[Samba] Why need to add a machine account to /etc/passwd first
with Samba+LDAP
Steve Zeng
szeng at mainframe.ca
Fri Mar 11 00:13:44 GMT 2005
John,
You are the man. Problem solved. I changed /etc/ldap.conf as you suggested:
nss_base_passwd dc=mfelc?sub
nss_base_group dc=mfelc?sub
nss_base_hosts dc=mfelc?sub
and I have "add machine script=/usr/sbin/smbldap-useradd -w %u" included
in smb.conf. Now it works perfectly. The machine account is created on the fly!
One more question for you. If I use LDAP only for hosts lookup in
nsswitch, all the machine names come with a "$". In this case, how can I
resolve hostname?
Thanks.
Steve
> On Thursday 10 March 2005 13:56, Steve Zeng wrote:
>
>>Hi,
>>
>>I am using Samba 3.0.10 PDC with LDAP as password DB. Before we use
>>smbpasswd as passwd DB and every time I need to add a machine account
>>into /etc/passwd so that the machine can join the domain. My
>>understanding for LDAP is, this step is not needed any more since we
>>will put all machine accounts into "ou=Computers". But I am proved to be
>>wrong.
>>
>>Is this the way Samba works? I mean, samba has to make sure a machine
>>account exists in the /etc/passwd file of Samba PDC, doesn't it?
>
>
> Nope. If you use LDAP, then both the POSIX account and the SambaSAMAccount
> information should be in LDAP. On the other hand, if you put your machine
> accounts into the ou=Computers container and user accounts in ou=Users
> your /etc/ldap.conf file needs to point to the directory tree above the
> ou=Users and above ou=Computers. Additionally the lookup for user accounts
> will have to be a 'sub' type so look-ups will descend both trees.
>
> In other words, I am guessing that in your /etc/ldap.conf you have:
>
> nss_base_passwd ou=People,dc=abmas,dc=biz?one
>
> Instead of:
>
> nss_base_passwd dc=abmas,dc=biz?sub
>
> If my assumptions are correct, then if you set /etc/nsswitch.conf to have:
>
> passwd: ldap
> shadow: ldap
> group: ldap
>
> and then you execute:
>
> getent passwd
>
> You will not see a listing of accounts that includes the machine accounts. If
> this is what you see, then making the change in /etc/ldap.conf so that:
>
> nss_base_passwd dc=abmas,dc=biz
>
> (of course substituting your directory domain component info) will list the
> machine accounts and you will no longer need them in your /etc/passwd.
>
> In summary, by putting the machine accounts into your /etc/passwd you are
> using a work-around for a broken LDAP/NSS environment.
>
> Does that answer your question and solve the problem?
>
> - John T.
>
>
>
>>--
>>Regards,
>>
>>Steve Zeng
>>Systems Administrator
>>Mainframe Entertainment Inc
>>T: (604) 628-1000 ext 5293
>
>
--
Regards,
Steve Zeng
Systems Administrator
Mainframe Entertainment Inc
T: (604) 628-1000 ext 5293
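The misconfiguration John describes comes down to the search base and scope on the nss_base_passwd line: a base of ou=People with scope "one" can never return entries under ou=Computers, while a base at the domain root with scope "sub" (nss_ldap's default when no scope is given) covers both containers. The following checker, added here as an illustration and not code from the thread or from Samba/nss_ldap, evaluates an nss_base_passwd line against a machine-account DN; the DNs and sample lines are constructed, modelled on the ones quoted above.

```python
# Added example: does the search described by an nss_ldap
# "nss_base_passwd BASE[?SCOPE[?FILTER]]" line return a given entry?
# The DNs below are constructed for the demo (dc=abmas,dc=biz comes
# from the quoted reply; the uids are made up).

def parse_nss_base(line):
    """Return (base, scope) from a 'nss_base_passwd BASE?SCOPE' line."""
    _key, _, value = line.strip().partition(" ")
    parts = value.strip().split("?")
    base = parts[0]
    # nss_ldap searches the whole subtree when no scope is given
    scope = parts[1].lower() if len(parts) > 1 and parts[1] else "sub"
    return base, scope

def dn_components(dn):
    """Split a DN into normalized RDNs (lowercased, whitespace stripped)."""
    return [c.strip().lower() for c in dn.split(",") if c.strip()]

def nss_covers(nss_line, entry_dn):
    """True if NSS, configured with nss_line, can see entry_dn."""
    base, scope = parse_nss_base(nss_line)
    base_rdns = dn_components(base)
    entry_rdns = dn_components(entry_dn)
    # The entry must sit under the search base (DN suffix match)
    tail = entry_rdns[len(entry_rdns) - len(base_rdns):]
    if len(entry_rdns) < len(base_rdns) or tail != base_rdns:
        return False
    depth = len(entry_rdns) - len(base_rdns)   # levels below the base
    if scope == "sub":
        return True          # any depth under the base
    if scope == "one":
        return depth == 1    # direct children only
    if scope == "base":
        return depth == 0    # the base object itself
    raise ValueError("unknown scope: " + scope)

if __name__ == "__main__":
    machine = "uid=ws01$,ou=Computers,dc=abmas,dc=biz"   # constructed
    for line in ("nss_base_passwd ou=People,dc=abmas,dc=biz?one",
                 "nss_base_passwd dc=abmas,dc=biz?one",
                 "nss_base_passwd dc=abmas,dc=biz?sub",
                 "nss_base_passwd dc=abmas,dc=biz"):
        print(f"{line:50s} sees {machine}: {nss_covers(line, machine)}")
```

Only the last two lines report True, which matches John's point: a "one"-scoped lookup under ou=People is why the machine accounts were missing from getent passwd and had to be duplicated in /etc/passwd.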