[Samba] Two attempts required to join domain

Gaiseric Vandal gaiseric.vandal at gmail.com
Sun Jun 17 15:16:47 MDT 2012 

You could put the machines in a sub container under people-  , or have
people and computers as subs under "user accounts"-  that way samba can
search the entire accounts or people subtree BUT you can restrict other LDAP
services that use "people" to not be recursive.

-----Original Message-----
From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org]
On Behalf Of Bill Arlofski
Sent: Sunday, June 17, 2012 4:16 PM
To: samba at lists.samba.org
Subject: Re: [Samba] Two attempts required to join domain

bump

I'd prefer to not have to put machine accounts into the People OU for all
the obvious reasons, but I may be forced to in order to have the end-user
(e.g.
our customer) experience to be a smooth one.

Any idea on what might cause the behavior I am seeing described on the 13th
below?

Thanks for any help!

--
Bill Arlofski
Reverse Polarity, LLC

On 06/13/12 18:55, Bill Arlofski wrote:
> Hi Everyone.
> 
> I have run across an issue that is driving me crazy. This is a new 
> deployment of Samba v3.6.5 with openldap v2.4.30 and smbldap-tools 
> v0.9.8
> 
> 
> When trying to join the domain, on the first attempt the machine 
> account is properly created in the correct ou - e.g. 
> ou=Computers,dc=domain,dc=local
> 
> But the "failed to join domain" pop-up with reason of "The user name 
> could not be found" is displayed (which really means the machine name 
> was not found in
> LDAP)  and of course the machine is not yet a domain member.
> 
> However, a 2nd attempt to join the domain with the same credentials, 
> immediately after the failure results in a "Welcome to the X domain" 
> and the machine is now a domain member.
> 
> 
> Setting the openldap slapd loglevel to 416 to show the queries during 
> this process reveals the following:
> 
> On 1st join attempt Samba searches the whole directory from 
> dc=domain,dc=local with a scope of 2 (sub) for uid=MyMachine,
objectClass=sambaSamAccount.
> 
> It of course does not find it, so the smbldap-useradd script is called 
> and the machine account is properly added to ou=Computers.
> 
> Then Samba immediately searches _ONLY_ ou=People,dc=domain,dc=local 
> for the newly created machine account and of course does not find it. 
> And the "failed to join domain" pop-up is displayed on the WinXP machine.
> 
> On the second join attempt, Samba _ONLY_ searches 
> ou=Computers,dc=domain,dc=local, which is where it SHOULD search for 
> machines as defined everywhere in my configs and it finds the machine 
> and the machine successfully joins the domain.
> 
> If I set all configs - samba, smbldap etc to be such that computers 
> are in the "People" organizational unit, then joining the domain works 
> on the first try, every time.
> 
> Also, if I un-join the domain, but leave the machine account in LDAP 
> in ou=Computers and then re-join the domain, this always works on 
> first try too since Samba's initial scope 2 "sub" search of the 
> directory starting at the top will find the machine account under
ou=Computers.
> 
> Can someone offer guidance as to why during the new machine creation 
> process (joining a domain) Samba does not look for the machine in the 
> defined machines ou but always in the People ou?
> 
> Thank you in advance for any help on this!
> 
> --
> Bill Arlofski
> Reverse Polarity, LLC

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba

More information about the samba mailing list