[Samba] Re: smbldap-tools don't create machine account properlly

daves-jr at cecom.ufmg.br daves-jr at cecom.ufmg.br
Fri Oct 22 14:22:12 GMT 2004



Your ldap.conf
  nss_base_passwd ou=Usuarios,dc=unimix,dc=com,dc=br?one
Your smb.conf
  ldap machine suffix = ou=Computadores

Your nsswitch search of the LDAP base is restricted to ou=Usuarios,
dc=unimix,dc=com,dc=br ...
You need to change your machine suffix to the same suffix used by
nss_base_passwd, or let nsswitch search the machine suffix base.


---------------------------------------------------
Emerson Henrique Kfuri Pereira

Divisão de Atendimento e Consultoria
CECOM - Reitoria - UFMG
Phone: 34994009
---------------------------------------------------
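The mismatch Emerson points at can be checked mechanically: nss_ldap's `nss_base_passwd` takes a `base?scope` value, and with scope `one` only direct children of `ou=Usuarios` are returned, so an entry `uid=suporte$,ou=Computadores,dc=unimix,dc=com,dc=br` is invisible to `getpwnam()` even though it exists in the directory. The following script is an added example, not code from the thread or from Samba or smbldap-tools; it models the LDAP scope rules (`base`, `one`, `sub`) with a deliberately simple DN splitter (no escaped-comma handling) and evaluates both of the fixes suggested above against the values from Fernando's own configs.

```python
"""Check whether a Samba machine-account DN is visible to nss_ldap.

Added example for the thread above. It models the nss_ldap
'nss_base_passwd base?scope' syntax and LDAP search scopes, then tests
whether the DN that 'smbldap-useradd -w' creates under 'ldap machine
suffix' would be returned by an NSS passwd lookup. The DN parser is a
simplification (splits on ',' only) sufficient for these configs.
"""


def parse_dn(dn):
    """Split a DN into RDN strings, most specific first, lowercased and
    stripped so that comparisons ignore case and spacing."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def dn_in_scope(entry_dn, base, scope="sub"):
    """True if entry_dn is returned by a search rooted at base with the
    given scope: base = the base entry only, one = direct children only,
    sub = the base and every descendant."""
    entry = parse_dn(entry_dn)
    root = parse_dn(base)
    # The entry must end with the base's RDNs to be under it at all.
    if len(entry) < len(root) or entry[len(entry) - len(root):] != root:
        return False
    depth = len(entry) - len(root)
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError(f"unknown LDAP scope {scope!r}")


def parse_nss_base(value):
    """Parse an nss_ldap value such as 'ou=Usuarios,dc=x?one' into
    (base, scope); nss_ldap defaults the scope to 'sub' when omitted."""
    base, _sep, scope = value.partition("?")
    return base, (scope or "sub")


def machine_dn(account, smb_conf):
    """DN smbldap-useradd -w would create for a machine account, from the
    'ldap machine suffix' and 'ldap suffix' smb.conf settings."""
    return f"uid={account},{smb_conf['ldap machine suffix']},{smb_conf['ldap suffix']}"


def nss_can_see(entry_dn, ldap_conf):
    """True if any nss_base_passwd base/scope pair covers entry_dn, i.e.
    getpwnam() through nss_ldap could find it."""
    return any(dn_in_scope(entry_dn, *parse_nss_base(v))
               for v in ldap_conf["nss_base_passwd"])


# Values taken from the ldap.conf and smb.conf quoted in the thread.
LDAP_CONF_AS_POSTED = {
    "nss_base_passwd": ["ou=Usuarios,dc=unimix,dc=com,dc=br?one"],
}
SMB_CONF_AS_POSTED = {
    "ldap suffix": "dc=unimix,dc=com,dc=br",
    "ldap machine suffix": "ou=Computadores",
}

# Fix 1 (Emerson's first suggestion): put machines under the same suffix
# that nss_base_passwd already searches.
SMB_CONF_MACHINES_IN_USERS = dict(SMB_CONF_AS_POSTED, **{"ldap machine suffix": "ou=Usuarios"})

# Fix 2 (Emerson's second suggestion): let NSS search a base that also
# covers the machine suffix; a subtree search from the ldap suffix does.
LDAP_CONF_WIDENED = {
    "nss_base_passwd": ["dc=unimix,dc=com,dc=br?sub"],
}


def diagnose(account, smb_conf, ldap_conf):
    """Return (dn, visible) so the result can be shown or asserted."""
    dn = machine_dn(account, smb_conf)
    return dn, nss_can_see(dn, ldap_conf)


if __name__ == "__main__":
    for label, smb, ldap in (
        ("as posted", SMB_CONF_AS_POSTED, LDAP_CONF_AS_POSTED),
        ("fix 1: machine suffix = ou=Usuarios", SMB_CONF_MACHINES_IN_USERS, LDAP_CONF_AS_POSTED),
        ("fix 2: nss_base_passwd widened to ?sub", SMB_CONF_AS_POSTED, LDAP_CONF_WIDENED),
    ):
        dn, ok = diagnose("suporte$", smb, ldap)
        print(f"{label}: {dn} -> {'visible' if ok else 'NOT visible'} to nss_ldap")
```

With the configs as posted the machine DN is reported as not visible, which is exactly what the `Get_Pwnam_internals didn't find user [suporte$]!` lines in the smbd log show after the add machine script has run; either fix makes the lookup succeed, and on the real host the same check is `getent passwd 'suporte$'` after editing the files.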

> Fernando Ribeiro <musb at nerdgroup.org>
> Sent By: samba-bounces+daves-jr=ufmg.br at lists.samba.org
>
> 22/10/2004 11:52
>
> To
>
> samba at lists.samba.org
>
> cc
>
> Subject
>
> Re: [Samba] Re: smbldap-tools don't create machine account properlly
>
> Hi Igor,
>
>    my slapd.conf
>
>    include /usr/local/etc/openldap/schema/core.schema
>    include /usr/local/etc/openldap/schema/cosine.schema
>    include /usr/local/etc/openldap/schema/inetorgperson.schema
>    include /usr/local/etc/openldap/schema/nis.schema
>    include /usr/local/etc/openldap/schema/samba.schema
>    include /usr/local/etc/openldap/schema/qmail.schema
>
>    pidfile /usr/local/var/run/slapd.pid
>    argsfile /usr/local/var/run/slapd.args
>
>    database  bdb
>    suffix "dc=unimix,dc=com,dc=br"
>    rootdn "cn=suporte,dc=unimix,dc=com,dc=br"
>    rootpw {SSHA}pass
>    directory /usr/local/var/openldap-data
>
>    password-hash {CRYPT}
>    password-crypt-salt-format "$1$.8s"
>
>    index objectClass,uidNumber,gidNumber eq
>    index cn,sn,uid,displayName eq
>    index memberUid,mail,mailAlternateAddress,givenname,
> accountStatus,mailHost,deliveryMode eq
>    index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
>    index default sub
>
>    access to attrs=userPassword,sambaLMPassword,sambaNTPassword
>   by self write
>   by anonymous auth
>   by * read
>
>   access to *
>   by * read
>
>
>   My ldap.conf
>
>   base dc=unimix,dc=com,dc=br
>   host ldap.unimix.com.br
>
>   rootbinddn cn=suporte,dc=unimix,dc=com,dc=br
>   nss_base_passwd ou=Usuarios,dc=unimix,dc=com,dc=br?one
>   nss_base_shadow ou=Usuarios,dc=unimix,dc=com,dc=br?one
>   nss_base_group ou=Grupos,dc=unimix,dc=com,dc=br?one
>
>
>     My smb.conf
>
>
> [global]
>    workgroup = UNIMIX
>    netbios name = PDC
>    server string = PDC
>    security = user
>    encrypt passwords = yes
>    load printers = yes
>    log file = /var/log/samba/%m.log
>    max log size = 50
>    log level = 2
>    os level = 255
>    local master = yes
>    domain master = yes
>    preferred master = yes
>    domain logons = yes
>    admin users = Administrador, Administrator, fernando.ribeiro
>    logon script = %U.bat
>    logon path = \\%L\profiles\%U
>    ldap passwd sync = yes
>     ldap delete dn = Yes
>    passdb backend = ldapsam:ldap://ldap.unimix.com.br/
>    ldap admin dn = cn=suporte,dc=unimix,dc=com,dc=br
>    ldap suffix = dc=unimix,dc=com,dc=br
>    ldap group suffix = ou=Grupos
>    ldap user suffix = ou=Usuarios
>    ldap machine suffix = ou=Computadores
>    idmap uid = 10000-15000
>     idmap gid = 10000-15000
>    nt acl support = yes
>    create mask = 600
>    directory mask = 0700
>    force directory mode = 0700
>    passwd chat = *New*password* %n\n *Retype*new*password* %
> n\n*passwd:*all*authentication*tokens*updated*successfully*
>    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>     add user script = /usr/local/sbin/smbldap-useradd -m "%u"
>     add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
>     add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
>      add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
>     delete user script = /usr/local/sbin/smbldap-userdel "%u"
>      delete group script = /usr/local/sbin/smbldap-groupdel "%g"
>    delete user from group script = /usr/local/sbin/smbldap-groupmod
> -x "%u" "%g"
>      set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
>    dos charset = UTF-8
>     unix charset = UTF-8
>     cups server = 10.0.0.11
>
> [homes]
>    comment = Diretorio Home
>    browseable = no
>    writable = yes
>   force user = %U
>
> [profiles]
>   path = /home/profiles
>   read only = No
>   create mask = 0600
>   directory mask = 0700
>   browseable = No
>   guest ok = Yes
>   profile acls = Yes
>   csc policy = disable
>   force user = %U
>    valid users = %U @"Domain Admins"
>
> [netlogon]
>    path = /home/netlogon
>    browseable = No
>    read only = yes
>
> [printers]
>    comment = Impressoras
>    path = /var/spool/samba
>    browseable = no
>    guest ok = no
>    writable = no
>    printable = yes
>
>
>    My samba returns these errors:
>
>    [2004/10/22 10:48:34, 5] lib/smbldap.c:smbldap_search(963)
>   smbldap_search: base => [dc=unimix,dc=com,dc=br], filter =>
>   [(&(uid=suporte$)(objectclass=sambaSamAccount))], scope => [2]
>   [2004/10/22 10:48:34, 4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1266)
>   ldapsam_getsampwnam: Unable to locate user [suporte$] count=0
>   [2004/10/22 10:48:34, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
>   pop_sec_ctx (0, 1000) - sec_ctx_stack_ndx = 0
>   [2004/10/22 10:48:34, 5] lib/username.c:Get_Pwnam(293)
>   Finding user suporte$
>   [2004/10/22 10:48:34, 5] lib/username.c:Get_Pwnam_internals(223)
>   Trying _Get_Pwnam(), username as lowercase is suporte$
>   [2004/10/22 10:48:34, 5] lib/username.c:Get_Pwnam_internals(239)
>   Trying _Get_Pwnam(), username as uppercase is SUPORTE$
>   [2004/10/22 10:48:34, 5] lib/username.c:Get_Pwnam_internals(247)
>   Checking combinations of 0 uppercase letters in suporte$
>   [2004/10/22 10:48:34, 5] lib/username.c:Get_Pwnam_internals(251)
>   Get_Pwnam_internals didn't find user [suporte$]!
>   [2004/10/22 10:48:35, 3] rpc_server/srv_samr_nt.c:_samr_create_user(2245)
>   _samr_create_user: Running the command `/usr/local/sbin/smbldap-
> useradd -w "suporte$"' gave 9
>   [2004/10/22 10:48:35, 5] lib/username.c:Get_Pwnam(293)
>   Finding user suporte$
>   [2004/10/22 10:48:35, 5] lib/username.c:Get_Pwnam_internals(223)
>   Trying _Get_Pwnam(), username as lowercase is suporte$
>   [2004/10/22 10:48:35, 5] lib/username.c:Get_Pwnam_internals(239)
>   Trying _Get_Pwnam(), username as uppercase is SUPORTE$
>   [2004/10/22 10:48:35, 5] lib/username.c:Get_Pwnam_internals(247)
>   Checking combinations of 0 uppercase letters in suporte$
>   [2004/10/22 10:48:35, 5] lib/username.c:Get_Pwnam_internals(251)
>   Get_Pwnam_internals didn't find user [suporte$]!
>
>    It doesn't find the suporte$ machine.
>    But it exists.
>
> > >   dn: uid=suporte$,ou=Computadores,dc=unimix,dc=com,dc=br
> > >   objectClass: top
> > >   objectClass: inetOrgPerson
> > >   objectClass: posixAccount
> > >   cn: suporte$
> > >   sn: suporte$
> > >   uid: suporte$
> > >   uidNumber: 1020
> > >   gidNumber: 1000
> > >   homeDirectory: /dev/null
> > >   loginShell: /bin/false
> > >   description: Computer
> > >   gecos: Computer
>
>    But without sambasamaccount.
>
>    PS. s/Computers/Computadores/g =)
>
>    Any idea?
>
>    Thanks
>
>
> In the words of Igor Belyi [Thu, Oct 21, 2004 at 06:32:27PM -0400]:
> > Is it possible that 'ldap admin dn' used in your smb.conf does not have
> > write access to 'ou=Computers,dc=unimix,dc=com,dc=br'? What was the
> > error in smbd log when machine failed to join the Domain?
> >
> > Igor
> >
> > Fernando Ribeiro wrote:
> > >Hi all,
> > >
> > >   I have smb.conf with:
> > >
> > >
> > >   add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
> > >   add user script = /usr/local/sbin/smbldap-useradd -m "%u"
> > >   add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
> > >   add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
> > >   add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
> > >   delete user script = /usr/local/sbin/smbldap-userdel "%u"
> > >   delete group script = /usr/local/sbin/smbldap-groupdel "%g"
> > >   delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
> > >   set primary group script = /usr/local/sbin/smbldap-usermod -g "%g"
> > >   "%u"
> > >
> > >   While I try to include the w2k machine in the samba domain it creates the
> > >   ldap machine account entry:
> > >
> > >   dn: uid=suporte$,ou=Computers,dc=unimix,dc=com,dc=br
> > >   objectClass: top
> > >   objectClass: inetOrgPerson
> > >   objectClass: posixAccount
> > >   cn: suporte$
> > >   sn: suporte$
> > >   uid: suporte$
> > >   uidNumber: 1020
> > >   gidNumber: 1000
> > >   homeDirectory: /dev/null
> > >   loginShell: /bin/false
> > >   description: Computer
> > >   gecos: Computer
> > >
> > >   And it doesn't join the samba domain.
> > >
> > >   While I create a machine account manually with:
> > >
> > >   dn: uid=suporte$,ou=Computadores,dc=unimix,dc=com,dc=br
> > >   gidNumber: 30000
> > >   uidNumber: 1022
> > >   uid: suporte$
> > >   sambaSID: S-1-5-21-715268823-1473299472-2771147885-3044
> > >   sambaAcctFlags: [W          ]
> > >   cn: suporte
> > >   homeDirectory: /dev/null
> > >   objectClass: top
> > >   objectClass: sambaSamAccount
> > >   objectClass: posixAccount
> > >   objectClass: account
> > >
> > >   It joins the samba domain without problem.
> > >
> > >   Does anyone know why it doesn't create sambaSamAccount?
> > >   Does a machine account need inetOrgPerson?
> > >
> > >   Thanks
> > >
> > >
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions:  http://lists.samba.org/mailman/listinfo/samba
> >
>
> --
> Fernando Ribeiro - GPG-KEY: 0x8D7255F4
> Linux Counter: #273768 - ICQ: 175630330
> LPIC-2 - Advanced Linux
> Death the graph! Death the mouse
> Death patents! Death closed standards!
> http://www.nerdgroup.org
> http://musb.nerdgroup.org
> --------------------------------------
> "Great minds discuss ideas;
> average minds discuss events;
> small minds discuss people."
> --------------------------------------
> "A mind that opens itself to a new idea
> never returns to its original size."
> Albert Einstein

