[Samba] Re: Can't add Machine account ( LDAP ) ... (solved)

Buchan Milne bgmilne at cae.co.za
Wed Jan 22 19:12:01 GMT 2003


> Message: 1
> Date: Tue, 21 Jan 2003 19:08:07 +0200
> From: "C.Lee Taylor" <leet at leenx.co.za>
> Organization: LeeNX
> To: samba at lists.samba.org
> Subject: [Samba] Re: Can't add Machine account ( LDAP ) ...
> 
>      Just got bitten in the ass by not being able to join the domain with
> 2.2.7a
> 
>      Correct me if I am wrong, Jerry did give me a quick explanation.  It
> has to do with usernames and what allowable characters in it for security.
> 

It was basically dismissing the weird entry as a security mechanism in
the logging/DEBUG code, it shouldn't have affected the script.

>      Now, I need to fix this, does anybody have a patch/fix or tell me where
> to look in the source to try and fix this.
>      Finally was able to find the freaking message ... but I think that 
> this might be something else ...
> 

OK, I am looking at this now ...

Hmmm, after a bit of debugging work, I found that I could not join as a
domain admin, but could join as root, and that was due to wrong perms on
the smbldap-tools, essentially a non-root domain admin did not have
permission to run the 'add user script' (due to a new setup where we
hadn't fixed the perms).

It seems to work now ...

> 
>      I really need domain joining, or at least a work around for it ... 
> Please help me!!!


If you have the smbldap tools setup, then you should be able to
pre-create machine accounts. On Mandrake, we have them in
/usr/share/samba/scripts, so I would run something like this:

# /usr/share/samba/scripts/smbldap-useradd.pl -w -c "Samba Machine Account" -s /bin/false -d /dev/null -g machines machine$

(the equivalent of the script you would have as a 'add user script' in
smb.conf, just replacing the macros).

Then you should be able to join with any domain admin account.

Now, if the user you are going to join as can run the script (requires
rx perms on the scripts):
[root@hercules bgmilne]# ll /usr/share/samba/scripts/
total 112
-rwx------    1 root     domadm       1720 Jan 14 02:29 export_smbpasswd.pl*
-rwx------    1 root     domadm       3498 Jan 14 02:29 import_smbpasswd.pl*
-rwxr-xr-x    1 root     domadm       1703 Jan 14 02:29 print-pdf*
lrwxrwxrwx    1 root     domadm         26 Jan 17 16:24 smbldap_conf.pm -> /etc/samba/smbldap_conf.pm
-rwxr-x---    1 root     domadm       2389 Jan 14 02:29 smbldap-groupadd.pl*
-rwxr-x---    1 root     domadm       2369 Jan 14 02:29 smbldap-groupdel.pl*
-rwxr-x---    1 root     domadm       5362 Jan 14 02:29 smbldap-groupmod.pl*
-rwxr-x---    1 root     domadm       1821 Jan 14 02:29 smbldap-groupshow.pl*
-rwxr-x---    1 root     domadm       6923 Jan 14 02:29 smbldap-migrate-accounts.pl*
-rwxr-x---    1 root     domadm       4874 Jan 14 02:29 smbldap-migrate-groups.pl*
-rwxr-x---    1 root     domadm       4994 Jan 14 02:29 smbldap-passwd.pl*
-rwxr-x---    1 root     domadm       7147 Jan 14 02:29 smbldap-populate.pl*
-rw-r--r--    1 root     domadm      11685 Jan 14 02:29 smbldap_tools.pm
-rwxr-x---    1 root     domadm      13439 Jan 14 02:29 smbldap-useradd.pl*
-rwxr-x---    1 root     domadm       2913 Jan 14 02:29 smbldap-userdel.pl*
-rwxr-x---    1 root     domadm      10697 Jan 14 02:29 smbldap-usermod.pl*
-rwxr-x---    1 root     domadm       1762 Jan 14 02:29 smbldap-usershow.pl*


And something like this on the config file:
[root@hercules bgmilne]# ll /etc/samba/smbldap_conf.pm
-rw-r-----    1 root     domadm       6947 Jan 17 22:02 /etc/samba/smbldap_conf.pm


Then any member of domadm (assuming @domadm is in the 'domain admin
users' list in smb.conf) should be able to join a machine.

OK, this means I just need to verify some issues (like testing password
changes on referrals, which I may be able to do tomorrow or Friday) and
we will have new samba packages for Mandrake ... hopefully by the
weekend at the latest.

If anyone has a setup to test large file support (smbtar, smbclient,
files > 4GB) on Mandrake 8.0, 8.2 or 9.0, please contact me and I will
get you a set of RPMs that have the two fixes applied.

FYI:
[root@hercules bgmilne]# rpm -q samba-server-ldap
samba-server-ldap-2.2.7a-3mdk

Sorry for the false alarm Jerry ...

Buchan

-- 
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work            +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7
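
The permission layout described in the message above can be checked mechanically. The script below is an added example, not part of the original post or of smbldap-tools: it flags any smbldap-*.pl script or config file whose owner, group or mode differs from the listing (group r-x on scripts, group r-- on the config, nothing for others). The function names check_mode and audit_smbldap are hypothetical, and GNU stat (Linux) is assumed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU stat (Linux).
# Compares smbldap-tools permissions with the layout shown in the listing:
# owner root, group domadm, scripts r-x for the group, config r-- for the
# group, no group write and no access for others.

# check_mode PATH OWNER GROUP NEED
# NEED is the octal group bits required (050 for scripts, 040 for config).
# Prints one line per finding; returns 0 when PATH matches, 1 otherwise.
check_mode() {
    cm_path=$1; cm_owner=$2; cm_group=$3; cm_need=$(($4)); cm_rc=0
    cm_stat=$(stat -L -c '%U %G %a' "$cm_path") || return 1
    set -- $cm_stat                 # $1=owner $2=group $3=octal mode
    cm_mode=$((0$3))
    [ "$1" = "$cm_owner" ] ||
        { echo "$cm_path: owner $1, expected $cm_owner"; cm_rc=1; }
    [ "$2" = "$cm_group" ] ||
        { echo "$cm_path: group $2, expected $cm_group"; cm_rc=1; }
    # Missing group r-x on the script is the failure from the post: a
    # non-root domain admin cannot run the 'add user script'.
    [ $((cm_mode & cm_need)) -eq "$cm_need" ] ||
        { echo "$cm_path: group lacks required bits (mode $3)"; cm_rc=1; }
    [ $((cm_mode & 027)) -eq 0 ] ||
        { echo "$cm_path: group-writable or open to others (mode $3)"; cm_rc=1; }
    return $cm_rc
}

# audit_smbldap DIR CONF OWNER GROUP
# Checks every smbldap-*.pl in DIR plus CONF; returns 0 only if all match.
audit_smbldap() {
    au_rc=0
    for au_f in "$1"/smbldap-*.pl; do
        [ -e "$au_f" ] || { echo "$1: no smbldap-*.pl scripts found"; return 1; }
        check_mode "$au_f" "$3" "$4" 050 || au_rc=1
    done
    check_mode "$2" "$3" "$4" 040 || au_rc=1
    return $au_rc
}

# With the paths and names from the post:
# audit_smbldap /usr/share/samba/scripts /etc/samba/smbldap_conf.pm root domadm
```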



