I find myself unable to add machine accounts in samba to join the Windows 7 clients to my samba domain.
I was getting the “Specified computer account could not be found…” error on the windows client.
After verifying that the samba server was set as the PDC and advertising itself correctly via WINS, I proceeded to troubleshoot.
(log level = 3 in samba)
I think I have found the point of failure, but not how to fix it. Running the following command to manually add the machine account:
pdbedit -a bobnut$ -m
…I get the following:
No builtin backend found, trying to load plugin
Module 'ldapsam' loaded
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=IMPERIUM))]
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
Use of uninitialized value in concatenation (.) or string at
/usr/share/YaST2/modules/UsersPluginKerberos.pm line 150 (#1)
(W uninitialized) An undefined value was used as if it were already
defined. It was interpreted as a "" or a 0, but maybe it was a mistake.
To suppress this warning assign a defined value to your variables.
To help you figure out what was undefined, perl will try to tell you
the name of the variable (if any) that was undefined. In some cases
it cannot do this, so it also tells you what operation you used the
undefined value in. Note, however, that perl optimizes your program
and the operation displayed in the warning may not necessarily appear
literally in your program. For example, "that $foo" is usually
optimized into "that " . $foo, and the warning will refer to the
concatenation (.) operator, even though there is no . in
your program.
Use of uninitialized value in regexp compilation at
/usr/share/YaST2/modules/UsersPluginKerberos.pm line 151 (#1)
_samr_create_user: Running the command `/sbin/yast /usr/share/YaST2/data/add_machine.rb $' gave 0
Could not find user bobnut$, add script did not work
Failed to add entry for user bobnut$.
Machine bobnut$ not found!
What is particularly curious is that I’m not using Kerberos…
Relevant config files…
smb.conf
[global]
# interfaces = ens160 lo
# bind interfaces only = yes
workgroup = IMPERIUM
passdb backend = ldapsam:ldap://angrenost.tol-lamfirith.org
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
#logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
add machine script = /sbin/yast /usr/share/YaST2/data/add_machine.rb %m$
domain logons = Yes
domain master = Yes
security = user
idmap backend = ldap:ldap://angrenost.tol-lamfirith.org
ldap admin dn = cn=Administrator,dc=tol-lamfirith,dc=org
ldap group suffix = ou=group
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Machines
ldap passwd sync = Yes
ldap suffix = dc=tol-lamfirith,dc=org
ldap user suffix = ou=people
netbios name = angrenost
wins support = Yes
local master = Yes
os level = 65
preferred master = Yes
log level = 3
[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes
[profiles]
comment = Network Profiles Service
path = %H
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/
[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes
[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No
[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
write list = root
[Music]
comment = Music Files
inherit acls = Yes
path = /srv/files/music
read only = Yes
write list = mettius athena
[pub]
comment = Public Share
inherit acls = Yes
path = /srv/files/pub
read only = No
valid users = mettius
guest ok = Yes
sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = imperiumldap
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
; domains = LDAP
[nss]
filter_users = root
filter_groups = root
[pam]
[domain/imperiumldap]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://angrenost.tol-lamfirith.org
krb5_server =
krb5_realm =
# Example LDAP domain
; [domain/LDAP]
; id_provider = ldap
; auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
; ldap_schema = rfc2307
; ldap_uri = ldap://ldap.mydomain.org
; ldap_search_base = dc=mydomain,dc=org
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
; enumerate = false
# Allow offline logins by locally storing password hashes (default: false).
; cache_credentials = true
# An example Active Directory domain. Please note that this configuration
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
# compliant attribute names. To support UNIX clients with AD 2003 or older,
# you must install Microsoft Services For Unix and map LDAP attributes onto
# msSFU30* attribute names.
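Added example, not part of the forum post and not Samba's or YaST's own code: the log line above shows the add machine script being run as `/sbin/yast /usr/share/YaST2/data/add_machine.rb $`, i.e. with an empty machine name in front of the `$`. The short shell script below models the smb.conf variable substitution that produces that command line when the account is created by a manual `pdbedit -a bobnut$ -m` (no client connected), and adds the sanity check a practitioner would want in front of any root-run script that takes an account name from the command line. It assumes the substitution semantics documented in smb.conf(5): `%u` is the account name the script is asked to create, `%m` is the NetBIOS name of the connecting client (empty when there is no client), and the `add machine script` entry is documented as using `%u`, not `%m`. The function names `expand_script`, `valid_machine_account` and `demo` are hypothetical; the expansion is a deliberately minimal model of smbd's substitution engine.

```shell
#!/bin/sh
# Added example (not from the forum post, Samba or YaST).
# Models how smbd expands the "add machine script" line when the machine
# account is added with "pdbedit -a bobnut$ -m" and no client is connected:
#   %u -> account name being created (assumption, from smb.conf(5))
#   %m -> NetBIOS name of the connecting client, empty here (assumption)
# Only %u and %m are modelled; smbd's real engine handles many more variables.

# Arguments: 1 = script line from smb.conf, 2 = value of %u, 3 = value of %m.
# Account names are assumed to contain no '/' or '&' (sed replacement syntax).
expand_script() {
  printf '%s\n' "$1" | sed -e "s/%u/$2/g" -e "s/%m/$3/g"
}

# A machine account name must be non-empty before its trailing '$'.
# Returns 0 if acceptable, 1 otherwise. Run this before handing a name to a
# script that executes as root, so an empty or malformed name is rejected
# rather than silently producing a "$" account request.
valid_machine_account() {
  case "$1" in
    '' | '$') return 1 ;;
    *'$')     return 0 ;;
    *)        return 1 ;;
  esac
}

# Compare the script line from the poster's smb.conf (%m$) with one using %u.
demo() {
  script='/usr/share/YaST2/data/add_machine.rb'   # path as in the post
  broken="/sbin/yast $script %m\$"
  fixed="/sbin/yast $script %u"
  for line in "$broken" "$fixed"; do
    cmd=$(expand_script "$line" 'bobnut$' '')
    name=${cmd##* }        # last word = account name the script receives
    if valid_machine_account "$name"; then
      printf 'OK     %s\n' "$cmd"
    else
      printf 'REJECT %s   (account name is "%s")\n' "$cmd" "$name"
    fi
  done
}

demo
```

With the `%m$` line the model reproduces the command line from the log (`... add_machine.rb $`) and rejects it; with `%u` the script receives `bobnut$`. The same check can be applied by hand before running `pdbedit`: if the name that will reach the script is only `$`, the backend will never find the account and `Could not find user bobnut$, add script did not work` is the expected result.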