[Samba] some cannot join domain
chuckt at darkwing.uoregon.edu
Mon May 23 20:38:11 GMT 2005
At 05:56 AM 5/23/2005, Flatfender wrote:
>On 5/22/05, Chuck Theobald <chuckt at darkwing.uoregon.edu> wrote:
> > Hi,
> > I have some machines (winXP and win2k) that cannot join my domain. Others
> > I have joined to the domain. I am using the smbldap-tools 0.8.9 with an
> > add machine script as follows:
> > add machine script = /usr/local/samba/sbin/smbldap-useradd -w "%u"
> > The LDAP entity gets created with objectClasses top, inetOrgPerson, and
> > posixAccount. My impression is that samba then comes along and changes the
> > entity, turning it into an account, sambaSamAccount object. This process
> > has succeeded in some four machines I have tried, but other machines fail
> > this final conversion. I get an error "The user name could not be found"
> > at the machine. All of these machines were joined to the same domain
> > previously run by Totalnet Advanced Server, so the machines themselves are
> > configured to be capable of joining. The only pattern I can discern is
> > that the machines on which this occurs have names of 8 characters or more,
> > though a machine that did join the domain has a name of 8 characters, so I
> > am not sure that this is relevant.
> > Any ideas as to where I can look to begin to track this down? I can
> > manually create the machine accounts, but am leary of doing so due to the
> > requirement of having unique SIDs.
> > Thanks,
> > Chuck Theobald
> > System Administrator
> > The Robert and Beverly Lewis Center for Neuroimaging
> > University of Oregon
> > P: 541-346-0343
> > F: 541-346-0345
>I had this same problem, I would look at how your nss_ldap/nsswitch is
What should I be looking for? My nsswitch.conf file is as follows:
# An example file that could be copied over to /etc/nsswitch.conf; it uses
# DNS for hosts lookups, otherwise it does not use any other naming service.
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
passwd: files ldap
group: files ldap
shadow: files ldap
# You must also set up the /etc/resolv.conf file for DNS name
# server lookup. See resolv.conf(4).
hosts: files dns
# Uncomment the following line and comment out the above to resolve
# both IPv4 and IPv6 addresses from the ipnodes databases. Note that
# IPv4 addresses are searched in all of the ipnodes databases before
# searching the hosts databases. Before turning this option on, consult
# the Network Administration Guide for more details on using IPv6.
#ipnodes: files dns
# At present there isn't a 'files' backend for netgroup; the system will
# figure it out pretty quickly, and won't use netgroups at all.
printers: user files
I ended up taking a modified version of Tonni's advice, letting the smbldap
tools do what they could, then running useradd, smbpasswd, then userdel (to
clean up my /etc/passwd file) for each machine. Fortunate to not have too
many of these.
I like the smbldap tools, but they seem to not finish the job. Why leave a
posixAccount object hanging out there, trusting to Samba to convert it to a
sambaSamAccount object? Why not interface to smbpasswd?
The Robert and Beverly Lewis Center for Neuroimaging
University of Oregon
More information about the samba