[Samba] Re: smbldap-tools don't create machine account properly

Fernando Ribeiro musb at nerdgroup.org
Fri Oct 22 14:22:14 GMT 2004


My ldap.conf restricts the search to ou=Usuarios.

I just commented out the nss_base options and it works fine.

Thanks all


daves-jr at cecom.ufmg.br wrote [Fri, Oct 22, 2004 at 11:22:12AM -0300]:
> 
> 
> Your ldap.conf
>   nss_base_passwd ou=Usuarios,dc=unimix,dc=com,dc=br?one
> Your smb.conf
>   ldap machine suffix = ou=Computadores
> 
> The search nsswitch does on the LDAP base is restricted to
> ou=Usuarios,dc=unimix,dc=com,dc=br ...
> You need to change your machine suffix to the same suffix used by
> nss_base_passwd, or let nsswitch also search the machine suffix base.
> 
> 
> ---------------------------------------------------
> Emerson Henrique Kfuri Pereira
> 
> Divisão de Atendimento e Consultoria
> CECOM - Reitoria - UFMG
> Telephone: 34994009
> ---------------------------------------------------
> 
> > Fernando Ribeiro <musb at nerdgroup.org>
> > Sent by: samba-bounces+daves-jr=ufmg.br at lists.samba.org
> >
> > 22/10/2004 11:52
> >
> > To: samba at lists.samba.org
> > cc:
> > Subject: Re: [Samba] Re: smbldap-tools don't create machine account properly
> > Hi Igor,
> >
> >    my slapd.conf
> >
> >    include /usr/local/etc/openldap/schema/core.schema
> >    include /usr/local/etc/openldap/schema/cosine.schema
> >    include /usr/local/etc/openldap/schema/inetorgperson.schema
> >    include /usr/local/etc/openldap/schema/nis.schema
> >    include /usr/local/etc/openldap/schema/samba.schema
> >    include /usr/local/etc/openldap/schema/qmail.schema
> >
> >    pidfile /usr/local/var/run/slapd.pid
> >    argsfile /usr/local/var/run/slapd.args
> >
> >    database  bdb
> >    suffix "dc=unimix,dc=com,dc=br"
> >    rootdn "cn=suporte,dc=unimix,dc=com,dc=br"
> >    rootpw {SSHA}pass
> >    directory /usr/local/var/openldap-data
> >
> >    password-hash {CRYPT}
> >    password-crypt-salt-format "$1$.8s"
> >
> >    index objectClass,uidNumber,gidNumber eq
> >    index cn,sn,uid,displayName eq
> >    index memberUid,mail,mailAlternateAddress,givenname,
> > accountStatus,mailHost,deliveryMode eq
> >    index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
> >    index default sub
> >
> >    access to attrs=userPassword,sambaLMPassword,sambaNTPassword
> >      by self write
> >      by anonymous auth
> >      by * read
> >
> >    access to *
> >      by * read
> >
> >
> >   My ldap.conf
> >
> >   base dc=unimix,dc=com,dc=br
> >   host ldap.unimix.com.br
> >
> >   rootbinddn cn=suporte,dc=unimix,dc=com,dc=br
> >   nss_base_passwd ou=Usuarios,dc=unimix,dc=com,dc=br?one
> >   nss_base_shadow ou=Usuarios,dc=unimix,dc=com,dc=br?one
> >   nss_base_group ou=Grupos,dc=unimix,dc=com,dc=br?one
> >
> >
> >     My smb.conf
> >
> >
> > [global]
> >    workgroup = UNIMIX
> >    netbios name = PDC
> >    server string = PDC
> >    security = user
> >    encrypt passwords = yes
> >    load printers = yes
> >    log file = /var/log/samba/%m.log
> >    max log size = 50
> >    log level = 2
> >    os level = 255
> >    local master = yes
> >    domain master = yes
> >    preferred master = yes
> >    domain logons = yes
> >    admin users = Administrador, Administrator, fernando.ribeiro
> >    logon script = %U.bat
> >    logon path = \\%L\profiles\%U
> >    ldap passwd sync = yes
> >     ldap delete dn = Yes
> >    passdb backend = ldapsam:ldap://ldap.unimix.com.br/
> >    ldap admin dn = cn=suporte,dc=unimix,dc=com,dc=br
> >    ldap suffix = dc=unimix,dc=com,dc=br
> >    ldap group suffix = ou=Grupos
> >    ldap user suffix = ou=Usuarios
> >    ldap machine suffix = ou=Computadores
> >    idmap uid = 10000-15000
> >     idmap gid = 10000-15000
> >    nt acl support = yes
> >    create mask = 600
> >    directory mask = 0700
> >    force directory mode = 0700
> >    passwd chat = *New*password* %n\n *Retype*new*password* %n\n*passwd:*all*authentication*tokens*updated*successfully*
> >    socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> >    add user script = /usr/local/sbin/smbldap-useradd -m "%u"
> >    add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
> >    add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
> >    add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
> >    delete user script = /usr/local/sbin/smbldap-userdel "%u"
> >    delete group script = /usr/local/sbin/smbldap-groupdel "%g"
> >    delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
> >    set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
> >    dos charset = UTF-8
> >     unix charset = UTF-8
> >     cups server = 10.0.0.11
> >
> > [homes]
> >    comment = Diretorio Home
> >    browseable = no
> >    writable = yes
> >   force user = %U
> >
> > [profiles]
> >   path = /home/profiles
> >   read only = No
> >   create mask = 0600
> >   directory mask = 0700
> >   browseable = No
> >   guest ok = Yes
> >   profile acls = Yes
> >   csc policy = disable
> >   force user = %U
> >    valid users = %U @"Domain Admins"
> >
> > [netlogon]
> >    path = /home/netlogon
> >    browseable = No
> >    read only = yes
> >
> > [printers]
> >    comment = Impressoras
> >    path = /var/spool/samba
> >    browseable = no
> >    guest ok = no
> >    writable = no
> >    printable = yes
> >
> >
> >    My Samba returns these errors:
> >
> >    [2004/10/22 10:48:34, 5] lib/smbldap.c:smbldap_search(963)
> >   smbldap_search: base => [dc=unimix,dc=com,dc=br], filter =>
> >   [(&(uid=suporte$)(objectclass=sambaSamAccount))], scope => [2]
> >   [2004/10/22 10:48:34, 4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1266)
> >   ldapsam_getsampwnam: Unable to locate user [suporte$] count=0
> >   [2004/10/22 10:48:34, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
> >   pop_sec_ctx (0, 1000) - sec_ctx_stack_ndx = 0
> >   [2004/10/22 10:48:34, 5] lib/username.c:Get_Pwnam(293)
> >   Finding user suporte$
> >   [2004/10/22 10:48:34, 5] lib/username.c:Get_Pwnam_internals(223)
> >   Trying _Get_Pwnam(), username as lowercase is suporte$
> >   [2004/10/22 10:48:34, 5] lib/username.c:Get_Pwnam_internals(239)
> >   Trying _Get_Pwnam(), username as uppercase is SUPORTE$
> >   [2004/10/22 10:48:34, 5] lib/username.c:Get_Pwnam_internals(247)
> >   Checking combinations of 0 uppercase letters in suporte$
> >   [2004/10/22 10:48:34, 5] lib/username.c:Get_Pwnam_internals(251)
> >   Get_Pwnam_internals didn't find user [suporte$]!
> >   [2004/10/22 10:48:35, 3] rpc_server/srv_samr_nt.c:_samr_create_user(2245)
> >   _samr_create_user: Running the command `/usr/local/sbin/smbldap-useradd -w "suporte$"' gave 9
> >   [2004/10/22 10:48:35, 5] lib/username.c:Get_Pwnam(293)
> >   Finding user suporte$
> >   [2004/10/22 10:48:35, 5] lib/username.c:Get_Pwnam_internals(223)
> >   Trying _Get_Pwnam(), username as lowercase is suporte$
> >   [2004/10/22 10:48:35, 5] lib/username.c:Get_Pwnam_internals(239)
> >   Trying _Get_Pwnam(), username as uppercase is SUPORTE$
> >   [2004/10/22 10:48:35, 5] lib/username.c:Get_Pwnam_internals(247)
> >   Checking combinations of 0 uppercase letters in suporte$
> >   [2004/10/22 10:48:35, 5] lib/username.c:Get_Pwnam_internals(251)
> >   Get_Pwnam_internals didn't find user [suporte$]!
> >
> >    It doesn't find the suporte$ machine.
> >    But it exists.
> >
> > > >   dn: uid=suporte$,ou=Computadores,dc=unimix,dc=com,dc=br
> > > >   objectClass: top
> > > >   objectClass: inetOrgPerson
> > > >   objectClass: posixAccount
> > > >   cn: suporte$
> > > >   sn: suporte$
> > > >   uid: suporte$
> > > >   uidNumber: 1020
> > > >   gidNumber: 1000
> > > >   homeDirectory: /dev/null
> > > >   loginShell: /bin/false
> > > >   description: Computer
> > > >   gecos: Computer
> >
> >    But without sambaSamAccount.
> >
> >    PS. s/Computers/Computadores/g =)
> >
> >    Any idea?
> >
> >    Thanks
> >
> >
> > Igor Belyi wrote [Thu, Oct 21, 2004 at 06:32:27PM -0400]:
> > > Is it possible that 'ldap admin dn' used in your smb.conf does not have
> > > write access to 'ou=Computers,dc=unimix,dc=com,dc=br'? What was the
> > > error in smbd log when machine failed to join the Domain?
> > >
> > > Igor
> > >
> > > Fernando Ribeiro wrote:
> > > >Hi all,
> > > >
> > > >   I have smb.conf with:
> > > >
> > > >
> > > >   add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
> > > >   add user script = /usr/local/sbin/smbldap-useradd -m "%u"
> > > >   add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
> > > >   add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
> > > >   add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
> > > >   delete user script = /usr/local/sbin/smbldap-userdel "%u"
> > > >   delete group script = /usr/local/sbin/smbldap-groupdel "%g"
> > > >   delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
> > > >   set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
> > > >
> > > >   When I try to join the W2K machine to the Samba domain it creates the
> > > >   LDAP machine account entry:
> > > >
> > > >   dn: uid=suporte$,ou=Computers,dc=unimix,dc=com,dc=br
> > > >   objectClass: top
> > > >   objectClass: inetOrgPerson
> > > >   objectClass: posixAccount
> > > >   cn: suporte$
> > > >   sn: suporte$
> > > >   uid: suporte$
> > > >   uidNumber: 1020
> > > >   gidNumber: 1000
> > > >   homeDirectory: /dev/null
> > > >   loginShell: /bin/false
> > > >   description: Computer
> > > >   gecos: Computer
> > > >
> > > >   And it doesn't join the Samba domain.
> > > >
> > > >   When I create a machine account manually with:
> > > >
> > > >   dn: uid=suporte$,ou=Computadores,dc=unimix,dc=com,dc=br
> > > >   gidNumber: 30000
> > > >   uidNumber: 1022
> > > >   uid: suporte$
> > > >   sambaSID: S-1-5-21-715268823-1473299472-2771147885-3044
> > > >   sambaAcctFlags: [W          ]
> > > >   cn: suporte
> > > >   homeDirectory: /dev/null
> > > >   objectClass: top
> > > >   objectClass: sambaSamAccount
> > > >   objectClass: posixAccount
> > > >   objectClass: account
> > > >
> > > >   It joins the Samba domain without problem.
> > > >
> > > >   Does anyone know why it doesn't create a sambaSamAccount?
> > > >   Does a machine account need inetOrgPerson?
> > > >
> > > >   Thanks
> > > >
> > > >
> > >
> > > --
> > > To unsubscribe from this list go to the following URL and read the
> > > instructions:  http://lists.samba.org/mailman/listinfo/samba
> > >
> >
-- 
Fernando Ribeiro - GPG-KEY: 0x8D7255F4
Linux Counter: #273768 - ICQ: 175630330
LPIC-2 - Advanced Linux
Death the graph! Death the mouse
Death patents! Death closed standards!
http://www.nerdgroup.org
http://musb.nerdgroup.org
--------------------------------------
"Great minds discuss ideas;
Average minds discuss events;
Small minds discuss people."
--------------------------------------
"A mind that opens up to a new idea
never returns to its original size."
Albert Einstein
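The diagnosis in the thread is that smbd resolves the freshly created machine account through NSS (the Get_Pwnam calls in the log), and nss_ldap only searches the bases named by nss_base_passwd; an entry under ou=Computadores is therefore invisible while the only base is ou=Usuarios with scope one, so the posixAccount gets created but the sambaSamAccount part never follows. The Python below is an added example, not code from the thread, from nss_ldap or from Samba: it re-implements just the base-plus-scope rule of an LDAP search and applies it to the DNs posted above, comparing the posted ldap.conf with two fixes. The user DN and all helper names are constructed; that nss_ldap accepts several nss_base_passwd lines and treats a missing ?scope as subtree is an assumption of the example.

```python
"""Which LDAP entries nss_ldap exposes to getpwnam()/Get_Pwnam, modelled
from the nss_base_passwd lines in ldap.conf.

Added example, not code from the thread, nss_ldap or Samba. Only the
base-plus-scope rule of an LDAP search is implemented (scopes base, one
and sub); DN escaping is ignored because the DNs here need none.
Assumptions: nss_ldap accepts several nss_base_passwd lines and treats a
missing '?scope' as subtree. The user DN below is constructed.
"""


def dn_components(dn):
    """Split a DN into lower-cased RDN components, leaf first."""
    return [c.strip().lower() for c in dn.split(",")]


def matches_base(entry_dn, base_dn, scope):
    """True if a search with this base and scope would return entry_dn.
    scope is the nss_base_* suffix: 'base', 'one' or 'sub'."""
    entry = dn_components(entry_dn)
    base = dn_components(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False  # entry is not under the base at all
    depth = len(entry) - len(base)  # 0 = the base itself, 1 = direct child
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError("unknown scope %r" % scope)


def parse_nss_base(line):
    """Parse 'nss_base_passwd BASE?SCOPE' into (base, scope); a missing
    '?scope' is taken as 'sub' (assumption, see the module docstring)."""
    _, value = line.split(None, 1)
    base, _, scope = value.partition("?")
    return base.strip(), (scope.strip() or "sub")


def visible_to_nss(entry_dn, nss_base_lines):
    """Would a getpwnam() through nss_ldap reach this entry?
    Each nss_base_passwd line is a separate search; any hit is enough."""
    return any(matches_base(entry_dn, *parse_nss_base(line))
               for line in nss_base_lines)


# DNs from the thread; the user DN is constructed from the smb.conf admin list.
USER_DN = "uid=fernando.ribeiro,ou=Usuarios,dc=unimix,dc=com,dc=br"
MACHINE_DN = "uid=suporte$,ou=Computadores,dc=unimix,dc=com,dc=br"

# The posted ldap.conf: users only, one level deep.
POSTED = ["nss_base_passwd ou=Usuarios,dc=unimix,dc=com,dc=br?one"]
# Fix 1: a second, equally narrow base for the machine OU.
TWO_BASES = POSTED + ["nss_base_passwd ou=Computadores,dc=unimix,dc=com,dc=br?one"]
# Fix 2, what the thread did, written as the equivalent explicit line:
# no nss_base_*, so the global base is searched as a whole subtree.
WHOLE_TREE = ["nss_base_passwd dc=unimix,dc=com,dc=br?sub"]


def report():
    """(user visible, machine visible) for each configuration."""
    configs = (("posted", POSTED), ("two_bases", TWO_BASES), ("whole_tree", WHOLE_TREE))
    return {name: (visible_to_nss(USER_DN, conf), visible_to_nss(MACHINE_DN, conf))
            for name, conf in configs}


if __name__ == "__main__":
    for name, (user, machine) in report().items():
        print("%-10s user=%-5s machine=%s" % (name, user, machine))
```

Dropping nss_base_* entirely, as the thread did, works because the global base is then searched as a subtree, but it also turns every posixAccount anywhere under dc=unimix,dc=com,dc=br into a Unix account on the PDC; adding ou=Computadores as a second one-level base exposes only the machine OU and keeps the original restriction on the user OU. On a real host the lookup smbd is making is `getent passwd 'suporte$'`, which is the quickest check that the change took effect.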

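Separately from the join problem, the ACL in the posted slapd.conf grants `by * read` on userPassword, sambaLMPassword and sambaNTPassword, and the preceding `by anonymous auth` only keeps unauthenticated binds out: any bound DN can read every user's LM and NT hashes, and the NT hash is usable as-is for NTLM authentication against the domain. The Python below is an added example, not code from the thread or from OpenLDAP: it implements only the first-match evaluation of a single `access to attrs=` clause (subjects self, anonymous, dn.exact and *, and slapd's ordered privilege levels) and compares the posted clause with a hardened one ending in `by * none`. The requester DNs and the hardened clause are constructed; the rootdn, which bypasses ACLs in slapd and is the `ldap admin dn` in this setup, is not modelled.

```python
"""First-match evaluation of the 'access to attrs=...' clause in the posted
slapd.conf, to show who may read the Samba password hashes.

Added example, not code from the thread or from OpenLDAP. It covers only:
one 'access to attrs=' clause, subjects self / anonymous / dn.exact="..." / *,
first matching 'by' wins, no match means none, and slapd's ordered privilege
levels. The rootdn (which bypasses ACLs) is not modelled. The requester DNs
and the hardened clause are constructed for the example.
"""
import re

# slapd privilege levels, lowest to highest; a grant implies every lower level.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

BY_RULE = re.compile(
    r'\bby (self|anonymous|\*|dn(?:\.exact)?="[^"]*") '
    r'(none|disclose|auth|compare|search|read|write)\b')


def parse_access(text):
    """Return (attrs, [(who, level), ...]) for one 'access to attrs=' clause."""
    flat = " ".join(text.split())
    m = re.match(r"access to attrs=(\S+)", flat)
    if not m:
        raise ValueError("unsupported clause: %r" % text)
    return m.group(1).split(","), BY_RULE.findall(flat)


def granted_level(rules, requester_dn, entry_dn):
    """Level granted by the first matching 'by' clause; requester_dn is None
    for an anonymous bind. No match falls through to 'none', as slapd does."""
    for who, level in rules:
        if who == "*":
            return level
        if who == "anonymous" and requester_dn is None:
            return level
        if requester_dn is None:
            continue  # self and dn.exact need a bound DN
        if who == "self" and requester_dn.lower() == entry_dn.lower():
            return level
        if who.startswith("dn") and who.split('"')[1].lower() == requester_dn.lower():
            return level
    return "none"


def can_read(clause, requester_dn, entry_dn):
    """Does requester_dn get at least 'read' on the clause's attributes of entry_dn?"""
    _, rules = parse_access(clause)
    return LEVELS.index(granted_level(rules, requester_dn, entry_dn)) >= LEVELS.index("read")


# The clause exactly as posted in the thread.
POSTED_ACL = """
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
  by self write
  by anonymous auth
  by * read
"""

# Hardened form (constructed): only the Samba admin DN and the entry itself
# may touch the hashes; everyone else gets nothing.
HARDENED_ACL = """
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
  by dn.exact="cn=suporte,dc=unimix,dc=com,dc=br" write
  by self write
  by anonymous auth
  by * none
"""

ENTRY = "uid=fernando.ribeiro,ou=Usuarios,dc=unimix,dc=com,dc=br"  # constructed
REQUESTERS = {
    "anonymous": None,
    "self": ENTRY,
    "other_user": "uid=outro,ou=Usuarios,dc=unimix,dc=com,dc=br",  # constructed
    "admin_dn": "cn=suporte,dc=unimix,dc=com,dc=br",  # the smb.conf ldap admin dn
}


def who_can_read_hashes(clause):
    """Map each requester to whether it can read ENTRY's password attributes."""
    return {name: can_read(clause, dn, ENTRY) for name, dn in REQUESTERS.items()}


if __name__ == "__main__":
    for label, clause in (("posted", POSTED_ACL), ("hardened", HARDENED_ACL)):
        print(label, who_can_read_hashes(clause))
```

Under the posted clause `other_user` reads the hashes; under the hardened one only the entry itself and the admin DN do. The explicit dn.exact grant for cn=suporte is redundant while that DN is the rootdn, but it keeps Samba working if `ldap admin dn` is ever moved to a less privileged account: `ldap passwd sync` and every authentication go through that DN, so ordinary users never need read on these attributes. The `attrs=` clause must stay ahead of `access to * by * read`, since slapd applies the first `access to` whose target matches.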
