Hello, I originally ran into this problem when trying to use "administrator" mapped to root account. I finally settled on using root user in LDAP. Everything works for joining W2k and XP clients to domain.
LDAP entry for uid=root :

sn: root
objectClass: inetOrgPerson
objectClass: sambaSAMAccount
objectClass: posixAccount
gidNumber: 0
uid: root
uidNumber: 0
sambaPwdLastSet: 1068914615
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 1068914615
sambaPwdMustChange: 2147483647
sambaHomePath: \\whs1\root
sambaHomeDrive: H:
sambaLMPassword: E3B4E05BE6A182C9E13B8B8F6853DCAC
sambaNTPassword: F4858C7E53BB628AE91E0TE9DB6CD467
sambaAcctFlags: [U ]
sambaSID: S-1-5-21-1129281578-1295143107-3311307472-1000
loginShell: /bin/bash
gecos: Netbios root user
homeDirectory: /root
userPassword:: e1NNRDV9RmhIS2VJWnpFdkxpMG5PYTAzK3BKbWNRWDFVPQ==
sambaPrimaryGroupSID: S-1-5-21-1129281578-1295143107-3311307472-512

Running net groupmap list on PDC, among other mappings I get:

...
domain_admins (S-1-5-21-1129281578-1295143107-3311307472-512) -> root
computers (S-1-5-21-1129281578-1295143107-3311307472-515) -> dcomputers
domain_users (S-1-5-21-1129281578-1295143107-3311307472-513) -> dusers
...

In /etc/group :

...
root:x:0:root
dusers:x:500:
domadmins:x:501:
dcomputers:x:502:
...

Applicable line in smb.conf :

add machine script = /usr/local/samba/bin/smbpasswd -a -m %u

This root account works to join machines to the domain. The machine accounts need to be in /etc/passwd also.
ex: useradd -d /dev/null -s /bin/false -m -c "Computer" whs-0106$

Now I can join computer "whs-0106" to domain with user root when I right click on "My Computer".

LDAP entry for workstation "whs-0106":

dn: uid=whs-0106$,ou=Computers,dc=tow,dc=net
uid: whs-0106$
sambaSID: S-1-5-21-1129281578-1295143107-3311307472-3942
sambaPrimaryGroupSID: S-1-5-21-1129281578-1295143107-3311307472-515
displayName: WHS-0106$
sambaAcctFlags: [W ]
objectClass: sambaSamAccount
objectClass: account
sambaPwdCanChange: 1071606889
sambaPwdMustChange: 2147483647
sambaLMPassword: D1921171A5BFAAEE0B4786D995AB9B91
sambaNTPassword: D1921171A5BFAAEE0B4786D995AB9B91
sambaPwdLastSet: 1071606889

It's been suggested, by I believe John Terpstra, to put machine accounts and users into one container object in LDAP due to a problem with searching for computers. I haven't had any problems with this; in fact I'm experimenting with dividing the domain into logical groups by building, in my case.

ex. :

ou=HighSchool,dc=tow,dc=net
ou=Users,ou=HighSchool,dc=tow,dc=net
ou=Computers,ou=HighSchool,dc=tow,dc=net
ou=MinotElementarySchool,dc=tow,dc=net
ou=Users,ou=MinotElementarySchool,dc=tow,dc=net
ou=Computers,ou=MinotElementarySchool,dc=tow,dc=net
ou=DecasElementarySchool,dc=tow,dc=net
ou=Users,ou=DecasElementarySchool,dc=tow,dc=net
ou=Computers,ou=DecasElementarySchool,dc=tow,dc=net

Anyway, this is beyond what you asked but I was on a roll. Hope this helps.

On Fri, 2004-01-09 at 15:08, Jason P Holland wrote:
> Hello,
>
> I am hoping someone will offer some help. I'm currently trying to set up a
> samba 3 PDC with LDAP authentication backend in Fedora core 1. I've read
> loads of documentation, including
>
> http://www.hilinski.net/samba/ldap_PDC_samba.doc
> http://www.unav.es/cti/ldap-smb/smb-ldap-3-howto.html
> http://samba.idealx.org/samba-ldap-howto.pdf
>
> As well as tons of posts in the mailing list archives, but I still cannot
> get this combination to work.
>
> As for the setup, I've installed Openldap 2.1.22, Samba 3.0.0,
> smbldap-tools-0.8.2. I've run smbpasswd -w to add my slapd.conf password
> to the secrets.tdb file. I've set up smbldap_conf.pl with my correct SID
> and ldap dn. I've populated my ldap database using smbldap-populate.pl,
> everything shows up correctly. I've gone in to the ldap db and fixed
> root's uid and gid as well as its sambaSID so that it can act as
> administrator. As far as I can tell, it's set up correctly.
>
> However, when I go to join a W2k Workstation client, I get "The user name
> could not be found.". That's using root-testing combination from my config
> files. Samba does automatically create the machine account, that looks
> fine. But it refuses to join the machine. Yes, I'm aware of the registry
> hack for XP,W2K machines, and that has also been changed.
>
>
> The weird thing is from that client, who I cannot join, I can view shares
> on the PDC using root-testing user pass combination, so I know the
> authentication is working correctly through ldap. So what does that
> user name not found error really mean?
>
> Does anyone see anything obviously wrong in my config files that would
> cause this? I've cut them into the post below. I would appreciate any
> help as I'm just tired of reading and just can't seem to get past adding
> a machine. Thanks for any help...
>
> Jason
>
>
> --- begin ldap.conf ----
>
> HOST 127.0.0.1
> BASE dc=test,dc=edu
>
> ---- end ldap.conf ----
>
>
> --- begin slapd.conf ----
>
> include /etc/openldap/schema/core.schema
> include /etc/openldap/schema/cosine.schema
> include /etc/openldap/schema/nis.schema
> include /etc/openldap/schema/inetorgperson.schema
> include /etc/openldap/schema/samba.schema
>
> pidfile /var/run/slapd.pid
> argsfile /var/run/slapd.args
> database bdb
> suffix "dc=test,dc=edu"
> rootdn "cn=root,dc=test,dc=edu"
> rootpw testing
>
> directory /var/lib/ldap
> index objectClass eq
> index cn pres,sub,eq
> index sn pres,sub,eq
> index uid pres,sub,eq
> index displayName pres,sub,eq
> index uidNumber eq
> index gidNumber eq
> index memberUid eq
> index sambaSID eq
> index sambaPrimaryGroupSID eq
> index sambaDomainName eq
> index default sub
>
> ---- end slapd.conf ----
>
>
> ---- begin smb.conf ----
> [global]
> passdb backend = ldapsam
> ldap suffix = "dc=test,dc=edu"
> ldap machine suffix = ou=Computers
> ldap user suffix = ou=Users
> ldap group suffix = ou=Groups
> ldap admin dn = "cn=root,dc=test,dc=edu"
> ldap ssl = no
> idmap backend = ldap:ldap://127.0.0.1
> passwd chat debug = Yes
> passwd program = /usr/local/sbin/smbldap-passwd.pl -o %u
> passwd chat = *new*password* %n\n *new*password:* %n\ *successfully*
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

Never used the IDEALX scripts. Right now I use a shell script to batch add computers and users.
> add machine script = /usr/local/sbin/smbldap-useradd.pl -w %m
> add user script = /usr/local/sbin/smbldap-useradd.pl -a %u
> delete user script = /usr/local/sbin/smbldap-userdel.pl %u
> add group script = /usr/local/sbin/smbldap-groupadd.pl %g
> delete group script = /usr/local/sbin/smbldap-groupdel.pl %g
> add user to group script = /usr/local/sbin/smbldap-groupmod.pl -m %u %g
> delete user from group script = /usr/local/sbin/smbldap-groupmod.pl -x %u %g
> set primary group script = /usr/local/sbin/smbldap-usermod.pl -G %g %u
> workgroup = TEST
> netbios name = donald
> comment = test samba pdc
> security = user
> null passwords = yes
> encrypt passwords = yes
> logon script = logon.bat
> logon drive =
> logon path =
> domain master = yes
> domain logons = yes
> preferred master = yes
> os level = 33
> wins support = yes
> wins proxy = no
> log file = /var/log/samba/%m.log
> public = No
> browseable = yes
> writable = No
>
> ; necessary share for domain controller
> [netlogon]
> path = /netlogon
> locking = no
> read only = yes
> write list = ntadmin
>
> ;test share
> [tmp]
> writeable = yes
> public = yes
> path = /tmp
>
> [profiles]
> path = /profiles
> read only = no
> writeable = yes
> create mask = 0600
> directory mask = 0700
>
> ---- end smb.conf ---

One other thing I found that would cause problems adding a computer to a domain: duplicate names. If you use ghost disk imaging this is a common problem.

--
Kent L. Nasveschuk <[EMAIL PROTECTED]>
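Kent's batch script is not shown in the thread; the following POSIX sh sketch is an added example (not from the thread or from Samba) of the two checks his reply implies: refuse a machine name that already exists in the passwd data (the duplicate-name problem) and emit an LDIF entry shaped like the whs-0106$ entry above. The domain SID is the one from the posted entries; the RID, base DN and sample passwd lines are constructed, and the LM/NT hashes are left to the join itself.

```shell
#!/bin/sh
# Added example, not from the thread: check a passwd file for a duplicate
# machine account and emit an LDIF entry shaped like the whs-0106$ entry.
# The domain SID is the one from the posted entries; RID, base DN and the
# sample passwd lines below are constructed placeholders.
set -eu

# Constructed passwd data with one machine account already present.
SAMPLE_PASSWD="root:x:0:0:root:/root:/bin/bash
whs-0106\$:x:1001:502:Computer:/dev/null:/bin/false"

# machine_exists NAME   (passwd data on stdin)
# Succeeds when NAME$ is already present, ignoring case and a trailing "$";
# a duplicate machine name is one reason a join fails.
machine_exists() {
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/\$$//')
    tr '[:upper:]' '[:lower:]' | cut -d: -f1 | grep -Fqx "${name}\$"
}

# machine_ldif NAME BASEDN DOMSID RID
# Prints a workstation trust account with sambaSID DOMSID-RID, primary
# group DOMSID-515 (Domain Computers) and the [W] flag; the LM/NT hashes
# are not set here, the join (or smbpasswd -m) sets them.
machine_ldif() {
    name=$(printf '%s' "$1" | sed 's/\$$//'); base=$2; domsid=$3; rid=$4
    # NetBIOS names are limited to 15 characters.
    [ "${#name}" -le 15 ] || { echo "name too long: $name" >&2; return 1; }
    upper=$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')
    now=$(date +%s)
    printf 'dn: uid=%s,ou=Computers,%s\n' "$name\$" "$base"
    printf 'objectClass: sambaSamAccount\nobjectClass: account\n'
    printf 'uid: %s\ndisplayName: %s\n' "$name\$" "$upper\$"
    printf 'sambaSID: %s-%s\nsambaPrimaryGroupSID: %s-515\n' "$domsid" "$rid" "$domsid"
    printf 'sambaAcctFlags: [W          ]\n'
    printf 'sambaPwdLastSet: %s\nsambaPwdCanChange: %s\n' "$now" "$now"
    printf 'sambaPwdMustChange: 2147483647\n'
}

# Usage: refuse the add when the name is taken, otherwise print the LDIF.
DOMSID=S-1-5-21-1129281578-1295143107-3311307472
for host in WHS-0106 whs-0107; do
    if printf '%s\n' "$SAMPLE_PASSWD" | machine_exists "$host"; then
        echo "skipping $host: account already exists" >&2
    else
        machine_ldif "$host" dc=tow,dc=net "$DOMSID" 3944
    fi
done
```

The posix side (useradd into /etc/passwd, as in Kent's example) still has to be done separately; this only produces the Samba LDAP entry and the duplicate check.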