samba - Jun 2012 - Two attempts required to join domain

Hi Everyone.

I have run across an issue that is driving me crazy. This is a new deployment
of Samba v3.6.5 with openldap v2.4.30 and smbldap-tools v0.9.8


When trying to join the domain, on the first attempt the machine account is
properly created in the correct ou - e.g. ou=Computers,dc=domain,dc=local

But the "failed to join domain" pop-up with reason of "The user
name could not
be found" is displayed (which really means the machine name was not found
in
LDAP)  and of course the machine is not yet a domain member.

However, a 2nd attempt to join the domain with the same credentials,
immediately after the failure results in a "Welcome to the X domain"
and the
machine is now a domain member.


Setting the openldap slapd loglevel to 416 to show the queries during this
process reveals the following:

On 1st join attempt Samba searches the whole directory from dc=domain,dc=local
with a scope of 2 (sub) for uid=MyMachine, objectClass=sambaSamAccount.

It of course does not find it, so the smbldap-useradd script is called and the
machine account is properly added to ou=Computers.

Then Samba immediately searches _ONLY_ ou=People,dc=domain,dc=local for the
newly created machine account and of course does not find it. And the
"failed
to join domain" pop-up is displayed on the WinXP machine.

On the second join attempt, Samba _ONLY_ searches
ou=Computers,dc=domain,dc=local, which is where it SHOULD search for machines
as defined everywhere in my configs and it finds the machine and the machine
successfully joins the domain.

If I set all configs - samba, smbldap etc to be such that computers are in the
"People" organizational unit, then joining the domain works on the
first try,
every time.

Also, if I un-join the domain, but leave the machine account in LDAP in
ou=Computers and then re-join the domain, this always works on first try too
since Samba's initial scope 2 "sub" search of the directory
starting at the
top will find the machine account under ou=Computers.

Can someone offer guidance as to why during the new machine creation process
(joining a domain) Samba does not look for the machine in the defined machines
ou but always in the People ou?

Thank you in advance for any help on this!

--
Bill Arlofski
Reverse Polarity, LLC

bump

I'd prefer to not have to put machine accounts into the People OU for all
the
obvious reasons, but I may be forced to in order to have the end-user (e.g.
our customer) experience to be a smooth one.

Any idea on what might cause the behavior I am seeing described on the 13th
below?

Thanks for any help!

-- 
Bill Arlofski
Reverse Polarity, LLC

On 06/13/12 18:55, Bill Arlofski wrote:
> Hi Everyone.
> 
> I have run across an issue that is driving me crazy. This is a new
deployment
> of Samba v3.6.5 with openldap v2.4.30 and smbldap-tools v0.9.8
> 
> 
> When trying to join the domain, on the first attempt the machine account is
> properly created in the correct ou - e.g. ou=Computers,dc=domain,dc=local
> 
> But the "failed to join domain" pop-up with reason of "The
user name could not
> be found" is displayed (which really means the machine name was not
found in
> LDAP)  and of course the machine is not yet a domain member.
> 
> However, a 2nd attempt to join the domain with the same credentials,
> immediately after the failure results in a "Welcome to the X
domain" and the
> machine is now a domain member.
> 
> 
> Setting the openldap slapd loglevel to 416 to show the queries during this
> process reveals the following:
> 
> On 1st join attempt Samba searches the whole directory from
dc=domain,dc=local
> with a scope of 2 (sub) for uid=MyMachine, objectClass=sambaSamAccount.
> 
> It of course does not find it, so the smbldap-useradd script is called and
the
> machine account is properly added to ou=Computers.
> 
> Then Samba immediately searches _ONLY_ ou=People,dc=domain,dc=local for the
> newly created machine account and of course does not find it. And the
"failed
> to join domain" pop-up is displayed on the WinXP machine.
> 
> On the second join attempt, Samba _ONLY_ searches
> ou=Computers,dc=domain,dc=local, which is where it SHOULD search for
machines
> as defined everywhere in my configs and it finds the machine and the
machine
> successfully joins the domain.
> 
> If I set all configs - samba, smbldap etc to be such that computers are in
the
> "People" organizational unit, then joining the domain works on
the first try,
> every time.
> 
> Also, if I un-join the domain, but leave the machine account in LDAP in
> ou=Computers and then re-join the domain, this always works on first try
too
> since Samba's initial scope 2 "sub" search of the directory
starting at the
> top will find the machine account under ou=Computers.
> 
> Can someone offer guidance as to why during the new machine creation
process
> (joining a domain) Samba does not look for the machine in the defined
machines
> ou but always in the People ou?
> 
> Thank you in advance for any help on this!
> 
> --
> Bill Arlofski
> Reverse Polarity, LLC

On Wed, 13 Jun 2012, Bill Arlofski wrote:
> Can someone offer guidance as to why during the new machine creation
process
> (joining a domain) Samba does not look for the machine in the defined
machines
> ou but always in the People ou?
In /etc/ldap.conf you probably need something like:

nss_base_passwd         ou=People,dc=domain,dc=org?one
nss_base_passwd         ou=Computers,dc=domain,dc=org?one

Steve