[Samba] Machine accounts creation with pdbedit (Samba&LDAP)

Fermin Molina fermin at asic.udl.es
Thu Oct 23 16:52:26 GMT 2003


Hi,

I get this error when I'm trying to create a machine account with
pdbedit:

--------
# pdbedit -a -m -u machine
ldapsam_modify_entry: Failed to add user dn=
uid=machine$,ou=Computers,dc=mydomain,dc=org with: Object class 
violation
        object class 'sambaSamAccount' requires attribute 'sambaSID'
ldapsam_add_sam_account: failed to modify/add user with uid = machine$
(dn = uid=machine$,ou=Computers,dc=mydomain,dc=org)
Unable to add machine! (does it already exist?)
--------


I've been searching for information in all the available documentation, but I
cannot find anything about how the new LDAP schema works and its
interaction with Samba.

Enabling debug in smb.conf (log level = 3 passdb:10 auth:10), I get:


--------
# pdbedit -a -m -u machine
Trying to load: ldapsam:ldap://localhost
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend ldapsam_compat
Successfully added passdb backend 'ldapsam_compat'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend guest
Successfully added passdb backend 'guest'
Attempting to find an passdb backend to match ldapsam:ldap://localhost
(ldapsam)
Found pdb backend ldapsam
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MYDOMAIN))]
smbldap_search_suffix: searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=MYDOMAIN))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
pdb backend ldapsam:ldap://localhost has a valid init
Trying to load: guest
Attempting to find an passdb backend to match guest (guest)
Found pdb backend guest
pdb backend guest has a valid init
Trying to load: ldapsam:ldap://localhost
Attempting to find an passdb backend to match ldapsam:ldap://localhost
(ldapsam)
Found pdb backend ldapsam
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MYDOMAIN))]
smbldap_search_suffix: searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=MYDOMAIN))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
pdb backend ldapsam:ldap://localhost has a valid init
Trying to load: guest
Attempting to find an passdb backend to match guest (guest)
Found pdb backend guest
pdb backend guest has a valid init
pdb_set_username: setting username machine$, was
pdb_set_group_sid: setting group sid
S-1-5-21-3242272402-4231600687-3648858774-515
pdb_set_group_sid_from_rid:
        setting group sid S-1-5-21-3242272402-4231600687-3648858774-515
from rid 515
smbldap_search_suffix: searching
for:[(&(&(uid=machine$)(objectclass=sambaSamAccount))(objectclass=sambaSamAccount))]
smbldap_search_suffix: searching
for:[(&(uid=machine$)(objectclass=sambaSamAccount))]
smbldap_search_suffix: searching
for:[(&(sambaSID=S-0-0)(|(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))]
ldapsam_add_sam_account: Adding new user
init_ldap_from_sam: Setting entry for user: machine$
ldapsam_modify_entry: Failed to add user dn=
uid=machine$,ou=Computers,dc=mydomain,dc=org with: Object class
violation
        object class 'sambaSamAccount' requires attribute 'sambaSID'
ldapsam_add_sam_account: failed to modify/add user with uid = machine$
(dn = uid=machine$,ou=Computers,dc=mydomain,dc=org)
Unable to add machine! (does it already exist?)
--------


I don't understand what process pdbedit (or Samba) follows. And I
cannot find any clear related information about it. Even using the -U
option with a manually generated SID, I get the same error.

When I run LDAP and Samba for the first time, an entry appears in
LDAP (but I didn't put it there!):


--------
dn: sambaDomainName=MYDOMAIN,dc=mydomain,dc=org
sambaDomainName: MYDOMAIN
sambaSID: S-1-5-21-3242272402-4231600687-3648858774
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
--------

What is the intended use of this entry? Does pdbedit get the server base SID
from here? Does it then generate a new SID for the new account (user/machine)
that it is about to create?

My LDAP configuration in smb.conf:

--------------
passdb backend = ldapsam:ldap://localhost, guest
idmap  backend = ldapsam:ldap://localhost

ldap admin dn           = cn=Manager,dc=mydomain,dc=org
ldap ssl                = off
ldap suffix             = dc=mydomain,dc=org
ldap user suffix        = ou=People
ldap machine suffix     = ou=Computers
ldap filter             = "(&(uid=%u)(objectclass=sambaSamAccount))"
ldap idmap suffix       = ou=Idmap

idmap uid = 50000-60000
idmap gid = 50000-60000
--------------


Thanx,
Fermin





