[Samba] Re: smbldap-tools don't create machine account properly
John H Terpstra
jht at samba.org
Fri Oct 22 14:30:14 GMT 2004
On Friday 22 October 2004 07:52, Fernando Ribeiro wrote:
> Hi Igor,
>
> my slapd.conf
>
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> include /usr/local/etc/openldap/schema/nis.schema
> include /usr/local/etc/openldap/schema/samba.schema
> include /usr/local/etc/openldap/schema/qmail.schema
>
> pidfile /usr/local/var/run/slapd.pid
> argsfile /usr/local/var/run/slapd.args
>
> database bdb
> suffix "dc=unimix,dc=com,dc=br"
> rootdn "cn=suporte,dc=unimix,dc=com,dc=br"
> rootpw {SSHA}pass
> directory /usr/local/var/openldap-data
>
> password-hash {CRYPT}
> password-crypt-salt-format "$1$.8s"
>
> index objectClass,uidNumber,gidNumber eq
> index cn,sn,uid,displayName eq
> index memberUid,mail,mailAlternateAddress,givenname,accountStatus,mailHost,deliveryMode eq
> index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
> index default sub
>
> access to attrs=userPassword,sambaLMPassword,sambaNTPassword
> by self write
> by anonymous auth
> by * read
>
> access to *
> by * read
>
>
> My ldap.conf
>
> base dc=unimix,dc=com,dc=br
> host ldap.unimix.com.br
>
> rootbinddn cn=suporte,dc=unimix,dc=com,dc=br
> nss_base_passwd ou=Usuarios,dc=unimix,dc=com,dc=br?one
> nss_base_shadow ou=Usuarios,dc=unimix,dc=com,dc=br?one
> nss_base_group ou=Grupos,dc=unimix,dc=com,dc=br?one
Change these to:
nss_base_passwd dc=unimix,dc=com,dc=br?sub
nss_base_shadow dc=unimix,dc=com,dc=br?sub
nss_base_group ou=Grupos,dc=unimix,dc=com,dc=br?one
- John T.
>
>
> My smb.conf
>
>
> [global]
> workgroup = UNIMIX
> netbios name = PDC
> server string = PDC
> security = user
> encrypt passwords = yes
> load printers = yes
> log file = /var/log/samba/%m.log
> max log size = 50
> log level = 2
> os level = 255
> local master = yes
> domain master = yes
> preferred master = yes
> domain logons = yes
> admin users = Administrador, Administrator, fernando.ribeiro
> logon script = %U.bat
> logon path = \\%L\profiles\%U
> ldap passwd sync = yes
> ldap delete dn = Yes
> passdb backend = ldapsam:ldap://ldap.unimix.com.br/
> ldap admin dn = cn=suporte,dc=unimix,dc=com,dc=br
> ldap suffix = dc=unimix,dc=com,dc=br
> ldap group suffix = ou=Grupos
> ldap user suffix = ou=Usuarios
> ldap machine suffix = ou=Computadores
> idmap uid = 10000-15000
> idmap gid = 10000-15000
> nt acl support = yes
> create mask = 600
> directory mask = 0700
> force directory mode = 0700
> passwd chat = *New*password* %n\n *Retype*new*password* %n\n*passwd:*all*authentication*tokens*updated*successfully*
> socket options = TCP_NODELAY IPTOS_LOWDELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> add user script = /usr/local/sbin/smbldap-useradd -m "%u"
> add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
> add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
> delete user script = /usr/local/sbin/smbldap-userdel "%u"
> delete group script = /usr/local/sbin/smbldap-groupdel "%g"
> delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
> set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
> dos charset = UTF-8
> unix charset = UTF-8
> cups server = 10.0.0.11
>
> [homes]
> comment = Diretorio Home
> browseable = no
> writable = yes
> force user = %U
>
> [profiles]
> path = /home/profiles
> read only = No
> create mask = 0600
> directory mask = 0700
> browseable = No
> guest ok = Yes
> profile acls = Yes
> csc policy = disable
> force user = %U
> valid users = %U @"Domain Admins"
>
> [netlogon]
> path = /home/netlogon
> browseable = No
> read only = yes
>
> [printers]
> comment = Impressoras
> path = /var/spool/samba
> browseable = no
> guest ok = no
> writable = no
> printable = yes
>
>
> My samba return this errors:
>
> [2004/10/22 10:48:34, 5] lib/smbldap.c:smbldap_search(963)
> smbldap_search: base => [dc=unimix,dc=com,dc=br], filter => [(&(uid=suporte$)(objectclass=sambaSamAccount))], scope => [2]
> [2004/10/22 10:48:34, 4] passdb/pdb_ldap.c:ldapsam_getsampwnam(1266)
> ldapsam_getsampwnam: Unable to locate user [suporte$] count=0
> [2004/10/22 10:48:34, 3] smbd/sec_ctx.c:pop_sec_ctx(386)
> pop_sec_ctx (0, 1000) - sec_ctx_stack_ndx = 0
> [2004/10/22 10:48:34, 5] lib/username.c:Get_Pwnam(293)
> Finding user suporte$
> [2004/10/22 10:48:34, 5] lib/username.c:Get_Pwnam_internals(223)
> Trying _Get_Pwnam(), username as lowercase is suporte$
> [2004/10/22 10:48:34, 5] lib/username.c:Get_Pwnam_internals(239)
> Trying _Get_Pwnam(), username as uppercase is SUPORTE$
> [2004/10/22 10:48:34, 5] lib/username.c:Get_Pwnam_internals(247)
> Checking combinations of 0 uppercase letters in suporte$
> [2004/10/22 10:48:34, 5] lib/username.c:Get_Pwnam_internals(251)
> Get_Pwnam_internals didn't find user [suporte$]!
> [2004/10/22 10:48:35, 3] rpc_server/srv_samr_nt.c:_samr_create_user(2245)
> _samr_create_user: Running the command `/usr/local/sbin/smbldap-useradd -w "suporte$"' gave 9
> [2004/10/22 10:48:35, 5] lib/username.c:Get_Pwnam(293)
> Finding user suporte$
> [2004/10/22 10:48:35, 5] lib/username.c:Get_Pwnam_internals(223)
> Trying _Get_Pwnam(), username as lowercase is suporte$
> [2004/10/22 10:48:35, 5] lib/username.c:Get_Pwnam_internals(239)
> Trying _Get_Pwnam(), username as uppercase is SUPORTE$
> [2004/10/22 10:48:35, 5] lib/username.c:Get_Pwnam_internals(247)
> Checking combinations of 0 uppercase letters in suporte$
> [2004/10/22 10:48:35, 5] lib/username.c:Get_Pwnam_internals(251)
> Get_Pwnam_internals didn't find user [suporte$]!
>
> It doesn't find the suporte$ machine.
> But it exists.
>
> > > dn: uid=suporte$,ou=Computadores,dc=unimix,dc=com,dc=br
> > > objectClass: top
> > > objectClass: inetOrgPerson
> > > objectClass: posixAccount
> > > cn: suporte$
> > > sn: suporte$
> > > uid: suporte$
> > > uidNumber: 1020
> > > gidNumber: 1000
> > > homeDirectory: /dev/null
> > > loginShell: /bin/false
> > > description: Computer
> > > gecos: Computer
>
> But without sambaSamAccount.
>
> PS. s/Computers/Computadores/g =)
>
> Any idea?
>
> Thanks
>
> Words from Igor Belyi [Thu, Oct 21, 2004 at 06:32:27PM -0400]:
> > Is it possible that 'ldap admin dn' used in your smb.conf does not have
> > write access to 'ou=Computers,dc=unimix,dc=com,dc=br'? What was the
> > error in smbd log when machine failed to join the Domain?
> >
> > Igor
> >
> > Fernando Ribeiro wrote:
> > >Hi all,
> > >
> > > I have smb.conf with:
> > >
> > >
> > > add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
> > > add user script = /usr/local/sbin/smbldap-useradd -m "%u"
> > > add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
> > > add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
> > > add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
> > > delete user script = /usr/local/sbin/smbldap-userdel "%u"
> > > delete group script = /usr/local/sbin/smbldap-groupdel "%g"
> > > delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
> > > set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
> > >
> > > While I try to include the w2k machine in the samba domain, it creates the LDAP
> > > machine account entry:
> > >
> > > dn: uid=suporte$,ou=Computers,dc=unimix,dc=com,dc=br
> > > objectClass: top
> > > objectClass: inetOrgPerson
> > > objectClass: posixAccount
> > > cn: suporte$
> > > sn: suporte$
> > > uid: suporte$
> > > uidNumber: 1020
> > > gidNumber: 1000
> > > homeDirectory: /dev/null
> > > loginShell: /bin/false
> > > description: Computer
> > > gecos: Computer
> > >
> > > And it doesn't join the samba domain.
> > >
> > > When I create a machine account manually with:
> > >
> > > dn: uid=suporte$,ou=Computadores,dc=unimix,dc=com,dc=br
> > > gidNumber: 30000
> > > uidNumber: 1022
> > > uid: suporte$
> > > sambaSID: S-1-5-21-715268823-1473299472-2771147885-3044
> > > sambaAcctFlags: [W ]
> > > cn: suporte
> > > homeDirectory: /dev/null
> > > objectClass: top
> > > objectClass: sambaSamAccount
> > > objectClass: posixAccount
> > > objectClass: account
> > >
> > > It joins the samba domain without problem.
> > >
> > > Does anyone know why it doesn't create sambaSamAccount?
> > > Does a machine account need inetOrgPerson?
> > >
> > > Thanks
> >
>
> --
> Fernando Ribeiro - GPG-KEY: 0x8D7255F4
> Linux Counter: #273768 - ICQ: 175630330
> LPIC-2 - Advanced Linux
> Death the graph! Death the mouse
> Death patents! Death closed standards!
> http://www.nerdgroup.org
> http://musb.nerdgroup.org
> --------------------------------------
> "Great minds discuss ideas;
> Average minds discuss events;
> Small minds discuss people."
> --------------------------------------
> "A mind that opens to a new idea
> never returns to its original size."
> Albert Einstein
--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668
Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
OpenLDAP by Example, ISBN: 0131488732
Other books in production.
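The failure in the log above, modelled as an added example (this is not code from the thread or from Samba/nss_ldap). smbd runs `add machine script`, then resolves the new account with Get_Pwnam(), i.e. through NSS; nss_ldap only answers getpwnam() from entries under the `nss_base_passwd` base and scope in ldap.conf. The posted `ou=Usuarios,...?one` cannot return an entry created under ou=Computadores, which is exactly what John's change to `dc=unimix,dc=com,dc=br?sub` fixes. The machine DN is the one quoted in the thread; the user DN is constructed, and treating a missing scope as `sub` is an assumption.

```python
"""Why Get_Pwnam() could not see uid=suporte$ (added example, not from the thread).

smbd resolves the machine account that `add machine script` just created
through NSS, and nss_ldap answers getpwnam() only from entries under the
`nss_base_passwd` base/scope.  This models that search-base test locally,
with the DNs quoted in the thread; the user DN is constructed.
"""


def dn_rdns(dn):
    """DN -> list of lowercased RDNs, outermost last.  Assumes no escaped
    commas or multi-valued RDNs, which holds for the DNs in the thread."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(entry_dn, nss_base):
    """True if a search with nss_ldap's `base?scope` would return entry_dn.
    Scopes as in RFC 4511: base = that entry only, one = direct children
    only, sub = the base and everything beneath it.  A missing scope is
    treated as sub (assumed default)."""
    base, _, scope = nss_base.partition("?")
    scope = (scope or "sub").lower()
    entry, base_rdns = dn_rdns(entry_dn), dn_rdns(base)
    if len(entry) < len(base_rdns) or entry[-len(base_rdns):] != base_rdns:
        return False                         # not beneath the base at all
    depth = len(entry) - len(base_rdns)
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError(f"unknown scope: {scope!r}")


MACHINE_DN = "uid=suporte$,ou=Computadores,dc=unimix,dc=com,dc=br"   # from the thread
USER_DN = "uid=fernando.ribeiro,ou=Usuarios,dc=unimix,dc=com,dc=br"  # constructed

POSTED = {   # ldap.conf as posted
    "nss_base_passwd": "ou=Usuarios,dc=unimix,dc=com,dc=br?one",
    "nss_base_shadow": "ou=Usuarios,dc=unimix,dc=com,dc=br?one",
    "nss_base_group": "ou=Grupos,dc=unimix,dc=com,dc=br?one",
}
FIXED = {    # John T.'s suggested change
    "nss_base_passwd": "dc=unimix,dc=com,dc=br?sub",
    "nss_base_shadow": "dc=unimix,dc=com,dc=br?sub",
    "nss_base_group": "ou=Grupos,dc=unimix,dc=com,dc=br?one",
}


def getpwnam_would_succeed(entry_dn, ldap_conf):
    """Mirror of the Get_Pwnam() step in the log: the entry must be in the passwd map."""
    return in_scope(entry_dn, ldap_conf["nss_base_passwd"])


if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("fixed", FIXED)):
        for dn in (MACHINE_DN, USER_DN):
            state = "found" if getpwnam_would_succeed(dn, conf) else "NOT found"
            print(f"{name:6} {dn}: {state}")
```

The log shows smbd giving up at Get_Pwnam(), before the step that would have written the Samba attributes, which matches the entry being left with only inetOrgPerson/posixAccount. Two things to keep in mind when widening the base to `?sub`: every entry carrying posixAccount anywhere under the suffix now becomes a Unix account (here that is the intent, since the machine accounts must be real POSIX users), so write access to the tree is effectively account creation; and the group base can stay at `?one` as John left it.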
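A separate point a practitioner should check in the quoted slapd.conf, as an added example that is not part of the thread: the ACL on userPassword/sambaLMPassword/sambaNTPassword ends in `by * read`. OpenLDAP uses the first `access to` directive whose target matches and, within it, the first `by` clause that matches the bound identity; an authenticated user who is not the entry itself matches neither `self` nor `anonymous` and so reaches `by * read`, which lets any domain user with an LDAP bind read everyone's LM/NT hashes (password equivalents in NTLM). The evaluator below implements only the ACL subset the thread uses (targets `*` and `attrs=...`; identities `self`, `anonymous`, `users`, `*`); it does not model rootdn, `dn.*` selectors, filters or the `disclose` level. The "other user" bind DN is constructed; the hardened ACL is my suggestion, not the thread's.

```python
"""Who can read password hashes under the posted slapd.conf ACL (added example).

Implements the OpenLDAP ACL subset used in the thread: first matching
`access to` directive wins; inside it the first matching `by` clause
decides; an identity that matches no `by` gets 'none'.
"""

LEVELS = ["none", "auth", "compare", "search", "read", "write"]


def parse_acl(text):
    """Return [(what, [(who, level), ...]), ...]; one directive/clause per line."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[:2] == ["access", "to"] and len(parts) == 3:
            rules.append((parts[2], []))
        elif parts[0] == "by" and len(parts) == 3 and rules:
            rules[-1][1].append((parts[1], parts[2]))
        else:
            raise ValueError(f"unsupported ACL line: {line!r}")
    return rules


def target_matches(what, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in [a.lower() for a in what[6:].split(",")]
    raise ValueError(f"unsupported target: {what!r}")


def who_matches(who, bind_dn, entry_dn):
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn == ""
    if who == "users":
        return bind_dn != ""
    if who == "self":
        return bind_dn != "" and bind_dn.lower() == entry_dn.lower()
    raise ValueError(f"unsupported who: {who!r}")


def granted_level(rules, bind_dn, entry_dn, attr):
    """Access level bind_dn gets on entry_dn's attr ('' bind_dn = anonymous)."""
    for what, bys in rules:
        if target_matches(what, attr):
            for who, level in bys:
                if who_matches(who, bind_dn, entry_dn):
                    return level
            return "none"          # OpenLDAP's implicit trailing `by * none`
    return "none"


def can_read(rules, bind_dn, entry_dn, attr):
    return LEVELS.index(granted_level(rules, bind_dn, entry_dn, attr)) >= LEVELS.index("read")


POSTED_ACL = """
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by anonymous auth
    by * read
access to *
    by * read
"""

# Same ACL with the catch-all on the hash attributes closed.  Samba keeps
# working in the posted setup because `ldap admin dn` is the rootdn, which
# bypasses ACLs; a non-root Samba bind DN would need its own
# `by dn="..." write` clause (not parsed by this evaluator).
HARDENED_ACL = """
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
    by self write
    by anonymous auth
    by * none
access to *
    by * read
"""

MACHINE_DN = "uid=suporte$,ou=Computadores,dc=unimix,dc=com,dc=br"  # from the thread
OTHER_DN = "uid=alice,ou=Usuarios,dc=unimix,dc=com,dc=br"           # constructed bind DN


def nt_hash_readers(acl_text, target_dn):
    """Which of three identities may read target_dn's sambaNTPassword."""
    rules = parse_acl(acl_text)
    return {
        "anonymous": can_read(rules, "", target_dn, "sambaNTPassword"),
        "self": can_read(rules, target_dn, target_dn, "sambaNTPassword"),
        "other user": can_read(rules, OTHER_DN, target_dn, "sambaNTPassword"),
    }


if __name__ == "__main__":
    for name, acl in (("posted", POSTED_ACL), ("hardened", HARDENED_ACL)):
        print(f"{name:9}", nt_hash_readers(acl, MACHINE_DN))
```

Anonymous binds are already limited to `auth` by the second clause, so the exposure is to authenticated users only; with a domain of ordinary users that is still every account's NT hash. Order matters in the other direction too: the `attrs=` directive must stay before `access to *`, otherwise the catch-all `by * read` would be the first match for the hash attributes regardless of what follows.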