[Samba] openldap PDC : can't add machine account ; "too many domain info entries"

Simone Cittadini simonec at comvert.com
Thu Sep 23 09:01:55 GMT 2004

I've inherited this quite messy openldap server from the previous 
administrator; samba (3) relies on it for acting as a PDC.
The main problem (while I build a new directory from scratch) is that you 
can't add a machine account to the domain:
On the client it says the credentials are invalid; anyway, the real 
problem (from the samba logs) seems to be:

"Got too many (2) domain info entries for domain DOMAIN"

(I've replaced my domain name to 'DOMAIN' and sambahost name to 'host' 
for no particular reason ...)

host:/etc/samba # strings secrets.tdb | grep SID
&SECRETS/SID/DOMAIN   <-- I think this is the problem, since a clean 
installation on a test machine gives only the first line from the same 
command, but I can't figure out how to remove the entry.

Other useful info:

host:/ # smbclient -L localhost -U%

Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.0.4-SUSE]

Server        Comment
---------       -------
HOST        Samba Server Version 3.0.4-SUSE

Workgroup       Master
---------              -------

host:/ # net getlocalsid

[2004/09/22 11:39:38, 0] lib/smbldap.c:smbldap_search_domain_info(1368)
  Got too many (2) domain info entries for domain DOMAIN
SID for domain HOST is: S-1-5-21-3942806058-2931819711-1847247862

host:/ # pdbedit -Lv user

Got too many (2) domain info entries for domain DOMAIN
Got too many (2) domain info entries for domain DOMAIN
Unix username:        user
NT username:          user
Account Flags:        [U          ]
User SID:             S-1-5-21-3942806058-2931819711-1847247862-2010
Primary Group SID:    S-1-5-21-3942806058-2931819711-1847247862-513
Full Name:            Some User
Home Directory:       \\host\user
HomeDir Drive:        H:
Logon Script:         logon.bat
Profile Path:         \\host\profiles\user
Domain:               DOMAIN

host:/ # net groupmap list

[2004/09/22 11:50:47, 0] lib/smbldap.c:smbldap_search_domain_info(1368)
  Got too many (2) domain info entries for domain DOMAIN

Domain (S-1-5-21-3942806058-2931819711-1847247862-1203) -> domain
Domain Guests (S-1-5-21-3942806058-2931819711-1847247862-514) -> nobody
Domain Users (S-1-5-21-3942806058-2931819711-1847247862-513) -> users
Domain Admins (S-1-5-21-3942806058-2931819711-1847247862-512) -> Domain 
Guests (S-1-5-21-3942806058-2931819711-1847247862-546) -> Guests
Power Users (S-1-5-21-3942806058-2931819711-1847247862-547) -> Power Users
Account Operators (S-1-5-21-3942806058-2931819711-1847247862-548) -> Account Operators
Server Operators (S-1-5-21-3942806058-2931819711-1847247862-549) -> Server Operators
Print Operators (S-1-5-21-3942806058-2931819711-1847247862-550) -> Print 
Backup Operators (S-1-5-21-3942806058-2931819711-1847247862-551) -> Backup Operators
Replicator (S-1-5-21-3942806058-2931819711-1847247862-552) -> Replicator
Domain Computers (S-1-5-21-3942806058-2931819711-1847247862-553) -> Domain Computers

[the exported LDIF of ldap domain entry]

dn: sambaDomainName=DOMAIN, dc=domain, dc=com
sambaNextUserRid: 4000
sambaSID: S-1-5-21-3942806058-2931819711-1847247862
sambaNextGroupRid: 4001
objectClass: sambaDomain
sambaAlgorithmicRidBase: 1000
sambaDomainName: DOMAIN

[relevant lines from smb.conf]

netbios name = HOST
workgroup = DOMAIN
passdb backend = ldapsam:ldap://localhost/       

ldap suffix = dc=domain,dc=com
ldap admin dn = cn=Manager,dc=domain,dc=com
ldap ssl = on
ldap user suffix = ou=people
ldap group suffix = ou=Group
ldap machine suffix = ou=people
#ldap filter = ($(uid=%u)(objectclass=sambaSAMAccount))
ldap idmap suffix = ou=Idmap
idmap backend = ldap:ldaps://host.domain.com

add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'
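The "Got too many (2) domain info entries" message comes from smbldap_search_domain_info(), which expects exactly one sambaDomain entry for the workgroup; two entries answering the same sambaDomainName filter triggers it, and if their sambaSID values differ a joining client can end up validated against the wrong SID. The script below is an added example, not part of the original post or of Samba: it scans an LDIF export (e.g. from slapcat or ldapsearch -x -b dc=domain,dc=com '(objectClass=sambaDomain)') for sambaDomain entries that share a sambaDomainName, matching the name case-insensitively because samba.schema declares the attribute with case-insensitive equality. The embedded LDIF is constructed; the second entry's DN and SID and the OTHER domain are hypothetical, only the first entry mirrors the one posted above.

```python
import base64
from collections import defaultdict

# Constructed sample export (hypothetical): the first entry mirrors the one
# from the post, the second is a stale copy under ou=people with a different
# SID, the third is an unrelated domain that must not be reported.
SAMPLE_LDIF = """\
dn: sambaDomainName=DOMAIN,dc=domain,dc=com
objectClass: sambaDomain
sambaDomainName: DOMAIN
sambaSID: S-1-5-21-3942806058-2931819711-1847247862
sambaNextUserRid: 4000

dn: sambaDomainName=domain,ou=people,dc=domain,dc=com
objectClass: sambaDomain
sambaDomainName: domain
sambaSID: S-1-5-21-1111111111-2222222222-3333333333
sambaNextUserRid: 1000

dn: sambaDomainName=OTHER,dc=domain,dc=com
objectClass: sambaDomain
sambaDomainName: OTHER
sambaSID: S-1-5-21-4444444444-5555555555-6666666666

dn: uid=user,ou=people,dc=domain,dc=com
objectClass: sambaSamAccount
sambaSID: S-1-5-21-3942806058-2931819711-1847247862-2010
uid: user
"""


def _value(rest):
    """Decode the text after the first ':' of an LDIF line.
    'attr:: xxx' arrives here as ': xxx' and is base64 encoded."""
    if rest.startswith(":"):
        return base64.b64decode(rest[1:].strip()).decode("utf-8")
    return rest.strip()


def parse_ldif(text):
    """Parse LDIF into a list of (dn, {attr_lower: [values]}).
    Handles folded continuation lines (leading space), '#' comments and
    base64 values; enough for a slapcat or ldapsearch export."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]      # continuation of the previous line
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded + [""]:         # sentinel blank flushes last entry
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        if line.startswith("#"):
            continue
        if line.startswith("dn:"):
            current = (_value(line[3:]), defaultdict(list))
            continue
        if current is None:
            continue                     # attribute outside an entry
        name, _, rest = line.partition(":")
        current[1][name.strip().lower()].append(_value(rest))
    return entries


def find_duplicate_domains(entries):
    """Return {name_lower: [(dn, sambaSID), ...]} for every sambaDomainName
    carried by more than one sambaDomain entry. Names are compared
    case-insensitively, as the LDAP server does for this attribute."""
    seen = defaultdict(list)
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "sambadomain" not in classes:
            continue
        sid = attrs.get("sambasid", ["<no sambaSID>"])[0]
        for name in attrs.get("sambadomainname", []):
            seen[name.lower()].append((dn, sid))
    return {name: hits for name, hits in seen.items() if len(hits) > 1}


def report(ldif_text, local_sid=None):
    """Human-readable lines; flags which duplicate carries the SID that
    'net getlocalsid' prints so the stale one is obvious."""
    lines = []
    for name, hits in find_duplicate_domains(parse_ldif(ldif_text)).items():
        lines.append("domain %s has %d sambaDomain entries:" % (name, len(hits)))
        for dn, sid in hits:
            tag = " (matches local SID)" if local_sid and sid == local_sid else ""
            lines.append("  %s  sambaSID=%s%s" % (dn, sid, tag))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LDIF, "S-1-5-21-3942806058-2931819711-1847247862"):
        print(line)
```

Run it against a real export with report(open("export.ldif").read(), sid) where sid is the value shown by net getlocalsid; the entry that is flagged as matching is the one the running PDC is using, and the other one is the candidate to remove (after taking a backup of the directory, since user and group SIDs in ou=people are prefixed with the domain SID and must keep matching it).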


