[Samba] Two attempts required to join domain

Bill Arlofski waa-samba at revpol.com
Wed Jun 13 16:55:14 MDT 2012

Hi Everyone.

I have run across an issue that is driving me crazy. This is a new deployment
of Samba v3.6.5 with openldap v2.4.30 and smbldap-tools v0.9.8.

When trying to join the domain, on the first attempt the machine account is
properly created in the correct ou - e.g. ou=Computers,dc=domain,dc=local

But the "failed to join domain" pop-up with reason of "The user name could not
be found" is displayed (which really means the machine name was not found in
LDAP), and of course the machine is not yet a domain member.

However, a 2nd attempt to join the domain with the same credentials,
immediately after the failure, results in a "Welcome to the X domain" and the
machine is now a domain member.

Setting the openldap slapd loglevel to 416 to show the queries during this
process reveals the following:

On 1st join attempt Samba searches the whole directory from dc=domain,dc=local
with a scope of 2 (sub) for uid=MyMachine, objectClass=sambaSamAccount.

It of course does not find it, so the smbldap-useradd script is called and the
machine account is properly added to ou=Computers.

Then Samba immediately searches _ONLY_ ou=People,dc=domain,dc=local for the
newly created machine account and of course does not find it. And the "failed
to join domain" pop-up is displayed on the WinXP machine.

On the second join attempt, Samba _ONLY_ searches
ou=Computers,dc=domain,dc=local, which is where it SHOULD search for machines
as defined everywhere in my configs and it finds the machine and the machine
successfully joins the domain.

If I set all configs - samba, smbldap etc to be such that computers are in the
"People" organizational unit, then joining the domain works on the first try,
every time.

Also, if I un-join the domain, but leave the machine account in LDAP in
ou=Computers and then re-join the domain, this always works on first try too
since Samba's initial scope 2 "sub" search of the directory starting at the
top will find the machine account under ou=Computers.

Can someone offer guidance as to why during the new machine creation process
(joining a domain) Samba does not look for the machine in the defined machines
ou but always in the People ou?

Thank you in advance for any help on this!

Bill Arlofski
Reverse Polarity, LLC
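
Added example, not part of the original post: a small Python tracer that replays the search sequence described above from slapd "stats" log lines (level 256, which is included in loglevel 416) and marks each lookup of the machine account by whether its base and scope could reach the configured machine OU. The log lines are constructed to mirror the post's description, the trailing `$` on the machine uid is an assumption, and the function names are hypothetical.

```python
import re

# slapd "stats" log lines (constructed sample; DNs follow the post's examples).
SAMPLE_LOG = """\
slapd[911]: conn=1007 op=3 SRCH base="dc=domain,dc=local" scope=2 deref=0 filter="(&(uid=mymachine$)(objectClass=sambaSamAccount))"
slapd[911]: conn=1007 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[911]: conn=1009 op=1 ADD dn="uid=mymachine$,ou=Computers,dc=domain,dc=local"
slapd[911]: conn=1007 op=4 SRCH base="ou=People,dc=domain,dc=local" scope=2 deref=0 filter="(&(uid=mymachine$)(objectClass=sambaSamAccount))"
slapd[911]: conn=1007 op=4 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[911]: conn=1007 op=5 SRCH base="ou=People,dc=domain,dc=local" scope=2 deref=0 filter="(uid=someuser)"
slapd[911]: conn=1007 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[911]: conn=1012 op=2 SRCH base="ou=Computers,dc=domain,dc=local" scope=2 deref=0 filter="(&(uid=mymachine$)(objectClass=sambaSamAccount))"
slapd[911]: conn=1012 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
""".splitlines()

SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) deref=\d filter="([^"]*)"')
DONE = re.compile(r'conn=(\d+) op=(\d+) SEARCH RESULT tag=\d+ err=\d+ nentries=(\d+)')

def norm(dn):
    """Lower-case a DN and drop whitespace around its commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def reaches(base, scope, expected_ou):
    """True if a search at base/scope can return an entry stored directly under expected_ou."""
    base, ou = norm(base), norm(expected_ou)
    if scope == 2:                      # sub: base is the OU or one of its ancestors
        return base == "" or ou == base or ou.endswith("," + base)
    if scope == 1:                      # one: only direct children of base
        return ou == base
    return False                        # base: only the base entry itself

def trace_account_searches(lines, account, expected_ou):
    """Return, in log order, every search whose filter names the account uid."""
    want = re.compile(r"\(uid=%s\$?\)" % re.escape(account), re.I)
    pending, out = {}, []
    for line in lines:
        m = SRCH.search(line)
        if m and want.search(m.group(5)):
            rec = {"base": m.group(3), "scope": int(m.group(4)), "nentries": None,
                   "reaches_expected_ou": reaches(m.group(3), int(m.group(4)), expected_ou)}
            pending[(m.group(1), m.group(2))] = rec
            out.append(rec)
            continue
        m = DONE.search(line)           # pair the result with its SRCH by (conn, op)
        if m and (m.group(1), m.group(2)) in pending:
            pending.pop((m.group(1), m.group(2)))["nentries"] = int(m.group(3))
    return out

if __name__ == "__main__":
    for r in trace_account_searches(SAMPLE_LOG, "MyMachine", "ou=Computers,dc=domain,dc=local"):
        print(r)
```

A record with `reaches_expected_ou` false and `nentries` 0 is the signature of the failed first join: the account exists, but the search base excludes the OU it was created in.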

