[Samba] Re: RE pdb_ldap.c, ..., existing poxisaccount (possible solution)

Stéphane Purnelle stephane.purnelle at tiscali.be
Fri May 27 18:10:45 GMT 2005


Just a question,

In the Samba code, to know whether Samba must add a DN or modify a DN in the LDAP tree,
Samba calls the function ldap_count_entries, but how does ldap_count_entries work?
I ask this question because I found that the ldap filter parameter is
different from the howto.
I have something like ((uid=%u)(SambaSamAccount)), but if
ldap_count_entries uses this filter,
Samba never finds the entry with posix_account and of course tries to add a DN.

        num_result = ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);

        if (num_result > 1) {
                DEBUG (0, ("ldapsam_add_sam_account: More than one user with that uid exists: bailing out!\n"));
                free_attr_list( attr_list );
                ldap_msgfree(result);
                return NT_STATUS_UNSUCCESSFUL;
        }

        /* Check if we need to update an existing entry */
        if (num_result == 1) {
                char *tmp;
                ....
        }

Can someone confirm this possibility or not ...

spu at corman.be wrote:

>John,
>
>I appreciate your reaction, but could you explain this error ?
>
>[2005/05/27 16:19:10, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1479)
>  ldapsam_modify_entry: Failed to add user dn= uid=infobcer$,ou=machines,dc=corman,dc=be with: Already exists
>[2005/05/27 16:19:10, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1911)
>  ldapsam_add_sam_account: failed to modify/add user with uid = infobcer$ (dn = uid=infobcer$,ou=machines,dc=corman,dc=be)
>[2005/05/27 16:19:10, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2398)
>  could not add user/computer infobcer$ to passdb.  Check permissions?
>
>I use root for adding to my PDC, ldap version : 2.1.25
>
>thanks
>
>-----------------------------------
>Stéphane PURNELLE                         stephane.purnelle at corman.be
>Service Informatique       Corman S.A.           Tel : 00 32 087/342467
>
>samba-technical-bounces+stephane.purnelle=corman.be at lists.samba.org wrote
>on 26/05/2005 20:15:05:
>
>>Stéphane,
>>
>>The book "Samba-3 by Example" is being reprinted very soon. Up to date builds
>>of the PDF are available on the Samba web site daily. This document can be
>>downloaded from:
>>
>>   http://www.samba.org/samba/docs/Samba-Guide.pdf
>>
>>In chapter 5 I have fully documented how Samba-3 can be deployed with LDAP and
>>using the smbldap-tools. It works perfectly for me and in many sites that
>>have given me feedback that it works. Over the past two months I have
>>received and applied about 40 suggestions for improvement. Every report that
>>it does not work has been resolved, but given all of this I am 100% certain
>>that there are still bugs in there.
>>
>>I would greatly appreciate if you could test-drive this chapter and report
>>back any bugs or problems you come across.
>>
>>I will personally work with you to resolve any issues that you may find.
>>
>>Your claim below that there has been no reaction from the Samba Team is wrong.
>>A number of us have worked with Jerome Tournier, that has resulted in the
>>0.9.0 release of the smbldap-tools. We do not make a practice of ignoring our
>>users. I have been working on updating our documentation also as a result of
>>feedback and bug reports. You have never been ignored.
>>
>>The smbldap-tools should be configured to handle only the POSIX part of LDAP
>>based accounts. Samba should handle all the sambaSAM components.
>>
>>Please review chapter 5 and give me your feedback. I am anxious to fix any
>>problem you may have.
>>
>>Cheers,
>>John T.
>>
>>
>>On Thursday 26 May 2005 09:12, spu at corman.be wrote:
>>>Ok,
>>>
>>>I re-read the script and the sambasamaccount is only added with the -i option.
>>>My position is:
>>>      - I raised the problem in 2004 and filed a bug.  For some reason, there
>>>was no reaction from the Samba team on this problem.
>>>      - My solution is to modify the smbldap script to add the sambasamaccount
>>>and add a machine in two steps; it works (until today).
>>>
>>>Add these lines after the
>>>if (defined($Options{'i'})) {
>>>>...
>>>>}
>>>
>>> if (defined($Options{'w'})) {
>>>    # For machine account
>>>    # Objectclass sambaSAMAccount must be added now !
>>>
>>>    my $date=time;
>>>    my $modify = $ldap_master->modify ( "uid=$userName,$config{computersdn}",
>>>        changes => [
>>>            replace => [objectClass => ['inetOrgPerson', 'posixAccount', 'sambaSAMAccount']],
>>>            add => [sambaLogonTime => '0'],
>>>            add => [sambaLogoffTime => '2147483647'],
>>>            add => [sambaKickoffTime => '2147483647'],
>>>            add => [sambaPwdCanChange => '0'],
>>>            add => [sambaPwdMustChange => '2147483647'],
>>>            add => [sambaPwdLastSet => "$date"],
>>>            add => [sambaAcctFlags => '[W          ]'],
>>>            add => [sambaSID => "$user_sid"],
>>>            add => [sambaPrimaryGroupSID => "$config{SID}-515"]
>>>        ]
>>>    );
>>>
>>>    $modify->code && die "failed to add entry: ", $modify->error ;
>>>    }
>>>
>>>Ask me if there is a problem. I cannot add a machine today, but if you can
>>>test for me I would appreciate it.
>>>
>>>thanks
>>>
>>>
>>>      Stéphane Purnelle
>>>
>>>-----------------------------------
>>>Stéphane PURNELLE                         stephane.purnelle at corman.be
>>>Service Informatique       Corman S.A.           Tel : 00 32 087/342467
>>>
>>>samba-technical-bounces+stephane.purnelle=corman.be at lists.samba.org wrote
>>>on 26/05/2005 16:57:49:
>>>
>>>>spu at corman.be wrote:
>>>>>I forgot some details.
>>>>>The script adds the sambasamaccount.
>>>>>Could you send me the smbldap-useradd script so I can see what version you use?
>>>>>
>>>>>Some smbldap scripts do not add the sambasamaccount, because normally Samba
>>>>>must add it (and it is this part which doesn't work).
>>>>>The last version seems to add the sambasamaccount attributes, and the old
>>>>>version too.
>>>>
>>>>Ah! smbldap-useradd in 0.8.7 certainly does not seem to add the
>>>>sambasamaccount attributes. I just downloaded the latest 0.9.0 and that
>>>>doesn't seem to either. Not with -w, which as I understand it is the way
>>>>it should be used. -w just makes the posixaccount and expects samba to
>>>>do the rest...
>>>>
>>>># MACHINE ACCOUNT
>>>>if (defined($Options{'w'}) or defined($Options{'i'})) {
>>>>
>>>>  #print "About to create machine $userName:\n";
>>>>
>>>>  if (!add_posix_machine($userName,$userUidNumber,$userGidNumber,$Options{'t'})) {
>>>>    die "$0: error while adding posix account\n";
>>>>  }
>>>>
>>>>  if (defined($Options{'i'})) {
>>>>...
>>>>}
>>>>
>>>>  $ldap_master->unbind;
>>>>  exit 0;
>>>>}
>>>>
>>>>Should the add machine script set up the samba attributes? It seems a
>>>>bit mad. Surely samba should be finding that the user exists but doesn't
>>>>have the samba attributes and then it should modify the user? That's
>>>>what the code in my original post appears to be trying to do...
>>>>
>>>>John
>>>>
>>--
>>John H Terpstra
>>Samba-Team Member
>>Phone: +1 (650) 580-8668
>>
>>Author:
>>The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
>>Samba-3 by Example, ISBN: 0131472216
>>Hardening Linux, ISBN: 0072254971
>>Other books in production.
>


-- 
Stéphane Purnelle <stephane.purnelle at tiscali.be>
Site Web : http://www.linuxplusvalue.be
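
The situation asked about at the top of this message can be reproduced without a server. What follows is an added illustration, not part of the original post and not Samba's code: an in-memory model in which the entry named in the quoted log carries only the POSIX object classes. The filter strings and the names parse_filter, search and decide are assumptions made for the example.

```python
import re

# Constructed directory: the machine DN from the quoted log, holding only the
# POSIX classes (the state the thread says smbldap-useradd -w leaves behind).
DN = "uid=infobcer$,ou=machines,dc=corman,dc=be"
DIRECTORY = {
    DN: {"uid": ["infobcer$"], "objectClass": ["inetOrgPerson", "posixAccount"]},
}

def parse_filter(text):
    """Parse '(attr=value)' or '(&(a=b)(c=d))' into a list of (attr, value)."""
    text = text.strip()
    if text.startswith("(&") and text.endswith(")"):
        text = text[2:-1]
    terms = re.findall(r"\(([^=()]+)=([^()]*)\)", text)
    if not terms:
        raise ValueError("unsupported filter: %r" % text)
    return [(attr.strip(), value.strip()) for attr, value in terms]

def search(directory, filter_text):
    """Return the DNs whose attributes satisfy every term, ignoring case."""
    terms = parse_filter(filter_text)
    hits = []
    for dn, attrs in directory.items():
        lowered = {k.lower(): [v.lower() for v in vals] for k, vals in attrs.items()}
        if all(v.lower() in lowered.get(a.lower(), []) for a, v in terms):
            hits.append(dn)
    return hits

def decide(directory, filter_text, dn):
    """Model of the branch in the posted fragment: >1 bail out, 1 modify, 0 add."""
    count = len(search(directory, filter_text))
    if count > 1:
        return "bail out"
    if count == 1:
        return "modify"
    # No match means an LDAP add is attempted; the server refuses an existing DN.
    return "add fails: Already exists" if dn in directory else "add"

if __name__ == "__main__":
    # Assumed filters: one requiring the Samba class, one matching on uid only.
    for flt in ("(&(uid=infobcer$)(objectClass=sambaSamAccount))", "(uid=infobcer$)"):
        print(flt, "->", len(search(DIRECTORY, flt)), "entries,", decide(DIRECTORY, flt, DN))
```

With the object-class term in the filter the search counts zero entries even though the DN exists, which is consistent with the "Already exists" error in the quoted log.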



More information about the samba-technical mailing list