I cannot join any Windows clients to my Samba 3 PDC. I am seeing these logs in my Samba log.machinename when I am attempting to join it to the domain. I am using an OpenLDAP backend hosted on the PDC. I can su, or ssh into the PDC with LDAP-only accounts without problem.

[2006/12/13 12:36:05, 2] lib/smbldap.c:smbldap_open_connection(722)
  smbldap_open_connection: connection opened
[2006/12/13 12:36:05, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: Admin
[2006/12/13 12:36:05, 2] passdb/pdb_ldap.c:init_group_from_ldap(2199)
  init_group_from_ldap: Entry found for group: 512
[2006/12/13 12:36:05, 2] auth/auth.c:check_ntlm_password(307)
  check_ntlm_password: authentication for user [admin] -> [admin] -> [Admin] succeeded
[2006/12/13 12:36:06, 2] rpc_server/srv_samr_nt.c:_samr_lookup_domain(2659)
  Returning domain sid for domain TSCH -> S-1-5-21-1413032332-9999999999-666666666
[2006/12/13 12:36:06, 2] passdb/pdb_ldap.c:init_ldap_from_sam(1064)
  init_ldap_from_sam: Setting entry for user: readykey$
[2006/12/13 12:36:06, 2] passdb/pdb_ldap.c:ldapsam_add_sam_account(2141)
  ldapsam_add_sam_account: added: uid == readykey$ in the LDAP database
[2006/12/13 12:36:06, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: readykey$
[2006/12/13 12:36:06, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: readykey$
[2006/12/13 12:36:06, 0] libsmb/smbencrypt.c:decode_pw_buffer(514)
  decode_pw_buffer: incorrect password length (2118141193).
[2006/12/13 12:36:06, 0] libsmb/smbencrypt.c:decode_pw_buffer(515)
  decode_pw_buffer: check that 'encrypt passwords = yes'
[2006/12/13 12:36:06, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: readykey$
[2006/12/13 12:36:06, 0] passdb/pdb_ldap.c:ldapsam_delete_entry(480)
  ldapsam_delete_entry: Could not delete attributes for uid=readykey$,ou=Computers,dc=tsch,dc=lan, error: Object class violation (attribute 'displayName' not allowed)
[2006/12/13 12:36:07, 2] smbd/server.c:exit_server(614)
  Closing connections
[2006/12/13 12:36:42, 2] lib/smbldap.c:smbldap_open_connection(722)
  smbldap_open_connection: connection opened
[2006/12/13 12:36:42, 2] smbd/server.c:exit_server(614)
  Closing connections
[2006/12/13 12:36:42, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640)
  init_sam_from_ldap: Entry found for user: Admin
[2006/12/13 12:36:42, 2] passdb/pdb_ldap.c:init_group_from_ldap(2199)
  init_group_from_ldap: Entry found for group: 512
[2006/12/13 12:36:42, 2] auth/auth.c:check_ntlm_password(307)
  check_ntlm_password: authentication for user [admin] -> [admin] -> [Admin] succeeded
[2006/12/13 12:36:44, 2] smbd/server.c:exit_server(614)
  Closing connections

I used smbldap-tools to populate the DIT. This created a cn=Admin account in the tree, with a uidNumber=0, and allowed me to set the password. I have been using this account to attempt to join the client. I see that even though the join fails, the machine account gets created in my ou=Computers. The error I get on the Windows workstation is "Logon failure: unknown username or bad password."

OpenLDAP server 2.2.30, FreeBSD 6.1-release, and Samba 3.0.21b

My smb.conf:

[global]
  netbios name = test-dc
  encrypt passwords = yes
  workgroup = tsch
  security = user
  invalid users = bin daemon sys man postfix mail ftp
  admin users = @wheel
  # domain admin group = @wheel
  # domain admin users = root
  # wins support = yes
  printing = cups
  passdb backend = ldapsam:ldap://localhost
  # username map = /etc/samba/smbusers
  enable privileges = yes
  os level = 65
  preferred master = yes
  show add printer wizard = yes
  local master = yes
  domain logons = yes
  domain master = yes
  logon path = \\%N\profiles\%U
  logon drive = H:
  logon home = \\%N\Users\%U
  # logon script

  ## idealx scripts for user, group, and machine account mgmt
  add user script = /usr/local/sbin/smbldap-useradd -m "%u"
  delete user script = /usr/local/sbin/smbldap-userdel "%u"
  add group script = /usr/local/sbin/smbldap-groupadd "%g"
  delete group script = /usr/local/sbin/smbldap-groupdel "%g"
  add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
  delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
  set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
  add machine script = /usr/local/sbin/smbldap-useradd - w "%u"

  ## password sync
  passwd program = /usr/local/sbin/smbldap-passwd -o %u
  passwd chat = *New*password* %n\n *Retype*new*password* %n\n *passwd:*all*authentication*tokens*updated*
  unix password sync = yes

  ## OpenLDAP stuff here
  ldap suffix = dc=tsch,dc=lan
  ldap user suffix = ou=People
  ldap group suffix = ou=Groups
  ldap machine suffix = ou=Computers
  ldap idmap suffix = ou=People
  ldap admin dn = cn=Manager,dc=tsch,dc=lan
  ldap passwd sync = yes
  ldap ssl = no
  ldap delete dn = no
  # idmap backend = ldap:ldap://localhost
  # idmap uid = 15000-20000
  # idmap gid = 15000-20000

  ## logging options
  log level = 2
  log file = /usr/local/samba/var/log.%m
  max log size = 1000
  syslog = 1

## defining the network logon service
[netlogon]
  comment = Network Logon Service
  path = /usr/local/samba/netlogon
  read only = yes
  #write list
  valid users = root @smbusers

## Defining profile shares for roaming profiles
[profiles]
  comment = Roaming profile shares
  path = /usr/local/samba/profiles
  writeable = yes
  create mask = 0600
  directory mask = 0700
  browsable = no
  guest ok = yes

[printers]
  comment = All printers
  path = /var/spool/samba
  browseable = no
  # Set public = yes to allow user 'guest account' to print
  guest ok = no
  writeable = no
  printable = yes

--
Brad Askew
The Surgery Center of Huntsville
721 Madison St.
Huntsville, AL 35801
256.533.4888
256.319.2710 - Fax
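
A triage helper for logs in the layout shown above, added here as an example and not part of the original post: it splits the stream on the `[timestamp, level] file:function(line)` headers and lists the level-0 entries together with the last account name seen before each one. The sample log, the account `ws01$`, the suffix `dc=example,dc=lan` and the function names `parse` and `failures` are constructed for illustration.

```python
import re

# Header that starts every smbd log entry: [date time, level] file:function(line)
HEADER = re.compile(
    r"\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), +(\d+)\] (\S+?):(\w+)\((\d+)\)"
)
# Account names as they appear in the pdb_ldap messages
ACCOUNT = re.compile(r"(?:Entry found for user: |uid == |uid=)([^\s,]+)")

# Constructed sample, flattened onto one line the way a mail archive may deliver it
SAMPLE = (
    "[2006/12/13 12:36:06, 2] passdb/pdb_ldap.c:ldapsam_add_sam_account(2141) "
    "ldapsam_add_sam_account: added: uid == ws01$ in the LDAP database "
    "[2006/12/13 12:36:06, 2] passdb/pdb_ldap.c:init_sam_from_ldap(640) "
    "init_sam_from_ldap: Entry found for user: ws01$ "
    "[2006/12/13 12:36:06, 0] libsmb/smbencrypt.c:decode_pw_buffer(514) "
    "decode_pw_buffer: incorrect password length (2118141193). "
    "[2006/12/13 12:36:06, 0] passdb/pdb_ldap.c:ldapsam_delete_entry(480) "
    "ldapsam_delete_entry: Could not delete attributes for "
    "uid=ws01$,ou=Computers,dc=example,dc=lan, error: Object class violation "
    "[2006/12/13 12:36:07, 2] smbd/server.c:exit_server(614) Closing connections"
)

def parse(text):
    """Split a log (one entry per line pair, or flattened) into entry dicts."""
    heads = list(HEADER.finditer(text))
    entries = []
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        entries.append({
            "time": m.group(1), "level": int(m.group(2)), "source": m.group(3),
            "func": m.group(4), "line": int(m.group(5)),
            "msg": " ".join(text[m.end():end].split()),  # normalise whitespace
        })
    return entries

def failures(entries):
    """Return (time, function, account, message) for every level-0 entry."""
    last_account, out = None, []
    for e in entries:
        hit = ACCOUNT.search(e["msg"])
        if hit:
            last_account = hit.group(1)  # remember who the server was handling
        if e["level"] == 0:
            out.append((e["time"], e["func"], last_account, e["msg"]))
    return out

if __name__ == "__main__":
    for row in failures(parse(SAMPLE)):
        print(" | ".join(str(col) for col in row))
```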