I find myself unable to add machine accounts in samba to join the Windows 7 clients to my samba domain.
I was getting the “Specified computer account could not be found…” error on the windows client.
After verifying that the samba server was set as the PDC and advertising itself correctly via WINS, I proceeded to troubleshoot.
(log level = 3 in samba)
I think I have found the point of failure, but not how to fix it. Running the following command to manually add the machine account:
pdbedit -a bobnut$ -m
…I get the following:
No builtin backend found, trying to load plugin
Module 'ldapsam' loaded
smbldap_search_domain_info: Searching for:(&(objectClass=sambaDomain)(sambaDomainName=IMPERIUM))]
StartTLS issued: using a TLS connection
smbldap_open_connection: connection opened
ldap_connect_system: successful connection to the LDAP server
Use of uninitialized value in concatenation (.) or string at /usr/share/YaST2/modules/UsersPluginKerberos.pm line 150 (#1)
    (W uninitialized) An undefined value was used as if it were already defined. It was interpreted as a "" or a 0, but maybe it was a mistake. To suppress this warning assign a defined value to your variables.
    To help you figure out what was undefined, perl will try to tell you the name of the variable (if any) that was undefined. In some cases it cannot do this, so it also tells you what operation you used the undefined value in. Note, however, that perl optimizes your program and the operation displayed in the warning may not necessarily appear literally in your program. For example, "that $foo" is usually optimized into "that " . $foo, and the warning will refer to the concatenation (.) operator, even though there is no . in your program.
Use of uninitialized value in regexp compilation at /usr/share/YaST2/modules/UsersPluginKerberos.pm line 151 (#1)
_samr_create_user: Running the command `/sbin/yast /usr/share/YaST2/data/add_machine.rb $' gave 0
Could not find user bobnut$, add script did not work
Failed to add entry for user bobnut$.
Machine bobnut$ not found!
What is particularly curious is that I’m not using Kerberos…
Relevant config files…
smb.conf:

[global]
# interfaces = ens160 lo
# bind interfaces only = yes
workgroup = IMPERIUM
passdb backend = ldapsam:ldap://angrenost.tol-lamfirith.org
printing = cups
printcap name = cups
printcap cache time = 750
cups options = raw
map to guest = Bad User
#logon path = \\%L\profiles\.msprofile
logon home = \\%L\%U\.9xprofile
logon drive = P:
usershare allow guests = No
add machine script = /sbin/yast /usr/share/YaST2/data/add_machine.rb %m$
domain logons = Yes
domain master = Yes
security = user
idmap backend = ldap:ldap://angrenost.tol-lamfirith.org
ldap admin dn = cn=Administrator,dc=tol-lamfirith,dc=org
ldap group suffix = ou=group
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Machines
ldap passwd sync = Yes
ldap suffix = dc=tol-lamfirith,dc=org
ldap user suffix = ou=people
netbios name = angrenost
wins support = Yes
local master = Yes
os level = 65
preferred master = Yes
log level = 3

[homes]
comment = Home Directories
valid users = %S, %D%w%S
browseable = No
read only = No
inherit acls = Yes

[profiles]
comment = Network Profiles Service
path = %H
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700

[users]
comment = All users
path = /home
read only = No
inherit acls = Yes
veto files = /aquota.user/groups/shares/

[groups]
comment = All groups
path = /home/groups
read only = No
inherit acls = Yes

[printers]
comment = All Printers
path = /var/tmp
printable = Yes
create mask = 0600
browseable = No

[print$]
comment = Printer Drivers
path = /var/lib/samba/drivers
write list = @ntadmin root
force group = ntadmin
create mask = 0664
directory mask = 0775

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
write list = root

[Music]
comment = Music Files
inherit acls = Yes
path = /srv/files/music
read only = Yes
write list = mettius athena

[pub]
comment = Public Share
inherit acls = Yes
path = /srv/files/pub
read only = No
valid users = mettius
guest ok = Yes
sssd.conf:

[sssd]
config_file_version = 2
services = nss, pam
domains = imperiumldap

# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
; domains = LDAP

[nss]
filter_users = root
filter_groups = root

[pam]

[domain/imperiumldap]
id_provider = ldap
auth_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldap://angrenost.tol-lamfirith.org
krb5_server =
krb5_realm =

# Example LDAP domain
; [domain/LDAP]
; id_provider = ldap
; auth_provider = ldap
# ldap_schema can be set to "rfc2307", which stores group member names in the
# "memberuid" attribute, or to "rfc2307bis", which stores group member DNs in
# the "member" attribute. If you do not know this value, ask your LDAP
# administrator.
; ldap_schema = rfc2307
; ldap_uri = ldap://ldap.mydomain.org
; ldap_search_base = dc=mydomain,dc=org
# Note that enabling enumeration will have a moderate performance impact.
# Consequently, the default value for enumeration is FALSE.
# Refer to the sssd.conf man page for full details.
; enumerate = false
# Allow offline logins by locally storing password hashes (default: false).
; cache_credentials = true
# An example Active Directory domain. Please note that this configuration
# works for AD 2003R2 and AD 2008, because they use pretty much RFC2307bis
# compliant attribute names. To support UNIX clients with AD 2003 or older,
# you must install Microsoft Services For Unix and map LDAP attributes onto
# msSFU30* attribute names.
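Added diagnostic script (not part of the post): it imitates what smbd's _samr_create_user does around the add machine script, substituting the machine name into the configured template, running it, and then checking whether the account resolves through NSS with getent, which is the lookup that produced "Could not find user" above. The log shows the script being invoked with a bare `$` and exit status 0, so the check flags both an empty substitution and a script that returns 0 without making the account visible. The function names lookup_account and check_add_machine and the sample templates are my own.

```shell
#!/bin/sh
# Reproduce smbd's sequence for a machine account: substitute the name into the
# "add machine script" template, run it, then look the account up via NSS.
# A zero exit status from the script proves nothing; smbd then calls getpwnam()
# and fails with "Could not find user" if the entry is not visible through NSS
# (for this setup: in LDAP under ou=Machines and served by sssd).

# lookup_account NAME -> 0 if NSS (getent passwd) resolves the account.
lookup_account() {
    getent passwd "$1" >/dev/null 2>&1
}

# check_add_machine MACHINE TEMPLATE
#   MACHINE  NetBIOS name of the client (without the trailing $)
#   TEMPLATE the add machine script line from smb.conf, e.g. '... %m$'
# Returns 0 if the account resolves afterwards, 1 if the script returned 0 but
# the account is still invisible, 2 if the script failed, 3 if the name is empty.
check_add_machine() {
    machine=$1
    template=$2
    if [ -z "$machine" ]; then
        echo "machine name is empty: the script would receive a bare \$ as account name"
        return 3
    fi
    account="${machine}\$"
    # Substitute %m the way smb.conf does; the trailing $ comes from the template itself.
    cmd=$(printf '%s\n' "$template" | sed "s/%m/$machine/g")
    echo "running: $cmd"
    sh -c "$cmd" >/dev/null 2>&1
    rc=$?
    if [ "$rc" -ne 0 ]; then
        echo "add machine script failed with exit status $rc"
        return 2
    fi
    if lookup_account "$account"; then
        echo "account $account resolves via NSS; smbd would find it"
        return 0
    fi
    echo "script exited 0 but $account does not resolve via NSS (check the LDAP entry and the sssd cache)"
    return 1
}

# Usage: sh check_add_machine.sh bobnut '/sbin/yast /usr/share/YaST2/data/add_machine.rb %m$'
# Note that this really runs the script, so it creates the account just as smbd would.
if [ "$#" -ge 2 ]; then
    check_add_machine "$1" "$2"
fi
```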