[Samba] Can't join pc to domain with smbldap-tools but can with smbpasswd

Ryan Braun ryan.braun at ec.gc.ca
Wed Jun 15 17:49:53 GMT 2005


I have samba with ldap set up and it seems to be running, but I am having 
trouble getting PCs to join the domain. 

The samba/ldap server is running debian sarge (when it was testing, haven't 
updated since), so samba 3.0.14a-13 and slapd 2.2.23-5. Client PCs are windows 
2000 and various linuxes. smbldap-tools is 0.9.1.

If I try to join the domain with no entry in the Computers group, windows 
says there is a bad username and the log file looks like this.

[2005/06/14 19:01:12, 2] smbd/server.c:exit_server(609)
  Closing connections
[2005/06/14 19:01:12, 2] lib/smbldap.c:smbldap_open_connection(692)
  smbldap_open_connection: connection opened
[2005/06/14 19:01:12, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
  init_sam_from_ldap: Entry found for user: root
[2005/06/14 19:01:12, 2] passdb/pdb_ldap.c:init_group_from_ldap(2000)
  init_group_from_ldap: Entry found for group: 512
[2005/06/14 19:01:12, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [root] -> [root] -> [root] 
succeeded
[2005/06/14 19:01:12, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2580)
  Returning domain sid for domain LDAPDOMAIN -> 
S-1-5-21-3007768992-1764342258-1846594437
[2005/06/14 19:01:13, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
  _samr_create_user: Running the command `/usr/local/sbin/smbldap-useradd -w 
"ldap-test$"' gave 9
[2005/06/14 19:01:13, 2] smbd/server.c:exit_server(609)
  Closing connections

I'm not sure what the "gave 9" error means or where to look it up. But the 
ldap-test$ entry gets created without a sambaSAMAccount objectclass.

If I run "smbldap-adduser -w ldap-test$" (after removing the existing 
ldap-test$ entry), it will create the entry but it doesn't have a 
sambaSAMAccount objectclass. And it won't join the domain.

If I create a local user in /etc/passwd and then use smbpasswd -m -a, it will 
create the ldap entry in Computers but it has no posix objectclass. BUT it 
will allow me to join the pc to the domain.

The only problem then (not sure if it's related or not) is that the only 
user that can log in is the root user used to join the pc to the domain; any 
other users created with smbldap-adduser -a won't authenticate. Any users 
created with the smbldap scripts can authenticate against any of the linux 
boxes set up to authenticate against ldap.

[2005/06/14 21:36:27, 2] lib/smbldap.c:smbldap_open_connection(692)
  smbldap_open_connection: connection opened
[2005/06/14 21:36:27, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
  init_sam_from_ldap: Entry found for user: ldap-test$
[2005/06/14 21:37:07, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
  init_sam_from_ldap: Entry found for user: windowsguy
[2005/06/14 21:37:08, 1] auth/auth_util.c:make_server_info_sam(840)
  User windowsguy in passdb, but getpwnam() fails!
[2005/06/14 21:37:08, 0] auth/auth_sam.c:check_sam_security(324)
  check_sam_security: make_server_info_sam() failed with 
'NT_STATUS_NO_SUCH_USER'
[2005/06/14 21:37:08, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password:  Authentication for user [windowsguy] -> [windowsguy] 
FAILED with error NT_STATUS_NO_SUCH_USER

then as root

[2005/06/14 21:38:21, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
  init_sam_from_ldap: Entry found for user: root
[2005/06/14 21:38:22, 2] passdb/pdb_ldap.c:init_group_from_ldap(2000)
  init_group_from_ldap: Entry found for group: 512
[2005/06/14 21:38:22, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [root] -> [root] -> [root] 
succeeded
[2005/06/14 21:38:25, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
  init_sam_from_ldap: Entry found for user: root
[2005/06/14 21:38:25, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password:  authentication for user [root] -> [root] -> [root] 
succeeded
[2005/06/14 21:38:25, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
  init_sam_from_ldap: Entry found for user: root
[2005/06/14 21:38:25, 1] smbd/service.c:make_connection_snum(642)
  ldap-test (192.16.240.141) connect to service profiles initially as user 
root (uid=0, gid=0) (pid 14108)
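
An added example, not part of the original post: a small Python parser for the log.smbd layout quoted above that rejoins mail-wrapped message lines and flags the two failure signatures visible in these logs, a non-zero exit status from the command run by _samr_create_user and a passdb entry for which getpwnam() fails. The sample lines are constructed from the excerpts in the post; the function names and finding labels are hypothetical.

```python
import re

# Constructed sample in the log.smbd layout quoted in the post: a bracketed
# header line, then the message, whose mail-wrapped tail is on its own line.
SAMPLE = """\
[2005/06/14 19:01:13, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
  _samr_create_user: Running the command `/usr/local/sbin/smbldap-useradd -w
"ldap-test$"' gave 9
[2005/06/14 21:37:07, 2] passdb/pdb_ldap.c:init_sam_from_ldap(499)
  init_sam_from_ldap: Entry found for user: windowsguy
[2005/06/14 21:37:08, 1] auth/auth_util.c:make_server_info_sam(840)
  User windowsguy in passdb, but getpwnam() fails!
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d),\s*(\d+)\]\s+\S+?:(\w+)\(\d+\)")
SCRIPT = re.compile(r"Running the command `(.+)' gave (-?\d+)")
GETPWNAM = re.compile(r"User (\S+) in passdb, but getpwnam\(\) fails")

def records(text):
    """Yield (timestamp, debug_level, function, message) per log record,
    joining every line up to the next header into one message string."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield tuple(current)
            current = [m.group(1), int(m.group(2)), m.group(3), ""]
        elif current is not None and line.strip():
            current[3] = (current[3] + " " + line.strip()).strip()
    if current:
        yield tuple(current)

def findings(text):
    """Return (timestamp, kind, subject, exit_status) for each failure signature."""
    out = []
    for ts, _level, _func, msg in records(text):
        m = SCRIPT.search(msg)
        if m and int(m.group(2)) != 0:
            out.append((ts, "script_nonzero_exit", m.group(1), int(m.group(2))))
        m = GETPWNAM.search(msg)
        if m:
            out.append((ts, "getpwnam_failed", m.group(1), None))
    return out

if __name__ == "__main__":
    for item in findings(SAMPLE):
        print(item)
```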

