[Samba] Can't create machine accounts or join domain (automatically or manually with scripts or pdbedit)

Anthony Hess tonyh at engr.arizona.edu
Thu Jul 13 22:16:23 GMT 2006


Hello,

I've seen other folks posting with this problem, but I think my issue is a
bit different (thus the super long subject).

The environment is Solaris 9 09/05, running Samba 3.0.22/Sun DS 5.2/idealx
scripts 0.9.1, but I can translate OpenLDAP/Linux/Samba-ese if you think of
a solution that would apply in that environment.

Anyway - my core problem is an inability to add machine accounts on a new
domain I'm setting up.  I didn't really see anything jump out at me in the
Samba logs except that the machine add script runs (it's the Samba piece that
is failing).  So of course I end up with a bunch of posix attributes for the
computer in ou=Machines, but no sambaSamAccount attributes.

The next step I took was to try it manually: use the useradd script, then
pdbedit -a -m -u $machinename.  The script ran with no errors and created
the machine account without Samba attributes:

dn: uid=testmeagain$,ou=Machines,dc=mge,dc=arizona,dc=edu
        objectClass: top
        objectClass: inetOrgPerson
        objectClass: posixAccount
        objectClass: organizationalPerson
        objectClass: person
        cn: testmeagain$
        sn: testmeagain$
        uid: testmeagain$
        uidNumber: 1003
        gidNumber: 515
        homeDirectory: /dev/null
        loginShell: /bin/false
        description: Computer
        gecos: Computer

but pdbedit bombed with an error:

ldapsam_modify_entry: Failed to modify user dn=
uid=testmeagain$,ou=Machines,dc=mge,dc=arizona,dc=edu with: Object class
violation
        
ldapsam_add_sam_account: failed to modify/add user with uid = testmeagain$
(dn = uid=testmeagain$,ou=Machines,dc=mge,dc=arizona,dc=edu)
Unable to add machine! (does it already exist?)

When I checked the LDAP logs I came up with this:

[13/Jul/2006:14:58:12 -0700] - ERROR<5896> - Schema  - conn=-1 op=-1
msgId=-1 - User error:  Entry
"uid=testmeagain$,ou=Machines,dc=mge,dc=arizona,dc=edu", attribute
"sambaSID" required by object class "sambaSamAccount" is missing

So, just to be thorough, I changed the Samba schema to not require sambaSID
for sambaSamAccount and it gets a little further through the process.  I end
up with an account that looks like this:

dn: uid=testcomputer1$,ou=Machines,dc=mge,dc=arizona,dc=edu
        objectClass: top
        objectClass: inetOrgPerson
        objectClass: posixAccount
        objectClass: organizationalPerson
        objectClass: person
        objectClass: sambaSamAccount
        cn: testcomputer1$
        sn: testcomputer1$
        uid: testcomputer1$
        uidNumber: 1021
        gidNumber: 515
        homeDirectory: /dev/null
        loginShell: /bin/false
        description: Computer
        gecos: Computer
        sambaPrimaryGroupSID: S-1-5-21-3141198788-4239702380-13799994-515
        sambaPwdCanChange: 1152734452
        sambaPwdMustChange: 2147483647
        sambaPasswordHistory:
0000000000000000000000000000000000000000000000000000000000000000
        sambaPwdLastSet: 1152734452
        sambaAcctFlags: [W          ]

So it doesn't have the password fields or the SID, and thus still won't let
you join a machine.  The only way I have done it successfully so far is to
run at a high log level and capture what it's trying to add as the password
before it bombs.  Then I create the SID field and password fields manually
and it allows me to join.

Any thoughts?  Last year I had a problem where it wouldn't look in the
sambaDomain object (schema for the Sun DS wasn't updated) and I had to use
nextfreeuid to store the SID, but that didn't do the trick either (in fact
neither way worked for me).

On a final note I should mention that using the scripts to add a user works
perfectly - so it's an issue in Samba, not in the scripts.  Any ideas are
appreciated!

Tony
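What the post shows is a machine entry that carries only posixAccount attributes, and a directory server correctly refusing the sambaSamAccount object class because its MUST list (uid and sambaSID, per samba.schema) is not satisfied. The script below is an added example, not code from the post, from Samba or from the idealx tools: it parses such an entry, reports which required attributes are missing so the question can be answered before anyone relaxes the schema, and renders the LDIF modify that adds what pdbedit was trying to write: the account SID, the Domain Computers primary-group SID, the NT hash of the initial machine password and the workstation-trust flag. Everything not on the page is an assumption and is labelled as such in the code: the domain SID is taken from the sambaPrimaryGroupSID shown in the post minus its last component; the RID uses Samba's algorithmic mapping (2 * uidNumber + the default "algorithmic rid base" of 1000), so a site that allocates RIDs from the sambaDomain object's counter must substitute that value; and the initial machine password is the lowercase machine name without the trailing "$", the NT4-style join convention. MD4 is implemented inline because hashlib lacks it on many current OpenSSL builds; the sample entry is constructed from the first dump in the post.

```python
import struct

# Assumptions (not from the post): domain SID = the post's sambaPrimaryGroupSID
# without its last component; RIDs follow Samba's algorithmic mapping.
DOMAIN_SID = "S-1-5-21-3141198788-4239702380-13799994"
DOMAIN_COMPUTERS_RID = 515     # well-known RID; the post's gidNumber 515 maps to it
ALGORITHMIC_RID_BASE = 1000    # Samba default 'algorithmic rid base'
REQUIRED = ("uid", "sambaSID")  # samba.schema: sambaSamAccount MUST ( uid $ sambaSID )

# Constructed sample: the posix-only entry the add-machine script left behind.
SAMPLE_LDIF = """\
dn: uid=testmeagain$,ou=Machines,dc=mge,dc=arizona,dc=edu
objectClass: top
objectClass: posixAccount
uid: testmeagain$
uidNumber: 1003
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
"""

def parse_ldif(text):
    """Minimal single-entry LDIF parser; every attribute becomes a list."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, val = line.partition(":")
        entry.setdefault(key.strip(), []).append(val.strip())
    return entry

def missing_samba_attrs(entry):
    """What the DS will reject once objectClass sambaSamAccount is added."""
    return [a for a in REQUIRED if a not in entry]

def uid_to_rid(uid_number):
    """Samba's algorithmic user RID: 2 * uidNumber + algorithmic rid base."""
    return 2 * uid_number + ALGORITHMIC_RID_BASE

def md4(data):
    """Pure-Python MD4 (RFC 1320); hashlib often lacks md4 on OpenSSL 3."""
    M = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & M
    rounds = (
        (F, 0, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                t = (-i) % 4                        # target cycles a, d, c, b
                x, y, z, w = (v[(t + j) % 4] for j in range(4))
                v[t] = rotl((x + fn(y, z, w) + X[idx] + k) & M, shifts[i % 4])
        state = [(s + u) & M for s, u in zip(state, v)]
    return struct.pack("<4I", *state)

def nt_hash(password):
    """NT hash as stored in sambaNTPassword: MD4 over UTF-16LE, upper hex."""
    return md4(password.encode("utf-16le")).hex().upper()

def machine_account_mods(entry, now):
    """The attributes pdbedit -a -m would add; 'now' is a Unix timestamp."""
    uid = entry["uid"][0]
    if not uid.endswith("$"):
        raise ValueError("machine account uid must end with '$'")
    rid = uid_to_rid(int(entry["uidNumber"][0]))
    # Assumption: the initial machine password is the lowercase name without '$'.
    initial_password = uid[:-1].lower()
    return [
        ("objectClass", "sambaSamAccount"),
        ("sambaSID", f"{DOMAIN_SID}-{rid}"),
        ("sambaPrimaryGroupSID", f"{DOMAIN_SID}-{DOMAIN_COMPUTERS_RID}"),
        ("sambaNTPassword", nt_hash(initial_password)),  # sambaLMPassword is MAY
        ("sambaAcctFlags", "[W          ]"),             # W = workstation trust
        ("sambaPwdLastSet", str(now)),
    ]

def to_ldif_modify(entry, mods):
    """Render as an LDIF 'changetype: modify' that ldapmodify can apply."""
    lines = [f"dn: {entry['dn'][0]}", "changetype: modify"]
    for attr, val in mods:
        lines += [f"add: {attr}", f"{attr}: {val}", "-"]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    entry = parse_ldif(SAMPLE_LDIF)
    print("missing for sambaSamAccount:", missing_samba_attrs(entry))
    print(to_ldif_modify(entry, machine_account_mods(entry, now=1152734452)))
```

Run it against the entry ldapsearch returns for the failed machine before touching the schema: the missing list is exactly the attribute the DS error names, and the generated LDIF can be fed to ldapmodify. If your RIDs are allocated from the sambaDomain object's counter rather than the algorithmic mapping, replace uid_to_rid with the next value from that counter, otherwise a SID written by hand can collide with one Samba allocates later.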
