Re [Samba] LDAP adding workstation accounts fails (but
not really???)
Adam Williams
awilliam at mdah.state.ms.us
Thu Feb 28 15:01:12 GMT 2008
you need in ldap.conf:
nss_base_passwd ou=People,dc=iwu,dc=edu?one
nss_base_passwd ou=Computers,dc=iwu,dc=edu?one
and then see if you can su -l testing\$
(it should complain about no home directory but let you su to the user)
Pat Riehecky wrote:
> Hello,
>
> Still hitting the same wall, (Oh yeah, uhh... Debian linux samba
> packages from SID)
>
> # net rpc join -S TESTING -U root%password
> Creation of workstation account failed
> Unable to join domain TESTING
>
> dn: uid=testing$,ou=Computers,dc=iwu,dc=edu
> objectClass: top
> objectClass: account
> objectClass: posixAccount
> cn: testing$
> uid: testing$
> uidNumber: 1001
> gidNumber: 515
> homeDirectory: /dev/null
> loginShell: /bin/false
> description: Computer
> gecos: Computer
>
> my /etc/ldap/ldap.conf reads (it has been hard linked to /etc/ldap.conf)
>
> # cat ldap.conf
> URI ldap://127.0.0.1
> BASE dc=iwu,dc=edu
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> pam_crypt local
> nss_base_passwd dc=iwu,dc=edu?sub
>
> Here are the ldap lines from my smb.conf
> passdb backend = ldapsam:ldap://localhost
> ldap group suffix = ou=Group
> ldap idmap suffix = ou=Idmap
> ldap machine suffix = ou=Computers
> ldap passwd sync = Yes
> ldap suffix = dc=iwu,dc=edu
> ldap ssl = no
> ldap user suffix = ou=People
>
> Seems like I have missed something.... Just not sure what
> Pat
>
> On Tue, 2008-02-26 at 13:30 -0800, Dirk Kleinhesselink wrote:
>
>> On Tue, 26 Feb 2008, Pat Riehecky wrote:
>>
>> Assuming you're running linux or a similar sytem (nsswitch) - I think
>> you need to set the search scope for your LDAP lookups. In my
>> /etc/ldap.conf (the nsswitch ldap search configuration) I have:
>>
>> nss_base_passwd set to my base DN with scope sub:
>>
>> nss_base_passwd dc={},dc={}?sub
>>
>> The default is to do something like:
>>
>> nss_base_passwd ou=People,dc={}.dc={}?one
>>
>> In my case People and Computers are underneath the base and so the passwd
>> search starts at the base and seeks down.
>>
>> Then in my smb.conf I have the ldap suffix set to my LDAP base
>> and the ldap user suffix is set to: ou=People and
>> ldap machine suffix to: ou=Computers
>>
>> Dirk
>>
>>
>>> I very much appreciate the help thus far, but I think it has strayed a
>>> bit from the actual problem.
>>>
>>> The problem is that when I join a system to the samba domain it
>>> creates /some/ but not all of the required attributes for the computer
>>> account. The process then fails as samba looks in the wrong part of my
>>> directory server. I would strongly prefer to put the workstation
>>> accounts in their own tree (ou=Computers). I added the relevant bits to
>>> the smb.conf for this to happen (ldap machine suffix = ou=Computers) and
>>> restarted samba. Yet the debug logs show me that, while it executes the
>>> machine add script just fine, it is still looking in ou=People. As a
>>> leap into absurdity I even rebooted the whole box (in case a shared
>>> memory segment was somehow hanging about), still the samba binary is
>>> convinced my computer accounts live in ou=People. The process becomes
>>> more odd when I can see in the debug log that the samba binary has
>>> successfully read in my machine suffix.
>>>
>>> I find this a bit unusual.
>>> Pat
>>>
>>> On Tue, 2008-02-26 at 09:03 -0800, Chuck Kollars wrote:
>>>
>>>>> ...Yet, if I search LDAP after the join attempt I
>>>>> find: dn: uid=testing$,ou=Computers,dc=iwu,dc=edu
>>>>>
>>>> This convention of a "workstation" account being the
>>>> same as a "people" account except with a dollar sign
>>>> appended to the name is the way Windows works.
>>>> Weird?Yes. Looks wrong?Yes. Needs "fixing"?Maybe Not.
>>>>
>>>>
>>>>> ...My LDAP logs show it is searching ou=People
>>>>> rather than ou=Computers to see if it was added
>>>>> successfully. What must I do to make it search
>>>>> ou=Computers? ...
>>>>>
>>>> Unfortunately it's pretty easy and pretty common to
>>>> use LDAP in a way that doesn't match the "usual" human
>>>> definitions of some words. This isn't necessarily
>>>> wrong though. If an operation doesn't work, definitely
>>>> dig in. But if an operation "works" but appears to use
>>>> words differently than your definitions, it may not be
>>>> a problem.
>>>>
>>>> Every LDAP tool has its own settings. Change it for
>>>> one tool, and it will still behave the old way for
>>>> other tools.
>>>>
>>>> For `ldapsearch`, there are several settings, the
>>>> later of which override the earlier. One is "base" in
>>>> a file named something like /etc/openldap/ldap.conf.
>>>> This may be overridden by a command line parameter to
>>>> `ldapsearch`.
>>>>
>>>> For LDAP name service lookups (if enabled in
>>>> /etc/nsswitch.conf), again there's "base" but this
>>>> time in /etc/ldap.conf (a separate file but with a
>>>> name very similar to the first one). Sometimes you'll
>>>> also find "nss_base_hosts", which takes precedence if
>>>> it exists. There may also be a setting on pam_ldap.so.
>>>>
>>>>
>>>> etc.
>>>>
>>>>
>>>>> Now the other half of the question, the part you
>>>>> didn't ask, which is not where to "search" but
>>>>> where to "store". (Obviously storing in one place
>>>>> but searching in the other won't work at all.
>>>>> Both storing and searching in the "wrong" place
>>>>> may work perfectly well for Samba, yet might be
>>>>> inconsistent with some of your other tools and
>>>>> procedures.)
>>>>>
>>>> Unfortunately there are a gazillion different ways to
>>>> update an LDAP database and they all work differently
>>>> and are all configured differently. Are you using some
>>>> scripts, or a web application like 'phpldapadmin', or
>>>> the `ldapadd` command, or ...; and are you calling it
>>>> explicitly or letting it be called from within Samba
>>>> via the 'add machine' parameter?
>>>>
>>>> good luck!
>>>>
>>>>
>>>> -Chuck Kollars
>>>>
>>>>
>>>> ____________________________________________________________________________________
>>>> Looking for last minute shopping deals?
>>>> Find them fast with Yahoo! Search. http://tools.search.yahoo.com/newsearch/category.php?category=shopping
>>>>
>>>>
>>>
>
>
More information about the samba
mailing list