[Samba] samba ldap domain join

lenny at edpausa.com lenny at edpausa.com
Thu May 11 14:52:55 GMT 2006

I got past this by permitting anonymous writes to sambadomain
and ou=computers in LDAP (not ideal, but I really want this to work
already). Now I'm running into another problem.

It seems that even though the machine accounts get created upon successful
authentication, it fails to find that same machine account during the same
or another operation to actually join the domain.
The search string it uses has objectclass=sambaSamAccount. Apparently, the
newly created machine account doesn't have that object class. Also there's
no sambaSID entry for the machine account (not sure if it needs one, but
if sambaSamAccount requires that, I guess it does?)

In addition to that, the search base it uses to look for the machine
accounts only has the parent suffix, without the "ou=computers".

Samba user accounts can be added with smbpasswd and all the sids,
passwords and other attributes are set correctly.

Another issue is that the idmap ou doesn't seem to get populated with any
entries at all, but I also don't know if it should be.

base => [dc=mydomain,dc=com]

> [(&(uid=computer$)(objectclass=sambaSamAccount))]


        add user script = /usr/local/samba/bin/smbldap-useradd -n "%u"
        add machine script = /usr/local/samba/bin/smbldap-useradd -n -d /dev/null -s /bin/false -w "%m"

        ldap admin dn = "cn=Directory Manager"
        ldap group suffix = ou=groups
        ldap idmap suffix = ou=idmap
        ldap machine suffix = ou=computers
        ldap suffix = dc=mydomain,dc=com
        ldap ssl = no
        ldap user suffix = ou=people
        idmap backend = ldapsam:ldap://myldapserver
        idmap uid = 10000-30000
        idmap gid = 10000-30000

thank you.

> Still can't figure this one out.
> I get
> Error: Insufficient 'write' privilege to the 'uidNumber' attribute of
> entry 'sambadomainname=ldapauth,dc=mydomain,dc=com'.[2006/05/09 10:29:16,
> 0] rpc_server/srv_samr_nt.c:(2415)
>   _samr_create_user: Running the command
> `/usr/local/samba/bin/smbldap-useradd -n -g machines -c Machine -d
> /dev/null -s /bin/false computer$' gave 1
> when trying to join the domain from WinXP workstation.
> but if I run this manually
>  /usr/local/samba/bin/smbldap-useradd -w machine$
> machine$ computer account gets created exactly where it's expected, under
> ou=computers. Why isn't the default action creating machine
> accounts with the -w switch? Do I misunderstand something?
> If simply browsing shares, all Windows auth. works fine via LDAP.
> thank you all.
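The lookup the post quotes (base `dc=mydomain,dc=com`, filter `(&(uid=computer$)(objectclass=sambaSamAccount))`) can be replayed offline against an LDIF dump to see exactly which condition a freshly created machine account fails. The script below is an added example, not code from the post or from the Samba project. It reads a constructed LDIF dump (two entries modelled on the accounts described in the thread; the SID and uidNumbers are made up), evaluates the filter with subtree scope (assumed here, which is why a base of the plain `ldap suffix` still reaches entries under `ou=computers`), and lists what each entry lacks. The `sambaSID` check reflects the sambaSamAccount object class in the Samba schema, which lists `sambaSID` as a MUST attribute.

```python
"""Replay the ldapsam machine-account lookup against an LDIF dump.
Added example, not code from the Samba project or the mailing-list post.
The entries and the SID below are constructed; subtree scope is assumed."""

# Constructed LDIF: the first entry models the account the add machine script
# left behind (no sambaSamAccount class, no sambaSID); the second models the
# account `smbldap-useradd -w` is reported to create.
SAMPLE_LDIF = """\
dn: uid=computer$,ou=computers,dc=mydomain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
uid: computer$
uidNumber: 10001

dn: uid=machine$,ou=computers,dc=mydomain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uid: machine$
uidNumber: 10002
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-21004
"""


def parse_ldif(text):
    """Minimal LDIF reader: list of (dn, {attr_lower: [values]}).
    No base64 (::) or folded lines; enough for plain ldapsearch output."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            current = (value, {})
        elif current is not None:
            current[1].setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def parse_filter(text):
    """Parse an RFC 4515 filter limited to &, |, ! and equality matches."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            pos += 1  # consume the closing ')'
            return (op, kids)
        end = text.index(")", pos)
        attr, _, value = text[pos:end].partition("=")
        pos = end + 1
        return ("=", attr.lower(), value)

    return node()


def matches(tree, attrs):
    """Evaluate a parsed filter; equality is case-insensitive, as it is for
    uid (caseIgnoreMatch) and objectClass in the LDAP schema."""
    if tree[0] == "=":
        return any(v.lower() == tree[2].lower() for v in attrs.get(tree[1], []))
    results = [matches(k, attrs) for k in tree[1]]
    return {"&": all, "|": any, "!": lambda r: not r[0]}[tree[0]](results)


def in_subtree(dn, base):
    """True if dn is base or lies below it (case/whitespace-insensitive)."""
    norm = lambda d: ",".join(p.strip().lower() for p in d.split(","))
    return norm(dn) == norm(base) or norm(dn).endswith("," + norm(base))


def search(ldif_text, base, filter_text):
    """DNs a subtree search from `base` with `filter_text` would return."""
    tree = parse_filter(filter_text)
    return [dn for dn, attrs in parse_ldif(ldif_text)
            if in_subtree(dn, base) and matches(tree, attrs)]


def diagnose(attrs):
    """What the entry lacks to be found and used as a Samba machine account."""
    problems = []
    if "sambasamaccount" not in {c.lower() for c in attrs.get("objectclass", [])}:
        problems.append("objectClass sambaSamAccount missing: filter cannot match")
    if "sambasid" not in attrs:
        problems.append("sambaSID missing: a MUST attribute of sambaSamAccount")
    if not any(u.endswith("$") for u in attrs.get("uid", [])):
        problems.append("uid does not end in '$': not a machine trust account")
    return problems


if __name__ == "__main__":
    base = "dc=mydomain,dc=com"
    for flt in ("(&(uid=computer$)(objectclass=sambaSamAccount))",
                "(&(uid=machine$)(objectclass=sambaSamAccount))"):
        print(flt, "->", search(SAMPLE_LDIF, base, flt))
    for dn, attrs in parse_ldif(SAMPLE_LDIF):
        print(dn, "->", diagnose(attrs) or "ok")
```

Running it shows the post's filter returning nothing for `computer$` while the same filter finds `machine$`, and `diagnose` names the two missing pieces (object class and sambaSID) on the first entry. To use it on a live directory, feed it the output of an `ldapsearch -LLL` dump of `ou=computers` instead of `SAMPLE_LDIF`.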
