[Samba] Why need to add a machine account to /etc/passwd first with Samba+LDAP

Steve Zeng szeng at mainframe.ca
Fri Mar 11 00:55:06 GMT 2005


> On Thursday 10 March 2005 17:13, Steve Zeng wrote:
> 
>>John,
>>
>>You are the man. Problem solved. I changed /etc/ldap.conf as you suggested:
>>
>>nss_base_passwd         dc=mfelc?sub
>>nss_base_group          dc=mfelc?sub
>>nss_base_hosts          dc=mfelc?sub
> 
> 
> Why do you have the nss_base_hosts entry set in /etc/ldap.conf? Samba does not 
> need/use that. Unless you know precisely how to use that I'd suggest 
> commenting it out.
> 
Good point.

> 
>>and I have "add machine script=/usr/sbin/smbldap-useradd -w %u" included
>>in smb.conf. Now it works perfectly. The machine account is created on the fly!
>>
>>One more question for you. If I use LDAP only for hosts lookup in
>>nsswitch, all the machine names come with a "$". In this case, how can I
>>resolve the hostname?
> 
> 
> Please explain. Host entries are of the form:
> 
> 192.168.0.1	hostname.domain.tld hostname
> 
I don't have a local /etc/hosts file on the Samba PDC. So I need to 
resolve hostnames with LDAP. My nsswitch.conf looks like this:

passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files ldap


> Where is the '$' in that?
> 

It is from LDAP, from when the machine account was created on the fly. I checked 
the LDAP DIT; the dn for the machine account is as follows:

uid=ajatar$,ou=Computers,dc=mfelc

> - John T.
> 
> 
>>Thanks.
>>
>>Steve
>>
>>
>>>On Thursday 10 March 2005 13:56, Steve Zeng wrote:
>>>
>>>>Hi,
>>>>
>>>>I am using Samba 3.0.10 PDC with LDAP as password DB. Before, we used
>>>>smbpasswd as the passwd DB and every time I needed to add a machine account
>>>>into /etc/passwd so that the machine could join the domain. My
>>>>understanding for LDAP is that this step is not needed any more since we
>>>>will put all machine accounts into "ou=Computers". But I have been proved
>>>>wrong.
>>>>
>>>>Is this the way Samba works? I mean, samba has to make sure a machine
>>>>account exists in the /etc/passwd file of the Samba PDC, doesn't it?
>>>
>>>Nope. If you use LDAP, then both the POSIX account and the
>>>SambaSAMAccount information should be in LDAP. On the other hand, if you
>>>put your machine accounts into the ou=Computers container and user
>>>accounts in ou=Users, your /etc/ldap.conf file needs to point to the
>>>directory tree above the ou=Users and above ou=Computers. Additionally
>>>the lookup for user accounts will have to be a 'sub' type so look-ups
>>>will descend both trees.
>>>
>>>In other words, I am guessing that in your /etc/ldap.conf you have:
>>>
>>>nss_base_passwd ou=People,dc=abmas,dc=biz?one
>>>
>>>Instead of:
>>>
>>>nss_base_passwd dc=abmas,dc=biz?sub
>>>
>>>If my assumptions are correct, then if you set /etc/nsswitch.conf to
>>>have:
>>>
>>>passwd: ldap
>>>shadow: ldap
>>>group: ldap
>>>
>>>and then you execute:
>>>
>>>	getent passwd
>>>
>>>You will not see a listing of accounts that includes the machine
>>>accounts. If this is what you see, then making the change in /etc/ldap.conf
>>>so that:
>>>
>>>nss_base_passwd dc=abmas,dc=biz
>>>
>>>(of course substituting your directory domain component info) will list
>>>the machine accounts and you will no longer need them in your
>>>/etc/passwd.
>>>
>>>In summary, by putting the machine accounts into your /etc/passwd you are
>>>using a work-around for a broken LDAP/NSS environment.
>>>
>>>Does that answer your question and solve the problem?
>>>
>>>- John T.
>>>
>>>
>>>>--
>>>>Regards,
>>>>
>>>>Steve Zeng
>>>>Systems Administrator
>>>>Mainframe Entertainment Inc
>>>>T: (604) 628-1000 ext 5293
> 
> 

-- 
Regards,

Steve Zeng
Systems Administrator
Mainframe Entertainment Inc
T: (604) 628-1000 ext 5293
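The whole thread comes down to LDAP search scope: an nss_base_passwd line with `?one` only sees direct children of its base, so a machine account stored in ou=Computers is invisible to NSS, and putting it in /etc/passwd is a work-around for that broken lookup rather than a Samba requirement. The script below is an added example, not code from this thread or from the Samba or nss_ldap projects: it implements the base/one/sub scope rules of an LDAP search, parses the nss_base_* lines of an /etc/ldap.conf, and reports which account DNs the passwd map cannot see, plus John's warning about an unneeded nss_base_hosts entry. The config text, the dc=example,dc=com tree and the DNs are constructed sample values; it assumes, as nss_ldap documents, that a missing scope in an nss_base_* line falls back to the global default of sub.

```python
"""Check that nss_ldap search bases in /etc/ldap.conf cover the containers
Samba stores accounts in (added example; config and DNs are constructed)."""
import re


def dn_components(dn):
    """Split a DN on unescaped commas and normalise case/whitespace."""
    parts = re.split(r'(?<!\\),', dn)
    return [p.strip().lower() for p in parts if p.strip()]


def scope_matches(base, scope, dn):
    """LDAP search-scope semantics:
       base -> only the base entry itself
       one  -> only immediate children of the base
       sub  -> the base entry and every descendant"""
    b, d = dn_components(base), dn_components(dn)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return False                 # dn is not under the base at all
    depth = len(d) - len(b)          # 0 = base entry, 1 = direct child, ...
    if scope == 'base':
        return depth == 0
    if scope == 'one':
        return depth == 1
    if scope == 'sub':
        return True
    raise ValueError(f'unknown scope {scope!r}')


def parse_nss_bases(conf_text):
    """Return {map_name: (base_dn, scope)} for every nss_base_<map> line.
    Syntax is nss_base_<map> <base>?<scope>[?<filter>]; an omitted scope is
    assumed to fall back to nss_ldap's global default of 'sub'."""
    bases = {}
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = re.match(r'nss_base_(\w+)\s+(\S+)', line)
        if not m:
            continue
        spec = m.group(2).split('?')
        scope = spec[1] if len(spec) > 1 and spec[1] else 'sub'
        bases[m.group(1)] = (spec[0], scope)
    return bases


def audit(conf_text, account_dns, map_name='passwd'):
    """List account DNs that the given NSS map cannot resolve, and flag an
    nss_base_hosts entry, which Samba does not use."""
    bases = parse_nss_bases(conf_text)
    findings = []
    if 'hosts' in bases:
        findings.append('nss_base_hosts is set; Samba does not use it, '
                        'consider commenting it out')
    if map_name not in bases:
        findings.append(f'no nss_base_{map_name} line; nss_ldap will use the global base')
        return findings
    base, scope = bases[map_name]
    for dn in account_dns:
        if not scope_matches(base, scope, dn):
            findings.append(f'{dn} is not visible via nss_base_{map_name} {base}?{scope}')
    return findings


# Constructed sample: 'one' scope under ou=People never reaches ou=Computers.
BROKEN_CONF = """\
nss_base_passwd ou=People,dc=example,dc=com?one
nss_base_group  ou=Groups,dc=example,dc=com?one
nss_base_hosts  dc=example,dc=com?sub
"""

# Constructed sample: search from the top of the tree with scope sub.
FIXED_CONF = """\
nss_base_passwd dc=example,dc=com?sub
nss_base_group  dc=example,dc=com?sub
"""

# Constructed DNs: a user in ou=People and a machine account (trailing $) in ou=Computers.
ACCOUNTS = [
    'uid=alice,ou=People,dc=example,dc=com',
    'uid=ws01$,ou=Computers,dc=example,dc=com',
]

if __name__ == '__main__':
    for name, conf in (('broken', BROKEN_CONF), ('fixed', FIXED_CONF)):
        print(name, audit(conf, ACCOUNTS) or ['ok'])
```

Run it against a copy of the real /etc/ldap.conf and the DNs reported by `getent passwd` versus a direct LDAP search of ou=Computers; an account that appears in the directory but not in `getent` output is the symptom this script explains.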

