Bryan Celentano
2009-Feb-15 17:27 UTC
[Samba] Strange issue with Samba + LDAP + Domain Member
Hey,

I keep posting but no replies yet, this is a new issue, the rest I seem to have fixed.

I have an odd issue:

* When I do net rpc join the PDC creates the account, and puts it into LDAP, which looks fine.
* I then can access the domain and winbind works fine from the Domain Member server.
* On the PDC I see the following error: "pdb_get_group_sid: Failed to find Unix account for member$"
* So I had a look into the nss_ldap and found it wasn't searching the ou=computers, so I added this in, and the error goes.
* Then I have a new issue, the domain member and winbind fails with NT_ACCESS_DENIED.
* So I remove the nss_ldap entry for the ou=computers and it all works again.

Has anyone come across this issue? Any help would be great.

Regards,
Bryan
John Drescher
2009-Feb-15 21:27 UTC
[Samba] Strange issue with Samba + LDAP + Domain Member
On Sun, Feb 15, 2009 at 12:27 PM, Bryan Celentano <bryan.celentano@ultracontrols.aero> wrote:

> Hey,
>
> I keep posting but no replies yet, this is a new issue, the rest I seem to have fixed.
>
> I have an odd issue:
>
> * When I do net rpc join the PDC creates the account, and puts it into LDAP, which looks fine.
> * I then can access the domain and winbind works fine from the Domain Member server.
> * On the PDC I see the following error: "pdb_get_group_sid: Failed to find Unix account for member$"
> * So I had a look into the nss_ldap and found it wasn't searching the ou=computers, so I added this in, and the error goes.
> * Then I have a new issue, the domain member and winbind fails with NT_ACCESS_DENIED.
> * So I remove the nss_ldap entry for the ou=computers and it all works again.
>
> Has anyone come across this issue? Any help would be great.

Yes. I have this issue (and have had it for at least 5 years) using the smbldap-tools. To work around it I now just precreate an account using LAM (http://lam.sourceforge.net/) and then all is well with the PDC join. The previous workaround was to create a user for the machine account on the pdc first in the /etc/passwd.

John
Bryan Celentano
2009-Feb-17 18:17 UTC
[Samba] Strange issue with Samba + LDAP + Domain Member
Hello,

Thank you for the replies, I will try the first, but in regards to your reply Ray, as soon as I do that, the domain member complains of NT_STATUS_ACCESS_DENIED, but the errors are removed from the Domain Controller.

Regards,
Bryan

-----Original Message-----
From: Ray Klassen [mailto:rayklassen@gmail.com]
Sent: 16 February 2009 17:08
To: John Drescher
Cc: Bryan Celentano; Samba mailing list
Subject: Re: [Samba] Strange issue with Samba + LDAP + Domain Member

I get around this by including

    nss_base_passwd ou=Computers,dc=mydomain,dc=com?one

in /etc/ldap.conf. If nss_ldap isn't looking in your computers tree for passwd entries, it will never see them as unix accounts.

On Sun, Feb 15, 2009 at 1:27 PM, John Drescher <drescherjm@gmail.com> wrote:

> On Sun, Feb 15, 2009 at 12:27 PM, Bryan Celentano <bryan.celentano@ultracontrols.aero> wrote:
>> Hey,
>>
>> I keep posting but no replies yet, this is a new issue, the rest I seem to have fixed.
>>
>> I have an odd issue:
>>
>> * When I do net rpc join the PDC creates the account, and puts it into LDAP, which looks fine.
>> * I then can access the domain and winbind works fine from the Domain Member server.
>> * On the PDC I see the following error: "pdb_get_group_sid: Failed to find Unix account for member$"
>> * So I had a look into the nss_ldap and found it wasn't searching the ou=computers, so I added this in, and the error goes.
>> * Then I have a new issue, the domain member and winbind fails with NT_ACCESS_DENIED.
>> * So I remove the nss_ldap entry for the ou=computers and it all works again.
>>
>> Has anyone come across this issue? Any help would be great.
>
> Yes. I have this issue (and have had it for at least 5 years) using the smbldap-tools. To work around it I now just precreate an account using LAM (http://lam.sourceforge.net/) and then all is well with the PDC join. The previous workaround was to create a user for the machine account on the pdc first in the /etc/passwd.
>
> John
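
An added example, not part of any post in this thread: a small offline check of whether the `nss_base_passwd` search descriptors in an nss_ldap `/etc/ldap.conf` cover a machine account's DN, which is the condition behind the "Failed to find Unix account for member$" message discussed above. The sample config and the `uid=member$,ou=Computers,...` DN layout are constructed assumptions; the `base?scope?filter` syntax, the `base` and `scope` defaults, and the trailing-comma relative base follow nss_ldap's documented configuration format.

```python
# Constructed sample config; dc=mydomain,dc=com is the placeholder suffix from the thread.
SAMPLE_LDAP_CONF = """\
base dc=mydomain,dc=com
scope sub
nss_base_passwd ou=People,dc=mydomain,dc=com?one
"""
# Assumed DN layout for the machine account named in the PDC error.
MACHINE_DN = "uid=member$,ou=Computers,dc=mydomain,dc=com"

def norm(dn):
    """Split a DN into lower-cased RDNs (simple DNs without escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def passwd_bases(conf_text):
    """Return [(base_rdns, scope)] for each nss_base_passwd search descriptor."""
    default_base, default_scope, raw = "", "sub", []
    for line in conf_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "base":
            default_base = value
        elif key == "scope":
            default_scope = value.lower()
        elif key == "nss_base_passwd":
            raw.append(value)
    bases = []
    for value in raw or [default_base]:  # no descriptor: default base is searched
        fields = [f.strip() for f in value.split("?")]
        base = fields[0] + default_base if fields[0].endswith(",") else fields[0]
        scope = fields[1].lower() if len(fields) > 1 and fields[1] else default_scope
        bases.append((norm(base), scope))
    return bases

def visible_as_passwd(conf_text, entry_dn):
    """True if entry_dn falls inside the scope of any passwd search base."""
    entry = norm(entry_dn)
    for base, scope in passwd_bases(conf_text):
        depth = len(entry) - len(base)
        if depth < 0 or entry[depth:] != base:
            continue
        if scope == "sub" or (scope, depth) in (("one", 1), ("base", 0)):
            return True
    return False

if __name__ == "__main__":
    fixed = SAMPLE_LDAP_CONF + "nss_base_passwd ou=Computers,dc=mydomain,dc=com?one\n"
    # Coverage before and after adding the Computers descriptor.
    print(visible_as_passwd(SAMPLE_LDAP_CONF, MACHINE_DN), visible_as_passwd(fixed, MACHINE_DN))
```

This checks search scope only; the entry must also match nss_ldap's passwd filter (a `posixAccount` entry) before `getent passwd 'member$'` on the PDC will return it.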