Re: [Samba] Re: Can join domain; can't logon
That code hack was designed to be temporary, so that I could make sure everything else worked (it didn't) in the mean time before I got a fix for this problem.

Anyhow, that looks like it could work. In the upgrade from 2.2.8, I had left that attribute as just "acctFlags".

Unfortunately, I can't test for the moment, since, after the upgrade, I've been unable to join the domain. Ironically, my problem is now reversed: I can't join the domain, but if I could, I could probably login.

Thanks for all your help; I'm going to grind away at my current problem for a while.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

On Fri, 8 Oct 2004, Igor Belyi wrote:

>Chris St. Pierre wrote:
>
>> I did some further investigation, and it appears that in the
>> conditional on lines 250-254 of rpc_server/srv_netlog_nt.c in
>> get_md4pw() is where the failure point is. Namely, the account is not
>> disabled, and the pass is not null, but none of the trust checks pass.
>> (acct_ctrl == 16). I put a quick hack in pdb_get_acct_ctrl() on line
>> 45 of passdb/pdb_get_set.c ("return ACB_WSTRUST;") to get past this
>> immediate problem; it worked, but logins still don't work. There's
>> some sort of problem with credentials that I've been trying to work
>> out.
>>
>I would recommend to change account to be Workstation account instead of
>hacking the code. :o)
>
>> ldapmodify
>dn: uid=guinea-pig$,ou=people,o=nebrwesleyan.edu,o=isp
>changetype: modify
>replace: sambaAcctFlags
>sambaAcctFlags: [W ]
>
>Just a note: when creating machine account with smbldap-useradd.pl by hand use
>-w option instead of -a - just like the one used in your smb.conf.
>Another note: despite what you heard it's quite possible to put machine
>accounts in a separate LDAP directory.
>
>Let me know if you still have problems.
>Igor

--
To unsubscribe from this list go to the following URL and read the
instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] Re: Can join domain; can't logon
Chris St. Pierre wrote:

> I did some further investigation, and it appears that in the
> conditional on lines 250-254 of rpc_server/srv_netlog_nt.c in
> get_md4pw() is where the failure point is. Namely, the account is not
> disabled, and the pass is not null, but none of the trust checks pass.
> (acct_ctrl == 16). I put a quick hack in pdb_get_acct_ctrl() on line
> 45 of passdb/pdb_get_set.c ("return ACB_WSTRUST;") to get past this
> immediate problem; it worked, but logins still don't work. There's
> some sort of problem with credentials that I've been trying to work
> out.

I would recommend to change account to be Workstation account instead of hacking the code. :o)

  > ldapmodify
  dn: uid=guinea-pig$,ou=people,o=nebrwesleyan.edu,o=isp
  changetype: modify
  replace: sambaAcctFlags
  sambaAcctFlags: [W ]

Just a note: when creating machine account with smbldap-useradd.pl by hand use -w option instead of -a - just like the one used in your smb.conf.
Another note: despite what you heard it's quite possible to put machine accounts in a separate LDAP directory.

Let me know if you still have problems.

Igor
Re: [Samba] Re: Can join domain; can't logon
On the LDAP server:

> ldapsearch -b "ou=people,o=nebrwesleyan.edu,o=isp" "uid=guinea-pig$" \
    sambaSID
uid=guinea-pig$,ou=people,o=nebrwesleyan.edu,o=isp
sambaSID=S-1-5-21-2507527290-1625623118-1076039497-3002

On the Samba server:

> /usr/local/samba/bin/net getlocalsid
SID for domain TESTERATOR is: S-1-5-21-2507527290-1625623118-1076039497

So yes, they match.

I did some further investigation, and it appears that in the conditional on lines 250-254 of rpc_server/srv_netlog_nt.c in get_md4pw() is where the failure point is. Namely, the account is not disabled, and the pass is not null, but none of the trust checks pass. (acct_ctrl == 16). I put a quick hack in pdb_get_acct_ctrl() on line 45 of passdb/pdb_get_set.c ("return ACB_WSTRUST;") to get past this immediate problem; it worked, but logins still don't work. There's some sort of problem with credentials that I've been trying to work out.

Anyhow, that's everything I know about the problem; here's the smbd log. Thanks for looking at this.

[...snip...]
[2004/10/07 16:14:09, 5] lib/smbldap.c:smbldap_search(963)
  smbldap_search: base => [o=nebrwesleyan.edu,o=isp], filter => [(&(uid=GUINEA-PIG$)(objectclass=sambaSamAccount))], scope => [2]
[2004/10/07 16:14:09, 2] passdb/pdb_ldap.c:init_sam_from_ldap(485)
  init_sam_from_ldap: Entry found for user: guinea-pig$
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_username(625)
  pdb_set_username: setting username guinea-pig$, was
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_init_flags(525)
  element 12 -> now SET
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_domain(652)
  pdb_set_domain: setting domain NWU_TEST, was
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_nt_username(679)
  pdb_set_nt_username: setting nt username guinea-pig$, was
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_init_flags(525)
  element 15 -> now SET
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_user_sid_from_string(565)
  pdb_set_user_sid_from_string: setting user sid S-1-5-21-2507527290-1625623118-1076039497-3002
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_user_sid(552)
  pdb_set_user_sid: setting user sid S-1-5-21-2507527290-1625623118-1076039497-3002
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_init_flags(525)
  element 18 -> now SET
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
  smbldap_get_single_attribute: [sambaPrimaryGroupSID] = []
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_group_sid(588)
  pdb_set_group_sid: setting group sid S-1-5-21-2507527290-1625623118-1076039497-513
[2004/10/07 16:14:09, 10] passdb/pdb_compat.c:pdb_set_group_sid_from_rid(100)
  pdb_set_group_sid_from_rid: setting group sid S-1-5-21-2507527290-1625623118-1076039497-513 from rid 513
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
  smbldap_get_single_attribute: [sambaPwdLastSet] = []
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
  smbldap_get_single_attribute: [sambaLogonTime] = []
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
  smbldap_get_single_attribute: [sambaLogoffTime] = []
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
  smbldap_get_single_attribute: [sambaKickoffTime] = []
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
  smbldap_get_single_attribute: [sambaPwdCanChange] = []
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
  smbldap_get_single_attribute: [sambaPwdMustChange] = []
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_fullname(706)
  pdb_set_full_name: setting full name guinea-pig$, was
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_init_flags(525)
  element 13 -> now SET
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
  smbldap_get_single_attribute: [sambaHomeDrive] = []
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_dir_drive(787)
  pdb_set_dir_drive: setting dir drive , was NULL
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
  smbldap_get_single_attribute: [sambaHomePath] = []
[2004/10/07 16:14:09, 4] lib/substitute.c:automount_server(323)
  Home server: testerator
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_homedir(814)
  pdb_set_homedir: setting home dir \\testerator\guinea-pig_, was
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
  smbldap_get_single_attribute: [sambaLogonScript] = []
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_logon_script(733)
  pdb_set_logon_script: setting logon script scripts\logon.bat, was
[2004/10/07 16:14:09, 10] lib/smbldap.c:smbldap_get_single_attribute(309)
  smbldap_get_single_attribute: [sambaProfilePath] = []
[2004/10/07 16:14:09, 10] passdb/pdb_get_set.c:pdb_set_profile_path(760)
  pdb_set_profile_path: setting profile path \\testerator\profiles\guinea-pig_, was
[2004/10/07 16:14:09, 10] lib
[Samba] Re: Can join domain; can't logon
Chris St. Pierre wrote:

> An update: I managed to get a domain entry added to my LDAP directory. Still got the same error. Googled for it; found out that I had to put my machine trust accounts in ou=people instead of ou=machines. Did so. Still get the same message from Windows:
>
> "The system cannot log you on to this domain because the system's computer account in its primary domain is missing or the password on that account is incorrect."
>
> From Samba, it's the same old thing:
>
> get_md4pw: Workstation GUINEA-PIG$: no account in domain
>
> What the heck does this mean? How can I fix it? Does Samba just hate me?
>
> I've attached the section of the smbd log that appears to pertain to the immediate problem. Any insights you can offer would be greatly appreciated. Thank you.

Verify that sambaSID of your GUINEA-PIG$ contains SID of the Domain (sambaSID field of the sambaDomain entry or result of 'net getlocalsid' which should be the same).

And yes, I can take a look at your Samba log. Note, attachments don't get through when sent to this list.

Igor
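
Added example, not part of the original thread or of Samba's code: a small audit of a machine trust account entry that applies the two checks suggested in these replies (the account SID sits under the domain SID, and sambaAcctFlags carries a trust flag such as W). The function names and the sample entries are constructed for illustration from values quoted in the thread; the fallback to ACB_NORMAL when sambaAcctFlags is absent is an assumption, consistent with the acct_ctrl == 16 reported above.

```python
# Added example (not from the thread): audit a machine trust account
# the way the thread's checks describe. Sample entries are constructed.

# sambaAcctFlags letters and the ACB_* bits Samba maps them to.
ACB = {"D": 0x001, "H": 0x002, "N": 0x004, "T": 0x008, "U": 0x010, "M": 0x020,
       "I": 0x040, "W": 0x080, "S": 0x100, "X": 0x200, "L": 0x400}
ACB_NORMAL = ACB["U"]                        # 16, the value Chris saw
TRUST_BITS = ACB["I"] | ACB["W"] | ACB["S"]  # domain / workstation / server trust


def parse_ldif_entry(text):
    """Parse one unfolded LDIF entry into {lowercased attr: [values]}."""
    entry = {}
    for line in text.strip().splitlines():
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def decode_acct_flags(flags):
    """Decode a string such as '[W ]' into an acct_ctrl bitmask (simplified)."""
    ctrl = 0
    for ch in flags.strip().strip("[]"):
        ctrl |= ACB.get(ch, 0)               # padding spaces contribute nothing
    return ctrl


def audit_machine_account(entry, domain_sid):
    """Return (acct_ctrl, problems) for a workstation account entry."""
    problems = []
    first = lambda attr: (entry.get(attr.lower()) or [None])[0]

    classes = [c.lower() for c in entry.get("objectclass", [])]
    if "sambasamaccount" not in classes:
        problems.append("missing objectClass sambaSamAccount")
    if not (first("uid") or "").endswith("$"):
        problems.append("uid does not end in '$'")

    # Igor's check: the account SID must be the domain SID plus a RID.
    sid = first("sambaSID") or ""
    if sid.rpartition("-")[0] != domain_sid:
        problems.append("sambaSID is not under the domain SID")

    flags = first("sambaAcctFlags")
    if flags is None:
        # Assumption: with no sambaAcctFlags, Samba 3 falls back to ACB_NORMAL.
        ctrl = ACB_NORMAL
        if first("acctFlags") is not None:
            problems.append("only the 2.2-style acctFlags attribute is set")
    else:
        ctrl = decode_acct_flags(flags) or ACB_NORMAL

    if ctrl & ACB["D"]:
        problems.append("account is disabled")
    if not ctrl & TRUST_BITS:
        problems.append("acct_ctrl=%d carries no trust flag (W, S or I)" % ctrl)
    return ctrl, problems


DOMAIN_SID = "S-1-5-21-2507527290-1625623118-1076039497"  # from the thread

# Constructed entries built from values quoted in the thread.
FIXED = parse_ldif_entry("""
dn: uid=guinea-pig$,ou=people,o=nebrwesleyan.edu,o=isp
objectClass: posixAccount
objectClass: sambaSamAccount
uid: guinea-pig$
sambaSID: S-1-5-21-2507527290-1625623118-1076039497-3002
sambaAcctFlags: [W ]
""")
LEGACY = parse_ldif_entry("""
dn: uid=guinea-pig$,ou=people,o=nebrwesleyan.edu,o=isp
objectClass: posixAccount
objectClass: sambaSamAccount
uid: guinea-pig$
sambaSID: S-1-5-21-2507527290-1625623118-1076039497-3002
acctFlags: [W ]
""")

if __name__ == "__main__":
    for name, entry in (("fixed", FIXED), ("legacy", LEGACY)):
        print(name, audit_machine_account(entry, DOMAIN_SID))
```

The LEGACY entry models the state described in the latest reply of the thread, where the attribute had been left named "acctFlags" after the upgrade; it decodes to 16 and fails the trust check even though the flag letter itself is W.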
Re: [Samba] Re: Can join domain; can't logon
An update: I managed to get a domain entry added to my LDAP directory. Still got the same error. Googled for it; found out that I had to put my machine trust accounts in ou=people instead of ou=machines. Did so. Still get the same message from Windows:

>>> "The system cannot log you on to this domain because the system's
>>> computer account in its primary domain is missing or the password on
>>> that account is incorrect."

From Samba, it's the same old thing:

get_md4pw: Workstation GUINEA-PIG$: no account in domain

What the heck does this mean? How can I fix it? Does Samba just hate me?

I've attached the section of the smbd log that appears to pertain to the immediate problem. Any insights you can offer would be greatly appreciated. Thank you.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
402.465.7549

On Tue, 5 Oct 2004, Chris St. Pierre wrote:

>I did verify that the account exists in LDAP. To prove it:
>
># ldapsearch -b "o=nebrwesleyan.edu,o=isp"
>"(&(uid=GUINEA-PIG$)(objectClass=sambaSamAccount))"
>uid=guinea-pig$,ou=machines,o=nebrwesleyan.edu,o=isp
>[...snip...]
>
>And moreover:
>
># getent passwd guinea-pig$
>guinea-pig$:x:1001:1000:guinea-pig$:/dev/null:/bin/false
>
>I am not running nscd. The samba machine has a decidedly out-of-sync
>system clock, but I haven't bothered with it since it's only a test
>box.
>
>However! Here's the smbd log:
>
>[2004/10/05 16:24:17, 1] lib/smbldap.c:add_new_domain_info(1289)
>  failed to add domain dn= sambaDomainName=NWU_TEST,o=nebrwesleyan.edu,o=isp with:
>  Object class violation
>
>[2004/10/05 16:24:17, 0] lib/smbldap.c:smbldap_search_domain_info(1338)
>  Adding domain info for NWU_TEST failed with NT_STATUS_UNSUCCESSFUL
>[2004/10/05 16:24:20, 0] rpc_server/srv_netlog_nt.c:get_md4pw(261)
>  get_md4pw: Workstation GUINEA-PIG$: no account in domain
>[2004/10/05 16:24:20, 0] rpc_server/srv_netlog_nt.c:get_md4pw(261)
>  get_md4pw: Workstation GUINEA-PIG$: no account in domain
>
>Which alerts me to the fact that it's the creation of the domain in
>LDAP that's causing problems. I properly installed the 3.0.7 schema
>-- as is evidenced by other things working -- but this is giving me an
>object class violation. I cranked the log level up to 10, but it
>didn't give me much more information that was readily useful to me;
>the full 157K log is available, though, if you want it.
>
>Any ideas? Or, if anyone has a typical LDAP domain entry I can look
>at, I can add it by hand and get more info from it.
>
>Thanks.
>
>Chris St. Pierre
>Unix Systems Administrator
>Nebraska Wesleyan University
>402.465.7549
>
>On Tue, 5 Oct 2004, Igor Belyi wrote:
>
>>Chris St. Pierre wrote:
>>> I had a problem similar to my current one a week or so ago, and I was
>>> encouraged to upgrade from Samba 2.2.9 to 3.0.7, which I did. Now
>>> that I've completed that nightmare, the problem I initially set out to
>>> fix is still there, just different. Namely:
>>>
>>> I am trying to set up Samba 3.0.7 on a SuSE 9.1 box as an LDAP PDC
>>> whose only job will be authentication. Our LDAP server is on a
>>> separate box. I can join the domain just fine, but when I try to
>>> login via Windows, I get the following error:
>>>
>>> "The system cannot log you on to this domain because the system's
>>> computer account in its primary domain is missing or the password on
>>> that account is incorrect."
>>>
>>> I suspected that neither of these were the case, as I created the
>>> account with idealx's smbldap-tools. I verified that the account is
>>> there with ldapsearch. Last time I had this problem, Samba wasn't
>>> even communicating with LDAP, but this time it is. When I try to
>>> login, here's what the LDAP logs show:
>>
>>smbldap-tools create posixAccounts in case you use NSS LDAP support. You
>>should verify that it's there with 'getent passwd GUINEA-PIG$'. If not - you
>>probably use passwd or shadow in which case you need to use adduser to do the
>>job.
>>
>>Besides posixAccount you should also have Samba account as well. You should
>>look at what was responses to the LDAP requests by looking at the SEARCH
>>RESULT lines with the same 'conn=' and 'op='. I would guess that response was
>>'nentries=0' And it has nothing to do with some optional attributes being
>>empty - just with the fact that there's no such entry with
>>'objectClass=sambaSamAccount'.
>>
>>It can also be a problem of nscd if you have one. Your LDAP requests are at
>>10:03 and your nmbd log extract is for 11:14 which means LDAP requests were
>>done long before Samba requests unless there's a timezone issue between the
>>machines or that their clocks are really screwed up.
>>
>>I would also recommend to post smbd log instead of nmbd since it's smbd which
>>interacts with LDAP.
>>
>>Igor
>>
>>> [05/Oct/2004:10:03:52 -0500] conn=53576 op=7 SRCH
>>> base="o=nebrwesleyan.edu,o=isp" scope=2
>>> filter="(&(uid=GUINEA-PIG$)(objectClass=sambaSamAccount))" attrs="uid
>>> uidNumber
Re: [Samba] Re: Can join domain; can't logon
Chris St. Pierre wrote:

> However! Here's the smbd log:
>
> [2004/10/05 16:24:17, 1] lib/smbldap.c:add_new_domain_info(1289)
>   failed to add domain dn= sambaDomainName=NWU_TEST,o=nebrwesleyan.edu,o=isp with:
>   Object class violation
>
> [2004/10/05 16:24:17, 0] lib/smbldap.c:smbldap_search_domain_info(1338)
>   Adding domain info for NWU_TEST failed with NT_STATUS_UNSUCCESSFUL
> [2004/10/05 16:24:20, 0] rpc_server/srv_netlog_nt.c:get_md4pw(261)
>   get_md4pw: Workstation GUINEA-PIG$: no account in domain
> [2004/10/05 16:24:20, 0] rpc_server/srv_netlog_nt.c:get_md4pw(261)
>   get_md4pw: Workstation GUINEA-PIG$: no account in domain
>
> Which alerts me to the fact that it's the creation of the domain in
> LDAP that's causing problems. I properly installed the 3.0.7 schema
> -- as is evidenced by other things working -- but this is giving me an
> object class violation. I cranked the log level up to 10, but it
> didn't give me much more information that was readily useful to me;
> the full 157K log is available, though, if you want it.
>
> Any ideas? Or, if anyone has a typical LDAP domain entry I can look
> at, I can add it by hand and get more info from it.

Hopefully you already found that it's something obvious in your setup, but just in case... Here's the relevant part of the samba.scheme:

objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
        DESC 'Samba Domain Information'
        MUST ( sambaDomainName $ sambaSID )
        MAY ( sambaNextRid $ sambaNextGroupRid $ sambaNextUserRid $
              sambaAlgorithmicRidBase ) )

Here's what I have for this entry:

# TESTPDC, mydomain.org
dn: sambaDomainName=TESTPDC,dc=mydomain,dc=org
sambaDomainName: TESTPDC
sambaSID: S-1-5-21-2972487546-3827399895-3041126189
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain

You can also look in LDAP log to see if all MUST attributes are sent in ldap_add_s call for the domain entry.

Hope it helps,
Igor
Re: [Samba] Re: Can join domain; can't logon
I did verify that the account exists in LDAP. To prove it:

# ldapsearch -b "o=nebrwesleyan.edu,o=isp" "(&(uid=GUINEA-PIG$)(objectClass=sambaSamAccount))"
uid=guinea-pig$,ou=machines,o=nebrwesleyan.edu,o=isp
[...snip...]

And moreover:

# getent passwd guinea-pig$
guinea-pig$:x:1001:1000:guinea-pig$:/dev/null:/bin/false

I am not running nscd. The samba machine has a decidedly out-of-sync system clock, but I haven't bothered with it since it's only a test box.

However! Here's the smbd log:

[2004/10/05 16:24:17, 1] lib/smbldap.c:add_new_domain_info(1289)
  failed to add domain dn= sambaDomainName=NWU_TEST,o=nebrwesleyan.edu,o=isp with:
  Object class violation
[2004/10/05 16:24:17, 0] lib/smbldap.c:smbldap_search_domain_info(1338)
  Adding domain info for NWU_TEST failed with NT_STATUS_UNSUCCESSFUL
[2004/10/05 16:24:20, 0] rpc_server/srv_netlog_nt.c:get_md4pw(261)
  get_md4pw: Workstation GUINEA-PIG$: no account in domain
[2004/10/05 16:24:20, 0] rpc_server/srv_netlog_nt.c:get_md4pw(261)
  get_md4pw: Workstation GUINEA-PIG$: no account in domain

Which alerts me to the fact that it's the creation of the domain in LDAP that's causing problems. I properly installed the 3.0.7 schema -- as is evidenced by other things working -- but this is giving me an object class violation. I cranked the log level up to 10, but it didn't give me much more information that was readily useful to me; the full 157K log is available, though, if you want it.

Any ideas? Or, if anyone has a typical LDAP domain entry I can look at, I can add it by hand and get more info from it.

Thanks.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
402.465.7549

On Tue, 5 Oct 2004, Igor Belyi wrote:

>Chris St. Pierre wrote:
>> I had a problem similar to my current one a week or so ago, and I was
>> encouraged to upgrade from Samba 2.2.9 to 3.0.7, which I did. Now
>> that I've completed that nightmare, the problem I initially set out to
>> fix is still there, just different. Namely:
>>
>> I am trying to set up Samba 3.0.7 on a SuSE 9.1 box as an LDAP PDC
>> whose only job will be authentication. Our LDAP server is on a
>> separate box. I can join the domain just fine, but when I try to
>> login via Windows, I get the following error:
>>
>> "The system cannot log you on to this domain because the system's
>> computer account in its primary domain is missing or the password on
>> that account is incorrect."
>>
>> I suspected that neither of these were the case, as I created the
>> account with idealx's smbldap-tools. I verified that the account is
>> there with ldapsearch. Last time I had this problem, Samba wasn't
>> even communicating with LDAP, but this time it is. When I try to
>> login, here's what the LDAP logs show:
>
>smbldap-tools create posixAccounts in case you use NSS LDAP support. You
>should verify that it's there with 'getent passwd GUINEA-PIG$'. If not - you
>probably use passwd or shadow in which case you need to use adduser to do the
>job.
>
>Besides posixAccount you should also have Samba account as well. You should
>look at what was responses to the LDAP requests by looking at the SEARCH
>RESULT lines with the same 'conn=' and 'op='. I would guess that response was
>'nentries=0' And it has nothing to do with some optional attributes being
>empty - just with the fact that there's no such entry with
>'objectClass=sambaSamAccount'.
>
>It can also be a problem of nscd if you have one. Your LDAP requests are at
>10:03 and your nmbd log extract is for 11:14 which means LDAP requests were
>done long before Samba requests unless there's a timezone issue between the
>machines or that their clocks are really screwed up.
>
>I would also recommend to post smbd log instead of nmbd since it's smbd which
>interacts with LDAP.
>
>Igor
>
>> [05/Oct/2004:10:03:52 -0500] conn=53576 op=7 SRCH
>> base="o=nebrwesleyan.edu,o=isp" scope=2
>> filter="(&(uid=GUINEA-PIG$)(objectClass=sambaSamAccount))" attrs="uid
>> uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
>> sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
>> displayName sambaHomeDrive sambaHomePath sambaLogonScript
>> sambaProfilePath description sambaUserWorkstations sambaSID
>> sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
>> objectClass sambaAcctFlags sambamungeddial sambabadpasswordcount
>> sambabadpasswordtime sambapasswordhistory modifyTimestamp
>> sambalogonhours modifyTimestamp"
>> [05/Oct/2004:10:03:52 -0500] conn=53576 op=8 SRCH
>> base="o=nebrwesleyan.edu,o=isp" scope=2
>> filter="(&(uid=GUINEA-PIG$)(objectClass=sambaSamAccount))" attrs="uid
>> uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
>> sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
>> displayName sambaHomeDrive sambaHomePath sambaLogonScript
>> sambaProfilePath description sambaUserWorkstations sambaSID
>> sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainNam
[Samba] Re: Can join domain; can't logon
Chris St. Pierre wrote:

> I had a problem similar to my current one a week or so ago, and I was
> encouraged to upgrade from Samba 2.2.9 to 3.0.7, which I did. Now
> that I've completed that nightmare, the problem I initially set out to
> fix is still there, just different. Namely:
>
> I am trying to set up Samba 3.0.7 on a SuSE 9.1 box as an LDAP PDC
> whose only job will be authentication. Our LDAP server is on a
> separate box. I can join the domain just fine, but when I try to
> login via Windows, I get the following error:
>
> "The system cannot log you on to this domain because the system's
> computer account in its primary domain is missing or the password on
> that account is incorrect."
>
> I suspected that neither of these were the case, as I created the
> account with idealx's smbldap-tools. I verified that the account is
> there with ldapsearch. Last time I had this problem, Samba wasn't
> even communicating with LDAP, but this time it is. When I try to
> login, here's what the LDAP logs show:

smbldap-tools create posixAccounts in case you use NSS LDAP support. You should verify that it's there with 'getent passwd GUINEA-PIG$'. If not - you probably use passwd or shadow in which case you need to use adduser to do the job.

Besides posixAccount you should also have Samba account as well. You should look at what was responses to the LDAP requests by looking at the SEARCH RESULT lines with the same 'conn=' and 'op='. I would guess that response was 'nentries=0' And it has nothing to do with some optional attributes being empty - just with the fact that there's no such entry with 'objectClass=sambaSamAccount'.

It can also be a problem of nscd if you have one. Your LDAP requests are at 10:03 and your nmbd log extract is for 11:14 which means LDAP requests were done long before Samba requests unless there's a timezone issue between the machines or that their clocks are really screwed up.

I would also recommend to post smbd log instead of nmbd since it's smbd which interacts with LDAP.

Igor

> [05/Oct/2004:10:03:52 -0500] conn=53576 op=7 SRCH
> base="o=nebrwesleyan.edu,o=isp" scope=2
> filter="(&(uid=GUINEA-PIG$)(objectClass=sambaSamAccount))" attrs="uid
> uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
> sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
> displayName sambaHomeDrive sambaHomePath sambaLogonScript
> sambaProfilePath description sambaUserWorkstations sambaSID
> sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
> objectClass sambaAcctFlags sambamungeddial sambabadpasswordcount
> sambabadpasswordtime sambapasswordhistory modifyTimestamp
> sambalogonhours modifyTimestamp"
> [05/Oct/2004:10:03:52 -0500] conn=53576 op=8 SRCH
> base="o=nebrwesleyan.edu,o=isp" scope=2
> filter="(&(uid=GUINEA-PIG$)(objectClass=sambaSamAccount))" attrs="uid
> uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
> sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
> displayName sambaHomeDrive sambaHomePath sambaLogonScript
> sambaProfilePath description sambaUserWorkstations sambaSID
> sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
> objectClass sambaAcctFlags sambamungeddial sambabadpasswordcount
> sambabadpasswordtime sambapasswordhistory modifyTimestamp
> sambalogonhours modifyTimestamp"
>
> It searches twice for the machine trust account, which I've verified
> exists. The only thing I can think of is that not all of the
> attributes it's asking for exist. (In fact, a lot of them don't.) As
> you can see in the attached nmbd log, though, Samba doesn't show any
> obvious errors. I've also included my smb.conf (with some changes to
> protect my server's innocence).
>
> Any ideas are greatly appreciated. Thanks.
>
> Chris St. Pierre
> Unix Systems Administrator
> Nebraska Wesleyan University
> 402.465.7549
>
> [global]
>    server string = test
>    workgroup = NWU_TEST
>    netbios name = TESTERATOR
>    log level = 1
>    encrypt passwords = yes
>    max smbd processes = 0
>    socket options = TCP_NODELAY
>    add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
>    logon script = scripts\logon.bat
>    logon path = \\%L\profiles\%U
>    domain logons = yes
>    local master = yes
>    preferred master = yes
>    wins server = 10.9.1.12
>    security = user
>    passdb backend = ldapsam:ldap://server.nebrwesleyan.edu
>    ldap suffix = o=nebrwesleyan,o=edu
>    ldap machine suffix = ou=Machines
>    ldap user suffix = ou=People
>    ldap group suffix = ou=Groups
>    ldap filter = (uid=%u)
>    ldap admin dn = cn=foo
>    ldap ssl = no
>    idmap uid = 1-2
>    idmap gid = 1-2
>
> [netlogon]
>    comment = Network Logon Service
>    path = /var/lib/samba/netlogon
>    guest ok = yes
>    locking = No
>
> [profiles]
>    comment = Profile Share
>    path = /var/lib/samba/profiles
>    read only = No
>
> [tmp]
>    comment = temporary files
>    path = /tmp
>    read only = yes
>
> [2004/10/05 11:14:43, 5] nmbd/nmbd_packets.c:process_dgram(1194)
>   process_dgram: ignori