[Samba] [idx-smbldap-tools ] smbldap-tools and joining workstation to domain RESOLVED

Tim Herty pragmatiker at gmx.de
Fri Jul 15 02:20:05 MDT 2011

Thank you, thank you, thank you. 

The issue with not beeing able to join workstations to our Samba 3 domain
without manually adding the Samba attributes to the LDAP directory with LAM
has been a pain in the butt for months now. I found dozens of threads on the
started by Admins with the same problem and none of those threads ended in
really resolving
the issue.

I have been updating Samba, fidelling with the smbldap-tools and pulling my
hair to no avail.

Finally I found this post from 2005 that resolved my issue.

I tested with :~#getent passwd  an it only listed my users.
I added a line for my computers in /etc/libnss-ldap.conf an changed it from:

nss_base_passwd ou=users,dc=test,dc=de?one
nss_base_shadow ou=users,dc=test,dc=de?one
nss_base_group  ou=groups,dc=test,dc=de?one


nss_base_passwd ou=users,dc=test,dc=de?one
nss_base_passwd ou=computers,dc=test,dc=de?one
nss_base_shadow ou=users,dc=test,dc=de?one
nss_base_group  ou=groups,dc=test,dc=de?one

Now everything works just fine. 

Rhys Goodwin wrote:
> The script only adds the posix stuff, when you join the workstation the 
> sambaSam entries are created by samba. 
> BUT...
> Samba NEEDS to find a posix account with the name of the machine being 
> joined. How are you doing user lookups on your posix side?
> If you use nss_ldap and you have a seperate ou in your directory for users 
> and computers that could be where your problem is.
> i.e. if
> nss_ldap is set to look in "ou=users,dc=test,dc=com " for its posix
> userbase 
> then if you do:
> :~#getent passwd 
> then it will return only users it finds in that ou. So if your add machine 
> script is creating "users"(machine accounts) in
> ou=computers,dc=test,dc=com 
> then as far as posix is concerned there is no posix account for the new 
> machine. Samba will not find a possix account and will not add the
> sambaSam 
> entries and the join will fail. You have 2 options:
>  1.Add your user accounts and computer accounts to the same ou.
> 2. Tell nss_ldap to do sub tree searches of the parent ou. eg. set your
> base 
> to "dc=test,dc=com" rather than "ou=users,dc=test,dc=com"
>  This is how I understand it anyhow, I might be wrong, Im no smaba pro but
> I 
> went for option 2.
>  If anyone can shed some more light on this is or set me straight if Im 
> wrong, please do.
>  Cheers,
> Rhys

View this message in context: http://samba.2283325.n4.nabble.com/smbldap-tools-and-joining-workstation-to-domain-tp2405892p3669378.html
Sent from the Samba - General mailing list archive at Nabble.com.

More information about the samba mailing list