[Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

Edmundo Valle Neto edmundo.valle at terra.com.br
Wed Jun 27 18:24:37 GMT 2007


mikelOn wrote:
> I am using debian etch for the testing but I have had the same problem with
> gentoo 2007.0. I used smbldap-populate (the admin user is "root" so no
> parameters at all) and I also tried with "-u 50000 and -g 50000" so that
> user ids do not overlap.
>   

Probably you didn't configure something in all the distros.
High ids are used principally in migrations when you don't want them to 
clash with old ids (made who knows how).

> Do I need anything else (nss) if I am not authenticating *nix clients?
>
> getent passwd does not show the machine accounts, should they also be
> there and not only in the ldap? I thought that was not necessary.
>   

Yes, you do need NSS working. I don't know where exactly it breaks when 
you don't have it. If you don't want to use posix accounts with samba, 
simply give them a null shell (set the loginShell attribute to 
/bin/false) and they will not be able to be used (if you don't have 
PAM configured, I doubt that you can use them either). (If I remember right, 
smbldap-tools in debian already creates accounts with a null shell.)

Samba has an option called "ldap:trusted = yes", but I don't know if NSS 
is really NOT USED even if you do that in recent versions of samba. 
Maybe the developers can answer that.

Anyway, the system uses NSS to resolve posix account names. And samba 
needs posix accounts to map samba accounts.

In debian you install and configure the package libnss-ldap and set it 
to be used in /etc/nsswitch.conf.

You can test NSS with "getent passwd" and "getent group"; your accounts 
in ldap must be visible then.


Regards.

Edmundo Valle Neto

> I use the root user to join the machines and the smb query you suggest
> works properly. I can even list the samba shares from the windows machines.
>
> Thanks again
>
>
> Edmundo Valle Neto wrote:
>   
>> What distro are you using?
>> How did you populate it?
>> I use Debian (it's a little different), but how did you configure NSS? 
>> ("getent passwd" shows your machine accounts?)
>> What user are you using to join? (if root, "smbclient -L localhost 
>> -Uroot" works on the shell to list the shares?)
>>
>> Regards.
>>
>> Edmundo Valle Neto
>>
>> mikelOn wrote:
>>     
>>> I am not running nscd :(
>>>
>>> Thanks for your response
>>>
>>>
>>> simo-7 wrote:
>>>   
>>>       
>>>> On Wed, 2007-06-27 at 09:45 -0700, mikelOn wrote:
>>>>     
>>>>         
>>>>>> About the samba attributes, when you add a machine account the script 
>>>>>> "add machine" must NOT ADD SAMBA ATTRIBUTES, only posix, samba does that 
>>>>>> alone. Refer to the idealx documentation (if you really want things to 
>>>>>> work properly, reading the documentation is not an option), it was 
>>>>>> already discussed here and the documentation explains how to configure 
>>>>>> that and how it should work.
>>>>>>         
>>>>>>             
>>>>> I did set a debug level of 4 and what I saw was a NT_STATUS_NO_SUCH_USER
>>>>> (or something alike) but no more specific details. The machine account
>>>>> (posix) gets created automatically but the samba attributes are not added
>>>>> by samba.
>>>>>       
>>>>>           
>>>> Look for nscd running; it may cache a negative response and samba never
>>>> sees the created posix attributes in time to add samba stuff.
>>>>
>>>> Simo.
>>>>
>>>> -- 
>>>> Simo Sorce
>>>> Samba Team GPL Compliance Officer
>>>> email: idra at samba.org
>>>> http://samba.org
>>>>
>>>> -- 
>>>> To unsubscribe from this list go to the following URL and read the
>>>> instructions:  https://lists.samba.org/mailman/listinfo/samba
>   
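
The NSS checks discussed in this thread (ldap listed in /etc/nsswitch.conf, the machine account visible through getent, nscd possibly holding a cached negative lookup), collected into one script. This is an added example, not part of the original messages; the function names are hypothetical, and the trailing "$" on machine account names is Samba's usual convention rather than something stated in the thread.

```shell
#!/bin/sh
# Added example: the NSS checks from this thread as shell functions.
# Function names are hypothetical; pass your own workstation name.

# Print the sources configured for database $1 in nsswitch.conf ($2).
nss_sources() {
    awk -v db="$1" '
        { sub(/#.*/, ""); sub(/:/, ": ") }   # drop comments, force "db: src"
        $1 == (db ":") { $1 = ""; print }
    ' "${2:-/etc/nsswitch.conf}"
}

# Succeed when "ldap" is one of the sources for database $1.
nss_has_ldap() {
    for src in $(nss_sources "$1" "$2"); do
        [ "$src" = ldap ] && return 0
    done
    return 1
}

# Succeed when the machine account resolves through NSS. Samba machine
# accounts are posix accounts whose name ends in "$".
machine_visible() {
    getent passwd "${1%\$}\$" >/dev/null 2>&1
}

# Succeed when an nscd process exists (it may hold a cached negative lookup).
nscd_running() {
    pgrep -x nscd >/dev/null 2>&1
}

# Run all checks for workstation $1; returns non-zero when a check fails.
check_join_prereqs() {
    rc=0
    for db in passwd group; do
        if nss_has_ldap "$db" "$2"; then
            echo "ok:   $db lists ldap"
        else
            echo "FAIL: $db has no ldap source"; rc=1
        fi
    done
    if machine_visible "$1"; then
        echo "ok:   getent passwd resolves the machine account"
    else
        echo "FAIL: getent passwd does not resolve the machine account"; rc=1
    fi
    if nscd_running; then
        echo "WARN: nscd is running and may serve a cached negative answer"
    fi
    return $rc
}

if [ $# -gt 0 ]; then check_join_prereqs "$@"; fi
```

Run it on the Samba server with the workstation name as the first argument; an optional second argument points at an alternative nsswitch.conf.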


