I just migrated our Samba LDAP PDC from Gentoo to openSUSE 10.3_64. I am getting an error when a workstation tries to connect to the domain. I have used Wireshark to monitor the LDAP interface. I see Samba search the whole tree for the host name. LDAP responds with the machine account in the correct container (ou=MachineAccounts,ou=SambaDomain,dc=CTL,dc=CrewSystems). Samba then searches for the machine account in the People container (ou=People,dc=CTL,dc=CrewSystems), and I then get the error below. Samba is ignoring the ldap machine suffix entry in the smb.conf.

If I move the machine account to the People container there is no error. The problem here is that when you do a getent passwd on any Linux computer it shows the machine accounts along with the user accounts.
Thanks
Dave
[2008/08/04 10:19:43, 0] passdb/pdb_get_set.c:pdb_get_group_sid(211)
pdb_get_group_sid: Failed to find Unix account for deedee$
# Samba config file created using SWAT
# from 192.168.0.168 (192.168.0.168)
# Date: 2008/08/04 10:17:08
[global]
workgroup = CTL
passdb backend = ldapsam:ldap://localhost
unix password sync = Yes
add user script = ldapsmb -a -u
delete user script = ldapsmb -d -u
add group script = ldapsmb -a -g
delete group script = ldapsmb -d -g
add user to group script = ldapsmb -j -u
delete user from group script = ldapsmb -j -u
set primary group script = ldapsmb -m -u
domain logons = Yes
wins support = Yes
ldap admin dn = cn=Manager,dc=CrewSystems
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap,ou=SambaDomain
ldap machine suffix = ou=MachineAccounts,ou=SambaDomain
ldap passwd sync = Yes
ldap suffix = dc=CTL,dc=CrewSystems
ldap ssl = no
ldap user suffix = ou=People
homedir map = /etc/samba/auto.home
NIS homedir = Yes
idmap backend = ldap:ldap://localhost
idmap uid = 10000-20000
idmap gid = 10000-20000
[Atlas]
path = /atlas
read only = No
[homes]
valid users = %S
browseable = yes
writeable = yes
create mask = 0600
directory mask = 0700
[profiles]
path = /atlas/usr/samba/profiles
writeable = yes
browseable = no
read only = no
create mode = 0777
directory mode = 0777
[netlogon]
comment = Network Logon Service
path = /atlas/usr/samba/netlogon
writeable = yes
browseable = No
read only = no
Also posted in the opensuse.us forums: OpenSUSE.us : SAMBA LDAP lookup fails
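The post turns on where each machine account sits relative to the suffixes in smb.conf and on whether NSS can resolve it. The script below is an added example (not from the original post or from the Samba project): it parses a constructed smb.conf [global] fragment and a constructed LDIF dump that reuse the post's DNs, and for every account whose uid ends in "$" it reports whether the entry lies under `ldap machine suffix` joined to `ldap suffix` (Samba treats the machine, user and group suffixes as relative to `ldap suffix`), or instead under the user suffix, and whether it carries the posixAccount attributes (uidNumber, gidNumber) that an NSS lookup of the account returns. The account names and numeric ids in the LDIF are made up.

```python
"""Check Samba machine-account placement against the smb.conf LDAP suffixes.

Added example, not from the original post. The LDIF and smb.conf text below
are constructed; the suffixes are the ones from the post.
"""
from typing import Dict, List

# Constructed smb.conf [global] fragment with the suffixes from the post.
SMB_CONF = """
[global]
    ldap suffix = dc=CTL,dc=CrewSystems
    ldap user suffix = ou=People
    ldap machine suffix = ou=MachineAccounts,ou=SambaDomain
    ldap group suffix = ou=Group
"""

# Constructed LDIF: one user, one machine account in the machine container,
# one machine account parked in the People container without posix attributes.
LDIF = """
dn: uid=dave,ou=People,dc=CTL,dc=CrewSystems
objectClass: posixAccount
objectClass: sambaSamAccount
uid: dave
uidNumber: 10001
gidNumber: 10001

dn: uid=deedee$,ou=MachineAccounts,ou=SambaDomain,dc=CTL,dc=CrewSystems
objectClass: posixAccount
objectClass: sambaSamAccount
uid: deedee$
uidNumber: 10500
gidNumber: 10515

dn: uid=lostbox$,ou=People,dc=CTL,dc=CrewSystems
objectClass: sambaSamAccount
uid: lostbox$
"""


def parse_smb_conf(text: str) -> Dict[str, str]:
    """Return the key = value settings of the [global] section, keys lower-cased."""
    settings: Dict[str, str] = {}
    in_global = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_global = line[1:-1].strip().lower() == "global"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip().lower()] = value.strip()
    return settings


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF parser: blank-line separated entries of 'attr: value' lines."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, value = line.split(":", 1)
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn: str) -> str:
    """Lower-case and strip spaces around RDN separators so DNs compare reliably."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_under(dn: str, base: str) -> bool:
    """True if dn equals base or lies somewhere below it."""
    dn, base = normalize_dn(dn), normalize_dn(base)
    return dn == base or dn.endswith("," + base)


def check_machine_accounts(smb_conf: str, ldif: str) -> Dict[str, List[str]]:
    """Map each machine-account uid to the problems found (empty list means OK)."""
    cfg = parse_smb_conf(smb_conf)
    suffix = cfg["ldap suffix"]
    machine_base = f"{cfg['ldap machine suffix']},{suffix}"  # relative to ldap suffix
    user_base = f"{cfg['ldap user suffix']},{suffix}"
    report: Dict[str, List[str]] = {}
    for entry in parse_ldif(ldif):
        uid = entry.get("uid", [""])[0]
        if not uid.endswith("$"):
            continue  # ordinary user, not a machine account
        dn = entry["dn"][0]
        problems: List[str] = []
        if not dn_under(dn, machine_base):
            where = "under user suffix" if dn_under(dn, user_base) else "outside both suffixes"
            problems.append(f"not under ldap machine suffix ({where})")
        missing = [a for a in ("uidnumber", "gidnumber") if a not in entry]
        if missing:
            problems.append("missing posixAccount attributes: " + ", ".join(missing))
        report[uid] = problems
    return report


if __name__ == "__main__":
    for uid, problems in check_machine_accounts(SMB_CONF, LDIF).items():
        print(uid, "OK" if not problems else "; ".join(problems))
```

Against a real directory, replace the LDIF string with the output of an `ldapsearch -x -b "dc=CTL,dc=CrewSystems" "(uid=*$)"` run; the checks are the ones worth doing before blaming the suffix settings.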