samba - Mar 2004 - samba 3.0.2a (ported from 2.2.8a) with LDAP failed to add machine account

Hi all!
Domain is up and running. I can add users and they can change passwords. 
Problem occurred when I tried to add machine account.
add machine script works fine (unix user created) but samba can not 
modify entry. LDAP permissions are proper.
If you have any idea welcomed.
Thank you
Here is the log:

[2004/03/10 14:33:08, 3] passdb/pdb_ldap.c:ldapsam_add_sam_account(1595)
  ldapsam_add_sam_account: Adding new user
[2004/03/10 14:33:08, 2] passdb/pdb_ldap.c:init_ldap_from_sam(769)
  init_ldap_from_sam: Setting entry for user: hive$
[2004/03/10 14:33:08, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1214)
  ldapsam_modify_entry: Failed to add user dn=
uid=hive$,ou=Computers,ou=accounts,o=isma with: Already exists
  	
[2004/03/10 14:33:08, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1633)
  ldapsam_add_sam_account: failed to modify/add user with uid = hive$ (dn =
uid=hive$,ou=Computers,ou=accounts,o=isma)
[2004/03/10 14:33:08, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2250)
  could not add user/computer hive$ to passdb.  Check permissions?

smb.conf

[global]
	dos charset = CP866
	unix charset = koi8-r
	display charset = koi8-r
	workgroup = ISMA-TEST
	netbios name = BDC-SRV
	server string = Samba Server 3.0.2a testing
	interfaces = eth1
	bind interfaces only = Yes
	min passwd length = 4
	map to guest = Bad User
	passdb backend = ldapsam:ldap://192.168.10.156
	guest account = guest
	passwd program = /usr/local/sbin/smbldap-passwd.pl %u
	passwd chat = *New*password* %n\n *new*password* %n\n
	passwd chat timeout = 1
	unix password sync = Yes
	log level = 3
	log file = /var/log/samba/log.%m
	max log size = 50
	socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
	add machine script = /usr/local/sbin/smbldap-useradd.pl -w -d /dev/null -g
'Domain Computers' -c 'Machine Account' -s /bin/false %u
	logon script = %U.bat
	logon path = \\%N\%U\.2kXPprofiles
	logon home = \\%N\%U\.9xMeprofiles
	domain logons = Yes
	os level = 255
	preferred master = Yes
	domain master = Yes
	dns proxy = No
	wins server = 192.168.77.3
	ldap suffix = ou=accounts,o=isma
	ldap machine suffix = ou=Computers
	ldap user suffix = ou=Users
	ldap group suffix = ou=Groups
	ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
	ldap admin dn = cn=admin,ou=accounts,o=isma
	ldap ssl = no
	ldap passwd sync = Yes

[homes]
	comment = Home Directories
	read only = No
	browseable = No

[printers]
	comment = All Printers
	path = /var/spool/samba
	printable = Yes
	browseable = No

[test]
	path = /home
	read only = No

[netlogon]
	path = /opt/samba/netlogon
	admin users = admin
	read only = No
	browseable = No

* zergio <zergio@isma.kharkov.ua> nulis:

This:
> 	ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
change to:
 	# ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))


--beast

Beast ?????:
>* zergio <zergio@isma.kharkov.ua> nulis:
>
>This:
>
>  
>
>>	ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
>>    
>>
>
>change to:
> 	# ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
>
>
>--beast
>
>
>
>  
>
According to man smb.conf if ldap filter is not set then dafault used

Default: /ldap filter/ = (&(uid=%u)(objectclass=sambaAccount))

However, I use new samba.schema and there is no sambaAccount, thus ldap 
gives NO SUCH USER.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I had many problems getting the scripts to work until I realized that I
had two admin groups with the same name and same id, one in /etc/group
and the other in LDAP.  Now this is just fine and even kind of elegant
but not if it is set up wrong.  There are two ways it can work.

1. You can add the ldap admin users to the local group in /etc/group.
2. You can duplicate the group in ldap and add the admin users to that
group instead.  If you do this though, you have to put ldap first in
/etc/nss_switch.conf so that the system will find that group first when
the slapd daemon is operational.  The cool part about this way is that
when slapd is not operational, those extra members of the admin group
just go away.  They are simply not found because they are not part of
the local group.  Also, one must remember that adding a user to the
local group means adding one to the ldap group also but NOT necessarily
the other way around.

For a default/debug setup, you might consider either just going with 1
above and having no admin group contained in ldap or makeing both groups
discussed in 2 above exact duplicates i.e. each user contained in one
also exists in the other.


Jim C.

zergio wrote:

| Hi all!
| Domain is up and running. I can add users and they can change passwords.
| Problem occurred when I tried to add machine account.
| add machine script works fine (unix user created) but samba can not
| modify entry. LDAP permissions are proper.
| If you have any idea welcomed.
| Thank you
| Here is the log:
|
| [2004/03/10 14:33:08, 3] passdb/pdb_ldap.c:ldapsam_add_sam_account(1595)
|  ldapsam_add_sam_account: Adding new user
| [2004/03/10 14:33:08, 2] passdb/pdb_ldap.c:init_ldap_from_sam(769)
|  init_ldap_from_sam: Setting entry for user: hive$
| [2004/03/10 14:33:08, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1214)
|  ldapsam_modify_entry: Failed to add user dn|
uid=hive$,ou=Computers,ou=accounts,o=isma with: Already exists
|
| [2004/03/10 14:33:08, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1633)
|  ldapsam_add_sam_account: failed to modify/add user with uid = hive$ (dn
| = uid=hive$,ou=Computers,ou=accounts,o=isma)
| [2004/03/10 14:33:08, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2250)
|  could not add user/computer hive$ to passdb.  Check permissions?
|
| smb.conf
|
| [global]
|     dos charset = CP866
|     unix charset = koi8-r
|     display charset = koi8-r
|     workgroup = ISMA-TEST
|     netbios name = BDC-SRV
|     server string = Samba Server 3.0.2a testing
|     interfaces = eth1
|     bind interfaces only = Yes
|     min passwd length = 4
|     map to guest = Bad User
|     passdb backend = ldapsam:ldap://192.168.10.156
|     guest account = guest
|     passwd program = /usr/local/sbin/smbldap-passwd.pl %u
|     passwd chat = *New*password* %n\n *new*password* %n\n
|     passwd chat timeout = 1
|     unix password sync = Yes
|     log level = 3
|     log file = /var/log/samba/log.%m
|     max log size = 50
|     socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
|     add machine script = /usr/local/sbin/smbldap-useradd.pl -w -d
| /dev/null -g 'Domain Computers' -c 'Machine Account' -s
/bin/false %u
|     logon script = %U.bat
|     logon path = \\%N\%U\.2kXPprofiles
|     logon home = \\%N\%U\.9xMeprofiles
|     domain logons = Yes
|     os level = 255
|     preferred master = Yes
|     domain master = Yes
|     dns proxy = No
|     wins server = 192.168.77.3
|     ldap suffix = ou=accounts,o=isma
|     ldap machine suffix = ou=Computers
|     ldap user suffix = ou=Users
|     ldap group suffix = ou=Groups
|     ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
|     ldap admin dn = cn=admin,ou=accounts,o=isma
|     ldap ssl = no
|     ldap passwd sync = Yes
|
| [homes]
|     comment = Home Directories
|     read only = No
|     browseable = No
|
| [printers]
|     comment = All Printers
|     path = /var/spool/samba
|     printable = Yes
|     browseable = No
|
| [test]
|     path = /home
|     read only = No
|
| [netlogon]
|     path = /opt/samba/netlogon
|     admin users = admin
|     read only = No
|     browseable = No
|
|
|


- --

- -----------------------------------------------------------------
| I can be reached on the following messenger services:		|
|---------------------------------------------------------------|
| MSN: j_c_llings@hotmail.com  AIM: WyteLi0n  ICQ: 123291844 	|
|---------------------------------------------------------------|
| Y!: j_c_llings               Jabber: jcllings@njs.netlab.cz	|
- -----------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3-nr1 (Windows XP)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFAUdeJ57L0B7uXm9oRAoNCAJ0f+XYw7vtQjVstMCivFKooG9+gtwCfWFPz
42mL/9SIbfruxR0TojW6sSk=T/CG
-----END PGP SIGNATURE-----