RE pdb_ldap.c, ldapsam_add_sam_account, existing posixaccount

John H Terpstra jht at Samba.Org
Thu May 26 18:15:05 GMT 2005


Stéphane,

The book "Samba-3 by Example" is being reprinted very soon. Up to date builds 
of the PDF are available on the Samba web site daily. This document can be 
downloaded from:

	http://www.samba.org/samba/docs/Samba-Guide.pdf

In chapter 5 I have fully documented how Samba-3 can be deployed with LDAP and 
using the smbldap-tools. It works perfectly for me and in many sites that 
have given me feedback that it works. Over the past two months I have 
received and applied about 40 suggestions for improvement. Every report that 
it does not work has been resolved, but given all of this I am 100% certain 
that there are still bugs in there.

I would greatly appreciate if you could test-drive this chapter and report 
back any bugs or problems you come across.

I will personally work with you to resolve any issues that you may find.

Your claim below that there has been no reaction from the Samba Team is wrong. 
A number of us have worked with Jerome Tournier, which has resulted in the 
0.9.0 release of the smbldap-tools. We do not make a practice of ignoring our 
users. I have been working on updating our documentation also as a result of 
feedback and bug reports. You have never been ignored.

The smbldap-tools should be configured to handle only the POSIX part of LDAP 
based accounts. Samba should handle all the sambaSAM components.

Please review chapter 5 and give me your feedback. I am anxious to fix any 
problem you may have.

Cheers,
John T.


On Thursday 26 May 2005 09:12, spu at corman.be wrote:
> Ok,
>
> I re-read the script and the sambasamaccount is only added with the -i option.
>
> My position is:
>       - I asked about the problem in 2004, and I put in a BUG.  For some reason, no
> reaction from the samba team for this problem.
>       - My solution is to modify the smbldap script to add sambasamaccount
> and add a machine in two steps; it works (until today)
>
> add these lines after the
> if (defined($Options{'i'})) {
>
> > ...
> > }
>
>  if (defined($Options{'w'})) {
>     # For machine account
>     # Objectclass sambaSAMAccount must be added now !
>
>     my $date=time;
>     my $modify = $ldap_master->modify (
>         "uid=$userName,$config{computersdn}",
>         changes => [
>             replace => [objectClass => ['inetOrgPerson', 'posixAccount', 'sambaSAMAccount']],
>             add => [sambaLogonTime => '0'],
>             add => [sambaLogoffTime => '2147483647'],
>             add => [sambaKickoffTime => '2147483647'],
>             add => [sambaPwdCanChange => '0'],
>             add => [sambaPwdMustChange => '2147483647'],
>             add => [sambaPwdLastSet => "$date"],
>             add => [sambaAcctFlags => '[W          ]'],
>             add => [sambaSID => "$user_sid"],
>             add => [sambaPrimaryGroupSID => "$config{SID}-515"]
>         ]
>     );
>
>     $modify->code && die "failed to add entry: ", $modify->error ;
>     }
>
> Ask me if there is a problem. I cannot add a machine today, but if you can
> test for me I would appreciate it.
>
> thanks
>
>
>       Stéphane Purnelle
>
> -----------------------------------
> Stéphane PURNELLE                         stephane.purnelle at corman.be
> Service Informatique       Corman S.A.           Tel : 00 32 087/342467
>
> samba-technical-bounces+stephane.purnelle=corman.be at lists.samba.org wrote
> on 26/05/2005 16:57:49:
> > spu at corman.be wrote:
> > > I forgot some details.
> > > The script adds the sambasamaccount.
> > > Could you send me the smbldap-useradd script to see what version you use?
> > > Some smbldap scripts do not add the sambasamaccount, because normally samba
> > > must add it (and it is this part which doesn't work).
> > > The last version seems to add the sambasamaccount attributes and the old
> > > version too.
> >
> > Ah! smbldap-useradd in 0.8.7 certainly does not seem to add the
> > sambasamaccount attributes. I just downloaded the latest 0.9.0 and that
> > doesn't seem to either. Not with -w, which as I understand it is the way
> > it should be used. -w just makes the posixaccount and expects samba to
> > do the rest...
> >
> > # MACHINE ACCOUNT
> > if (defined($Options{'w'}) or defined($Options{'i'})) {
> >
> >   #print "About to create machine $userName:\n";
> >
> >   if (!add_posix_machine($userName,$userUidNumber,$userGidNumber,$Options{'t'})) {
> >     die "$0: error while adding posix account\n";
> >   }
> >
> >   if (defined($Options{'i'})) {
> > ...
> > }
> >
> >   $ldap_master->unbind;
> >   exit 0;
> > }
> >
> > Should the add machine script set up the samba attributes? It seems a
> > bit mad. Surely samba should be finding that the user exists but doesn't
> > have the samba attributes and then it should modify the user? That's
> > what the code in my original post appears to be trying to do...
> >
> > John

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
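
An added example, not part of the original message or of smbldap-tools: a small Python audit over an LDIF export that separates machine entries left POSIX-only (the state the thread says `-w` produces) from those carrying the sambaSamAccount attributes listed in the quoted workaround. The LDIF sample, DNs and domain SID are constructed, and the reader assumes no base64-encoded values.

```python
import re
# Constructed sample LDIF (not from a real directory); DNs and SIDs are made up.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_LDIF = f"""\
dn: uid=ws01$,ou=Computers,dc=example,dc=org
objectClass: posixAccount

dn: uid=ws02$,ou=Computers,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
sambaAcctFlags: [W          ]
sambaSID: {DOMAIN_SID}-3004
sambaPrimaryGroupSID: {DOMAIN_SID}-515

dn: uid=ws03$,ou=Computers,dc=example,dc=org
objectClass: posixAccount
objectClass: sambaSamAccount
sambaAcctFlags: [U          ]
sambaSID: {DOMAIN_SID}-3006
sambaPrimaryGroupSID: {DOMAIN_SID}-513
"""

def parse_ldif(text):
    # Minimal LDIF reader: one dict per entry, attribute names lower-cased.
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in re.sub(r"\n ", "", block).splitlines():  # unfold continuation lines
            attr, sep, value = line.partition(": ")
            if sep and not line.startswith("#"):
                entry.setdefault(attr.lower(), []).append(value)
        if "dn" in entry:
            entries.append(entry)
    return entries

def audit_machine(entry):
    # Classify a machine entry by which side (POSIX tool or Samba) has written to it.
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "sambasamaccount" not in classes:
        return "posix-only" if "posixaccount" in classes else "no-posix"
    problems = []
    if "W" not in entry.get("sambaacctflags", [""])[0].strip("[]"):
        problems.append("sambaAcctFlags lacks W")
    if not entry.get("sambasid"):
        problems.append("missing sambaSID")
    if not entry.get("sambaprimarygroupsid", [""])[0].endswith("-515"):
        problems.append("primary group SID does not end in -515")
    return "complete" if not problems else "inconsistent: " + "; ".join(problems)

def audit(text):
    return {e["dn"][0]: audit_machine(e) for e in parse_ldif(text)}
```

Entries reported as `posix-only` are the ones Samba is still expected to complete when the machine joins; `inconsistent` entries carry the Samba object class but not the workstation-trust values shown in the quoted script.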

