To anyone out there who's having problems joining their Samba/LDAP
domain with XP here's a solution. The main symptom is that the XP join
domain gui returns a "user cannot be found" error. The setup that I
experienced this on was configured and managed using the smbldap-tools
package. Usual disclaimer applies if it fails to work, you are
responsible for backing up your installation and no responsibility will
be accepted for anything.
The problem arose after I configured my servers to use the Computers
organisational unit in LDAP (ou=Computers) to store host names. The
process of a Windows/Samba domain member joining a Samba domain is a two
stage one as each Samba client has to have a matching Posix account in
the LDAP directory. After clicking OK on the client the server first
creates the POSIX entry and then adds the SambaSam attributes.
For whatever reason, when the ou=Computers entry was used, smbldap-tools
added the POSIX entry into the Computers ou but then tried to read it
back out from the Users ou. As the entry was non-existent in Users it
cannot add the Samba attributes to the POSIX side and hence windows
declares user cannot be found.
Some Googling revealed that you can store machine accounts in ou=Users
so the solution I found was as follows:
1) Stop LDAP and Dump the directory into an ldif file using "slapcat -l
> /root/userdump.ldif"
2) Open the LDIF file in a text editor and use search and replace to
change all machine account entries from ou=Computers to ou=Users. Note
that at the top of your ldif file there's an entry that adds the
Computers organisational unit. Do not change this. You can probably
delete it but personally I just left it as it was. An easy way to only
change the machine name entries is to search for $,ou=Computers and
replace it with $,ou=Users as the computer name entries end with $ and
will match this pattern.
3) Backup your directory databases using "cp -R /var/lib/ldap /root"
(adjust to match your distro but this works on Redhat/Mandriva). You can
also create a second backup using the slapcat command and dumping the
ldif file to a safe place.
4) Delete the files in the LDAP database directory, in the above case rm
-f /var/lib/ldap/* ,and then check the directory to make sure it's empty
"ls -la /var/lib/ldap". If you had a DB_CONFIG file in there, copy it
back from the backup directory.
5) Run "slapadd -v -l /root/userdump.ldif" to add the modified ldif file
back into LDAP. The -v forces slapadd into versbose mode so you should
see all the entries scrolling up the screen as they're added.
6) Change ownership of the ldap directory and it's newly created
databases to user/group ldap using "chown -R ldap.ldap /var/lib/ldap" .
If you don't do this the server will bitch horribly when you try to
start it.
7) Restart your ldap server . You should now find that the XP client
says welcome to the "whatever" domain when you click OK.
As I say, it worked for me after I'd spent hours searching for a
solution without finding one. Good Luck!!
Cheers,
Jools
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
