[Samba] posixAccount for Machines in LDAP?

kent at www.warehamportal.mec.edu kent at www.warehamportal.mec.edu
Tue Jul 13 22:12:11 GMT 2004


Thanks, I'll give this a try tomorrow and let you know how things go. I
really appreciate your help. This is the last major hurdle that I can see.

Kent N

> Changes below:
>
> kent at www.warehamportal.mec.edu wrote:
>
>>Thanks for getting back to me, Paul.
>>Here's the domain controllers smb.conf
>>
>>
>>[global]
>>        workgroup = WarehamPS
>>	encrypt passwords = Yes
>>	time server = Yes
>>	socket options = TCP_NODELAY
>>	security = user
>>	logon script = whs1.bat
>>	writable = Yes
>>	dns proxy = no
>>	directory mask = 02770
>>	preferred master = yes
>>        netbios name = WHS1
>>        server string = RedHat 8.0 LDAP Server
>>        passdb backend = ldapsam
>>        ldap passwd sync = Yes
>>	machine password timeout = 604800
>>        passwd program = /usr/local/samba/bin/smbpasswd %u
>>        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
>>        log file = /var/log/samba.%m
>>        debug level = 2
>>        max log size = 50
>>        add user script = /usr/local/sbin/smbldap-useradd.pl %u
>>        delete user script = /usr/local/sbin/smbldap-useradd.pl %u
>>        add group script = /usr/local/sbin/smbldap-groupadd.pl
>>        delete group script = /usr/local/sbin/smbldap-groupdel.pl
>>        add machine script = /usr/sbin/useradd -c "Computer" -d /dev/null -s /bin/false -g 502 -M %u; /usr/local/samba/bin/smbpasswd -a -m %u
>>
>>
> Change these scripts to be like so:
>
> add user script = /usr/sbin/smbldap-useradd -a -m "%u"
> delete user script = /usr/sbin/smbldap-userdel "%u"
> add group script = /usr/sbin/smbldap-groupadd "%g"
> delete group script = /usr/sbin/smbldap-groupdel "%g"
> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
> set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
> add machine script = /usr/sbin/smbldap-useradd -w "%u"
>
> Make sure the paths line up, of course.  The quotes are important in case
> you get spaces in the parameters.
>
>>        logon script = whs1.bat
>>	logon path =
>>        logon drive = H:
>>	logon home =
>>        domain logons = Yes
>>        os level = 64
>>        domain master = Yes
>>        dns proxy = Yes
>>	admin users = @domain_admins
>>	wins support = Yes
>>	name resolve order = wins hosts bcast
>>        ldap suffix = dc=tow,dc=net
>>        ldap machine suffix = ou=Computers
>>
>>
> Make ldap machine suffix match ldap user suffix.  Known bug.
>
>>        ldap user suffix = ou=Users
>>        ldap group suffix = ou=Groups
>>        ldap admin dn = cn=admin,dc=tow,dc=net
>>        ldap ssl = no
>>
>>
> <shares defs deleted>
>
> Of course, make sure your smbldap config file matches the above LDAP dn
> information for users, computers.  Check back after trying it out.
>
> Paul
>
>>Kent
>>Wareham Public Schools
>>
>>
>>
>>>kent at www.warehamportal.mec.edu wrote:
>>>
>>>
>>>
>>>>Hello,
>>>>I have a question about machine accounts.
>>>>I'm using Samba 3.0, OpenLDAP 2.1.30 and Berkeley 4.2.52 on the backend on
>>>>RedHat machines.
>>>>I also have 3 slave/BDCs and 1 master/PDC.
>>>>
>>>>Right now all of my users and groups exist entirely in the LDAP
>>>>directory.
>>>>I have a few accounts in addition to the normal system accounts that are
>>>>used for emergency access. All authentication and group enumeration uses
>>>>PAM_LDAP with NSS_LDAP.
>>>>
>>>>My question is that when I have a machine join the domain, in the LDAP
>>>>directory an objectclass Account and sambaSAMAccount are created. I still
>>>>need to create a machine account in /etc/passwd for this to happen. Is
>>>>there anyone out there that is first creating a posixAccount with
>>>>appropriate attributes in LDAP then using the Samba/Windows to generate
>>>>the sambaSAMAccount object and attributes in LDAP also?
>>>>
>>>>
>>>>
>>>>
>>>You shouldn't need anything in /etc/passwd.  Perhaps by posting an
>>>smb.conf you could be pointed in the right direction.
>>>
>>>
>>>
>>>>I was so happy to get all of the user/group stuff consolidated into the
>>>>directory. Now I see that this is a possibility also but I haven't tried
>>>>it.
>>>>
>>>>Kent N
>>>>Wareham Public Schools
>>>>
>>>>
>>>>
>>>>
>>>>
>>>--
>>>Paul Gienger                     Office:		701-281-1884
>>>Applied Engineering Inc.         Cell:			701-306-6254
>>>Information Systems Consultant   Fax:			701-281-1322
>>>URL: www.ae-solutions.com        mailto:pgienger at ae-solutions.com
>
> --
> Paul Gienger                     Office:		701-281-1884
> Applied Engineering Inc.         Cell:			701-306-6254
> Information Systems Consultant   Fax:			701-281-1322
> URL: www.ae-solutions.com        mailto:pgienger at ae-solutions.com