Hi,

There is another parameter which causes adding the machine account to fail: the ldap filter parameter. If the ldap filter contains the filter (&(uid=%u)(objectclass=sambaSamAccount)), Samba does not add the machine account correctly.
-----------------------------------
Stéphane PURNELLE [EMAIL PROTECTED]
Service Informatique Corman S.A. Tel : 00 32 087/342467

[EMAIL PROTECTED] wrote on 06/06/2005 09:28:40:

> The script only adds the posix stuff, when you join the workstation the
> sambaSam entries are created by samba.
> BUT...
> Samba NEEDS to find a posix account with the name of the machine being
> joined. How are you doing user lookups on your posix side?
> If you use nss_ldap and you have a separate ou in your directory for users
> and computers that could be where your problem is.
> i.e. if
> nss_ldap is set to look in "ou=users,dc=test,dc=com " for its posix userbase
> then if you do:
> :~#getent passwd
> then it will return only users it finds in that ou. So if your add machine
> script is creating "users"(machine accounts) in ou=computers,dc=test,dc=com
> then as far as posix is concerned there is no posix account for the new
> machine. Samba will not find a posix account and will not add the sambaSam
> entries and the join will fail. You have 2 options:
> 1. Add your user accounts and computer accounts to the same ou.
> 2. Tell nss_ldap to do sub tree searches of the parent ou. eg. set your base
> to "dc=test,dc=com" rather than "ou=users,dc=test,dc=com"
> This is how I understand it anyhow, I might be wrong, I'm no Samba pro but I
> went for option 2.
> If anyone can shed some more light on this or set me straight if I'm
> wrong, please do.
> Cheers,
> Rhys
>
>
> On 6/6/05, Andres Toomsalu <[EMAIL PROTECTED]> wrote:
> >
> > Tim Verhoeven wrote:
> >
> > >On 6/4/05, Andres Toomsalu <[EMAIL PROTECTED]> wrote:
> > >
> > >
> > >>I've reported this before but I guess I'll have to do it again, since
> > >>it's not fixed yet or I'm understanding something wrong here.
> > >>
> > >>The problem is that smbldap-useradd -w 'machinename' will add only
> > >>posixAccount entries into ldap but it should add both posixAccount and
> > >>sambaSAMAccount entries.
> > >>
> > >>So if one doesn't add correct machine account entries manually to ldap
> > >>the windows workstation domain joining is impossible.
> > >>
> > >>
> > >
> > >In my experience the smbldap-useradd behaviour is correct. It will
> > >only add the posixAccount part of a machine account. Then when you
> > >actually join a machine to a domain Samba itself will modify the
> > >machine account and add the sambaSAMAccount parts.
> > >
> > >For this to work you will of course need also to configure Samba that
> > >it has a ldap account that has the rights to update items in the ldap
> > >tree.
> > >
> > >
> >
> > I just made fresh tests again with win xp pro sp2 and samba 3.0.14a +
> > smbldap-tools 0.88 just to be sure nothing has changed meanwhile:
> >
> > 1) I can't join XP workstation to domain when I don't have computer
> > account in ldap - Error is "Access denied". In result it makes computer
> > account in ldap but only posixAccount part of it as smbldap-useradd -w
> > does it.
> > 2) I can't join XP workstation to domain when I do have computer account
> > in ldap - but only posixAccount entries as smbldap-useradd -w '%u' makes
> > them like that - Error is "Access denied".
> > 3) I can join XP workstation to domain when I manually make correct
> > computer account entries in ldap with phpldapadmin - then there are both
> > posixAccount and sambaSamAccount entries present.
> >
> > Here are copy-paste samples of computer accounts in my ldap - first
> > sample is made with smbldap-useradd -w and second that actually works is
> > made manually:
> >
> > # Entry 1: uid=testmasin$,ou=Computers,dc=active,dc=ee
> > dn: uid=testmasin$,ou=Computers,dc=active,dc=ee
> > objectClass: top
> > objectClass: inetOrgPerson
> > objectClass: posixAccount
> > cn: testmasin$
> > sn: testmasin$
> > uid: testmasin$
> > uidNumber: 1016
> > gidNumber: 515
> > homeDirectory: /dev/null
> > loginShell: /bin/false
> > description: Computer
> > gecos: Computer
> >
> >
> > # Entry 1: uid=windesk$,ou=Computers,dc=active,dc=ee
> > dn: uid=windesk$,ou=Computers,dc=active,dc=ee
> > gidNumber: 515
> > uidNumber: 3002
> > uid: windesk$
> > sambaSID: S-1-5-21-530076877-4031960640-1585896771-7004
> > sambaAcctFlags: [W ]
> > cn: windesk
> > homeDirectory: /dev/null
> > objectClass: top
> > objectClass: sambaSamAccount
> > objectClass: posixAccount
> > objectClass: account
> > sambaPwdMustChange: 2147483647
> > sambaPwdCanChange: 1118035851
> > sambaNTPassword: D8B4AEB073153BADC4CD6DE75CF1BFB0
> > sambaPwdLastSet: 1118035851
> >
> >
> >
> > So joining XP workstations to domain with smbldap-tools doesn't work for
> > me. I still think there is a bug in smbldap-useradd script that it won't
> > add sambaSamAccount entries when invoked as "smbldap-useradd -w '%u'".
> >
> > I don't think sambaSamAccount entries are being added during domain
> > joining procedure because for domain joining samba uses the very same
> > "smbldap-useradd -w '%u'" command - which doesn't add any
> > sambaSamAccount entries.
> >
> >
> > >
> > >>The Samba Openldap howto clearly documents that smbldap-useradd -w
> > >>'workstation' should produce following entries in ldap:
> > >>
> > >>dn: uid=testhost3$,ou=Computers,dc=IDEALX,dc=ORG
> > >>objectClass: top
> > >>objectClass: posixAccount
> > >>objectClass: sambaSAMAccount
> > >>cn: testhost3$
> > >>gidNumber: 553
> > >>homeDirectory: /dev/null
> > >>loginShell: /bin/false
> > >>uid: testhost3$
> > >>uidNumber: 1005
> > >>sambaPwdLastSet: 0
> > >>sambaLogonTime: 0
> > >>sambaLogoffTime: 2147483647
> > >>sambaKickoffTime: 2147483647
> > >>sambaPwdCanChange: 0
> > >>sambaPwdMustChange: 2147483647
> > >>description: Computer Account
> > >>rid: 0
> > >>primaryGroupID: 0
> > >>lmPassword: 7582BF7F733351347D485E46C8E6306E
> > >>ntPassword: 7582BF7F733351347D485E46C8E6306E
> > >>acctFlags: [W ]
> > >>
> > >>
> > >
> > >So my guess is that this is a bug in the documentation and not in the code.
> > >
> > >Kind regards,
> > >Tim
> > >
> >
> > --
> > ----------------------------------------------
> > Andres Toomsalu, [EMAIL PROTECTED]
> > juhataja - general manager, OÜ Active Systems
> > Lille 4-205, Pärnu 80041, phone +372 44 70 595
> > GSM +372 56 496 124, IM: [EMAIL PROTECTED]
> > http://www.active.ee
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/listinfo/samba
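
Added example, not part of the original thread and not Samba or nss_ldap code: a small Python model of the two lookups discussed above, the posix account search under the nss_ldap base and the search using the ldap filter. The directory contents, the function names and the default Samba suffix are assumptions constructed for illustration, and the filter evaluator handles only AND-ed equality tests.

```python
import re

# Constructed directory modelled on the thread: one user, and one machine
# account as created by "smbldap-useradd -w" (posixAccount only).
DIRECTORY = {
    "uid=rhys,ou=users,dc=test,dc=com": {
        "objectclass": ["posixAccount", "sambaSamAccount"], "uid": ["rhys"]},
    "uid=testmasin$,ou=computers,dc=test,dc=com": {
        "objectclass": ["top", "inetOrgPerson", "posixAccount"],
        "uid": ["testmasin$"]},
}

def in_subtree(dn, base):
    """True if dn is the base itself or lies below it (subtree scope)."""
    dn, base = dn.lower().replace(" ", ""), base.lower().replace(" ", "")
    return dn == base or dn.endswith("," + base)

def matches(entry, ldap_filter):
    """Evaluate a filter of AND-ed equality tests, e.g. (&(a=b)(c=d))."""
    tests = re.findall(r"\(([A-Za-z]+)=([^()]*)\)", ldap_filter)
    return bool(tests) and all(
        value.lower() in [v.lower() for v in entry.get(attr.lower(), [])]
        for attr, value in tests)

def search(base, ldap_filter):
    """Return the DNs under base whose entry satisfies the filter."""
    return [dn for dn, entry in DIRECTORY.items()
            if in_subtree(dn, base) and matches(entry, ldap_filter)]

def diagnose(machine, nss_base, samba_filter, samba_suffix="dc=test,dc=com"):
    """Return the reasons a join would not find the machine's entry."""
    problems = []
    # Posix side: what "getent passwd" can see under the configured base.
    if not search(nss_base, f"(&(objectClass=posixAccount)(uid={machine}))"):
        problems.append("posix lookup: no account under " + nss_base)
    # Samba side: the ldap filter with %u replaced by the account name.
    if not search(samba_suffix, samba_filter.replace("%u", machine)):
        problems.append("samba lookup: filter does not match the entry")
    return problems

if __name__ == "__main__":
    strict = "(&(uid=%u)(objectclass=sambaSamAccount))"
    print(diagnose("testmasin$", "ou=users,dc=test,dc=com", "(uid=%u)"))
    print(diagnose("testmasin$", "dc=test,dc=com", strict))
    print(diagnose("testmasin$", "dc=test,dc=com", "(uid=%u)"))
```
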