[Samba] Access denied error when trying to join XP to Samba Domain

mschwartz at dcscorp.net mschwartz at dcscorp.net
Tue May 31 23:40:01 GMT 2005

Hi everyone, 
I know this one has been addressed before.  I have had so much trouble
getting the IDEALX scripts to work that I set about writing my own and
they almost work.  The trouble is with the add machine script.  The
first time I do the join, I get an access denied error message on
WinXP.  I have verified that an entry for the machine was successfully
created in ldap.  Then, I try again and, voila, it works.  I am
dumbfounded as to why this is happening.  Please find my script below.
Any insight would be appreciated.

# ldap-adduser.pl - Script to add an account to an OpenLDAP backend
# (used here as Samba's "add machine script", so the account is a machine account).
# Takes one argument: -u <account name>

use Getopt::Long;

# Directory layout and tool locations.  These are package globals read by
# the subs below (the script does not `use strict`).
$HOST = "";                         # not used in the code shown; the ldap* clients fall back to their default server
$BASEDN = "dc=dcscorp,dc=net";
$ADMINDN = "cn=admin,$BASEDN";
# SECURITY: the directory administrator's password is embedded in the
# script and handed to ldapadd/ldapmodify with `-w` (see UpdateIDPool and
# UpdateLDAP), so it is readable by anyone who can read this file and is
# visible to every local user via `ps` while the client runs.  Keep the
# script mode 0700 and prefer a 0600 password file passed with `-y <file>`.
$ADMINPASS = 'xxxxxxxx';
$USERDN = "ou=People";              # container new accounts are created in (see GetAccountInfo)
$GROUPDN = "ou=Groups";             # not used in the code shown
$COMPUTERDN = "ou=Computers";       # not used in the code shown: machine accounts also go under $USERDN
$LDAPADD = "/usr/bin/ldapadd";
$LDAPDELETE = "/usr/bin/ldapdelete";
$LDAPMODIFY = "/usr/bin/ldapmodify";
$LDAPSEARCH = "/usr/bin/ldapsearch";
$HOMEDIR = "/dev/null";             # accounts created here get no home directory...
$SHELL = "/bin/false";              # ...and no login shell
$SMBPASSWD = "/usr/local/samba/bin/smbpasswd";

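# Allocate the next free uidNumber from the idPool entry under
# dc=dcscorp,dc=net.
#
# Reads the pool's `nextUid` attribute with an anonymous ldapsearch, hands
# that value to the caller and advances the pool by one so the next run gets
# a different number.  Dies (non-zero exit, which Samba reports as a failed
# add machine script) when ldapsearch cannot be run or returns no nextUid.
#
# Returns the allocated uidNumber as a plain integer.
sub GetAvailUid {
	my $searchbase = "dc=dcscorp,dc=net";

	# List-form open: nothing passes through /bin/sh, so the base DN and
	# filter need no shell quoting (the original built one command string
	# and piped it through grep/cut).
	open (my $ldap, '-|', $LDAPSEARCH, '-LLL', '-x', '-b', $searchbase,
	      '(objectClass=idPool)', 'nextUid')
		or die "cannot run $LDAPSEARCH: $!\n";

	my $nextuid;
	while (my $line = <$ldap>) {
		# LDIF output: "nextUid: 1005".  Keep the first match only.
		next if defined $nextuid;
		if ($line =~ /\Anextuid:\s*(\d+)\s*\z/i) {
			$nextuid = $1;
		}
	}
	close ($ldap);

	defined $nextuid
		or die "no nextUid attribute found in the idPool entry under $searchbase\n";

	# BUG FIX: the original wrote the value it had just read straight back,
	# so the pool never moved and every run allocated the same uidNumber.
	# NOTE(review): read-then-write is still not atomic; two joins at the
	# same moment can still be handed the same number.
	UpdateIDPool ($nextuid + 1);

	return $nextuid;
}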

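# Store a new value in the `nextUid` attribute of cn=Pool,dc=dcscorp,dc=net.
#
# $uidnum - the value the pool should hold afterwards, i.e. the next
#           uidNumber to hand out.
#
# The change is staged in updateidpool.ldif in the current directory and
# applied with ldapmodify bound as $ADMINDN.  Dies if the LDIF cannot be
# written or ldapmodify exits non-zero.
sub UpdateIDPool {
	my ($uidnum) = @_;
	my $ldif = 'updateidpool.ldif';

	# Every LDIF line starts in column 0: a line beginning with a space is a
	# fold of the previous line (RFC 2849), so the tab-indented string the
	# original used relied on parser leniency.  `changetype: modify` is what
	# ldapmodify assumes when it is absent; it is spelled out for clarity.
	my $entry = join ("\n",
		"dn: cn=Pool,dc=dcscorp,dc=net",
		"changetype: modify",
		"replace: nextUid",
		"nextUid: $uidnum",
		"-",
		"");

	# BUG FIX: the original never closed the handle before running
	# ldapmodify, so the text was still sitting in Perl's output buffer and
	# ldapmodify read an empty file.  Close (and check) before running it.
	open (my $fh, '>', $ldif) or die "cannot write $ldif: $!\n";
	print {$fh} $entry;
	close ($fh) or die "cannot write $ldif: $!\n";

	# List-form system(): no shell, so $ADMINPASS is not subject to shell
	# quoting.  It is still visible in `ps` while ldapmodify runs.
	# (The original's ldapmodify line was cut off in the post after `-f`;
	# the file name is the one written just above.)
	system ($LDAPMODIFY, '-x', '-D', $ADMINDN, '-w', $ADMINPASS, '-f', $ldif) == 0
		or die "$LDAPMODIFY failed on $ldif: exit " . ($? >> 8) . "\n";

	return;
}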

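# Return the current Unix time (seconds since the epoch) as an integer.
#
# The original shelled out to `date +%s` and parsed the output; Perl's
# built-in time() yields the same number without forking a process.
sub GetShadowLast {
	return int (time ());
}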

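# Build the LDIF for a new posixAccount entry and stage it in newuser.ldif.
#
# Parameters (positional, in this order):
#   $userdn       full DN of the new entry
#   $username     written as both cn and uid
#   $uidnum       uidNumber
#   $gidnum       gidNumber
#   $gecos        gecos field
#   $homedir      homeDirectory
#   $loginshell   loginShell
#   $shadowlast, $shadowmax, $shadowwarning
#                 accepted for compatibility with the caller but not written
#                 into the entry (the original did not write them either,
#                 although it declares the shadowAccount objectclass).
#
# Returns the LDIF text (no trailing newline, as before).  Dies if
# newuser.ldif cannot be written.  UpdateLDAP reads that file by name, so
# the file name must stay in sync with it.
sub SetupLDAPEntry {
	my ($userdn, $username, $uidnum, $gidnum, $gecos, $homedir,
	    $loginshell, $shadowlast, $shadowmax, $shadowwarning) = @_;
	my $ldif = 'newuser.ldif';

	# Every attribute line starts in column 0.  The original indented the
	# continuation lines with tabs inside the string literal; RFC 2849 only
	# defines a leading space (as a fold of the previous line), so whether
	# tab-indented attributes parse depends on the LDIF reader's leniency.
	my $entry = join ("\n",
		"dn: $userdn",
		"objectclass: top",
		"objectclass: account",
		"objectclass: posixAccount",
		"objectclass: shadowAccount",
		"cn: $username",
		"uid: $username",
		"uidNumber: $uidnum",
		"gidNumber: $gidnum",
		"gecos: $gecos",
		"homeDirectory: $homedir",
		"loginShell: $loginshell");

	# Checked open/close: a failed write here used to go unnoticed and
	# ldapadd would later load whatever was (or was not) in the file.
	open (my $fh, '>', $ldif) or die "cannot write $ldif: $!\n";
	print {$fh} $entry;
	close ($fh) or die "cannot write $ldif: $!\n";

	return $entry;
}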

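# Submit the staged newuser.ldif to the directory and register the account
# with Samba.
#
# $entry - the account name to hand to `smbpasswd -a -m` (for a machine
#          account, the host name, optionally with its trailing `$`).
#
# NOTE(review): the caller of this sub is not visible in the post.  The only
# other value called $entry in the script is the LDIF text returned by
# SetupLDAPEntry; if that is what gets passed here, smbpasswd receives the
# words of the LDIF as separate arguments and cannot add the account.  Pass
# the account name (the -u value) instead.  The value is validated below so
# that an arbitrary string can no longer reach a command line.
#
# Dies if the name is malformed or either tool exits non-zero, so Samba sees
# a failed add machine script instead of continuing with a half-created
# account.
sub UpdateLDAP {
	my ($entry) = @_;

	# The original interpolated $entry into a backtick command, so anything
	# arriving via the -u option went straight to /bin/sh.  Accept only
	# account-name characters, then use list-form system() (no shell).
	$entry =~ /\A([A-Za-z0-9_.\-]+\$?)\z/
		or die "refusing to pass a malformed account name to $SMBPASSWD\n";
	my $account = $1;

	# $ADMINPASS is still visible in `ps` while ldapadd runs.
	system ($LDAPADD, '-x', '-D', $ADMINDN, '-w', $ADMINPASS, '-f', 'newuser.ldif') == 0
		or die "$LDAPADD failed: exit " . ($? >> 8) . "\n";

	# Only register with Samba once the POSIX entry really exists.
	system ($SMBPASSWD, '-a', '-m', $account) == 0
		or die "$SMBPASSWD -a -m $account failed: exit " . ($? >> 8) . "\n";

	return;
}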

# Collect the attributes of the account named by the -u option and return
# them as the positional list SetupLDAPEntry expects.
#
# NOTE(review): the `my (...)` declaration and the `return (...)` list below
# both end mid-line in the mailing-list post, so the exact set of values
# declared and returned cannot be seen here.
#
# SECURITY: $username comes straight from the command line (the machine name
# when Samba runs this as its add machine script) and is written into the DN
# and the LDIF unvalidated; if it is also what UpdateLDAP receives, it ends
# up in a shell command.  Restrict it to account-name characters (for
# example /\A[\w.\-]+\$?\z/) before using it.
sub GetAccountInfo ()
	my ($userdn, $username, $uidnum, $gidnum, $gecos, $homedir,
	GetOptions ('u:s'=>\$username);
	chomp ($username);
	$gecos = $username;
	# Accounts are created under $USERDN (ou=People), not $COMPUTERDN.
	$userdn = "cn=$username,$USERDN,$BASEDN";
	$homedir = "$HOMEDIR";
	# Takes a number from the idPool entry (and is meant to advance it).
	$uidnum = GetAvailUid();
	# Fixed gidNumber; presumably the group machine accounts belong to
	# (515 is also Samba's "Domain Computers" RID) -- confirm against ou=Groups.
	$gidnum = 515;
	$loginshell = "$SHELL";

	return ($userdn, $username, $uidnum, $gidnum, $gecos, $homedir,

# Script body: gather the account attributes from -u and stage the LDIF.
# NOTE(review): as posted, the script ends here, so UpdateLDAP (which runs
# ldapadd and smbpasswd) is never reached; since the post reports the entry
# being created, the remainder was presumably cut off.
@accountinfo = GetAccountInfo();
$entry = SetupLDAPEntry (@accountinfo);
