Bryan Ragon
2006-Jan-26 20:43 UTC
[Samba] Creating a machine account manually (EMC, Samba PDC)
Greetings,

I am trying to join an EMC Celerra NS502 CIFS server to our Samba 3.0.21a domain controller. According to EMC, I was told that we need to manually create the machine account first. What is the best way to do this?

We are using an OpenLDAP backend, using the idealx scripts. Joining a Windows machine from the computer properties dialog of that machine works perfectly.

Things I have tried:

Running the NT4 SVRMGR.exe as domain\administrator, File -> Add Computer to Domain

Result: Dialog box that says "Access is denied"

/var/log/samba/machine_i_ran_svrmgr_on.log:

[2006/01/26 15:32:09, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: root
[2006/01/26 15:32:09, 2] auth/auth.c:check_ntlm_password(307)
  check_ntlm_password: authentication for user [root] -> [root] -> [root] succeeded
[2006/01/26 15:32:09, 2] lib/access.c:check_access(324)
  Allowed connection from (XX.XXX.X.XX)
[2006/01/26 15:32:09, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2610)
  Returning domain sid for domain ZAPATA -> S-1-5-21-482552267-1952276571-1847928075
[2006/01/26 15:32:09, 2] passdb/pdb_ldap.c:init_group_from_ldap(2199)
  init_group_from_ldap: Entry found for group: 515
[2006/01/26 15:32:09, 2] passdb/pdb_ldap.c:init_ldap_from_sam(1064)
  init_ldap_from_sam: Setting entry for user: boxer$
[2006/01/26 15:32:09, 2] passdb/pdb_ldap.c:ldapsam_add_sam_account(2141)
  ldapsam_add_sam_account: added: uid == boxer$ in the LDAP database
[2006/01/26 15:32:09, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: boxer$
[2006/01/26 15:32:09, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: boxer$
[2006/01/26 15:32:09, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: boxer$
[2006/01/26 15:32:09, 2] passdb/pdb_ldap.c:init_ldap_from_sam(1064)
  init_ldap_from_sam: Setting entry for user: boxer$
[2006/01/26 15:32:09, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1648)
  ldapsam_modify_entry: Failed to modify user dn= uid=boxer$,ou=Computers,dc=zapeng,dc=com with: No such attribute
  modify/delete: sambaPrimaryGroupSID: no such value
[2006/01/26 15:32:09, 0] passdb/pdb_ldap.c:ldapsam_update_sam_account(1873)
  ldapsam_update_sam_account: failed to modify user with uid = boxer$, error: modify/delete: sambaPrimaryGroupSID: no such value (Success)
[2006/01/26 15:32:09, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: boxer$

However, when I check the LDAP logs, the error that catches my eye is:

Jan 26 15:31:44 smokey slapd[14109]: conn=1625 op=58 MOD dn="uid=boxer$,ou=Computers,dc=zapeng,dc=com"
Jan 26 15:31:44 smokey slapd[14109]: conn=1625 op=58 MOD attr=sambaPrimaryGroupSID sambaPrimaryGroupSID displayName description sambaKickoffTime sambaPwdCanChange sambaPwdMustChange sambaLMPassword sambaNTPassword sambaPwdLastSet sambaLogonHours sambaAcctFlags sambaAcctFlags
Jan 26 15:31:44 smokey slapd[14109]: conn=1625 op=58 RESULT tag=103 err=16 text=modify/delete: sambaPrimaryGroupSID: no such value

Now let's suppose I try to run SVRMGR as my own account (who has been granted seMachineAccountAdd privileges).

Dialog: "The user name could not be found"

Samba log:

[2006/01/26 15:39:56, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2610)
  Returning domain sid for domain ZAPATA -> S-1-5-21-482552267-1952276571-1847928075
Could not find base dn, to get next uidNumber at /usr/local/sbin/samba//smbldap_tools.pm line 875.
[2006/01/26 15:39:56, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2359)
  _samr_create_user: Running the command `/usr/local/sbin/samba/smbldap-useradd -w 'boxer$'' gave 3
[2006/01/26 15:39:58, 2] lib/access.c:check_access(324)

And checking the LDAP logs, it appears that the bind is done anonymously, which it shouldn't do.
Bryan Ragon wrote:
> Greetings,
> I am trying to join an EMC Celerra NS502 CIFS server to our Samba
> 3.0.21a domain controller. According to EMC, I was told that we need to
> manually create the machine account first. What is the best way to do this?

How about <...>/smbldap-useradd -w NS502
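The thread never shows what a manually created machine entry has to contain, and the "modify/delete: sambaPrimaryGroupSID: no such value" failure above is what you get when Samba's post-create update tries to replace an attribute the entry never had. The following is an added Python example (not code from Samba, smbldap-tools, EMC or either poster) that builds the LDIF for a workstation trust account and checks an existing entry for the attributes the posted slapd MOD line shows Samba rewriting. It assumes the domain SID and ou=Computers DN from the posted logs, the smbldap-tools algorithmic RID mapping (rid = 2 * uidNumber + 1000), gidNumber 515 for Domain Computers (consistent with "Entry found for group: 515" in the log), the objectClass set shown (a cosine `account` plus the auxiliary classes; match your own smbldap.conf), and Samba's 13-column sambaAcctFlags encoding.

```python
"""Build and sanity-check an LDIF entry for a Samba 3 machine (trust) account.

Added example for the smbldap-useradd -w discussion; not code from Samba,
smbldap-tools or the posters. Values marked below are assumptions taken from
the posted logs or from the idealx conventions, not from the thread itself.
"""
import re

DOMAIN_SID = "S-1-5-21-482552267-1952276571-1847928075"  # from the posted logs
COMPUTERS_OU = "ou=Computers,dc=zapeng,dc=com"            # from the posted logs
DOMAIN_COMPUTERS_RID = 515                                # well-known RID of Domain Computers
DOMAIN_COMPUTERS_GID = 515   # assumption: smbldap-populate maps gidNumber == RID
# Samba's fixed-width flags field: "[" + flags left-justified in 11 columns + "]"
WORKSTATION_FLAGS = "[W" + " " * 10 + "]"

# Attributes Samba touches on the entry right after creation (cf. the slapd MOD
# line in the thread). An entry that lacks one of them is a candidate for the
# "modify/delete: <attr>: no such value" error shown in the logs.
REQUIRED_ATTRS = ("uid", "uidNumber", "gidNumber", "sambaSID",
                  "sambaPrimaryGroupSID", "sambaAcctFlags")

# NetBIOS host name: 1-15 chars, letters/digits/hyphen (validation is ours)
_HOST_RE = re.compile(r"[a-z0-9][a-z0-9-]{0,14}")


def machine_rid(uid_number: int) -> int:
    """Assumed idealx/smbldap-tools algorithmic mapping: rid = 2*uid + 1000."""
    return 2 * uid_number + 1000


def machine_account(hostname: str, uid_number: int,
                    gid_number: int = DOMAIN_COMPUTERS_GID) -> dict:
    """Return the attributes of a workstation trust account for `hostname`."""
    name = hostname.lower().rstrip("$")
    if not _HOST_RE.fullmatch(name):
        raise ValueError(f"bad NetBIOS host name: {hostname!r}")
    uid = name + "$"  # machine accounts are the host name plus a trailing '$'
    return {
        "dn": f"uid={uid},{COMPUTERS_OU}",
        # assumption: structural cosine 'account' plus the two auxiliary classes
        "objectClass": ["top", "account", "posixAccount", "sambaSamAccount"],
        "uid": uid,
        "cn": uid,
        "uidNumber": str(uid_number),
        "gidNumber": str(gid_number),
        "homeDirectory": "/dev/null",
        "loginShell": "/bin/false",
        "description": "Computer",
        "sambaSID": f"{DOMAIN_SID}-{machine_rid(uid_number)}",
        "sambaPrimaryGroupSID": f"{DOMAIN_SID}-{DOMAIN_COMPUTERS_RID}",
        "sambaAcctFlags": WORKSTATION_FLAGS,  # 'W' marks a workstation trust account
    }


def missing_attrs(entry: dict) -> list:
    """List the post-create attributes absent from an (ldapsearch-like) entry dict."""
    return [attr for attr in REQUIRED_ATTRS if not entry.get(attr)]


def to_ldif(entry: dict) -> str:
    """Serialise the entry as LDIF suitable for ldapadd (no base64 needed here)."""
    lines = [f"dn: {entry['dn']}"]
    for key, val in entry.items():
        if key == "dn":
            continue
        for v in (val if isinstance(val, list) else [val]):
            lines.append(f"{key}: {v}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    acct = machine_account("BOXER", 1002)
    print(to_ldif(acct))
    # A constructed half-populated entry like the one that failed in the thread:
    broken = {"uid": "boxer$", "uidNumber": "1002", "gidNumber": "515",
              "sambaSID": acct["sambaSID"]}
    print("missing on existing entry:", missing_attrs(broken))
```

The generated LDIF is meant to be loaded with ldapadd bound as the LDAP admin DN that smbldap.conf uses, not anonymously; the anonymous bind noted at the end of the first post is exactly the condition under which OpenLDAP refuses the add or modify. `missing_attrs` is for diagnosing an entry that already exists: feed it the attribute map from an ldapsearch of the uid=host$ entry and it names the attributes that would make Samba's follow-up modify fail.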