samba - Aug 2008 - Problem with pdbedit during add machine account

Hi,

I have running LDAP + SAMBA as PDC on gentoo and I have problem with
adding machine account.

Whem I try add machine account with pdbedit -am 'hostname' I have this
error:

smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=OFFICE.KENS.PL))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
smbldap_search_domain_info: Searching
for:[(&(objectClass=sambaDomain)(sambaDomainName=OFFICE.KENS.PL))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
Cannot locate Unix account for hostname$


I added first machine account with smbldap-useradd -w 'localhost'
(host has been created in LDAP tree in right ou),

the /etc/nsswitch.conf looks like these:

passwd:     ldap
shadow:     ldap
group:      ldap

hosts:       files dns
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files

But sill the same error.

That error disappers after change /etc/nsswitch.conf to:

passwd:      compat
shadow:      compat
group:       compat


and run: adduser hostname$
and then: pdbedit -am 'hostname'

Also it works fine when I use: smbldap-useradd 'localhost$', but then
I have mixed Users and Computers, and I dont want this kind of mess.

My questions are: Why I must create Unix account for machine account
before pdbedit create it? Why pdbedit doesn't see Unix accounts for
computures in ou=Computers, only in ou=Users?

--
Best Regards,

Micha? Adamczyk

On Wednesday 06 August 2008 04:51:19 Micha? Adamczyk
wrote:
> Hi,
>
> I have running LDAP + SAMBA as PDC on gentoo and I have problem with
> adding machine account.
>
> Whem I try add machine account with pdbedit -am 'hostname' I have
this
> error:
>
> smbldap_search_domain_info: Searching
> for:[(&(objectClass=sambaDomain)(sambaDomainName=OFFICE.KENS.PL))]
> smbldap_open_connection: connection opened
> ldap_connect_system: succesful connection to the LDAP server
> smbldap_search_domain_info: Searching
> for:[(&(objectClass=sambaDomain)(sambaDomainName=OFFICE.KENS.PL))]
> smbldap_open_connection: connection opened
> ldap_connect_system: succesful connection to the LDAP server
> Cannot locate Unix account for hostname$
How is your /etc/ldap.conf file configured? Do you have the following in this 
file?:

nss_base_passwd        ou=People,ou=Users,dc=yourzone,dc=org?one
nss_base_passwd        ou=Computers,ou=Users,dc=yourzone,dc=org?one
nss_base_shadow        ou=People,ou=Users,dc=yourzone,dc=org?one
nss_base_shadow        ou=Computers,ou=Users,dc=yourzone,dc=org?one
nss_base_group            ou=Groups,dc=yourzone,dc=org?one

Instead of searching each directory sub-tree, you could do a sub-search from 
the top down, like this:

nss_base_passwd	dc=yourzone,dc=org?sub
nss_base_shadow	dc=yourzone,dc=org?sub
nss_base_group            ou=Groups,dc=yourzone,dc=org?one

> I added first machine account with smbldap-useradd -w 'localhost'
> (host has been created in LDAP tree in right ou),
There is no need to do the above.  Samba never refers to itself 
as "localhost".
> the /etc/nsswitch.conf looks like these:
>
> passwd:     ldap
> shadow:     ldap
> group:      ldap
For the above you might want:

passwd: files ldap
shadow: files ldap
group: files ldap

This permits resolution of system accounts at boot time and before LDAP is 
enabled.
> hosts:       files dns
> networks:    files dns
>
> services:    db files
> protocols:   db files
> rpc:         db files
> ethers:      db files
> netmasks:    files
> netgroup:    files
> bootparams:  files
>
> automount:   files
> aliases:     files
>
> But sill the same error.
>
> That error disappers after change /etc/nsswitch.conf to:
>
> passwd:      compat
> shadow:      compat
> group:       compat
The compat model is good, but then you need to add to your /etc/nsswitch.conf 
file:

passwd_compat:  ldap
group_compat:   ldap
>
> and run: adduser hostname$
> and then: pdbedit -am 'hostname'
>
> Also it works fine when I use: smbldap-useradd 'localhost$', but
then
> I have mixed Users and Computers, and I dont want this kind of mess.
>
> My questions are: Why I must create Unix account for machine account
> before pdbedit create it? Why pdbedit doesn't see Unix accounts for
> computures in ou=Computers, only in ou=Users?
>
> --
> Best Regards,
>
> Micha? Adamczyk
Cheers,
John T.