[Samba] Using People for Machine accounts

Curtis Grote cgrote at memhosp.com
Tue Jan 13 20:40:30 GMT 2004


Using Samba 3.0.2pre1 under SuSE 8.2.

I have seen several references now in this list noting that the browse
 for machine accounts in Samba 3 is broken, and 'People' should be used
instead. I changed smb.conf to 'ldap machine suffix = ou=People' and I
changed smbldap_conf.pm to '$computersou=(People)'. I then cleared LDAP,
ran smbldap-populate.pl, and changed the uid of 'Administrator' to 0. When
I try to add a machine account (with 'Administrator') from Windows NT or
Windows 2000 I can see in /var/log/messages that the machine account was
added successfully with an ou=People. After the add there are lookups for
the machine account and then another add is attempted which fails with a
duplicate:

slapd[30427]: conn=32 fd=30 ACCEPT from IP=127.0.0.1:40399 (IP=:: 389)
slapd[30429]: conn=32 op=0 BIND dn="cn=admin,dc=pmmc,dc=com" method=128
slapd[30429]: conn=32 op=0 AUTHZ dn="cn=admin,dc=pmmc,dc=com" mech=simple ssf=0
slapd[30429]: conn=32 op=0 RESULT tag=97 err=0 text=
slapd[30427]: conn=33 fd=31 ACCEPT from IP=127.0.0.1:40400 (IP=:: 389)
slapd[30560]: conn=33 op=0 BIND dn="cn=admin,dc=pmmc,dc=com" method=128
slapd[30560]: conn=33 op=0 AUTHZ dn="cn=admin,dc=pmmc,dc=com" mech=simple ssf=0
slapd[30560]: conn=33 op=0 RESULT tag=97 err=0 text=

slapd[30429]: conn=33 op=1 ADD dn="uid=silver$,ou=People,dc=pmmc,dc=com"

slapd[30429]: conn=33 op=1 RESULT tag=105 err=0 text=
slapd[30560]: conn=33 op=2 UNBIND
slapd[30560]: conn=33 fd=31 closed
slapd[30427]: conn=32 fd=30 closed
slapd[30427]: conn=28 fd=29 closed
slapd[30429]: conn=27 op=8 SRCH base="ou=People,dc=pmmc,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=silver$))"
slapd[30429]: conn=27 op=8 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[30560]: conn=26 op=5 SRCH base="ou=Groups,dc=pmmc,dc=com" scope=2 filter="(&(objectClass=sambaGroupMapping)(gidNumber=553))"
slapd[30560]: conn=26 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
slapd[30429]: conn=26 op=6 SRCH base="dc=pmmc,dc=com" scope=2 filter="(&(&(uid=silver$)(objectClass=sambaSamAccount))(objectClass=sambaSamAccount))"
slapd[30429]: conn=26 op=6 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[30560]: conn=26 op=7 SRCH base="dc=pmmc,dc=com" scope=2 filter="(&(sambaSID=S-1-5-21-2297334754-555254534-3983410276-3000)(objectClass=sambaSamAccount))"
slapd[30560]: conn=26 op=7 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[30429]: conn=26 op=8 SRCH base="dc=pmmc,dc=com" scope=2 filter="(&(uid=silver$)(objectClass=sambaSamAccount))"
slapd[30429]: conn=26 op=8 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[30560]: conn=26 op=9 SRCH base="dc=pmmc,dc=com" scope=2 filter="(&(sambaSID=S-1-5-21-2297334754-555254534-3983410276-3000)(|(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))"
slapd[30560]: conn=26 op=9 SEARCH RESULT tag=101 err=0 nentries=0 text=

slapd[30429]: conn=26 op=10 ADD dn="uid=silver$,ou=People,dc=pmmc,dc=com"

slapd[30429]: conn=26 op=10 RESULT tag=105 err=68 text=
slapd[30560]: conn=26 op=11 SRCH base="dc=pmmc,dc=com" scope=2 filter="(&(&(uid=SILVER$)(objectClass=sambaSamAccount))(objectClass=sambaSamAccount))"
slapd[30560]: conn=26 op=11 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[30429]: conn=26 op=12 SRCH base="ou=Groups,dc=pmmc,dc=com" scope=2 filter="(&(objectClass=sambaGroupMapping)(|(displayName=SILVER$)(cn=SILVER$)))"
slapd[30429]: conn=26 op=12 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[30560]: conn=27 op=9 SRCH base="ou=Groups,dc=pmmc,dc=com" scope=2 filter="(&(objectClass=posixGroup)(cn=SILVER$))"
slapd[30560]: conn=27 op=9 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[30427]: conn=26 fd=26 closed

If I use an account of 'Administrator' (on the NT machine) when I try to
add a machine account an error returns 'The machine account for this
computer either does not exist or is inaccessible', even though the
machine is added to LDAP (posix entry only). If I manually create a user
account using 'smbldap-useradd.pl -a machineadd', then change the uid to 0
(and gidNumber to 0 or 512), then use this account on the NT side to add a
machine account, the same error is displayed, but the machine account is
NOT added to LDAP. Other posts have indicated the smbldap-useradd adds the
machine posix account and samba adds the samba entries when the domain is
joined.  I am assuming then that the second 'add' is samba trying to add
the samba entries to LDAP, but it fails with a duplicate entry. Here are
some pertinent smb.conf entries:

ldap suffix = dc=pmmc,dc=com
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap machine suffix = ou=People
ldap filter = "(&(uid=%u)(objectclass=sambaSamAccount))"

add user script = /home/sambaldap/smbldap-useradd.pl -a -F \\%L\profiles\%u %u
delete user script = /home/sambaldap/smbldap-userdel.pl '%u'
add group script = /home/sambaldap/smbldap-groupadd.pl '%g'
delete group script = /home/sambaldap/smbldap-groupdel.pl '%g'
add user to group script = /home/sambaldap/smbldap-groupmod.pl -m '%u' '%g'
delete user from group script = /home/sambaldap/smbldap-groupmod.pl -x '%u' '%g'
set primary group script = /home/sambaldap/smbldap-usermod.pl -g '%g' '%u'
add machine script = /home/sambaldap/smbldap-useradd.pl -a -w -d /dev/null -c 'Machine Account' -s /bin/false %m

Any help would be greatly appreciated.

Curtis Grote
Memorial Hospital
