[Samba] add machine script almost succeeds

Dwight Tovey dtovey at emergecore.com
Thu Oct 13 17:39:49 GMT 2005


Jerry said:
> Dwight Tovey wrote:
> | So the next step was to configure Samba to use
> | the script directly by pointing the "add machine script"
> | parameter in smb.conf to the script:
> |
> | add machine script = /usr/local/bin/samba-addmachine %u
> |
> | I restart Samba, then go to the Windows box (XP Pro)
> | and tell it to join the domain.  It asks for the Admin
> | login and password, then after a minute or so I get
> | an error popup telling me "The user name could not
> | be found." However, when I look in LDAP I can see that
> | my script did run and add the machine object as before.
> | If I go back to the Windows machine and again
> | tell it to join the domain, this time it successfully
> | joins the domain.
> ...
> | Do I need to have my script set the 'sambaNTPassword'
> | attribute?  If so, what do I set it to?  Or maybe I need
> | to have it exit with some value?
>
> You only need to create the posixAccount entry with the
> add machine script.  If I were to guess, I would
> make sure that nss_ldap is returning the machine account
> for getpwnam() queries.  i.e. 'getent passwd machine$' succeeds.

Ok. Dumb dumb dumb.  My machine accounts are in a different place in the
directory from user accounts, but I had neglected to tell '/etc/ldap.conf'
to look in the 'Computers' section for them.  Once I added the additional
'nss_base_passwd' entry to ldap.conf, Samba was able to find the machine
account.

BTW: for anybody else writing an 'add machine script', it looks like it's
not just that you "only need to create the posixAccount entry", but that
you only MAY create posixAccount.  When my script was also adding
sambaSamAccount info, Samba refused to update it because it found
sambaSamAccount items already there.  I took out the samba stuff from my
script and Samba was happy with it.

However, Windows is still not completely happy.  Now on the first attempt
to join a domain, while Samba appears to successfully create the account and
populate the sambaSamAccount info, Windows comes back and tells me "The
RPC server is unavailable".  Again, the second attempt to join the domain
succeeds.

> Also check in a level 10 log from smbd for the SAMR.*CREATE.*USER
> call to see what the return value is.
>

I'm not sure what I'm looking for here.  I don't see any return around the
only SAMR.*CREATE.*USER entry in the log.  I do see 'samr_create_user'
being called later, and it tells me that the script 'gave 0'.  I assume
that this means it succeeded.  Any other hints?

Thanks for the help.

    /dwight
-- 
Dwight N. Tovey
email: dtovey at emergecore.com
---------
Work to Live : Live to Ride : Ride to Work
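
As an added example (not the poster's script and not code from the Samba project), here is a sketch of an 'add machine script' helper that follows the two findings in this message: it emits only posixAccount attributes, leaving sambaSamAccount for Samba to populate, and it offers a getent check for NSS resolution. The base DN, GID, the uidNumber argument and the function names are assumptions.

```sh
#!/bin/sh
# Added example; BASE_DN, MACHINE_GID and the uidNumber argument are assumptions.
BASE_DN="ou=Computers,dc=example,dc=com"
MACHINE_GID=515

# Accept only names like 'pc01$': 1-15 chars of [A-Za-z0-9_-] plus a trailing '$'.
# The name comes from the joining client, so reject anything that could add
# extra LDIF lines or DN components.
valid_machine_name() {
    case "$1" in
        *'$') ;;
        *) return 1 ;;
    esac
    name=${1%?}
    [ -n "$name" ] && [ "${#name}" -le 15 ] || return 1
    case "$name" in
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Print LDIF holding only the posixAccount entry; no sambaSamAccount
# attributes, since Samba adds those itself during the join.
machine_ldif() {
    valid_machine_name "$1" || return 1
    case "$2" in
        ''|*[!0-9]*) return 1 ;;
    esac
    cat <<EOF
dn: uid=$1,$BASE_DN
objectClass: account
objectClass: posixAccount
cn: $1
uid: $1
uidNumber: $2
gidNumber: $MACHINE_GID
homeDirectory: /dev/null
loginShell: /bin/false
EOF
}

# True once NSS (nss_ldap with the right nss_base_passwd) can see the account.
nss_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# Script mode: print the LDIF for the caller to load into the directory.
if [ "$#" -eq 2 ]; then
    machine_ldif "$1" "$2" || { echo "rejected: $1" >&2; exit 1; }
fi
```

After the entry is loaded, `nss_resolves 'pc01$'` failing points at the NSS search base rather than at the script.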




