[Samba] : Server's root name change when log-in

Thibaut Jacob thibaut.jacob at univ-orleans.fr
Wed May 9 07:57:17 MDT 2012


On 09/05/2012 15:27, Gaiseric Vandal wrote:
> When you join the machine to the domain you should be prompted for
> credentials of someone who has permissions to join the computer to the
> domain - this is normally the domain administrator or someone in the
> domain administrators group. Users who are not domain administrators
> should not be able to join machines to the domain.
>
> You may also want to change your LDAP structure to get a little more
> control, e.g. "ou=systeme" and "ou=temppeople" should be children of
> "ou=people". You can configure your ldap configuration to look for
> users in "ou=people" and its children. "getent passwd" should still
> list all the user accounts.
>
> On 05/09/12 08:28, Thibaut Jacob wrote:
>> Hi,
>>
>> I'm currently working on a server which uses Samba and OpenLDAP.
>> The OS used on the server is Debian squeeze 6.0.1 64-bit; the previous was
>> Fedora 5.
>>
>> My Samba is the domain master of the network, the users of the LDAP
>> are linked with Samba, and I try to join XP computers to this domain,
>> so the users present in the LDAP can (with login and password) log
>> on to the domain, access shares etc.
>>
>> LDAP schema:  ou=people
>>               ou=group
>>               ou=temppeople
>>               ou=tempgroups
>>               ou=systeme
>>
>> Samba is well configured with libpam-ldap, libnss-ldap, smb-ldaptools
>> and the file /etc/nsswitch.conf with
>> passwd files ldap
>> group    files ldap
>> shadow files ldap
>>
>> When using getent passwd, the server gets all the users of the LDAP.
>>
>> But (and there is the problem): when trying to join the machine to
>> the domain, how do I tell Samba that only my users in
>> ou=systeme are the only ones able to join it? Because
>> currently, anyone can join the domain and I don't want that.
>>
>> Other strange thing: when I try to join the domain with, for example,
>> admin99 (which is present in the ou=systeme), then when I'm on the
>> server, open a terminal and log in as root (su - root) with the
>> right password of root, I obtain:
>> admin99@server, not root@server, and with an ls -lh on a folder, files
>> are owned by admin99:root
>>
>> If I stop LDAP 2 minutes after, and re-open a terminal and log in as
>> root, everything comes back to normal.
>>
>> If you need more information, I can give it in the next mail.
>>
>> Regards.
>>
>>
>>
Hi, thanks for your response first.

The structure is from the beginning of the IUFM; this can't be changed so
easily.
In fact, in ou=system are the people who are (currently) able to join
the domain for a workstation, and ou=temppeople is only here for 'new
users which will not stay long'.

This is done this way because there are some replication scripts between
servers (in Perl) and the users in ou=temppeople should not be
present in the master LDAP (there is one 'master' and several slaves,
but in different locations).

How can I tell Samba that only users in ou=systeme are able to be
administrators of the Samba?

It's strange that the root name changes on the server after joining the
domain, no?

Thanks
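A numeric UID shared by a local /etc/passwd entry and an LDAP account is one common cause of a uid-0 lookup resolving to an unexpected name only while LDAP is reachable. The check below is an added example, not code from this thread: it reads passwd-format lines (such as the merged output of `getent passwd`) and reports any UID that maps to more than one account name; the sample data is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): find numeric UIDs that resolve to more
# than one account name in passwd-format input, e.g. the merged output of
# `getent passwd` when nsswitch.conf lists both "files" and "ldap".
# Input: passwd lines on stdin.  Output: one "uid: name1 name2 ..." line per
# duplicate UID, sorted by UID; no output when every UID is unique.
find_duplicate_uids() {
    awk -F: '
        NF >= 3 {
            uid = $3
            # The same account listed by two sources is not a conflict;
            # only record a name once per UID.
            if (index(" " names[uid] " ", " " $1 " ") == 0)
                names[uid] = (names[uid] == "") ? $1 : names[uid] " " $1
        }
        END {
            for (uid in names)
                if (split(names[uid], parts, " ") > 1)
                    printf "%s: %s\n", uid, names[uid]
        }
    ' | sort -n
}

# Constructed sample resembling `getent passwd` on a host where an LDAP
# account (admin99) carries the same uidNumber as the local root entry.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
admin99:x:0:0:Admin 99:/home/admin99:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash'

# Runs the check against the constructed sample; prints "0: root admin99".
check_sample() {
    printf '%s\n' "$SAMPLE_PASSWD" | find_duplicate_uids
}

# On a live server, run the check against the real NSS view:
#   getent passwd | find_duplicate_uids
```

With `passwd: files ldap`, `getent passwd` enumerates both sources, so a collision shows up here even when a single `getpwuid()` call happens to return the local entry.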
