The Samba-Bugzilla – Bug 5722
net rpc vampire fails to import machine accounts correctly
Last modified: 2011-11-02 13:28:27 UTC
When I start sucking a PDC in my LDAP server, the following
errors come up with every machine account on the PDC:
Creating account: SP1$
/usr/sbin/smbldap-usermod: user SP1_ doesn't exist
[2008/08/27 14:09:45, 0] groupdb/mapping.c:smb_set_primary_group(312)
smb_set_primary_group: Running the command `/usr/sbin/smbldap-usermod -g 'Domain Users' 'SP1_'' gave 1
User SP1_ does not exist: create it first !
What instantly strikes me is that there is an _ instead
of the $ in the PC name, which cannot work.
I guess the second error comes up when the script tries to set
the correct password!? Afterwards, nevertheless, there are
machine account passwords in the LDAP database, but they seem
wrong because machine connects fail.
Everything else is flawlessly imported (users, groups, group memberships).
I didn't change anything in the configuration, which worked
perfectly with vampire in 3.0.x.
Example LDAP entry of the above-mentioned machine after import:
sambaAcctFlags: [W ]
workgroup = PRESSFK
netbios name = DEBIANPDC
wins server = 192.168.200.3
domain master = No
domain logons = Yes
passdb backend = ldapsam:ldap://127.0.0.1
## User management ldapsam
add user script = /usr/sbin/smbldap-useradd -m '%u'
delete user script = /usr/sbin/smbldap-userdel '%u'
add machine script = /usr/sbin/smbldap-useradd -w '%u'
add group script = /usr/sbin/smbldap-groupadd -p '%g'
delete group script = /usr/sbin/smbldap-groupdel '%g'
add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
ldap suffix = dc=test,dc=com
ldap admin dn = cn=manager,dc=test,dc=com
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
ldap passwd sync = Yes
ldap delete dn = Yes
ldap ssl = No
Yes, that's going to happen as we're trying not to get any meta-characters into our account database (machine accounts are normally created by net join activity). I'll take a look at this to see what can be done to fix it.
The problem is the same if you create a machine account with srvmgr.exe.
I don't understand why Samba 3.2 is trying to set the primary group SID of a machine account. Is this normal behaviour? Isn't the POSIX stuff enough?
By default the idealx scripts create a machine account with a primary gid that corresponds to a "Domain Computers" POSIX group/Samba group mapping. Then Samba 3.2 seems to check whether the machine account is in the "Domain Users" group and tries to correct this if it's not the case (first the POSIX stuff with smb_set_primary_group, then sambaPrimaryGroupSID in LDAP).
Unfortunately smb_set_primary_group doesn't like trailing dollars. I'm not sure but perhaps it's because of the use of talloc_string_sub instead of talloc_string_sub2 with the right parameters:
add_script = talloc_string_sub(ctx,
                add_script, "%u", unix_user);
But as I said before, I really don't understand why Samba 3.2 is trying to set the primary group SID of a machine account.
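The '%u' substitution behaviour discussed in the comment above, as an added example that is not part of the bug thread and is not Samba's source: a simplified C model in which shell-unsafe characters in the account name become '_' before the name is placed in the script command line, with an option to keep a trailing '$'. The function names, the unsafe-character set and the flag are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Characters treated as shell-unsafe here (set assumed for this example). */
static const char UNSAFE[] = "$`\"';%\r\n";

/* Copy name, replacing unsafe characters with '_'. If allow_trailing_dollar
 * is set, a '$' in the last position is kept, so "SP1$" survives. */
char *sanitize_name(const char *name, int allow_trailing_dollar)
{
    size_t n = strlen(name);
    char *out = malloc(n + 1);
    if (!out) return NULL;
    for (size_t i = 0; i < n; i++) {
        int keep = name[i] == '$' && i + 1 == n && allow_trailing_dollar;
        out[i] = (!keep && strchr(UNSAFE, name[i])) ? '_' : name[i];
    }
    out[n] = '\0';
    return out;
}

/* Replace every "%u" in tmpl with the sanitized name. Caller frees. */
char *expand_user(const char *tmpl, const char *name, int allow_trailing_dollar)
{
    char *safe = sanitize_name(name, allow_trailing_dollar);
    if (!safe) return NULL;
    size_t slen = strlen(safe), hits = 0;
    for (const char *p = tmpl; (p = strstr(p, "%u")) != NULL; p += 2) hits++;
    char *out = malloc(strlen(tmpl) + hits * slen + 1), *w = out;
    while (out && *tmpl) {
        if (tmpl[0] == '%' && tmpl[1] == 'u') {
            memcpy(w, safe, slen); w += slen; tmpl += 2;
        } else {
            *w++ = *tmpl++;
        }
    }
    if (out) *w = '\0';
    free(safe);
    return out;
}

int main(void)
{
    const char *t = "/usr/sbin/smbldap-usermod -g 'Domain Users' '%u'";
    char *a = expand_user(t, "SP1$", 0), *b = expand_user(t, "SP1$", 1);
    if (a && b) printf("%s\n%s\n", a, b);
    free(a); free(b);
    return 0;
}
```

With the flag off, the expanded command names 'SP1_', matching the log in the report; with it on, the machine account name stays 'SP1$' while quotes and embedded '$' characters are still replaced.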
I'm using Samba 3.3.3 with the same results. Whenever I try to create a machine account with srvmgr.exe, the error occurs. As I've done some further investigations on the internet, the same situation occurred with Samba 3.0.7.
Metze, isn't that exactly the issue you resolved very recently?
Does this still happen with 3.6.x?