[Samba] add machine account + ldap (again)

Edmundo Valle Neto edmundo.valle at terra.com.br
Mon Jun 26 19:27:16 GMT 2006


Geraldo Coelho wrote:
> Hi all,
>
> I have a problem. I need to create a machine account with Samba.
> The smbldap-useradd created the account, but only a unix account, like
> this:
>
>
> dn: uid=notedell$,ou=computers,dc=grupora,dc=com,dc=br
> objectClass: top
> objectClass: inetOrgPerson
> objectClass: posixAccount
> cn: notedell$
> sn: notedell$
> uid: notedell$
> uidNumber: 15025
> gidNumber: 515
> homeDirectory: /dev/null
> loginShell: /bin/false
> description: Computer
> gecos: Computer
>
>   
How are you doing that? The "recommended" add machine script only does 
what you are seeing.
If you execute: smbldap-useradd -w machinename it will only create the 
account with posix attributes.

As stated in the smbldap-tools documentation:
"The script defined with the add machine script MUST NOT add the
sambaSAMAccount objectclass of the machine account. The script must only
add the Posix machine account.
Samba will add the sambaSAMAccount when joining the domain."

Look at an example of smbldap-useradd being executed through the "add 
machine script" option:

A samba log with a level 3 output:

...
[2006/06/26 14:47:28, 3] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w "testmachine$"' gave 0
...
[2006/06/26 14:47:28, 3] passdb/pdb_ldap.c:ldapsam_add_sam_account(1832)
  ldapsam_add_sam_account: User exists without samba attributes: adding them
[2006/06/26 14:47:28, 2] passdb/pdb_ldap.c:init_ldap_from_sam(912)
  init_ldap_from_sam: Setting entry for user: testmachine$
[2006/06/26 14:47:28, 2] passdb/pdb_ldap.c:ldapsam_add_sam_account(1942)
  ldapsam_add_sam_account: added: uid == testmachine$ in the LDAP database
...


So, "User exists without samba attributes: adding them", it isn't the script 
that creates the samba attributes, Samba does that.


> But Samba doesn't create a valid account.
> Like this:
>
>
> dn: uid=notedell$,ou=Computers,dc=grupora,dc=com,dc=br
> uid: notedell$
> sambaSID: S-1-5-21-243819190-2830005574-892836686-31036
> sambaPrimaryGroupSID: S-1-5-21-243819190-2830005574-892836686-515
> objectClass: sambaSamAccount
> objectClass: account
> displayName: NOTEDELL$
> sambaPwdCanChange: 1150829558
> sambaPwdMustChange: 2147483647
> sambaNTPassword: D7CD95C07847C9DD38F14D8751D0B8F4
> sambaPwdLastSet: 1150829558
> sambaAcctFlags: [W          ]
>
>   

Well, it should.

> so, windows rejects my login with a "bad password" error
> and doesn't join the domain
>
> I'm using user id = 0 (root)
>   

Does your root account have both posix and samba attributes?
Have you configured the "add * script" and the ldap options properly?
Have you added the ldap admin password to samba (smbpasswd -w 
yourldappassword)?
What do your logs say?

> Does someone know what's happening?
>
>
> Thanks in advance

OR if you want to do that by hand:

smbldap-useradd -w -i machinename
then put a blank password
then join the workstation without typing a username or password.

Regards.

Edmundo Valle Neto
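
Added example, not part of the original message: a small Python audit over a level 3 Samba log that pairs each "add machine script" run with the later ldapsam step that adds the samba attributes, so a join that stopped at the posix-only stage stands out. The sample log is constructed in the format quoted above; the machine names brokenpc$ and halfpc$ and the function name audit_machine_joins are hypothetical, and the regexes assume the script is invoked as in that quoted log line.

```python
import re

# Constructed sample in the level-3 log format quoted above (not a real capture).
SAMPLE_LOG = """\
[2006/06/26 14:47:28, 3] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w "testmachine$"' gave 0
[2006/06/26 14:47:28, 3] passdb/pdb_ldap.c:ldapsam_add_sam_account(1832)
  ldapsam_add_sam_account: User exists without samba attributes: adding them
[2006/06/26 14:47:28, 2] passdb/pdb_ldap.c:init_ldap_from_sam(912)
  init_ldap_from_sam: Setting entry for user: testmachine$
[2006/06/26 14:47:28, 2] passdb/pdb_ldap.c:ldapsam_add_sam_account(1942)
  ldapsam_add_sam_account: added: uid == testmachine$ in the LDAP database
[2006/06/26 14:52:03, 3] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w "brokenpc$"' gave 1
[2006/06/26 14:55:10, 3] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w "halfpc$"' gave 0
"""

# Step 1: Samba runs the add machine script (posix account only) and logs its exit code.
SCRIPT_RE = re.compile(r"_samr_create_user: Running the command `.*?\"([^\"]+\$)\"' gave (\d+)")
# Step 2: Samba itself adds the sambaSamAccount attributes to the existing entry.
ADDED_RE = re.compile(r"ldapsam_add_sam_account: added: uid == (\S+\$) in the LDAP database")

def audit_machine_joins(log_text):
    """Return {machine: status} for every machine account seen in the log."""
    state = {}
    for line in log_text.splitlines():
        m = SCRIPT_RE.search(line)
        if m:
            state[m.group(1)] = {"rc": int(m.group(2)), "samba_added": False}
            continue
        m = ADDED_RE.search(line)
        if m:
            state.setdefault(m.group(1), {"rc": None, "samba_added": False})["samba_added"] = True
    report = {}
    for name, s in state.items():
        if s["rc"] not in (0, None):
            report[name] = "add machine script failed (exit %d)" % s["rc"]
        elif not s["samba_added"]:
            report[name] = "posix account only; Samba never added sambaSamAccount"
        else:
            report[name] = "ok"
    return report

if __name__ == "__main__":
    for machine, status in audit_machine_joins(SAMPLE_LOG).items():
        print(machine, "->", status)
```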


