[Samba] Problems joining machine to domain
Edmundo Valle Neto
edmundo.valle at terra.com.br
Wed Sep 5 21:27:33 GMT 2007
Misty Stanley-Jones wrote:
>>
>> Anyway, when I try to join to the domain using smbldap-tools, here is
>> my script in smb.conf:
>> add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
>>
>>
>
> Can you explain to me what "-t" means and where did you get it from?
>
> -t time. Wait 'time' seconds before exiting (when adding Windows
> Workstation)
>
> I copied it from the config before the upgrade, where it worked. I took out
> the -t 0 just to test, and I get the same result.
>
Yes, I saw that it didn't give any error, as the logs say that this line
"gave 0"; my doubt was whether it is really accepted or makes any difference.
Does your smbldap-useradd accept a "-t"?
>
>
>> If I run that by hand, as root, it adds the posixAccount but not the
>> sambaSamAccount. On the Windows system I get an error like "No such user".
>
>> In the Samba logs, I see an error like this:
>>
>> [2007/09/05 13:24:55, 3] passdb/pdb_interface.c:pdb_default_create_user(368)
>>   _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -t 0 -w "xptommy$"' gave 0
>> [2007/09/05 13:24:55, 3] passdb/pdb_interface.c:pdb_default_create_user(384)
>>   pdb_default_create_user: failed to create a new user structure: NT_STATUS_NO_SUCH_USER
>>
>> Just to be sure I had the privileges right:
>> net rpc rights grant "CORP\Domain Admins" SeMachineAccountPrivilege
>>
>> I am joining domains as 'root', who is a member of the Domain Admins group:
>> memberUid: root,misty,carl
>>
>> Obviously smbldap-tools is set up at least somewhat correctly, because
>> it is creating the posixAccount. I re-ran 'smbpasswd -W' just to be
>> sure that Samba could bind to the LDAP server. I also tried using the
>> username 'misty' to join the domain. Same results every time.
>>
>> Any idea what I can try next, apart from simply adding the
>> sambaSamAccount objectclass by hand?
>>
>>
>> Misty Stanley-Jones
>> System Administrator
>>
>
> Have you configured NSS properly ("getent passwd" show your machine accounts
> from LDAP)? Any chance that you are using nscd and winbind?
>
> Nss is configured just fine. The getent command works just fine, both for
> 'root' and for 'misty'. Should I be able to getent my machine accounts?
> Hmm, I think I should.
>
> OK, I had been specifying the base for users and groups in the nss
> configuration file. I took that off so it would search the whole tree.
> Let's test...
>
> Yep, that was it! You must not specify nss_base_passwd (in
> /etc/libnss-ldap.conf on my system) if your users and computers are in
> different sections of the LDAP tree. It makes sense now that I think about
> it. The downside is that the entire LDAP tree will be searched for users
> every time nss is used. I think I will definitely start using nscd
> post-haste.
>
> Any ideas on a better way to do this?
>
> Misty
I never really bothered about that. The only thing I can do is say that
the documentation shows that in [1]: it says everything can be put
together, separate searching the whole tree, separate searching with a
sub scope, or separate with two options that would make the subtrees be
searched in sequence.
1. http://us1.samba.org/samba/docs/man/Samba-Guide/happy.html#id336060
Regards.
Edmundo Valle Neto
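
The failure in this thread, as an added example that is not part of the original messages: a small checker that reads nss_ldap-style configuration text and reports whether a user entry and a machine entry fall inside the passwd search. The DNs (dc=example,dc=com, ou=People, ou=Computers) and the three config texts are constructed, and DN matching is a simplified string comparison.

```python
# Added example: which LDAP entries does an nss_ldap passwd lookup reach?
# DNs and config texts below are constructed; DN matching is simplified
# (case-insensitive string compare, no escaped commas).

def parse_conf(text):
    """Return (default_base, default_scope, [(base, scope_or_None), ...])."""
    base, scope, descs = "", "sub", []
    for raw in text.splitlines():
        fields = raw.split(None, 1)
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        key, value = fields[0].lower(), fields[1].strip()
        if key == "base":
            base = value
        elif key == "scope":
            scope = value.lower()
        elif key == "nss_base_passwd":
            parts = value.split("?")  # base?scope?filter
            descs.append((parts[0], parts[1].lower() if len(parts) > 1 and parts[1] else None))
    return base, scope, descs

def norm(dn):
    return ",".join(p.strip().lower() for p in dn.split(","))

def covered(dn, conf_text):
    """True if a passwd search under this config can return the entry `dn`."""
    base, scope, descs = parse_conf(conf_text)
    # A descriptor ending in "," is relative to the default base; with no
    # nss_base_passwd at all, the default base and scope are searched.
    searches = [(b + base if b.endswith(",") else b, s or scope) for b, s in descs]
    dn = norm(dn)
    for b, s in searches or [(base, scope)]:
        b = norm(b)
        if dn == b:
            depth = 0
        elif dn.endswith("," + b):
            depth = dn[: -len(b) - 1].count(",") + 1
        else:
            continue
        if s == "sub" or (s == "one" and depth == 1) or (s == "base" and depth == 0):
            return True
    return False

PEOPLE_ONLY = "base dc=example,dc=com\nnss_base_passwd ou=People,dc=example,dc=com?one\n"
WHOLE_TREE = "base dc=example,dc=com\n"
TWO_BASES = PEOPLE_ONLY + "nss_base_passwd ou=Computers,dc=example,dc=com?one\n"
USER = "uid=misty,ou=People,dc=example,dc=com"
MACHINE = "uid=xptommy$,ou=Computers,dc=example,dc=com"

if __name__ == "__main__":
    for name, conf in [("people only", PEOPLE_ONLY), ("whole tree", WHOLE_TREE), ("two bases", TWO_BASES)]:
        print(f"{name:12} user={covered(USER, conf)} machine={covered(MACHINE, conf)}")
```

With the two-base configuration the machine account resolves without searching the whole tree, and entries outside the listed containers stay invisible to NSS.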