[Samba] samba 3 LDAP/PDC problem - adding WXP account

Tarjei Bitustøyl astaroth at uses.nofw.org
Sun Nov 9 09:26:20 GMT 2003


Ok, additional information:
I am using LDAP as a unix password backend, so I shouldn't be needing the
/etc/passwd for a machine account.
The smbldap-useradd.pl -w script adds an account correctly, and both
posixAccount and sambaSAMAccount are set. When this is done, I again get
"access is denied" when I try to join the domain, with the valid SID user.
It doesn't seem to join correctly on the operation when it actually creates
the account, however I can see nothing wrong with the account itself. Here
is an auto-created account: (smbldap-useradd.pl -w %u)

dn: uid=main$,ou=Machines,o=AstarothInc,c=NO
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
cn: main$
sn: main$
uid: main$
uidNumber: 1003
gidNumber: 553
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer

I have all the scripts in place, but manually only the add machine script
works. I don't think I need the others for the operation I am trying,
though.

The thing is, if I do have an account in /etc/passwd called "main$" when I
try to join, the auto-created ldap entry looks very very different:

dn: uid=main$,ou=Machines,o=AstarothInc,c=NO
uid: main$
sambaSID: S-1-5-21-2523409155-1094959098-2360343008-3006
sambaPrimaryGroupSID: S-1-5-21-2523409155-1094959098-2360343008-1201
sambaAcctFlags: [W          ]
objectClass: sambaSamAccount
objectClass: account

The error upon joining is still the same, username could not be found;
however, subsequent attempts to join give the error "access is denied." I'm
going nuts.

Regards
Tarjei

----- Original Message ----- 
From: "Andrew Bartlett" <abartlet at samba.org>
To: "Tarjei Bitustøyl" <astaroth at uses.nofw.org>
Cc: <samba at lists.samba.org>
Sent: Sunday, November 09, 2003 10:08 AM
Subject: Re: [Samba] samba 3 LDAP/PDC problem - adding WXP account

On Sun, 2003-11-09 at 19:40, Tarjei Bitustøyl wrote:
> Hi,
>
> I've finally gotten my LDAP password backend up and running, and finally
> figured out the SID 1000/1001 thing for Samba admin.
> However I'm unable to join the workstation to my domain.

I'm not sure what you mean about the '1000/1001' thing.  Root should be
given the special sid '-500' if at all possible, as that is
'administrator'.

> Using any random user in the WXP dialogue, I get the "Access is Denied"
> error. Fair enough.
> Using the user with sambasid and sambagroupsid s-*-1000/s-*-1001, I get
> the error "The Username could not be found". This error is probably not
> referring to the login user, as that one is validated (I get another error
> if I type in a wrong password), so I assume it's the machine account user
> that it is looking for.
>
> I have however tried adding the machine account using both LAM and
> smbpasswd -a -m, but no difference.
>
> The debug log says everything is successful?
> I'm at a loss. Does anyone have a hint as to what is wrong here?

Do you have the add user scripts in place?

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
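
Added example, not part of the original thread: a short Python check run over the two LDIF entries posted in the message above, listing which object classes and attributes each one lacks. The required set (posixAccount and sambaSamAccount together with uidNumber, gidNumber, sambaSID and a W flag on the same uid=<name>$ entry) is an assumption about a workstation trust account when LDAP is also the Unix account backend; the names parse_ldif and audit are hypothetical.

```python
# Added example (assumption: the uid=<name>$ entry should carry both classes below).
REQUIRED_CLASSES = ("posixAccount", "sambaSamAccount")
REQUIRED_ATTRS = ("uid", "uidNumber", "gidNumber", "sambaSID", "sambaAcctFlags")

def parse_ldif(text):
    """Parse simple LDIF (no folding, no base64) into {attr: [values]} dicts."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if line.strip():
            name, _, value = line.partition(":")
            current.setdefault(name.strip().lower(), []).append(value.strip())
        elif current:  # a blank line closes the current entry
            entries.append(current)
            current = {}
    return entries

def audit(entry):
    """List what one entry lacks to serve as a workstation trust account."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    out = [f"missing objectClass {c}" for c in REQUIRED_CLASSES if c.lower() not in classes]
    out += [f"missing attribute {a}" for a in REQUIRED_ATTRS if a.lower() not in entry]
    if "W" not in entry.get("sambaacctflags", ["W"])[0]:  # only checked when present
        out.append("sambaAcctFlags lacks W (workstation trust)")
    return out

SAMPLE = """\
dn: uid=main$,ou=Machines,o=AstarothInc,c=NO
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
cn: main$
sn: main$
uid: main$
uidNumber: 1003
gidNumber: 553
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer

dn: uid=main$,ou=Machines,o=AstarothInc,c=NO
uid: main$
sambaSID: S-1-5-21-2523409155-1094959098-2360343008-3006
sambaPrimaryGroupSID: S-1-5-21-2523409155-1094959098-2360343008-1201
sambaAcctFlags: [W          ]
objectClass: sambaSamAccount
objectClass: account
"""
if __name__ == "__main__": print([audit(e) for e in parse_ldif(SAMPLE)])
```

SAMPLE holds the two entries exactly as posted; on them the check reports that the first has only the POSIX half and the second only the Samba half.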



