When I start sucking a PDC into my LDAP server, the following errors come up with every machine account on the PDC:

1.)
Creating account: SP1$
/usr/sbin/smbldap-usermod: user SP1_ doesn't exist
[2008/08/27 14:09:45, 0] groupdb/mapping.c:smb_set_primary_group(312)
  smb_set_primary_group: Running the command `/usr/sbin/smbldap-usermod -g 'Domain Users' 'SP1_'' gave 1

2.)
User SP1_ does not exist: create it first !

What instantly strikes me is that there is an _ instead of the $ in the PC name, which cannot work. I guess the second error comes up when the script tries to set the correct password!? Afterwards there are nevertheless machine account passwords in the LDAP database, but they seem wrong because machine connects fail. Everything else is flawlessly imported (users, groups, group memberships). I didn't change anything in the configuration, which worked perfectly with vampire in 3.0.x.

Example LDAP entry of the above-mentioned machine after import:
-------------------------------------------------------------
dn: uid=SP1$,ou=Computers,dc=test,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
cn: SP1$
uid: SP1$
uidNumber: 1071
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
structuralObjectClass: account
entryUUID: be6e3366-087c-102d-9d48-4b401f1e60f4
creatorsName: cn=manager,dc=test,dc=com
createTimestamp: 20080827120929Z
sambaSID: S-1-5-21-378104194-1064922793-1509252994-1090
sambaPrimaryGroupSID: S-1-5-21-378104194-1064922793-1509252994-513
sambaNTPassword: 5C49A9927C59942A46F193C41446FFD5
sambaPwdLastSet: 1162907539
sambaAcctFlags: [W ]
entryCSN: 20080827120929.102086Z#000000#000#000000
modifiersName: cn=manager,dc=test,dc=com
modifyTimestamp: 20080827120929Z

smb.conf (suck-configuration)
-----------------------------
[global]
workgroup = PRESSFK
netbios name = DEBIANPDC
wins server = 192.168.200.3

## Domain
#########
domain master = No
domain logons = Yes
passdb backend = ldapsam:ldap://127.0.0.1

## User management ldapsam
#############################
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'

## LDAP
#######
ldap suffix = dc=test,dc=com
ldap admin dn = cn=manager,dc=test,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap passwd sync = Yes
ldap delete dn = Yes
ldap ssl = No

Yes, that's going to happen as we're trying not to get any meta-characters into our account database (machine accounts are normally created by net join activity). I'll take a look at this to see what can be done to fix it. Jeremy.
The problem is the same if you create a machine account with srvmgr.exe. I don't understand why Samba 3.2 is trying to set the primary group SID of a machine account. Is this normal behaviour? Isn't the POSIX stuff enough?

By default the idealx scripts create a machine account with a primary gid that corresponds to a "Domain Computers" POSIX group/Samba group mapping. Then Samba 3.2 seems to check whether the machine account is in the "Domain Users" group and tries to correct this if it's not the case (first the POSIX stuff with smb_set_primary_group, then sambaPrimaryGroupSID in LDAP).

Unfortunately smb_set_primary_group doesn't like trailing dollars. I'm not sure, but perhaps it's because of the use of talloc_string_sub instead of talloc_string_sub2 with the right parameters:

add_script = talloc_string_sub(ctx, add_script, "%u", unix_user)

But as I said before, I really don't understand why Samba 3.2 is trying to set the primary group SID of a machine account.
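
As an added illustration (not Samba's code and not part of the original comments), this simplified C model reproduces the substitution discussed above: a `%u` expansion that replaces meta-characters with `_` turns `SP1$` into `SP1_`, while a variant that tolerates one trailing `$` keeps the machine name intact and still neutralises every other meta-character. The function names, the unsafe-character set and the `allow_trailing_dollar` switch are assumptions of this example; the command template is the one from the log in the report.

```c
#include <stdio.h>
#include <string.h>

/* Assumed unsafe set, modelled on the behaviour described in this thread. */
static const char UNSAFE[] = "`\"';$%\r\n";

/* Copy in to out, replacing unsafe characters with '_'. With
 * allow_trailing_dollar set, a '$' in the last position is kept. */
static void sanitize(const char *in, int allow_trailing_dollar, char *out, size_t outlen)
{
    size_t n = strlen(in), i;
    for (i = 0; i < n && i + 1 < outlen; i++) {
        int keep = allow_trailing_dollar && in[i] == '$' && i + 1 == n;
        out[i] = (strchr(UNSAFE, in[i]) && !keep) ? '_' : in[i];
    }
    out[i] = '\0';
}

/* Expand every "%u" in tmpl; returns 0, or -1 if a buffer is too small. */
int expand_script(const char *tmpl, const char *user,
                  int allow_trailing_dollar, char *out, size_t outlen)
{
    char safe[64];
    size_t used = 0;
    if (outlen == 0 || strlen(user) >= sizeof(safe)) return -1;
    sanitize(user, allow_trailing_dollar, safe, sizeof(safe));
    while (*tmpl) {
        int is_u = (tmpl[0] == '%' && tmpl[1] == 'u');
        const char *piece = is_u ? safe : tmpl;
        size_t plen = is_u ? strlen(safe) : 1;
        if (used + plen + 1 > outlen) return -1;
        memcpy(out + used, piece, plen);
        used += plen;
        tmpl += is_u ? 2 : 1;
    }
    out[used] = '\0';
    return 0;
}

int main(void)
{
    /* Template from the log on this page; SP1$ is the reported machine account. */
    const char *tmpl = "/usr/sbin/smbldap-usermod -g 'Domain Users' '%u'";
    char cmd[128];
    for (int allow = 0; allow <= 1; allow++)
        if (expand_script(tmpl, "SP1$", allow, cmd, sizeof(cmd)) == 0)
            printf("allow_trailing_dollar=%d: %s\n", allow, cmd);
    return 0;
}
```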
I'm using Samba 3.3.3 with the same results. Whenever I try to create a machine account with srvmgr.exe, the error occurs. As I've done some further investigation on the internet, the same situation occurred with Samba 3.0.7. http://www.mail-archive.com/samba@lists.samba.org/msg47210.html
Metze, isn't that exactly the issue you resolved very recently?
Does this still happen with 3.6.x?