Bug 647 - Joining clients to samba3 domain using LDAP backend
Summary: Joining clients to samba3 domain using LDAP backend
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: Domain Control (show other bugs)
Version: 3.0.0
Hardware: All Linux
Importance: P2 normal
Target Milestone: none
Assignee: Gerald (Jerry) Carter (dead mail address)
QA Contact:
Depends on:
Reported: 2003-10-18 09:52 UTC by Örn Hansen
Modified: 2005-11-14 09:25 UTC (History)

See Also:

Attachment: Log 5 results (536.25 KB, text/plain), 2003-10-18 10:05 UTC, Örn Hansen

Description Örn Hansen 2003-10-18 09:52:32 UTC
The server is using samba 3.0.1pre1cvs and is configured to use an LDAP backend, which is a working backend for workstation users (a Linux ldap backend). All critical groups are installed on the backend, as are the Administrator and Guest accounts. Using the default settings, it always fails at the first stage because it's critical that "Admin users" be set, even though it's stated that it isn't. At the second stage, it fails because all the support scripts expect samba3 to add the sambaSAMAccount schema, but it doesn't. Doing it all by hand, it fails because the default sets the ldap backend for computers as "ou=Computers", while getpwent looks for these with the getpwent call, which uses "ou=People" for all normal linux ldap backends. That is, it doesn't look for the computers or even use the "ldap machine suffix" setting. And finally, after all is set by hand, it fails with the Windows XP Professional message "No mapping between name and security identity", whatever that is. Something the "join" procedure should have set is not being "read" or "verified" with the same mechanism.
Comment 1 Örn Hansen 2003-10-18 10:05:01 UTC
Created attachment 205
Log 5 results

Failure to join, but account for computer exists in ldap directory.
Comment 2 Gerald (Jerry) Carter (dead mail address) 2003-12-08 07:26:23 UTC
This is a deficiency in the current ldap code: the nss_ldap library must search the 'ldap suffix' from smb.conf (which must be the common parent of the machine and user suffix). It's on the plate to be rewritten. However, it's going to be hard to do this in a backwards compatible fashion.

So what you are seeing is by (a bad) design.
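The layout rule stated in comment 2 (the NSS search must be rooted at the common parent of the user and machine suffixes) and the mismatch described in the report (getpwent searching "ou=People" while machines live under "ou=Computers") can be checked before a join is attempted. The script below is an added example, not Samba's or nss_ldap's own code. It assumes Samba 3's smb.conf(5) convention that "ldap user suffix" and "ldap machine suffix" are partial DNs prepended to "ldap suffix" (an absolute DN is also accepted), and it takes the NSS search base as a plain string argument (for nss_ldap this is the `base` option of its own configuration file). The smb.conf text and DNs are constructed for the example.

```python
"""Check whether an NSS LDAP search base can see both Samba user and machine accounts.

Added example (not Samba code). Assumes the smb.conf(5) rule that partial
user/machine suffixes are prepended to "ldap suffix". The sample smb.conf
and DNs below are constructed for illustration.
"""
import re

# Constructed smb.conf fragment mirroring the report: users under ou=People,
# machines under ou=Computers, both beneath the same ldap suffix.
SMB_CONF = """
[global]
   passdb backend = ldapsam:ldap://ldap.example.org
   ldap suffix = dc=example,dc=org
   ldap user suffix = ou=People
   ldap machine suffix = ou=Computers
"""


def parse_smb_conf(text):
    """Minimal parser: 'key = value' lines of the [global] section, keys lowercased."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[" ".join(key.lower().split())] = value.strip()
    return conf


def dn_components(dn):
    """Split a DN into normalised RDNs, leftmost first."""
    return [c.strip().lower() for c in dn.split(",") if c.strip()]


def resolve_suffix(conf, key):
    """Full DN for a user/machine suffix: prepend to ldap suffix unless already absolute or unset."""
    base = dn_components(conf["ldap suffix"])
    value = conf.get(key, "").strip()
    if not value:
        return base  # unset: Samba falls back to ldap suffix itself
    parts = dn_components(value)
    if len(parts) >= len(base) and parts[-len(base):] == base:
        return parts  # already an absolute DN under ldap suffix
    return parts + base


def is_under(dn, base):
    """True if dn lies in the subtree rooted at base (or equals it)."""
    return len(dn) >= len(base) and dn[-len(base):] == base


def common_parent(a, b):
    """Longest shared tail of two DNs: the smallest subtree containing both."""
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
        n += 1
    return a[len(a) - n:] if n else []


def check_nss_base(smb_conf_text, nss_base):
    """Return a list of problems; empty means getpwent-style lookups rooted at nss_base see every account."""
    conf = parse_smb_conf(smb_conf_text)
    users = resolve_suffix(conf, "ldap user suffix")
    machines = resolve_suffix(conf, "ldap machine suffix")
    nss = dn_components(nss_base)
    problems = []
    for kind, dn in (("user", users), ("machine", machines)):
        if not is_under(dn, nss):
            problems.append(f"{kind} accounts under {','.join(dn)} are outside the NSS search base {','.join(nss)}")
    if problems:
        needed = common_parent(users, machines)
        problems.append(f"NSS search base must be {','.join(needed)} or a parent of it")
    return problems


if __name__ == "__main__":
    # The situation in the report: NSS searches only ou=People, so machine
    # accounts created by the join are invisible to getpwent.
    for line in check_nss_base(SMB_CONF, "ou=People,dc=example,dc=org"):
        print("problem:", line)
    # Corrected: NSS base equals ldap suffix, the common parent of both suffixes.
    print("corrected:", check_nss_base(SMB_CONF, "dc=example,dc=org") or "ok")
```

Run against the constructed fragment, the first call reports the machine suffix as outside the search base and names `dc=example,dc=org` as the base that would cover both; the second call, with the NSS base set to the ldap suffix, reports nothing.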
Comment 3 Gerald (Jerry) Carter (dead mail address) 2005-11-14 09:25:03 UTC
database cleanup