Kent L. Nasveschuk
2003-Nov-10 15:32 UTC
[Samba] Samba 3.0 - LDAP create machine account fails
Hello, it's me again. I'm running Samba 3.0 and LDAP 2.1.23 on a RedHat 8.0 system. I am able to browse shares and home directories. I get a "Logon failure: unknown username or bad password" when I try to connect a W2k machine. For Win/95/98 the system already works. I believe it is set up OK; I need to work on scripts that work with MMC. I just want a basic connect of a W2k machine right now.

Output from /usr/local/samba/bin/net groupmap list:

root@172.16.0.3's password:
Last login: Mon Nov 10 08:10:41 2003 from 172.16.1.246
[root@whs1 root]# /usr/local/samba/bin/net groupmap list
domain_users (S-1-5-21-1129281578-1295143107-3311307472-513) -> dusers
domain_guests (S-1-5-21-1129281578-1295143107-3311307472-514) -> nobody
domain_admins (S-1-5-21-1129281578-1295143107-3311307472-512) -> root
administrators (S-1-5-32-544) -> 544
users (S-1-5-21-1129281578-1295143107-3311307472-545) -> users
guests (S-1-5-21-1129281578-1295143107-3311307472-546) -> nobody
power_users (S-1-5-21-1129281578-1295143107-3311307472-547) -> 547
account_operators (S-1-5-32-548) -> 548
server_operators (S-1-5-32-549) -> sys
print_operators (S-1-5-32-550) -> lp
backup_operators (S-1-5-32-551) -> bin
replicator (S-1-5-21-1129281578-1295143107-3311307472-552) -> daemon
computers (S-1-5-21-1129281578-1295143107-3311307472-515) -> dcomputers
Enterprise Admins (S-1-5-21-1129281578-1295143107-3311307472-519) -> 519
[root@whs1 root]#

Output of ldap search => cn=domain_admins:

[root@whs1 root]# ldapsearch -xv -b "dc=tow,dc=net" cn=domain_admins
ldap_initialize( <DEFAULT> )
filter: cn=domain_admins
requesting: ALL
# extended LDIF
#
# LDAPv3
# base <dc=tow,dc=net> with scope sub
# filter: cn=domain_admins
# requesting: ALL
#

# domain_admins, Groups, tow.net
dn: cn=domain_admins,ou=Groups,dc=tow,dc=net
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-1129281578-1295143107-3311307472-512
gidNumber: 0
cn: domain_admins
memberUid: Administrator,kent
description: Netbios Domain Administrators
sambaGroupType: 2

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

smb.conf:

[root@whs1 root]# cat /usr/local/samba/lib/smb.conf
# Samba config file created using SWAT
# from 172.16.1.246 (172.16.1.246)
# Date: 2003/11/04 16:29:07

# Global parameters
[global]
	workgroup = WarehamPS
	netbios name = WHS1
	server string = RedHat 8.0 LDAP Server
	passdb backend = ldapsam
	passwd program = /usr/local/sbin/smbldap-passwd.pl
	log file = /var/log/samba.%m
	max log size = 50
	time server = Yes
	passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
#	unix password sync = Yes
#	add user script = /usr/local/sbin/smbldap-useradd.pl -w -d /dev/null -c 'Machine Account' -s /bin/False
#	delete user script = /usr/local/sbin/smbldap-userdel.pl
#	add group script = /usr/local/sbin/smbldap-groupadd.pl
#	delete group script = /usr/local/sbin/smbldap-groupdel.pl
	add machine script = /usr/local/sbin/smbldap-useradd.pl -w -g "domain_computer" -d /dev/null -c "Machine Account" -s /bin/false %u$
	add user script = /usr/sbin/useradd -m -d /accounts/"%u" -g 500 %u
	delete user script = /usr/sbin/userdel -r %u
	add group script = /usr/sbin/groupadd %g
	delete group script = /usr/sbin/groudadd %g
	add user to group script = /usr/sbin/usermod -G %g %u
#	add machine script = /usr/sbin/useradd -s /bin/false -g 502 -d /dev/null %u$
	logon script = netlogon.bat
	logon home = \\%L\%U
	domain logons = Yes
	os level = 64
	domain master = Yes
	dns proxy = No
	ldap suffix = dc=tow,dc=net
	ldap machine suffix = ou=Computers
	ldap user suffix = ou=Users
	ldap group suffix = ou=Groups
	ldap admin dn = cn=admin,dc=tow,dc=net
	admin users = @domain_admins
	ldap ssl = no
	read only = No
	create mask = 02770
	directory mask = 02770

[homes]
	comment = Home Directories
	path = %H
	hide files = /.*/
	browseable = No

[netlogon]
	comment = Network Logon Service
	path = /usr/local/samba/netlogon
	read only = Yes
	hide files = /.*/*.bat/*.dll/200*/
	browseable = No

[profiles]
	comment = Domain User Profiles
	path = /accounts/profiles
	read only = No
	browseable = No

[staff]
	comment = Staff common
	path = /accounts/staff

[images]
	comment = Ghost image files
	path = /accounts/images

[printers]
	comment = All Printers
	path = /var/spool/samba
	read only = Yes
	printable = Yes
	browseable = No

I've also added the appropriate password to secrets.tdb by: smbpasswd -w xxxx

slapd.conf:

[root@whs1 root]# cat /usr/local/etc/openldap/slapd.conf
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.4 2000/08/26 17:06:18 kurt Exp $
include		/usr/local/etc/openldap/schema/core.schema
include		/usr/local/etc/openldap/schema/cosine.schema
include		/usr/local/etc/openldap/schema/inetorgperson.schema
include		/usr/local/etc/openldap/schema/nis.schema
include		/usr/local/etc/openldap/schema/samba.schema

database	ldbm
suffix		"dc=tow,dc=net"
rootdn		"cn=admin,dc=tow,dc=net"
rootpw		{SSHA}WhTBLrgNGnKeZYgS0bT6TfIL2jKBbOnr
#password-hash	{crypt}
directory	/usr/local/var/openldap-data/wareham
schemacheck	on
lastmod		on
# Indices to maintain
index	objectClass	eq
#index	objectClass,uid,uidNumber,gidNumber	eq
#index	cn,mail,surname,givenname	eq,subinitial
index	cn,sn,st	pres,eq,sub
#access read

I got the latest tools from www.idealx.com and adjusted the smbldap_conf.pm for my site. Any suggestions? I'm so close I can taste it.

--
Kent L. Nasveschuk <kent@wareham.k12.ma.us>
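An added example, not part of the message above: a small Python check that parses the machine-account related settings out of an smb.conf [global] section and cross-checks the unix group named by `add machine script -g` against the right-hand side of the `net groupmap list` output. The inputs are a constructed excerpt of the configuration posted above; the list of checks is my own assumption about what is worth verifying before a domain join, not a diagnosis of this particular failure.

```python
import re
import shlex

# Constructed sample input: the machine-account related lines from the
# smb.conf posted above, and two rows from its `net groupmap list` output.
SMB_CONF = """
[global]
    passdb backend = ldapsam
    add machine script = /usr/local/sbin/smbldap-useradd.pl -w -g "domain_computer" -d /dev/null -c "Machine Account" -s /bin/false %u$
    ldap admin dn = cn=admin,dc=tow,dc=net
"""
GROUPMAP = """
domain_users (S-1-5-21-1129281578-1295143107-3311307472-513) -> dusers
computers (S-1-5-21-1129281578-1295143107-3311307472-515) -> dcomputers
"""

def parse_global(conf):
    """Return the [global] section of an smb.conf as a dict with lower-cased keys."""
    section, out = None, {}
    for line in conf.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":          # skip blanks and comments
            continue
        if line.startswith("["):
            section = line.strip("[]").lower()
        elif section == "global" and "=" in line:
            key, _, val = line.partition("=")
            out[key.strip().lower()] = val.strip()
    return out

def unix_groups(groupmap):
    """Unix group names on the right-hand side of `net groupmap list` rows."""
    return {m.group(1) for m in re.finditer(r"->\s*(\S+)", groupmap)}

def machine_account_checks(conf, groupmap):
    """Return findings about the settings a W2k domain join depends on (assumed list)."""
    g = parse_global(conf)
    problems = []
    script = g.get("add machine script")
    if not script:
        return ["no 'add machine script': Samba cannot create machine accounts on join"]
    if not script.endswith("%u$"):
        problems.append("'add machine script' does not end with the machine name %u$")
    argv = shlex.split(script)                   # honours the quoted arguments
    grp = argv[argv.index("-g") + 1] if "-g" in argv else None
    if grp and grp not in unix_groups(groupmap):
        problems.append(f"-g {grp!r} is not a unix group in the groupmap output")
    if g.get("passdb backend", "").startswith("ldapsam") and "ldap admin dn" not in g:
        problems.append("ldapsam backend without 'ldap admin dn'")
    return problems
```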