[Samba] posixAccount for Machines in LDAP?

kent at www.warehamportal.mec.edu kent at www.warehamportal.mec.edu
Wed Jul 14 13:25:06 GMT 2004


Hi Paul,
I'm getting a user not found after I made the changes. That's what I used
to get when I didn't add the machine account to /etc/passwd first.

The good news is that I removed a machine account from /etc/passwd and
added it to LDAP to the existing account that was created with smbpasswd
(added posixAccount and attributes). This worked fine. All of the
posixAccount information need only be in LDAP. I will migrate my existing
machine account info from /etc/passwd to their respective accounts in
LDAP. Just seems that smbldap_useradd.pl is not able to add the account
information to LDAP on the fly.

Just curious, do you have a working system that does just that, where if
you add a machine by joining it to the domain, smbldap_useradd.pl creates
the posixAccount and sambaSAMAccount in LDAP?

I'll continue to tinker with it. If you have any other suggestions, let me
know. I'm very close.

> Changes below:
>
> kent at www.warehamportal.mec.edu wrote:
>
>>Thanks for getting back to me, Paul.
>>Here's the domain controllers smb.conf
>>
>>
>>[global]
>>        workgroup = WarehamPS
>>	encrypt passwords = Yes
>>	time server = Yes
>>	socket options = TCP_NODELAY
>>	security = user
>>	logon script = whs1.bat
>>	writable = Yes
>>	dns proxy = no
>>	directory mask = 02770
>>	preferred master = yes
>>        netbios name = WHS1
>>        server string = RedHat 8.0 LDAP Server
>>        passdb backend = ldapsam
>>        ldap passwd sync = Yes
>>	machine password timeout = 604800
>>        passwd program = /usr/local/samba/bin/smbpasswd %u
>>       passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
>>*Retype\snew\sUnix\spassword:* %n\n
>>        log file = /var/log/samba.%m
>>        debug level = 2
>>        max log size = 50
>>        add user script = /usr/local/sbin/smbldap-useradd.pl %u
>>        delete user script = /usr/local/sbin/smbldap-useradd.pl %u
>>        add group script = /usr/local/sbin/smbldap-groupadd.pl
>>        delete group script = /usr/local/sbin/smbldap-groupdel.pl
>>        add machine script = /usr/sbin/useradd -c "Computer" -d /dev/null
>>-s /bin/false -g 502 -M %u; /usr/local/samba/bin/smbpasswd -a -m
>>%u
>>
>>
> Change these scripts to be like so:
>
> add user script = /usr/sbin/smbldap-useradd -a -m "%u"
> delete user script = /usr/sbin/smbldap-userdel "%u"
> add group script = /usr/sbin/smbldap-groupadd "%g"
> delete group script = /usr/sbin/smbldap-groupdel "%g"
> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
> set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
> add machine script = /usr/sbin/smbldap-useradd -w "%u"
>
> make sure the paths line up of course.  The quotes are important in case
> you get spaces in the parameters.
>
>>        logon script = whs1.bat
>>	logon path =
>>        logon drive = H:
>>	logon home =
>>        domain logons = Yes
>>        os level = 64
>>        domain master = Yes
>>        dns proxy = Yes
>>	admin users = @domain_admins
>>	wins support = Yes
>>	name resolve order = wins hosts bcast
>>        ldap suffix = dc=tow,dc=net
>>        ldap machine suffix = ou=Computers
>>
>>
> Make ldap machine suffix match ldap user suffix.  Known bug.
>
>>        ldap user suffix = ou=Users
>>        ldap group suffix = ou=Groups
>>        ldap admin dn = cn=admin,dc=tow,dc=net
>>        ldap ssl = no
>>
>>
> <shares defs deleted>
>
> Of course, make sure your smbldap config file matches the above LDAP dn
> information for users, computers.  Check back after trying it out.
>
> Paul
>
>>Kent
>>Wareham Public Schools
>>
>>
>>
>>>kent at www.warehamportal.mec.edu wrote:
>>>
>>>
>>>
>>>>Hello,
>>>>I have a question about machine accounts.
>>>>I'm using Samba 3.0, OpenLDAP 2.1.30 and Berkeley 4.2.52 on backend on
>>>>RedHat machines.
>>>>I also have 3 slave/BDC's and 1 master/PDC
>>>>
>>>>Right now all of my users and groups exist entirely in the LDAP
>>>>directory.
>>>>I have a few accounts in addition to the normal system accounts that are
>>>>used for emergency access. All authentication and group enumeration uses
>>>>PAM_LDAP with NSS_LDAP.
>>>>
>>>>My question is that when I have a machine join the domain, in the LDAP
>>>>directory an objectclass Account and sambaSAMAccount are created. I still
>>>>need to create a machine account in /etc/passwd for this to happen. Is
>>>>there anyone out there that is first creating a posixAccount with
>>>>appropriate attributes in LDAP then using the Samba/Windows to generate
>>>>the sambaSAMAccount object and attributes in LDAP also?
>>>>
>>>You shouldn't need anything in /etc/passwd.  Perhaps by posting an
>>>smb.conf you could be pointed in the right direction.
>>>
>>>>I was so happy to get all of the user/group stuff consolidated into the
>>>>directory. Now I see that this is a possibility also but I haven't tried
>>>>it.
>>>>
>>>>Kent N
>>>>Wareham Public Schools
>>>>
>>>--
>>>Paul Gienger                     Office:		701-281-1884
>>>Applied Engineering Inc.         Cell:			701-306-6254
>>>Information Systems Consultant   Fax:			701-281-1322
>>>URL: www.ae-solutions.com        mailto:pgienger at ae-solutions.com
>>>
>>
>
> --
> Paul Gienger                     Office:		701-281-1884
> Applied Engineering Inc.         Cell:			701-306-6254
> Information Systems Consultant   Fax:			701-281-1322
> URL: www.ae-solutions.com        mailto:pgienger at ae-solutions.com
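The "user not found" symptom above comes from Samba resolving the machine account through NSS (nss_ldap), so a sambaSamAccount entry with no posixAccount data is invisible to it. The following is an added example, not code from the thread or from smbldap-tools: a small audit over a constructed LDIF dump that flags machine trust accounts (uid ending in `$`) lacking the posixAccount objectClass or attributes, and entries that sit outside the `ldap user suffix` (the machine-suffix bug Paul mentions). `dc=tow,dc=net` and `ou=Users` are taken from the posted smb.conf; the sample entries and uidNumber/gidNumber values are constructed.

```python
import re

# Added example (not from the thread): audit an LDIF dump for machine trust
# accounts that Samba (passdb backend = ldapsam) cannot resolve via nss_ldap.
# Suffix values come from the posted smb.conf; sample data below is constructed.
REQUIRED_POSIX = ("uidNumber", "gidNumber", "homeDirectory", "loginShell")
USER_SUFFIX = "ou=Users,dc=tow,dc=net"   # ldap user suffix + ldap suffix

def parse_ldif(text):
    """Return a list of {attr: [values]}; folds continuation lines, no base64 support."""
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, val = line.partition(":")
            entry.setdefault(attr.strip(), []).append(val.strip())
        entries.append(entry)
    return entries

def audit_machine_accounts(ldif_text, user_suffix=USER_SUFFIX):
    """List (uid, problem) pairs for machine accounts (uid ending in '$')."""
    findings = []
    for e in parse_ldif(ldif_text):
        uid = e.get("uid", [""])[0]
        ocs = {v.lower() for v in e.get("objectClass", [])}   # LDAP names are case-insensitive
        if "sambasamaccount" not in ocs or not uid.endswith("$"):
            continue
        if "posixaccount" not in ocs:
            findings.append((uid, "missing objectClass posixAccount"))
        missing = [a for a in REQUIRED_POSIX if a not in e]
        if missing:
            findings.append((uid, "missing " + ", ".join(missing)))
        if not e["dn"][0].lower().endswith(user_suffix.lower()):
            findings.append((uid, "not under ldap user suffix"))
    return findings

# Constructed sample: ws01$ is complete; ws02$ has only what smbpasswd -a -m creates.
SAMPLE_LDIF = """\
dn: uid=ws01$,ou=Users,dc=tow,dc=net
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws01$
uidNumber: 1101
gidNumber: 502
homeDirectory: /dev/null
loginShell: /bin/false

dn: uid=ws02$,ou=Computers,dc=tow,dc=net
objectClass: sambaSamAccount
uid: ws02$
"""
```

Running `audit_machine_accounts(SAMPLE_LDIF)` reports three problems for `ws02$` and none for `ws01$`; the same function can be pointed at the output of `slapcat` or `ldapsearch -LLL` to confirm every joined machine has a complete posixAccount.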