[Samba] Unable to add machine accounts

LiPi - lipixx at gmail.com
Mon Mar 30 20:23:29 GMT 2009


I wasn't using nscd and I got the same error.

Don't know if it's destructive; first do it on a testing machine.

2009/3/30 Chris St. Pierre <stpierre at nebrwesleyan.edu>

> On Mon, 30 Mar 2009, John Drescher wrote:
>
>> Is that destructive to an existing setup? I have been using samba and
>> openldap for around 5 years.
>>
>
> Looks that way.  I've also been using Samba + LDAP for about 5 years,
> and have 8000 users and 1000 machine accounts I'd kinda like to keep
> around.
>
> It also assumes that your Samba box is your OpenLDAP box.  I have two
> of the former and four of the latter, none of which share hardware.
> Not that that would matter for me anyway, since that script assumes
> you use OpenLDAP, and I use Fedora DS.  These are just the problems I
> found in about a 60-second perusal of the script.
>
> In other words, it looks fine if you're trying to get your shiny new
> Samba + LDAP setup working on your home server, but it's not exactly
> what I'd call enterprise quality software.
>
> That said, I figured out the problem -- kind of: nscd.  As far as I
> can tell, what happens is:
>
> 1.  In the process of creating a trust account, Samba checks to see if
> the account already exists.  nscd caches a negative answer.
>
> 2.  The account is created.
>
> 3.  Samba again checks for the account, but gets nscd's cached
> negative reply.
>
> Not using nscd isn't really a good option for us.
>
> I tried reducing the nscd negative TTL so it was below the -t (wait)
> argument to smbldap-useradd, but that didn't appear to work.
>
> My other option is to wrap smbldap-useradd in a script that
> invalidates the entire nscd cache, but that's also not a very good
> option, since it torches the entire cache, not just the entry that
> needs to be invalidated.  Admittedly, we don't add machine accounts
> that often, but it's not really my favorite solution.
>
> I'm sure other people must be running Samba + nscd.  What other
> solutions are there to this problem?
>
> Chris St. Pierre
> Unix Systems Administrator
> Nebraska Wesleyan University
>
>
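
The wrapper idea from the quoted message, narrowed to nscd's `passwd` table instead of the whole cache, as an added example that is not part of the thread or of smbldap-tools. nscd invalidates per table (`-i TABLE`), not per entry; the script path and the `NSCD`/`USERADD`/`LOOKUP` override variables are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (hypothetical wrapper, not from the thread): use as Samba's
# "add machine script" instead of calling smbldap-useradd directly.
# Assumes nscd and smbldap-useradd are on PATH and the script runs as root.

NSCD=${NSCD:-nscd}                    # overridable, e.g. for testing
USERADD=${USERADD:-smbldap-useradd}
LOOKUP=${LOOKUP:-getent}

# Machine (trust) account names end in "$". The name comes from the client,
# so reject anything unexpected before it reaches a root-run command.
valid_machine_name() {
    base=${1%\$}
    [ "$base" != "$1" ] || return 1   # must end in "$"
    case $base in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

add_machine_account() {
    name=$1
    valid_machine_name "$name" || { echo "rejecting name: $name" >&2; return 2; }

    # Step 2 in the thread: create the account (-w = workstation account).
    "$USERADD" -w "$name" || return 1

    # Step 3 is where Samba receives the cached negative reply. Drop only
    # the passwd table so hosts, services and other tables stay cached.
    "$NSCD" -i passwd || echo "warning: could not invalidate passwd" >&2

    # Confirm the account resolves through NSS before returning to Samba.
    "$LOOKUP" passwd "$name" >/dev/null || return 3
}

# Runs only when given an argument, e.g. from smb.conf (path is hypothetical):
#   add machine script = /usr/local/sbin/add-machine.sh "%u"
if [ "$#" -gt 0 ]; then
    add_machine_account "$1"
fi
```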

