[Samba] Re: Cannot join SAMBA domain from XP/2K

Sat Sep 18 03:54:56 GMT 2004

Paul Gienger wrote:
> Igor Belyi wrote:
>> In short, it is borken and you'll need to have both machine and user 
>> accounts in the same location in LDAP for now.
>>
>> I'll try to look in the code but I promise nothing. :o)
> 
> It's not so much broken as it is designed for a particular purpose and 
> limited by that decision.  There is a bug filed against it that explains 
> most of the reasoning but I can't remember the number.  To paraphrase 
> (and probably mangle) the intent... they decided to require machine 
> accounts to be 'users' because that is what you have to do to assign 
> rights to a machine, which is a perfectly logical operation under the 
> windows system.

The bug is #1292. I don't quite understand Gerald's remard regarding 
nss_ldap since Samba uses its own library to access LDAP for account 
information.

On related note - somehow it works for me. I've updated my config files 
to separate locations for machine accounts into ou=Computers,dc=xxxxx 
and users into ou=People,dc=xxxxx, My WinXP was added to domain without 
a problem and users can login into it without a problem. I do remember 
that it didn't work before...

In smbldap_conf.pm I have:
$suffix = "dc=xxxxx"
$usersou = q(People);
$usersdn = "ou=$usersou,$suffix";
$computersou = q(Computers);
$computersdn = "ou=$computersou,$suffix";

In smb.conf:
domain logons = yes
security = USER
encrypt passwords = true
preferred master = yes
domain master = yes
passdb backend = ldapsam
ldap suffix = dc=xxxxx
ldap user suffix = ou=People
ldap group suffix = ou=Group

Alexei, if you still want to pursue this problem can you post your 
smb.conf and samba log related to the problem with "log level" set to 2 
or more?

Igor