[Samba] smbldap-tools and joining workstation to domain
Andres Toomsalu
andres at active.ee
Sat Jun 4 16:24:06 GMT 2005
Hi,
I've reported this before but I guess I'll have to do it again, since
it's not fixed yet or I'm understanding something wrong here.
The problem is that smbldap-useradd -w 'machinename' will add only
posixAccount entries into LDAP, but it should add both posixAccount and
sambaSAMAccount entries.
So if one doesn't add the correct machine account entries manually to LDAP,
joining the Windows workstation to the domain is impossible.
The Samba OpenLDAP howto clearly documents that smbldap-useradd -w
'workstation' should produce the following entries in LDAP:
dn: uid=testhost3$,ou=Computers,dc=IDEALX,dc=ORG
objectClass: top
objectClass: posixAccount
objectClass: sambaSAMAccount
cn: testhost3$
gidNumber: 553
homeDirectory: /dev/null
loginShell: /bin/false
uid: testhost3$
uidNumber: 1005
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
description: Computer Account
rid: 0
primaryGroupID: 0
lmPassword: 7582BF7F733351347D485E46C8E6306E
ntPassword: 7582BF7F733351347D485E46C8E6306E
acctFlags: [W ]
Looking at the smbldap-useradd script code I can see that sambaSAMAccount
entries are only added when the -i switch is used (trusted workstation account).
----------- CODE SNIP --------------------
# MACHINE ACCOUNT
if (defined($Options{'w'}) or defined($Options{'i'})) {
    #print "About to create machine $userName:\n";
    if (!add_posix_machine
        ($userName,$userUidNumber,$userGidNumber,$Options{'t'})) {
        die "$0: error while adding posix account\n";
    }
    if (defined($Options{'i'})) {
        # For machine trust account
        # Objectclass sambaSAMAccount must be added now !
        my $pass;
        my $pass2;
        system "stty -echo";
        print "New password : ";
        chomp($pass=<STDIN>);
        print "\n";
        system "stty echo";
        system "stty -echo";
        print "Retype new password : ";
        chomp($pass2=<STDIN>);
        print "\n";
        system "stty echo";
        if ($pass ne $pass2) {
            print "New passwords don't match!\n";
            exit (10);
        }
        my ($lmpassword,$ntpassword) = ntlmgen $pass;
        my $date=time;
        my $modify = $ldap_master->modify (
            "uid=$userName,$config{computersdn}",
            changes => [
                replace => [objectClass => ['inetOrgPerson', 'posixAccount',
                                            'sambaSAMAccount']],
                add => [sambaLogonTime => '0'],
                add => [sambaLogoffTime => '2147483647'],
                add => [sambaKickoffTime => '2147483647'],
                add => [sambaPwdCanChange => '0'],
                add => [sambaPwdMustChange => '2147483647'],
                add => [sambaPwdLastSet => "$date"],
                add => [sambaAcctFlags => '[I ]'],
                add => [sambaLMPassword => "$lmpassword"],
                add => [sambaNTPassword => "$ntpassword"],
                add => [sambaSID => "$user_sid"],
                add => [sambaPrimaryGroupSID => "$config{SID}-515"]
            ]
        );
        $modify->code && die "failed to add entry: ", $modify->error ;
    }
    $ldap_master->unbind;
    exit 0;
}
----------- CODE SNIP END ------------------
So what's the deal: a misleading howto document, a bug in the smbldap-useradd
script, or am I getting something wrong here?
Cheers,
--
----------------------------------------------
Andres Toomsalu, andres at active.ee
juhataja - general manager, OÜ Active Systems
Lille 4-205, Pärnu 80041, phone +372 44 70 595
GSM +372 56 496 124, IM: frame at jabber.org
http://www.active.ee
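As an added example (not from the post, the howto, or smbldap-tools itself): the Python script below audits an LDIF export of ou=Computers for machine accounts that, as described in the post, carry only posixAccount, and emits an ldapmodify LDIF that adds the sambaSAMAccount objectClass together with the attributes the quoted -i code path sets (sambaSID, sambaPrimaryGroupSID as domain SID-515, sambaAcctFlags with the W flag). Everything in it is an assumption for illustration: the domain SID S-1-5-21-1-2-3, the dc=example,dc=org suffix and the three sample entries are constructed; the RID derivation 2*uidNumber+1000 follows the algorithmic mapping smbldap-tools uses and must match your own idmap configuration; the LM/NT hashes are deliberately omitted because a -w workstation account receives them from the workstation at join time.

```python
"""Audit Samba machine trust accounts in a plain LDIF dump (added example,
not part of the original post or of smbldap-tools)."""
from __future__ import annotations

import base64

# Hypothetical domain SID used throughout the constructed sample.
DOMAIN_SID = "S-1-5-21-1-2-3"

# What a workstation trust account must carry, per the -i code path quoted
# in the post.  Password hashes are left out: a -w account gets them at join.
REQUIRED_OBJECTCLASSES = {"posixAccount", "sambaSAMAccount"}
REQUIRED_SAMBA_ATTRS = ("sambaSID", "sambaPrimaryGroupSID", "sambaAcctFlags")

# Constructed sample dump: wks1$ is complete, wks2$ is what the post says
# `smbldap-useradd -w` produces (posixAccount only), alice is a normal user.
SAMPLE_LDIF = """\
dn: uid=wks1$,ou=Computers,dc=example,dc=org
objectClass: top
objectClass: posixAccount
objectClass: sambaSAMAccount
uid: wks1$
cn: wks1$
uidNumber: 1005
gidNumber: 553
homeDirectory: /dev/null
loginShell: /bin/false
sambaSID: S-1-5-21-1-2-3-3010
sambaPrimaryGroupSID: S-1-5-21-1-2-3-515
sambaAcctFlags: [W          ]

dn: uid=wks2$,ou=Computers,dc=example,dc=org
objectClass: top
objectClass: posixAccount
uid: wks2$
cn: wks2$
uidNumber: 1006
gidNumber: 553
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer Account

dn: uid=alice,ou=Users,dc=example,dc=org
objectClass: top
objectClass: posixAccount
objectClass: sambaSAMAccount
uid: alice
uidNumber: 1001
gidNumber: 513
homeDirectory: /home/alice
"""


def _unfold(text: str) -> list[str]:
    """Join LDIF continuation lines (a line starting with one space)."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Parse an LDIF dump into a list of {attribute: [values]} maps."""
    entries: list[dict[str, list[str]]] = []
    entry: dict[str, list[str]] = {}
    for line in _unfold(text):
        if not line.strip():  # blank line terminates an entry
            if entry:
                entries.append(entry)
                entry = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode()
        entry.setdefault(attr.strip(), []).append(value.strip())
    if entry:
        entries.append(entry)
    return entries


def is_machine_account(entry: dict[str, list[str]]) -> bool:
    """Machine trust accounts are the entries whose uid ends in '$'."""
    return any(u.endswith("$") for u in entry.get("uid", []))


def audit_machine_account(entry: dict[str, list[str]], domain_sid: str) -> list[str]:
    """Return the problems that would block a domain join; empty means OK."""
    problems: list[str] = []
    for oc in sorted(REQUIRED_OBJECTCLASSES - set(entry.get("objectClass", []))):
        problems.append(f"missing objectClass {oc}")
    for attr in REQUIRED_SAMBA_ATTRS:
        if attr not in entry:
            problems.append(f"missing attribute {attr}")
    for flags in entry.get("sambaAcctFlags", []):
        if "W" not in flags:
            problems.append(f"sambaAcctFlags {flags!r} lacks the W (workstation) flag")
    for sid in entry.get("sambaSID", []):
        if not sid.startswith(domain_sid + "-"):
            problems.append(f"sambaSID {sid} is not in domain {domain_sid}")
    return problems


def fix_ldif(entry: dict[str, list[str]], domain_sid: str) -> str:
    """Build an ldapmodify LDIF adding what the audit found missing.

    RID = 2 * uidNumber + 1000 is smbldap-tools' algorithmic user mapping
    (assumption: your idmap uses the same scheme; verify before applying).
    """
    rid = 2 * int(entry["uidNumber"][0]) + 1000
    wanted = {
        "sambaSID": f"{domain_sid}-{rid}",
        "sambaPrimaryGroupSID": f"{domain_sid}-515",  # RID 515 = Domain Computers
        "sambaAcctFlags": "[W          ]",            # smbpasswd-style padding
    }
    changes = [f"dn: {entry['dn'][0]}", "changetype: modify"]
    if "sambaSAMAccount" not in entry.get("objectClass", []):
        changes += ["add: objectClass", "objectClass: sambaSAMAccount", "-"]
    for attr, value in wanted.items():
        if attr not in entry:
            changes += [f"add: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(changes) + "\n"


def audit_dump(text: str, domain_sid: str) -> dict[str, list[str]]:
    """Map every machine account DN in the dump to its list of problems."""
    return {e["dn"][0]: audit_machine_account(e, domain_sid)
            for e in parse_ldif(text) if is_machine_account(e)}


if __name__ == "__main__":
    for dn, problems in audit_dump(SAMPLE_LDIF, DOMAIN_SID).items():
        print(dn, "->", "OK" if not problems else "; ".join(problems))
    for e in parse_ldif(SAMPLE_LDIF):
        if is_machine_account(e) and audit_machine_account(e, DOMAIN_SID):
            print(fix_ldif(e, DOMAIN_SID))
```

Run it against real data by feeding the output of `ldapsearch -x -LLL -b ou=Computers,dc=... '(uid=*$)'` to parse_ldif, and pipe fix_ldif's result into ldapmodify only after confirming that the derived sambaSID does not collide with one already present in the directory.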