[Samba] Failing to add XP SP3 client to Samba domain

Steve Cayford cayfo001 at umn.edu
Mon Sep 21 14:27:07 MDT 2009

Steve Cayford wrote:
> Wes Deviers wrote:
>> Are you using OpenLDAP?  Is it possible that during the Debian 
>> upgrade, the OpenLDAP schema files got changed, and so it's failing 
>> because updates would violate the schema (perhaps, because, the samba 
>> schema file is now missing or not being loaded..?)
>> Somewhere in there, I think Debian switched from using OpenLDAP with 
>> schema configuration files to schema-over-LDAP updates. If it tried to 
>> convert your schema and failed, or even just flat-out ignored it, that 
>> would cause the problem.
>> Turn slapd's logging to debug or sniff the LDAP transaction when you 
>> try to join the machine and see what that gets you?
>> Wes
> That sounds likely. I'll look into it.

I've done some more digging and realized two things:

1. My "add machine script" is "smbldap-useradd -w '%u'", but the -w switch 
only creates a posix machine account. Apparently what I want is the -i 
switch, which is not listed on the man page.

2. Using the -i switch and running smbldap-useradd from the command line 
gives me the error:

"failed to add entry: structural object class modification from 'account' 
to 'inetOrgPerson' not allowed at /usr/sbin/smbldap-useradd line 311, 
<STDIN> line 2."

Looking at smbldap-useradd I can see that it first creates a posix machine 
account with this code in smbldap_tools.pm:

   # dn is omitted in the excerpt; $dn stands in for the machine entry's DN
   my $add = $ldap->add ( $dn,
     attr => [
              'objectclass'   => [
                'top', 'account', 'posixAccount'
              ],
              'cn'            => "$user",
              'uid'           => "$user",
              'uidNumber'     => "$uid",
              'gidNumber'     => "$gid",
              'homeDirectory' => '/dev/null',
              'loginShell'    => '/bin/false',
              'description'   => 'Computer',
              'gecos'         => 'Computer',
             ]
   );

Then it tries to modify the entry with this code in smbldap-useradd which 
is where it dies:

   # dn is omitted in the excerpt; $dn stands in for the machine entry's DN
   my $modify = $ldap_master->modify ( $dn,
     changes => [
       replace => [
         objectClass => [
           'top', 'person', 'organizationalPerson',
           'inetOrgPerson', 'posixAccount', 'sambaSAMAccount']],
       add => [sambaLogonTime       => '0'],
       add => [sambaLogoffTime      => '2147483647'],
       add => [sambaKickoffTime     => '2147483647'],
       add => [sambaPwdCanChange    => '0'],
       add => [sambaPwdMustChange   => '2147483647'],
       add => [sambaPwdLastSet      => "$date"],
       add => [sambaAcctFlags       => '[I          ]'],
       add => [sambaLMPassword      => "$lmpassword"],
       add => [sambaNTPassword      => "$ntpassword"],
       add => [sambaSID             => "$user_sid"],
       add => [sambaPrimaryGroupSID => "$config{SID}-515"]
     ]
   );

Looking at all the other entries, I see no other accounts with an object 
class of "account", so this seems to be the problem. But I don't know what 
to do about it.
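The error quoted in the post is the directory server enforcing the LDAP data model rule (RFC 4512) that a modify operation may not change an entry's structural object class: 'account' and 'inetOrgPerson' sit on different SUP chains, so replacing one with the other is refused, whereas adding an auxiliary class such as posixAccount or sambaSamAccount to an entry is allowed. The script below is an added example, not code from this thread or from smbldap-tools; it models slapd's check offline using a hand-copied subset of the schema (kind, SUP and MUST attributes for the classes named in the two excerpts) and reports which objectClass transitions are legal and which MUST attributes an entry would still lack. The class lists and attribute names are taken from the excerpts; nothing here talks to a live server.

```python
"""Offline model of the structural-objectClass rule that slapd enforces.

Added example, not part of this mailing-list thread or of smbldap-tools.
SCHEMA is a hand-copied subset of OpenLDAP's core/cosine/inetorgperson/nis
schema plus samba.schema: for each class, its kind, its SUP class and the
attributes it lists as MUST. Names are matched case-insensitively, as LDAP
does, so the excerpt's 'sambaSAMAccount' resolves to sambaSamAccount.
"""

SCHEMA = {
    # name: (kind, superior, MUST attributes)
    "top":                  ("ABSTRACT",   None,                   ()),
    "person":               ("STRUCTURAL", "top",                  ("sn", "cn")),
    "organizationalPerson": ("STRUCTURAL", "person",               ()),
    "inetOrgPerson":        ("STRUCTURAL", "organizationalPerson", ()),
    "account":              ("STRUCTURAL", "top",                  ("uid",)),
    "posixAccount":         ("AUXILIARY",  "top",
                             ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")),
    "sambaSamAccount":      ("AUXILIARY",  "top",                  ("uid", "sambaSID")),
}

_CANON = {name.lower(): name for name in SCHEMA}


def canon(name):
    """Resolve a class name case-insensitively; unknown names are a schema error."""
    try:
        return _CANON[name.lower()]
    except KeyError:
        raise ValueError(f"objectClass '{name}' is not defined in the loaded schema")


def superior_chain(name):
    """Class followed by its SUP ancestors up to 'top' (most derived first)."""
    chain = []
    cur = canon(name)
    while cur is not None:
        chain.append(cur)
        cur = SCHEMA[cur][1]
    return chain


def structural_class(object_classes):
    """The single most-derived STRUCTURAL class of an entry.

    slapd requires exactly one structural chain: every structural class in
    the entry must be an ancestor of (or equal to) the most derived one.
    """
    structural = [canon(c) for c in object_classes
                  if SCHEMA[canon(c)][0] == "STRUCTURAL"]
    if not structural:
        raise ValueError("no structural object class provided")
    for candidate in structural:
        chain = superior_chain(candidate)
        if all(s in chain for s in structural):
            return candidate
    raise ValueError("invalid structural object class chain: "
                     + "/".join(structural))


def check_modify(old_classes, new_classes):
    """Verdict for a modify that replaces objectClass on an existing entry.

    Returns (allowed, message); the message mirrors slapd's wording so it can
    be compared with the error quoted in the thread.
    """
    old = structural_class(old_classes)
    new = structural_class(new_classes)
    if old != new:
        return (False, f"structural object class modification from "
                       f"'{old}' to '{new}' not allowed")
    return (True, "ok")


def missing_must(object_classes, attributes):
    """MUST attributes (across the whole SUP chain) the entry does not carry."""
    have = {a.lower() for a in attributes}
    missing = []
    for c in object_classes:
        for cls in superior_chain(c):
            for attr in SCHEMA[cls][2]:
                if attr.lower() not in have and attr not in missing:
                    missing.append(attr)
    return missing


# Constructed inputs, copied from the two smbldap excerpts above.
POSIX_ONLY = ["top", "account", "posixAccount"]
SAMBA_TARGET = ["top", "person", "organizationalPerson", "inetOrgPerson",
                "posixAccount", "sambaSAMAccount"]
# Alternative add-time class list with the same structural chain as the target.
INETORG_FIRST = ["top", "person", "organizationalPerson", "inetOrgPerson",
                 "posixAccount"]
MACHINE_ATTRS = ["cn", "uid", "uidNumber", "gidNumber", "homeDirectory",
                 "loginShell", "description", "gecos"]

if __name__ == "__main__":
    print(check_modify(POSIX_ONLY, SAMBA_TARGET))
    print(check_modify(INETORG_FIRST, SAMBA_TARGET))
    print("missing for inetOrgPerson add:", missing_must(INETORG_FIRST, MACHINE_ATTRS))
```

Running it reproduces the posted transition as rejected with the same wording as the slapd error, and shows that an entry created with the person/organizationalPerson/inetOrgPerson chain plus posixAccount from the start accepts the later sambaSamAccount addition, with the one caveat that person makes sn mandatory, so such an add must also supply sn (the posted attribute list does not). That is the shape of an add-then-modify sequence the server will accept; an entry that already exists as 'account' cannot be converted in place and has to be deleted and re-added.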


