Re: [Samba] SAMBA 3.0.0 PDC + LDAP - Adding Computer Account

Patrick thor at firerun.net
Mon Nov 17 15:11:12 GMT 2003


Thanks, I did not notice the typo, but the funny thing is that it was
working with the typo.  I had an idea that using the people ou would
work, and I did some searching and found that someone else ran into the
same problem.  They used the same ou for user accounts and it worked.
So I tried it and everything seems to be working.  It looks like this is
a bug in Samba 3.  Someone has already reported this as a bug, so maybe
it will get fixed.

Patrick

Tarjei Bitustøyl wrote:

>Hi,
>
>First, there's an error in the smb.conf: ldap user suffix has a typo.
>
>Second, I ran into a similar problem myself. No matter what I do, I
>cannot make a computer register in the LDAP *with ldap machine suffix
>different from ldap people suffix*.
>
>I have no idea why this is, but it's working with the people and machine
>suffix in the same dn.
>
>Regards
>Tarjei
>
>-----Original message-----
>From: samba-bounces+astaroth=uses.nofw.org at lists.samba.org
>[mailto:samba-bounces+astaroth=uses.nofw.org at lists.samba.org] On behalf
>of critter at rmci.net
>Sent: 16 November 2003 21:58
>To: samba at samba.org
>Subject: [Samba] SAMBA 3.0.0 PDC + LDAP - Adding Computer Account
>
>Hello all,
>
>I'm having an issue with adding machine accounts to a Samba 3.0.0 PDC
>with an LDAP passwd db backend.  This is on a RedHat 9 with an rpm I
>compiled from the 3.0.0 release. I have configured samba to where it is
>using LDAP and able to add user accounts and group mappings to LDAP, but
>when I try to add a computer account using smbpasswd -a -m data it is
>not able to add the account.  I ran it with the debug option and here is
>what I get:
>
>(pts/2)[root at impact samba]# smbpasswd -a -m data -D 10
>Netbios name list:-
>my_netbios_names[0]="IMPACT"
>Trying to load: ldapsam:ldap://127.0.0.1
>Attempting to register passdb backend ldapsam
>Successfully added passdb backend 'ldapsam'
>Attempting to register passdb backend ldapsam_compat
>Successfully added passdb backend 'ldapsam_compat'
>Attempting to register passdb backend smbpasswd
>Successfully added passdb backend 'smbpasswd'
>Attempting to register passdb backend tdbsam
>Successfully added passdb backend 'tdbsam'
>Attempting to register passdb backend guest
>Successfully added passdb backend 'guest'
>Attempting to find an passdb backend to match ldapsam:ldap://127.0.0.1
>(ldapsam)
>Found pdb backend ldapsam
>Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MATRIX))]
>smbldap_search_suffix: searching
>for:[(&(objectClass=sambaDomain)(sambaDomainName=MATRIX))]
>smbldap_open_connection: ldap://127.0.0.1
>smbldap_open_connection: connection opened
>ldap_connect_system: Binding to ldap server ldap://127.0.0.1 as
>"cn=Samba
>Admin,ou=People,dc=firerun,dc=net"
>ldap_connect_system: succesful connection to the LDAP server
>The LDAP server is succesful connected
>pdb backend ldapsam:ldap://127.0.0.1 has a valid init
>Attempting to find an passdb backend to match guest (guest)
>Found pdb backend guest
>pdb backend guest has a valid init
>smbldap_search_suffix: searching
>for:[(&(uid=data$)(objectclass=sambaSamAccount))]
>ldapsam_getsampwnam: Unable to locate user [data$] count=0
>Finding user data$
>Trying _Get_Pwnam(), username as lowercase is data$
>Trying _Get_Pwnam(), username as uppercase is DATA$
>Checking combinations of 0 uppercase letters in data$
>Get_Pwnam_internals didn't find user [data$]!
>Failed initialise SAM_ACCOUNT for user data$.
>Failed to modify password entry for user data$
>
>
>My relevant smb.conf options are
>
>#====================== Password Database
>
># Define the backend to use
>passdb backend = ldapsam:ldap://127.0.0.1
>
># Define the DN that will be used to bind to the ldap directory
># must have write access to lmPassword and ntPassword attributes
># use smbpasswd -w secret to store password
>ldap admin dn = "cn=Samba Admin,ou=People,dc=firerun,dc=net"
>
># Should ssl be used to connect to ldap server
># (off, start tls, on) default = on
>ldap ssl = off
>
># smbpasswd -x delete the entire dn-entry
>ldap delete dn = no
>
># The machine and user suffix added to the base suffix
># wrote WITHOUT quotes.  NULL suffixes by default
>ldap user suffix = ou=People,dc=fireru,dc=net
>ldap group suffix = ou=Group,dc=firerun,dc=net
>ldap idmap suffix = ou=Idmap,dc=firerun,dc=net
>ldap machine suffix = ou=Computers,dc=firerun,dc=net
>
># Specify the base DN to use when searching the directory
>ldap suffix = "dc=firerun,dc=net"
>
># Specify the search filter. Generally the default is okay
># ldap filter = "(&(uid=%u)(objectclass=sambaAccount))"
>
># Should ldap passwords be synced with nt passwords
># (yes, no, only) default = no
>ldap passwd sync = no
>
># Allow adding a computer account to ldap
>add machine script = /etc/samba/ldapaddcomp %m$
>
>#======================
>
>As for the user data$ it already exists in the directory as:
>
># data$, Computers, firerun, net
>dn: uid=data$,ou=Computers,dc=firerun,dc=net
>uid: data$
>cn: Computer Account
>objectClass: account
>objectClass: posixAccount
>objectClass: top
>objectClass: shadowAccount
>uidNumber: 1007
>gidNumber: 1003
>homeDirectory: /dev/null
>gecos: Computer Account
>loginShell: /sbin/nologin
>description: Computer Account
>shadowLastChange: 12372
>shadowMin: 0
>shadowMax: 99999
>shadowWarning: 7
>
>When I do a getent passwd the computer account data$ shows up in the
>listing so by all accounts the account exists. As for LDAP ACL the Samba
>admin has write access to the Computer ou in the Directory so it should
>be able to update the information.  I did find out that in the ldap log
>it has:
>
>Nov 16 13:32:42 impact slapd[10664]: conn=9 op=1 SRCH
>base="ou=People,dc=firerun,dc=net" scope=1
>filter="(&(objectClass=posixAccount)(uid=DATA$))"
>
>So it appears that it might be searching the wrong ou for the account
>information.  Does anyone have any ideas what is happening or why I am
>unable to add machine accounts?
>
>Thank you in advance.
>Patrick Gunerud
>
>
>  
>
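Added example, not part of the original thread: a Python check over the values quoted above that tests whether the logged slapd search (base and scope) can return the existing machine entry, and whether each posted suffix lies under ldap suffix. It assumes the suffix values are full DNs as written in the posted smb.conf; the function names are hypothetical and DN parsing is simplified (no escaped commas).

```python
import re

# Constructed from the values quoted in the thread (wrapped log line re-joined).
SMB_CONF = """\
ldap user suffix = ou=People,dc=fireru,dc=net
ldap machine suffix = ou=Computers,dc=firerun,dc=net
ldap suffix = "dc=firerun,dc=net"
"""
SLAPD_LINE = ('Nov 16 13:32:42 impact slapd[10664]: conn=9 op=1 SRCH '
              'base="ou=People,dc=firerun,dc=net" scope=1 '
              'filter="(&(objectClass=posixAccount)(uid=DATA$))"')
ENTRY_DN = "uid=data$,ou=Computers,dc=firerun,dc=net"

def rdns(dn):
    """Split a DN into lower-cased RDNs (simplified: no escaped commas)."""
    return [r.strip().lower() for r in dn.strip().strip('"').split(",") if r.strip()]

def in_scope(entry_dn, base_dn, scope):
    """True if a search at base_dn can return entry_dn (slapd scope 0=base, 1=one, 2=sub)."""
    entry, base = rdns(entry_dn), rdns(base_dn)
    depth = len(entry) - len(base)  # how many levels the entry sits below the base
    if depth < 0 or entry[depth:] != base:
        return False  # the entry is not inside the base's subtree at all
    return {0: depth == 0, 1: depth == 1, 2: True}.get(scope, False)

def parse_srch(line):
    """Extract (base, scope) from a slapd SRCH log line, or None if absent."""
    m = re.search(r'SRCH base="([^"]*)" scope=(\d)', line)
    return (m.group(1), int(m.group(2))) if m else None

def suffix_findings(conf):
    """Flag user/machine suffixes outside 'ldap suffix' and report if they differ."""
    params = {}
    for line in conf.splitlines():
        if "=" in line and not line.lstrip().startswith(("#", ";")):
            name, value = line.split("=", 1)
            params[" ".join(name.lower().split())] = value.strip()
    base = params.get("ldap suffix", "")
    out = []
    for name in ("ldap user suffix", "ldap machine suffix"):
        if name in params and not in_scope(params[name], base, 2):
            out.append(f"{name} is not under ldap suffix: {params[name]}")
    if rdns(params.get("ldap user suffix", "")) != rdns(params.get("ldap machine suffix", "")):
        out.append("user and machine suffix differ")
    return out

if __name__ == "__main__":
    print(in_scope(ENTRY_DN, *parse_srch(SLAPD_LINE)), suffix_findings(SMB_CONF))
```

On the posted values the one-level search under ou=People cannot return uid=data$ in ou=Computers, and the user suffix is flagged because dc=fireru does not match the base.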




