[Samba] Two attempts required to join domain

Bill Arlofski waa-samba at revpol.com
Sun Jun 17 14:15:48 MDT 2012


bump

I'd prefer to not have to put machine accounts into the People OU for all the
obvious reasons, but I may be forced to in order for the end-user (e.g.
our customer) experience to be a smooth one.

Any idea on what might cause the behavior I am seeing described on the 13th below?

Thanks for any help!

-- 
Bill Arlofski
Reverse Polarity, LLC

On 06/13/12 18:55, Bill Arlofski wrote:
> Hi Everyone.
> 
> I have run across an issue that is driving me crazy. This is a new deployment
> of Samba v3.6.5 with openldap v2.4.30 and smbldap-tools v0.9.8.
> 
> 
> When trying to join the domain, on the first attempt the machine account is
> properly created in the correct ou - e.g. ou=Computers,dc=domain,dc=local
> 
> But the "failed to join domain" pop-up with reason of "The user name could not
> be found" is displayed (which really means the machine name was not found in
> LDAP), and of course the machine is not yet a domain member.
> 
> However, a 2nd attempt to join the domain with the same credentials,
> immediately after the failure, results in a "Welcome to the X domain" and the
> machine is now a domain member.
> 
> 
> Setting the openldap slapd loglevel to 416 to show the queries during this
> process reveals the following:
> 
> On 1st join attempt Samba searches the whole directory from dc=domain,dc=local
> with a scope of 2 (sub) for uid=MyMachine, objectClass=sambaSamAccount.
> 
> It of course does not find it, so the smbldap-useradd script is called and the
> machine account is properly added to ou=Computers.
> 
> Then Samba immediately searches _ONLY_ ou=People,dc=domain,dc=local for the
> newly created machine account and of course does not find it. And the "failed
> to join domain" pop-up is displayed on the WinXP machine.
> 
> On the second join attempt, Samba _ONLY_ searches
> ou=Computers,dc=domain,dc=local, which is where it SHOULD search for machines
> as defined everywhere in my configs and it finds the machine and the machine
> successfully joins the domain.
> 
> If I set all configs - samba, smbldap etc to be such that computers are in the
> "People" organizational unit, then joining the domain works on the first try,
> every time.
> 
> Also, if I un-join the domain, but leave the machine account in LDAP in
> ou=Computers and then re-join the domain, this always works on first try too
> since Samba's initial scope 2 "sub" search of the directory starting at the
> top will find the machine account under ou=Computers.
> 
> Can someone offer guidance as to why during the new machine creation process
> (joining a domain) Samba does not look for the machine in the defined machines
> ou but always in the People ou?
> 
> Thank you in advance for any help on this!
> 
> --
> Bill Arlofski
> Reverse Polarity, LLC
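
Added example, not part of the original post: a small Python check that pulls the machine-account searches out of slapd stats logging and marks each one by whether its base and scope can reach the machine OU at all, which makes the sequence described above visible at a glance. The log lines are constructed, the trailing `$` on the machine uid is an assumption, and the function names are hypothetical.

```python
import re

# slapd "stats" logging (level 256, part of loglevel 416) records each search as:
#   conn=N op=N SRCH base="..." scope=N deref=N filter="..."
SRCH = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) deref=\d filter="([^"]*)"')

# Constructed sample lines modelled on the join sequence described in the post.
SAMPLE_LOG = '''\
Jun 13 18:40:01 ldap slapd[2101]: conn=1005 op=3 SRCH base="dc=domain,dc=local" scope=2 deref=0 filter="(&(uid=mymachine$)(objectClass=sambaSamAccount))"
Jun 13 18:40:01 ldap slapd[2101]: conn=1005 op=3 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jun 13 18:40:02 ldap slapd[2101]: conn=1005 op=5 SRCH base="ou=People,dc=domain,dc=local" scope=2 deref=0 filter="(&(uid=mymachine$)(objectClass=sambaSamAccount))"
Jun 13 18:40:09 ldap slapd[2101]: conn=1005 op=8 SRCH base="ou=Computers,dc=domain,dc=local" scope=2 deref=0 filter="(&(uid=mymachine$)(objectClass=sambaSamAccount))"
'''

def norm(dn):
    # Case-fold and trim each RDN; escaped commas inside values are not handled.
    return ",".join(part.strip().lower() for part in dn.split(","))

def can_reach(base, scope, suffix):
    """True if a search at base/scope can return entries stored directly under suffix."""
    base, suffix = norm(base), norm(suffix)
    if scope == 2:   # sub: base must be the suffix itself or one of its ancestors
        return suffix == base or suffix.endswith("," + base)
    if scope == 1:   # one: returns only direct children of base
        return suffix == base
    return False     # base: reads only the base entry itself

def machine_lookups(log_text, machine, machine_suffix):
    """List (base, scope, reaches_machine_ou) for each search for the machine uid."""
    needle = "uid=" + machine.lower()
    found = []
    for line in log_text.splitlines():
        m = SRCH.search(line)
        if not m or needle not in m.group(5).lower():
            continue
        base, scope = m.group(3), int(m.group(4))
        found.append((base, scope, can_reach(base, scope, machine_suffix)))
    return found

if __name__ == "__main__":
    for base, scope, ok in machine_lookups(SAMPLE_LOG, "mymachine$",
                                           "ou=Computers,dc=domain,dc=local"):
        print(("ok      " if ok else "MISSES  ") + f"scope={scope} base={base}")
```

A `MISSES` line immediately after the account is created corresponds to the first-attempt failure; comparing that base with the user and machine suffixes configured in Samba and smbldap-tools shows which setting the lookup followed.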


