SAMBA: Strange Add Machine Failure w/pdbedit...Stumped I am.

I find myself unable to add machine accounts in samba to join the Windows 7 clients to my samba domain.
I was getting the “Specified computer account could not be found…” error on the windows client.
After verifying that the samba server was set as the PDC and advertising itself correctly via WINS, I proceeded to troubleshoot.
(log level = 3 in samba)

I think I have found the point of failure, but not how to fix it. Running the following command to manually add the machine account:

pdbedit -a bobnut$ -m

…I get the following:
No builtin backend found, trying to load plugin
Module 'ldapsam' loaded
smbldap_search_domain_info: Searching for:(&(objectClass=sambaDomain)(sambaDomainName=IMPERIUM))]
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
Use of uninitialized value in concatenation (.) or string at
        /usr/share/YaST2/modules/UsersPluginKerberos.pm line 150 (#1)
    (W uninitialized) An undefined value was used as if it were already
    defined.  It was interpreted as a "" or a 0, but maybe it was a mistake.
    To suppress this warning assign a defined value to your variables.

    To help you figure out what was undefined, perl will try to tell you
    the name of the variable (if any) that was undefined.  In some cases
    it cannot do this, so it also tells you what operation you used the
    undefined value in.  Note, however, that perl optimizes your program
    and the operation displayed in the warning may not necessarily appear
    literally in your program.  For example, "that $foo" is usually
    optimized into "that " . $foo, and the warning will refer to the
    concatenation (.) operator, even though there is no . in
    your program.

Use of uninitialized value in regexp compilation at
        /usr/share/YaST2/modules/UsersPluginKerberos.pm line 151 (#1)
_samr_create_user: Running the command `/sbin/yast /usr/share/YaST2/data/add_machine.rb $' gave 0
Could not find user bobnut$, add script did not work
Failed to add entry for user bobnut$.
Machine bobnut$ not found!

What is particularly curious is that I’m not using Kerberos…

Relevant config files…
smb.conf

[global]
#       interfaces = ens160 lo
#       bind interfaces only = yes
        workgroup = IMPERIUM
        passdb backend = ldapsam:ldap://angrenost.tol-lamfirith.org
        printing = cups
        printcap name = cups
        printcap cache time = 750
        cups options = raw
        map to guest = Bad User
        #logon path = \\%L\profiles\.msprofile
        logon home = \\%L\%U\.9xprofile
        logon drive = P:
        usershare allow guests = No
        add machine script = /sbin/yast /usr/share/YaST2/data/add_machine.rb %m$
        domain logons = Yes
        domain master = Yes
        security = user
        idmap backend = ldap:ldap://angrenost.tol-lamfirith.org
        ldap admin dn = cn=Administrator,dc=tol-lamfirith,dc=org
        ldap group suffix = ou=group
        ldap idmap suffix = ou=Idmap
        ldap machine suffix = ou=Machines
        ldap passwd sync = Yes
        ldap suffix = dc=tol-lamfirith,dc=org
        ldap user suffix = ou=people
        netbios name = angrenost
        wins support = Yes
        local master = Yes
        os level = 65
        preferred master = Yes
        log level = 3
[homes]
        comment = Home Directories
        valid users = %S, %D%w%S
        browseable = No
        read only = No
        inherit acls = Yes
[profiles]
        comment = Network Profiles Service
        path = %H
        read only = No
        store dos attributes = Yes
        create mask = 0600
        directory mask = 0700
[users]
        comment = All users
        path = /home
        read only = No
        inherit acls = Yes
        veto files = /aquota.user/groups/shares/
[groups]
        comment = All groups
        path = /home/groups
        read only = No
        inherit acls = Yes
[printers]
        comment = All Printers
        path = /var/tmp
        printable = Yes
        create mask = 0600
        browseable = No
[print$]
        comment = Printer Drivers
        path = /var/lib/samba/drivers
        write list = @ntadmin root
        force group = ntadmin
        create mask = 0664
        directory mask = 0775

[netlogon]
        comment = Network Logon Service
        path = /var/lib/samba/netlogon
        write list = root

[Music]
        comment = Music Files
        inherit acls = Yes
        path = /srv/files/music
        read only = Yes
        write list = mettius athena

[pub]
        comment = Public Share
        inherit acls = Yes
        path = /srv/files/pub
        read only = No
        valid users = mettius
        guest ok = Yes

sssd.conf

[sssd]
config_file_version = 2
services = nss, pam
domains = imperiumldap
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
; domains = LDAP

[nss]
filter_users = root
filter_groups = root

[pam]
[domain/imperiumldap]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://angrenost.tol-lamfirith.org
krb5_server =
krb5_realm =

# Example LDAP domain
; [domain/LDAP]
; id_provider = ldap
; auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
; ldap_schema = rfc2307
; ldap_uri = ldap://ldap.mydomain.org
; ldap_search_base = dc=mydomain,dc=org
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
; enumerate = false
# Allow offline logins by locally storing password hashes (default: false).
; cache_credentials = true

# An example Active Directory domain. Please note that this configuration
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
# compliant attribute names. To support UNIX clients with AD 2003 or older,
# you must install Microsoft Services For Unix and map LDAP attributes onto
# msSFU30* attribute names.
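The log above shows the add machine script being invoked as `add_machine.rb $`, i.e. with an empty machine name, and still exiting 0, so smbd only notices the problem when it looks the account up afterwards. As an added example (not the YaST script and not from this thread), here is a minimal POSIX sh add machine script that validates the account name it receives, creates the Unix account, and exits non-zero on every failure so the error surfaces in the Samba log; it assumes a `machines` group exists. Samba passes the account name to the script via `%u` (e.g. `bobnut$`), while `%m` is the client's NetBIOS name.

```shell
#!/bin/sh
# Hypothetical add machine script (added example, not the YaST one).
# Samba invokes it as: add machine script = /path/to/this.sh %u
# MACHINE_GROUP is an assumption; adjust to the local group name.
MACHINE_GROUP="${MACHINE_GROUP:-machines}"

# Return 0 only for a well-formed machine trust account name:
# a NetBIOS-style name (1-15 chars of letters, digits, '-' or '_')
# followed by the trailing '$' that marks machine accounts.
validate_machine_name() {
    case "$1" in
        *'$') ;;
        *) return 1 ;;
    esac
    name="${1%\$}"
    [ "${#name}" -ge 1 ] && [ "${#name}" -le 15 ] || return 1
    case "$name" in
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Create the Unix account backing the machine trust account.
# Every failure path returns non-zero so smbd logs
# "add script did not work" instead of silently continuing.
add_machine_account() {
    acct="$1"
    if ! validate_machine_name "$acct"; then
        echo "add_machine: rejecting account name '$acct'" >&2
        return 2
    fi
    if getent passwd "$acct" >/dev/null 2>&1; then
        return 0            # already present; nothing to do
    fi
    useradd -g "$MACHINE_GROUP" -d /var/lib/nobody -s /bin/false -M \
        -c "Machine account $acct" "$acct" || return 3
    # Verify the account is now visible through NSS, as smbd will check it.
    getent passwd "$acct" >/dev/null 2>&1 || return 4
}

# Only act when invoked with exactly one argument (the account name).
if [ $# -eq 1 ]; then
    add_machine_account "$1"
fi
```

Running it by hand with the same argument smbd would pass (`sh add_machine.sh 'bobnut$'; echo $?`) shows whether the account is actually created and what exit status smbd will see.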

Speculating but IMO this may be your problem

After verifying that the samba server was set as the PDC and advertising itself correctly via WINS

It’s been a very long time since networks have used WINS, which are NetBIOS name resolution servers. If you’re running SAMBA 3, it’s still based on NetBIOS naming, but you should also implement host name resolution. This means making sure your name entries also exist in your LAN DNS or, if you’re not running a LAN DNS, distributing custom Hosts files using DHCP (if the LAN is very large) or editing the Hosts file manually on every machine.

In fact, if you don’t have any special reason to run WINS (like supporting ancient XP machines), it should generally be disabled/removed in favor of implementing only DNS for name resolution.

I’m also curious about your reference to Kerberos, are you running SAMBA 3 or SAMBA 4?

TSU

Well, I just wanted to set up an NT4 style domain vs trying to fiddle with the new samba Active Directory setup.
My understanding is that Win7 and such still use NetBIOS over TCP/IP for network browsing, and that to join an NT4 style domain (i.e. samba PDC) there still needs to be a master browser for a given domain, which advertises (via WINS) the PDC for that domain/workgroup.

I am using DNS for name resolution, but as far as I know I still need WINS for the above reason.

I’m also curious about your reference to Kerberos, are you running SAMBA 3 or SAMBA 4?

Samba 4.1.19

openSUSE 13.2 insists on installing it (Kerberos) if one installs the YaST Authentication Server module.
I have things setup to use LDAP for authentication (this server is the LDAP server).

It is worth noting the add machine script which YaST configured. It is a ruby script as far as I can tell…
Somewhere in there it seems to want to deal with Kerberos in some fashion.

I’m setting up a fresh install to see if I can reproduce this.

-Mettius