[Samba] Why need to add a machine account to /etc/passwd first with Samba+LDAP

John H Terpstra jht at samba.org
Fri Mar 11 00:34:54 GMT 2005


On Thursday 10 March 2005 17:13, Steve Zeng wrote:
> John,
>
> You are the man. Problem solved. I changed /etc/ldap.conf as you suggested:
>
> nss_base_passwd         dc=mfelc?sub
> nss_base_group          dc=mfelc?sub
> nss_base_hosts          dc=mfelc?sub

Why do you have the nss_base_hosts entry set in /etc/ldap.conf? Samba does not 
need/use that. Unless you know precisely how to use that I'd suggest 
commenting it out.

>
> and I have "add machine script=/usr/sbin/smbldap-useradd -w %u" included
> in smb.conf. Now it works perfectly. The machine account is created on the fly!
>
> One more question for you. if I use LDAP only for hosts lookup in
> nsswitch, all the machine names come with a "$". In this case, how can I
> resolve hostname?

Please explain. Host entries are of the form:

192.168.0.1	hostname.domain.tld hostname

Where is the '$' in that?

- John T.

>
> Thanks.
>
> Steve
>
> > On Thursday 10 March 2005 13:56, Steve Zeng wrote:
> >>Hi,
> >>
> >>I am using Samba 3.0.10 PDC with LDAP as password DB. Before, we used
> >>smbpasswd as the passwd DB, and every time I needed to add a machine account
> >>into /etc/passwd so that the machine could join the domain. My
> >>understanding for LDAP is that this step is not needed any more since we
> >>will put all machine accounts into "ou=Computers". But I have been proved
> >>wrong.
> >>
> >>Is this the way Samba works? I mean, Samba has to make sure a machine
> >>account exists in the /etc/passwd file of the Samba PDC, doesn't it?
> >
> > Nope. If you use LDAP, then both the POSIX account and the
> > SambaSAMAccount information should be in LDAP. On the other hand, if you
> > put your machine accounts into the ou=Computers container and user
> > accounts in ou=Users, your /etc/ldap.conf file needs to point to the
> > directory tree above the ou=Users and above ou=Computers. Additionally
> > the lookup for user accounts will have to be a 'sub' type so look-ups
> > will descend both trees.
> >
> > In other words, I am guessing that in your /etc/ldap.conf you have:
> >
> > nss_base_passwd ou=People,dc=abmas,dc=biz?one
> >
> > Instead of:
> >
> > nss_base_passwd dc=abmas,dc=biz?sub
> >
> > If my assumptions are correct, then if you set /etc/nsswitch.conf to
> > have:
> >
> > passwd: ldap
> > shadow: ldap
> > group: ldap
> >
> > and then you execute:
> >
> > 	getent passwd
> >
> > You will not see a listing of accounts that includes the machine
> > accounts. If this is what you see, then making the change in /etc/ldap.conf
> > so that:
> >
> > nss_base_passwd dc=abmas,dc=biz
> >
> > (of course substituting your directory domain component info) will list
> > the machine accounts and you will no longer need them in your
> > /etc/passwd.
> >
> > In summary, by putting the machine accounts into your /etc/passwd you are
> > using a work-around for a broken LDAP/NSS environment.
> >
> > Does that answer your question and solve the problem?
> >
> > - John T.
> >
> >>--
> >>Regards,
> >>
> >>Steve Zeng
> >>Systems Administrator
> >>Mainframe Entertainment Inc
> >>T: (604) 628-1000 ext 5293

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
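
The check John describes above (run `getent passwd` and see whether the machine accounts, the entries whose name ends in `$`, come back through NSS) and the `?one` versus `?sub` scope problem in /etc/ldap.conf, as an added example that is not part of the thread or of Samba's own tooling. The passwd lines, the ldap.conf fragments, the hostnames and the dc=abmas,dc=biz suffix are constructed for the example; the assumption that an nss_base_passwd entry with no explicit scope falls back to nss_ldap's global `scope` setting (sub by default) is marked as such in the code.

```shell
#!/bin/sh
# Added example: verify that Samba machine accounts are visible through NSS
# and that /etc/ldap.conf searches with sub scope. Not from the thread.

# Constructed sample of `getent passwd` output on a PDC whose ldap.conf uses
# "?sub" above both ou=People and ou=Computers. Machine accounts end in '$'.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
steve:x:1001:513:Steve Zeng:/home/steve:/bin/bash
wkstn01$:x:1101:515:Workstation wkstn01:/dev/null:/bin/false
wkstn02$:x:1102:515:Workstation wkstn02:/dev/null:/bin/false'

# Constructed ldap.conf fragments: the "?one" form John guessed at (broken,
# because it never descends into ou=Computers) and the corrected "?sub" form.
BROKEN_LDAP_CONF='nss_base_passwd ou=People,dc=abmas,dc=biz?one
nss_base_group  ou=Groups,dc=abmas,dc=biz?one'
FIXED_LDAP_CONF='nss_base_passwd dc=abmas,dc=biz?sub
nss_base_group  dc=abmas,dc=biz?sub'

# Print the machine accounts (user names ending in '$') found in
# passwd-format input on stdin.
list_machine_accounts() {
    awk -F: '$1 ~ /\$$/ { print $1 }'
}

# Count the machine accounts in passwd-format input on stdin.
count_machine_accounts() {
    list_machine_accounts | wc -l | tr -d ' '
}

# Exit 0 if the nss_base_passwd line on stdin searches with sub scope,
# 1 if it names an explicit non-sub scope such as "?one" or "?base".
# Assumption (nss_ldap behaviour, not stated in the thread): a line without
# an explicit scope uses the global "scope" directive, which defaults to sub.
passwd_scope_is_sub() {
    awk '$1 == "nss_base_passwd" {
             n = split($2, f, "?")
             if (n >= 2 && f[2] != "" && f[2] != "sub") bad = 1
         }
         END { exit bad ? 1 : 0 }'
}

# Live check for one machine account on the PDC, with or without the
# trailing '$'. Usage: check_machine_account wkstn01
check_machine_account() {
    name="${1%\$}\$"
    if getent passwd "$name" >/dev/null 2>&1; then
        echo "OK: $name is visible through NSS"
        return 0
    fi
    echo "MISSING: $name not found via getent;" \
         "check the nss_base_passwd scope (?sub) in /etc/ldap.conf"
    return 1
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_PASSWD" | list_machine_accounts
if printf '%s\n' "$BROKEN_LDAP_CONF" | passwd_scope_is_sub; then
    echo "broken ldap.conf: scope looks fine (unexpected)"
else
    echo "broken ldap.conf: nss_base_passwd does not use ?sub"
fi
```

On a real PDC, replace the constructed sample with `getent passwd | list_machine_accounts` and feed `/etc/ldap.conf` to `passwd_scope_is_sub`; if the machine accounts are missing from the listing, the fix is the scope change in /etc/ldap.conf, not an entry in /etc/passwd.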

