Re: [Samba] SAMBA 3.0.0 PDC + LDAP - Adding Computer Account - Success!

John H Terpstra jht at samba.org
Wed Nov 19 01:55:01 GMT 2003


Patrick,

Thank you for this feedback. It is highly valuable when people report back
what works. This is an excellent report as it highlights what not to do
and what if done correctly does work.

Three cheers!


- John T.

On Tue, 18 Nov 2003, Patrick wrote:

> Hello All,
>
> I just wanted to let everyone know how I was finally able to store
> computer accounts in ldap with a different suffix than the users
> accounts.  The whole problem ended up being the smb.conf file.  After
> reading a message that Gerald Carter responded to about the ldap search
> suffix, I decided to go make some changes and do some testing.
> Originally I had the following in my config file:
>
> # The machine and user suffix added to the base suffix
> # wrote WITHOUT quotes.  NULL suffixes by default
> ldap user suffix = ou=People,dc=fireru,dc=net
> ldap group suffix = ou=Group,dc=firerun,dc=net
> ldap idmap suffix = ou=Idmap,dc=firerun,dc=net
> ldap machine suffix = ou=Computers,dc=firerun,dc=net
>
> # Specify the base DN to use when searching the directory
> ldap suffix = "dc=firerun,dc=net"
>
> As it turns out this is incorrect for the current state of samba 3.
> The ldap suffix should go first without quotes!  I thought it said in
> the Samba 3 HowTo to put quotes around the suffix; if it does, it is
> incorrect.  After making the changes to the config file and doing some
> testing I now have the following:
>
> # Specify the base DN to use when searching the directory
> ldap suffix = dc=firerun,dc=net
>
> # The machine and user suffix added to the base suffix
> # wrote WITHOUT quotes.  NULL suffixes by default
> ldap user suffix = ou=People
> ldap group suffix = ou=Group
> ldap idmap suffix = ou=Idmap
> ldap machine suffix = ou=Computers
>
> I can now use the add machine script to add a posixAccount object for
> the computer to the ou=Computers and then samba will add the
> sambaSamAccount attributes.  So bottom line is "ldap suffix" must appear
> before the other suffix options.  There should not be quotes around the
> suffix values.  The value of "ldap suffix" will be auto appended to the
> "ldap user suffix", "ldap machine suffix", etc.  To make sure the last
> comment is true just do testparm and you should see the whole suffix for
> each option.
>
> Also once the changes above were made I was able to move all current
> computer accounts to the ou=Computers and everything seems to be working
> fine.
>
> I do have to say that Samba is great.  Thank you to all the developers
> for your hard work!!!
>
> Patrick
>
> Patrick wrote:
>
> > Thanks, I did not notice the typo, but the funny thing is that it was
> > working with the typo.  I had an idea that using the people ou would
> > work, and I did some searching and found that someone else ran into the
> > same problem.  They used the same ou for user accounts and it worked.
> > So I tried it and everything seems to be working.  It looks like this is
> > a bug in samba 3.  Someone has already reported this as a bug so maybe
> > it will get fixed.
> >
> > Patrick
> >
> > Tarjei Bitustøyl wrote:
> >
> >> Hi,
> >>
> >> First, there's an error in the smb.conf: ldap user suffix has a typo.
> >>
> >> Second, I ran into a similar problem myself. No matter what I do, I
> >> cannot make a computer register in the LDAP *with ldap machine suffix
> >> different from ldap people suffix*.
> >>
> >> I have no idea why this is, but it's working with the people and machine
> >> suffix in the same dn.
> >>
> >> Regards
> >> Tarjei
> >>
> >> -----Original Message-----
> >> From: samba-bounces+astaroth=uses.nofw.org at lists.samba.org
> >> [mailto:samba-bounces+astaroth=uses.nofw.org at lists.samba.org] On Behalf
> >> Of critter at rmci.net
> >> Sent: 16 November 2003 21:58
> >> To: samba at samba.org
> >> Subject: [Samba] SAMBA 3.0.0 PDC + LDAP - Adding Computer Account
> >>
> >> Hello all,
> >>
> >> I'm having an issue with adding machine accounts to a Samba 3.0.0 PDC
> >> with an LDAP passwd db backend.  This is on a RedHat 9 with an rpm I
> >> compiled from the 3.0.0 release. I have configured samba to where it is
> >> using LDAP and able to add user accounts and group mappings to LDAP, but
> >> when I try to add a computer account using smbpasswd -a -m data it is not
> >> able to add the account.  I ran it with the debug option and here is what
> >> I get:
> >>
> >> (pts/2)[root at impact samba]# smbpasswd -a -m data -D 10
> >> Netbios name list:-
> >> my_netbios_names[0]="IMPACT"
> >> Trying to load: ldapsam:ldap://127.0.0.1
> >> Attempting to register passdb backend ldapsam
> >> Successfully added passdb backend 'ldapsam'
> >> Attempting to register passdb backend ldapsam_compat
> >> Successfully added passdb backend 'ldapsam_compat'
> >> Attempting to register passdb backend smbpasswd
> >> Successfully added passdb backend 'smbpasswd'
> >> Attempting to register passdb backend tdbsam
> >> Successfully added passdb backend 'tdbsam'
> >> Attempting to register passdb backend guest
> >> Successfully added passdb backend 'guest'
> >> Attempting to find an passdb backend to match ldapsam:ldap://127.0.0.1
> >> (ldapsam)
> >> Found pdb backend ldapsam
> >> Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MATRIX))]
> >> smbldap_search_suffix: searching
> >> for:[(&(objectClass=sambaDomain)(sambaDomainName=MATRIX))]
> >> smbldap_open_connection: ldap://127.0.0.1
> >> smbldap_open_connection: connection opened
> >> ldap_connect_system: Binding to ldap server ldap://127.0.0.1 as
> >> "cn=Samba
> >> Admin,ou=People,dc=firerun,dc=net"
> >> ldap_connect_system: succesful connection to the LDAP server
> >> The LDAP server is succesful connected
> >> pdb backend ldapsam:ldap://127.0.0.1 has a valid init
> >> Attempting to find an passdb backend to match guest (guest)
> >> Found pdb backend guest
> >> pdb backend guest has a valid init
> >> smbldap_search_suffix: searching
> >> for:[(&(uid=data$)(objectclass=sambaSamAccount))]
> >> ldapsam_getsampwnam: Unable to locate user [data$] count=0
> >> Finding user data$
> >> Trying _Get_Pwnam(), username as lowercase is data$
> >> Trying _Get_Pwnam(), username as uppercase is DATA$
> >> Checking combinations of 0 uppercase letters in data$
> >> Get_Pwnam_internals didn't find user [data$]!
> >> Failed initialise SAM_ACCOUNT for user data$.
> >> Failed to modify password entry for user data$
> >>
> >>
> >> My relevant smb.conf options are
> >>
> >> #====================== Password Database
> >>
> >> # Define the backend to use
> >> passdb backend = ldapsam:ldap://127.0.0.1
> >>
> >> # Define the DN that will be used to bind to the ldap directory
> >> # must have write access to lmPassword and ntPassword attributes
> >> # use smbpasswd -w secret to store password
> >> ldap admin dn = "cn=Samba Admin,ou=People,dc=firerun,dc=net"
> >>
> >> # Should ssl be used to connect to ldap server
> >> # (off, start tls, on) default = on
> >> ldap ssl = off
> >>
> >> # smbpasswd -x delete the entire dn-entry
> >> ldap delete dn = no
> >>
> >> # The machine and user suffix added to the base suffix
> >> # wrote WITHOUT quotes.  NULL suffixes by default
> >> ldap user suffix = ou=People,dc=fireru,dc=net
> >> ldap group suffix = ou=Group,dc=firerun,dc=net
> >> ldap idmap suffix = ou=Idmap,dc=firerun,dc=net
> >> ldap machine suffix = ou=Computers,dc=firerun,dc=net
> >>
> >> # Specify the base DN to use when searching the directory
> >> ldap suffix = "dc=firerun,dc=net"
> >>
> >> # Specify the search filter. Generally the default is okay
> >> # ldap filter = "(&(uid=%u)(objectclass=sambaAccount))"
> >>
> >> # Should ldap passwords be synced with nt passwords
> >> # (yes, no, only) default = no
> >> ldap passwd sync = no
> >>
> >> # Allow adding a computer account to ldap
> >> add machine script = /etc/samba/ldapaddcomp %m$
> >>
> >> #======================
> >>
> >> As for the user data$ it already exists in the directory as:
> >>
> >> # data$, Computers, firerun, net
> >> dn: uid=data$,ou=Computers,dc=firerun,dc=net
> >> uid: data$
> >> cn: Computer Account
> >> objectClass: account
> >> objectClass: posixAccount
> >> objectClass: top
> >> objectClass: shadowAccount
> >> uidNumber: 1007
> >> gidNumber: 1003
> >> homeDirectory: /dev/null
> >> gecos: Computer Account
> >> loginShell: /sbin/nologin
> >> description: Computer Account
> >> shadowLastChange: 12372
> >> shadowMin: 0
> >> shadowMax: 99999
> >> shadowWarning: 7
> >>
> >> when I do a getent passwd the computer account data$ shows up in the
> >> listing so by all accounts the account exists. As for LDAP ACL the Samba
> >> admin has write access to the Computer ou in the Directory so it should
> >> be able to update the information.  I did find out that in the ldap log
> >> it has:
> >>
> >> Nov 16 13:32:42 impact slapd[10664]: conn=9 op=1 SRCH
> >> base="ou=People,dc=firerun,dc=net" scope=1
> >> filter="(&(objectClass=posixAccount)(uid=DATA$))"
> >>
> >> So it appears that it might be searching the wrong ou for the account
> >> information.  Does anyone have any ideas what is happening or why I am
> >> unable to add machine accounts?
> >>
> >> Thank you in advance.
> >> Patrick Gunerud
> >>
> >>
> >>
> >>
> >
> >
>
>

-- 
John H Terpstra
Email: jht at samba.org
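The following Python script is an added illustration, not code from Samba or from anyone in this thread. It models the Samba 3.0.0 behaviour Patrick reports: "ldap suffix" is appended to "ldap user suffix", "ldap machine suffix" and the other relative options, so it has to be set before them and none of the values may be quoted. The script parses an smb.conf fragment, prints the DN each option would resolve to (the same thing Patrick verifies with testparm) and flags the mistakes the thread turns on. The first two embedded fragments are Patrick's original and corrected configurations (the dc=fireru typo is his); the third is a constructed case that goes beyond the thread, with the base set first but absolute DNs kept, so the base would be appended a second time. The appending model, the quoted-value check and the option list are assumptions drawn from the thread, not from Samba's source.

```python
"""Lint the LDAP suffix options of an smb.conf fragment.

Added illustration modelled on the Samba 3.0.0 behaviour described in this
thread; it is not Samba's own loadparm code. Assumed model: "ldap suffix" is
appended to each relative suffix option, so it must precede them, and values
must not be quoted.
"""
import re
from typing import Dict, List, Tuple

# The relative suffix options named in the thread (assumed to be the full set).
RELATIVE_OPTS = (
    "ldap user suffix",
    "ldap group suffix",
    "ldap idmap suffix",
    "ldap machine suffix",
)

# Patrick's original configuration, as posted (dc=fireru typo included).
ORIGINAL_CONF = """
# The machine and user suffix added to the base suffix
ldap user suffix = ou=People,dc=fireru,dc=net
ldap group suffix = ou=Group,dc=firerun,dc=net
ldap idmap suffix = ou=Idmap,dc=firerun,dc=net
ldap machine suffix = ou=Computers,dc=firerun,dc=net

# Specify the base DN to use when searching the directory
ldap suffix = "dc=firerun,dc=net"
"""

# Patrick's corrected configuration, as posted.
FIXED_CONF = """
# Specify the base DN to use when searching the directory
ldap suffix = dc=firerun,dc=net

# The machine and user suffix added to the base suffix
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
"""

# Constructed case (not from the thread): base first, but absolute DNs kept.
DOUBLED_CONF = """
ldap suffix = dc=firerun,dc=net
ldap user suffix = ou=People,dc=firerun,dc=net
ldap machine suffix = ou=Computers,dc=firerun,dc=net
"""


def parse_smb_conf(text: str) -> List[Tuple[str, str]]:
    """Return (parameter, value) pairs in file order.

    Comment lines (# or ;) and section headers are skipped. Parameter names
    are lower-cased with whitespace normalised; Samba itself ignores case and
    whitespace in parameter names.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;[" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        name = re.sub(r"\s+", " ", name.strip().lower())
        pairs.append((name, value.strip()))
    return pairs


def is_quoted(value: str) -> bool:
    """True if the value carries the quotes the thread says must be removed."""
    return value.startswith('"') or value.endswith('"')


def lint_ldap_suffixes(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Compute the DN each relative option resolves to and collect warnings.

    Warnings cover quoted values, "ldap suffix" placed after the relative
    options (nothing gets appended), and absolute DNs that would receive the
    base DN a second time.
    """
    base = None
    effective: Dict[str, str] = {}
    warnings: List[str] = []
    for name, value in parse_smb_conf(text):
        if name == "ldap suffix":
            if is_quoted(value):
                warnings.append("ldap suffix is quoted; remove the quotes")
            base = value
            continue
        if name not in RELATIVE_OPTS:
            continue
        if is_quoted(value):
            warnings.append(f"{name} is quoted; remove the quotes")
        if base is None:
            # Base not known yet: this is the ordering mistake in the original.
            warnings.append(
                f"{name} appears before ldap suffix; move ldap suffix above it")
            effective[name] = value
            continue
        if value.lower().endswith("," + base.lower()):
            warnings.append(
                f"{name} already ends in the base DN; it would be appended twice")
        effective[name] = f"{value},{base}"
    return effective, warnings


if __name__ == "__main__":
    for label, conf in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF),
                        ("doubled", DOUBLED_CONF)):
        dns, warns = lint_ldap_suffixes(conf)
        print(f"== {label} ==")
        for name, dn in dns.items():
            print(f"  {name:20s} -> {dn}")
        for w in warns:
            print(f"  WARNING: {w}")
```

Run it against a real smb.conf by passing the file contents to lint_ldap_suffixes; the authoritative check on a live system is still testparm, as Patrick notes, since it prints the suffixes exactly as Samba resolved them.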


