[Samba] Re: [idx-smbldap-tools ] smbldap-tools and joining workstation to domain

Andres Toomsalu andres at active.ee
Mon Jun 6 05:23:25 GMT 2005

Tim Verhoeven wrote:

>On 6/4/05, Andres Toomsalu <andres at active.ee> wrote:
>>I've reported this before but I guess I'll have to do it again, since
>>it's not fixed yet or I'm understanding something wrong here.
>>The problem is that smbldap-useradd -w 'machinename' will add only
>>posixAccount entries into ldap but it should add both posixAccount and
>>sambaSAMAccount entries.
>>So if one doesn't add correct machine account entries manually to ldap
>>the windows workstation domain joining is impossible.
>In my experience the smbldap-useradd behaviour is correct. It will
>only add the posixAccount part of a machine account. Then when you
>actually join a machine to a domain Samba itself will modify the
>machine account and add the sambaSAMAccount parts.
>For this to work you will of course need also to configure Samba so that
>it has a ldap account that has the rights to update items in the ldap
I just made fresh tests again with win xp pro sp2 and samba 3.0.14a +
smbldap-tools 0.88 just to be sure nothing has changed meanwhile:

1) I can't join XP workstation to domain when I don't have computer
account in ldap - Error is "Access denied".  As a result it makes computer
account in ldap but only the posixAccount part of it, as smbldap-useradd -w
does it.
2) I can't join XP workstation to domain when I do have computer account
in ldap - but only posixAccount entries, as smbldap-useradd -w '%u' makes
them like that - Error is "Access denied".
3) I can join XP workstation to domain when I manually make correct
computer account entries in ldap with phpldapadmin - then there are both
posixAccount and sambaSamAccount entries present.

Here are copy-pasted samples of computer accounts in my ldap - the first
sample is made with smbldap-useradd -w and the second, which actually works, is
made manually:

# Entry 1: uid=testmasin$,ou=Computers,dc=active,dc=ee
dn: uid=testmasin$,ou=Computers,dc=active,dc=ee
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
cn: testmasin$
sn: testmasin$
uid: testmasin$
uidNumber: 1016
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer

# Entry 2: uid=windesk$,ou=Computers,dc=active,dc=ee
dn: uid=windesk$,ou=Computers,dc=active,dc=ee
gidNumber: 515
uidNumber: 3002
uid: windesk$
sambaSID: S-1-5-21-530076877-4031960640-1585896771-7004
sambaAcctFlags: [W          ]
cn: windesk
homeDirectory: /dev/null
objectClass: top
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: account
sambaPwdMustChange: 2147483647
sambaPwdCanChange: 1118035851
sambaNTPassword: D8B4AEB073153BADC4CD6DE75CF1BFB0
sambaPwdLastSet: 1118035851

So joining XP workstations to domain with smbldap-tools doesn't work for
me. I still think there is a bug in the smbldap-useradd script in that it won't
add sambaSamAccount entries when invoked as "smbldap-useradd -w '%u'".

I don't think sambaSamAccount entries are being added during the domain
joining procedure, because for domain joining samba uses the very same
"smbldap-useradd -w '%u'" command - which doesn't add any
sambaSamAccount entries.

>>The Samba Openldap howto clearly documents that smbldap-useradd -w
>>'workstation' should produce the following entries in ldap:
>>dn: uid=testhost3$,ou=Computers,dc=IDEALX,dc=ORG
>>objectClass: top
>>objectClass: posixAccount
>>objectClass: sambaSAMAccount
>>cn: testhost3$
>>gidNumber: 553
>>homeDirectory: /dev/null
>>loginShell: /bin/false
>>uid: testhost3$
>>uidNumber: 1005
>>sambaPwdLastSet: 0
>>sambaLogonTime: 0
>>sambaLogoffTime: 2147483647
>>sambaKickoffTime: 2147483647
>>sambaPwdCanChange: 0
>>sambaPwdMustChange: 2147483647
>>description: Computer Account
>>rid: 0
>>primaryGroupID: 0
>>lmPassword: 7582BF7F733351347D485E46C8E6306E
>>ntPassword: 7582BF7F733351347D485E46C8E6306E
>>acctFlags: [W          ]
>So my guess is that this is a bug in the documentation and not in the code.
>Kind regards,

Andres Toomsalu, andres at active.ee
juhataja - general manager, OÜ Active Systems
Lille 4-205, Pärnu 80041, phone +372 44 70 595
GSM +372 56 496 124, IM: frame at jabber.org
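Added example (not from the thread above, nor from smbldap-tools or Samba): a small Python check that reads an LDIF export of ou=Computers and reports which machine-account entries lack the pieces the working entry in the post carries. The list of required object classes and attributes (posixAccount plus sambaSamAccount; uid ending in '$'; sambaSID; sambaAcctFlags containing W; a 32-hex-digit sambaNTPassword) is this example's assumption, derived from comparing the two entries posted above, not a rule stated by the Samba project. The embedded LDIF is a constructed copy of those two entries.

```python
"""Report machine-account entries that are missing what a Samba 3
domain join needs.  Added example, not part of the original thread,
smbldap-tools or Samba.  The required classes/attributes below are an
assumption drawn from the working entry posted in the thread."""

import re

# Constructed sample input: the two computer accounts from the thread,
# as an LDIF export would print them (comment lines, blank-line separators).
SAMPLE_LDIF = """\
# Entry 1: uid=testmasin$,ou=Computers,dc=active,dc=ee
dn: uid=testmasin$,ou=Computers,dc=active,dc=ee
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
cn: testmasin$
sn: testmasin$
uid: testmasin$
uidNumber: 1016
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer

# Entry 2: uid=windesk$,ou=Computers,dc=active,dc=ee
dn: uid=windesk$,ou=Computers,dc=active,dc=ee
gidNumber: 515
uidNumber: 3002
uid: windesk$
sambaSID: S-1-5-21-530076877-4031960640-1585896771-7004
sambaAcctFlags: [W          ]
cn: windesk
homeDirectory: /dev/null
objectClass: top
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: account
sambaPwdMustChange: 2147483647
sambaPwdCanChange: 1118035851
sambaNTPassword: D8B4AEB073153BADC4CD6DE75CF1BFB0
sambaPwdLastSet: 1118035851
"""

# Assumed requirements for a joinable machine account (see lead-in).
REQUIRED_CLASSES = ("posixAccount", "sambaSamAccount")
REQUIRED_ATTRS = ("uid", "uidNumber", "gidNumber",
                  "sambaSID", "sambaAcctFlags", "sambaNTPassword")


def parse_ldif(text):
    """Minimal LDIF parser: {dn: {attribute_lowercase: [values]}}.
    Handles '#' comments, blank-line entry separators and leading-space
    continuation lines.  Base64 ('::') values are not handled because
    none of the attributes we check are ever exported that way here."""
    entries = {}
    current = None
    last_attr = None
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":                     # end of the current entry
            current, last_attr = None, None
            continue
        if raw.startswith(" ") and current is not None and last_attr:
            current[last_attr][-1] += raw[1:]   # folded continuation line
            continue
        attr, _, value = raw.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
            last_attr = None
        elif current is not None:
            current.setdefault(attr, []).append(value)
            last_attr = attr
    return entries


def check_machine_account(entry):
    """Return a list of problems; an empty list means the entry carries
    everything the working entry in the thread has."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    for cls in REQUIRED_CLASSES:
        if cls.lower() not in classes:
            problems.append(f"missing objectClass {cls}")
    for attr in REQUIRED_ATTRS:
        if attr.lower() not in entry:
            problems.append(f"missing attribute {attr}")
    uid = entry.get("uid", [""])[0]
    if not uid.endswith("$"):
        problems.append("uid does not end with '$' (not a machine account)")
    flags = entry.get("sambaacctflags", [""])[0]
    if flags and "W" not in flags:
        problems.append(f"sambaAcctFlags {flags!r} lacks W (workstation trust)")
    nthash = entry.get("sambantpassword", [""])[0]
    if nthash and not re.fullmatch(r"[0-9A-Fa-f]{32}", nthash):
        problems.append("sambaNTPassword is not a 32-hex-digit NT hash")
    return problems


def check_ldif(text):
    """Map every dn in the LDIF text to its list of problems."""
    return {dn: check_machine_account(e) for dn, e in parse_ldif(text).items()}


if __name__ == "__main__":
    for dn, problems in check_ldif(SAMPLE_LDIF).items():
        print(dn, "OK" if not problems else "")
        for p in problems:
            print("   -", p)
```

Run it against a real export (`ldapsearch -x -b ou=Computers,dc=active,dc=ee > computers.ldif`, then feed the file's text to `check_ldif`) to see which accounts created by `smbldap-useradd -w` are still posixAccount-only, which is exactly the difference between the two entries in the post.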

