Default OU vs. CN per SAMBA-HOWTO?

Jason Gerfen jason.gerfen at
Mon Oct 31 20:24:33 GMT 2005

I have come across a problem I have not been able to resolve.  I am 
attempting to create a Samba ADS Domain Membership machine to 
authenticate users which will be accessing the shares on the Samba 
server from a combination of Active Directory and Kerberos.

The problem I am experiencing is stemming from following the directions 
for the "Create the Computer Account" in chapter 6 part II of the 
Samba-Howto.  The last command says it is possible to create a machine 
trust account in a container called servers under a different OU.

ex: root# net ads join "Computer\BusinessUnit\Department\Servers"

Here are the steps I have taken, I have joined the Samba machine to the 
domain using the "net ads join -U<username>" command.

I have configured the /etc/krb5.conf to mimic our network environment as 
well as the nsswitch.conf, I am able to run the command "getent passwd" 
and I can see users, however the problem is they are not the correct 
users.  After running the command I described above "net ads join 
"Computer\BusinessUnit\Department\Servers"" I can only view and 
authenticate users in the OU.

I have attempted the following: removed the computer trust account from 
the active directory, let the AD replicate and rejoined the domain only 
to have the same OU show up as default.  I have removed the Samba and Winbind 
packages from the machine, changed the machine name, as well as any 
temporary files for samba and winbind, let the machine sit without any 
domain interaction for 3 days to make sure the computer trust account 
was removed, and all without any success.

Any assistance with this problem is definitely appreciated.  I am 
including the /etc/samba/smb.conf and the /etc/krb5.conf.  Again any 
help is appreciated.

[global]
# Network configuration
       server string =
       workgroup = DOMAIN
       netbios name = DOC-ODIN
       realm = DOMAIN
       security = ADS
       password server =

# Domain configuration options
       preferred master = no
       local master = no
       domain master = no
       domain logons = no

# Security options
       encrypt passwords = yes
       update encrypted = yes
       password level = 20

# Winbind options
       winbind use default domain = no
       winbind cache time = 5
       winbind separator = /
       winbind enum users = no
       winbind enum groups = no
       winbind nested groups = yes

# User/Group mapping options
       idmap uid = 500-500000
       idmap gid = 500-500000
       add user script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u
       add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$

# LDAP/AD configuration options
       passdb backend = ldapsam:LDAP://
       ldap admin dn = "cn=readonly,cn=users,dc=domain,dc=com"
       ldap user suffix = cn=users
       ldap group suffix = ou=groups
       ldap suffix = dc=domain,dc=com
       ldap delete dn = no
       use spnego = yes

# Networking options
       hide unreadable = no
       wins support = no
       dns proxy = no
       interfaces = eth* lo
       bind interfaces only = yes
       socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
       hosts deny =

# Miscellaneous options
       os level = 20
       template shell = /bin/false
       template homedir = /odin/%D/%U
       load printers = no

# Logging options
       log level = 1 ads:5 auth:5 sam:5 rpc:5

[libdefaults]
        default_realm = DOMAIN.COM
        clockskew = 300
        default_tgs_enctypes = rc4-hmac des-cbc-md5
        default_tkt_enctypes = rc4-hmac des-cbc-md5
        permitted_enctypes = rc4-hmac des-cbc-md5

[realms]
        DOMAIN.COM = {
                kdc =
                default_domain =
                admin_server =
        }

[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

[domain_realm]
        # left-hand names were lost in the post; domain.com is assumed from the ldap suffix above
        .domain.com = DOMAIN.COM
        domain.com = DOMAIN.COM

[appdefaults]
        pam = {
                ticket_lifetime = 1d
                renew_lifetime = 1d
                forwardable = true
                proxiable = false
                retain_after_close = false
                minimum_uid = 0
        }

Jason Gerfen

"My girlfriend threatened to
 leave me if I went boarding...
 I will miss her."
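The smb.conf quoted in this post has several defects that smbd would silently tolerate or ignore (no [global] header, a misspelled parameter, the same parameter set twice, an unclosed double quote), and such defects are easy to mistake for a join or OU problem. The script below is an added example, not code from the original post or from the Samba project; it is an offline lint for an smb.conf text. The misspelling map and the two sample excerpts are constructed for this example, and the excerpts reproduce the defects from the configuration above alongside a corrected copy.

```python
"""Offline sanity check for smb.conf before running 'net ads join'.

Added example for this thread; it is not code from the original post or from
the Samba project.  It parses smb.conf the way the file is laid out (bracketed
sections, 'key = value' lines, '#' and ';' comments, backslash continuation)
and reports the kinds of defects visible in the configuration quoted above:
parameters outside any section, a misspelled parameter, the same parameter set
twice, an unbalanced double quote, and an empty value that an ADS join needs.
"""
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]$")

# Misspelling -> correct Samba parameter name.  Constructed map; it holds only
# the spelling that appears in the quoted smb.conf.
MISSPELLINGS = {"prefered master": "preferred master"}


def _logical_lines(text):
    """Yield stripped lines with smb.conf backslash continuations joined."""
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        yield line
    if pending:
        yield pending


def parse_smb_conf(text):
    """Return {section: [(key, value), ...]}; key None collects lines before any header."""
    sections = {}
    current = None
    for line in _logical_lines(text):
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, [])
            continue
        if "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, []).append((key.strip().lower(), value.strip()))
    return sections


def lint_smb_conf(text):
    """Return a list of findings (empty when none of the checked defects is present)."""
    findings = []
    sections = parse_smb_conf(text)
    if None in sections:
        findings.append("parameters appear before any [section] header; put them under [global]")
    params = sections.get("global") or sections.get(None) or []
    seen = {}
    for key, value in params:
        seen.setdefault(key, []).append(value)
    for key, values in seen.items():
        if key in MISSPELLINGS:
            findings.append(f"unknown parameter '{key}' (did you mean '{MISSPELLINGS[key]}'?)")
        if len(values) > 1:
            findings.append(f"parameter '{key}' is set {len(values)} times; smbd uses the last value")
        if any(v.count('"') % 2 for v in values):
            findings.append(f"unbalanced double quote in value of '{key}'")
    if (seen.get("security") or [""])[-1].lower() == "ads":
        for key in ("workgroup", "realm"):
            if not (seen.get(key) or [""])[-1]:
                findings.append(f"'{key}' is empty but security = ADS requires it")
    return findings


# Constructed excerpt of the configuration quoted above, with its defects kept.
SAMPLE_AS_POSTED = """\
# Network configuration
       workgroup = DOMAIN
       realm = DOMAIN
       security = ADS
       password server =
# Domain configuration options
       prefered master = no
       local master = no
       prefered master = no
# LDAP/AD configuration options
       ldap admin dn = "cn=readonly,cn=users,dc=domain,dc=com
"""

# The same excerpt with the defects corrected.
SAMPLE_FIXED = """\
[global]
       workgroup = DOMAIN
       realm = DOMAIN
       security = ADS
       preferred master = no
       local master = no
       ldap admin dn = "cn=readonly,cn=users,dc=domain,dc=com"
"""

if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_AS_POSTED), ("fixed", SAMPLE_FIXED)):
        findings = lint_smb_conf(text)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Run it on the real file with `lint_smb_conf(open("/etc/samba/smb.conf").read())` before touching the domain; a clean result does not prove the join will work, but it removes the config-syntax explanations from the list of suspects before looking at the realm, the OU path or the Kerberos side.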

More information about the samba-technical mailing list