Mailing Lists: Apple Mailing Lists


Re: can't join domain (with new directory admin account)



Daniel Wittenberg wrote:
> We've got an xserve running 10.3.9, that we used to be able to join
> machines to the domain with an old admin account. But for other reasons
> we had to delete the admin account and create a new one. When I go into
> WGM it shows the new 'diradmin' account has full rights to all parts of
> the domain. However, when I try to use that account Windows complains
> "Access is denied", but in the samba logs it shows that authentication
> succeeds. So I'm guessing it's a rights issue somewhere.
>
> Apple of course won't help with "integration issues" so kinda stuck.
>
> Any ideas?

 It turns out that Samba doesn't just forward the account you present to it.
 Rather, it does directory operations under its own directory account, which Apple
 sets up when you first configure Samba but which won't get automatically updated
 later (sounds like a bug to me).

 The solution is to use the CLI to update the Samba configs with the new id/password.
 Config file is:
    /var/db/samba/opendirectorysam

 Below is Michael Bartosh's explanation.

/John
******************** using "opendirectorysam"


Michael Bartosh wrote:

>  /usr/bin/opendirectorypdbconfig -c set_authenticator -r admin-name -p  xxxxx -n /LDAPv3/127.0.0.1
>
> Had an apple guy dig out the radar I filed a couple months back.
>
  Ahhh....you'd never figure that out from the command-line help (see below),
  and I was worried because I can't make either of the "get" commands work.


******************* opendirectorypdbconfig help

~ % /usr/bin/opendirectorypdbconfig -h
opendirectorypdbconfig
-h displays this help info
-c <command> <options>
*** commands ***
        <set_authenticator> -r <name> -p <password> user session key
        <user_session_key> -r <name> [-i <slot id>] user session key
        <credential_session_key> -r <name> [-i <slot id>] credential session key
        <create_computer_account> -r <name>
        <create_user_account> -r <name>
        <get_user_account> -r <name>
        <get_computer_account> -r <name>

Macos-x-server mailing list      (email@hidden)
References: 
 >can't join domain (From: "Daniel Wittenberg" <email@hidden>)


