Hi,
There is another parameter which causes adding the machine account to fail:
that is the ldap filter parameter. If the ldap filter contains the filter
((uid=%u)(objectclass=sambaSamAccount))
samba does not add the machine account correctly.
---
Stéphane PURNELLE [EMAIL PROTECTED]
Service Informatique Corman S.A. Tel : 00 32 087/342467
[EMAIL PROTECTED] wrote on 06/06/2005 09:28:40:
The script only adds the posix stuff, when you join the workstation the
sambaSam entries are created by samba.
BUT...
Samba NEEDS to find a posix account with the name of the machine being
joined. How are you doing user lookups on your posix side?
If you use nss_ldap and you have a separate ou in your directory for users
and computers, that could be where your problem is.
i.e. if nss_ldap is set to look in ou=users,dc=test,dc=com for its posix
userbase, then if you do:
:~# getent passwd
then it will return only users it finds in that ou. So if your add machine
script is creating users (machine accounts) in ou=computers,dc=test,dc=com
then as far as posix is concerned there is no posix account for the new
machine. Samba will not find a posix account and will not add the sambaSam
entries and the join will fail. You have 2 options:
1. Add your user accounts and computer accounts to the same ou.
2. Tell nss_ldap to do sub tree searches of the parent ou, e.g. set your
base to dc=test,dc=com rather than ou=users,dc=test,dc=com
This is how I understand it anyhow, I might be wrong, I'm no samba pro but I
went for option 2.
If anyone can shed some more light on this or set me straight if I'm
wrong, please do.
Cheers,
Rhys
On 6/6/05, Andres Toomsalu [EMAIL PROTECTED] wrote:
Tim Verhoeven wrote:
On 6/4/05, Andres Toomsalu [EMAIL PROTECTED] wrote:
I've reported this before but I guess I'll have to do it again, since
it's not fixed yet or I'm understanding something wrong here.
The problem is that smbldap-useradd -w 'machinename' will add only
posixAccount entries into ldap but it should add both posixAccount and
sambaSAMAccount entries.
So if one doesn't add correct machine account entries manually to ldap
the windows workstation domain joining is impossible.
In my experience the smbldap-useradd behaviour is correct. It will
only add the posixAccount part of a machine account. Then when you
actually join a machine to a domain Samba itself will modify the
machine account and add the sambaSAMAccount parts.
For this to work you will of course also need to configure Samba so that
it has an ldap account that has the rights to update items in the ldap
tree.
I just made fresh tests again with win xp pro sp2 and samba 3.0.14a +
smbldap-tools 0.88 just to be sure nothing has changed meanwhile:
1) I can't join XP workstation to domain when I don't have computer
account in ldap - Error is Access denied. As a result it makes a computer
account in ldap but only the posixAccount part of it, as smbldap-useradd -w
does it.
2) I can't join XP workstation to domain when I do have computer account
in ldap - but only posixAccount entries, as smbldap-useradd -w '%u' makes
them like that - Error is Access denied.
3) I can join XP workstation to domain when I manually make correct
computer account entries in ldap with phpldapadmin - then there are both
posixAccount and sambaSamAccount entries present.
Here are copy-paste samples of computer accounts in my ldap - the first
sample is made with smbldap-useradd -w and the second, which actually
works, is made manually:
# Entry 1: uid=testmasin$,ou=Computers,dc=active,dc=ee
dn: uid=testmasin$,ou=Computers,dc=active,dc=ee
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
cn: testmasin$
sn: testmasin$
uid: testmasin$
uidNumber: 1016
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
# Entry 1: uid=windesk$,ou=Computers,dc=active,dc=ee
dn: uid=windesk$,ou=Computers,dc=active,dc=ee
gidNumber: 515
uidNumber: 3002
uid: windesk$
sambaSID: S-1-5-21-530076877-4031960640-1585896771-7004
sambaAcctFlags: [W ]
cn: windesk
homeDirectory: /dev/null
objectClass: top
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: account
sambaPwdMustChange: 2147483647
sambaPwdCanChange: 1118035851
sambaNTPassword: D8B4AEB073153BADC4CD6DE75CF1BFB0
sambaPwdLastSet: 1118035851
So joining XP workstations to domain with smbldap-tools doesn't work for
me. I still think there is a bug in the smbldap-useradd script in that it
won't add sambaSamAccount entries when invoked as smbldap-useradd -w '%u'.
I don't think sambaSamAccount entries are being added during the domain
joining procedure because for domain joining samba uses the very same
smbldap-useradd -w '%u' command - which doesn't add any
sambaSamAccount entries.
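
An added example, not part of the original thread and not code from Samba or smbldap-tools: a small checker for the two conditions discussed above, namely whether a machine account's posix entry lies under the nss_ldap search base, and whether it already carries sambaSamAccount. The function names and the sample LDIF are constructed for illustration, and the nss_ldap base is assumed to be searched as a subtree.

```python
# Constructed sample data (not from the thread): two machine accounts.
SAMPLE_LDIF = """\
dn: uid=ws1$,ou=computers,dc=test,dc=com
objectClass: posixAccount
uid: ws1$

dn: uid=ws2$,ou=computers,dc=test,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws2$
"""

def parse_ldif(text):
    """Yield (dn, lowercased objectClass set) per entry; simple unfolded LDIF only."""
    for block in text.strip().split("\n\n"):
        dn, classes = None, set()
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if line.startswith("#") or not sep:
                continue
            if key.strip().lower() == "dn":
                dn = value.strip()
            elif key.strip().lower() == "objectclass":
                classes.add(value.strip().lower())
        if dn:
            yield dn, classes

def rdns(dn):
    # Naive split: assumes no escaped commas inside RDN values.
    return [part.strip().lower() for part in dn.split(",")]

def under_base(dn, base):
    d, b = rdns(dn), rdns(base)
    return len(d) > len(b) and d[-len(b):] == b

def diagnose(ldif, nss_base):
    """Map each machine account (uid ending in $) to the state the thread describes."""
    report = {}
    for dn, classes in parse_ldif(ldif):
        name = rdns(dn)[0].split("=", 1)[1]
        if not name.endswith("$"):
            continue
        if "posixaccount" not in classes or not under_base(dn, nss_base):
            report[name] = "no posix account visible to NSS"
        elif "sambasamaccount" not in classes:
            report[name] = "posix only, sambaSamAccount missing"
        else:
            report[name] = "ok"
    return report
```

With the base set to ou=users,dc=test,dc=com both sample machines are reported as invisible to NSS; with dc=test,dc=com only the missing sambaSamAccount on ws1$ remains.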