[Samba] user creation with samba-tool issue

Stéphane PURNELLE stephane.purnelle at corman.be
Thu Oct 24 08:04:07 MDT 2013


do what you want to do and let other do what he want to do.
-----------------------------------
Stéphane PURNELLE                         Systems and Network Admin.
IT Department              Corman S.A.           Tel : 00 32 (0)87/342467

samba-bounces at lists.samba.org wrote on 24/10/2013 15:50:52:

> From: Rowland Penny <rowlandpenny at googlemail.com>
> To: dahopkins at comcast.net,
> Cc: samba at lists.samba.org
> Date: 24/10/2013 15:51
> Subject: Re: [Samba] user creation with samba-tool issue
> Sent by: samba-bounces at lists.samba.org
> 
> On 24/10/13 14:16, dahopkins at comcast.net wrote:
> >
> > ----- Original Message -----
> > On 24/10/13 12:51, dahopkins at comcast.net wrote:
> >> ----- Original Message -----
> >> On Thu, 2013-10-24 at 02:48 +0000, dahopkins at comcast.net wrote:
> >>>>> I am creating a user with samba-tool. I am essentially using the
> >>>>> s4user script (very slight mods to echo some data and assign some
> >>>>> site-specific data).
> >>>>> The syntax in the script for a test user is
> >>>>> samba-tool add user test.user47 Passw0rd!
> >>>> Hi
> >>>> No, strange. It doesn't work if you specify it on the command line of
> >>>> the script but it does if you don't and type a password at the prompt.
> >>>> Is specifying the password at user creation time an option for you?
> >>>> Steve
> >>> I actually didn't try not using a password with the script. I didn't
> >>> want to delete that line of the script so I just echoed what the
> >>> password had been set to instead. I'll test removing the password and
> >>> typing it when prompted by the script. If this works, I guess it will
> >>> have to be the work-around for the moment .. though doing this for
> >>> 350+ accounts that need to be created isn't sounding very enticing.
> >>> Sincerely,
> >>> Dave
> >> 
> >> Hi, when you try to login, just where are you trying to log into? a
> >> windows machine or the samba 4 server?
> > We have LTSP servers that users log onto in addition to Windows
> > Terminal Servers, so both Linux and Windows.  Account creation does
> > work and it is possible as root to immediately use
> > su - AccountName
> > on a Linux system which logs in as that user.  However,
> > ssh AccountName at linuxserver
> > prompts for a password and that comes back with permission denied.
> > As mentioned, resetting the password in ADUC allows logins to work
> > correctly, whether Linux or Windows.
> This is what I am getting when trying to login via ssh, will have to try
> resetting the password in ADUC.
> >> Reason for asking is that I am using a similar script around samba-tool
> >> and whilst I can login from windows with a domain user & password, I
> >> seem to be struggling to login into the samba 4 server via ssh etc.
> > I am using nslcd+nscd+k5start and keytab files for the Linux logins
> > which is working well.
> >
> >> One last thing, I noticed that your script is adding the posixAccount
> >> objectClass, you do not need to do this. The posixAccount & posixGroup
> >> objectClasses are auxiliaries of the 'user' objectClass and as such are
> >> never added or required by windows.
> > My understanding is that I need these for Linux (e.g. rfc-2307)
> > compliance. I have that specified in the smb.conf file.
> >
> > Dave
> This seems to be everybody's understanding and it is wrong, if you open 
> /usr/local/samba/share/setup/ad-schema/MS-AD_Schema_2K8_Classes.txt in 
> your favourite editor and search for 'cn: User' you will find 
> 'auxiliaryClass: shadowAccount, posixAccount'. What this means is the 
> mustContain**, systemMustContain**, mayContain**, and
> systemMayContain** values of the auxiliary class are added to those of 
> the class, or in other words, you get the posix attributes without 
> adding the posixAccount objectclass. The same goes for posixGroup, it is
> an auxiliary of group.
> 
> Rowland
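
Added example (not part of the original thread and not Samba's own code): a small Python sketch of the auxiliaryClass behaviour described in the quoted reply above, where a class picks up the mustContain/mayContain attributes of its auxiliary classes. The sample schema text is constructed and abridged, and the record layout (blank-line separated "key: value" records) and the function names are assumptions made for illustration.

```python
import re

# Constructed, abridged sample in the assumed layout of the schema classes
# file: blank-line separated records of "key: value" lines. The attribute
# lists are shortened for illustration and are not a copy of the real file.
SAMPLE_SCHEMA = """\
cn: User
ldapDisplayName: user
subClassOf: organizationalPerson
auxiliaryClass: shadowAccount, posixAccount
mayContain: displayName, homePhone

cn: PosixAccount
ldapDisplayName: posixAccount
mayContain: uidNumber, gidNumber, unixHomeDirectory, loginShell, gecos

cn: ShadowAccount
ldapDisplayName: shadowAccount
mayContain: shadowLastChange, shadowMax, shadowExpire
"""

CONTAIN_KEYS = ("mustContain", "systemMustContain",
                "mayContain", "systemMayContain")


def parse_classes(text):
    """Return {ldapDisplayName: {key: [values]}} for each class record."""
    classes = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in record.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                entry.setdefault(key.strip(), []).extend(
                    v.strip() for v in value.split(",") if v.strip())
        name = entry.get("ldapDisplayName", [None])[0]
        if name:
            classes[name] = entry
    return classes


def own_attributes(entry):
    """Attributes listed directly on one class record."""
    return {a for k in CONTAIN_KEYS for a in entry.get(k, [])}


def effective_attributes(classes, name):
    """Own attributes plus those contributed by the auxiliary classes.
    Inheritance through subClassOf is deliberately not followed here."""
    attrs = own_attributes(classes[name])
    for aux in classes[name].get("auxiliaryClass", []):
        if aux in classes:  # auxiliaries missing from the sample are skipped
            attrs |= own_attributes(classes[aux])
    return attrs
```

Calling effective_attributes(parse_classes(SAMPLE_SCHEMA), "user") returns the posix and shadow attributes alongside the class's own, without posixAccount appearing in the entry's objectClass list.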

