Mailing Lists: Apple Mailing Lists


RE: can't join domain (with new directory admin account)



Thanks for the info, but seems I've still got problems.  I ran this
command and get the following response:

[0]set_opendirectory_authenticator
opendirectorypdbconfig error(0)

Not sure exactly what this means, but if I view -b the opendirectorysam
file it looks like it embeds the username and password in clear text
(yippee).  But when I go back to Windows and try to join I still get
Access Denied.  Looking at the samba log I noticed a couple errors that
I'm not sure what they are and couldn't find any info on:

samr_io_userinfo_ctr: unknown switch level 0x1a
api_samr_set_userinfo: Unable to unmarshall SAMR_Q_SET_USERINFO.
decode_pw_buffer: incorrect password length (89613549).
decode_pw_buffer: check that 'encrypt passwords = yes'

Which I did double-check and encrypt is set to yes.

Any other ideas?

-----Original Message-----
From: John Gerth [mailto:email@hidden]
Sent: Thu 8/11/2005 7:45 PM
To: Daniel Wittenberg
Cc: macos-x-server
Subject: Re: can't join domain (with new directory admin account)

Daniel Wittenberg wrote:
> We've got an xserve running 10.3.9, that we used to be able to join
> machines to the domain with an old admin account.  But for other reasons
> we had to delete the admin account and create a new one.  When I go into
> WGM it shows the new 'diradmin' account has full rights to all parts of
> the domain.  However, when I try to use that account Windows complains
> "Access is denied", but in the samba logs it shows that authentication
> succeeds.  So I'm guessing it's a rights issue somewhere.
>
> Apple of course won't help with "integration issues" so kinda stuck.
>
> Any ideas?
>
  It turns out that Samba doesn't just forward the account you present to it.
  Rather it does directory operations under its own directory account which Apple
  sets up when you first configure Samba but won't get automatically updated
  later (sounds like a bug to me).

  The solution is to use CLI to update the Samba configs with new id/password.
  Config file is:
     /var/db/samba/opendirectorysam

  Below is Michael Bartosh's explanation

/John
******************** using "opendirectorysam"


Michael Bartosh wrote:

 >  /usr/bin/opendirectorypdbconfig -c set_authenticator -r admin-name -p  xxxxx -n /LDAPv3/127.0.0.1
 >
 > Had an apple guy dig out the radar I filed a couple months back.
 >
   Ahhh....you'd never figure that out from the commandline help (see below)
   and I was worried because I can't make either of the "get" commands work.


******************* opendirectorypdbconfig help

~ % /usr/bin/opendirectorypdbconfig -h
opendirectorypdbconfig
-h displays this help info
-c <command> <options>
*** commands ***
         <set_authenticator> -r <name> -p <password> user session key
         <user_session_key> -r <name> [-i <slot id>] user session key
         <credential_session_key> -r <name> [-i <slot id>] credential session key
         <create_computer_account> -r <name>
         <create_user_account> -r <name>
         <get_user_account> -r <name>
         <get_computer_account> -r <name>





