[Samba] some cannot join domain

Chuck Theobald chuckt at darkwing.uoregon.edu
Mon May 23 20:38:11 GMT 2005

At 05:56 AM 5/23/2005, Flatfender wrote:
>On 5/22/05, Chuck Theobald <chuckt at darkwing.uoregon.edu> wrote:
> > Hi,
> >
> > I have some machines (winXP and win2k) that cannot join my domain.  Others
> > I have joined to the domain.  I am using the smbldap-tools 0.8.9 with an
> > add machine script as follows:
> >
> >          add machine script = /usr/local/samba/sbin/smbldap-useradd -w "%u"
> >
> > The LDAP entity gets created with objectClasses top, inetOrgPerson, and
> > posixAccount.  My impression is that samba then comes along and changes the
> > entity, turning it into an account, sambaSamAccount object.  This process
> > has succeeded in some four machines I have tried, but other machines fail
> > this final conversion.  I get an error "The user name could not be found"
> > at the machine.  All of these machines were joined to the same domain
> > previously run by Totalnet Advanced Server, so the machines themselves are
> > configured to be capable of joining.  The only pattern I can discern is
> > that the machines on which this occurs have names of 8 characters or more,
> > though a machine that did join the domain has a name of 8 characters, so I
> > am not sure that this is relevant.
> >
> > Any ideas as to where I can look to begin to track this down?  I can
> > manually create the machine accounts, but am leary of doing so due to the
> > requirement of having unique SIDs.
> >
> > Thanks,
> >
> > Chuck Theobald
> > System Administrator
> > The Robert and Beverly Lewis Center for Neuroimaging
> > University of Oregon
> > P: 541-346-0343
> > F: 541-346-0345
>I had this same problem, I would look at how your nss_ldap/nsswitch is 

What should I be looking for?  My nsswitch.conf file is as follows:

# /etc/nsswitch.dns:
# An example file that could be copied over to /etc/nsswitch.conf; it uses
# DNS for hosts lookups, otherwise it does not use any other naming service.
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

passwd:     files ldap
group:      files ldap
shadow:     files ldap

# You must also set up the /etc/resolv.conf file for DNS name
# server lookup.  See resolv.conf(4).
hosts:      files dns
ipnodes:    files
# Uncomment the following line and comment out the above to resolve
# both IPv4 and IPv6 addresses from the ipnodes databases. Note that
# IPv4 addresses are searched in all of the ipnodes databases before
# searching the hosts databases. Before turning this option on, consult
# the Network Administration Guide for more details on using IPv6.
#ipnodes:   files dns

networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files
# At present there isn't a 'files' backend for netgroup;  the system will
#   figure it out pretty quickly, and won't use netgroups at all.
netgroup:   files
automount:  files
aliases:    files
services:   files
sendmailvars:   files
printers:       user files

auth_attr:  files
prof_attr:  files
project:    files

I ended up taking a modified version of Tonni's advice, letting the smbldap 
tools do what they could, then running useradd, smbpasswd, then userdel (to 
clean up my /etc/passwd file) for each machine.  Fortunate to not have too 
many of these.

I like the smbldap tools, but they seem to not finish the job.  Why leave a 
posixAccount object hanging out there, trusting to Samba to convert it to a 
sambaSamAccount object?  Why not interface to smbpasswd?


Chuck Theobald
System Administrator
The Robert and Beverly Lewis Center for Neuroimaging
University of Oregon
P: 541-346-0343
F: 541-346-0345

More information about the samba mailing list