[Samba] Samba PDC (3.0.14a) with LDAP cannot add machines

David Clymer david at hrcsb.org
Thu Sep 29 16:48:54 GMT 2005

On Wed, 2005-09-28 at 14:48 +0200, Eduard Witteveen wrote:
> Hello list,
> I'm still trying to get the add machine script working.
> I have a user which is named "administrator", which is stored in ldap, 
> I can login using this user (I attached a loginshell) and execute the 
> command: '/usr/sbin/smbldap-useradd -w "eduard-laptop$"' successfully
> (UID=0,USER=root)
> However, when this command is executed by samba, it will not run, since 
> ldap doesn't like the way the command was started:
> (UID=65534,USER=root)
> How can I get this script to be executed the same way as when it is run 
> from the commandline?

I fought with this problem for a long time, and no one seemed to know
the answer (other than the kludge mentioned in this thread:

However...the answer lay in the documentation the whole time. :o(

you need to add this to your smb.conf:

enable privileges = yes

This allows you to grant special privileges to users (see man smb.conf
for more detail).

reload your samba config:

$ smbcontrol smbd reload-config

and grant the necessary rights to Administrator:

$ net -U Administrator rpc rights list
     SeMachineAccountPrivilege  Add machines to domain
      SePrintOperatorPrivilege  Manage printers
           SeAddUsersPrivilege  Add users and groups to the domain
     SeRemoteShutdownPrivilege  Force shutdown from a remote system
       SeDiskOperatorPrivilege  Manage disk shares

$ net -U Administrator rpc rights list Administrator

$ net -U Administrator rpc rights grant Administrator SeMachineAccountPrivilege
Successfully granted rights.

You should now be able to add machines to the domain. Better yet, your
administrator account does _not_ have to have a uid of 0!

Hope that helps.


The one real object of education is to have a man in the condition of
continually asking questions. -Bishop Mandell Creighton
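The reply above boils down to two preconditions: `enable privileges = yes` in the `[global]` section of smb.conf, and the joining account holding `SeMachineAccountPrivilege`. The POSIX shell script below is an added example, not part of the original thread or of Samba itself. It checks both preconditions against text, so it runs offline on constructed sample data; in practice you would feed it the real smb.conf and the captured output of `net -U Administrator rpc rights list Administrator`. The assumed output format for that listing is one privilege name per line, as in the reply's own `net rpc rights list` output; the `add machine script` value in the sample config is a typical one and is not taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post or from Samba): verify the two
# prerequisites the reply describes before expecting machine joins to work
# from a non-uid-0 administrator account.

# Return 0 if the smb.conf text given in $1 sets "enable privileges" to a
# true value inside [global]. Samba ignores whitespace in parameter names,
# so the key is compared with spaces removed.
smbconf_privileges_enabled() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*[;#]/ { next }                      # skip comment lines
        /^[ \t]*\[/ {                               # [section] header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            section = tolower(s); next
        }
        section == "global" && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1)); gsub(/[ \t]/, "", key)
            val = tolower(substr($0, index($0, "=") + 1));    gsub(/[ \t]/, "", val)
            if (key == "enableprivileges" && (val == "yes" || val == "true" || val == "1"))
                found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Return 0 if privilege $2 appears in the captured "net rpc rights list <user>"
# output given in $1. Assumed format: privilege name first on each line,
# optionally followed by a description (as in the reply's listing).
user_has_right() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 == want { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# Report which prerequisite is missing; return 0 only when both are met.
# $1: smb.conf text, $2: rights listing for the account used to join.
check_join_prereqs() {
    ok=0
    if ! smbconf_privileges_enabled "$1"; then
        echo "missing: 'enable privileges = yes' in [global]"
        ok=1
    fi
    if ! user_has_right "$2" SeMachineAccountPrivilege; then
        echo "missing: SeMachineAccountPrivilege for the joining account"
        ok=1
    fi
    return $ok
}

# Constructed sample inputs (not real configs or command output).
SAMPLE_CONF_OK='[global]
   workgroup = EXAMPLE
   enable privileges = yes
   add machine script = /usr/sbin/smbldap-useradd -w "%u"
[homes]
   browseable = no'

# Same directive, but placed under [homes] where Samba will not honour it.
SAMPLE_CONF_BAD='[global]
   workgroup = EXAMPLE
[homes]
   enable privileges = yes'

SAMPLE_RIGHTS_OK='SeMachineAccountPrivilege'
SAMPLE_RIGHTS_NONE=''

# Stand-alone demonstration of both outcomes.
if check_join_prereqs "$SAMPLE_CONF_OK" "$SAMPLE_RIGHTS_OK"; then
    echo "sample OK config: ready to add machines"
fi
if ! check_join_prereqs "$SAMPLE_CONF_BAD" "$SAMPLE_RIGHTS_NONE"; then
    echo "sample BAD config: not ready"
fi
```

On a real PDC the two inputs would come from `cat /etc/samba/smb.conf` (or `testparm -s`, which prints the effective configuration) and from `net -U Administrator rpc rights list Administrator`; the script deliberately takes text rather than running `net` itself so it can be used on a captured listing without domain credentials.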
