[Samba] Using People for Machine accounts

John H Terpstra jht at samba.org
Tue Jan 13 22:52:04 GMT 2004


Curtis,

Do not set the UID of Administrator to 0; it will break winbind use.
Instead, use the account root in LDAP, set UID=0, GID=0, RID=500.

With these settings winbind should be happy.

Also, add the '-a' option where appropriate, so you create in LDAP both
Posix and SambaSamAccounts. You must create both entries in one operation.

- John T.

On Tue, 13 Jan 2004, Curtis Grote wrote:

> Using Samba 3.0.2pre1 under SuSE 8.2.
>
> I have seen several references now in this list noting that the browse
>  for machine accounts in Samba 3 is broken, and 'People' should be used
>  instead. I changed smb.conf to 'ldap machine suffix = ou=People' and I
> changed smbldap_conf.pm to '$computersou=(People)'. I then cleared ldap,
> ran smbldap-populate.pl, and changed the uid of 'Administrator' to 0. When
> I try to add a machine account (with 'Administrator') from Windows NT or
> Windows 2000 I can see in /var/log/messages that the machine account was
> added successfully with an ou=People. After the add there are lookups for
> the machine account and then another add is attempted which fails with a
> duplicate:
>
> slapd[30427]: conn=32 fd=30 ACCEPT from IP=127.0.0.1:40399 (IP=:: 389)
> slapd[30429]: conn=32 op=0 BIND dn="cn=admin,dc=pmmc,dc=com" method=128
> slapd[30429]: conn=32 op=0 AUTHZ dn="cn=admin,dc=pmmc,dc=com" mech=simple ssf=0
> slapd[30429]: conn=32 op=0 RESULT tag=97 err=0 text=
> slapd[30427]: conn=33 fd=31 ACCEPT from IP=127.0.0.1:40400 (IP=:: 389)
> slapd[30560]: conn=33 op=0 BIND dn="cn=admin,dc=pmmc,dc=com" method=128
> slapd[30560]: conn=33 op=0 AUTHZ dn="cn=admin,dc=pmmc,dc=com" mech=simple ssf=0
> slapd[30560]: conn=33 op=0 RESULT tag=97 err=0 text=
>
> slapd[30429]: conn=33 op=1 ADD dn="uid=silver$,ou=People,dc=pmmc,dc=com"
>
> slapd[30429]: conn=33 op=1 RESULT tag=105 err=0 text=
> slapd[30560]: conn=33 op=2 UNBIND
> slapd[30560]: conn=33 fd=31 closed
> slapd[30427]: conn=32 fd=30 closed
> slapd[30427]: conn=28 fd=29 closed
> slapd[30429]: conn=27 op=8 SRCH base="ou=People,dc=pmmc,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=silver$))"
> slapd[30429]: conn=27 op=8 SEARCH RESULT tag=101 err=0 nentries=1 text=
> slapd[30560]: conn=26 op=5 SRCH base="ou=Groups,dc=pmmc,dc=com" scope=2 filter="(&(objectClass=sambaGroupMapping)(gidNumber=553))"
> slapd[30560]: conn=26 op=5 SEARCH RESULT tag=101 err=0 nentries=1 text=
> slapd[30429]: conn=26 op=6 SRCH base="dc=pmmc,dc=com" scope=2 filter="(&(&(uid=silver$)(objectClass=sambaSamAccount))(objectClass=sambaSamAccount))"
> slapd[30429]: conn=26 op=6 SEARCH RESULT tag=101 err=0 nentries=0 text=
> slapd[30560]: conn=26 op=7 SRCH base="dc=pmmc,dc=com" scope=2 filter="(&(sambaSID=S-1-5-21-2297334754-555254534-3983410276-3000)(objectClass=sambaSamAccount))"
> slapd[30560]: conn=26 op=7 SEARCH RESULT tag=101 err=0 nentries=0 text=
> slapd[30429]: conn=26 op=8 SRCH base="dc=pmmc,dc=com" scope=2 filter="(&(uid=silver$)(objectClass=sambaSamAccount))"
> slapd[30429]: conn=26 op=8 SEARCH RESULT tag=101 err=0 nentries=0 text=
> slapd[30560]: conn=26 op=9 SRCH base="dc=pmmc,dc=com" scope=2 filter="(&(sambaSID=S-1-5-21-2297334754-555254534-3983410276-3000)(|(objectClass=sambaIdmapEntry)(objectClass=sambaSidEntry)))"
> slapd[30560]: conn=26 op=9 SEARCH RESULT tag=101 err=0 nentries=0 text=
>
> slapd[30429]: conn=26 op=10 ADD dn="uid=silver$,ou=People,dc=pmmc,dc=com"
>
> slapd[30429]: conn=26 op=10 RESULT tag=105 err=68 text=
> slapd[30560]: conn=26 op=11 SRCH base="dc=pmmc,dc=com" scope=2 filter="(&(&(uid=SILVER$)(objectClass=sambaSamAccount))(objectClass=sambaSamAccount))"
> slapd[30560]: conn=26 op=11 SEARCH RESULT tag=101 err=0 nentries=0 text=
> slapd[30429]: conn=26 op=12 SRCH base="ou=Groups,dc=pmmc,dc=com" scope=2 filter="(&(objectClass=sambaGroupMapping)(|(displayName=SILVER$)(cn=SILVER$)))"
> slapd[30429]: conn=26 op=12 SEARCH RESULT tag=101 err=0 nentries=0 text=
> slapd[30560]: conn=27 op=9 SRCH base="ou=Groups,dc=pmmc,dc=com" scope=2 filter="(&(objectClass=posixGroup)(cn=SILVER$))"
> slapd[30560]: conn=27 op=9 SEARCH RESULT tag=101 err=0 nentries=0 text=
> slapd[30427]: conn=26 fd=26 closed
>
> If I use an account of 'Administrator' (on the NT machine) when I try to
> add a machine account an error returns 'The machine account for this
> computer either does not exist or is inaccessible', even though the
> machine is added to LDAP (posix entry only). If I manually create a user
> account using 'smbldap-useradd.pl -a machineadd', then change the uid to 0
> (and gidNumber to 0 or 512), then use this account on the NT side to add a
> machine account, the same error is displayed, but the machine account is
> NOT added to LDAP. Other posts have indicated the smbldap-useradd adds the
> machine posix account and samba adds the samba entries when the domain is
> joined.  I am assuming then that the second 'add' is samba trying to add
> the samba entries to LDAP, but it fails with a duplicate entry. Here are
> some pertinent smb.conf entries:
>
> ldap suffix = dc=pmmc,dc=com
> ldap user suffix = ou=People
> ldap group suffix = ou=Groups
> ldap machine suffix = ou=People
> ldap filter = "(&(uid=%u)(objectclass=sambaSamAccount))"
>
> add user script = /home/sambaldap/smbldap-useradd.pl -a -F \\%L\profiles\%u %u
> delete user script = /home/sambaldap/smbldap-userdel.pl '%u'
> add group script = /home/sambaldap/smbldap-groupadd.pl '%g'
> delete group script = /home/sambaldap/smbldap-groupdel.pl '%g'
> add user to group script = /home/sambaldap/smbldap-groupmod.pl -m '%u' '%g'
> delete user from group script = /home/sambaldap/smbldap-groupmod.pl -x '%u' '%g'
> set primary group script = /home/sambaldap/smbldap-usermod.pl -g '%g' '%u'
> add machine script = /home/sambaldap/smbldap-useradd.pl -a -w -d /dev/null -c 'Machine Account' -s /bin/false %m
>
> Any help would be greatly appreciated.
>
> Curtis Grote
> Memorial Hospital
>
>

-- 
John H Terpstra
Email: jht at samba.org
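An added diagnostic example, not part of the thread: a small Python script that walks slapd log lines in the format Curtis quoted and flags a machine account (uid ending in '$') whose ADD succeeded once and was then ADDed again with err=68 (LDAP entryAlreadyExists), which is the duplicate-add symptom described above. The log lines are constructed for the example, with placeholder PIDs, connection numbers and domain.

```python
import re

# Constructed sample log, modelled on the slapd lines quoted in the post above.
# PIDs, connection/op numbers and the dc=example,dc=com suffix are placeholders.
SAMPLE_LOG = """\
slapd[1001]: conn=33 op=1 ADD dn="uid=silver$,ou=People,dc=example,dc=com"
slapd[1001]: conn=33 op=1 RESULT tag=105 err=0 text=
slapd[1001]: conn=26 op=8 SRCH base="dc=example,dc=com" scope=2 filter="(&(uid=silver$)(objectClass=sambaSamAccount))"
slapd[1001]: conn=26 op=8 SEARCH RESULT tag=101 err=0 nentries=0 text=
slapd[1001]: conn=26 op=10 ADD dn="uid=silver$,ou=People,dc=example,dc=com"
slapd[1001]: conn=26 op=10 RESULT tag=105 err=68 text=
slapd[1001]: conn=40 op=2 ADD dn="uid=jdoe,ou=People,dc=example,dc=com"
slapd[1001]: conn=40 op=2 RESULT tag=105 err=0 text=
"""

# Only plain ADD and its RESULT are matched; "SEARCH RESULT" lines do not match.
OP_RE = re.compile(r'conn=(\d+) op=(\d+) (ADD|RESULT) (.*)')
DN_RE = re.compile(r'dn="([^"]+)"')
ERR_RE = re.compile(r'err=(\d+)')
ENTRY_ALREADY_EXISTS = 68  # LDAP resultCode entryAlreadyExists


def find_duplicate_machine_adds(log_text):
    """Return a list of (dn, first_add_key, failed_add_key) for machine
    accounts that were ADDed successfully and then ADDed again with err=68.
    Keys are (conn, op) tuples so the two requests can be told apart."""
    pending = {}    # (conn, op) -> dn of an ADD still waiting for its RESULT
    first_add = {}  # dn -> (conn, op) of the first successful ADD
    findings = []
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        conn, op, kind, rest = m.groups()
        key = (conn, op)
        if kind == 'ADD':
            pending[key] = DN_RE.search(rest).group(1)
        elif kind == 'RESULT' and key in pending:
            dn = pending.pop(key)
            err = int(ERR_RE.search(rest).group(1))
            rdn_value = dn.split(',', 1)[0].split('=', 1)[1]
            if not rdn_value.endswith('$'):
                continue  # not a machine (trust) account; ignore
            if err == 0:
                first_add.setdefault(dn, key)
            elif err == ENTRY_ALREADY_EXISTS and dn in first_add:
                findings.append((dn, first_add[dn], key))
    return findings


if __name__ == '__main__':
    for dn, first, dup in find_duplicate_machine_adds(SAMPLE_LOG):
        print(f"{dn}: first ADD conn={first[0]} op={first[1]}, "
              f"duplicate ADD conn={dup[0]} op={dup[1]} (err=68)")
```

A hit means the add machine script created the entry and Samba then tried to add it as a brand new object rather than finding the existing one; that is the case the '-a' advice above addresses.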