[Samba] Can't create machine accounts or join domain (automatically
or manually with scripts or pdbedit)
steven.bambling at sunrocket.com
Mon May 14 20:28:35 GMT 2007
I am having pretty much the same issue that you were having with your
Samba + LDAP setup; it is listed below... Did you happen to solve this
issue or figure out a workaround?
I've seen other folks posting with this problem, but I think my issue
bit different (thus the super long subject).
The environment is Solaris 9 09/05, running Samba 3.0.22/Sun DS 5.2/
scripts 0.9.1, but I can translate openldap/linux/samba-ese if you
a solution that would apply in that environment.
Anyway - my core problem is an inability to add machine accounts on a
domain I'm setting up. I didn't really see anything jump out at me in
samba logs except that the machine add script runs (it's the samba
is failing). So of course I end up with a bunch of posix attributes
computer in ou=Machines, but no sambaSamAccount attributes.
The next step I took was to try it manually use the useradd script then
pdbedit -a -m -u $machinename. The script ran with no errors and
the machine account without samba attributes:
but pdbedit bombed with an error:
ldapsam_modify_entry: Failed to modify user dn=
uid=testmeagain$,ou=Machines,dc=mge,dc=arizona,dc=edu with: Object class
ldapsam_add_sam_account: failed to modify/add user with uid =
(dn = uid=testmeagain$,ou=Machines,dc=mge,dc=arizona,dc=edu)
Unable to add machine! (does it already exist?)
When I check the ldap logs I came up with this:
[13/Jul/2006:14:58:12 -0700] - ERROR<5896> - Schema - conn=-1 op=-1
msgId=-1 - User error: Entry
"sambaSID" required by object class "sambaSamAccount" is missing
So, just to be thorough I changed the samba schema to not require
for sambaSamAccount and it gets a little further through the
process. I end
up with an account that looks like this:
sambaAcctFlags: [W ]
So it doesn't have the password fields or the SID, and thus still
you join a machine. The only way I have done it successfully so far
run at a high log level and capture what it's trying to add as the
before it bombs. Then I create the SID field and password fields
and it allows me to join.
Any thoughts? Last year I had a problem where it wouldn't look in the
sambadomain object (schema for the sun ds wasn't updated) and I had
nextfreeuid to store the sid but that didn't do the trick either (in
neither way worked for me).
On a final note I should mention that using the scripts to add a user
perfectly - so it's an issue in samba not in the scripts. Any ideas are
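
An added check, not part of the original post or of Samba: it scans an LDIF export for machine accounts left in the two half-provisioned states described above (POSIX attributes only, or sambaSamAccount without sambaSID and the password fields). The sample LDIF, the dc=example,dc=com DNs and the function names are constructed for illustration; sambaNTPassword is assumed as the password attribute to check.

```python
REQUIRED = ("sambaSID", "sambaNTPassword")  # assumption: SID plus NT hash are needed to join

# Constructed sample export (not taken from the original post).
SAMPLE_LDIF = """\
dn: uid=ws01$,ou=Machines,dc=example,dc=com
objectClass: posixAccount
uid: ws01$

dn: uid=ws02$,ou=Machines,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws02$
sambaAcctFlags: [W          ]

dn: uid=ws03$,ou=Machines,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws03$
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-7002
sambaNTPassword: 00000000000000000000000000000000
"""

def parse_ldif(text):
    """Return {dn: {attr_lower: [values]}}; unfolds continuation lines, ignores base64 values."""
    entries, current = {}, None
    for line in text.replace("\n ", "").splitlines():
        if not line.strip():  # a blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def audit_machines(entries):
    """Map each machine DN (uid ending in '$') to the list of problems found."""
    report = {}
    for dn, attrs in entries.items():
        if not any(u.endswith("$") for u in attrs.get("uid", [])):
            continue  # not a machine account
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "sambasamaccount" not in classes:
            report[dn] = ["no sambaSamAccount objectClass"]
        else:
            report[dn] = [f"missing {a}" for a in REQUIRED if a.lower() not in attrs]
    return report
```

An empty problem list means the entry carries both attributes; any other result marks an account that will not be able to join until it is repaired.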