[Samba] Problems joining machine to domain

Edmundo Valle Neto edmundo.valle at terra.com.br
Wed Sep 5 21:27:33 GMT 2007


Misty Stanley-Jones wrote:
>> Anyway, when I try to join to the domain using smbldap-tools, here is 
>> my script in smb.conf:
>> add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"
>
> Can you explain to me what "-t" means and where did you get it from?
>
>   -t    time. Wait 'time' seconds before exiting (when adding Windows
> Workstation)
>
> I copied it from the config before the upgrade, where it worked.  I took out
> the -t 0 just to test, and I get the same result.
>   

Yes, I saw that it doesn't give any error, as the logs say that this line 
"gave 0"; my doubt was whether it is really accepted or makes any difference. 
Does your smbldap-useradd accept a "-t"?

>> If I run that by hand, as root, it adds the posixAccount but not the 
>> sambaSamAccount.  On the Windows system I get an error like "No such user".
>> In the Samba logs, I see an error like this:
>>  
>> [2007/09/05 13:24:55, 3] passdb/pdb_interface.c:pdb_default_create_user(368)
>>   _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -t 0 -w "xptommy$"' gave 0
>> [2007/09/05 13:24:55, 3] passdb/pdb_interface.c:pdb_default_create_user(384)
>>   pdb_default_create_user: failed to create a new user structure: NT_STATUS_NO_SUCH_USER
>>  
>> Just to be sure I had the privileges right:
>>  net rpc rights grant "CORP\Domain Admins" SeMachineAccountPrivilege
>>  
>> I am joining domains as 'root', who is a member of the Domain Admins group:
>> memberUid: root,misty,carl
>>
>> Obviously smbldap-tools is set up at least somewhat correctly, because 
>> it is creating the posixAccount.  I re-ran 'smbpasswd -W' just to be 
>> sure that Samba could bind to the LDAP server.  I also tried using the 
>> username 'misty' to join the domain.  Same results every time.
>>  
>> Any idea what I can try next, apart from simply adding the 
>> sambaSamAccount objectclass by hand?
>>
>>  
>> Misty Stanley-Jones
>> System Administrator
>>     
>
> Have you configured NSS properly ("getent passwd" show your machine accounts
> from LDAP)? Any chance that you are using nscd and winbind?
>
> Nss is configured just fine.  The getent command works just fine, both for
> 'root' and for 'misty'.  Should I be able to getent my machine accounts?
> Hmm, I think I should.
>
> OK, I had been specifying the base for users and groups in the nss
> configuration file.  I took that off so it would search the whole tree.
> Let's test... 
>
> Yep, that was it!  You must not specify nss_base_passwd (in
> /etc/libnss-ldap.conf on my system) if your users and computers are in
> different sections of the LDAP tree.  It makes sense now that I think about
> it.  The downside is that the entire LDAP tree will be searched for users
> every time nss is used.  I think I will definitely start using nscd
> post-haste.
>
> Any ideas on a better way to do this?
>
> Misty

I never really bothered about that. The only thing I can do is say that 
the documentation covers that in [1]; it says everything can be put 
together, kept separate while searching the whole tree, kept separate while 
searching with a sub scope, or kept separate with two options that would 
make the subtrees be searched in sequence.

1. http://us1.samba.org/samba/docs/man/Samba-Guide/happy.html#id336060


Regards.

Edmundo Valle Neto
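
The diagnosis reached in this thread, as an added example that is not part of the original messages: a Python check of whether an entry's DN falls inside the nss_base_passwd search descriptors of an nss_ldap configuration. The OU names, the dc=example,dc=com suffix and the default scope of "sub" are assumptions; xptommy$ is the machine account from the log above.

```python
# Added example: configs and DNs below are constructed; OU names are assumptions.
def effective_bases(conf_text, map_name="nss_base_passwd"):
    """Return [(base_dn, scope)] that lookups for this NSS map would search."""
    descriptors, global_base = [], None
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "base":
            global_base = value
        elif key == map_name:
            fields = value.split("?")
            # Assumption: a descriptor without "?scope" is searched as "sub".
            scope = fields[1].lower() if len(fields) > 1 and fields[1] else "sub"
            descriptors.append((fields[0], scope))
    # No descriptor for the map: the whole tree under "base" is searched.
    if not descriptors and global_base:
        return [(global_base, "sub")]
    return descriptors

def _rdns(dn):
    # Simplification: escaped commas inside RDN values are not handled.
    return [p.strip().lower() for p in dn.split(",") if p.strip()]

def is_visible(entry_dn, conf_text):
    """True if entry_dn lies inside at least one search descriptor."""
    entry = _rdns(entry_dn)
    for base_dn, scope in effective_bases(conf_text):
        base = _rdns(base_dn)
        depth = len(entry) - len(base)
        if depth < 0 or entry[depth:] != base:
            continue
        if scope == "sub" or (scope, depth) in (("one", 1), ("base", 0)):
            return True
    return False

MACHINE = "uid=xptommy$,ou=Computers,dc=example,dc=com"
USER = "uid=misty,ou=People,dc=example,dc=com"
PEOPLE_ONLY = "base dc=example,dc=com\nnss_base_passwd ou=People,dc=example,dc=com?one\n"
WHOLE_TREE = "base dc=example,dc=com\n"
TWO_BASES = PEOPLE_ONLY + "nss_base_passwd ou=Computers,dc=example,dc=com?one\n"

if __name__ == "__main__":
    for name, conf in (("people only", PEOPLE_ONLY), ("whole tree", WHOLE_TREE), ("two bases", TWO_BASES)):
        print(f"{name}: user={is_visible(USER, conf)} machine={is_visible(MACHINE, conf)}")
```

The "two bases" case keeps each lookup confined to the two containers instead of the whole tree, which is the last of the layouts described in [1].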

