Björn Lindqvist
2006-Jul-24 21:30 UTC
[Samba] impossible to join domain - smbldap-useradd -w "%u" is buggy
Hello all!

I have spent a lot of time chasing down what I think is a bug in smbldap-tools. It seems like many other people have experienced the same problem too. It was pretty hard to triage so I'm writing it down here.

The symptom of the problem is that Windows machines cannot join your Samba+LDAP PDC. When you try to change the domain Windows pops up a dialog box saying "no such user." But the user exists; what it really is complaining about is that the machine account for the computer isn't found. Not only do users have accounts in Samba, all computers also have their own accounts. Their accounts always end with a $ sign. Provided you have a "fairly default" configuration of Samba+LDAP, all machine accounts can be listed with ldapsearch like this:

    ldapsearch -LLL -D 'cn=Manager,dc=your,dc=company,dc=com' -w yourpwd \
        -b 'ou=Computers,dc=your,dc=company,dc=com' 'objectClass=account'

Odds are that the machine account for the computer isn't there.

Another way to verify that it is the machine account that is missing is to check the slapd log in /var/log/openldap/ldap.log. First there is a line like this (indented and line-broken for readability):

    op=13 SRCH base="dc=your,dc=company,dc=com" scope=2 deref=1
        filter="(&(uid=computer-name$)(objectClass=sambaSamAccount))"

This log line shows Samba attempting to locate the machine account object in the LDAP directory. Then two lines below:

    op=13 SEARCH RESULT tag=101 err=0 nentries=0 text

Note that nentries=0 - LDAP didn't find the requested object.

One (bad) way to fix this problem is to manually add the machine account with:

    smbldap-useradd -w computer-name$

But that method will probably break and it isn't the right way to do it. And it isn't feasible to manually add an account for each machine. Samba should automagically add the machine accounts.
Check /etc/samba/smb.conf, locate a line looking like this:

    add machine script = /usr/sbin/smbldap-useradd -w "%u"

This is the command that Samba executes when an unregistered machine account tries to connect to it. But does it work? NO. Check /var/log/samba/log.computer-name:

    [2006/07/21 15:58:34, 5] rpc_server/srv_samr_nt.c:_samr_create_user(2402)
      _samr_create_user: can add this account : False
    Use of uninitialized value in string at /usr/sbin//smbldap_tools.pm line 286.
    Use of uninitialized value in string at /usr/sbin//smbldap_tools.pm line 286.
    [2006/07/21 15:58:35, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2415)
      _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w "computer-name$"' gave 1

This shows Samba trying to add the user, but the smbldap-useradd script failing to do so. It signals an error by "gave 1". Try doing the same thing Samba tries on the command line:

    /usr/sbin/smbldap-useradd -w "computer-name$"
    Use of uninitialized value in string at /usr/sbin//smbldap_tools.pm line 286.
    Use of uninitialized value in string at /usr/sbin//smbldap_tools.pm line 286.

This is the real error. smbldap-useradd can't cope with the quotes. The fix is to NOT have the quotes in smb.conf:

    add machine script = /usr/sbin/smbldap-useradd -w %u

I believe this is a bug, but that is how you have to handle it meanwhile.

HTH

-- 
mvh Björn
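The slapd-log check the post walks through by hand (find the SRCH for a `$`-suffixed uid, then look at the matching SEARCH RESULT and its nentries) can be automated. The following is an added example, not code from the post or from the Samba or smbldap-tools projects. It pairs SRCH and SEARCH RESULT lines by their conn= and op= identifiers (slapd reuses op numbers across connections, and the post's excerpt omits conn=, so conn is treated as optional), and reports every machine-account lookup that returned zero entries. The log lines embedded below are constructed for the example; the hostnames, connection and operation numbers are made up.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample slapd log (not from the original post): one failed
# machine-account lookup (workstation01$), one user lookup that succeeds,
# and one machine-account lookup on another connection that succeeds.
SAMPLE_LOG = """\
Jul 21 15:58:34 pdc slapd[2113]: conn=7 op=13 SRCH base="dc=your,dc=company,dc=com" scope=2 deref=1 filter="(&(uid=workstation01$)(objectClass=sambaSamAccount))"
Jul 21 15:58:34 pdc slapd[2113]: conn=7 op=13 SRCH attr=uid sambaSID
Jul 21 15:58:34 pdc slapd[2113]: conn=7 op=13 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jul 21 15:58:35 pdc slapd[2113]: conn=7 op=14 SRCH base="dc=your,dc=company,dc=com" scope=2 deref=1 filter="(&(uid=alice)(objectClass=sambaSamAccount))"
Jul 21 15:58:35 pdc slapd[2113]: conn=7 op=14 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 21 15:59:02 pdc slapd[2113]: conn=8 op=13 SRCH base="dc=your,dc=company,dc=com" scope=2 deref=1 filter="(&(uid=laptop02$)(objectClass=sambaSamAccount))"
Jul 21 15:59:02 pdc slapd[2113]: conn=8 op=13 SEARCH RESULT tag=101 err=0 nentries=1 text=
"""

# A Samba lookup of an account: SRCH line whose filter is
# (&(uid=NAME)(objectClass=sambaSamAccount)). conn= may be absent in
# trimmed excerpts, so it is optional; op= is required for pairing.
SRCH_RE = re.compile(
    r'(?:conn=(\d+) )?op=(\d+) SRCH .*?'
    r'filter="\(&\(uid=([^)]+)\)\(objectClass=sambaSamAccount\)\)"'
)
# The result line for the same (conn, op) carries the entry count.
RESULT_RE = re.compile(r'(?:conn=(\d+) )?op=(\d+) SEARCH RESULT .*?nentries=(\d+)')


def missing_machine_accounts(log_text: str) -> List[Tuple[str, Optional[str], str]]:
    """Return (uid, conn, op) for every machine-account (uid ending in '$')
    lookup whose SEARCH RESULT reported nentries=0."""
    pending = {}   # (conn, op) -> uid of an in-flight machine-account search
    missing = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            conn, op, uid = m.groups()
            # Only machine accounts are interesting here; user lookups are skipped.
            if uid.endswith("$"):
                pending[(conn, op)] = uid
            continue
        m = RESULT_RE.search(line)
        if m:
            conn, op, nentries = m.groups()
            uid = pending.pop((conn, op), None)
            if uid is not None and int(nentries) == 0:
                missing.append((uid, conn, op))
    return missing


if __name__ == "__main__":
    for uid, conn, op in missing_machine_accounts(SAMPLE_LOG):
        where = f"conn={conn} op={op}" if conn is not None else f"op={op}"
        print(f"machine account {uid} not found in LDAP ({where}); "
              f"check 'add machine script' in smb.conf and log.{uid.rstrip('$')}")
```

Run it against the real file with `missing_machine_accounts(open('/var/log/openldap/ldap.log').read())`; a hit means the same thing the post describes: Samba asked for the machine account and the directory had no such object, so the next place to look is the add machine script invocation in the per-client Samba log.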
Reasonably Related Threads
- Needs to run smbldap-useradd as non-root user
- smbldap-useradd says "Error: modifications require authentication at /usr/lib/perl5/5.8.8/smbldap_tools.pm line 1056."
- debugging smbldap-useradd failures
- smbldap-useradd error looking for next uid
- SMBLDAP tools reports "modifications require authentication at /usr/sbin//smbldap_tools.pm" but manually command works.