LDAP-SAM and Samba 2.2

Erik Persson erik at roxen.com
Sat Dec 1 11:06:03 GMT 2001

On Fri, 30 Nov 2001, David Highley wrote:

> "Erik Persson wrote:"
> >
> > Hi!
> >
> > I am experimenting with the PDC features of Samba 2.2 with the LDAP SAM
> > backend. This is going fairly well, except any attempt to join the domain
> > fails due to some confusion within smbd concerning what the RID for the
> > workstation account should be.
> There was a posting in the last couple of days that indicated that
> cvs patches were needed to get Samba 2.2.2 to operate with LDAP.

Right. I pulled the SAMBA_2_2 from CVS and built it. Now, it has stopped
doing the strange hex->int format conversion stuff but it still doesn't
quite work. What happens now when a client tries to join is that after a
looong while (1-2 minutes or so) of waiting (last message reported is a
"switch message SMBclose") the client declares that it has joined the
domain. After rebooting and actually trying to log into the domain I get a
"Computer account doesn't exist or password incorrect".

*sigh* What really eats me is that I actually had a working setup with at
least one successful join and subsequent login using the original 2.2.2
release with a few source code modifications that I cannot remember now.

Anyway, could I possibly be doing something wrong? What does the process of
joining a domain look like? The things that I can see from the log files:

* Client (let's call it "foo") requests to join the domain and supplies
  credentials for accomplishing this (administrator login and password).

* smbd creates an initial account in LDAP for "foo$" and sets the password
  to "foo".

* More magic...

I assume that in the "more magic" department the client supplies some kind
of data that smbd can use to set the password to something other than
"foo". However, when I look in my LDAP records for "foo$" the password
doesn't change. Could this be the problem?

This is a typical machine account entry in my LDAP server _after_ smbd has
gotten to it and added (as far as I can see) displayName and cn.

dn: uid=roadrunner$, ou=People, dc=roxen, dc=com
gidNumber: 7000
lmPassword: DC12FFA682C3844D2E87078C29EC8618
objectClass: shadowAccount
objectClass: sambaAccount
objectClass: posixAccount
loginShell: /bin/false
homeDirectory: /dev/null
userPassword:: e2NyeXB0fSpMSyo=
ntPassword: 63911FAC3D75FECB66C48A17A30C5F9D
displayName: ROADRUNNER$
uid: roadrunner$
uidNumber: 7001
pwdLastSet: 0
logonTime: 0
logoffTime: 0
kickoffTime: 0
pwdCanChange: 0
pwdMustChange: 0
smbHome: \\%N\
homeDrive: U:
profilePath: \\%N\profile
rid: 15002
primaryGroupID: 15001
acctFlags: [W          ]

The password here is hashed from foo and not from "FOO". Could that be the

I'm going nuts here. Any attempt to enlighten me will be greatly
appreciated. ;-)


Erik Persson, System Manager            <erik at roxen.com>
Roxen Internet Software                 Voice:  +46 13 376817
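As an added diagnostic (not code from the post or from Samba), the script below tests the hypothesis in the message: smbd creates the machine account with the lowercase host name as its password, so if ntPassword still equals the NT hash of "foo" after the join, the client's password change never reached the LDAP SAM. It assumes Samba's ntPassword format (MD4 over the UTF-16LE password, hex) and uses a constructed entry, not the one from the post.

```python
import struct

_MASK = 0xFFFFFFFF
_F = lambda x, y, z: (x & y) | (~x & z)
_G = lambda x, y, z: (x & y) | (x & z) | (y & z)
_H = lambda x, y, z: x ^ y ^ z
# Per round: (function, message-word order, shift amounts, additive constant), RFC 1320.
_ROUNDS = (
    (_F, tuple(range(16)), (3, 7, 11, 19), 0),
    (_G, (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
    (_H, (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
)

def md4(data: bytes) -> bytes:
    """Pure-Python MD4; hashlib's md4 is often missing under OpenSSL 3."""
    bit_len = len(data) * 8
    data += b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", bit_len)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = state
        for fn, order, shifts, const in _ROUNDS:
            for i, k in enumerate(order):
                t = (a + fn(b, c, d) + x[k] + const) & _MASK
                s = shifts[i % 4]
                a, b, c, d = d, ((t << s) | (t >> (32 - s))) & _MASK, b, c
        state = [(v + w) & _MASK for v, w in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    """ntPassword as Samba stores it: MD4 over UTF-16LE, upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()

def parse_ldif_entry(text: str) -> dict:
    """Minimal LDIF reader: attribute -> list of values ('::' base64 values kept raw)."""
    entry = {}
    for line in text.splitlines():
        if line and not line.startswith("#") and ":" in line:
            key, _, value = line.partition(":")
            entry.setdefault(key.strip(), []).append(value.lstrip(": "))
    return entry

def still_has_initial_password(entry: dict, hostname: str) -> bool:
    """True when ntPassword is still the hash of the lowercase host name, the value
    smbd sets at account creation, i.e. the join's password change never landed."""
    stored = entry.get("ntPassword", [""])[0].strip().upper()
    return stored == nt_hash(hostname.lower().rstrip("$"))

# Constructed sample entry for host "foo" (not the post's entry), deliberately left at the initial hash.
SAMPLE_ENTRY = f"dn: uid=foo$, ou=People, dc=example, dc=com\nuid: foo$\nntPassword: {nt_hash('foo')}\nacctFlags: [W          ]\n"
```

The LM hash upper-cases its input before hashing, so lmPassword cannot tell "foo" from "FOO"; only ntPassword can.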
