[Samba] Cannot join SAMBA domain from XP/2K

deff deff at zoznam.sk
Tue Sep 21 10:57:59 GMT 2004

On Tuesday 21 September 2004 12:05, Nathan Howard wrote:
> deff wrote:
> > On Saturday 18 September 2004 21:31, Alexei Monastyrnyi wrote:
> >>And what was the result of that struggle?
> >>Did you make it work?
> >
> > Yes, I did. In some other thread someone mentioned that it is mandatory
> > to put all users and machines accounts to ou=People due to some weird
> > samba design decision. However, it isn't mentioned in any howto, neither
> > official nor idealx's, and samba doesn't complain about it in any way
> > either. Too bad...for me.
> Actually it is mentioned in the samba guide:
> Chapter 6:
> http://us4.samba.org/samba/docs/man/Samba-Guide/happy.html
> 1/2 way down the page just before table 6.2 there is a "Note"

Ok, my bad, I guess I'll have to learn to read better, or just buy a new pair 
of glasses.  I went by the IDEALX howto and while I read the note regarding "the 
bug", I didn't pay enough attention to it, as their formulation was vague, I 
considered samba 3.0.2 outdated, and the DIT schema was outlined as 

 `--- ou=Users     : to store user accounts for Unix and Windows systems
 `--- ou=Computers : to store computer accounts for Windows systems 

which I was familiar with from Windows PDCs. I'd better not presume anything 
in the future.

> ==quote==
>   In the following examples, as the LDAP database is initialized, we do
> create a container for Computer (machine) accounts. In the Samba-3
> smb.conf files, specific use is made of the People container, not the
> Computers container, for domain member accounts. This is not a mistake;
> it is a deliberate action that is necessitated by the fact that there is
> a bug in Samba-3 that prevents it from being able to search the LDAP
> database for computer accounts if they are placed in the Computers
> container. By placing all machine accounts in the People container, we
> are able to side-step this bug. It is expected that at some time in the
> future this problem will be resolved. At that time, it will be possible
> to use the Computers container in order to keep machine accounts
> separate from user accounts.
> ==endquote==
> However the samba Howto is very vague
> http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#id25
> Under "Accounts and Group Management"
> ==quote==
>   Machine accounts are managed with the sambaSamAccount objectclass,
> just like users accounts. However, it is up to you to store those
> accounts in a different tree of your LDAP namespace. You should use
> “ou=Groups,dc=quenya,dc=org” to store groups and
> “ou=People,dc=quenya,dc=org” to store users. Just configure your NSS and
> PAM accordingly (usually, in the /etc/openldap/sldap.conf  configuration
> file).
> ==endquote==
> I am having similar symptoms as well although I am using the same
> container for both Users and Computers.
> The symptoms being "User not found" when trying to join domain from 2k
> box. I'm still investigating at the moment although this worked fine
> with samba 3.0.4 with exactly same config.
> Samba is now 3.0.7
> Not sure about the IDEALX scripts as they came with the samba gentoo
> package so I'm about to look to see what version they really are.
> Nathan
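
An added example, not part of the original thread or of the Samba or IDEALX code: a shell check that reads the `ldap user suffix` and `ldap machine suffix` parameters from an smb.conf `[global]` section and reports whether machine accounts land in the same container as user accounts, which is the workaround the quoted Samba-Guide note describes. The helper names and both sample configurations (including `dc=example,dc=org`) are constructed for illustration.

```shell
#!/bin/sh
# Added example: compare the account containers in an smb.conf [global] section.

# smbconf_get FILE "param name": print a [global] parameter value (hypothetical helper).
smbconf_get() {
    awk -v want="$2" '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        /^[ \t]*\[/ {                           # section header
            s = tolower($0); gsub(/[ \t\r]/, "", s)
            in_global = (s == "[global]"); next
        }
        in_global && index($0, "=") {
            eq = index($0, "=")
            name = tolower(substr($0, 1, eq - 1)); val = substr($0, eq + 1)
            gsub(/[ \t]+/, " ", name); sub(/^ /, "", name); sub(/ $/, "", name)
            sub(/^[ \t]+/, "", val); sub(/[ \t\r]+$/, "", val)
            if (name == want) found = val       # last assignment wins
        }
        END { print found }
    ' "$1"
}

# check_machine_suffix FILE: 0 = same container, 1 = different, 2 = not set.
check_machine_suffix() {
    user=$(smbconf_get "$1" "ldap user suffix" | tr 'A-Z' 'a-z')
    machine=$(smbconf_get "$1" "ldap machine suffix" | tr 'A-Z' 'a-z')
    if [ -z "$user" ] || [ -z "$machine" ]; then
        echo "UNSET: cannot compare (user='$user' machine='$machine')"; return 2
    fi
    if [ "$user" = "$machine" ]; then
        echo "OK: machine accounts share $user with user accounts"; return 0
    fi
    echo "MISMATCH: users in $user, machines in $machine"; return 1
}

# Constructed sample configs (not taken from the thread).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/split.conf" <<'EOF'
[global]
   ldap suffix = dc=example,dc=org
   ldap user suffix = ou=Users
   ldap machine suffix = ou=Computers
EOF
cat > "$SAMPLE_DIR/workaround.conf" <<'EOF'
[global]
   ldap suffix = dc=example,dc=org
   ldap user suffix = ou=People
   LDAP Machine Suffix = ou=People
EOF
check_machine_suffix "$SAMPLE_DIR/split.conf" || true
check_machine_suffix "$SAMPLE_DIR/workaround.conf" || true
```

A MISMATCH result on a Samba-3 release affected by the bug quoted above matches the layout in which the domain join failed for the poster.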
