[Samba] Problems joining machine to domain

Misty Stanley-Jones misty at borkholder.com
Wed Sep 5 19:57:29 GMT 2007


> Anyway, when I try to join to the domain using smbldap-tools, here is 
> my script in smb.conf:
> add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"

Can you explain to me what "-t" means and where you got it from?

  -t    time. Wait 'time' seconds before exiting (when adding Windows

I copied it from the config before the upgrade, where it worked.  I took out
the -t 0 just to test, and I get the same result.

> If I run that by hand, as root, it adds the posixAccount but not the 
> sambaSamAccount.  On the Windows system I get an error like "No such
> In the Samba logs, I see an error like this:
> [2007/09/05 13:24:55, 3]
>   _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -t 
> 0 -w "xptommy$"' gave 0
> [2007/09/05 13:24:55, 3]
>   pdb_default_create_user: failed to create a new user structure:
> Just to be sure I had the privileges right:
>  net rpc rights grant "CORP\Domain Admins" SeMachineAccountPrivilege
> I am joining domains as 'root', who is a member of the Domain Admins
> memberUid: root,misty,carl
> Obviously smbldap-tools is set up at least somewhat correctly, because 
> it is creating the posixAccount.  I re-ran 'smbpasswd -W' just to be 
> sure that Samba could bind to the LDAP server.  I also tried using the 
> username 'misty' to join the domain.  Same results every time.
> Any idea what I can try next, apart from simply adding the 
> sambaSamAccount objectclass by hand?
> Misty Stanley-Jones
> System Administrator

Have you configured NSS properly ("getent passwd" shows your machine accounts
from LDAP)? Any chance that you are using nscd and winbind?

NSS is configured just fine.  The getent command works just fine, both for
'root' and for 'misty'.  Should I be able to getent my machine accounts?
Hmm, I think I should.

OK, I had been specifying the base for users and groups in the nss
configuration file.  I took that off so it would search the whole tree.
Let's test...

Yep, that was it!  You must not specify nss_base_passwd (in
/etc/libnss-ldap.conf on my system) if your users and computers are in
different sections of the LDAP tree.  It makes sense now that I think about
it.  The downside is that the entire LDAP tree will be searched for users
every time nss is used.  I think I will definitely start using nscd.

Any ideas on a better way to do this?
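Added illustration, not part of the thread or of nss_ldap itself: a small model of which accounts a passwd lookup can reach for a given set of nss_base_passwd search bases. The DNs and containers are constructed to mirror the thread (users under ou=People, machine accounts under ou=Computers), the DN handling is simplified (no escaped commas), and the third configuration assumes that nss_ldap accepts one nss_base_passwd line per container.

```python
"""Model which LDAP accounts an nss_ldap passwd lookup can reach, given the
nss_base_passwd search bases from /etc/libnss-ldap.conf.
Constructed DNs; simplified DN model (no escaped commas)."""

# Constructed sample directory: users under ou=People, machine
# accounts (trailing '$') under ou=Computers, as in the thread.
DIRECTORY = {
    "root":     "uid=root,ou=People,dc=corp,dc=example",
    "misty":    "uid=misty,ou=People,dc=corp,dc=example",
    "xptommy$": "uid=xptommy$,ou=Computers,dc=corp,dc=example",
}

def parse_base(line, default_scope="sub"):
    """Parse an nss_base_passwd value 'base?scope' into (rdn tuple, scope)."""
    base, _, scope = line.partition("?")
    rdns = tuple(p.strip().lower() for p in base.split(","))
    return rdns, (scope.strip().lower() or default_scope)

def in_scope(dn, base_rdns, scope):
    """True if dn lies under base at the given scope ('one' or 'sub')."""
    rdns = tuple(p.strip().lower() for p in dn.split(","))
    n = len(base_rdns)
    if len(rdns) <= n or rdns[-n:] != base_rdns:
        return False          # not under this base at all
    return scope == "sub" or len(rdns) == n + 1   # 'one' = direct children

def resolvable(bases, directory=DIRECTORY):
    """Names 'getent passwd' could return for the given nss_base_passwd lines."""
    parsed = [parse_base(b) for b in bases]
    return sorted(name for name, dn in directory.items()
                  if any(in_scope(dn, r, s) for r, s in parsed))

# What the original config searched: only the People subtree.
PEOPLE_ONLY = ["ou=People,dc=corp,dc=example?one"]
# What removing nss_base_passwd does: fall back to the whole tree.
WHOLE_TREE = ["dc=corp,dc=example?sub"]
# Assumed alternative: one nss_base_passwd line per container.
PER_OU = ["ou=People,dc=corp,dc=example?one",
          "ou=Computers,dc=corp,dc=example?one"]

if __name__ == "__main__":
    for label, cfg in [("people only", PEOPLE_ONLY),
                       ("whole tree", WHOLE_TREE),
                       ("per ou", PER_OU)]:
        print(f"{label:12s}: {resolvable(cfg)}")
```

The first configuration is the one that made the join fail: the machine account exists in LDAP but never reaches NSS, so Samba cannot build the user structure.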


