[Samba] Re: Need help configuring Samba3/LDAP PDC

Aaron Ogden aogden at gxt.com
Fri Jun 11 22:07:40 GMT 2004

rwallace at thewallacepack.net wrote:

> Aaron Ogden wrote:
>> Hello Rich (and others), thanks for responding.  I turned up the 
>> loglevel, fixed some configuration errors in smb.conf, and commented 
>> the root= entry in smbusers. You were right, Administrator was being 
>> mapped to 'root'.  Now I can authenticate LDAP users in Samba, e.g. 
>> 'smbclient -L localhost -U Administrator' works properly.  
>> Unfortunately I still cannot join the PDC machine to the domain and I 
>> think I know why.
>> When I run 'net rpc join -U Administrator' the machine account gets 
>> created but it is a posixAccount instead of a sambaSamAccount.  In 
>> other words it is a normal unix user account that is missing all of 
>> the samba-related fields.  Samba is calling the IDEALX 
>> smbldap-useradd.pl script to create the account but obviously I've 
>> got an error somewhere... the user accounts it creates are not 
>> samba-capable.  Does anyone know how to fix this?  Did I miss 
>> something in smbldap_conf.pm?
> What version of samba did you say your using?  It sounds like one with 
> an older version of the Idealx scripts since you still have the .pl 
> extension and they still use the .pm configuration files.  Try going 
> to http://www.idealx.org/prj/samba/index.en.html and download the 
> latest version of the scripts.  I had some problems with the Idealx 
> scripts bundled with 3.0.2a but using the latest versions from the 
> site fixed everything.  Oh, and don't forget that for the "add machine 
> script" setting you need to pass the -w option to smbldap-useradd.

I got it working today, it turns out that the bug John Terpstra mentions 
on page 149 of S3BE still exists in Samba 3.0.4.  The machine accounts 
have to be in the same org unit as the normal user accounts.   After I 
changed the configuration to work around this bug I was able to join the 
PDC to the domain and join a client machine to the domain... so 
everything is working great now.   Thanks again for your help!! 

re: smbldap scripts, I am using the ones that came with the SuSE samba 
packages.  They seem to work fine.

>> On a related note, I've imported lots of NIS data into this LDAP 
>> directory, so I have lots of valid Unix accounts.  These are working 
>> properly on LDAP-enabled linux machines, but how do I 'convert' them 
>> for use with Samba?  Ideally I would like to have one record for each 
>> user that contains all of the samba data as well as the unix data.  
>> Is there an easy way to add the appropriate samba fields to 'normal' 
>> posixAccounts?  Is there a FAQ that covers the procedure?  Any help 
>> would be welcome.
> That's a good question and I hope someone has an answer.  I tried to 
> do the same a while back and didn't have any luck either.  You can't 
> use the smbldap-useradd scripts or smbpasswd -a 'cause those will only 
> tell you that the entry already exists.  Oooo... but it looks like you 
> can use "smbldap-usermod -a" to add the necessary objectclass and 
> whatnot.  Play around with that and see what happens.
I think the 'mkntpasswd' command may take care of this too... not sure 
yet, but I will check and get back to you.  I have the password hashes 
for a few hundred users, hopefully I can enter this into LDAP in binary 
format since they can't be decrypted.

More information about the samba mailing list