[Samba] smbldap-tools and joining workstation to domain
Stéphane Purnelle
stephane.purnelle at tiscali.be
Sat Jun 4 17:25:42 GMT 2005
Hi,
With samba-3.0, smbldap-tools must add only posixAccount; it's Samba
which adds the Samba attributes to LDAP.
NOTE: what is the ldap filter parameter in smb.conf?
At samba.idealx.org, you must use the howto available here:
http://samba.idealx.org/smbldap-howto.fr.html
Andres Toomsalu wrote:
> Hi,
>
> I've reported this before but I guess I'll have to do it again, since
> it's not fixed yet or I'm understanding something wrong here.
>
> The problem is that smbldap-useradd -w 'machinename' will add only
> posixAccount entries into ldap but it should add both posixAccount and
> sambaSAMAccount entries.
>
> So if one doesn't add correct machine account entries manually to ldap
> the windows workstation domain joining is impossible.
>
> The Samba Openldap howto clearly documents that smbldap-useradd -w
> 'workstation' should produce the following entries in ldap:
>
> dn: uid=testhost3$,ou=Computers,dc=IDEALX,dc=ORG
> objectClass: top
> objectClass: posixAccount
> objectClass: sambaSAMAccount
> cn: testhost3$
> gidNumber: 553
> homeDirectory: /dev/null
> loginShell: /bin/false
> uid: testhost3$
> uidNumber: 1005
> sambaPwdLastSet: 0
> sambaLogonTime: 0
> sambaLogoffTime: 2147483647
> sambaKickoffTime: 2147483647
> sambaPwdCanChange: 0
> sambaPwdMustChange: 2147483647
> description: Computer Account
> rid: 0
> primaryGroupID: 0
> lmPassword: 7582BF7F733351347D485E46C8E6306E
> ntPassword: 7582BF7F733351347D485E46C8E6306E
> acctFlags: [W ]
>
>
> Looking at the smbldap-useradd script code I can see that sambaSAMAccount
> entries are only added when the -i switch is used (trusted workstation
> account).
>
> ----------- CODE SNIP --------------------
>
> # MACHINE ACCOUNT
> if (defined($Options{'w'}) or defined($Options{'i'})) {
>
>     #print "About to create machine $userName:\n";
>
>     if (!add_posix_machine($userName,$userUidNumber,$userGidNumber,$Options{'t'})) {
>         die "$0: error while adding posix account\n";
>     }
>
>     if (defined($Options{'i'})) {
>         # For machine trust account
>         # Objectclass sambaSAMAccount must be added now !
>         my $pass;
>         my $pass2;
>
>         system "stty -echo";
>         print "New password : ";
>         chomp($pass=<STDIN>);
>         print "\n";
>         system "stty echo";
>
>         system "stty -echo";
>         print "Retype new password : ";
>         chomp($pass2=<STDIN>);
>         print "\n";
>         system "stty echo";
>
>         if ($pass ne $pass2) {
>             print "New passwords don't match!\n";
>             exit (10);
>         }
>         my ($lmpassword,$ntpassword) = ntlmgen $pass;
>         my $date=time;
>         my $modify = $ldap_master->modify (
>             "uid=$userName,$config{computersdn}",
>             changes => [
>                 replace => [objectClass =>
>                     ['inetOrgPerson', 'posixAccount', 'sambaSAMAccount']],
>                 add => [sambaLogonTime => '0'],
>                 add => [sambaLogoffTime => '2147483647'],
>                 add => [sambaKickoffTime => '2147483647'],
>                 add => [sambaPwdCanChange => '0'],
>                 add => [sambaPwdMustChange => '2147483647'],
>                 add => [sambaPwdLastSet => "$date"],
>                 add => [sambaAcctFlags => '[I ]'],
>                 add => [sambaLMPassword => "$lmpassword"],
>                 add => [sambaNTPassword => "$ntpassword"],
>                 add => [sambaSID => "$user_sid"],
>                 add => [sambaPrimaryGroupSID => "$config{SID}-515"]
>             ]
>         );
>
>         $modify->code && die "failed to add entry: ", $modify->error ;
>     }
>
>     $ldap_master->unbind;
>     exit 0;
> }
>
> ----------- CODE SNIP END ------------------
>
> So what's the deal: a misleading howto document, a bug in the
> smbldap-useradd script, or am I getting something wrong here?
>
> Cheers,
>
--
Stéphane Purnelle <stephane.purnelle at tiscali.be>
Site Web : http://www.linuxplusvalue.be
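An added example (not from the thread or from smbldap-tools): a small Python audit that reads an LDIF export of the computers container and reports which machine accounts are posixAccount-only, as smbldap-useradd -w leaves them, and which already carry a usable sambaSamAccount. The sample entries, DNs and SID values are constructed; the check that sambaSamAccount requires sambaSID follows the Samba 3 LDAP schema.

```python
import re
from collections import defaultdict

# Constructed sample LDIF (not from the page): ws01$ as smbldap-useradd -w leaves it, ws02$ complete.
SAMPLE_LDIF = """\
dn: uid=ws01$,ou=Computers,dc=example,dc=org
objectClass: top
objectClass: posixAccount
uid: ws01$

dn: uid=ws02$,ou=Computers,dc=example,dc=org
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws02$
sambaSID: S-1-5-21-1-2-3-3012
sambaPrimaryGroupSID: S-1-5-21-1-2-3-515
sambaAcctFlags: [W          ]
"""

def parse_ldif(text):
    """Minimal LDIF parser -> {dn: {attr_lower: [values]}} (no folding or base64)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            attrs[attr.strip().lower()].append(value.strip())
        entries[attrs["dn"][0]] = attrs
    return entries

def check_machine_account(entry):
    """Classify one machine account: posix-only, complete, or broken (with reasons)."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "posixaccount" not in classes:
        problems.append("missing posixAccount")
    if not any(u.endswith("$") for u in entry.get("uid", [])):
        problems.append("uid must end with '$'")
    if "sambasamaccount" not in classes:
        return "posix-only", problems  # Samba adds the Samba attributes at join time
    if not entry.get("sambasid"):  # MUST attribute of sambaSamAccount
        problems.append("sambaSamAccount requires sambaSID")
    flags = "".join(entry.get("sambaacctflags", []))
    if "W" not in flags and "I" not in flags:
        problems.append("sambaAcctFlags lacks W (workstation) or I (interdomain)")
    return ("complete" if not problems else "broken"), problems

def audit(text):
    """Return {dn: (status, problems)} for every machine (uid=...$) entry."""
    return {dn: check_machine_account(e) for dn, e in parse_ldif(text).items()
            if re.match(r"uid=[^,]+\$,", dn, re.I)}
```

Feed it the output of an ldapsearch over the computers suffix to see which workstations still depend on Samba completing the entry at join time.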