Mohammad Reza
2004-Jul-20 07:50 UTC
[Samba] Samba+LDAP - so close yet so far :) ...STILL NOT SOLVED
Dear lists...

But this still un-solved the real problem to join w2k to samba3-ldap.
I'm here with the same situation.
I even switch my distro to SuSe with same result, still can't join domain.
Please give us hint how to solve or debug this problem.

regards
reza

-----Original Message-----
From: Craig White [mailto:craigwhite@azapple.com]
Sent: Tue 7/20/2004 9:48 AM
To: samba@lists.samba.org
Cc:
Subject: Re: [Samba] Samba+LDAP - so close yet so far :) ...STILL NOT SOLVED

On Mon, 2004-07-19 at 19:34, José Ildefonso Camargo Tolosa wrote:
> >http://samba.idealx.org/smbldap-howto.fr.html as you
> >recommended. I have one big question, which one do I
> >put in '/etc/ldap.conf'
> >
> >nss_base_passwd dc=wbcoll,dc=edu?one
> >nss_base_shadow dc=wbcoll,dc=edu?one
> >nss_base_group ou=Groups,dc=wbcoll,dc=edu?one
> >
> >or
> >
> >nss_base_passwd ou=Users,dc=wbcoll,dc=edu?one
> >nss_base_shadow ou=Users,dc=wbcoll,dc=edu?one
> >nss_base_group ou=Groups,dc=wbcoll,dc=edu?one
> >
> >
> Neither, use this:
>
> nss_base_passwd dc=wbcoll,dc=edu?sub
> nss_base_shadow dc=wbcoll,dc=edu?sub
> nss_base_group ou=Groups,dc=wbcoll,dc=edu?one
>
> Look at the sub, it tells the system to descend to all the sub-objects it may have.
>---
It is pertinent to consider that this suggestion waives any efficiency
for ease of use as it will tell all user lookups to search the entire
LDAP tree.

I already told him to use his second choice as that is most efficient. I
recognize that your option would permit the option of trying to use a
separate organizational unit for Computers but this guy is endlessly
confused, and simple is clearly better for his purposes, without
considering the impact of excessive searching of the LDAP db.

Craig
José Ildefonso Camargo Tolosa
2004-Jul-20 15:32 UTC
[Samba] Samba+LDAP - so close yet so far :) ...STILL NOT SOLVED
Mohammad Reza wrote:

>Dear lists...
>
>But this still un-solved the real problem to join w2k to samba3-ldap.
>I'm here with the same situation.
>I even switch my distro to SuSe with same result, still can't join domain.
>Please give us hint how to solve or debug this problem.
>
>

Sorry, I looked at the thread, and I don't have info about your problem with w2k. According to what I read at the link posted by Abebe, I think it may be a problem with the unix system not "seeing" the machine account created automatically by samba (ie, the smbldap-useradd script). You should be able to do a "su - winxp\$" as root, and it should log in:

obelix:~# su - virtualxp\$
No directory, logging in with HOME=/

Of course, it will not give you a prompt as virtualxp\$, because the shell is /bin/false, but if the user didn't exist, it would have answered: Unknown ID, or something like that.

>
>regards
>reza
>
>-----Original Message-----
>From: Craig White [mailto:craigwhite@azapple.com]
>Sent: Tue 7/20/2004 9:48 AM
>To: samba@lists.samba.org
>Cc:
>Subject: Re: [Samba] Samba+LDAP - so close yet so far :) ...STILL NOT SOLVED
>On Mon, 2004-07-19 at 19:34, José Ildefonso Camargo Tolosa wrote:
>
>>>http://samba.idealx.org/smbldap-howto.fr.html as you
>>>recommended. I have one big question, which one do I
>>>put in '/etc/ldap.conf'
>>>
>>>nss_base_passwd dc=wbcoll,dc=edu?one
>>>nss_base_shadow dc=wbcoll,dc=edu?one
>>>nss_base_group ou=Groups,dc=wbcoll,dc=edu?one
>>>
>>>or
>>>
>>>nss_base_passwd ou=Users,dc=wbcoll,dc=edu?one
>>>nss_base_shadow ou=Users,dc=wbcoll,dc=edu?one
>>>nss_base_group ou=Groups,dc=wbcoll,dc=edu?one
>>>
>>Neither, use this:
>>
>>nss_base_passwd dc=wbcoll,dc=edu?sub
>>nss_base_shadow dc=wbcoll,dc=edu?sub
>>nss_base_group ou=Groups,dc=wbcoll,dc=edu?one
>>
>>Look at the sub, it tells the system to descend to all the sub-objects it may have.
>>
>---
>It is pertinent to consider that this suggestion waives any efficiency
>for ease of use as it will tell all user lookups to search the entire
>LDAP tree.
>
>I already told him to use his second choice as that is most efficient. I
>recognize that your option would permit the option of trying to use a
>separate organizational unit for Computers but this guy is endlessly
>confused, and simple is clearly better for his purposes, without
>considering the impact of excessive searching of the LDAP db.
>
>Craig
abebe lsslp
2004-Jul-20 15:36 UTC
[Samba] Samba+LDAP - so close yet so far :) ...STILL NOT SOLVED
I was having trouble sleeping last night, so I started going over your past e-mails. Do you remember asking me to make sure LDAP is authenticating system users? And I told you that it was. I was not completely lying, it authenticates 'testuser1' with no problem. However, 'administrator' is getting kicked out as soon as it logs in. Here is what it looks like:

[root@eaglex root]# ssh administrator@192.168.1.10
administrator@192.168.1.10's password:
Last login: Tue Jul 20 09:49:05 2004 from 192.168.1.17
Connection to 192.168.1.10 closed.
[root@eaglex root]#

Here is part of 'slapd.log':
+++++++++++++++++++++++++++++++++++++++++++++++++++
Jul 20 10:22:31 eaglex slapd[20508]: conn=7 op=2 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
Jul 20 10:22:31 eaglex slapd[20508]: conn=7 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 20 10:22:31 eaglex slapd[20508]: conn=7 fd=15 closed
Jul 20 10:25:17 eaglex slapd[20508]: conn=4 op=2 SRCH base="dc=wbcoll,dc=edu" scope=2 filter="(&(objectClass=posixAccount)(uid=administrator))"
Jul 20 10:25:17 eaglex slapd[20508]: conn=4 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jul 20 10:25:17 eaglex slapd[20508]: conn=4 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 20 10:25:19 eaglex slapd[20508]: conn=8 fd=15 ACCEPT from IP=127.0.0.1:33263 (IP=0.0.0.0:389)
Jul 20 10:25:19 eaglex slapd[20508]: conn=8 op=0 BIND dn="cn=Manager,dc=wbcoll,dc=edu" method=128
Jul 20 10:25:19 eaglex slapd[20508]: conn=8 op=0 BIND dn="cn=Manager,dc=wbcoll,dc=edu" mech=simple ssf=0
Jul 20 10:25:19 eaglex slapd[20508]: conn=8 op=0 RESULT tag=97 err=0 text=
Jul 20 10:25:19 eaglex slapd[20508]: conn=8 op=1 SRCH base="dc=wbcoll,dc=edu" scope=2 filter="(uid=Administrator)"
Jul 20 10:25:19 eaglex slapd[20508]: conn=8 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 20 10:25:19 eaglex slapd[20508]: conn=8 op=2 BIND anonymous mech=implicit ssf=0
Jul 20 10:25:19 eaglex slapd[20508]: conn=8 op=2 BIND dn="uid=Administrator,ou=Users,dc=wbcoll,dc=edu" method=128
Jul 20 10:25:19 eaglex slapd[20508]: conn=8 op=2 BIND dn="uid=Administrator,ou=Users,dc=wbcoll,dc=edu" mech=simple ssf=0
Jul 20 10:25:19 eaglex slapd[20508]: conn=8 op=2 RESULT tag=97 err=0 text=
Jul 20 10:25:19 eaglex slapd[20508]: conn=8 op=3 BIND anonymous mech=implicit ssf=0
Jul 20 10:25:19 eaglex slapd[20508]: conn=8 op=3 BIND dn="cn=Manager,dc=wbcoll,dc=edu" method=128
Jul 20 10:25:19 eaglex slapd[20508]: conn=8 op=3 BIND dn="cn=Manager,dc=wbcoll,dc=edu" mech=simple ssf=0
Jul 20 10:25:19 eaglex slapd[20508]: conn=8 op=3 RESULT tag=97 err=0 text=
Jul 20 10:25:19 eaglex slapd[20508]: conn=9 fd=18 ACCEPT from IP=127.0.0.1:33264 (IP=0.0.0.0:389)
Jul 20 10:25:19 eaglex slapd[20508]: conn=9 op=0 BIND dn="cn=Manager,dc=wbcoll,dc=edu" method=128
Jul 20 10:25:19 eaglex slapd[20508]: conn=9 op=0 BIND dn="cn=Manager,dc=wbcoll,dc=edu" mech=simple ssf=0
Jul 20 10:25:19 eaglex slapd[20508]: conn=9 op=0 RESULT tag=97 err=0 text=
Jul 20 10:25:19 eaglex slapd[20508]: deferring operation
Jul 20 10:25:19 eaglex slapd[20508]: conn=9 op=1 SRCH base="dc=wbcoll,dc=edu" scope=2 filter="(&(objectClass=shadowAccount)(uid=Administrator))"
Jul 20 10:25:19 eaglex slapd[20508]: conn=9 op=1 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire
Jul 20 10:25:19 eaglex slapd[20508]: conn=9 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 20 10:25:20 eaglex slapd[20508]: conn=8 op=4 UNBIND
Jul 20 10:25:20 eaglex slapd[20508]: conn=8 fd=15 closed
Jul 20 10:25:20 eaglex slapd[20508]: conn=10 fd=15 ACCEPT from IP=127.0.0.1:33265 (IP=0.0.0.0:389)
Jul 20 10:25:20 eaglex slapd[20508]: conn=9 fd=18 closed
Jul 20 10:25:20 eaglex slapd[20508]: conn=10 op=0 BIND dn="cn=Manager,dc=wbcoll,dc=edu" method=128
Jul 20 10:25:20 eaglex slapd[20508]: conn=10 op=0 BIND dn="cn=Manager,dc=wbcoll,dc=edu" mech=simple ssf=0
Jul 20 10:25:20 eaglex slapd[20508]: conn=10 op=0 RESULT tag=97 err=0 text=
Jul 20 10:25:20 eaglex slapd[20508]: conn=10 op=1 SRCH base="dc=wbcoll,dc=edu" scope=2 filter="(uid=Administrator)"
Jul 20 10:25:20 eaglex slapd[20508]: conn=10 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 20 10:25:20 eaglex slapd[20508]: conn=10 op=2 SRCH base="ou=Groups,dc=wbcoll,dc=edu" scope=1 filter="(&(objectClass=posixGroup)(|(memberUid=Administrator)(uniqueMember=uid=administrator,ou=users,dc=wbcoll,dc=edu)))"
Jul 20 10:25:20 eaglex slapd[20508]: conn=10 op=2 SRCH attr=cn userPassword memberUid uniqueMember gidNumber
Jul 20 10:25:20 eaglex slapd[20508]: conn=10 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 20 10:25:20 eaglex slapd[20508]: conn=10 fd=15 closed
+++++++++++++++++++++++++++++++++++++++++++++++++++

Is it alright if I delete the files in '/var/lib/ldap/*' before I use 'slapindex'? When I do the 'ldapsearch' command, machine entry does not exist anymore.

Here is my 'smb.conf' after taking out what you told me and using 'testparm -s > /tmp/smb.conf'
+++++++++++++++++++++++++++++++++++++++++++++
[root@eaglex root]# cat /tmp/smb.conf
Processing section "[homes]"
Processing section "[netlogon]"
Processing section "[Profiles]"
Processing section "[printers]"
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
# Global parameters
[global]
    workgroup = AGUILAS
    netbios name = EALGEX
    server string = Samba-LDAP PDC Server
    map to guest = Bad User
    passdb backend = ldapsam:ldap://127.0.0.1/
    username map = /etc/samba/smbusers
    log level = 10
    log file = /var/log/samba/%m.log
    max log size = 10000
    time server = Yes
    deadtime = 10
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    printcap name = cups
    add user script = /usr/sbin/smbldap-useradd -m "%u"
    add group script = /usr/sbin/smbldap-groupadd -p "%g"
    add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
    delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
    set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
    add machine script = /usr/sbin/smbldap-useradd -w "%u"
    logon script = logon.bat
    logon path =
    logon drive = H:
    logon home =
    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
    dns proxy = No
    wins support = Yes
    ldap suffix = dc=wbcoll,dc=edu
    ldap machine suffix = ou=People,dc=wbcoll,dc=edu
    ldap user suffix = ou=Users,dc=wbcoll,dc=edu
    ldap group suffix = ou=Groups,dc=wbcoll,dc=edu
    ldap idmap suffix = dc=wbcoll,dc=edu
    ldap admin dn = cn=Manager,dc=wbcoll,dc=edu
    ldap passwd sync = Yes
    ldap delete dn = Yes
    printer admin = @print Operators
    create mask = 0640
    directory mask = 0750
    hosts allow = 192.168.1., 192.168.2., 127.
    printing = cups
    dont descend = /proc,/dev,/etc,/lib,/lost+found,/initrd

[homes]
    comment = Home Directories
    read only = No
    browseable = No

[netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    guest ok = Yes
    share modes = No
++++++++++++++++++++++++++++++++++++++++++++++++

once again,
Ambex
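To see which of the nss_base_* forms debated earlier in this thread a host is actually running with, the SRCH lines of a slapd.log like the one above can be read back into the same base?scope notation. This is an added example, not code from any poster or from the Samba or OpenLDAP projects; it assumes the posixAccount, shadowAccount and posixGroup filters seen in the log mark the passwd, shadow and group lookups, and the function names are made up for illustration.

```python
import re
from collections import Counter

# SRCH lines copied from the slapd.log excerpt in the message above.
SAMPLE_SLAPD_LOG = '''\
Jul 20 10:25:17 eaglex slapd[20508]: conn=4 op=2 SRCH base="dc=wbcoll,dc=edu" scope=2 filter="(&(objectClass=posixAccount)(uid=administrator))"
Jul 20 10:25:17 eaglex slapd[20508]: conn=4 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jul 20 10:25:19 eaglex slapd[20508]: conn=8 op=1 SRCH base="dc=wbcoll,dc=edu" scope=2 filter="(uid=Administrator)"
Jul 20 10:25:19 eaglex slapd[20508]: conn=9 op=1 SRCH base="dc=wbcoll,dc=edu" scope=2 filter="(&(objectClass=shadowAccount)(uid=Administrator))"
Jul 20 10:25:20 eaglex slapd[20508]: conn=10 op=2 SRCH base="ou=Groups,dc=wbcoll,dc=edu" scope=1 filter="(&(objectClass=posixGroup)(|(memberUid=Administrator)(uniqueMember=uid=administrator,ou=users,dc=wbcoll,dc=edu)))"
'''

SCOPES = {"0": "base", "1": "one", "2": "sub"}  # LDAP scope codes as slapd logs them
# Assumption: these objectClass filters identify the nss map being looked up.
NSS_MAPS = {"posixaccount": "passwd", "shadowaccount": "shadow", "posixgroup": "group"}
SRCH = re.compile(r'SRCH base="([^"]*)" scope=(\d+) filter="(.*)"$')
OBJECT_CLASS = re.compile(r"\(objectClass=(\w+)\)", re.IGNORECASE)


def nss_lookups(log_text):
    """Count (nss map, search base, scope name) for each nss-style search."""
    seen = Counter()
    for line in log_text.splitlines():
        m = SRCH.search(line.strip())
        if not m:
            continue                      # BIND, RESULT and "SRCH attr=" lines
        base, scope, ldap_filter = m.groups()
        oc = OBJECT_CLASS.search(ldap_filter)
        nss_map = NSS_MAPS.get(oc.group(1).lower()) if oc else None
        if nss_map:                       # skip searches with no nss objectClass
            seen[(nss_map, base, SCOPES.get(scope, scope))] += 1
    return seen


def as_nss_base_lines(log_text):
    """Render the observed searches in /etc/ldap.conf nss_base_XXX syntax."""
    return sorted(f"nss_base_{m} {base}?{scope}"
                  for m, base, scope in nss_lookups(log_text))


def whole_tree_maps(log_text, suffix):
    """nss maps whose lookups are subtree searches rooted at the suffix."""
    return sorted({m for m, base, scope in nss_lookups(log_text)
                   if scope == "sub" and base.lower() == suffix.lower()})


if __name__ == "__main__":
    print("\n".join(as_nss_base_lines(SAMPLE_SLAPD_LOG)))
    print("whole-tree lookups:", whole_tree_maps(SAMPLE_SLAPD_LOG, "dc=wbcoll,dc=edu"))
```

For the excerpt above, the passwd and shadow lookups come out as subtree searches from dc=wbcoll,dc=edu and the group lookup as a one-level search under ou=Groups, which is consistent with the ?sub / ?sub / ?one variant suggested in the thread.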
abebe lsslp
2004-Jul-28 20:11 UTC
[Samba] Samba+LDAP - so close yet so far :) ...STILL NOT SOLVED
So....here I am with some more of my problem :( Sorry for the slow response to your last e-mails, I had to give up my xp machine and had to wait till I get a new one. We were also having trouble with our ISP (cox) for me to VPN from my home xp machine.

Back to the real deal... I have decided not to assume anything and to take it step by step :) Craig..I have followed your advice and I am using 'people' instead of 'Computers'.

NOTE:
- Have 'root= administrator' in /etc/samba/smbusers
- Have done the appropriate changes to the xp registry
-[root@eaglex root]# smbldap-usershow administrator
dn: uid=Administrator,ou=Users,dc=wbcoll,dc=edu
cn: Administrator
sn: Administrator
objectClass: inetOrgPerson,sambaSAMAccount,posixAccount,shadowAccount
gidNumber: 512
uid: Administrator
uidNumber: 0
homeDirectory: /home/
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomePath: \\EAGLEX\homes
sambaHomeDrive: H:
sambaPrimaryGroupSID: S-1-5-21-3864350619-1217412381-2490860374-512
sambaSID: S-1-5-21-3864350619-1217412381-2490860374-2996
loginShell: /bin/false
gecos: Netbios Domain Administrator
sambaAcctFlags: [U]
sambaPwdMustChange: 1098811932
sambaLMPassword: F70389E8F4B94063AAD3B435B51404EE
sambaPwdLastSet: 1091035932
sambaNTPassword: 60BED106E19D7A3F919FA1919125FFBA
userPassword: {SSHA}3zMR3Ds/5knGujxtByOIYPjl0mVBhJgr

ERROR: (having trouble joining XP (xptest) to domain).
The following error occurred attempting to join the domain "AGUILAS":
'Access is denied.'

And here is part of the error message in 'xptest.log':
[2004/07/28 13:59:39, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: Checking password for unmapped user [AGUILAS]\[administrator]@[XPTEST] with the new password interface
[2004/07/28 13:59:39, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password: mapped user is: [AGUILAS]\[root]@[XPTEST]
[2004/07/28 13:59:39, 3] smbd/sec_ctx.c:push_sec_ctx(256)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2004/07/28 13:59:39, 3] smbd/uid.c:push_conn_ctx(364)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2004/07/28 13:59:39, 3] smbd/sec_ctx.c:set_sec_ctx(288)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2004/07/28 13:59:39, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2004/07/28 13:59:39, 3] auth/auth_sam.c:check_sam_security(202)
  check_sam_security: Couldn't find user 'root' in passdb file.
[2004/07/28 13:59:39, 3] auth/auth_winbind.c:check_winbind_security(80)
  check_winbind_security: Not using winbind, requested domain [AGUILAS] was for this SAM.
[2004/07/28 13:59:39, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [administrator] -> [root] FAILED with error NT_STATUS_NO_SUCH_USER
[2004/07/28 13:59:39, 3] smbd/sesssetup.c:do_map_to_guest(41)
  No such user administrator [AGUILAS] - using guest account

QUESTION:
1) Do I have to add 'smbpasswd -a root' or 'smbpasswd -a administrator'?
2) NT_STATUS_NO_SUCH_USER ? 'pdbedit -LV administrator' shows that the user exists
3) do 'root' and 'administrator' have to have the same password?

Ambex
Christian.Wittmer@intercomponentware.com
2004-Jul-29 06:52 UTC
[Samba] Samba+LDAP - so close yet so far :) ...STILL NOT SOLVED
abebe lsslp <peaceofcrap2001@yahoo.com>
Sent by: samba-bounces+christian.wittmer=intercomponentware.com@lists.samba.org
28.07.2004 22:11
To: Samba Samba <samba@lists.samba.org>
cc:
Subject: Re: [Samba] Samba+LDAP - so close yet so far :) ...STILL NOT SOLVED

>Back to the real deal... I have decided not to assume anything and to take it step by step :) Craig..I have
>followed your advice and I am using 'people' instead of 'Computers'.

OK, if you store Computers and Users in ou=People that's ok

>NOTE:
>- Have 'root= administrator' in /etc/samba/smbusers

no, remove it

>- Have done the appropriate changes to the xp registry

You do not need any modifications

>-[root@eaglex root]# smbldap-usershow administrator
>dn: uid=Administrator,ou=Users,dc=wbcoll,dc=edu

I think you use ou=People ?!

>cn: Administrator
>sn: Administrator
>objectClass: inetOrgPerson,sambaSAMAccount,posixAccount,shadowAccount
>gidNumber: 512
>uid: Administrator
>uidNumber: 0
>homeDirectory: /home/
>sambaLogonTime: 0
>sambaLogoffTime: 2147483647
>sambaKickoffTime: 2147483647
>sambaPwdCanChange: 0
>sambaHomePath: \\EAGLEX\homes
>sambaHomeDrive: H:
>sambaPrimaryGroupSID: S-1-5-21-3864350619-1217412381-2490860374-512
>sambaSID: S-1-5-21-3864350619-1217412381-2490860374-2996
>loginShell: /bin/false
>gecos: Netbios Domain Administrator
>sambaAcctFlags: [U]
>sambaPwdMustChange: 1098811932
>sambaLMPassword: F70389E8F4B94063AAD3B435B51404EE
>sambaPwdLastSet: 1091035932
>sambaNTPassword: 60BED106E19D7A3F919FA1919125FFBA
>userPassword: {SSHA}3zMR3Ds/5knGujxtByOIYPjl0mVBhJgr

>ERROR: (having trouble joining XP (xptest) to domain).
>The following error occurred attempting to join the domain "AGUILAS":
>'Access is denied.'

Error is shown in the LOG

>And here is part of the error message in 'xptest.log':
>[2004/07/28 13:59:39, 3] auth/auth.c:check_ntlm_password(219)
>check_ntlm_password: Checking password for unmapped user [AGUILAS]\[administrator]@[XPTEST] with the new
>password interface
>[2004/07/28 13:59:39, 3] auth/auth.c:check_ntlm_password(222)
>check_ntlm_password: mapped user is: [AGUILAS]\[root]@[XPTEST]

Here is the error. Remove usermapping in smbusers. Administrator should not be mapped to root !!!

>[2004/07/28 13:59:39, 3] smbd/sec_ctx.c:push_sec_ctx(256)
>push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
>[2004/07/28 13:59:39, 3] smbd/uid.c:push_conn_ctx(364)
>push_conn_ctx(0) : conn_ctx_stack_ndx = 0
>[2004/07/28 13:59:39, 3] smbd/sec_ctx.c:set_sec_ctx(288)
>setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
>[2004/07/28 13:59:39, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
>pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
>[2004/07/28 13:59:39, 3] auth/auth_sam.c:check_sam_security(202)
>check_sam_security: Couldn't find user 'root' in passdb file.
>[2004/07/28 13:59:39, 3] auth/auth_winbind.c:check_winbind_security(80)
>check_winbind_security: Not using winbind, requested domain [AGUILAS] was for this SAM.
>[2004/07/28 13:59:39, 2] auth/auth.c:check_ntlm_password(312)
>check_ntlm_password: Authentication for user [administrator] -> [root] FAILED with error NT_STATUS_NO_SUCH_USER
>[2004/07/28 13:59:39, 3] smbd/sesssetup.c:do_map_to_guest(41)
>No such user administrator [AGUILAS] - using guest account

>QUESTION:
>1) Do I have to add 'smbpasswd -a root' or 'smbpasswd -a administrator'?

No. See comment in LOG

>2) NT_STATUS_NO_SUCH_USER ? 'pdbedit -LV administrator' shows that the user exists

Try 'smbclient -L [YOURHOST] -UAdministrator%password' where password is the password you gave Administrator. You can check if you can access shares on your samba

>3) do 'root' and 'administrator' have to have the same password?

No, Administrator only needs to have the uid=0, and he has it.

If you have 2 ou, one for Users and one for Computers, then you need to have /etc/ldap.conf like the following. This is a must have when not using NIS !!!!

#
# This is the configuration file for the LDAP nameservice
# switch library, the LDAP PAM module and the shadow package.
#
.....snip
# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd ou=People,dc=icw,dc=com?sub # uncomment when using NIS
#nss_base_shadow ou=People,dc=icw,dc=com?sub # uncomment when using NIS
nss_base_group ou=Groups,dc=icw,dc=com?sub
nss_base_hosts ou=Machines,dc=icw,dc=com?sub
....

When any other Questions will come along, just mail me.

Christian
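The pattern Christian points to in xptest.log (a username map entry rewrites the client's logon name, and the rewritten name then has no passdb entry) can be picked out of a Samba log mechanically. This is an added example, not code from any poster or from Samba itself; the "bob" entry in the sample is constructed, the function names are made up, and the map parser only handles plain "unixname = clientname ..." lines.

```python
import re

# First four entries are quoted from xptest.log in the thread; the last entry
# (user "bob") is constructed to show a failure that no map entry caused.
SAMPLE_LOG = r"""[2004/07/28 13:59:39, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: Checking password for unmapped user [AGUILAS]\[administrator]@[XPTEST] with the new password interface
[2004/07/28 13:59:39, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password: mapped user is: [AGUILAS]\[root]@[XPTEST]
[2004/07/28 13:59:39, 3] auth/auth_sam.c:check_sam_security(202)
  check_sam_security: Couldn't find user 'root' in passdb file.
[2004/07/28 13:59:39, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [administrator] -> [root] FAILED with error NT_STATUS_NO_SUCH_USER
[2004/07/28 14:02:10, 2] auth/auth.c:check_ntlm_password(312)
  check_ntlm_password: Authentication for user [bob] -> [bob] FAILED with error NT_STATUS_WRONG_PASSWORD
"""

# The mapping the poster reported having in /etc/samba/smbusers.
SAMPLE_SMBUSERS = "root= administrator\n"

HEADER = re.compile(r"^\[\d{4}/\d\d/\d\d \d\d:\d\d:\d\d, +\d+\] \S+\(\d+\)$")
FAILED = re.compile(r"Authentication for user \[([^\]]*)\] -> \[([^\]]*)\] "
                    r"FAILED with error (\S+)")
NOT_IN_PASSDB = re.compile(r"Couldn't find user '([^']*)' in passdb")


def parse_username_map(text):
    """Return {client name (lowercase): unix name} from 'unix = client ...' lines."""
    mapping = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;" or "=" not in line:
            continue
        unix_name, clients = line.split("=", 1)
        for client in clients.split():
            mapping[client.lower()] = unix_name.strip()
    return mapping


def messages(log_text):
    """Yield each entry's message text; timestamp/source header lines are dropped."""
    for line in log_text.splitlines():
        line = line.strip()
        if line and not HEADER.match(line):
            yield line


def mapped_auth_failures(log_text, smbusers_text=""):
    """List failed logons, flagging the ones a username map entry redirected."""
    user_map = parse_username_map(smbusers_text)
    missing = set()                       # accounts smbd could not find in passdb
    findings = []
    for msg in messages(log_text):
        m = NOT_IN_PASSDB.search(msg)
        if m:
            missing.add(m.group(1).lower())
            continue
        m = FAILED.search(msg)
        if m:
            client, mapped, status = m.groups()
            remapped = client.lower() != mapped.lower()
            findings.append({
                "client_user": client, "mapped_user": mapped, "status": status,
                "remapped": remapped,
                "mapped_user_missing_from_passdb": mapped.lower() in missing,
                "map_entry": remapped and user_map.get(client.lower()) == mapped,
            })
    return findings
```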
Christian.Wittmer@intercomponentware.com
2004-Jul-30 07:23 UTC
[Samba] Samba+LDAP - so close yet so far :) ...STILL NOT SOLVED
abebe lsslp <peaceofcrap2001@yahoo.com>
30.07.2004 01:35
To: Christian.Wittmer@intercomponentware.com
cc:
Subject: Re: [Samba] Samba+LDAP - so close yet so far :) ...STILL NOT SOLVED

Hey Christian,

Thanks for your response and your willingness to help me out! However, I am so excited to tell you that I have been able to join the domain for right now. As you said, commenting out "root=administrator" in '/etc/samba/smbusers' and then 'smbpasswd -a administrator' fixed the problem.

> #nss_base_passwd ou=People,dc=icw,dc=com?sub # uncomment when using NIS
> #nss_base_shadow ou=People,dc=icw,dc=com?sub # uncomment when using NIS

:))

>Don't you have to have the n 'nss_base_shadow'?

Only when you're using NIS. The problem is when joining Machine to Domain samba searches in ou=People because of "nss_base_shadow|passwd". And I read this in the smbldap-tools Mailinglist (www.idealx.org)

> nss_base_group ou=Groups,dc=icw,dc=com?sub
> nss_base_hosts ou=Machines,dc=icw,dc=com?sub

>What version did the samba team fix the ou= Machines for hosts?

I started to manage LDAP with "LAM" and there are Machines and not Computers so I stayed on Machines. Now I make quick mods on LDAP with "phpMyLDAPAdmin", it's great.

>I will contact you if I have trouble with this as I configure Samba+LDAP on the production box.

OK

Thanks again,
Ambex

Chris