Re: [Samba] Two attempts required to join domain (SOLVED)
On 06/18/12 16:03, Miguel Medalha wrote:

>> add machine script = /usr/sbin/smbldap-useradd -t 0 -w %u
>
> Shouldn't that be -W (uppercase W)?
>
> From smbldap-useradd:
>
> -w is a Windows Workstation (otherwise, Posix stuff only)
> -W is a Windows Workstation, with Samba atributes (otherwise, Posix stuff only)

Hi Miguel, Thanks for the reply.

In regards to your question, I'd say: You would think so. And reading through the smbldap-useradd code it is clear that -W (upper) does add the extra Samba attributes on account creation, whereas -w (lower) does not.

Also that can be seen/proven that those two options are working as expected when manually running the smbldap-useradd with -w and then again with -W, then running slapcat, or ldapsearch to see the entries.

When -w (lower) is used in smb.conf it appears that after the add machine script is run and the machine account is created, Samba automatically adds the Samba attributes when it finds the machine account in the directory - just before the "welcome to the domain" pop-up is displayed on the workstation.

Also, when I use -W (upper) in smb.conf, instead of a "Welcome to the domain" pop-up, I get "A device attached to the system is not functioning" pop-up on first join attempt, followed by a successful join on second join attempt.

So, the -w works, while the -W does not (for me at least). I am not 100% sure why, but I am not going to fight with this any longer. :)

--
Bill Arlofski
Reverse Polarity, LLC

--
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/options/samba

Re: [Samba] Two attempts required to join domain (SOLVED)
If anyone is interested (especially time travelers from the future), the fix for our issue was found here.

http://www.mail-archive.com/samba@lists.samba.org/msg31736.html

a thread from way back in 2004...

That along with the smb.conf line

add machine script = /usr/sbin/smbldap-useradd -t 0 -w %u

allows our XP machines to join domain on first attempt regardless of what OU we decide to place them in.

Using a -i on the smbldap-useradd command line, as recommended by someone in the IRC #samba channel, does not work for us.

Thanks Steve and Gaiseric for trying to help out. I tried both suggestions, but in the end, it appears I need the sub scope search in ldap.conf

--
Bill Arlofski
Reverse Polarity, LLC

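The ou=People-only lookup in the original report and the "sub scope search in ldap.conf" fix above both come down to LDAP search scope. As an added example (not code from the thread, Samba or nss_ldap), this Python checker reads nss_base_passwd lines and reports which bases would return a given DN; it assumes the post-creation lookup uses the NSS bases in ldap.conf, as Steve's suggestion implies, and the config lines and DNs are constructed from the thread's naming.

```python
# Added example (not from the thread): which nss_base_passwd bases can see a DN?

def parse_dn(dn):
    """Split a DN into lower-cased RDNs, leaf first (no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def in_scope(entry_dn, base_dn, scope):
    """base = the base entry itself, one = direct children, sub = whole subtree."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    depth = len(entry) - len(base)
    if depth < 0 or entry[depth:] != base:
        return False                      # entry is not under this base
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    return scope == "sub"

def passwd_bases(ldap_conf):
    """Return [(base, scope)] per nss_base_passwd line ('base?scope?filter').
    A missing scope uses the global 'scope' directive (assumed default: sub)."""
    default_scope, found = "sub", []
    for raw in ldap_conf.splitlines():
        fields = raw.strip().split(None, 1)
        if len(fields) != 2 or fields[0].startswith("#"):
            continue
        key, value = fields[0].lower(), fields[1].strip()
        if key == "scope":
            default_scope = value.lower()
        elif key == "nss_base_passwd":
            parts = value.split("?")
            found.append((parts[0], parts[1].lower() if len(parts) > 1 and parts[1] else None))
    return [(base, scope or default_scope) for base, scope in found]

def visible_via(ldap_conf, entry_dn):
    """Bases from ldap_conf whose scope covers entry_dn (empty list = not found)."""
    return [(b, s) for b, s in passwd_bases(ldap_conf) if in_scope(entry_dn, b, s)]

# Constructed sample configurations and DNs, using the thread's naming.
PEOPLE_ONLY = "nss_base_passwd ou=People,dc=domain,dc=local?one\n"
STACKED = PEOPLE_ONLY + "nss_base_passwd ou=Computers,dc=domain,dc=local?one\n"
SUBTREE = "nss_base_passwd dc=domain,dc=local?sub\n"
MACHINE = "uid=MyMachine,ou=Computers,dc=domain,dc=local"
NESTED = "uid=MyMachine,ou=Laptops,ou=Computers,dc=domain,dc=local"

if __name__ == "__main__":
    for name, conf in (("people only", PEOPLE_ONLY), ("stacked", STACKED), ("subtree", SUBTREE)):
        print(name, visible_via(conf, MACHINE), visible_via(conf, NESTED))
```

The checker covers only whether the account is visible to the lookup; it says nothing about the "A device attached to the system is not functioning" error reported elsewhere in the thread.
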
Re: [Samba] Two attempts required to join domain (SOLVED)
> add machine script = /usr/sbin/smbldap-useradd -t 0 -w %u

Shouldn't that be -W (uppercase W)?

From smbldap-useradd:

-w is a Windows Workstation (otherwise, Posix stuff only)
-W is a Windows Workstation, with Samba atributes (otherwise, Posix stuff only)

Re: [Samba] Two attempts required to join domain
bump

I'd prefer to not have to put machine accounts into the People OU for all the obvious reasons, but I may be forced to in order to have the end-user (e.g. our customer) experience to be a smooth one.

Any idea on what might cause the behavior I am seeing described on the 13th below?

Thanks for any help!

--
Bill Arlofski
Reverse Polarity, LLC

On 06/13/12 18:55, Bill Arlofski wrote:

> Hi Everyone.
>
> I have run across an issue that is driving me crazy.
>
> This is a new deployment of Samba v3.6.5 with openldap v2.4.30 and smbldap-tools v0.9.8.
>
> When trying to join the domain, on the first attempt the machine account is properly created in the correct ou - e.g. ou=Computers,dc=domain,dc=local
>
> But the "failed to join domain" pop-up with reason of "The user name could not be found" is displayed (which really means the machine name was not found in LDAP) and of course the machine is not yet a domain member.
>
> However, a 2nd attempt to join the domain with the same credentials, immediately after the failure results in a "Welcome to the X domain" and the machine is now a domain member.
>
> Setting the openldap slapd loglevel to 416 to show the queries during this process reveals the following:
>
> On 1st join attempt Samba searches the whole directory from dc=domain,dc=local with a scope of 2 (sub) for uid=MyMachine, objectClass=sambaSamAccount. It of course does not find it, so the smbldap-useradd script is called and the machine account is properly added to ou=Computers.
>
> Then Samba immediately searches _ONLY_ ou=People,dc=domain,dc=local for the newly created machine account and of course does not find it. And the "failed to join domain" pop-up is displayed on the WinXP machine.
>
> On the second join attempt, Samba _ONLY_ searches ou=Computers,dc=domain,dc=local, which is where it SHOULD search for machines as defined everywhere in my configs and it finds the machine and the machine successfully joins the domain.
>
> If I set all configs - samba, smbldap etc to be such that computers are in the People organizational unit, then joining the domain works on the first try, every time.
>
> Also, if I un-join the domain, but leave the machine account in LDAP in ou=Computers and then re-join the domain, this always works on first try too since Samba's initial scope 2 sub search of the directory starting at the top will find the machine account under ou=Computers.
>
> Can someone offer guidance as to why during the new machine creation process (joining a domain) Samba does not look for the machine in the defined machines ou but always in the People ou?
>
> Thank you in advance for any help on this!
>
> --
> Bill Arlofski
> Reverse Polarity, LLC

Re: [Samba] Two attempts required to join domain
You could put the machines in a sub container under people- , or have people and computers as subs under user accounts- that way samba can search the entire accounts or people subtree BUT you can restrict other LDAP services that use people to not be recursive.

-----Original Message-----
From: samba-boun...@lists.samba.org [mailto:samba-boun...@lists.samba.org] On Behalf Of Bill Arlofski
Sent: Sunday, June 17, 2012 4:16 PM
To: samba@lists.samba.org
Subject: Re: [Samba] Two attempts required to join domain

bump

I'd prefer to not have to put machine accounts into the People OU for all the obvious reasons, but I may be forced to in order to have the end-user (e.g. our customer) experience to be a smooth one.

Any idea on what might cause the behavior I am seeing described on the 13th below?

Thanks for any help!

--
Bill Arlofski
Reverse Polarity, LLC

On 06/13/12 18:55, Bill Arlofski wrote:

> Hi Everyone.
>
> I have run across an issue that is driving me crazy.
>
> This is a new deployment of Samba v3.6.5 with openldap v2.4.30 and smbldap-tools v0.9.8.
>
> When trying to join the domain, on the first attempt the machine account is properly created in the correct ou - e.g. ou=Computers,dc=domain,dc=local
>
> But the "failed to join domain" pop-up with reason of "The user name could not be found" is displayed (which really means the machine name was not found in LDAP) and of course the machine is not yet a domain member.
>
> However, a 2nd attempt to join the domain with the same credentials, immediately after the failure results in a "Welcome to the X domain" and the machine is now a domain member.
>
> Setting the openldap slapd loglevel to 416 to show the queries during this process reveals the following:
>
> On 1st join attempt Samba searches the whole directory from dc=domain,dc=local with a scope of 2 (sub) for uid=MyMachine, objectClass=sambaSamAccount. It of course does not find it, so the smbldap-useradd script is called and the machine account is properly added to ou=Computers.
>
> Then Samba immediately searches _ONLY_ ou=People,dc=domain,dc=local for the newly created machine account and of course does not find it. And the "failed to join domain" pop-up is displayed on the WinXP machine.
>
> On the second join attempt, Samba _ONLY_ searches ou=Computers,dc=domain,dc=local, which is where it SHOULD search for machines as defined everywhere in my configs and it finds the machine and the machine successfully joins the domain.
>
> If I set all configs - samba, smbldap etc to be such that computers are in the People organizational unit, then joining the domain works on the first try, every time.
>
> Also, if I un-join the domain, but leave the machine account in LDAP in ou=Computers and then re-join the domain, this always works on first try too since Samba's initial scope 2 sub search of the directory starting at the top will find the machine account under ou=Computers.
>
> Can someone offer guidance as to why during the new machine creation process (joining a domain) Samba does not look for the machine in the defined machines ou but always in the People ou?
>
> Thank you in advance for any help on this!
>
> --
> Bill Arlofski
> Reverse Polarity, LLC

Re: [Samba] Two attempts required to join domain
On Wed, 13 Jun 2012, Bill Arlofski wrote:

> Can someone offer guidance as to why during the new machine creation process (joining a domain) Samba does not look for the machine in the defined machines ou but always in the People ou?

In /etc/ldap.conf you probably need something like:

    nss_base_passwd ou=People,dc=domain,dc=org?one
    nss_base_passwd ou=Computers,dc=domain,dc=org?one

Steve

Re: [Samba] Two attempts required to join domain
On 06/17/12 17:16, Gaiseric Vandal wrote:

> You could put the machines in a sub container under people- , or have people and computers as subs under user accounts- that way samba can search the entire accounts or people subtree BUT you can restrict other LDAP services that use people to not be recursive.

Thanks for that idea, and I think that may be the way I have to go...

Just wonder why I am having such a unique issue when everything else works fine. :)

--
Bill Arlofski
Reverse Polarity, LLC

Re: [Samba] Two attempts required to join domain
On 06/17/12 18:03, Steve Thompson wrote:

> On Wed, 13 Jun 2012, Bill Arlofski wrote:
>
>> Can someone offer guidance as to why during the new machine creation process (joining a domain) Samba does not look for the machine in the defined machines ou but always in the People ou?
>
> In /etc/ldap.conf you probably need something like:
>
>     nss_base_passwd ou=People,dc=domain,dc=org?one
>     nss_base_passwd ou=Computers,dc=domain,dc=org?one
>
> Steve

Hi Steve... Thanks for that idea. I had the first one of course and had assumed that in that file it was a one, and only one setting e.g. didn't know you could stack those and all would be used.

I tried adding the second line and now the symptom has changed. Instead of the "The user name could not be found" error on 1st join attempt, I am now seeing a rather bizarre:

"A device attached to the system is not functioning"

The machine account is however created in the Computers OU by the smbldap-useradd script and on an immediate 2nd join attempt I get "Welcome to the domain X"

I can get some debug logs from both samba and slapd if that would help.

Thanks for the reply.

--
Bill Arlofski
Reverse Polarity, LLC

[Samba] Two attempts required to join domain
Hi Everyone.

I have run across an issue that is driving me crazy.

This is a new deployment of Samba v3.6.5 with openldap v2.4.30 and smbldap-tools v0.9.8.

When trying to join the domain, on the first attempt the machine account is properly created in the correct ou - e.g. ou=Computers,dc=domain,dc=local

But the "failed to join domain" pop-up with reason of "The user name could not be found" is displayed (which really means the machine name was not found in LDAP) and of course the machine is not yet a domain member.

However, a 2nd attempt to join the domain with the same credentials, immediately after the failure results in a "Welcome to the X domain" and the machine is now a domain member.

Setting the openldap slapd loglevel to 416 to show the queries during this process reveals the following:

On 1st join attempt Samba searches the whole directory from dc=domain,dc=local with a scope of 2 (sub) for uid=MyMachine, objectClass=sambaSamAccount. It of course does not find it, so the smbldap-useradd script is called and the machine account is properly added to ou=Computers.

Then Samba immediately searches _ONLY_ ou=People,dc=domain,dc=local for the newly created machine account and of course does not find it. And the "failed to join domain" pop-up is displayed on the WinXP machine.

On the second join attempt, Samba _ONLY_ searches ou=Computers,dc=domain,dc=local, which is where it SHOULD search for machines as defined everywhere in my configs and it finds the machine and the machine successfully joins the domain.

If I set all configs - samba, smbldap etc to be such that computers are in the People organizational unit, then joining the domain works on the first try, every time.

Also, if I un-join the domain, but leave the machine account in LDAP in ou=Computers and then re-join the domain, this always works on first try too since Samba's initial scope 2 sub search of the directory starting at the top will find the machine account under ou=Computers.

Can someone offer guidance as to why during the new machine creation process (joining a domain) Samba does not look for the machine in the defined machines ou but always in the People ou?

Thank you in advance for any help on this!

--
Bill Arlofski
Reverse Polarity, LLC