[Samba] Windows XP joining Samba/LDAP domain problem (User cannot be found) [SOLVED]
Julian Pilfold-Bagwell
jpb at bordengrammar.kent.sch.uk
Fri Aug 24 10:27:43 GMT 2007
To anyone out there who's having problems joining their Samba/LDAP
domain with XP here's a solution. The main symptom is that the XP join
domain GUI returns a "user cannot be found" error. The setup that I
experienced this on was configured and managed using the smbldap-tools
package. Usual disclaimer applies if it fails to work, you are
responsible for backing up your installation and no responsibility will
be accepted for anything.
The problem arose after I configured my servers to use the Computers
organisational unit in LDAP (ou=Computers) to store host names. The
process of a Windows/Samba domain member joining a Samba domain is a two
stage one as each Samba client has to have a matching POSIX account in
the LDAP directory. After clicking OK on the client the server first
creates the POSIX entry and then adds the SambaSam attributes.
For whatever reason, when the ou=Computers entry was used, smbldap-tools
added the POSIX entry into the Computers ou but then tried to read it
back out from the Users ou. As the entry was non-existent in Users it
could not add the Samba attributes to the POSIX side, and hence Windows
declares "user cannot be found".
Some Googling revealed that you can store machine accounts in ou=Users
so the solution I found was as follows:
1) Stop LDAP and dump the directory into an LDIF file using "slapcat -l
/root/userdump.ldif"
2) Open the LDIF file in a text editor and use search and replace to
change all machine account entries from ou=Computers to ou=Users. Note
that at the top of your ldif file there's an entry that adds the
Computers organisational unit. Do not change this. You can probably
delete it but personally I just left it as it was. An easy way to only
change the machine name entries is to search for $,ou=Computers and
replace it with $,ou=Users as the computer name entries end with $ and
will match this pattern.
3) Backup your directory databases using "cp -R /var/lib/ldap /root"
(adjust to match your distro but this works on Redhat/Mandriva). You can
also create a second backup using the slapcat command and dumping the
ldif file to a safe place.
4) Delete the files in the LDAP database directory, in the above case "rm
-f /var/lib/ldap/*", and then check the directory to make sure it's empty
with "ls -la /var/lib/ldap". If you had a DB_CONFIG file in there, copy it
back from the backup directory.
5) Run "slapadd -v -l /root/userdump.ldif" to add the modified LDIF file
back into LDAP. The -v forces slapadd into verbose mode so you should
see all the entries scrolling up the screen as they're added.
6) Change ownership of the ldap directory and its newly created
databases to user/group ldap using "chown -R ldap.ldap /var/lib/ldap".
If you don't do this the server will bitch horribly when you try to
start it.
7) Restart your ldap server. You should now find that the XP client
says welcome to the "whatever" domain when you click OK.
As I say, it worked for me after I'd spent hours searching for a
solution without finding one. Good Luck!!
Cheers,
Jools
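The search-and-replace in step 2 above is easy to get wrong by hand: a plain text search for "$,ou=Computers" skips any entry whose DN slapcat wrote base64-encoded (a "dn::" line), and a careless replace can also hit the ou=Computers container entry. The script below is an added example, not from the original post or from smbldap-tools, that does the same rewrite on parsed LDIF entries so only $-suffixed machine-account DNs move and base64 DNs are handled. The sample LDIF, the "example.org" base DN and the uid= RDN form are constructed assumptions; slapadd's own checks in step 5 remain the real validation of the result.

```python
"""Move machine-account DNs in an LDIF dump from ou=Computers to ou=Users.

Added example, not code from the original post or from smbldap-tools.
Assumptions: machine accounts use a uid= RDN whose value ends with '$'
(as the post describes), and the dump was produced by slapcat.
"""
import base64
import re

# RDN value ending in '$' (machine account), directly under some ou.
MACHINE_DN = re.compile(r"^(?P<rdn>[^,]+\$),ou=(?P<ou>[^,]+),(?P<rest>.+)$")

# Constructed sample dump: the ou container (must stay), one plain machine
# DN, one base64-encoded machine DN, and an ordinary user (must not move).
_B64_DN = base64.b64encode(b"uid=pc02$,ou=Computers,dc=example,dc=org").decode()
SAMPLE_LDIF = f"""dn: ou=Computers,dc=example,dc=org
objectClass: organizationalUnit
ou: Computers

dn: uid=pc01$,ou=Computers,dc=example,dc=org
objectClass: posixAccount
uid: pc01$

dn:: {_B64_DN}
objectClass: posixAccount
uid: pc02$

dn: uid=alice,ou=Users,dc=example,dc=org
objectClass: posixAccount
uid: alice
"""


def _unfold(text):
    """Join LDIF continuation lines (a line starting with a space continues
    the previous line). Output is left unfolded, which is still valid LDIF."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def _needs_base64(value):
    """RFC 2849 SAFE-STRING rule: ASCII, no NUL/CR/LF, must not start with
    space, ':' or '<'. Anything else has to be written as 'dn:: <base64>'."""
    return (not value.isascii() or any(c in value for c in "\0\r\n")
            or value[:1] in (" ", ":", "<"))


def _decode_dn(line):
    """Return the DN string from a 'dn:' or 'dn::' (base64) line."""
    if line.startswith("dn::"):
        return base64.b64decode(line[4:].strip()).decode("utf-8")
    return line[3:].strip()


def _encode_dn(dn):
    """Emit the DN line plainly when safe, otherwise base64-encoded."""
    if _needs_base64(dn):
        return "dn:: " + base64.b64encode(dn.encode("utf-8")).decode("ascii")
    return "dn: " + dn


def rewrite_machine_dns(ldif_text, old_ou="Computers", new_ou="Users"):
    """Rewrite DNs of $-suffixed entries under old_ou to sit under new_ou.

    Returns (rewritten_ldif, [(old_dn, new_dn), ...]). The ou container
    entry and non-machine entries are copied through unchanged.
    """
    out, changed = [], []
    for line in _unfold(ldif_text):
        if line.startswith("dn:"):
            dn = _decode_dn(line)
            m = MACHINE_DN.match(dn)
            if m and m.group("ou").lower() == old_ou.lower():
                new_dn = f"{m.group('rdn')},ou={new_ou},{m.group('rest')}"
                changed.append((dn, new_dn))
                line = _encode_dn(new_dn)
        out.append(line)
    return "\n".join(out) + "\n", changed


def count_dns_in_ou(ldif_text, ou):
    """Count entries whose DN sits under the given ou; a quick before/after
    check that the expected number of machine accounts actually moved."""
    needle = f",ou={ou},".lower()
    return sum(1 for line in _unfold(ldif_text)
               if line.startswith("dn:") and needle in _decode_dn(line).lower())


if __name__ == "__main__":
    new_text, moved = rewrite_machine_dns(SAMPLE_LDIF)
    for old, new in moved:
        print(f"{old}  ->  {new}")
    print("under ou=Computers after rewrite:", count_dns_in_ou(new_text, "Computers"))
    print("under ou=Users after rewrite:", count_dns_in_ou(new_text, "Users"))
```

Run it against a real dump with rewrite_machine_dns(open("/root/userdump.ldif").read()) and compare count_dns_in_ou() before and after; if the number moved does not match the number of machine accounts you expect, inspect the changed list before writing the file out and running slapadd.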