[Samba] Samba and LDAP: Trouble adding Win XP machines to the domain

mikelOn mikel.santos at idom.es
Wed Jun 27 18:30:25 GMT 2007



I will install nss tomorrow as soon as I get to work and I will give feedback
of the experience. I hope the problem is there!

Thank you very much


Edmundo Valle Neto wrote:
> 
> mikelOn wrote:
>> I am using debian etch for the testing but I have had the same problem with
>> gentoo 2007.0. I used smbldap-populate (the admin user is "root" so no
>> parameters at all) and I also tried with "-u 50000 and -g 50000" so that
>> user ids do not overlap.
>>   
> 
> Probably you didn't configure something in all the distros.
> High ids are used principally in migrations when you don't want them to 
> clash with old ids (made who knows how).
> 
>> Do I need anything else (nss) if I am not authenticating *nix clients?
>>
>> getent passwd does not show the machine accounts, should they also be
>> there and not only in the ldap? I thought that was not necessary.
>>   
> 
> Yes, you do need NSS working. I don't know where exactly it breaks when 
> you don't have it. If you don't want to use posix accounts with samba 
> simply give them a null shell (set the loginShell attribute with 
> /bin/false) and they will not be able to be used (if you don't have 
> PAM configured, I doubt that you can use them too). (If I remember right 
> smbldap-tools in debian already creates accounts with a null shell)
> 
> Samba has an option called "ldap:trusted = yes", but I don't know if NSS 
> is really NOT USED even if you do that in recent versions of samba. 
> Maybe the developers can answer that.
> 
> Anyway the system uses NSS to resolve posix account names. And samba 
> needs posix accounts to map samba accounts.
> 
> In debian you install and configure the package libnss-ldap and set it 
> to be used in /etc/nsswitch.conf.
> 
> You can test NSS with "getent passwd" and "getent group", your accounts 
> in ldap must be visible then.
> 
> 
> Regards.
> 
> Edmundo Valle Neto
> 
>> I use the root user to join the machines and the smb query you suggest
>> works properly. I can even list the samba shares from the windows
>> machines.
>>
>> Thanks again
>>
>>
>> Edmundo Valle Neto wrote:
>>   
>>> What distro are you using?
>>> How did you populate it?
>>> I use Debian (it's a little different), but how did you configure NSS? 
>>> ("getent passwd" shows your machine accounts?)
>>> What user are you using to join? (if root, "smbclient -L localhost 
>>> -Uroot" works on the shell to list the shares?)
>>>
>>> Regards.
>>>
>>> Edmundo Valle Neto
>>>
>>> mikelOn wrote:
>>>     
>>>> I am not running nscd :(
>>>>
>>>> Thanks for your response
>>>>
>>>>
>>>> simo-7 wrote:
>>>>   
>>>>       
>>>>> On Wed, 2007-06-27 at 09:45 -0700, mikelOn wrote:
>>>>>     
>>>>>         
>>>>>>> About the samba attributes, when you add a machine account the script
>>>>>>> "add machine" must NOT ADD SAMBA ATTRIBUTES, only posix, samba does that
>>>>>>> alone. Refer to the idealx documentation (if you really want things to
>>>>>>> work properly, reading the documentation is not an option), it was
>>>>>>> already discussed here and the documentation explains how to configure
>>>>>>> that and how it should work.
>>>>>>>         
>>>>>>>             
>>>>>> I did set a debug level of 4 and what I saw was a NT_STATUS_NO_SUCH_USER
>>>>>> (or something alike) but no more specific details. The machine account
>>>>>> (posix) gets created automatically but the samba attributes are not added
>>>>>> by samba.
>>>>>>       
>>>>>>           
>>>>> look for nscd running, it may cache a negative response and samba never
>>>>> sees the created posix attributes in time to add samba stuff.
>>>>>
>>>>> Simo.
>>>>>
>>>>> -- 
>>>>> Simo Sorce
>>>>> Samba Team GPL Compliance Officer
>>>>> email: idra at samba.org
>>>>> http://samba.org
>>>>>
>>>>> -- 
>>>>> To unsubscribe from this list go to the following URL and read the
>>>>> instructions:  https://lists.samba.org/mailman/listinfo/samba
>>>>>
>>>>>
>>>>>     
>>>>>         
>>>>   
>>>>       
>>
>>   
> 

-- 
View this message in context: http://www.nabble.com/Samba-and-LDAP%3A-Trouble-adding-Win-XP-machines-to-the-domain-tf3981091.html#a11330033
Sent from the Samba - General mailing list archive at Nabble.com.
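
Added example, not part of the original thread: a small shell check for the three things the replies above point at, namely that /etc/nsswitch.conf lists ldap for passwd and group, that "getent passwd" resolves the machine account, and whether nscd is running. The script name and the machine account name 'wsxp01$' are constructed for illustration; "ldap" is the source name used by libnss-ldap.

```shell
#!/bin/sh
# Added example, not from the thread. Usage (script name is hypothetical):
#   sh check-nss.sh /etc/nsswitch.conf 'wsxp01$'
# 'wsxp01$' is a constructed machine account name; Samba machine accounts
# are posix accounts whose name ends in "$".

# nss_has_source FILE DATABASE SOURCE
# Succeeds if SOURCE is listed for DATABASE in an nsswitch.conf-style FILE.
nss_has_source() {
    awk -v db="$2" -v src="$3" '
        { sub(/#.*/, ""); sub(/:/, ": ") }   # drop comments; split "db:src"
        $1 == (db ":") {
            for (i = 2; i <= NF; i++)
                if ($i == src) found = 1
        }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# diagnose FILE ACCOUNT
# Returns non-zero if any check the thread relies on fails.
diagnose() {
    rc=0
    for db in passwd group; do
        if nss_has_source "$1" "$db" ldap; then
            echo "ok:   $db lookups include ldap"
        else
            echo "FAIL: $db does not list ldap in $1"; rc=1
        fi
    done
    # The posix side of the machine account must be visible through NSS.
    if getent passwd "$2" >/dev/null 2>&1; then
        echo "ok:   getent passwd resolves $2"
    else
        echo "FAIL: getent passwd cannot resolve $2"; rc=1
    fi
    # nscd is only a warning: it may serve a cached negative answer.
    if pgrep -x nscd >/dev/null 2>&1; then
        echo "warn: nscd is running and may cache a negative lookup"
    fi
    return "$rc"
}

if [ "$#" -eq 2 ]; then
    diagnose "$1" "$2"
fi
```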


