[Samba] Strange issue with Samba + LDAP + Domain Member

Bryan Celentano bryan.celentano at ultracontrols.aero
Tue Feb 17 17:20:01 GMT 2009


Hello,

Thank you for the replies, I will try the first, but in regards to your
reply Ray, as soon as I do that, the domain member complains of
NT_STATUS_ACCESS_DENIED, but the errors are removed from the Domain
Controller.

Regards,
Bryan

-----Original Message-----
From: Ray Klassen [mailto:rayklassen at gmail.com] 
Sent: 16 February 2009 17:08
To: John Drescher
Cc: Bryan Celentano; Samba mailing list
Subject: Re: [Samba] Strange issue with Samba + LDAP + Domain Member

I get around this by including

nss_base_passwd         ou=Computers,dc=mydomain,dc=com?one

in /etc/ldap.conf

if nss_ldap isn't looking in your computers tree for passwd entries,
it will never see them as unix accounts.


On Sun, Feb 15, 2009 at 1:27 PM, John Drescher <drescherjm at gmail.com> wrote:
> On Sun, Feb 15, 2009 at 12:27 PM, Bryan Celentano
> <bryan.celentano at ultracontrols.aero> wrote:
>> Hey,
>>
>> I keep posting but no replies yet, this is a new issue, the rest I seem to
>> have fixed.
>>
>> I have an odd issue:
>>
>> * When I do net rpc join the PDC creates the account, and puts it into
>>   LDAP, which looks fine.
>> * I then can access the domain and winbind works fine from the Domain
>>   Member server.
>> * On the PDC I see the following error: "pdb_get_group_sid: Failed to
>>   find Unix account for member$"
>> * So I had a look into the nss_ldap and found it wasn't searching the
>>   ou=computers, so I added this in, and the error goes.
>> * Then I have a new issue, the domain member and winbind fails with
>>   NT_ACCESS_DENIED.
>> * So I remove the nss_ldap entry for the ou=computers and it all works
>>   again.
>>
>> Has anyone come across this issue?  Any help would be great.
>>
>
> Yes. I have this issue (and have had it for at least 5 years) using
> the smbldap-tools. To work around it I now just precreate an account using
> LAM (http://lam.sourceforge.net/) and then all is well with the PDC
> join. The previous workaround was to create a user for the machine
> account on the PDC first in the /etc/passwd.
>
> John


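The nss_base_passwd point raised in the thread, as an added example that is not part of the original messages: a small checker that reads nss_ldap-style `base` and `nss_base_passwd base?scope?filter` lines and reports whether a machine account's DN falls inside any passwd search base. The `uid=member$` DN, the People line, the default scope of `sub` and all function names are assumptions; the check covers entry location only, not the filter or the entry's object classes.

```python
# Constructed sample /etc/ldap.conf. Only the Computers line appears in the
# thread; the `base` and People lines are assumptions for illustration.
SAMPLE_CONF = """\
base dc=mydomain,dc=com
nss_base_passwd ou=People,dc=mydomain,dc=com?one
nss_base_passwd ou=Computers,dc=mydomain,dc=com?one
"""

def _rdns(dn):
    # Normalised RDN list; escaped commas inside values are not handled.
    return [p.strip().lower() for p in dn.split(",") if p.strip()]

def passwd_search_bases(conf_text):
    """Return [(base_dn, scope)] that would be searched for passwd entries."""
    default_base, found = "", []
    for line in conf_text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "base":
            default_base = value
        elif key == "nss_base_passwd":
            fields = value.split("?")      # base?scope?filter
            # Assumption: scope is "sub" when the line does not give one.
            scope = fields[1].lower() if len(fields) > 1 and fields[1] else "sub"
            found.append((fields[0], scope))
    if not found:                          # no override: the default base is searched
        return [(default_base, "sub")]
    # A base ending in "," is relative and gets the default base appended.
    return [(b + default_base if b.endswith(",") else b, s) for b, s in found]

def account_visible(conf_text, entry_dn):
    """True if entry_dn lies inside a passwd search base, honouring its scope."""
    entry = _rdns(entry_dn)
    for base, scope in passwd_search_bases(conf_text):
        b = _rdns(base)
        depth = len(entry) - len(b)
        if depth < 0 or entry[depth:] != b:
            continue
        if scope == "sub" or (scope == "one" and depth == 1) or (scope == "base" and depth == 0):
            return True
    return False

if __name__ == "__main__":
    dn = "uid=member$,ou=Computers,dc=mydomain,dc=com"  # hypothetical machine entry
    print(account_visible(SAMPLE_CONF, dn))
```

On the PDC itself, `getent passwd 'member$'` shows whether the account actually resolves as a Unix account.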