[Samba] Why need to add a machine account to /etc/passwd first with Samba+LDAP

Steve Zeng szeng at mainframe.ca
Fri Mar 11 00:13:44 GMT 2005


You are the man. problem sovled. I change /etc/ldap.conf as you suggested:

nss_base_passwd         dc=mfelc?sub
nss_base_group          dc=mfelc?sub
nss_base_hosts          dc=mfelc?sub

and I have "add machine script=/usr/sbin/smbldap-useradd -w %u" included 
in smb.conf. Now it works perfectly. machine account is created on the fly!

One more question for you. if I use LDAP only for hosts lookup in 
nsswitch, all the machine names come with a "$". In this case, how can I 
resolve hostname?



> On Thursday 10 March 2005 13:56, Steve Zeng wrote:
>>I am using Samba 3.0.10 PDC with LDAP as password DB. Before we use
>>smbpasswd as passwd DB and every time I need to add a machine account
>>into /etc/passwd so that the mahcine can join the domain. My
>>understanding for LDAP is, this step is not needed any more since we
>>will put all machine account into "ou=Computers". But I am proved to be
>>Is this the way Samba works? I mean, samba has to make sure a machine
>>account exist in the /etc/passwd file of Samba PDC, doesn't it?
> Nope. If you use LDAP, then both the POSIX account and the SambaSAMAccount 
> infromation should be in LDAP. On the other hand, if you put your machine 
> accounts into the ou=Computers container and user accounts in ou=Users 
> your /etc/ldap.conf file needs to point to the directory tree above the 
> ou=Users and above ou=Computers. Additionally the loookup for user accounts 
> will have to be a 'sub' type so look-ups will descend both trees.
> In other words, I am guessing that in your /etc/ldap.conf you have:
> nss_base_passwd ou=People,dc=abmas,dc=biz?one
> Instead of:
> nss_base_passwd dc=abmas,dc=biz?sub
> If my assumptions are correct, then if you set /etc/nsswitch.conf to have:
> passwd: ldap
> shadow: ldap
> group: ldap
> and then you execute:
> 	getent passwd
> You will not see a listing of accounts that includes the machine accounts. If 
> this what you see, then making the change in /etc/ldap.conf so that:
> nss_base_passwd dc=abmas,dc=biz
> (of course substituting your directory domain component info) will list the 
> machine accounts and you will no longer need them in your /etc/passwd.
> In summary, by putting the machine accounts into your /etc/passwd you are 
> using a work-around for a broken LDAP/NSS environment.
> Does that answer your question and solve the problem?
> - John T.
>>Steve Zeng
>>Systems Administrator
>>Mainframe Entertainment Inc
>>T: (604) 628-1000 ext 5293


Steve Zeng
Systems Administrator
Mainframe Entertainment Inc
T: (604) 628-1000 ext 5293

More information about the samba mailing list