[Samba] can't join to a domain... can_add_account is returning false

[Gerald (Jerry) Carter]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Brad Langhorst wrote:
| I have just set up a domain and am trying to join a machine to it.
| When i watch the log i see
|
| [2005/07/22 14:56:26, 5]
| rpc_server/srv_samr_nt.c:_samr_create_user(2311)
|   _samr_create_user:  can add this account : False
| Error: modifications require authentication
| at /usr/share/perl5/smbldap_tools.pm line 892, <DATA> line 283.
| [2005/07/22 14:56:28, 0]
| rpc_server/srv_samr_nt.c:_samr_create_user(2324)
|   _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w
| "newt$"' gave 127
|
| so for some reason my account (root) is not passing
| the can_add_account test and the add user script is
| not being run as root.
|
| I don't know why since root is a member of the correct groups

Technically root doesn't need any extra privileges.
Run a level 10 debug log and look for SE_PRIV to see
what privileges have been assigned though just out of
curiousity.

| Error: modifications require authentication
| at /usr/share/perl5/smbldap_tools.pm line 892, <DATA> line 283.

This implies that your script is connecting anonymously.
OpenLDAP doesn't allow anonymous updatres by default
(starting with OL 2.1 IIRC).  SO you would have to add
'allow update_anon' to slapd.conf.

But of course, this is like adding 'guest account = root'
in smb.conf. :-)  It's a really bad idea.







cheers, jerry
=====================================================================
Alleviating the pain of Windows(tm)      ------- http://www.samba.org
GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc
"I never saved anything for the swim back."     Ethan Hawk in Gattaca
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFC5OrVIR7qMdg1EfYRAmaaAJ9xqSLofIDAk23mFVj1DLWptfuCdQCglcIS
F2cjMD7Hsthq+Wmw7EQjgOA=
=6gxb
-----END PGP SIGNATURE-----