[Samba] Verification on HOW adding a machines works

Wes Deviers wdevie at hrcsb.org
Fri Sep 18 08:43:52 MDT 2009


On my setup, I have libnss and libpam set to filter out machine POSIX accounts.  
All of my machine accounts have a UID higher than 10000, so I can filter it 
something like this:

nss_base_passwd dc=domain,dc=com?sub?&(uidNumber<=9999)
(objectClass=posixAccount)
nss_base_shadow dc=domain,dc=com?sub?&(uidNumber<=9999)
(objectClass=posixAccount)

Standard Linux utilities will never "see" machine accounts using NSS calls 
(like getent), but the accounts do exist and Samba doesn't seem to have a 
problem with them.  So I think you'll be okay.

Wes


On Thursday 17 September 2009 11:46:32 pm Todd E Thomas wrote:
> I'm straddling the half-way point between samba and ldap. When adding a 
> machine to the domain, functionally, it works like you would expect. You 
> enter in the domain, enter your credentials, and reboot. The computer is 
> able to function as a machine on the domain.
> 
> I'm using the smbldap-tools as suggested in the wiki. Here's the script:
> add machine script = /usr/sbin/smbldap-useradd -w -g 100 -c "Workstation 
> (%u)" -d /dev/null -s /sbin/nologin "%u"
> 
> When checking on details of the process:
> # getent passwd
> biggie$:x:1008:100:Workstation (biggie$):/nohome:/sbin/nologin
> (works for me)
> 
> # getent group | grep users
> users:x:100:
> (the machine is not listed as a member of the group)
> Should machines be displayed as a member of the group they are added to 
> like users?
> 
> 
> ldapsearch -x -b "dc=ptest,dc=us" "(objectclass=*)" | less
> # machines, ptest.us
> dn: ou=machines,dc=ptest,dc=us
> ou: machines
> objectClass: organizationalRole
> cn: machines
> (the ou that biggie is added to)
> 
> # BIGGIE$, machines, ptest.us
> dn: uid=BIGGIE$,ou=machines,dc=ptest,dc=us
> uid: BIGGIE$
> objectClass: sambaSamAccount
> objectClass: account
> displayName: BIGGIE$
> (biggie's ldap entry)
> 
> -- 
> Thanks for the assist,
> 
> Todd E Thomas
> C: 515.778.6913
> "It's a frail music knits the world together."
> -Robert Dana
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
> 



More information about the samba mailing list