> You don't need to give anonymous write access.
> You just need to give the ldap admin you set in smb.conf write access to
> the tree and properly set the ldap password with smbpasswd -w

Thank you, but this isn't really the issue for me right now. The rest of the message described the problem I can't figure out.

By the way, I had smbpasswd -w set to Directory Manager's credentials all the time, but I was getting

Insufficient 'write' privilege to the 'uidNumber' attribute of entry 'sambadomainname

and

Insufficient add privileges for ou=computers

until I just made both objects writable by anyone. Anyway... this is working right now and I'll deal with the security implications later, but joining the domain still produces the errors that I described below. Maybe it's worth mentioning that I use Sun ONE Directory 5.2, not OpenLDAP?
It seems that even though the machine accounts get created upon successful authentication, it fails to find that same machine account during the same or another operation to actually join the domain. The search string it uses has objectclass=sambaSamAccount. Apparently, the newly created machine account doesn't have that object class. Also there's no sambaSID entry for the machine account (not sure if it needs one, but if sambaSamAccount requires that, I guess it does?). In addition to that, the search base it uses to look for the machine accounts only has the parent suffix, without the "ou=computers". Samba user accounts can be added with smbpasswd and all the SIDs, passwords and other attributes are set correctly. Another issue is that the idmap ou doesn't seem to get populated with any entries at all, but I also don't know if it should be.

base => [dc=mydomain,dc=com]
[(&(uid=computer$)(objectclass=sambaSamAccount))]

smb.conf:

add user script = /usr/local/samba/bin/smbldap-useradd -n "%u"
add machine script = /usr/local/samba/bin/smbldap-useradd -n -d /dev/null -s /bin/false -w "%m"
ldap admin dn = "cn=Directory Manager"
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=computers
ldap suffix = dc=mydomain,dc=com
ldap ssl = no
ldap user suffix = ou=people
idmap backend = ldapsam:ldap://myldapserver
idmap uid = 10000-30000
idmap gid = 10000-30000

smb-ldap.conf:

suffix="dc=mydomain,dc=com"
usersdn="ou=People,${suffix}"
computersdn="ou=computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=LDAPAUTH,${suffix}"
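The symptoms above (machine account created, but Samba's `(&(uid=computer$)(objectclass=sambaSamAccount))` lookup misses it) come down to three properties of the entry: the sambaSamAccount object class, a sambaSID, and the entry sitting under the configured machine suffix. The following script is an added example, not from the original post or from Samba/smbldap-tools: it parses the `ldap suffix`/`ldap machine suffix` settings from an smb.conf fragment and audits machine-account entries from an LDIF dump (here constructed inline; a real one would come from `ldapsearch -b ou=computers,... '(uid=*$)'`) against those three requirements. The sample entries, the domain SID and the expected-SID check (RID = 2 * uidNumber + 1000, the default algorithmic mapping smbldap-tools and Samba use when no SID is given explicitly) are assumptions for the demonstration.

```python
import re

# Constructed smb.conf fragment: the ldap settings from the post, not a full config.
SMB_CONF = """\
ldap suffix = dc=mydomain,dc=com
ldap machine suffix = ou=computers
ldap user suffix = ou=people
"""

# Constructed domain SID (a real one comes from `net getlocalsid`).
DOMAIN_SID = "S-1-5-21-111-222-333"

# Constructed LDIF: pc1$ is what a correct machine account looks like; pc2$ reproduces
# the symptoms in the post (no sambaSamAccount class, no sambaSID, created directly
# under the suffix rather than under ou=computers).
LDIF = """\
dn: uid=pc1$,ou=computers,dc=mydomain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uid: pc1$
uidNumber: 10001
sambaSID: S-1-5-21-111-222-333-21002

dn: uid=pc2$,dc=mydomain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
uid: pc2$
uidNumber: 10002
"""


def parse_smb_conf(text):
    """Return {lowercased key: value} for 'key = value' lines; comments, sections and blanks are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip().lower()] = value.strip().strip('"')
    return conf


def machine_base_dn(conf):
    """Base Samba should search for machine accounts: machine suffix under the ldap suffix."""
    return f"{conf['ldap machine suffix']},{conf['ldap suffix']}"


def parse_ldif(text):
    """Minimal LDIF parser: blank-line separated records, 'attr: value' lines, multi-valued attributes."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = {"dn": value, "attrs": {}}
        elif current is not None:
            current["attrs"].setdefault(attr, []).append(value)
    if current:
        entries.append(current)
    return entries


def algorithmic_rid(uid_number, rid_base=1000):
    """Assumed default algorithmic mapping: RID = 2 * uidNumber + rid base (1000)."""
    return 2 * uid_number + rid_base


def check_machine_entry(entry, base_dn, domain_sid):
    """Reasons Samba's (&(uid=X$)(objectclass=sambaSamAccount)) lookup under base_dn would miss this entry."""
    problems = []
    attrs = entry["attrs"]
    uid = attrs.get("uid", [""])[0]
    if not uid.endswith("$"):
        problems.append("uid does not end with '$'")
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    if "sambasamaccount" not in classes:
        problems.append("missing objectClass sambaSamAccount")
    sids, uidnum = attrs.get("sambasid"), attrs.get("uidnumber")
    if not sids:
        problems.append("missing sambaSID")
    elif uidnum and re.fullmatch(r"\d+", uidnum[0]):
        expected = f"{domain_sid}-{algorithmic_rid(int(uidnum[0]))}"
        if sids[0] != expected:
            problems.append(f"sambaSID {sids[0]} != expected {expected}")
    if not entry["dn"].lower().endswith("," + base_dn.lower()):
        problems.append(f"entry not under {base_dn}")
    return problems


def audit(ldif_text, conf_text, domain_sid):
    """Map each entry DN to its list of problems (empty list means Samba would find it)."""
    base_dn = machine_base_dn(parse_smb_conf(conf_text))
    return {e["dn"]: check_machine_entry(e, base_dn, domain_sid) for e in parse_ldif(ldif_text)}


if __name__ == "__main__":
    for dn, problems in audit(LDIF, SMB_CONF, DOMAIN_SID).items():
        print(dn, "OK" if not problems else "; ".join(problems))
```

An entry that reports no problems is one the `ldapsam` backend can resolve when the client joins; an entry flagged for a missing class or SID is exactly the case where `add machine script` ran (the object exists) but the join still fails.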