[Samba] Re: [idx-smbldap-tools ] smbldap-tools and joining workstation to domain

Rhys Goodwin rhys.goodwin at gmail.com
Mon Jun 6 07:28:40 GMT 2005


The script only adds the posix stuff; when you join the workstation the
sambaSam entries are created by samba.
BUT...
Samba NEEDS to find a posix account with the name of the machine being
joined. How are you doing user lookups on your posix side?
If you use nss_ldap and you have a separate ou in your directory for users
and computers, that could be where your problem is.
i.e. if nss_ldap is set to look in "ou=users,dc=test,dc=com" for its posix
userbase, then if you do:
:~# getent passwd
it will return only users it finds in that ou. So if your add machine
script is creating "users" (machine accounts) in ou=computers,dc=test,dc=com,
then as far as posix is concerned there is no posix account for the new
machine. Samba will not find a posix account, will not add the sambaSam
entries, and the join will fail. You have 2 options:
1. Add your user accounts and computer accounts to the same ou.
2. Tell nss_ldap to do subtree searches of the parent ou, e.g. set your base
to "dc=test,dc=com" rather than "ou=users,dc=test,dc=com".
This is how I understand it anyhow, I might be wrong, I'm no samba pro but I
went for option 2.
If anyone can shed some more light on this or set me straight if I'm
wrong, please do.
Cheers,
Rhys
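
The two options above come down to one question: does the computer account's DN fall inside the base and scope that nss_ldap searches for passwd entries? The shell script below is an added example, not code from this thread or from smbldap-tools. It encodes that check for the three LDAP scopes and parses an nss_ldap `nss_base_passwd` value of the form `base?scope[?filter]`; the DNs and ldap.conf values are constructed for illustration, and the `getent`-based function at the end needs a live NSS configuration, so only the offline scope logic is exercised here.

```shell
#!/bin/sh
# Added example: predict whether nss_ldap will see a machine account, given the
# passwd search base and scope. All DNs and settings below are constructed.

# normalize_dn DN: strip spaces around commas and at both ends, lowercase.
# (Escaped commas inside attribute values are not handled; machine and user
# DNs from smbldap-tools never contain them.)
normalize_dn() {
  printf '%s' "$1" | sed 's/ *, */,/g; s/^ *//; s/ *$//' | tr 'A-Z' 'a-z'
}

# dn_in_scope DN BASE SCOPE
# Returns 0 when an LDAP search rooted at BASE with SCOPE (base|one|sub)
# would return the entry DN, 1 when it would not, 2 on an unknown scope.
dn_in_scope() {
  dn=$(normalize_dn "$1")
  base=$(normalize_dn "$2")
  case "$3" in
    base)
      [ "$dn" = "$base" ] && return 0
      return 1 ;;
    one)
      # one-level: the entry's parent (DN minus its first RDN) must be the base
      [ "${dn#*,}" = "$base" ] && return 0
      return 1 ;;
    sub)
      # subtree: the base itself, or any DN that ends in ",<base>"
      case "$dn" in
        "$base" | *",$base") return 0 ;;
      esac
      return 1 ;;
    *)
      return 2 ;;
  esac
}

# nss_base_of VALUE: the base part of an nss_base_passwd value "base?scope?filter".
nss_base_of() {
  printf '%s' "${1%%\?*}"
}

# nss_scope_of VALUE: the scope part of "base?scope?filter"; a bare base falls
# back to nss_ldap's default scope, sub.
nss_scope_of() {
  rest=${1#*\?}                       # drop "base?"
  [ "$rest" = "$1" ] && { printf 'sub'; return; }
  printf '%s' "${rest%%\?*}"          # drop any "?filter" after the scope
}

# machine_visible_to_nss MACHINE_DN NSS_BASE_PASSWD_VALUE
machine_visible_to_nss() {
  dn_in_scope "$1" "$(nss_base_of "$2")" "$(nss_scope_of "$2")"
}

# posix_account_exists NAME: the lookup Samba depends on before it can fill in
# the sambaSamAccount attributes at join time; the trailing "$" is part of the
# account name. Needs a live NSS setup, so it is not exercised offline.
posix_account_exists() {
  getent passwd "$1\$" >/dev/null 2>&1
}

# Demo: a machine account under ou=Computers against three nss_base_passwd
# settings (the "users only" setting from the reply, then both fixes).
machine='uid=testmasin$,ou=Computers,dc=test,dc=com'
for setting in 'ou=users,dc=test,dc=com?one' 'dc=test,dc=com?sub' 'dc=test,dc=com'; do
  if machine_visible_to_nss "$machine" "$setting"; then
    printf 'nss_base_passwd %s -> machine visible to posix, join can proceed\n' "$setting"
  else
    printf 'nss_base_passwd %s -> machine NOT visible to posix, join will fail\n' "$setting"
  fi
done
```

Option 1 from the reply corresponds to the `one` branch with both account types under the same ou; option 2 is the `sub` branch with the base raised to the parent. Running `posix_account_exists testmasin` on the Samba server after changing ldap.conf confirms the fix the way Samba itself will see it.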


 On 6/6/05, Andres Toomsalu <andres at active.ee> wrote: 
> 
> Tim Verhoeven wrote:
> 
> >On 6/4/05, Andres Toomsalu <andres at active.ee> wrote:
> >
> >
> >>I've reported this before but I guess I'll have to do it again, since
> >>it's not fixed yet or I'm understanding something wrong here.
> >>
> >>The problem is that smbldap-useradd -w 'machinename' will add only
> >>posixAccount entries into ldap but it should add both posixAccount and
> >>sambaSAMAccount entries.
> >>
> >>So if one doesn't add correct machine account entries manually to ldap
> >>the windows workstation domain joining is impossible.
> >>
> >>
> >
> >In my experience the smbldap-useradd behaviour is correct. It will
> >only add the posixAccount part of a machine account. Then when you
> >actually join a machine to a domain Samba itself will modify the
> >machine account and add the sambaSAMAccount parts.
> >
> >For this to work you will of course also need to configure Samba so
> >that it has an ldap account that has the rights to update items in the ldap
> >tree.
> >
> >
> I just made fresh tests again with win xp pro sp2 and samba 3.0.14a +
> smbldap-tools 0.88 just to be sure nothing has changed meanwhile:
> 
> 1) I can't join XP workstation to domain when I don't have computer
> account in ldap - Error is "Access denied". As a result it makes computer
> account in ldap but only posixAccount part of it, as smbldap-useradd -w
> does it.
> 2) I can't join XP workstation to domain when I do have computer account
> in ldap - but only posixAccount entries, as smbldap-useradd -w '%u' makes
> them like that - Error is "Access denied".
> 3) I can join XP workstation to domain when I manually make correct
> computer account entries in ldap with phpldapadmin - then there are both
> posixAccount and sambaSamAccount entries present.
> 
> Here are copy-paste samples of computer accounts in my ldap - first
> sample is made with smbldap-useradd -w and second that actually works is
> made manually:
> 
> # Entry 1: uid=testmasin$,ou=Computers,dc=active,dc=ee
> dn: uid=testmasin$,ou=Computers,dc=active,dc=ee
> objectClass: top
> objectClass: inetOrgPerson
> objectClass: posixAccount
> cn: testmasin$
> sn: testmasin$
> uid: testmasin$
> uidNumber: 1016
> gidNumber: 515
> homeDirectory: /dev/null
> loginShell: /bin/false
> description: Computer
> gecos: Computer
> 
> 
> # Entry 1: uid=windesk$,ou=Computers,dc=active,dc=ee
> dn: uid=windesk$,ou=Computers,dc=active,dc=ee
> gidNumber: 515
> uidNumber: 3002
> uid: windesk$
> sambaSID: S-1-5-21-530076877-4031960640-1585896771-7004
> sambaAcctFlags: [W ]
> cn: windesk
> homeDirectory: /dev/null
> objectClass: top
> objectClass: sambaSamAccount
> objectClass: posixAccount
> objectClass: account
> sambaPwdMustChange: 2147483647
> sambaPwdCanChange: 1118035851
> sambaNTPassword: D8B4AEB073153BADC4CD6DE75CF1BFB0
> sambaPwdLastSet: 1118035851
> 
> 
> 
> So joining XP workstations to domain with smbldap-tools doesn't work for
> me. I still think there is a bug in smbldap-useradd script that it won't
> add sambaSamAccount entries when invoked as "smbldap-useradd -w '%u'".
> 
> I don't think sambaSamAccount entries are being added during domain
> joining procedure because for domain joining samba uses the very same
> "smbldap-useradd -w '%u'" command - which doesn't add any
> sambaSamAccount entries.
> 
> >
> >
> >
> >>The Samba Openldap howto clearly documents that smbldap-useradd -w
> >>'workstation' should produce the following entries in ldap:
> >>
> >>dn: uid=testhost3$,ou=Computers,dc=IDEALX,dc=ORG
> >>objectClass: top
> >>objectClass: posixAccount
> >>objectClass: sambaSAMAccount
> >>cn: testhost3$
> >>gidNumber: 553
> >>homeDirectory: /dev/null
> >>loginShell: /bin/false
> >>uid: testhost3$
> >>uidNumber: 1005
> >>sambaPwdLastSet: 0
> >>sambaLogonTime: 0
> >>sambaLogoffTime: 2147483647
> >>sambaKickoffTime: 2147483647
> >>sambaPwdCanChange: 0
> >>sambaPwdMustChange: 2147483647
> >>description: Computer Account
> >>rid: 0
> >>primaryGroupID: 0
> >>lmPassword: 7582BF7F733351347D485E46C8E6306E
> >>ntPassword: 7582BF7F733351347D485E46C8E6306E
> >>acctFlags: [W ]
> >>
> >>
> >
> >So my guess is that this is a bug in the documentation and not in the code.
> >
> >Kind regards,
> >Tim
> >
> >
> >
> 
> 
> --
> ----------------------------------------------
> Andres Toomsalu, andres at active.ee
> juhataja - general manager, OÜ Active Systems
> Lille 4-205, Pärnu 80041, phone +372 44 70 595
> GSM +372 56 496 124, IM: frame at jabber.org
> http://www.active.ee
> 