Hi

I am running samba 3.0.22 on Solaris 10 x86, using a Sun Directory Server as ldapsam backend. The samba schema used is the recent version from .22, and I am using the IDEALX smbldap-tools 0.9.2.

I split users, computers and groups into 3 different OUs and configured samba, smbldap-tools and Solaris ldapclient respectively.

smb.conf:
  ldap suffix = dc=new10,dc=com
  ldap user suffix = ou=Users
  ldap group suffix = ou=Groups
  ldap machine suffix = ou=Computers
  add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 0 -w "%u"
  (I also tried -w "%m")

smbldap.conf:
  suffix="dc=new10,dc=com"
  usersdn="ou=Users,${suffix}"
  computersdn="ou=Computers,${suffix}"
  groupsdn="ou=Groups,${suffix}"
  scope="sub"

ldapclient profile:
  serviceSearchDescriptor: group:ou=Groups,dc=new10,dc=com?sub
  serviceSearchDescriptor: passwd:ou=Users,dc=new10,dc=com?sub;ou=Computers,dc=new10,dc=com?sub

nsswitch points to files and ldap for group and passwd.


When I try to join a Win2k SP3 or WinXP SP2 machine to the domain, it says "The username could not be found". In smbd.log I see "Get_Pwnam_internals didn't find user [sambaclient$]!"

However, getent and id do find the user right after this failed join:
# getent passwd|grep -i sambaclient
sambaclient$:x:2018:515:Computer:/dev/null:/bin/false
# id -a sambaclient$
uid=2018(sambaclient$) gid=515(Domain Computers) groups=515(Domain Computers)

and there is indeed a posixAccount entry in ou=Computers, lacking sambaSamAccount:
http://kaneda.flakcannon.org/samba3/sambaclient_first.ldif

If I try to join the same PC a second time, it succeeds and the entry in ou=Computers gets sambaSamAccount. Domain users can then log in fine on the PC:
http://kaneda.flakcannon.org/samba3/sambaclient_second.ldif

I can add the machine by running "smbldap-useradd -t 0 -w sambaclient" fine without any error.

I have logged at level 10, the log files can be found here:
http://kaneda.flakcannon.org/samba3/smbd.log
http://kaneda.flakcannon.org/samba3/sambaclient.log


From the sambaclient.log it looks like the search right after running smbldap-useradd fails. I checked the LDAP server access log and I cannot find any search after the "ADD DN", see the access log here:
http://kaneda.flakcannon.org/samba3/sun_ldap_access.log

I am a bit clueless why the first join always fails because of not finding the computer account which seems to have just been added.

Did I miss something?

cheers,
 thomas
