Ronny Adsetts
2003-Oct-14 09:30 UTC
[Samba] Can't add machine account with 3.0.0; ldapsam backend (RESENT)
Resending as I'm no closer to a solution and really would appreciate any help that anyone has to offer.

Hi,

Please cc me on any replies as I'm not subscribed.

First, I've seen reference to this problem on the list but no solution, eg.:

http://marc.theaimsgroup.com/?l=samba&m=106032316504352&w=2

Platform is:

# uname -a
Linux allanon 2.4.21-xfs-aihplc3 #1 SMP Thu Aug 21 15:50:27 BST 2003 i686 unknown

Debian woody. Samba is 3.0.0final-1 from Debian unstable compiled for woody. Some other non-woody backports such as OpenLDAP, libacl, etc.

I was using beta1 previously which didn't have this problem, ie., I could join machines to the domain, both win(NT|2k) and Linux, by providing appropriate credentials without first adding a system account.

Config and -D 10 debug output attached.

So, adding a machine account from the samba 3.0.0 PDC machine using pdbedit gives:

# pdbedit -v -a -m -u tardis
ldapsam_modify_entry: Failed to add user dnuid=tardis$,ou=Machines,dc=amazing-internet,dc=net with: Object class violation
        object class 'sambaSamAccount' requires attribute 'sambaSID'
ldapsam_add_sam_account: failed to modify/add user with uid = tardis$ (dn = uid=tardis$,ou=Machines,dc=amazing-internet,dc=net)
Unable to add machine! (does it already exist?)

And using net join on a Linux box not in the domain, tardis, gives:

# net join -S allanon -U admin -d 3
[2003/10/10 18:53:05, 3] param/loadparm.c:lp_load(3925)
  lp_load: refreshing parameters
[2003/10/10 18:53:05, 3] param/loadparm.c:init_globals(1311)
  Initialising global parameters
[2003/10/10 18:53:06, 3] param/params.c:pm_process(566)
  params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
[2003/10/10 18:53:06, 3] param/loadparm.c:do_section(3428)
  Processing section "[global]"
[2003/10/10 18:53:06, 2] lib/interface.c:add_interface(79)
  added interface ip=172.16.1.17 bcast=172.16.1.255 nmask=255.255.255.0
admin password:
[2003/10/10 18:53:10, 3] libads/ldap.c:ads_connect(218)
  Connected to LDAP server 172.16.1.16
[2003/10/10 18:53:10, 1] libads/ldap.c:ads_connect(222)
  Failed to get ldap server info
[2003/10/10 18:53:10, 1] utils/net_ads.c:ads_startup(181)
  ads_connect: No results returned
[2003/10/10 18:53:10, 3] libsmb/cliconnect.c:cli_start_connection(1290)
  Connecting to host=allanon
[2003/10/10 18:53:10, 3] lib/util_sock.c:open_socket_out(690)
  Connecting to 172.16.1.16 at port 445
[2003/10/10 18:53:10, 3] rpc_client/cli_netlogon.c:cli_nt_setup_creds(283)
  cli_nt_setup_creds: auth2 challenge failed NT_STATUS_ACCESS_DENIED
[2003/10/10 18:53:10, 3] libsmb/trusts_util.c:just_change_the_password(43)
  just_change_the_password: unable to setup creds (NT_STATUS_ACCESS_DENIED)!
[2003/10/10 18:53:10, 1] utils/net_rpc.c:run_rpc_command(152)
  rpc command function failed! (NT_STATUS_ACCESS_DENIED)
[2003/10/10 18:53:10, 3] libsmb/cliconnect.c:cli_start_connection(1290)
  Connecting to host=allanon
[2003/10/10 18:53:10, 3] lib/util_sock.c:open_socket_out(690)
  Connecting to 172.16.1.16 at port 445
[2003/10/10 18:53:10, 2] libsmb/cliconnect.c:cli_session_setup_spnego(635)
  Doing spnego session setup (blob length=58)
[2003/10/10 18:53:10, 3] libsmb/cliconnect.c:cli_session_setup_spnego(660)
  got OID=1 3 6 1 4 1 311 2 2 10
[2003/10/10 18:53:10, 3] libsmb/cliconnect.c:cli_session_setup_spnego(667)
  got principal=NONE
[2003/10/10 18:53:10, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(469)
  Got challenge flags:
[2003/10/10 18:53:10, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(33)
  Got NTLMSSP neg_flags=0x20810205
[2003/10/10 18:53:10, 3] libsmb/ntlmssp.c:ntlmssp_client_challenge(518)
  NTLMSSP: Set final flags:
[2003/10/10 18:53:10, 3] libsmb/ntlmssp.c:debug_ntlmssp_flags(33)
  Got NTLMSSP neg_flags=0x20000215
[2003/10/10 18:53:10, 3] rpc_parse/parse_lsa.c:lsa_io_sec_qos(186)
  lsa_io_sec_qos: length c does not match size 8
Create of workstation account failed
Unable to join domain PERN.
[2003/10/10 18:53:11, 2] utils/net.c:main(758)
  return code = 1

net join -d 10 output available directly on request - it's 180Kb.

I'm at a loss to explain this. It worked prior to the upgrade.

Any ideas?

Ronny
--
Technical Director
Amazing Internet Ltd, London
t: +44 20 8607 9535
f: +44 20 8607 9536
w: www.amazinginternet.com
-------------- next part --------------
allanon:~# pdbedit -v -a -m -u tardis -d 10 &> pdbedit.txt
INFO: Current debug levels:
  all: True/10
  tdb: False/0
  printdrivers: False/0
  lanman: False/0
  smb: False/0
  rpc_parse: False/0
  rpc_srv: False/0
  rpc_cli: False/0
  passdb: False/0
  sam: False/0
  auth: False/0
  winbind: False/0
  vfs: False/0
  idmap: False/0
lp_load: refreshing parameters
Initialising global parameters
Attempting to register new charset UCS-2LE
Registered charset UCS-2LE
Attempting to register new charset UTF8
Registered charset UTF8
Attempting to register new charset ASCII
Registered charset ASCII
Attempting to register new charset 646
Registered charset 646
Attempting to register new charset UCS2-HEX
Registered charset UCS2-HEX
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
Substituting charset 'ANSI_X3.4-1968' for LOCALE
params.c:pm_process() - Processing configuration file "/etc/samba/smb.conf"
Processing section "[global]"
doing parameter interfaces = eth0 127.0.0.1
doing parameter bind interfaces only = yes
doing parameter display charset = ISO8859-15
doing parameter unix charset = ISO8859-15
doing parameter workgroup = PERN
doing parameter server string = %h server (Samba %v)
doing parameter obey pam restrictions = No
doing parameter passdb backend = ldapsam:ldap://allanon.amazing-internet.net/
doing parameter ldap passwd sync = yes
doing parameter passwd program = /usr/bin/passwd %u
doing parameter passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
doing parameter syslog = 0
doing parameter log file = /var/log/samba/log.%m
doing parameter max log size = 1000
doing parameter logon script = scripts\%U.bat
doing parameter logon path = \\jettero\profiles\%U
doing parameter logon home = \\jettero\%U\profile
doing parameter logon drive = h:
doing parameter domain logons = Yes
doing parameter dns proxy = Yes
doing parameter wins support = Yes
doing parameter ldap suffix = dc=amazing-internet,dc=net
doing parameter ldap machine suffix = ou=Machines
doing parameter ldap user suffix = ou=People
doing parameter ldap group suffix = ou=Group
doing parameter ldap idmap suffix = ou=IDMap
doing parameter ldap admin dn = cn=admin,dc=amazing-internet,dc=net
doing parameter ldap ssl = start tls
doing parameter utmp = Yes
doing parameter panic action = /usr/share/samba/panic-action %d
doing parameter idmap backend = ldap:ldap://allanon.amazing-internet.net/
doing parameter idmap uid = 10000-20000
doing parameter idmap gid = 10000-20000
doing parameter profile acls = Yes
pm_process() returned Yes
lp_servicenumber: couldn't find homes
set_server_role: role = ROLE_DOMAIN_PDC
Trying to load: ldapsam:ldap://allanon.amazing-internet.net/
Attempting to register passdb backend ldapsam
Successfully added passdb backend 'ldapsam'
Attempting to register passdb backend ldapsam_compat
Successfully added passdb backend 'ldapsam_compat'
Attempting to register passdb backend smbpasswd
Successfully added passdb backend 'smbpasswd'
Attempting to register passdb backend tdbsam
Successfully added passdb backend 'tdbsam'
Attempting to register passdb backend guest
Successfully added passdb backend 'guest'
Attempting to find an passdb backend to match ldapsam:ldap://allanon.amazing-internet.net/ (ldapsam)
Found pdb backend ldapsam
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=PERN))]
smbldap_search_suffix: searching for:[(&(objectClass=sambaDomain)(sambaDomainName=PERN))]
smbldap_open_connection: ldap://allanon.amazing-internet.net/
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: Binding to ldap server ldap://allanon.amazing-internet.net/ as "cn=admin,dc=amazing-internet,dc=net"
ldap_connect_system: succesful connection to the LDAP server
The LDAP server is succesful connected
pdb backend ldapsam:ldap://allanon.amazing-internet.net/ has a valid init
Attempting to find an passdb backend to match guest (guest)
Found pdb backend guest
pdb backend guest has a valid init
Netbios name list:-
my_netbios_names[0]="ALLANON"
Trying to load: ldapsam:ldap://allanon.amazing-internet.net/
Attempting to find an passdb backend to match ldapsam:ldap://allanon.amazing-internet.net/ (ldapsam)
Found pdb backend ldapsam
Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=PERN))]
smbldap_search_suffix: searching for:[(&(objectClass=sambaDomain)(sambaDomainName=PERN))]
smbldap_open_connection: ldap://allanon.amazing-internet.net/
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: Binding to ldap server ldap://allanon.amazing-internet.net/ as "cn=admin,dc=amazing-internet,dc=net"
ldap_connect_system: succesful connection to the LDAP server
The LDAP server is succesful connected
pdb backend ldapsam:ldap://allanon.amazing-internet.net/ has a valid init
Attempting to find an passdb backend to match guest (guest)
Found pdb backend guest
pdb backend guest has a valid init
account_policy_get: maximum password age:-1
account_policy_get: minimum password age:0
pdb_set_username: setting username tardis$, was
pdb_set_group_sid: setting group sid S-1-5-21-2620758496-3919074717-1561781800-515
pdb_set_group_sid_from_rid: setting group sid S-1-5-21-2620758496-3919074717-1561781800-515 from rid 515
smbldap_search_suffix: searching for:[(&(uid=tardis$)(objectclass=sambaSamAccount))]
smbldap_search_suffix: searching for:[(uid=tardis$)]
smbldap_search_suffix: searching for:[(&(sambaSID=S-0-0)(|(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))]
ldapsam_add_sam_account: Adding new user
init_ldap_from_sam: Setting entry for user: tardis$
ldapsam_modify_entry: Failed to add user dn= uid=tardis$,ou=Machines,dc=amazing-internet,dc=net with: Object class violation
        object class 'sambaSamAccount' requires attribute 'sambaSID'
ldapsam_add_sam_account: failed to modify/add user with uid = tardis$ (dn = uid=tardis$,ou=Machines,dc=amazing-internet,dc=net)
Unable to add machine! (does it already exist?)
-------------- next part --------------
# Global parameters
[global]
    interfaces = eth0 127.0.0.1
    bind interfaces only = yes
    display charset = ISO8859-15
    unix charset = ISO8859-15
    workgroup = PERN
    server string = %h server (Samba %v)
#   obey pam restrictions = Yes
    passdb backend = ldapsam:ldap://allanon.amazing-internet.net/
    ldap passwd sync = yes
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n .
    syslog = 0
    log file = /var/log/samba/log.%m
#   log level = 3
    max log size = 1000
    logon script = scripts\%U.bat
    logon path = \\jettero\profiles\%U
    logon home = \\jettero\%U\profile
    logon drive = h:
    domain logons = Yes
    dns proxy = Yes
    wins support = Yes
    ldap suffix = dc=amazing-internet,dc=net
    ldap machine suffix = ou=Machines
    ldap user suffix = ou=People
    ldap group suffix = ou=Group
    ldap idmap suffix = ou=IDMap
    ldap admin dn = cn=admin,dc=amazing-internet,dc=net
    ldap ssl = start tls
    utmp = Yes
    panic action = /usr/share/samba/panic-action %d
    idmap backend = ldap:ldap://allanon.amazing-internet.net/
    idmap uid = 10000-20000
    idmap gid = 10000-20000
#   invalid users = root
    profile acls = Yes

[netlogon]
    comment = The domain logon service
    path = /home/netlogon
    write list = ntadmin
    create mask = 0664
    directory mask = 0775
    force directory mode = 02000
    guest ok = Yes
    browseable = No
    locking = No

jean-marc pouchoulon
2003-Oct-14 09:40 UTC
[Samba] Can't add machine account with 3.0.0; ldapsam backend (RESENT)
># pdbedit -v -a -m -u tardis
>ldapsam_modify_entry: Failed to add user dnuid=tardis$,ou=Machines,dc=amazing-internet,dc=net with: Object class
>violation
> object class 'sambaSamAccount' requires attribute 'sambaSID'

Did you create the machine account in /etc/passwd or in LDAP before using pdbedit?

Here is an extract from a Python script I wrote, showing what I do in LDAP before pdbedit -a -m.

import sys

def cre_ldif_machine(last_uidnumber):
    """Create an LDAP record file (LDIF) for a Samba machine account."""
    # The machine name comes from the first command-line argument.
    with open('/etc/samba/bin/machine.ldif', 'w') as ldif:
        print("dn: uid=%s,ou=pc,o=test,c=fr" % sys.argv[1], file=ldif)
        print("objectclass: account", file=ldif)
        print("objectclass: posixaccount", file=ldif)
        print("objectclass: shadowaccount", file=ldif)
        print("uid:%s" % sys.argv[1], file=ldif)
        print("cn: Samba machine %s " % sys.argv[1], file=ldif)
        print("uidnumber: %s" % last_uidnumber, file=ldif)
        print("gidnumber:504", file=ldif)
        print("homedirectory:/dev/null", file=ldif)
        print("loginshell:/bin/false", file=ldif)

Are you sure you have the right object class and attribute?

Jean-Marc
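
An added example (not part of either post, and not Samba code): a local check of an LDIF entry against the MUST attributes of the object classes named in this thread, which reproduces the "requires attribute 'sambaSID'" violation before the directory server rejects the add. The attribute table is a subset of the stock cosine, nis and Samba 3 schema files; the sample entries, the uidnumber and the RID at the end of the SID are constructed.

```python
# MUST attributes per objectClass (subset; names lowercased for comparison).
MUST = {
    "account": {"uid"},
    "posixaccount": {"cn", "uid", "uidnumber", "gidnumber", "homedirectory"},
    "shadowaccount": {"uid"},
    "sambasamaccount": {"uid", "sambasid"},
}

def parse_ldif_entry(text):
    """Parse one unfolded, plain-text LDIF entry into (dn, {attr: [values]})."""
    dn, attrs = None, {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return dn, attrs

def schema_violations(text):
    """Return sorted (objectClass, missing MUST attribute) pairs for the entry."""
    _, attrs = parse_ldif_entry(text)
    missing = []
    for oc in attrs.get("objectclass", []):
        for attr in MUST.get(oc.lower(), ()):
            if not any(attrs.get(attr, [])):
                missing.append((oc, attr))
    return sorted(missing)

# Constructed sample: POSIX-only machine entry of the kind the script above writes.
POSIX_ONLY = """\
dn: uid=tardis$,ou=Machines,dc=amazing-internet,dc=net
objectclass: account
objectclass: posixaccount
objectclass: shadowaccount
uid: tardis$
cn: Samba machine tardis$
uidnumber: 10001
gidnumber: 504
homedirectory: /dev/null
loginshell: /bin/false
"""
# Same entry with sambaSamAccount added but no sambaSID (the failing shape),
# then with a constructed SID (domain SID from the log, made-up RID).
NO_SID = POSIX_ONLY + "objectclass: sambaSamAccount\n"
WITH_SID = NO_SID + "sambaSID: S-1-5-21-2620758496-3919074717-1561781800-21002\n"
```
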