[Samba] Can't create machine accounts or join domain (automatically or manually with scripts or pdbedit)
Steven Bambling
steven.bambling at sunrocket.com
Mon May 14 20:28:35 GMT 2007
Tony,

I am having pretty much the same issue that you were having with your Samba + LDAP setup; it is listed below. Did you happen to solve this issue or figure out a workaround?

Thanks,
STEVE
Hello,

I've seen other folks posting with this problem, but I think my issue is a bit different (thus the super long subject).

The environment is Solaris 9 09/05, running Samba 3.0.22/Sun DS 5.2/idealx scripts 0.9.1, but I can translate openldap/linux/samba-ese if you think of a solution that would apply in that environment.
Anyway - my core problem is an inability to add machine accounts on a new domain I'm setting up. I didn't really see anything jump out at me in the samba logs except that the machine add script runs (it's the samba piece that is failing). So of course I end up with a bunch of posix attributes for the computer in ou=Machines, but no sambaSamAccount attributes.

The next step I took was to try it manually: use the useradd script, then pdbedit -a -m -u $machinename. The script ran with no errors and created the machine account without samba attributes:
dn: uid=testmeagain$,ou=Machines,dc=mge,dc=arizona,dc=edu
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: organizationalPerson
objectClass: person
cn: testmeagain$
sn: testmeagain$
uid: testmeagain$
uidNumber: 1003
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
but pdbedit bombed with an error:
ldapsam_modify_entry: Failed to modify user dn= uid=testmeagain$,ou=Machines,dc=mge,dc=arizona,dc=edu with: Object class violation
ldapsam_add_sam_account: failed to modify/add user with uid = testmeagain$ (dn = uid=testmeagain$,ou=Machines,dc=mge,dc=arizona,dc=edu)
Unable to add machine! (does it already exist?)
When I checked the ldap logs, I came up with this:
[13/Jul/2006:14:58:12 -0700] - ERROR<5896> - Schema - conn=-1 op=-1 msgId=-1 - User error: Entry "uid=testmeagain$,ou=Machines,dc=mge,dc=arizona,dc=edu", attribute "sambaSID" required by object class "sambaSamAccount" is missing
So, just to be thorough, I changed the samba schema to not require sambaSID for sambaSamAccount, and it gets a little further through the process. I end up with an account that looks like this:
dn: uid=testcomputer1$,ou=Machines,dc=mge,dc=arizona,dc=edu
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: organizationalPerson
objectClass: person
objectClass: sambaSamAccount
cn: testcomputer1$
sn: testcomputer1$
uid: testcomputer1$
uidNumber: 1021
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
sambaPrimaryGroupSID: S-1-5-21-3141198788-4239702380-13799994-515
sambaPwdCanChange: 1152734452
sambaPwdMustChange: 2147483647
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaPwdLastSet: 1152734452
sambaAcctFlags: [W ]
So it doesn't have the password fields or the SID, and thus still won't let you join a machine. The only way I have done it successfully so far is to run at a high log level and capture what it's trying to add as the password before it bombs. Then I create the SID field and password fields manually, and it allows me to join.
Any thoughts? Last year I had a problem where it wouldn't look in the sambaDomain object (schema for the Sun DS wasn't updated) and I had to use nextfreeuid to store the SID, but that didn't do the trick either (in fact neither way worked for me).
On a final note, I should mention that using the scripts to add a user works perfectly - so it's an issue in samba, not in the scripts. Any ideas are appreciated!

Tony
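The manual workaround Tony describes (capture what Samba was about to write, then add the sambaSID and password attributes by hand) can be scripted so the same fix is applied consistently. The Python below is an added example, not code from this thread, from Samba or from the idealx scripts. It takes the posix-only entry posted above (embedded as constructed input), derives the sambaSamAccount attributes that the Sun DS schema check complained were missing, and prints an LDIF modify that can be fed to ldapmodify. Its assumptions are labelled in the code: the domain SID is the sambaPrimaryGroupSID from the thread minus its trailing -515; the machine RID follows Samba 3's default algorithmic uid-to-RID mapping (2 * uidNumber + 1000), which is only right if Samba has not allocated a RID from the sambaDomain object's sambaNextRid; and the initial machine password is the lower-case machine name without the trailing "$", which is what Samba sets on a freshly created machine trust account, so sambaNTPassword is the MD4 of that name in UTF-16LE. MD4 is implemented inline because hashlib's md4 is frequently unavailable under OpenSSL 3.

```python
import struct
import time

# Constructed input: the posix-only machine entry from the thread (no sambaSamAccount yet).
POSIX_ENTRY = """\
dn: uid=testmeagain$,ou=Machines,dc=mge,dc=arizona,dc=edu
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: organizationalPerson
objectClass: person
cn: testmeagain$
sn: testmeagain$
uid: testmeagain$
uidNumber: 1003
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
"""

# Assumption: domain SID = the sambaPrimaryGroupSID shown in the thread without its -515 RID.
DOMAIN_SID = "S-1-5-21-3141198788-4239702380-13799994"
DOMAIN_COMPUTERS_RID = 515


def md4(data: bytes) -> bytes:
    """Plain MD4 (RFC 1320), inline so the script does not depend on OpenSSL providing it."""
    mask = 0xFFFFFFFF
    rotl = lambda v, n: ((v << n) | (v >> (32 - n))) & mask
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    for off in range(0, len(msg), 64):
        w = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):  # round 1: F, shifts 3/7/11/19, words in order
            a, b, c, d = d, rotl((a + f(b, c, d) + w[i]) & mask, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2: G + 0x5A827999, shifts 3/5/9/13, column order
            k = (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)[i]
            a, b, c, d = d, rotl((a + g(b, c, d) + w[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3: H + 0x6ED9EBA1, shifts 3/9/11/15, bit-reversed order
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a, b, c, d = d, rotl((a + h(b, c, d) + w[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4]), b, c
        state = [(s + v) & mask for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash as Samba stores it in sambaNTPassword: MD4 over UTF-16LE, upper-case hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def parse_ldif_entry(text: str) -> dict:
    """Minimal parser for one unfolded LDIF entry: attribute -> list of values."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def machine_rid(uid_number: int) -> int:
    """Assumption: Samba 3's algorithmic uid->RID mapping, used when no sambaNextRid was consumed."""
    return 2 * uid_number + 1000


def samba_attributes(entry: dict, now: int) -> dict:
    """Derive the sambaSamAccount attributes Samba would have written for this machine entry."""
    uid = entry["uid"][0]
    if not uid.endswith("$"):
        raise ValueError("not a machine account: uid must end with '$'")
    if "uidNumber" not in entry:
        raise ValueError("entry has no uidNumber; cannot derive a RID")
    rid = machine_rid(int(entry["uidNumber"][0]))
    # Assumption: a fresh machine trust account's password is the lower-case name without '$'.
    initial_password = uid[:-1].lower()
    return {
        "sambaSID": f"{DOMAIN_SID}-{rid}",
        "sambaPrimaryGroupSID": f"{DOMAIN_SID}-{DOMAIN_COMPUTERS_RID}",
        "sambaNTPassword": nt_hash(initial_password),
        "sambaAcctFlags": "[W          ]",  # W = workstation trust account, padded to 11 chars
        "sambaPwdLastSet": str(now),
        "sambaPwdCanChange": str(now),
        "sambaPwdMustChange": "2147483647",
    }


def ldif_modify(entry: dict, attrs: dict) -> str:
    """Render a changetype: modify that adds the object class and the derived attributes."""
    lines = [f"dn: {entry['dn'][0]}", "changetype: modify",
             "add: objectClass", "objectClass: sambaSamAccount"]
    for name, value in attrs.items():
        lines += ["-", f"add: {name}", f"{name}: {value}"]
    return "\n".join(lines) + "\n"


def fix_machine_entry(ldif_text: str = POSIX_ENTRY, now=None) -> str:
    entry = parse_ldif_entry(ldif_text)
    if "sambaSamAccount" in entry.get("objectClass", []):
        raise ValueError("entry already has sambaSamAccount; refusing to add duplicate attributes")
    return ldif_modify(entry, samba_attributes(entry, now or int(time.time())))


if __name__ == "__main__":
    print(fix_machine_entry(), end="")
```

The output is a single modify operation, so either the whole sambaSamAccount object class lands with every required attribute or the directory rejects it as before; with OpenLDAP's client that is `ldapmodify -x -D <bind dn> -W -f fix.ldif`. Two checks before applying it: confirm the domain SID prefix against `net getlocalsid` on the PDC, and compare the RID with the one Samba prints at the high log level Tony used, since a server that does allocate from sambaNextRid will not agree with the algorithmic value. The security caveat is that until the workstation actually joins and rotates its password, this entry is a trust account with a guessable password (its own name), so add it immediately before the join rather than leaving pre-created machine accounts sitting in ou=Machines.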