[Samba] posixAccount for Machines in LDAP?
Paul Gienger
pgienger at ae-solutions.com
Wed Jul 14 13:34:12 GMT 2004
kent at www.warehamportal.mec.edu wrote:
>Hi Paul,
>I'm getting a user not found after I made the changes. That's what I used
>to get when I didn't add the machine account to /etc/passwd first.
>
Ok, so now the question is this, when you try to join, are you giving it
the root user or root equivalent (uid=0) account? Is it making the
posix account but not modifying it with sambaSAM information? You are
sure that everything is using ou=People (or whatever users container
you're using)?
>Just curious, do you have a working system that does just that, where if
>you add a machine by joining it to the domain, smbldap_useradd.pl creates
>the posixAccount and sambaSAMAccount in LDAP?
>
I *did* when I was migration testing for samba3 but now my test box has
been scrapped for a Sun trade in. I need to rebuild it before I go live
with S3 (still on 2.2.8 here sadly) so I'll be building entirely from
scratch again, hopefully this week if other projects get taken care of.
I've done a pile of testing in my setup to get it to work with our
remote LDAP master and local and/or distributed DC boxes. There were
some timing issues there if replication didn't happen quick enough, a
real PITA.
>I'll continue to tinker with it. If you have any other suggestions, let me
>know. I'm very close.
>
>>Changes below:
>>
>>kent at www.warehamportal.mec.edu wrote:
>>
>>>Thanks for getting back to me, Paul.
>>>Here's the domain controllers smb.conf
>>>
>>>[global]
>>> workgroup = WarehamPS
>>> encrypt passwords = Yes
>>> time server = Yes
>>> socket options = TCP_NODELAY
>>> security = user
>>> logon script = whs1.bat
>>> writable = Yes
>>> dns proxy = no
>>> directory mask = 02770
>>> preferred master = yes
>>> netbios name = WHS1
>>> server string = RedHat 8.0 LDAP Server
>>> passdb backend = ldapsam
>>> ldap passwd sync = Yes
>>> machine password timeout = 604800
>>> passwd program = /usr/local/samba/bin/smbpasswd %u
>>> passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
>>> log file = /var/log/samba.%m
>>> debug level = 2
>>> max log size = 50
>>> add user script = /usr/local/sbin/smbldap-useradd.pl %u
>>> delete user script = /usr/local/sbin/smbldap-useradd.pl %u
>>> add group script = /usr/local/sbin/smbldap-groupadd.pl
>>> delete group script = /usr/local/sbin/smbldap-groupdel.pl
>>> add machine script = /usr/sbin/useradd -c "Computer" -d /dev/null -s /bin/false -g 502 -M %u; /usr/local/samba/bin/smbpasswd -a -m %u
>>>
>>Change these scripts to be like so:
>>
>>add user script = /usr/sbin/smbldap-useradd -a -m "%u"
>>delete user script = /usr/sbin/smbldap-userdel "%u"
>>add group script = /usr/sbin/smbldap-groupadd "%g"
>>delete group script = /usr/sbin/smbldap-groupdel "%g"
>>add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>>delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>>set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>>add machine script = /usr/sbin/smbldap-useradd -w "%u"
>>
>>Make sure the paths line up, of course. The quotes are important in case
>>you get spaces in the parameters.
>>
>>> logon script = whs1.bat
>>> logon path =
>>> logon drive = H:
>>> logon home =
>>> domain logons = Yes
>>> os level = 64
>>> domain master = Yes
>>> dns proxy = Yes
>>> admin users = @domain_admins
>>> wins support = Yes
>>> name resolve order = wins hosts bcast
>>> ldap suffix = dc=tow,dc=net
>>> ldap machine suffix = ou=Computers
>>>
>>Make ldap machine suffix match ldap user suffix. Known bug.
>>
>>> ldap user suffix = ou=Users
>>> ldap group suffix = ou=Groups
>>> ldap admin dn = cn=admin,dc=tow,dc=net
>>> ldap ssl = no
>>>
>><shares defs deleted>
>>
>>Of course, make sure your smbldap config file matches the above LDAP dn
>>information for users, computers. Check back after trying it out.
>>
>>Paul
>>
>>>Kent
>>>Wareham Public Schools
>>>
>>>>kent at www.warehamportal.mec.edu wrote:
>>>>
>>>>>Hello,
>>>>>I have a question about machine accounts.
>>>>>I'm using Samba 3.0, OpenLDAP 2.1.30 and Berkeley 4.2.52 on backend on
>>>>>RedHat machines.
>>>>>I also have 3 slave/BDC's and 1 master/PDC
>>>>>
>>>>>Right now all of my users and groups exist entirely in the LDAP
>>>>>directory.
>>>>>I have a few accounts in addition to the normal system accounts that
>>>>>are
>>>>>used for emergency access. All authentication and group enumeration uses
>>>>>PAM_LDAP with NSS_LDAP.
>>>>>
>>>>>My question is that when I have a machine join the domain, in the LDAP
>>>>>directory an objectclass Account and sambaSAMAccount are created. I
>>>>>still
>>>>>need to create a machine account in /etc/passwd for this to happen. Is
>>>>>there anyone out there that is first creating a posixAccount with
>>>>>appropriate attributes in LDAP then using the Samba/Windows to generate
>>>>>the sambaSAMAccount object and attributes in LDAP also?
>>>>>
>>>>You shouldn't need anything in /etc/passwd. Perhaps by posting an
>>>>smb.conf you could be pointed in the right direction.
>>>>
>>>>>I was so happy to get all of the user/group stuff consolidated into the
>>>>>directory. Now I see that this is a possibility also but I haven't
>>>>>tried
>>>>>it.
>>>>>
>>>>>Kent N
>>>>>Wareham Public Schools
>>>>>
>>>
>
--
Paul Gienger Office: 701-281-1884
Applied Engineering Inc. Cell: 701-306-6254
Information Systems Consultant Fax: 701-281-1322
URL: www.ae-solutions.com mailto:pgienger at ae-solutions.com
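The thread's diagnosis is that a "user not found" after a domain join usually means the machine entry either lacks one of the two object classes (posixAccount for NSS, sambaSAMAccount for Samba) or was written into a container other than the one smb.conf resolves users from. The script below is an added example, not part of Samba, smbldap-tools or this thread: it reads an LDIF dump (the shape `ldapsearch -LLL` prints, which is an assumption about how you would collect it), picks out machine accounts by the Samba `$`-suffixed uid convention, and reports entries that would trip the checks discussed above. The LDIF is constructed; the `dc=tow,dc=net` suffix and `ou=Users` container come from Kent's smb.conf.

```python
"""Audit Samba machine accounts in an LDIF dump.

Added example for the smbldap thread above; not code from Samba or
smbldap-tools.  It flags machine entries (uid ending in '$') that are
missing posixAccount or sambaSAMAccount, or that sit outside the
container Samba will search (ldap machine suffix + ldap suffix).
"""

# Constructed LDIF, in the form `ldapsearch -LLL` would print.  Three machine
# entries: one correct, one missing sambaSAMAccount, one in ou=Computers
# while smb.conf (per the thread's advice) points machines at ou=Users.
SAMPLE_LDIF = """\
dn: uid=whs-pc01$,ou=Users,dc=tow,dc=net
objectClass: top
objectClass: posixAccount
objectClass: sambaSAMAccount
uid: whs-pc01$
uidNumber: 1001
gidNumber: 515
sambaSID: S-1-5-21-1-2-3-3003
sambaAcctFlags: [W          ]

dn: uid=whs-pc02$,ou=Users,dc=tow,dc=net
objectClass: top
objectClass: posixAccount
uid: whs-pc02$
uidNumber: 1002
gidNumber: 515

dn: uid=whs-pc03$,ou=Computers,dc=tow,dc=net
objectClass: top
objectClass: posixAccount
objectClass: sambaSAMAccount
uid: whs-pc03$
uidNumber: 1003
gidNumber: 515
sambaSID: S-1-5-21-1-2-3-3007
"""

# Both classes must be present: posixAccount for NSS/PAM lookups, and
# sambaSAMAccount for the domain join to find the trust account.
REQUIRED_CLASSES = {"posixAccount", "sambaSAMAccount"}


def parse_ldif(text):
    """Minimal LDIF reader: records are separated by a blank line, a line
    starting with a space continues the previous value, '#' lines are
    comments.  Attribute names are lower-cased; values keep their case.
    Base64 ('::') values are not decoded, which is fine for this audit."""
    entries = []
    for record in text.strip().split("\n\n"):
        unfolded = []
        for line in record.splitlines():
            if line.startswith(" ") and unfolded:
                unfolded[-1] += line[1:]
            elif line and not line.startswith("#"):
                unfolded.append(line)
        entry = {}
        for line in unfolded:
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def check_machine_accounts(entries, ldap_suffix, machine_suffix):
    """Return (dn, problem) pairs for every machine account that is missing
    a required objectClass or is not directly under the expected container.
    The DN is split on the first comma, so RDN values with escaped commas
    are not handled (machine uids never contain them)."""
    expected_parent = f"{machine_suffix},{ldap_suffix}".lower()
    problems = []
    for entry in entries:
        uid = entry.get("uid", [""])[0]
        if not uid.endswith("$"):
            continue  # not a machine trust account
        dn = entry["dn"][0]
        missing = REQUIRED_CLASSES - set(entry.get("objectclass", []))
        if missing:
            problems.append((dn, "missing objectClass " + ", ".join(sorted(missing))))
        parent = dn.split(",", 1)[1].lower()
        if parent != expected_parent:
            problems.append((dn, f"not under {expected_parent}"))
    return problems


if __name__ == "__main__":
    # Values from Kent's smb.conf, with the machine suffix set equal to the
    # user suffix as Paul recommends.
    findings = check_machine_accounts(parse_ldif(SAMPLE_LDIF),
                                      ldap_suffix="dc=tow,dc=net",
                                      machine_suffix="ou=Users")
    for dn, problem in findings:
        print(f"{dn}: {problem}")
```

Run it against a real dump by replacing `SAMPLE_LDIF` with the output of a search over your base DN; an empty result list is what you want to see before retrying the join. Because `ldap machine suffix` is compared as a whole, the check also catches a machine suffix that still points at `ou=Computers` while users live in `ou=Users`.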