[Samba] Samba LDAP and add machine script problems

Keith Robertson keithro at gmail.com
Thu Jan 20 21:26:39 GMT 2005

I'm trying to integrate OpenLDAP with Samba version 3.0.10.  I have populated 
my LDAP server via smbldap-populate.pl and I've gotten PAM to recognize LDAP 
as an authentication mechanism.  Thus, I can add a user with smbldap-useradd.pl
and su to that user.

The problem I am having is when I attempt to add a computer from MS Windoze XP.
When I attempt to join my domain, XP prompts me for a user ID and password.  If I
enter a user ID of "root" with either my box's actual root password or the 
password for the LDAP user "uid=Administrator,ou=Users,dc=somedomain,dc=org",
I get the following: "unknown user or bad password".  I suppose this makes sense
because there are only two users in ou=Users (Administrator and nobody), neither 
of which is "root".  Alternatively, if I attempt to join the domain with a user ID
of "Administrator", I get "Access is denied".

So, my question is: do I need to create an LDAP user in ou=Users with a user ID of
"root"?  If so, how should I do this, and wouldn't it conflict with the root 
UID in /etc/passwd?  I've been trying to follow the directions in "By Example" 
-> "Making Users Happy", but it seems to be a little sketchy on this topic.

I can provide logs on request.  

Here is my smb.conf:
# Global parameters
[global]
   workgroup = PEANUTS
   server string = Snoopy Samba Server
   log level = 5
   log file = /var/log/samba/log.%m
   max log size = 50
   time server = Yes
   logon script = %U.bat
   #logon path =
   #logon home =
   domain logons = Yes
   preferred master = Yes
   domain master = Yes
   wins support = Yes
   #username map = /etc/samba/smbusers

   # LDAP Related
   ldap passwd sync = Yes
   passdb backend = ldapsam:ldap://
   ldap admin dn = cn=Manager,dc=somedomain,dc=org
   ldap suffix = dc=somedomain,dc=org
   ldap group suffix = ou=Groups
   ldap user suffix = ou=Users
   ldap machine suffix = ou=Computers
   # Relative to "ldap suffix", like the other suffixes: smbd appends
   # the ldap suffix itself, so an absolute DN here doubles it.
   ldap idmap suffix = ou=Idmap
   # Avoid the risk of UID/GID inconsistencies across systems
   # by having a common LDAP backend.
   idmap backend = ldap:ldap://
   # These should match the values specified in smbldap_conf.pm
   idmap uid = 10000-20000
   idmap gid = 10000-20000
   map acl inherit = Yes
   #ldap ssl = start_tls

   add user script = /var/lib/samba/sbin/smbldap-useradd.pl -a -m '%u'
   delete user script = /var/lib/samba/sbin/smbldap-userdel.pl '%u'
   add group script = /var/lib/samba/sbin/smbldap-groupadd.pl -p '%g'
   delete group script = /var/lib/samba/sbin/smbldap-groupdel.pl '%g'
   add user to group script = /var/lib/samba/sbin/smbldap-groupmod.pl -m '%u' '%g'
   delete user from group script = /var/lib/samba/sbin/smbldap-groupmod.pl -x '%u' '%g'
   set primary group script = /var/lib/samba/sbin/smbldap-usermod.pl -g '%g' '%u'
   # %u is substituted with the machine account name (trailing $ included)
   add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'

   security = user
   template shell = /bin/false
   winbind use default domain = no

# Share headers below were dropped by the list archive and are restored here;
# the netlogon share is the one "domain logons = Yes" requires.
[netlogon]
   path = /var/lib/samba/netlogon
   browseable = No
   root preexec = /var/lib/samba/netlogon/logon.pl %U %I

# Share name assumed from its path and "force group"; the header was lost.
[common]
   comment = Common material
   path = /home/common
   force group = common
   read only = No
   create mask = 0774
   directory mask = 0775
   browseable = No
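As an added example (not code from the post above or from the Samba project), the Python below lints the join-relevant settings of an smb.conf like the one posted and checks a `pdbedit -L` listing for the account a domain join would use. The point it makes concrete: Samba validates join credentials against its own passdb (here ldapsam), not against /etc/shadow, so the Unix root password is only accepted if a sambaSamAccount for root exists in LDAP with a Samba password set, and on 3.0.10, which predates the privilege model introduced in 3.0.11, that account must map to UID 0. The embedded smb.conf text (trimmed from the post, headers restored), the pdbedit listing, its uid values and all function names are constructed assumptions for this example.

```python
"""Offline sanity checks for a Samba 3 ldapsam domain controller:
lint the join-relevant smb.conf settings and classify the join account.

Everything below is an added example; the sample inputs are constructed.
"""
import re

# Constructed: the join-relevant part of the posted smb.conf, with the
# section headers that the list archive stripped put back.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = PEANUTS
   domain logons = Yes
   security = user
   passdb backend = ldapsam:ldap://
   ldap admin dn = cn=Manager,dc=somedomain,dc=org
   ldap suffix = dc=somedomain,dc=org
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
   ldap machine suffix = ou=Computers
   ldap idmap suffix = ou=Idmap,dc=somedomain,dc=org
   add machine script = /var/lib/samba/sbin/smbldap-useradd.pl -w '%u'

[netlogon]
   path = /var/lib/samba/netlogon
   browseable = No
"""

# Constructed: what `pdbedit -L` (name:uid:full name per line) might print
# when smbldap-populate created Administrator and nobody but no root.
# The uid numbers are made up for the example.
SAMPLE_PDBEDIT_L = """\
Administrator:1000:Administrator
nobody:999:nobody
"""

YES = ("yes", "true", "1")


def parse_smb_conf(text):
    """Parse smb.conf into {section: {parameter: value}}.

    Section and parameter names are lower-cased with internal whitespace
    collapsed, matching how smbd matches them; '#' and ';' start comments.
    Parameters that appear before any [section] are ignored here.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = " ".join(m.group(1).lower().split())
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def lint_join_config(conf):
    """Return problems that stop a Samba 3 ldapsam DC from accepting a join."""
    g = conf.get("global", {})
    issues = []

    if g.get("domain logons", "no").lower() not in YES:
        issues.append("domain logons is not enabled, so no client can join")
    elif "netlogon" not in conf:
        issues.append("[netlogon] share missing; domain logons require it")

    backend = g.get("passdb backend", "smbpasswd")
    if backend.startswith("ldapsam"):
        for p in ("ldap admin dn", "ldap suffix"):
            if p not in g:
                issues.append("%s must be set with passdb backend = %s" % (p, backend))
        suffix = g.get("ldap suffix", "").lower()
        for p in ("ldap user suffix", "ldap group suffix",
                  "ldap machine suffix", "ldap idmap suffix"):
            v = g.get(p, "").lower()
            # smbd appends "ldap suffix" to these itself, so an absolute DN
            # here yields a doubled suffix and lookups under a DN that
            # does not exist.
            if suffix and v != suffix and v.endswith("," + suffix):
                rel = g[p][:-(len(suffix) + 1)]
                issues.append("%s = %s repeats ldap suffix; use the relative form %s"
                              % (p, g[p], rel))

    script = g.get("add machine script", "")
    if not script:
        issues.append("add machine script is unset; smbd cannot create the "
                      "machine's posixAccount at join time")
    elif "%u" not in script:
        issues.append("add machine script lacks %u, the machine account name "
                      "(trailing $ included) that smbd substitutes")
    return issues


def check_join_account(pdbedit_listing, user):
    """Classify `user` against a `pdbedit -L` listing (name:uid:full name).

    On Samba 3.0.10 the join account must exist in the passdb and map to
    UID 0. Returns ("missing", None), ("not-uid0", uid) or ("ok", 0).
    Matching is case-insensitive, as Samba's own username lookup is.
    """
    accounts = {}
    for line in pdbedit_listing.splitlines():
        parts = line.split(":")
        if len(parts) >= 2 and parts[1].strip().isdigit():
            accounts[parts[0].strip().lower()] = int(parts[1])
    uid = accounts.get(user.lower())
    if uid is None:
        return ("missing", None)
    if uid != 0:
        return ("not-uid0", uid)
    return ("ok", 0)


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    for issue in lint_join_config(conf):
        print("smb.conf:", issue)
    for name in ("root", "Administrator"):
        print(name, "->", check_join_account(SAMPLE_PDBEDIT_L, name))
```

On a real DC, feed `parse_smb_conf` the output of `testparm -s` (which already expands and normalises the file) and `check_join_account` the output of `pdbedit -L`; the two results separate a join user that is absent from the passdb from one that is present but does not map to UID 0.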
