[Samba] Re: [idx-smbldap-tools ] smbldap-tools and joining workstation to domain - fix patches

Andres Toomsalu andres at active.ee
Mon Jun 6 06:59:57 GMT 2005


Patches for smbldap-tools v0.8.8 and v0.9.1 to fix workstation domain
joining with "smbldap-useradd -w '%u'"

With these patches workstation domain joining works for me.  There is no
need to make the computer account first - the workstation will make it
automatically during the joining process.  Inside these patches the
sambaNTPassword attribute's initial value is set to 'kala' - the workstation
will overwrite that value during the joining process - so no need to worry.
It has to be set at the start because the sambaNTPassword entry is needed for
automatic one-step error-free joining and the sambaNTPassword entry can't be
empty when adding the initial entry set to ldap.

Download links for these patches are:
http://www.active.ee/download/smbldap-useradd-0.8.8.diff
http://www.active.ee/download/smbldap-useradd-0.9.1.diff

Cheers,

-- 
----------------------------------------------
Andres Toomsalu, andres at active.ee
juhataja - general manager, OÜ Active Systems
Lille 4-205, Pärnu 80041, phone +372 44 70 595
GSM +372 56 496 124, IM: frame at jabber.org
http://www.active.ee


Andres Toomsalu wrote:

>Tim Verhoeven wrote:
>
>>On 6/4/05, Andres Toomsalu <andres at active.ee> wrote:
>>
>>>I've reported this before but I guess I'll have to do it again, since
>>>it's not fixed yet or I'm understanding something wrong here.
>>>
>>>The problem is that smbldap-useradd -w 'machinename' will add only
>>>posixAccount entries into ldap but it should add both posixAccount and
>>>sambaSAMAccount entries.
>>>
>>>So if one doesn't add correct machine account entries manually to ldap
>>>the windows workstation domain joining is impossible.
>>>
>>In my experience the smbldap-useradd behaviour is correct. It will
>>only add the posixAccount part of a machine account. Then when you
>>actually join a machine to a domain Samba itself will modify the
>>machine account and add the sambaSAMAccount parts.
>>
>>For this to work you will of course also need to configure Samba so that
>>it has an ldap account that has the rights to update items in the ldap
>>tree.
>>
>I just made fresh tests again with win xp pro sp2 and samba 3.0.14a +
>smbldap-tools 0.88 just to be sure nothing has changed meanwhile:
>
>1) I can't join an XP workstation to the domain when I don't have a computer
>account in ldap - the error is "Access denied".  As a result it makes a computer
>account in ldap but only the posixAccount part of it, as smbldap-useradd -w
>does it.
>2) I can't join an XP workstation to the domain when I do have a computer account
>in ldap - but only posixAccount entries, as smbldap-useradd -w '%u' makes
>them like that - the error is "Access denied".
>3) I can join an XP workstation to the domain when I manually make correct
>computer account entries in ldap with phpldapadmin - then there are both
>posixAccount and sambaSamAccount entries present.
>
>Here are copy-paste samples of computer accounts in my ldap - the first
>sample is made with smbldap-useradd -w and the second, which actually works, is
>made manually:
>
># Entry 1: uid=testmasin$,ou=Computers,dc=active,dc=ee
>dn: uid=testmasin$,ou=Computers,dc=active,dc=ee
>objectClass: top
>objectClass: inetOrgPerson
>objectClass: posixAccount
>cn: testmasin$
>sn: testmasin$
>uid: testmasin$
>uidNumber: 1016
>gidNumber: 515
>homeDirectory: /dev/null
>loginShell: /bin/false
>description: Computer
>gecos: Computer
>
>
># Entry 1: uid=windesk$,ou=Computers,dc=active,dc=ee
>dn: uid=windesk$,ou=Computers,dc=active,dc=ee
>gidNumber: 515
>uidNumber: 3002
>uid: windesk$
>sambaSID: S-1-5-21-530076877-4031960640-1585896771-7004
>sambaAcctFlags: [W          ]
>cn: windesk
>homeDirectory: /dev/null
>objectClass: top
>objectClass: sambaSamAccount
>objectClass: posixAccount
>objectClass: account
>sambaPwdMustChange: 2147483647
>sambaPwdCanChange: 1118035851
>sambaNTPassword: D8B4AEB073153BADC4CD6DE75CF1BFB0
>sambaPwdLastSet: 1118035851
>
>
>
>So joining XP workstations to the domain with smbldap-tools doesn't work for
>me. I still think there is a bug in the smbldap-useradd script in that it won't
>add sambaSamAccount entries when invoked as "smbldap-useradd -w '%u'".
>
>I don't think sambaSamAccount entries are being added during the domain
>joining procedure because for domain joining samba uses the very same
>"smbldap-useradd -w '%u'" command - which doesn't add any
>sambaSamAccount entries.
>
>
>>>The Samba Openldap howto clearly documents that smbldap-useradd -w
>>>'workstation' should produce the following entries in ldap:
>>>
>>>dn: uid=testhost3$,ou=Computers,dc=IDEALX,dc=ORG
>>>objectClass: top
>>>objectClass: posixAccount
>>>objectClass: sambaSAMAccount
>>>cn: testhost3$
>>>gidNumber: 553
>>>homeDirectory: /dev/null
>>>loginShell: /bin/false
>>>uid: testhost3$
>>>uidNumber: 1005
>>>sambaPwdLastSet: 0
>>>sambaLogonTime: 0
>>>sambaLogoffTime: 2147483647
>>>sambaKickoffTime: 2147483647
>>>sambaPwdCanChange: 0
>>>sambaPwdMustChange: 2147483647
>>>description: Computer Account
>>>rid: 0
>>>primaryGroupID: 0
>>>lmPassword: 7582BF7F733351347D485E46C8E6306E
>>>ntPassword: 7582BF7F733351347D485E46C8E6306E
>>>acctFlags: [W          ]
>>>
>>So my guess is that this is a bug in the documentation and not in the code.
>>
>>Kind regards,
>>Tim
>

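As an added illustration (not code from this thread or from smbldap-tools), a small Python check that reads an LDIF dump of ou=Computers and reports which machine accounts look like the posixAccount-only entries the thread describes versus the complete ones that joined. The required-attribute checklist is an assumption taken from the working entry quoted above; the sample LDIF, SID and hash are constructed.

```python
# Constructed sample: a posixAccount-only entry (as the thread says
# smbldap-useradd -w produced) and a complete, joinable one.
SAMPLE_LDIF = """\
dn: uid=testmasin$,ou=Computers,dc=example,dc=org
objectClass: top
objectClass: posixAccount
uid: testmasin$
uidNumber: 1016

dn: uid=windesk$,ou=Computers,dc=example,dc=org
objectClass: top
objectClass: sambaSamAccount
objectClass: posixAccount
uid: windesk$
sambaSID: S-1-5-21-0-0-0-7004
sambaAcctFlags: [W          ]
sambaNTPassword: 00000000000000000000000000000000
"""

def parse_ldif(text):
    """Minimal LDIF reader (no base64 '::' decoding): attr -> [values] per entry."""
    entries = []
    # LDIF folds long values onto a following line that starts with one space.
    for block in text.replace("\n ", "").split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if line and not line.startswith("#"):
                attr, _, val = line.partition(":")
                entry.setdefault(attr.strip(), []).append(val.strip())
        if entry:
            entries.append(entry)
    return entries

def check_machine_account(entry):
    """Reasons a join would fail; checklist assumed from the working entry in the thread."""
    classes = set(entry.get("objectClass", []))
    problems = [f"missing objectClass {c}"
                for c in ("posixAccount", "sambaSamAccount") if c not in classes]
    for attr in ("sambaSID", "sambaNTPassword", "sambaAcctFlags"):
        if not entry.get(attr, [""])[0]:
            problems.append(f"missing or empty {attr}")
    # A missing flags attribute is already reported above, hence the "W" default.
    if "W" not in entry.get("sambaAcctFlags", ["W"])[0]:
        problems.append("sambaAcctFlags lacks the workstation flag W")
    return problems

def audit(text):
    """Map every uid ending in '$' to its problem list (empty = looks joinable)."""
    return {e["uid"][0]: check_machine_account(e)
            for e in parse_ldif(text) if e.get("uid", [""])[0].endswith("$")}
```

Run `audit()` over the output of an ldapsearch of ou=Computers in LDIF form; any account with a non-empty problem list is one that would hit the "Access denied" described above.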