[Samba] samba ldap domain join

lenny at edpausa.com
Thu May 11 16:19:25 GMT 2006


> You don't need to give anonymous write access.
> You just need to give the ldap admin you set in smb.conf write access to
> the tree and properly set the ldap password with smbpasswd -w
>
Thank you, but this isn't really the issue for me right now. The rest of
the message described the problem I can't figure out.
By the way, I had smbpasswd -w set to Directory Manager's credentials
all the time, but I was getting
Insufficient 'write' privilege to the 'uidNumber' attribute of
entry 'sambadomainname
and Insufficient add privileges for ou=computers, until I just made both
objects writable by anyone. Anyway... this is working right now and I'll
deal with security implications later, but joining the domain still
produces errors that I described below. Maybe it's worth mentioning that
I use Sun ONE directory 5.2, not OpenLDAP?


It seems that even though the machine accounts get created upon successful
authentication, it fails to find that same machine account during the same
or another operation to actually join the domain.
The search string it uses has objectclass=sambaSamAccount. Apparently, the
newly created machine account doesn't have that object class. Also there's
no sambasid entry for the machine account (not sure if it needs one, but
if sambaSamAccount requires that, I guess it does?).

In addition to that, the search base it uses to look for the machine
accounts only has the parent suffix, without the "ou=computers".

Samba user accounts can be added with smbpasswd and all the sids,
passwords and other attributes are set correctly.

Another issue is that the idmap ou doesn't seem to get populated with any
entries at all, but I also don't know if it should be.



base => [dc=mydomain,dc=com]


> > [(&(uid=computer$)(objectclass=sambaSamAccount))]


smb.conf

        add user script = /usr/local/samba/bin/smbldap-useradd -n "%u"
        add machine script = /usr/local/samba/bin/smbldap-useradd -n -d /dev/null -s /bin/false -w "%m"

        ldap admin dn = "cn=Directory Manager"
        ldap group suffix = ou=groups
        ldap idmap suffix = ou=idmap
        ldap machine suffix = ou=computers
        ldap suffix = dc=mydomain,dc=com
        ldap ssl = no
        ldap user suffix = ou=people
        idmap backend = ldapsam:ldap://myldapserver
        idmap uid = 10000-30000
        idmap gid = 10000-30000



smb-ldap.conf

suffix="dc=mydomain,dc=com"

usersdn="ou=People,${suffix}"
computersdn="ou=computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
idmapdn="ou=idmap,${suffix}"
sambaUnixIdPooldn="sambaDomainName=LDAPAUTH,${suffix}"
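
An added example (not code from this post, nor from Samba or smbldap-tools) that reproduces the join-time lookup offline: it parses a constructed LDIF entry of the kind `smbldap-useradd -w` leaves behind when only the POSIX attributes are written, evaluates the quoted base and filter `(&(uid=computer$)(objectclass=sambaSamAccount))` against it, lists what the entry lacks, and derives the sambaSID the entry would need. The LDIF entry, the placeholder domain SID and the DNs are constructed; the RID formula is Samba's algorithmic mapping (2 * uidNumber + the default `algorithmic rid base` of 1000), which smbldap-tools also uses by default.

```python
"""Offline check of a machine entry against the search Samba runs during a
domain join.  Added example, not code from the post or from Samba/smbldap-tools.
The LDIF entry, domain SID and DNs below are constructed."""
import copy

# Constructed sample: the kind of entry "smbldap-useradd -w" leaves behind
# when only the POSIX attributes get written (no Samba object class).
SAMPLE_LDIF = """\
dn: uid=computer$,ou=computers,dc=mydomain,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
uid: computer$
cn: computer$
uidNumber: 1001
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
"""

JOIN_BASE = "dc=mydomain,dc=com"      # the "base =>" value quoted in the post
DOMAIN_SID = "S-1-5-21-111-222-333"  # placeholder domain SID (constructed)


def parse_ldif(text):
    """Minimal LDIF reader: attribute names lower-cased, values as lists.
    Folded lines (leading space) are joined; base64 ('::') values are not handled."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if raw.startswith(" ") and last:       # folded continuation line
            current[last][-1] += raw[1:]
            continue
        if not raw.strip():                    # blank line ends an entry
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last = attr
    if current:
        entries.append(current)
    return entries

def in_subtree(entry, base):
    """scope=sub: a base of dc=mydomain,dc=com still reaches ou=computers
    below it, so the base alone does not explain a missed entry."""
    dn, base = entry["dn"][0].lower(), base.lower()
    return dn == base or dn.endswith("," + base)

def matches_join_filter(entry, machine):
    """Evaluate (&(uid=<machine>$)(objectclass=sambaSamAccount)) from the post;
    LDAP compares both values case-insensitively."""
    uids = [u.lower() for u in entry.get("uid", [])]
    classes = [c.lower() for c in entry.get("objectclass", [])]
    return f"{machine.lower()}$" in uids and "sambasamaccount" in classes

def diagnose(entry, machine, base):
    """Every reason the join search would miss this entry."""
    reasons = []
    if not in_subtree(entry, base):
        reasons.append("entry outside search base " + base)
    if f"{machine.lower()}$" not in [u.lower() for u in entry.get("uid", [])]:
        reasons.append("uid must be the NetBIOS name plus a trailing '$'")
    if "sambasamaccount" not in [c.lower() for c in entry.get("objectclass", [])]:
        reasons.append("objectClass sambaSamAccount missing")
    if "sambasid" not in entry:
        reasons.append("sambaSID missing (mandatory for sambaSamAccount)")
    return reasons

def algorithmic_rid(uid_number, rid_base=1000):
    """Samba's algorithmic user RID: 2 * uidNumber + 'algorithmic rid base'
    (default 1000); smbldap-tools uses the same formula by default."""
    return 2 * int(uid_number) + rid_base

def add_samba_attributes(entry, domain_sid):
    """Copy of the entry with the class, a sambaSID derived from uidNumber
    and the workstation-trust account flag; the input is left untouched."""
    fixed = copy.deepcopy(entry)
    if not any(c.lower() == "sambasamaccount" for c in fixed.get("objectclass", [])):
        fixed.setdefault("objectclass", []).append("sambaSamAccount")
    rid = algorithmic_rid(fixed["uidnumber"][0])
    fixed["sambasid"] = [f"{domain_sid}-{rid}"]
    fixed.setdefault("sambaacctflags", ["[W          ]"])
    return fixed

if __name__ == "__main__":
    entry = parse_ldif(SAMPLE_LDIF)[0]
    print("join filter matches:", matches_join_filter(entry, "computer"))
    for reason in diagnose(entry, "computer", JOIN_BASE):
        print(" -", reason)
    fixed = add_samba_attributes(entry, DOMAIN_SID)
    print("after adding Samba attributes:", matches_join_filter(fixed, "computer"),
          fixed["sambasid"][0])
```

Run with `python3`; the first result shows the filter missing the POSIX-only entry and the diagnosis names the missing object class and sambaSID, the second shows the same filter matching once those are present. The point the script makes is that the base being the bare suffix is harmless with a subtree search, whereas the missing `sambaSamAccount` class is fatal to the join lookup; the idmap ou question from the post is a separate matter and is not covered here.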
