[Samba] add machine account + ldap (again)

Edmundo Valle Neto edmundo.valle at terra.com.br
Mon Jun 26 21:02:01 GMT 2006


Edmundo Valle Neto wrote:
> Geraldo Coelho wrote:
>> Hi all,
>>
>> I have a problem. I need to create an account machine with samba.
>> The smbldap-useradd created the account, but only an unix account, like
>> this:
>>
>>
>> dn: uid=notedell$,ou=computers,dc=grupora,dc=com,dc=br
>> objectClass: top
>> objectClass: inetOrgPerson
>> objectClass: posixAccount
>> cn: notedell$
>> sn: notedell$
>> uid: notedell$
>> uidNumber: 15025
>> gidNumber: 515
>> homeDirectory: /dev/null
>> loginShell: /bin/false
>> description: Computer
>> gecos: Computer
>>
>>   
> How are you doing that? The "recommended" add machine script only does
> what you are seeing.
> If you execute: smbldap-useradd -w machinename it will only create the 
> account with posix attributes.
>
> As stated in the smbldap-tools documentation:
> "The script defined with the add machine script MUST NOT add the 
> sambaSAMAccount
> objectclass of the machine account. The script must only add the Posix 
> machine account.
> Samba will add the sambaSAMAccount when joining the domain."
>
> Look at an example of smbldap-useradd being executed through the "add
> machine script" option:
>
> A samba log with a level 3 output:
>
> ...
> [2006/06/26 14:47:28, 3] rpc_server/srv_samr_nt.c:_samr_create_user(2324)
>  _samr_create_user: Running the command `/usr/sbin/smbldap-useradd -w 
> "testmachine$"' gave 0
> ...
> [2006/06/26 14:47:28, 3] passdb/pdb_ldap.c:ldapsam_add_sam_account(1832)
>  ldapsam_add_sam_account: User exists without samba attributes: adding 
> them
> [2006/06/26 14:47:28, 2] passdb/pdb_ldap.c:init_ldap_from_sam(912)
>  init_ldap_from_sam: Setting entry for user: testmachine$
> [2006/06/26 14:47:28, 2] passdb/pdb_ldap.c:ldapsam_add_sam_account(1942)
>  ldapsam_add_sam_account: added: uid == testmachine$ in the LDAP database
> ...
>
>
> So, "User exists without samba attributes: adding them": it isn't the
> script that creates the samba attributes, samba does that.
>
>
>> But samba didn't create a valid account.
>> Like this:
>>
>>
>> dn: uid=notedell$,ou=Computers,dc=grupora,dc=com,dc=br
>> uid: notedell$
>> sambaSID: S-1-5-21-243819190-2830005574-892836686-31036
>> sambaPrimaryGroupSID: S-1-5-21-243819190-2830005574-892836686-515
>> objectClass: sambaSamAccount
>> objectClass: account
>> displayName: NOTEDELL$
>> sambaPwdCanChange: 1150829558
>> sambaPwdMustChange: 2147483647
>> sambaNTPassword: D7CD95C07847C9DD38F14D8751D0B8F4
>> sambaPwdLastSet: 1150829558
>> sambaAcctFlags: [W          ]
>>
>>   
>
> Well, it should.
>
>> So Windows rejects my login with a "bad password" error
>> and doesn't join the domain.
>>
>> I'm using user id = 0 (root)
>>   
>
> Does your root account have both posix and samba attributes?
> Have you configured the "add * script" and the ldap options properly?
> Have you added the ldap admin password to samba (smbpasswd -w 
> yourldappassword)?
> What do your logs say?
>
>> Does someone know what's happening?
>>
>>
>> Thanks in advance
>> -- 
>>
>>   
>
> OR if you want to do that by hand:
>
> smbldap-useradd -w -i machinename
> then put a blank password
> then join the workstation without typing a username or password.
>
> Regards.
>
> Edmundo Valle Neto
>

Only to correct the last bullshit that I wrote :)
-i is for interdomain trust accounts

To create a machine trust account by hand in LDAP:
smbldap-useradd -w machinename
smbpasswd -a -m machinename$
then join with a user that has rights to do it.


Edmundo Valle Neto
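The diagnosis in this thread comes down to which half of the machine trust account each party is responsible for: the "add machine script" must leave behind only the posix half, and Samba adds the sambaSamAccount half (with the W flag and the Domain Computers primary group) while the workstation joins. The script below is an added example, not code from the thread or from smbldap-tools: it classifies an LDIF entry into "posix-only" (what the add machine script should produce), "samba-only" (Samba attributes without the posix half), "complete" (both halves, W flag set) or "bad-uid" (not a machine name ending in `$`). The function names are my own; the sample entries are constructed copies of the two entries posted above, plus a merged entry showing what the DN should hold after Samba has added its attributes; RID 515 is the well-known Windows RID of "Domain Computers".

```shell
#!/bin/sh
# Added example (not from the thread): classify an LDAP machine-account entry
# the way the reply reasons about it. Input is an LDIF entry passed as a string.

# has_objectclass LDIF CLASS -> exit 0 if the entry carries objectClass CLASS
# (objectClass values are case-insensitive in LDAP, hence grep -i)
has_objectclass() {
    printf '%s\n' "$1" | grep -qi "^objectClass: $2\$"
}

# attr LDIF NAME -> first value of attribute NAME, empty if absent
attr() {
    printf '%s\n' "$1" | sed -n "s/^$2: //p" | head -n 1
}

# classify_machine_entry LDIF -> prints one word describing the entry
classify_machine_entry() {
    entry="$1"
    account_uid=$(attr "$entry" uid)
    case "$account_uid" in
        *\$) ;;                         # machine trust accounts end in '$'
        *) echo bad-uid; return 0 ;;
    esac
    if has_objectclass "$entry" posixAccount; then
        if has_objectclass "$entry" sambaSamAccount; then
            # Samba sets the W (workstation trust) flag when it adds its half
            case "$(attr "$entry" sambaAcctFlags)" in
                *W*) echo complete ;;
                *)   echo flags-missing ;;
            esac
        else
            echo posix-only              # what "add machine script" should leave
        fi
    elif has_objectclass "$entry" sambaSamAccount; then
        echo samba-only                  # Samba half without the posix half
    else
        echo no-account
    fi
}

# primary_group_rid LDIF -> last component of sambaPrimaryGroupSID
# (515 is the well-known RID of "Domain Computers")
primary_group_rid() {
    attr "$1" sambaPrimaryGroupSID | sed 's/.*-//'
}

# Constructed sample: the posix-only entry the add machine script created.
POSIX_ENTRY='dn: uid=notedell$,ou=computers,dc=grupora,dc=com,dc=br
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
cn: notedell$
sn: notedell$
uid: notedell$
uidNumber: 15025
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer'

# Constructed sample: the attributes Samba adds at join time (as posted).
SAMBA_ENTRY='dn: uid=notedell$,ou=Computers,dc=grupora,dc=com,dc=br
uid: notedell$
sambaSID: S-1-5-21-243819190-2830005574-892836686-31036
sambaPrimaryGroupSID: S-1-5-21-243819190-2830005574-892836686-515
objectClass: sambaSamAccount
objectClass: account
displayName: NOTEDELL$
sambaPwdCanChange: 1150829558
sambaPwdMustChange: 2147483647
sambaNTPassword: D7CD95C07847C9DD38F14D8751D0B8F4
sambaPwdLastSet: 1150829558
sambaAcctFlags: [W          ]'

# Constructed: both halves on one DN, the state expected after a successful join.
MERGED_ENTRY="$POSIX_ENTRY
$(printf '%s\n' "$SAMBA_ENTRY" | grep -v -e '^dn: ' -e '^uid: ')"

# Constructed: an ordinary user entry, which must not pass as a machine account.
USER_ENTRY='dn: uid=someuser,ou=people,dc=grupora,dc=com,dc=br
objectClass: posixAccount
uid: someuser'

for e in "$POSIX_ENTRY" "$SAMBA_ENTRY" "$MERGED_ENTRY" "$USER_ENTRY"; do
    printf '%s -> %s\n' "$(attr "$e" dn)" "$(classify_machine_entry "$e")"
done
```

Feed it the output of `ldapsearch -LLL` for the computer's DN before and after a join attempt: "posix-only" before and "complete" after is the healthy sequence described in the reply; "posix-only" after a failed join means Samba never got to add its attributes, so the LDAP admin password (smbpasswd -w) and the ldap options in smb.conf are the first things to check.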

