[Samba] : Server's root name change when log-in

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed May 9 13:51:06 MDT 2012

On 05/09/12 09:57, Thibaut Jacob wrote:
> On 09/05/2012 15:27, Gaiseric Vandal wrote:
>> When you join the machine to the domain you should be prompted for
>> credentials of someone who has permission to join the computer to the
>> domain - this is normally the domain administrator or someone in the
>> domain administrators group. Users who are not domain administrators
>> should not be able to join machines to the domain.
>> You may also want to change your LDAP structure to get a little more
>> control, e.g. "ou=systeme" and "ou=temppeople" should be children of
>> "ou=people". You can configure your LDAP configuration to look for
>> users in "ou=people" and its children. "getent passwd" should still
>> list all the user accounts.
>> On 05/09/12 08:28, Thibaut Jacob wrote:
>>> Hi,
>>> I'm currently working on a server which uses Samba and OpenLDAP.
>>> The OS used on the server is Debian squeeze 6.0.1 64-bit; the previous
>>> one was Fedora 5.
>>> My Samba is the domain master of the network, the users in LDAP
>>> are linked with Samba, and I'm trying to join an XP computer to this
>>> domain, so that the users present in LDAP can (with login and
>>> password) log on to the domain, access shares, etc.
>>> LDAP schema:   ou=people
>>>                ou=group
>>>                ou=temppeople
>>>                ou=tempgroups
>>>                ou=systeme
>>> Samba is properly configured with libpam-ldap, libnss-ldap, smbldap-tools
>>> and the file /etc/nsswitch.conf with
>>> passwd files ldap
>>> group    files ldap
>>> shadow files ldap
>>> When using getent passwd, the server gets all the users from LDAP.
>>> But (and there is the problem): when trying to join the machine to
>>> the domain, how do I tell Samba that only my users in
>>> ou=systeme are the only ones able to join it? Because
>>> currently, anyone can join the domain and I don't want that.
>>> Another strange thing: when I try to join the domain with, for example,
>>> admin99 (which is present in ou=systeme), and then, on the
>>> server, open a terminal and log in as root (su - root) with the
>>> right root password, I get
>>> admin99@server, not root@server, and with ls -lh on a folder, files
>>> are owned by admin99:root.
>>> If I stop LDAP and, 2 minutes after, re-open a terminal and log in as
>>> root, everything comes back to normal.
>>> If you need more information, I can give it in the next mail.
>>> Regards.
> Hi, thanks for your response first.
> The structure dates from the beginning of the IUFM; this can't be changed
> so easily.
> In fact, in ou=systeme are the people who are (currently) able to
> join the domain from a workstation, and ou=temppeople is only there for
> 'new users who will not stay long'.
> This is done this way because there are some replication scripts
> between servers (in Perl) and the users in ou=temppeople should
> not be present in the master LDAP (there is one 'master' and several
> slaves, but in different locations).
> How can I tell Samba that only users in ou=systeme are able to be
> administrators of Samba?
> It's strange that the root name changes on the server after joining the
> domain, no?
> thanks
> -- 

For LDAP, as long as "getent passwd" shows your user and computer
accounts, that is what really matters.

Is Samba looking for users in your LDAP base (e.g.
dc=univ-orleans,dc=fr)? If so it will see all users. However it will
not distinguish between users in ou=people or ou=systeme. Any users
you wish to have administrator privileges should be added to the "Domain
Admins" group.

Verify that you have a group mapping for domain admins.

# net groupmap list | grep "Domain Admins"
Domain Admins (S-1-5-21-XXX-XXX-XXX-512 ) -> Domain Admins

I have a unix group in ldap called "Domain Admins" -  my unix system
allows groups with spaces in it.  I don't know if yours will. 

Verify with

  net rpc group MEMBERS  "Domain Admins" -U Administrator

However, even if you are a system administrator, you should not
normally be logged in as an admin-equivalent. Instead, you should
only use an admin-equivalent account when you specifically need it.

If you wish to allow some users to add machines to the domain but not
give them full admin privileges you should be able to grant the
SeMachineAccountPrivilege right.


I don't understand the "admin99" issue. You have a Samba user called
"admin99", and you use that to join a Windows machine to the
domain? Where are you opening a terminal from? What does "pdbedit
-Lv admin99" show?
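The checks suggested in the reply above (the "Domain Admins" group mapping, its members, and granting SeMachineAccountPrivilege instead of full admin rights), put together as a script. This is an added example, not code from the post or from the Samba project. It assumes a Samba 3 PDC with an LDAP passdb backend, the "net", "pdbedit" and "getent" tools on PATH, an "Administrator" account that is in "Domain Admins", and a group called "Machine Joiners" in a domain called "DOMAIN" (both names invented here) that should be allowed to add workstations. The duplicate-uid check at the end is not a diagnosis the post makes; it is an added check for the one NSS condition under which getpwuid(0) would stop answering "root".

```shell
#!/bin/sh
# Added example, not code from the original post or from the Samba project.
# Assumed environment (not stated on the page): a Samba 3 PDC with an LDAP
# passdb backend; "net", "pdbedit" and "getent" on PATH; an "Administrator"
# account in "Domain Admins"; and an LDAP/unix group "Machine Joiners" in
# domain "DOMAIN" (names invented here) that should add workstations
# without being domain admins.

# Print the RID (last SID component) of the NT group named in $1, reading
# `net groupmap list` output from stdin. Prints nothing if the group is unmapped.
groupmap_rid() {
    awk -v n="$1" '
        index($0, n " (S-1-5-21-") == 1 {
            sid = $0
            sub(/^[^(]*\(/, "", sid)   # drop the leading "Name ("
            sub(/[ )].*$/, "", sid)    # drop " ) -> unixgroup"
            nf = split(sid, p, "-")
            print p[nf]
            exit
        }'
}

# Succeed only when "Domain Admins" maps to the well-known RID 512; Samba
# treats members of that SID, not of any particular OU, as domain admins.
check_domain_admins_mapping() {
    [ "$(groupmap_rid 'Domain Admins')" = 512 ]
}

# List uid numbers that occur more than once in passwd-format input (stdin),
# e.g. from `getent passwd`, with the account names sharing them. Added check,
# not from the post: a second uid 0 in LDAP makes getpwuid(0) return that
# name instead of "root".
duplicate_uids() {
    awk -F: '{ seen[$3]++; names[$3] = names[$3] " " $1 }
        END { for (u in seen) if (seen[u] > 1) print u ":" names[u] }' | sort
}

# Live checks; run as root on the PDC.
verify_domain_admins() {
    if ! net groupmap list | check_domain_admins_mapping; then
        echo "Domain Admins is not mapped to RID 512; create the mapping with:" >&2
        echo "  net groupmap add ntgroup='Domain Admins' unixgroup='Domain Admins' rid=512 type=d" >&2
        return 1
    fi
    # The unix group behind the mapping must resolve through NSS (files/ldap).
    getent group 'Domain Admins' >/dev/null || {
        echo "unix group 'Domain Admins' not visible via getent" >&2; return 1; }
    net rpc group members 'Domain Admins' -U Administrator
}

# Grant only the right to add machine accounts, instead of Domain Admins
# membership, to the group given as DOMAIN\group.
grant_machine_join() {
    net rpc rights grant "$1" SeMachineAccountPrivilege -U Administrator
    net rpc rights list accounts -U Administrator
}

main() {
    verify_domain_admins
    grant_machine_join "$1"
    getent passwd | duplicate_uids      # empty output means no uid clashes
    pdbedit -Lv admin99                  # the account asked about in the thread
}

# Only touch the live domain when explicitly asked, e.g.:
#   sh join-rights.sh --live 'DOMAIN\Machine Joiners'
case "${1:-}" in
    --live) shift; main "$1" ;;
esac
```

The parsing functions take their input on stdin so they can be exercised against saved `net groupmap list` and `getent passwd` output before anything is changed on the PDC. Granting SeMachineAccountPrivilege only takes effect if privileges are enabled in smb.conf; on old Samba 3.0 releases that meant setting "enable privileges = yes" explicitly, later releases default to it.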
