Anyone figure out how to get a W2K machine to join a samba3 domain that's using ldap?

I'm on Debian/unstable which has:

    Samba 3.0.10-1
    smbldap-tools 0.8.5-3-2
    slapd 2.1.30-3

I've gone through the howtos on how to do Samba3+LDAP, and it's working fine for a W98 machine (which of course doesn't need a machine account).

smb.conf has these ldap related params:

    ### LDAP related additions ###
    ldap admin dn = "cn=smbadmin,ou=Services,dc=hissingdragon,dc=net"
    # ldap ssl = start tls
    passdb backend = ldapsam:ldap://localhost
    ldap delete dn = no
    ldap suffix = dc=hissingdragon,dc=net
    ldap machine suffix = ou=Users
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap idmap suffix = ou=Idmap
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    map acl inherit = Yes
    ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
    ldap passwd sync = yes
    add user script = /usr/sbin/smbldap-useradd -a -m '%u'
    delete user script = /usr/sbin/smbldap-userdel '%u'
    add group script = /usr/sbin/smbldap-groupadd -p '%g'
    delete group script = /usr/sbin/smbldap-groupdel '%g'
    add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
    delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
    set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
    add machine script = /usr/sbin/smbldap-useradd -w '%u'

... which creates this machine account in ldap automatically the first time I try to join the machine to the domain:

    dn: uid=nidoqueen$,ou=Computers,dc=hissingdragon,dc=net
    objectClass: top
    objectClass: inetOrgPerson
    objectClass: posixAccount
    cn: nidoqueen$
    sn: nidoqueen$
    uid: nidoqueen$
    uidNumber: 1035
    gidNumber: 513
    homeDirectory: /dev/null
    loginShell: /bin/false
    description: Computer
    gecos: Computer

-- account is created in "Computers" ou, even though my smb.conf says to use "Users". Read somewhere that there is a bug in Samba3 that requires that the machine account go in the same ou as users. (I did try manually changing it to Users, but no good.)

...
here's some of the log output (near the end, it was rather lengthy):

    Feb 16 12:53:35 steelix slapd[5304]: conn=1824 op=5 SRCH base="dc=hissingdragon,dc=net" scope=2 filter="(&(&(uid=NIDOQUEEN$)(objectClass=sambaSamAccount))(objectClass=sambaSamAccount))"
    Feb 16 12:53:35 steelix slapd[5304]: conn=1824 op=5 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
    Feb 16 12:53:35 steelix slapd[5304]: conn=1824 op=5 SEARCH RESULT tag=101 err=0 nentries=0 text=
    Feb 16 12:53:35 steelix smbd[4093]: [2005/02/16 12:53:35, 0] rpc_server/srv_netlog_nt.c:get_md4pw(244)
    Feb 16 12:53:35 steelix smbd[4093]: get_md4pw: Workstation NIDOQUEEN$: no account in domain

... it looks suspicious that it's looking for objectClass=sambaSamAccount, when this nidoqueen$ is a posixAccount. I've tried this:

    add machine script = /usr/sbin/smbldap-useradd -a '%u'

so that it is a sambaSamAccount that's created, but that doesn't work either.

Any ideas? Someone willing to post the LDIF dump of a working machine account?

Thanks.

John Hawley                  | Unix? What's that? Is that like Linux?
Network Admin (CCNA)         |        --Jurgen Botz
Linux Sys Admin (LPIC-1)     |
jhawley at hissingdragon.net |
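
Added example, not part of the original post: a small Python check that evaluates the search filter from the slapd log against the posted machine entry and reports which filter terms the entry fails, plus whether its DN sits under the configured machine suffix. The function names are hypothetical, the parser handles only plain single-line LDIF, and the filter evaluator handles only AND-of-equality filters like the logged one.

```python
import re

# Entry (trimmed) and filter copied from the post above.
POSTED_LDIF = """\
dn: uid=nidoqueen$,ou=Computers,dc=hissingdragon,dc=net
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uid: nidoqueen$
"""
LOGGED_FILTER = ("(&(&(uid=NIDOQUEEN$)(objectClass=sambaSamAccount))"
                 "(objectClass=sambaSamAccount))")
# Assumption: "ldap machine suffix" is taken relative to "ldap suffix".
MACHINE_SUFFIX = "ou=Users,dc=hissingdragon,dc=net"


def parse_ldif_entry(text):
    """Parse one simple LDIF entry (no base64 values, no folded lines)."""
    entry = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith("#"):
            continue
        attr, value = line.split(":", 1)
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def failed_terms(entry, ldap_filter):
    """Return the (attr, value) equality terms of an AND-only filter the entry misses."""
    if "(|" in ldap_filter or "(!" in ldap_filter:
        raise ValueError("only AND-of-equality filters are handled")
    terms = re.findall(r"\(([A-Za-z][\w-]*)=([^()]*)\)", ldap_filter)
    missing = []
    for attr, want in terms:
        # uid and objectClass both compare case-insensitively in LDAP.
        have = [v.lower() for v in entry.get(attr.lower(), [])]
        if want.lower() not in have and (attr, want) not in missing:
            missing.append((attr, want))
    return missing


def under_suffix(entry, suffix):
    """True if the entry's DN ends with the given suffix (case-insensitive)."""
    dn = entry["dn"][0].lower().replace(", ", ",")
    return dn.endswith("," + suffix.lower())


if __name__ == "__main__":
    e = parse_ldif_entry(POSTED_LDIF)
    print("missing filter terms:", failed_terms(e, LOGGED_FILTER))
    print("under machine suffix:", under_suffix(e, MACHINE_SUFFIX))
```

An empty list from `failed_terms` means the entry would be returned by that search; the logged search used base `dc=hissingdragon,dc=net` with subtree scope, so the suffix check is reported separately.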