[Samba] posixAccount for Machines in LDAP?

kent at www.warehamportal.mec.edu kent at www.warehamportal.mec.edu
Wed Jul 14 22:54:54 GMT 2004


John,
I have everything running finally. Of course this is always in a state of
evolution as I'm sure you know. I posted a question about objectclasses
that are required to make machine accounts available if they reside
entirely in the LDAP directory. The perl scripts from IDEALX seem to
include inetOrgPerson as an objectclass when using smbldap-useradd.pl for
machine accounts. I wanted to know if inetOrgPerson is necessary and if I
could adjust the perl scripts to include just:

sambaSAMAccount
posixAccount

Everything in /etc/passwd has been migrated to LDAP with exception of
system accounts (root,sys,nobody,etc), thanks to PAM_LDAP and NSS_LDAP.

I have to say that this is marvelous software. You guys do an excellent
job revising, advising and the support list server is without a doubt the
best tech support money can't buy.

Thanks for your help.

Kent N
Wareham Public Schools

> Kent,
>
> You may find value from reading chapter 6 of the book "Samba-3 by Example"
> that is available from Amazon.Com. This book is also available
> electronically
> from http://www.samba.org/samba/docs/Samba-Guide.pdf. The advantage of the
> book is that it comes with a CDROM that has all the example config files
> that
> might help you get this resolved faster.
>
> In any case, if the examples and documentation in this book do NOT solve
> your
> problem please let me know so I can update it.
>
> Cheers,
> John T.
>
> On Wednesday 14 July 2004 07:25, kent at www.warehamportal.mec.edu wrote:
>> Hi Paul,
>> I'm getting a user not found after I made the changes. That's what I
>> used
>> to get when I didn't add the machine account to /etc/passwd first.
>>
>> The good news is that I removed a machine account from /etc/passwd and
>> added it to LDAP to the existing account that was created with smbpasswd
>> (added posixAccount and attributes). This worked fine. All of the
>> posixAccount  information need only be in LDAP. I will migrate my
>> existing
>> machine account info from /etc/passwd to their respective accounts in
>> LDAP. Just seems that smbldap_useradd.pl is not able to add the account
>> information to LDAP on the fly.
>>
>> Just curious, do you have a working system that does just that, where if
>> you add a machine by joining it to the domain, smbldap_useradd.pl
>> creates
>> the posixAccount and sambaSAMAccount in LDAP?
>>
>> I'll continue to tinker with it. If you have any other suggestions, let
>> me
>> know. I'm very close.
>>
>> > Changes below:
>> >
>> > kent at www.warehamportal.mec.edu wrote:
>> >>Thanks for getting back to me, Paul.
>> >>Here's the domain controllers smb.conf
>> >>
>> >>
>> >>[global]
>> >>        workgroup = WarehamPS
>> >>	encrypt passwords = Yes
>> >>	time server = Yes
>> >>	socket options = TCP_NODELAY
>> >>	security = user
>> >>	logon script = whs1.bat
>> >>	writable = Yes
>> >>	dns proxy = no
>> >>	directory mask = 02770
>> >>	preferred master = yes
>> >>        netbios name = WHS1
>> >>        server string = RedHat 8.0 LDAP Server
>> >>        passdb backend = ldapsam
>> >>        ldap passwd sync = Yes
>> >>	machine password timeout = 604800
>> >>        passwd program = /usr/local/samba/bin/smbpasswd %u
>> >>        passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
>> >>        log file = /var/log/samba.%m
>> >>        debug level = 2
>> >>        max log size = 50
>> >>        add user script = /usr/local/sbin/smbldap-useradd.pl %u
>> >>        delete user script = /usr/local/sbin/smbldap-useradd.pl %u
>> >>        add group script = /usr/local/sbin/smbldap-groupadd.pl
>> >>        delete group script = /usr/local/sbin/smbldap-groupdel.pl
>> >>        add machine script = /usr/sbin/useradd -c "Computer" -d /dev/null -s /bin/false -g 502 -M %u; /usr/local/samba/bin/smbpasswd -a -m %u
>> >
>> > Change these scripts to be like so:
>> >
>> > add user script = /usr/sbin/smbldap-useradd -a -m "%u"
>> > delete user script = /usr/sbin/smbldap-userdel "%u"
>> > add group script = /usr/sbin/smbldap-groupadd "%g"
>> > delete group script = /usr/sbin/smbldap-groupdel "%g"
>> > add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>> > delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>> > set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>> > add machine script = /usr/sbin/smbldap-useradd -w "%u"
>> >
>> > make sure the paths line up of course.  The quotes are important in case
>> > you get spaces in the parameters.
>> >
>> >>        logon script = whs1.bat
>> >>	logon path =
>> >>        logon drive = H:
>> >>	logon home =
>> >>        domain logons = Yes
>> >>        os level = 64
>> >>        domain master = Yes
>> >>        dns proxy = Yes
>> >>	admin users = @domain_admins
>> >>	wins support = Yes
>> >>	name resolve order = wins hosts bcast
>> >>        ldap suffix = dc=tow,dc=net
>> >>        ldap machine suffix = ou=Computers
>> >
>> > Make ldap machine suffix match ldap user suffix.  Known bug.
>> >
>> >>        ldap user suffix = ou=Users
>> >>        ldap group suffix = ou=Groups
>> >>        ldap admin dn = cn=admin,dc=tow,dc=net
>> >>        ldap ssl = no
>> >
>> > <shares defs deleted>
>> >
>> > Of course, make sure your smbldap config file matches the above LDAP dn
>> > information for users, computers.  Check back after trying it out.
>> >
>> > Paul
>> >
>> >>Kent
>> >>Wareham Public Schools
>> >>
>> >>>kent at www.warehamportal.mec.edu wrote:
>> >>>>Hello,
>> >>>>I have a question about machine accounts.
>> >>>>I'm using Samba 3.0, OpenLDAP 2.1.30 and Berkeley 4.2.52 on backend on
>> >>>>RedHat machines.
>> >>>>I also have 3 slave/BDC's and 1 master/PDC
>> >>>>
>> >>>>Right now all of my users and groups exist entirely in the LDAP
>> >>>>directory.
>> >>>>I have a few accounts in addition to the normal system accounts that are
>> >>>>used for emergency access. All authentication and group enumeration uses
>> >>>>PAM_LDAP with NSS_LDAP.
>> >>>>
>> >>>>My question is that when I have a machine join the domain, in the LDAP
>> >>>>directory an objectclass Account and sambaSAMAccount are created. I still
>> >>>>need to create a machine account in /etc/passwd for this to happen. Is
>> >>>>there anyone out there that is first creating a posixAccount with
>> >>>>appropriate attributes in LDAP then using the Samba/Windows to generate
>> >>>>the sambaSAMAccount object and attributes in LDAP also?
>> >>>
>> >>>You shouldn't need anything in /etc/passwd.  Perhaps by posting an
>> >>>smb.conf you could be pointed in the right direction.
>> >>>
>> >>>>I was so happy to get all of the user/group stuff consolidated into the
>> >>>>directory. Now I see that this is a possibility also but I haven't tried
>> >>>>it.
>> >>>>
>> >>>>Kent N
>> >>>>Wareham Public Schools
>> >>>
>> >>>--
>> >>>Paul Gienger                     Office:		701-281-1884
>> >>>Applied Engineering Inc.         Cell:			701-306-6254
>> >>>Information Systems Consultant   Fax:			701-281-1322
>> >>>URL: www.ae-solutions.com        mailto:pgienger at ae-solutions.com
>> >
>> > --
>> > Paul Gienger                     Office:		701-281-1884
>> > Applied Engineering Inc.         Cell:			701-306-6254
>> > Information Systems Consultant   Fax:			701-281-1322
>> > URL: www.ae-solutions.com        mailto:pgienger at ae-solutions.com
>
> --
> John H Terpstra
> Samba-Team Member
> Phone: +1 (650) 580-8668
>
> Author:
> The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
> Samba-3 by Example, ISBN: 0131472216
> Hardening Linux, ISBN: 0072254971
> OpenLDAP by Example, ISBN: 0131488732
> Other books in production.
>
>
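The thread turns on two things: which objectclasses a machine trust account needs when it lives only in LDAP, and the smb.conf script settings that Paul corrected (the `delete user script` that points at `smbldap-useradd.pl`, the unquoted `%u`, and `ldap machine suffix` not matching `ldap user suffix`). The script below is an added example, not code from the thread or from the IDEALX tools: it lints a constructed `[global]` section modelled on the posted one, and builds and checks an LDIF entry that carries only `account`, `posixAccount` and `sambaSamAccount`. Using `account` as the structural class is an assumption drawn from Kent's observation that Samba itself creates `Account` plus `sambaSAMAccount` entries; the domain SID, uid/gid numbers and RID are placeholders.

```python
import re
from typing import Dict, List

# Constructed from the [global] section quoted in the thread (abridged).
SAMPLE_SMB_CONF = """
[global]
        passdb backend = ldapsam
        add user script = /usr/local/sbin/smbldap-useradd.pl %u
        delete user script = /usr/local/sbin/smbldap-useradd.pl %u
        add machine script = /usr/sbin/useradd -c "Computer" -d /dev/null -s /bin/false -g 502 -M %u; /usr/local/samba/bin/smbpasswd -a -m %u
        ldap suffix = dc=tow,dc=net
        ldap machine suffix = ou=Computers
        ldap user suffix = ou=Users
        ldap ssl = no
"""

SCRIPT_KEYS = ("add user script", "delete user script", "add group script",
               "delete group script", "add machine script")


def parse_global(text: str) -> Dict[str, str]:
    """Return the [global] parameters, keys lower-cased and space-normalised."""
    params: Dict[str, str] = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")   # split at the first '='
            params[" ".join(key.split()).lower()] = value.strip()
    return params


def lint_global(p: Dict[str, str]) -> List[str]:
    """Flag the problems the replies in the thread point at, plus the clear-text bind."""
    findings: List[str] = []
    if p.get("ldap machine suffix") and p["ldap machine suffix"] != p.get("ldap user suffix"):
        findings.append("ldap machine suffix differs from ldap user suffix")
    for key in SCRIPT_KEYS:
        value = p.get(key, "")
        if not value:
            continue
        if key.startswith("delete") and "useradd" in value:
            findings.append(f"{key} calls a useradd tool")
        if "%u" in value and '"%u"' not in value:
            findings.append(f"{key}: %u is not quoted")
        if key == "add machine script" and "/useradd" in value \
                and p.get("passdb backend", "").startswith("ldapsam"):
            findings.append("add machine script creates a local account although passdb backend is ldapsam")
    if p.get("ldap ssl", "").lower() in ("no", "off"):
        findings.append("ldap ssl = no: the ldap admin dn bind is not protected by TLS")
    return findings


def machine_account_ldif(netbios_name: str, uid_number: int, gid_number: int,
                         rid: int, user_suffix: str, base: str, domain_sid: str) -> str:
    """LDIF for a workstation trust account, placed under the user suffix."""
    uid = netbios_name.rstrip("$").lower() + "$"   # machine uids end in '$'
    lines = [
        f"dn: uid={uid},{user_suffix},{base}",
        "objectClass: account",          # structural class (assumed), carries uid
        "objectClass: posixAccount",     # auxiliary: what NSS_LDAP needs
        "objectClass: sambaSamAccount",  # auxiliary: what ldapsam needs
        f"uid: {uid}",
        f"cn: {uid}",
        f"uidNumber: {uid_number}",
        f"gidNumber: {gid_number}",
        "homeDirectory: /dev/null",
        "loginShell: /bin/false",
        f"sambaSID: {domain_sid}-{rid}",
        "sambaAcctFlags: [W          ]",  # W = workstation trust account
        "description: Computer",
    ]
    return "\n".join(lines) + "\n"


def check_machine_entry(ldif: str) -> List[str]:
    """Return the reasons an LDIF entry would not work as a machine account."""
    attrs: Dict[str, List[str]] = {}
    for line in ldif.splitlines():
        if ":" in line:
            k, _, v = line.partition(":")
            attrs.setdefault(k.strip().lower(), []).append(v.strip())
    classes = {c.lower() for c in attrs.get("objectclass", [])}
    problems: List[str] = []
    if not classes & {"account", "inetorgperson"}:
        problems.append("no structural objectClass (account or inetOrgPerson)")
    if "posixaccount" not in classes:
        problems.append("missing posixAccount: NSS lookup of the uid will fail")
    if "sambasamaccount" not in classes:
        problems.append("missing sambaSamAccount")
    if not attrs.get("uid", [""])[0].endswith("$"):
        problems.append("machine uid must end in '$'")
    if "W" not in attrs.get("sambaacctflags", [""])[0]:
        problems.append("sambaAcctFlags lacks W")
    return problems
```

Run `lint_global(parse_global(SAMPLE_SMB_CONF))` against a real smb.conf's text to see the same findings Paul listed, and feed the output of `machine_account_ldif(...)` (with the real domain SID from `net getlocalsid`) to `ldapadd` to pre-create a machine account that both NSS_LDAP and ldapsam will accept without any `/etc/passwd` entry.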