I have just spent a weekend setting up a samba 3.0.0 / ldap domain. It had moments of extreme pain - mostly related to the following…

  1. the samba ldap tools do not create full accounts for use with nss_ldap and pam_ldap - nice of them to tell us
  2. the documentation and error messages are Not Good - and there isn’t full, obvious documentation that states what nss_ldap and pam_ldap require as objectTypes.
  3. different versions of pam_ldap / nss_ldap require different objectTypes
  4. gentoo’s version is happy with a group just being a posixGroup
  5. RedHat 8.0’s version requires top to be an objectType in a group otherwise it just won’t work
  6. a user must have objectType account as well as posixAccount
  7. openldap on gentoo/pam_ldap does not support md5 passwords - use crypt (even plain doesn’t work out of the box)
  8. pam_ldap on gentoo (possibly others) does not react well to the ldap server being changed under it (/etc/ldap.conf) and the only way I could get it to respond to the new server was by rebooting the machine :-/
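Added example (not from the original post, and not a samba or nss_ldap tool): a small Python checker that reads an LDIF dump and flags the three problems the list above describes, namely user entries lacking `account` alongside `posixAccount`, group entries lacking `top` alongside `posixGroup`, user entries with no `uidNumber`, and `sambaSID` values shared by more than one entry. The LDIF and the DNs in it are constructed for the example; the attribute is spelt `sambaSID` as in the Samba 3 schema (LDAP attribute names are case-insensitive, so `sambaSid` in the text refers to the same thing).

```python
"""Check an LDIF dump for the objectClass / attribute mix that nss_ldap, pam_ldap
and samba expect, as described in the post above.

Rules encoded (all taken from the post):
  - a user (posixAccount) entry must also carry objectClass 'account'
  - a group (posixGroup) entry must also carry objectClass 'top'
  - a user entry must have a uidNumber (one without it got a bad sambaSID)
  - no two entries may share a sambaSID
"""
from collections import defaultdict

REQUIRED_USER_CLASSES = {"account", "posixaccount"}
REQUIRED_GROUP_CLASSES = {"top", "posixgroup"}

# Constructed sample: alice is fine, wks01$ is the broken machine account
# (no 'account' class, no uidNumber, SID clashes with wks02$), staff lacks 'top'.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
uidNumber: 1001
gidNumber: 513
sambaSID: S-1-5-21-1-2-3-3002

dn: uid=wks01$,ou=Computers,dc=example,dc=com
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
uid: wks01$
gidNumber: 515
sambaSID: S-1-5-21-1-2-3-1000

dn: uid=wks02$,ou=Computers,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uid: wks02$
uidNumber: 1003
gidNumber: 515
sambaSID: S-1-5-21-1-2-3-1000

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: staff
gidNumber: 513
"""


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of (dn, attrs), attribute names lower-cased.
    Handles comment lines and folded continuation lines; base64 ('::') values are
    not needed for this check and are left as-is."""
    entries = []
    dn, attrs, last = None, defaultdict(list), None
    for raw in text.splitlines() + [""]:          # trailing "" flushes the last entry
        if raw.startswith("#"):
            continue
        if raw.startswith(" ") and last is not None:  # folded line continues previous value
            attrs[last][-1] += raw[1:]
            continue
        if raw.strip() == "":
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs, last = None, defaultdict(list), None
            continue
        name, _, value = raw.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs[name].append(value)
            last = name
    return entries


def check_entries(entries):
    """Return a list of (dn, problem) findings for the rules listed at the top."""
    findings = []
    sid_owners = defaultdict(list)
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if "posixaccount" in classes:
            for missing in sorted(REQUIRED_USER_CLASSES - classes):
                findings.append((dn, f"user entry lacks objectClass {missing}"))
            if "uidnumber" not in attrs:
                findings.append((dn, "user entry has no uidNumber (sambaSID will be derived wrongly)"))
        if "posixgroup" in classes:
            for missing in sorted(REQUIRED_GROUP_CLASSES - classes):
                findings.append((dn, f"group entry lacks objectClass {missing}"))
        for sid in attrs.get("sambasid", []):
            sid_owners[sid].append(dn)
    # Duplicate SIDs can only be judged once the whole dump has been read.
    for sid, owners in sid_owners.items():
        if len(owners) > 1:
            for dn in owners:
                findings.append((dn, f"sambaSID {sid} is shared with {len(owners) - 1} other entry(ies)"))
    return findings


def check_ldif(text):
    return check_entries(parse_ldif(text))


if __name__ == "__main__":
    for dn, problem in check_ldif(SAMPLE_LDIF):
        print(f"{dn}: {problem}")
```

Run it against `slapcat` output (or an `ldapsearch -LLL` dump) before adding machines to the domain: the missing-`uidNumber` and duplicate-`sambaSID` findings are exactly the conditions that, per item 9, had to be cleaned out by hand before further machines would join.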
  9. For some reason the samba add machine to domain failed to produce a correct ldap entry for one of the machines (not known why yet) and this then buggered up the entry of furthur machines. Got errors to do with repeated sambaSid values and machines refused to join domains due to the user not being an administrator (this was patently not correct). Sometimes the machines would add to the domain, but it was intermittant. The only solution was to delete back to and including the entry which had the faulty entry. The entry was faulty because there was not uid number created with it, so the sambaSid was not created correctly. This took the better part of two days to sort out. This means I had to be in work over the weekend