[Samba] samba ldap domain join
lenny at edpausa.com
lenny at edpausa.com
Thu May 11 16:19:25 GMT 2006
> You don't need to give anonymous write access.
> You just need to give the ldap admin you set in smb.conf write access to
> the tree and properly set the ldap password with smbpasswd -w
>
Thank you, but this isn't really the issue for me right now. The rest of
the message described the problem I can't figure out.
By the way, I had smbpasswd -w set to Directory Manager's credentials,
all the time, but I was getting
Insufficient 'write' privilege to the 'uidNumber' attribute of
> entry 'sambadomainname
and Insufficient add privileges for ou=computers, until I just made both
objects writable by anyone. anyway... this is working right now and I'll
deal with security implications later, but joining the domain still
produces errors that I described below. Maybe it's worth mentioning that
I use Sun ONE directory 5.2, not OpenLDAP ?
It seems that eventhough the machine accounts get created upon successful
authentication, it fails to find that same machine account during the same
or another operation to actually join the domain.
The search string it uses has objectclass=sambaSamAccount. Apparently, the
newly created machine account doesn't have that object class. Also there's
no sambasid entry for the machine account ( not sure if it needs one, but
if sambaSamAccount requires that, I guess it does ? )
In addition to that, the search base it uses to look for the machine
accounts only has the parent suffix, without the "ou=computers.
Samba user accounts can be added with smbpasswd and all the sids,
passwords and other attributes are set correctly.
Another issue is that idmap ou doesn't get seem to get populated with any
entries at all, but I also don't know if it should be.
base => [dc=mydomain,dc=com]
> > [(&(uid=computer$)(objectclass=sambaSamAccount))]
smb.conf
add user script = /usr/local/samba/bin/smbldap-useradd -n "%u"
add machine script = /usr/local/samba/bin/smbldap-useradd -n -d
/dev/null -s /bin/false -w "%m"
ldap admin dn = "cn=Directory Manager"
ldap group suffix = ou=groups
ldap idmap suffix = ou=idmap
ldap machine suffix = ou=computers
ldap suffix = dc=mydomain,dc=com
ldap ssl = no
ldap user suffix = ou=people
idmap backend = ldapsam:ldap://myldapserver
idmap uid = 10000-30000
idmap gid = 10000-30000
smb-ldap.conf
suffix="dc=mydomain,dc=com"
usersdn="ou=People,${suffix}"
computersdn="ou=computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=LDAPAUTH,${suffix}"
More information about the samba
mailing list