zergio
2004-Mar-11 11:50 UTC
[Samba] samba 3.0.2a (ported from 2.2.8a) with LDAP failed to add machine account
Hi all!

Domain is up and running. I can add users and they can change passwords. The problem occurred when I tried to add a machine account. The add machine script works fine (unix user created) but samba cannot modify the entry. LDAP permissions are proper.
If you have any ideas, they are welcome.
Thank you

Here is the log:

[2004/03/10 14:33:08, 3] passdb/pdb_ldap.c:ldapsam_add_sam_account(1595)
  ldapsam_add_sam_account: Adding new user
[2004/03/10 14:33:08, 2] passdb/pdb_ldap.c:init_ldap_from_sam(769)
  init_ldap_from_sam: Setting entry for user: hive$
[2004/03/10 14:33:08, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1214)
  ldapsam_modify_entry: Failed to add user dn= uid=hive$,ou=Computers,ou=accounts,o=isma with: Already exists
[2004/03/10 14:33:08, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1633)
  ldapsam_add_sam_account: failed to modify/add user with uid = hive$ (dn = uid=hive$,ou=Computers,ou=accounts,o=isma)
[2004/03/10 14:33:08, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2250)
  could not add user/computer hive$ to passdb. Check permissions?

smb.conf

[global]
    dos charset = CP866
    unix charset = koi8-r
    display charset = koi8-r
    workgroup = ISMA-TEST
    netbios name = BDC-SRV
    server string = Samba Server 3.0.2a testing
    interfaces = eth1
    bind interfaces only = Yes
    min passwd length = 4
    map to guest = Bad User
    passdb backend = ldapsam:ldap://192.168.10.156
    guest account = guest
    passwd program = /usr/local/sbin/smbldap-passwd.pl %u
    passwd chat = *New*password* %n\n *new*password* %n\n
    passwd chat timeout = 1
    unix password sync = Yes
    log level = 3
    log file = /var/log/samba/log.%m
    max log size = 50
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    add machine script = /usr/local/sbin/smbldap-useradd.pl -w -d /dev/null -g 'Domain Computers' -c 'Machine Account' -s /bin/false %u
    logon script = %U.bat
    logon path = \\%N\%U\.2kXPprofiles
    logon home = \\%N\%U\.9xMeprofiles
    domain logons = Yes
    os level = 255
    preferred master = Yes
    domain master = Yes
    dns proxy = No
    wins server = 192.168.77.3
    ldap suffix = ou=accounts,o=isma
    ldap machine suffix = ou=Computers
    ldap user suffix = ou=Users
    ldap group suffix = ou=Groups
    ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
    ldap admin dn = cn=admin,ou=accounts,o=isma
    ldap ssl = no
    ldap passwd sync = Yes

[homes]
    comment = Home Directories
    read only = No
    browseable = No

[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No

[test]
    path = /home
    read only = No

[netlogon]
    path = /opt/samba/netlogon
    admin users = admin
    read only = No
    browseable = No
Beast
2004-Mar-11 11:59 UTC
[Samba] samba 3.0.2a (ported from 2.2.8a) with LDAP failed to add machine account
* zergio <zergio@isma.kharkov.ua> wrote:

This:
> ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))

change to:
# ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))

--beast
zergio
2004-Mar-11 12:17 UTC
[Samba] samba 3.0.2a (ported from 2.2.8a) with LDAP failed to add machine account
Beast wrote:
> * zergio <zergio@isma.kharkov.ua> wrote:
>
> This:
>
>> ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
>
> change to:
> # ldap filter = (&(uid=%u)(objectclass=sambaSamAccount))
>
> --beast

According to man smb.conf, if ldap filter is not set then the default is used:

Default: /ldap filter/ = (&(uid=%u)(objectclass=sambaAccount))

However, I use the new samba.schema and there is no sambaAccount, thus ldap gives NO SUCH USER.
Jim C.
2004-Mar-12 15:30 UTC
[Samba] samba 3.0.2a (ported from 2.2.8a) with LDAP failed to add machine account
I had many problems getting the scripts to work until I realized that I had two admin groups with the same name and same id, one in /etc/group and the other in LDAP. Now this is just fine and even kind of elegant but not if it is set up wrong. There are two ways it can work.

1. You can add the ldap admin users to the local group in /etc/group.

2. You can duplicate the group in ldap and add the admin users to that group instead. If you do this though, you have to put ldap first in /etc/nss_switch.conf so that the system will find that group first when the slapd daemon is operational. The cool part about this way is that when slapd is not operational, those extra members of the admin group just go away. They are simply not found because they are not part of the local group. Also, one must remember that adding a user to the local group means adding one to the ldap group also but NOT necessarily the other way around.

For a default/debug setup, you might consider either just going with 1 above and having no admin group contained in ldap or making both groups discussed in 2 above exact duplicates, i.e. each user contained in one also exists in the other.

Jim C.

zergio wrote:
| Hi all!
| Domain is up and running. I can add users and they can change passwords.
| Problem occurred when I tried to add machine account.
| add machine script works fine (unix user created) but samba can not
| modify entry. LDAP permissions are proper.
| If you have any idea welcomed.
| Thank you
| Here is the log:
|
| [2004/03/10 14:33:08, 3] passdb/pdb_ldap.c:ldapsam_add_sam_account(1595)
| ldapsam_add_sam_account: Adding new user
| [2004/03/10 14:33:08, 2] passdb/pdb_ldap.c:init_ldap_from_sam(769)
| init_ldap_from_sam: Setting entry for user: hive$
| [2004/03/10 14:33:08, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1214)
| ldapsam_modify_entry: Failed to add user dn=
| uid=hive$,ou=Computers,ou=accounts,o=isma with: Already exists
|
| [2004/03/10 14:33:08, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1633)
| ldapsam_add_sam_account: failed to modify/add user with uid = hive$ (dn
| = uid=hive$,ou=Computers,ou=accounts,o=isma)
| [2004/03/10 14:33:08, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2250)
| could not add user/computer hive$ to passdb. Check permissions?
|
| smb.conf
|
| [global]
| dos charset = CP866
| unix charset = koi8-r
| display charset = koi8-r
| workgroup = ISMA-TEST
| netbios name = BDC-SRV
| server string = Samba Server 3.0.2a testing
| interfaces = eth1
| bind interfaces only = Yes
| min passwd length = 4
| map to guest = Bad User
| passdb backend = ldapsam:ldap://192.168.10.156
| guest account = guest
| passwd program = /usr/local/sbin/smbldap-passwd.pl %u
| passwd chat = *New*password* %n\n *new*password* %n\n
| passwd chat timeout = 1
| unix password sync = Yes
| log level = 3
| log file = /var/log/samba/log.%m
| max log size = 50
| socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
| add machine script = /usr/local/sbin/smbldap-useradd.pl -w -d
| /dev/null -g 'Domain Computers' -c 'Machine Account' -s /bin/false %u
| logon script = %U.bat
| logon path = \\%N\%U\.2kXPprofiles
| logon home = \\%N\%U\.9xMeprofiles
| domain logons = Yes
| os level = 255
| preferred master = Yes
| domain master = Yes
| dns proxy = No
| wins server = 192.168.77.3
| ldap suffix = ou=accounts,o=isma
| ldap machine suffix = ou=Computers
| ldap user suffix = ou=Users
| ldap group suffix = ou=Groups
| ldap filter =
| (&(uid=%u)(objectclass=sambaSamAccount))
| ldap admin dn = cn=admin,ou=accounts,o=isma
| ldap ssl = no
| ldap passwd sync = Yes
|
| [homes]
| comment = Home Directories
| read only = No
| browseable = No
|
| [printers]
| comment = All Printers
| path = /var/spool/samba
| printable = Yes
| browseable = No
|
| [test]
| path = /home
| read only = No
|
| [netlogon]
| path = /opt/samba/netlogon
| admin users = admin
| read only = No
| browseable = No
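
Added example, not part of the original thread: a Python check for the setup Jim C. describes, where one admin group exists both in /etc/group and in LDAP; it reports members present in only one copy and whether ldap comes first on the group lookup line. The group name, gid, members, LDIF entry and switch-file contents are constructed sample data.

```python
ETC_GROUP = "root:x:0:\nadmins:x:512:root,alice\nusers:x:100:\n"  # constructed, as is all data below
LDIF = """\
dn: cn=admins,ou=Groups,ou=accounts,o=isma
objectClass: posixGroup
cn: admins
gidNumber: 512
memberUid: alice
memberUid: bob
"""
NSSWITCH = "passwd: files ldap\ngroup:  ldap files\n"  # name service switch file

def parse_etc_group(text):
    """Return {name: (gid, members)} from /etc/group-format text."""
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _pw, gid, members = line.split(":", 3)
            groups[name] = (int(gid), set(filter(None, members.split(","))))
    return groups

def parse_ldif_groups(text):
    """Return {cn: (gidNumber, memberUid set)} for posixGroup entries."""
    groups = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs.setdefault(key.lower(), []).append(value)
        if "posixGroup" in attrs.get("objectclass", []):
            groups[attrs["cn"][0]] = (int(attrs["gidnumber"][0]),
                                      set(attrs.get("memberuid", [])))
    return groups

def group_sources(switch_text):
    """Return the lookup order configured on the 'group:' line."""
    for line in switch_text.splitlines():
        db, _, sources = line.partition(":")
        if db.strip() == "group":
            return sources.split()
    return []

def audit(local, ldap, order):
    """List groups defined in both places and how the two copies differ."""
    return [{"group": n, "gid_match": local[n][0] == ldap[n][0],
             "ldap_first": order[:1] == ["ldap"],
             "local_only": sorted(local[n][1] - ldap[n][1]),  # missing from the LDAP copy
             "ldap_only": sorted(ldap[n][1] - local[n][1])}   # per the post: not found while slapd is down
            for n in sorted(set(local) & set(ldap))]
if __name__ == "__main__":
    print(audit(parse_etc_group(ETC_GROUP), parse_ldif_groups(LDIF), group_sources(NSSWITCH)))
```

A non-empty `local_only` list means a user was added to the local group without the LDAP copy, the case the post says to avoid.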