[Samba] PDC witch LDAP and machine account lookup

Stefan Michalsky stefan.michalsky at farbwahl.de
Thu Oct 1 11:01:27 MDT 2009


Hey Bruno,

it seems that the problem is something else. I tested on one computer
(farbwahl06 - WinXP Pro client) most of the time. But I have another machine
to test (farbwahl04 - WinVista client).
I moved the machine account for farbwahl04 from People to Computers and
everything works fine. So I tried all variants for farbwahl06 (account in
People and Computers, changed suffixes and so on) and the machine account for
farbwahl06 seems to be broken. I tried to create a new one, but this doesn't
help either.

So how do you create machine accounts? Perhaps I am missing something.
Adding machine accounts automatically doesn't work either, by the way. The
Samba server is a Gentoo box (Linux version 2.6.23-hardened-r12).

Please find attached my smb.conf (farbwahl04 is working with this)

>>>
[global]
        dos charset = 850
        unix charset = ISO8859-1
        workgroup = TEST-DOMAIN
        interfaces = eth0
        map to guest = Bad User
        passdb backend = ldapsam:ldap://localhost
        username map = /etc/samba/smbusers
        log level = 10
        log file = /var/log/samba/log.%m
        max log size = 50000
        add user script = /usr/sbin/smbldap-useradd -a -d '/home/%u' -m -g 'Domain Users' '%u'
        delete user script = /usr/sbin/smbldap-userdel '%u'
        add group script = /usr/sbin/smbldap-groupadd '%g' && /usr/sbin/smbldap-groupshow %g|awk '/^gidNumber:/ {print $2}'
        delete group script = /usr/sbin/smbldap-groupdel '%g'
        add user to group script = /usr/sbin/smbldap-groupmod -m '%u' '%g'
        delete user from group script = /usr/sbin/smbldap-groupmod -x '%u' '%g'
        set primary group script = /usr/sbin/smbldap-usermod -g '%g' '%u'
        add machine script = /usr/sbin/smbldap-useradd -w -d /dev/null -g 'Domain Computers' -c 'Machine Account' -s /bin/false '%u'
        logon path = \\%L\Profiles\%U
        logon drive = w:
        logon home = \\%L\%U
        logon script = logonscripts\%U
        domain logons = Yes
        os level = 65
        preferred master = Yes
        domain master = Yes
        dns proxy = No
        wins support = Yes
        ldap admin dn = cn=smbadmin,ou=People,dc=testing,dc=de
        ldap group suffix = ou=Groups
        ldap idmap suffix = cn=Idmap
        ldap machine suffix = ou=Computers
        ldap suffix = dc=testing,dc=de
        ldap user suffix = ou=People
        winbind separator = #
        winbind use default domain = Yes
        hosts allow = 192.168.2.

[homes]
        comment = Home Directories
        valid users = %S
        read only = No
        browseable = No

[netlogon]
        comment = Network Logon Service
        path = /home/__netlogon__
        admin users = root
        read only = No
        browseable = No
        preexec = /home/__netlogon__/genlogon.pl %U %m

[Profiles]
        comment = For Windows Profile
        path = /var/lib/samba/profiles/%U
        read only = No
        profile acls = Yes
        browseable = No
        create mask = 0600
        directory mask = 0700

[public]
        path = /home/__public__
        force user = public
        force group = public
        read only = No

[sharehome]
        path = /home/share
        read only = No

[sharesrc]
        path = /usr/src
        read only = No

[backup]
        comment = The folder for backups
        path = /home/backup
        force user = backupexternal
        force group = backup
        read only = No
        guest ok = Yes

[Projekt_A]
        comment = For the Project A
        path = /home/projekt_a
        directory mask = 0770
        force group = Projekt A
        force create mode = 0770
        force directory mode = 0770
        read only = No
        guest ok = No
        browsable = No
        hide unreadable = Yes
        read list = @projekt_a_read
<<<

Kind regards,
Stefan
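The slapd line quoted further down in this thread is a subtree search on ou=People with the filter (&(objectClass=posixAccount)(uid=farbwahl06$)). That filter has the shape of an NSS passwd lookup (nss_ldap's passwd search base), not of Samba 3's own ldapsam query, which filters on sambaSamAccount and searches the whole "ldap suffix". A machine account therefore has to sit where both lookups can reach it, and Samba must also be able to resolve it as a POSIX account. The script below is an added example and is not part of this thread, of Samba or of smbldap-tools: it parses a constructed smb.conf fragment and a constructed LDIF export and reports, for each machine account (uid ending in "$"), whether it is under "ldap suffix", under "ldap machine suffix", and under an assumed NSS passwd base (NSS_BASE_PASSWD, standing in for a hypothetical /etc/ldap.conf nss_base_passwd value). All function and variable names are the example's own.

```python
"""Offline check: can both Samba's ldapsam and the NSS passwd lookup reach each
machine account?  Uses constructed smb.conf and LDIF text instead of a live
directory (example code, not from the thread or from Samba)."""

# Constructed smb.conf fragment mirroring the [global] suffixes in the post.
SMB_CONF = """
[global]
        ldap suffix = dc=testing,dc=de
        ldap user suffix = ou=People
        ldap machine suffix = ou=Computers
"""

# Constructed LDIF: one machine account under ou=Computers, one under ou=People.
LDIF = """
dn: uid=farbwahl04$,ou=Computers,dc=testing,dc=de
objectClass: posixAccount
objectClass: sambaSamAccount
uid: farbwahl04$

dn: uid=farbwahl06$,ou=People,dc=testing,dc=de
objectClass: posixAccount
objectClass: sambaSamAccount
uid: farbwahl06$
"""

# Assumption: the NSS passwd base the log line suggests (hypothetical nss_base_passwd).
NSS_BASE_PASSWD = "ou=People,dc=testing,dc=de"


def parse_smb_conf(text):
    """Return the [global] parameters as a dict (keys lower-cased, spaces collapsed)."""
    params, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)  # values may themselves contain '='
            params[" ".join(key.split()).lower()] = value.strip()
    return params


def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, attribute names
    matched exactly (enough for the constructed input above)."""
    entries, current = [], None
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
            current = None
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        if key == "dn":
            current = {"dn": value}
        elif current is not None:
            current.setdefault(key, []).append(value)
    if current:
        entries.append(current)
    return entries


def normalize_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_under(dn, base):
    """True if dn equals base or lies beneath it, i.e. a subtree (scope=2) search at base finds it."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return d == b or d.endswith("," + b)


def check_machine_accounts(smb_conf, ldif, nss_base_passwd):
    """Map each machine account uid to the list of placement problems found (empty list = fine)."""
    params = parse_smb_conf(smb_conf)
    suffix = params["ldap suffix"]                       # Samba 3 ldapsam searches this whole subtree
    machine_base = f"{params['ldap machine suffix']},{suffix}"
    report = {}
    for entry in parse_ldif(ldif):
        uids = entry.get("uid", [])
        if not any(u.endswith("$") for u in uids):
            continue  # not a machine account
        classes = entry.get("objectClass", [])
        problems = []
        if "sambaSamAccount" not in classes:
            problems.append("missing sambaSamAccount objectClass")
        if "posixAccount" not in classes:
            problems.append("missing posixAccount objectClass")
        if not is_under(entry["dn"], suffix):
            problems.append(f"outside ldap suffix {suffix}")
        if not is_under(entry["dn"], machine_base):
            problems.append(f"not under ldap machine suffix {machine_base}")
        if not is_under(entry["dn"], nss_base_passwd):
            problems.append(f"outside NSS passwd base {nss_base_passwd}")
        report[uids[0]] = problems
    return report


if __name__ == "__main__":
    for name, problems in check_machine_accounts(SMB_CONF, LDIF, NSS_BASE_PASSWD).items():
        print(name, "OK" if not problems else "; ".join(problems))
```

With the constructed input, farbwahl04$ is flagged as unreachable from the NSS passwd base and farbwahl06$ as lying outside the configured machine suffix, which is the situation the thread describes. In practice the two constructed strings would be replaced by the real smb.conf and an `ldapsearch -LLL` export, and the NSS base by the value actually configured on the server.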



-----Original Message-----
From: Bruno MACADRE [mailto:bruno.macadre at univ-rouen.fr] 
Sent: Thursday, 1 October 2009 17:51
To: Stefan Michalsky
Subject: Re: [Samba] PDC witch LDAP and machine account lookup

Stefan Michalsky wrote:
> Hey all,
> 
> I have the following problem: I set up a PDC with Samba with an LDAP
> backend. Everything works fine but the machine account lookup. If I try to
> log on to the domain I have to create the machine account in
> ou=People,dc=testing,dc=de. Everything works fine with this. But if I create
> the machine account in ou=Computers,dc=testing,dc=de and change all suffixes
> according to this, the search performed looks like this in the slapd log file:
> 
> Oct  1 15:42:59 [slapd] conn=908 op=4 SRCH base="ou=People,dc=testing,dc=de" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=farbwahl06$))"
> 
> So where is the mistake? I found some forum posts but all with no answers.
> Is it a configuration issue or a software problem?
> 
> Thanks
> 
> Stefan
> 
Hi,

	Are you sure that your "ldap machine suffix" is changed to "ldap
machine suffix = ou=Computers" ?

	Can you show your smb.conf when you want to have machine account in
ou=Computers ?

	Regards,
	Bruno

-- 

Bruno MACADRE
-------------------------------------------------------------------
 Ingénieur Systèmes et Réseau     | Systems and Network Engineer
 Département Informatique         | Department of computer science
 Responsable Réseau et Téléphonie | Telecom and Network Manager
 Université de Rouen              | University of Rouen
-------------------------------------------------------------------
Contact:
	Université de Rouen
	Faculté des Sciences et Techniques - Madrillet
	Avenue de l'Université - BP12
	76801 St Etienne du Rouvray CEDEX

	Tel: +33 (0)2-32-95-51-86
	Fax: +33 (0)2-32-95-51-87
-------------------------------------------------------------------
