[Samba] samba 3.0.2a (ported from 2.2.8a) with LDAP failed to add machine account

Jim C. jcllings at javahop.com
Fri Mar 12 15:30:17 GMT 2004



I had many problems getting the scripts to work until I realized that I
had two admin groups with the same name and same id, one in /etc/group
and the other in LDAP.  Now this is just fine and even kind of elegant
but not if it is set up wrong.  There are two ways it can work.

1. You can add the ldap admin users to the local group in /etc/group.
2. You can duplicate the group in ldap and add the admin users to that
group instead.  If you do this though, you have to put ldap first in
/etc/nsswitch.conf so that the system will find that group first when
the slapd daemon is operational.  The cool part about this way is that
when slapd is not operational, those extra members of the admin group
just go away.  They are simply not found because they are not part of
the local group.  Also, one must remember that adding a user to the
local group means adding one to the ldap group also but NOT necessarily
the other way around.

For a default/debug setup, you might consider either just going with 1
above and having no admin group contained in ldap or making both groups
discussed in 2 above exact duplicates i.e. each user contained in one
also exists in the other.


Jim C.

zergio wrote:

| Hi all!
| Domain is up and running. I can add users and they can change passwords.
| Problem occurred when I tried to add machine account.
| add machine script works fine (unix user created) but samba can not
| modify entry. LDAP permissions are proper.
| If you have any idea, it is welcome.
| Thank you
| Here is the log:
|
| [2004/03/10 14:33:08, 3] passdb/pdb_ldap.c:ldapsam_add_sam_account(1595)
|  ldapsam_add_sam_account: Adding new user
| [2004/03/10 14:33:08, 2] passdb/pdb_ldap.c:init_ldap_from_sam(769)
|  init_ldap_from_sam: Setting entry for user: hive$
| [2004/03/10 14:33:08, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1214)
|  ldapsam_modify_entry: Failed to add user dn=
| uid=hive$,ou=Computers,ou=accounts,o=isma with: Already exists
|
| [2004/03/10 14:33:08, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1633)
|  ldapsam_add_sam_account: failed to modify/add user with uid = hive$ (dn
| = uid=hive$,ou=Computers,ou=accounts,o=isma)
| [2004/03/10 14:33:08, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2250)
|  could not add user/computer hive$ to passdb.  Check permissions?
|
| smb.conf
|
| [global]
|     dos charset = CP866
|     unix charset = koi8-r
|     display charset = koi8-r
|     workgroup = ISMA-TEST
|     netbios name = BDC-SRV
|     server string = Samba Server 3.0.2a testing
|     interfaces = eth1
|     bind interfaces only = Yes
|     min passwd length = 4
|     map to guest = Bad User
|     passdb backend = ldapsam:ldap://192.168.10.156
|     guest account = guest
|     passwd program = /usr/local/sbin/smbldap-passwd.pl %u
|     passwd chat = *New*password* %n\n *new*password* %n\n
|     passwd chat timeout = 1
|     unix password sync = Yes
|     log level = 3
|     log file = /var/log/samba/log.%m
|     max log size = 50
|     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
|     add machine script = /usr/local/sbin/smbldap-useradd.pl -w -d
| /dev/null -g 'Domain Computers' -c 'Machine Account' -s /bin/false %u
|     logon script = %U.bat
|     logon path = \\%N\%U\.2kXPprofiles
|     logon home = \\%N\%U\.9xMeprofiles
|     domain logons = Yes
|     os level = 255
|     preferred master = Yes
|     domain master = Yes
|     dns proxy = No
|     wins server = 192.168.77.3
|     ldap suffix = ou=accounts,o=isma
|     ldap machine suffix = ou=Computers
|     ldap user suffix = ou=Users
|     ldap group suffix = ou=Groups
|     ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
|     ldap admin dn = cn=admin,ou=accounts,o=isma
|     ldap ssl = no
|     ldap passwd sync = Yes
|
| [homes]
|     comment = Home Directories
|     read only = No
|     browseable = No
|
| [printers]
|     comment = All Printers
|     path = /var/spool/samba
|     printable = Yes
|     browseable = No
|
| [test]
|     path = /home
|     read only = No
|
| [netlogon]
|     path = /opt/samba/netlogon
|     admin users = admin
|     read only = No
|     browseable = No
|
|
|


--

-----------------------------------------------------------------
| I can be reached on the following messenger services:         |
|---------------------------------------------------------------|
| MSN: j_c_llings at hotmail.com  AIM: WyteLi0n  ICQ: 123291844 |
|---------------------------------------------------------------|
| Y!: j_c_llings               Jabber: jcllings at njs.netlab.cz|
-----------------------------------------------------------------
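As an added example (not code from this post or from Samba), the script below models the situation Jim describes: the same group defined in /etc/group and in LDAP, with the nsswitch order and slapd availability deciding which member list the system sees, plus the check that every local member is also in the LDAP group. The group data is constructed.

```python
# Constructed /etc/group lines (name:password:gid:member,member).
ETC_GROUP = "root:x:0:\nadmin:x:512:jim,bob\n"

# Constructed LDIF for the LDAP copy of the same group (same name and gid).
LDAP_LDIF = """dn: cn=admin,ou=Groups,ou=accounts,o=isma
objectClass: posixGroup
cn: admin
gidNumber: 512
memberUid: jim
memberUid: zergio
"""

def parse_etc_group(text):
    """Map group name -> member list from /etc/group-style lines."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, _gid, members = line.split(":", 3)
            groups[name] = [m for m in members.split(",") if m]
    return groups

def parse_ldif_groups(text):
    """Map cn -> memberUid list for each posixGroup entry in an LDIF fragment."""
    groups, entry = {}, {}
    for line in text.splitlines() + [""]:      # a blank line ends an entry
        if line.strip():
            attr, value = line.split(":", 1)
            entry.setdefault(attr.strip(), []).append(value.strip())
            continue
        if "posixGroup" in entry.get("objectClass", []):
            groups[entry["cn"][0]] = entry.get("memberUid", [])
        entry = {}
    return groups

def effective_members(name, nss_order, local, ldap, slapd_up=True):
    """NSS answers from the first source that knows the group; a down slapd
    is a source that knows nothing, so LDAP-only members disappear."""
    sources = {"files": local, "ldap": ldap if slapd_up else {}}
    for src in nss_order:
        if name in sources[src]:
            return sorted(sources[src][name])
    return []

def local_members_missing_from_ldap(local, ldap):
    """Rule from the reply: every member of the local group must also be in
    the LDAP group (the reverse is optional). Returns name -> missing members."""
    return {name: sorted(set(members) - set(ldap[name]))
            for name, members in local.items()
            if name in ldap and set(members) - set(ldap[name])}
```

With `ldap files` order the LDAP-only member is visible while slapd runs and vanishes when it stops; with `files ldap` the local list always wins and the LDAP-only member is never seen.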



