samba simply running smbd and nmbd. The log says:

[2004/01/14 20:40:23, 2] lib/interface.c:add_interface(79)
  added interface ip=172.17.6.2 bcast=172.17.255.255 nmask=255.255.0.0
[2004/01/14 20:40:23, 0] smbd/server.c:main(781)
  standard input is not a socket, assuming -D option
[2004/01/14 20:40:23, 2] lib/tallocmsg.c:register_msg_pool_usage(57)
  Registered MSG_REQ_POOL_USAGE
[2004/01/14 20:40:23, 2] lib/dmallocmsg.c:register_dmalloc_msgs(71)
  Registered MSG_REQ_DMALLOC_MARK and LOG_CHANGED
[2004/01/14 20:40:23, 2] smbd/server.c:open_sockets_smbd(318)
  waiting for a connection

It seems OK.

8. Before doing the next step in SLH, I will try to mount the test share using smbmount from an external unix machine and from a windows machine using the test user borra.

    smbmount //boa/test mnt -o username=borra

I tried the same command from the server I am configuring and it worked great. BTW, boa is the name of the server I am configuring (I think I never said that). From windows it worked well too. Accented letters worked well in both environments.

9. The next step is what has never worked for me. "Joining workstations (NT, W2K, XP) to the Samba domain". SLH says:

"Basically you need cover these steps to add (join) a windows NT/W2K/XP to the domain:
- in the PDC samba server create an account for the machine
    - one entry in the /etc/passwd or equivalent (nsswitch...) for the machine_name$-ended
    - one basic entry in the ldap previous to call to the smbpasswd
    - one full entry in the ldap with smbpasswd -a -m <machine_name>$
- in the MS workstation, if is a XP or W2K you need set in the registry: SignOrSeal to "0"
- in the MS workstation you need join to the domain ASAP via:"
blah blah...

I interpret this as saying that I need to add an entry in both /etc/passwd and the LDAP server. This is absurd to me. If I'm using LDAP, that's the only place where it makes sense to me to add the machine account. Maybe I'm wrong.
Maybe the reason of ou=Computers not working is because Samba needs to see the machine as users and, since nss_ldap is configured to search users only in ou=People then the only other way for it to see them as users is adding them to /etc/passwd. Maybe this is also wrong. Of course these instructions are incomplete because everywhere I see it is required to have a value for "add machine script" in smb.conf.

I have read (probably in the mailing list) that the SignOrSeal change is not required in Samba 3.0.x. This may be possible. I have also read that W2K and WinXP do not support manual creation of the account. Since the machine I want to add is W2K I will try to join it automatically to the domain. My first attempt will be with the server configuration as it is.

It failed, as was expected.

I see that smbldap-tools work well for most people in the list and they use that as the command to run in "add machine script". I downloaded those tools (version 0.8.2) and they do not work. No matter what I do, I always get the same kind of error:

failed to perform search; No such object at /root/smbldap-tools-0.8.2/ smbldap_tools.pm line 156, <DATA> line 283.
failed to add entry: referral missing at ./smbldap-useradd.pl line 251, <DATA> line 283.
No such object at /root/smbldap-tools-0.8.2//smbldap_tools.pm line 180, <DATA> line 283.

I configured the smbldap_tools.pm correctly (at least that is what I think). I installed every possible perl package that comes with SuSE 9 (including one called perl-ldap or something like that). I gave up with those tools. I do not like them anyway because they say they do not support shadowAccount and I intend to use shadowAccount. These tools look like they perform the combined work of ldapadd (or ldapmodify, etc.) and smbpasswd. I have no problems adding LDAP entries manually, especially with JXplorer and later using smbpasswd to set samba attributes, so I will not use these tools.

Since SLH redirects me to SHC, I go to Chapter 7 "Domain Membership". It explains some things I think I understand, but all specific to a tdbsam backend. It first explains manual creation of machine accounts using useradd and smbpasswd -a -m. I think I would have no problem first adding posixAccount info in LDAP and then using smbpasswd -a -m. Then SHC goes to a section called "On-the-Fly Creation of Machine Trust Accounts". SHC says:

" The second (and recommended) way of creating Machine Trust Accounts is simply to allow the Samba server to create them as needed when the client is joined to the domain. Since each Samba Machine Trust Account requires a corresponding UNIX account, a method for automatically creating the UNIX account is usually supplied; this requires configuration of the add machine script option in smb.conf. This method is not required, however, corresponding UNIX accounts may also be created manually. "

As I understand it, the add machine account only requires adding the posixAccount information and not the samba account information. I assume then that samba automatically executes "smbpasswd -a -m <machine>". The example (not using LDAP) could not be clearer:

    add machine script = /usr/sbin/useradd -d /dev/null -g 100 -s /bin/false -M %u

Since "corresponding UNIX accounts may also be created manually" I will add a machine account entry manually to the LDAP server and then try to join the W2K machine automatically to the domain.

The first problem I face is what to use as gidNumber. The example uses 100, which is usually a user group id. I checked Table 12.1 in SHC and there is a non-essential group called "Domain Computers" with RID=515. Since I couldn't find a specific gidNumber to use in this circumstance, I will create a domcomputers posix group mapped to Samba RID 515 and use the corresponding gidNumber for the machine account.
After the operation "net groupmap list" shows:

Domain Users (S-1-5-21-893857118-1575030141-3707423182-513) -> users
Domain Admins (S-1-5-21-893857118-1575030141-3707423182-512) -> root
Domain Guests (S-1-5-21-893857118-1575030141-3707423182-514) -> nobody
Domain Computers (S-1-5-21-893857118-1575030141-3707423182-515) -> domcomputers

I added the following entry to the LDAP server:

dn: uid=machorro$,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: posixAccount
objectClass: device
objectClass: top
cn: machorro$
description: test machine
gidNumber: 101
homeDirectory: /dev/null
loginShell: /dev/null
uid: machorro$
uidNumber: 2000

Now I will try to join it to the domain. I am using the root account since I read that an account with uidNumber=0 is required for this operation.

IT WORKED!!!!!!!! IT WORKED!!!!!!!!!!

machorro said: "Bienvenido al dominio ICALUZ", that is "Welcome to ICALUZ domain". I really thought it was not going to work. The machorro$ LDAP entry now is:

dn: uid=machorro$,ou=Personas,dc=ica,dc=luz,dc=ve
objectClass: posixAccount
objectClass: device
objectClass: top
objectClass: sambaSamAccount
cn: machorro$
description: test machine
displayName: machorro$
gidNumber: 101
homeDirectory: /dev/null
loginShell: /dev/null
sambaAcctFlags: [W ]
sambaLMPassword: 104BB6F47FAC1C3C8154FBC2F211C5B1
sambaNTPassword: FBC80084DF2D1D4B223A643F74611420
sambaPrimaryGroupSID: S-1-5-21-893857118-1575030141-3707423182-515
sambaPwdCanChange: 1074130590
sambaPwdLastSet: 1074130590
sambaPwdMustChange: 2147483647
sambaSID: S-1-5-21-893857118-1575030141-3707423182-5000
uid: machorro$
uidNumber: 2000

I logged in on machorro and it only complained about not being able to create the profile on the server, but that is because I have

    logon home = \\homeserver\%u\winprofile

And homeserver doesn't exist. It used a local profile and everything else was fine.

Well, now I have nothing else to do. Simply add more users and more machines. Wait.
I will now try to put the machine account under the ou=Computers tree, just to see what happens. The first thing I'll try will be moving the machorro$ account to the ou=Computadoras subtree and changing the smb.conf "ldap machine suffix" entry to ou=Computadoras.

I turned off machorro and stopped samba. Now I moved the machorro account to ou=Computadoras (which is very easy with JXplorer). Then I start samba (smbd and nmbd) and turn on machorro. I could log in without problems. Interesting.

Now I will try to add another machine to the domain. I first added the following entry to the LDAP server:

dn: uid=titanic$,ou=Computadoras,dc=ica,dc=luz,dc=ve
objectClass: posixAccount
objectClass: device
objectClass: top
cn: titanic$
description: test machine
gidNumber: 101
homeDirectory: /dev/null
loginShell: /dev/null
uid: titanic$
uidNumber: 2001

I tried to join titanic to the domain, but I got the following error: "the user name could not be found." I suppose this happens when samba does the equivalent to smbpasswd -a -m.

Bad luck. But at least I can add W2K machines to the domain. I am very happy.

I apologize for calling crap the Samba documentation. It was of great help, but it certainly needs improvement. And I hope the ou=Computers bug is fixed soon.

I expect this story could help others trying to do the same I am doing. The next battle will be configuring a BDC, but that will be another day.

Regards,
VS
--
Fuera Chávez
--
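
The RID rule quoted from SLH in the message above (rid = 2*uidNumber+1000) can be checked mechanically against directory entries like the ones posted. The following Python is an added example, not part of the original message or of Samba: SAMPLE_LDIF is constructed from the final entries in the post (trimmed to the attributes used), the function names are made up for this example, and RIDs 500 and 501 are treated as well-known exceptions because the post notes they do not come from the formula.

```python
# Constructed sample: final entries from the post, trimmed to the attributes the check needs.
SAMPLE_LDIF = """\
dn: uid=root,ou=Personas,dc=ica,dc=luz,dc=ve
uid: root
uidNumber: 0
sambaSID: S-1-5-21-893857118-1575030141-3707423182-1000
sambaPrimaryGroupSID: S-1-5-21-893857118-1575030141-3707423182-512

dn: uid=Administrator,ou=Personas,dc=ica,dc=luz,dc=ve
uid: Administrator
uidNumber: 506
sambaSID: S-1-5-21-893857118-1575030141-3707423182-2012
sambaPrimaryGroupSID: S-1-5-21-893857118-1575030141-3707423182-512

dn: uid=nobody,ou=Personas,dc=ica,dc=luz,dc=ve
uid: nobody
uidNumber: 1000
sambaSID: S-1-5-21-893857118-1575030141-3707423182-501

dn: uid=machorro$,ou=Personas,dc=ica,dc=luz,dc=ve
uid: machorro$
uidNumber: 2000
sambaSID: S-1-5-21-893857118-1575030141-3707423182-5000
sambaPrimaryGroupSID: S-1-5-21-893857118-1575030141-3707423182-515

dn: uid=titanic$,ou=Computadoras,dc=ica,dc=luz,dc=ve
uid: titanic$
uidNumber: 2001
"""

# Group RIDs named in the post; 500/501 are the user RIDs it says bypass the formula.
GROUP_RIDS = {512: "Domain Admins", 513: "Domain Users",
              514: "Domain Guests", 515: "Domain Computers"}
WELL_KNOWN_USER_RIDS = {500, 501}

def parse_ldif(text):
    """Parse simple LDIF into a list of {lowercased attribute: [values]} dicts."""
    entries, current, last = [], {}, None
    for line in text.splitlines() + [""]:
        if not line.strip():                      # blank line ends an entry
            if current:
                entries.append(current)
            current, last = {}, None
        elif line.startswith("#"):                # LDIF comment
            continue
        elif line.startswith(" ") and last:       # folded continuation line
            current[last][-1] += line[1:]
        else:
            attr, _, value = line.partition(":")
            last = attr.strip().lower()
            current.setdefault(last, []).append(value.lstrip(": ").strip())
    return entries

def rid(sid):
    return int(sid.rsplit("-", 1)[1])

def audit(entries):
    """Compare each account's sambaSID with 2*uidNumber+1000 and flag admin-level accounts."""
    report = {}
    for e in entries:
        uid, uid_number = e["uid"][0], int(e["uidnumber"][0])
        if "sambasid" not in e:                   # posixAccount only, like titanic$ after the failed join
            report[uid] = {"status": "no-samba-attributes", "privileged": uid_number == 0}
            continue
        user_rid, expected = rid(e["sambasid"][0]), 2 * uid_number + 1000
        status = ("algorithmic" if user_rid == expected else
                  "well-known" if user_rid in WELL_KNOWN_USER_RIDS else "mismatch")
        pg = e.get("sambaprimarygroupsid")
        group_rid = rid(pg[0]) if pg else None
        report[uid] = {"rid": user_rid, "expected": expected, "status": status,
                       "group": GROUP_RIDS.get(group_rid, group_rid),
                       "privileged": uid_number == 0 or group_rid == 512}
    return report

if __name__ == "__main__":
    for name, row in audit(parse_ldif(SAMPLE_LDIF)).items():
        print(name, row)
```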
