Christopher Swingley
2009-Sep-14 20:30 UTC
[Samba] Samba PDC + OpenLDAP, Jaunty: Can't join domain
Greetings!

I'm trying to get an OpenLDAP (2.4.15-1ubuntu3), Samba PDC (2:3.3.2-1ubuntu3.1) running under Ubuntu Jaunty. I've followed the instructions on the Ubuntu server guide (https://help.ubuntu.com/9.04/serverguide/C/samba-ldap.html) as closely as possible (twice. . .), and spent some time with Chapter 5 of the Samba3 By Example book, trying to use it to get things working.

But I can't seem to join a computer to the domain, and I've run out of ideas. I'd like some help trying to identify where I've gone wrong and how to get the server to allow desktops to join.

There are three user accounts in the LDAP database, 'nobody', 'root' and 'cswingley':

    # ldapsearch -xLLL -b 'ou=People,dc=abrinc,dc=com' uid uidNumber
    dn: ou=People,dc=abrinc,dc=com

    dn: uid=root,ou=People,dc=abrinc,dc=com
    uid: root
    uidNumber: 0

    dn: uid=nobody,ou=People,dc=abrinc,dc=com
    uid: nobody
    uidNumber: 65534

    dn: uid=cswingley,ou=People,dc=abrinc,dc=com
    uid: cswingley
    uidNumber: 522

Both 'root' and 'cswingley' are able to connect to the server with smbclient using their account passwords set up in LDAP. Both accounts are also in the "Domain Admins" group:

    # getent group | grep "Domain Admins"
    Domain Admins:*:512:root,cswingley

'cswingley' has the SeMachineAccountPrivilege right, as does the "Domain Admins" group:

    # net rpc rights list accounts -U root%PASSWD
    TESTDOM\cswingley
    SeMachineAccountPrivilege

    TESTDOM\Domain Admins
    SeMachineAccountPrivilege
    SeRemoteShutdownPrivilege
    SePrintOperatorPrivilege
    SeAddUsersPrivilege
    SeDiskOperatorPrivilege

Here are a few of the /etc/samba/smb.conf settings that seem relevant:

    passdb backend = ldapsam:ldap://127.0.0.1
    ldap admin dn = cn=admin,dc=test,dc=com
    add machine script = sudo /usr/sbin/smbldap-useradd -t 0 -w "%u"
    domain logons = yes
    wins support = yes
    log level = 3 passdb:10 auth:10

When I try to join a Windows XP SP3 computer to the domain as 'root' (or 'TESTDOM\root'), I get 'Logon failure: unknown user or bad password'.

When I try to join using my account (cswingley), I get 'Access is denied'.

Adding the computer to LDAP manually using 'smbldap-useradd -w' doesn't make a difference.

I'm not seeing anything in the logs that look like login failures or some other obvious mistake errors, so I don't know where to go next or what else to try.

I feel like I'm missing something very simple, because everything goes exactly as expected when I follow along in the guides. But at the end of the day, it doesn't work.

Help and advice greatly appreciated.

Thanks!

Chris
--
Christopher S. Swingley
http://swingleydev.com/
<cswingle at gmail.com>
Christopher Swingley
2009-Sep-15 19:29 UTC
[Samba] Samba PDC + OpenLDAP, Jaunty: Can't join domain
> But I can't seem to join a computer to the domain, and I've run out of
> ideas. I'd like some help trying to identify where I've gone wrong
> and how to get the server to allow desktops to join.

Sorry to reply to my own post. I figured out my problem:

    $ smbclient -L //newserv
    Domain=[TESTDOM] OS=[Unix] Server=[Samba 3.3.2]

        Server               Comment
        ---------            -------
        NEWSERV              newserv server (Samba, Ubuntu)

        Workgroup            Master
        ---------            -------
    -   TESTDOM              DESKTOP
    +   TESTDOM              NEWSERV

In other words, I had another "test" machine that was acting as the domain master. Nothing I did on the new server made any difference because joining to the domain was going to the wrong place.

Cheers,

Chris
--
Christopher S. Swingley
http://swingleydev.com/
<cswingle at gmail.com>
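
The check that resolved this thread can be scripted. The following is an added example, not part of the original posts: it reads an `smbclient -L` listing and reports whether the master shown for a workgroup is the server you expect. The function names and the sample listing are constructed for illustration, and workgroup names are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example: report which host an `smbclient -L` listing names as master
# browser for a workgroup, and compare it with the server you expect.

# Constructed sample listing (assumes DESKTOP is the stray master).
sample_listing() {
cat <<'EOF'
Domain=[TESTDOM] OS=[Unix] Server=[Samba 3.3.2]

    Server               Comment
    ---------            -------
    NEWSERV              newserv server (Samba, Ubuntu)

    Workgroup            Master
    ---------            -------
    TESTDOM              DESKTOP
EOF
}

# Read a listing on stdin; print the master listed for workgroup $1.
workgroup_master() {
    awk -v wg="$1" '
        $1 == "Workgroup" && $2 == "Master" { in_table = 1; next }  # table header
        in_table && $1 ~ /^-+$/             { next }                # dashed rule
        in_table && NF == 0                 { in_table = 0 }        # table ended
        in_table && toupper($1) == toupper(wg) { print $2; exit }
    '
}

upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# Exit status: 0 master is the expected host, 1 another host, 2 workgroup absent.
check_master() {
    expected=$1; wg=$2
    actual=$(workgroup_master "$wg")
    if [ -z "$actual" ]; then
        echo "workgroup $wg not in browse list" >&2; return 2
    fi
    if [ "$(upper "$actual")" != "$(upper "$expected")" ]; then
        echo "master for $wg is $actual, expected $expected" >&2; return 1
    fi
    echo "master for $wg is $actual"
}

# Live use (anonymous listing): smbclient -N -L //newserv | check_master NEWSERV TESTDOM
```

A non-zero status before a join attempt means clients resolving the domain may be directed to a host other than the PDC being configured.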