RE [Samba] Re: [idx-smbldap-tools ] smbldap-tools and joining workstation to domain

spu at corman.be
Mon Jun 6 10:37:59 GMT 2005


Hi,

There is another parameter which causes adding the machine account to fail:
the ldap filter parameter. If the ldap filter contains the filter
(&(uid=%u)(objectclass=sambaSamAccount))
samba does not add the machine account correctly.

-----------------------------------
Stéphane PURNELLE                         stephane.purnelle at corman.be
Service Informatique       Corman S.A.           Tel : 00 32 087/342467

samba-bounces+stephane.purnelle=corman.be at lists.samba.org wrote on
06/06/2005 09:28:40:

> The script only adds the posix stuff, when you join the workstation the
> sambaSam entries are created by samba.
> BUT...
> Samba NEEDS to find a posix account with the name of the machine being
> joined. How are you doing user lookups on your posix side?
> If you use nss_ldap and you have a separate ou in your directory for users
> and computers that could be where your problem is.
> i.e. if nss_ldap is set to look in "ou=users,dc=test,dc=com" for its posix
> userbase then if you do:
> :~# getent passwd
> then it will return only users it finds in that ou. So if your add machine
> script is creating "users" (machine accounts) in ou=computers,dc=test,dc=com
> then as far as posix is concerned there is no posix account for the new
> machine. Samba will not find a posix account and will not add the sambaSam
> entries and the join will fail. You have 2 options:
> 1. Add your user accounts and computer accounts to the same ou.
> 2. Tell nss_ldap to do sub tree searches of the parent ou. e.g. set your
> base to "dc=test,dc=com" rather than "ou=users,dc=test,dc=com"
> This is how I understand it anyhow, I might be wrong, I'm no samba pro but I
> went for option 2.
> If anyone can shed some more light on this or set me straight if I'm
> wrong, please do.
> Cheers,
> Rhys
>
>
>  On 6/6/05, Andres Toomsalu <andres at active.ee> wrote:
> >
> > Tim Verhoeven wrote:
> >
> > >On 6/4/05, Andres Toomsalu <andres at active.ee> wrote:
> > >
> > >
> > >>I've reported this before but I guess I'll have to do it again, since
> > >>it's not fixed yet or I'm understanding something wrong here.
> > >>
> > >>The problem is that smbldap-useradd -w 'machinename' will add only
> > >>posixAccount entries into ldap but it should add both posixAccount and
> > >>sambaSAMAccount entries.
> > >>
> > >>So if one doesn't add correct machine account entries manually to ldap
> > >>the windows workstation domain joining is impossible.
> > >>
> > >>
> > >
> > >In my experience the smbldap-useradd behaviour is correct. It will
> > >only add the posixAccount part of a machine account. Then when you
> > >actually join a machine to a domain Samba itself will modify the
> > >machine account and add the sambaSAMAccount parts.
> > >
> > >For this to work you will of course also need to configure Samba so that
> > >it has an ldap account that has the rights to update items in the ldap
> > >tree.
> > >
> > >
> > I just made fresh tests again with win xp pro sp2 and samba 3.0.14a +
> > smbldap-tools 0.88 just to be sure nothing has changed meanwhile:
> >
> > 1) I can't join XP workstation to domain when I don't have computer
> > account in ldap - Error is "Access denied". In result it makes computer
> > account in ldap but only posixAccount part of it as smbldap-useradd -w
> > does it.
> > 2) I can't join XP workstation to domain when I do have computer account
> > in ldap - but only posixAccount entries as smbldap-useradd -w '%u' makes
> > them like that - Error is "Access denied".
> > 3) I can join XP workstation to domain when I manually make correct
> > computer account entries in ldap with phpldapadmin - then there are both
> > posixAccount and sambaSamAccount entries present.
> >
> > Here are copy-paste samples of computer accounts in my ldap - first
> > sample is made with smbldap-useradd -w and second that actually works is
> > made manually:
> >
> > # Entry 1: uid=testmasin$,ou=Computers,dc=active,dc=ee
> > dn: uid=testmasin$,ou=Computers,dc=active,dc=ee
> > objectClass: top
> > objectClass: inetOrgPerson
> > objectClass: posixAccount
> > cn: testmasin$
> > sn: testmasin$
> > uid: testmasin$
> > uidNumber: 1016
> > gidNumber: 515
> > homeDirectory: /dev/null
> > loginShell: /bin/false
> > description: Computer
> > gecos: Computer
> >
> >
> > # Entry 1: uid=windesk$,ou=Computers,dc=active,dc=ee
> > dn: uid=windesk$,ou=Computers,dc=active,dc=ee
> > gidNumber: 515
> > uidNumber: 3002
> > uid: windesk$
> > sambaSID: S-1-5-21-530076877-4031960640-1585896771-7004
> > sambaAcctFlags: [W ]
> > cn: windesk
> > homeDirectory: /dev/null
> > objectClass: top
> > objectClass: sambaSamAccount
> > objectClass: posixAccount
> > objectClass: account
> > sambaPwdMustChange: 2147483647
> > sambaPwdCanChange: 1118035851
> > sambaNTPassword: D8B4AEB073153BADC4CD6DE75CF1BFB0
> > sambaPwdLastSet: 1118035851
> >
> >
> >
> > So joining XP workstations to domain with smbldap-tools doesn't work for
> > me. I still think there is a bug in smbldap-useradd script that it won't
> > add sambaSamAccount entries when invoked as "smbldap-useradd -w '%u'".
> >
> > I don't think sambaSamAccount entries are being added during domain
> > joining procedure because for domain joining samba uses the very same
> > "smbldap-useradd -w '%u'" command - which doesn't add any
> > sambaSamAccount entries.
> >
> > >
> > >
> > >
> > >>The Samba Openldap howto clearly documents that smbldap-useradd -w
> > >>'workstation' should produce the following entries in ldap:
> > >>
> > >>dn: uid=testhost3$,ou=Computers,dc=IDEALX,dc=ORG
> > >>objectClass: top
> > >>objectClass: posixAccount
> > >>objectClass: sambaSAMAccount
> > >>cn: testhost3$
> > >>gidNumber: 553
> > >>homeDirectory: /dev/null
> > >>loginShell: /bin/false
> > >>uid: testhost3$
> > >>uidNumber: 1005
> > >>sambaPwdLastSet: 0
> > >>sambaLogonTime: 0
> > >>sambaLogoffTime: 2147483647
> > >>sambaKickoffTime: 2147483647
> > >>sambaPwdCanChange: 0
> > >>sambaPwdMustChange: 2147483647
> > >>description: Computer Account
> > >>rid: 0
> > >>primaryGroupID: 0
> > >>lmPassword: 7582BF7F733351347D485E46C8E6306E
> > >>ntPassword: 7582BF7F733351347D485E46C8E6306E
> > >>acctFlags: [W ]
> > >>
> > >>
> > >
> > >So my guess is that this is a bug in the documentation and not in the
> > >code.
> > >
> > >Kind regards,
> > >Tim
> > >
> > >
> > >
> >
> >
> > --
> > ----------------------------------------------
> > Andres Toomsalu, andres at active.ee
> > juhataja - general manager, OÜ Active Systems
> > Lille 4-205, Pärnu 80041, phone +372 44 70 595
> > GSM +372 56 496 124, IM: frame at jabber.org
> > http://www.active.ee
> >
> > --
> > To unsubscribe from this list go to the following URL and read the
> > instructions: https://lists.samba.org/mailman/listinfo/samba
> >
> --
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/listinfo/samba
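As an added example (not code from the thread, from Samba or from smbldap-tools), the Python below models the two lookup failures discussed above: the strict "ldap filter" requiring objectclass=sambaSamAccount, which a freshly created posixAccount-only machine entry cannot satisfy, and an nss_ldap base scoped to ou=Users that never sees ou=Computers. The filter evaluator is a simplified model handling only AND-of-equality filters, and the sample entries are trimmed from the LDIF posted in the thread.

```python
# Added example (not from the thread): models the two lookup failures it discusses.
import re

# Trimmed from the LDIF posted in the thread: the smbldap-useradd -w result
# (posixAccount only) and the hand-made entry that joined successfully.
POSIX_ONLY = """\
dn: uid=testmasin$,ou=Computers,dc=active,dc=ee
objectClass: posixAccount
uid: testmasin$
"""
FULL = """\
dn: uid=windesk$,ou=Computers,dc=active,dc=ee
objectClass: sambaSamAccount
objectClass: posixAccount
uid: windesk$
sambaAcctFlags: [W ]
"""
STRICT_FILTER = "(&(uid=%u)(objectclass=sambaSamAccount))"

def parse_ldif(text):
    """Parse one LDIF entry into {attribute_lowercased: [values]}."""
    entry = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
    return entry

def matches_filter(entry, ldap_filter, username):
    """Evaluate an AND-of-equality filter such as (&(uid=%u)(objectclass=X)) after
    substituting %u; names and values compare case-insensitively (simplified model)."""
    ldap_filter = ldap_filter.replace("%u", username)
    assertions = re.findall(r"\(([^()=]+)=([^()]*)\)", ldap_filter)
    return all(
        any(v.lower() == wanted.lower() for v in entry.get(attr.lower(), []))
        for attr, wanted in assertions
    )

def in_search_base(dn, base, scope):
    """Would a lookup with this base see dn? scope 'one' = direct children, 'sub' = subtree."""
    dn_parts = [p.strip().lower() for p in dn.split(",")]
    base_parts = [p.strip().lower() for p in base.split(",")]
    if len(dn_parts) <= len(base_parts) or dn_parts[-len(base_parts):] != base_parts:
        return False
    return scope == "sub" or len(dn_parts) == len(base_parts) + 1

if __name__ == "__main__":
    machine = parse_ldif(POSIX_ONLY)
    print("strict filter matches new machine account:", matches_filter(machine, STRICT_FILTER, "testmasin$"))
    print("visible from base ou=Users,dc=active,dc=ee:", in_search_base(machine["dn"][0], "ou=Users,dc=active,dc=ee", "sub"))
```

Both checks print False for the posixAccount-only entry, which is exactly the state a machine account is in between smbldap-useradd -w and Samba's own sambaSamAccount update.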

