[Samba] user creation with samba-tool issue
rowlandpenny at googlemail.com
Thu Oct 24 10:46:52 MDT 2013
On 24/10/13 17:28, steve wrote:
> On Thu, 2013-10-24 at 14:50 +0100, Rowland Penny wrote:
>> On 24/10/13 14:16, dahopkins at comcast.net wrote:
>>> ----- Original Message -----
>>> On 24/10/13 12:51, dahopkins at comcast.net wrote:
>>>> ----- Original Message -----
>>>> On Thu, 2013-10-24 at 02:48 +0000, dahopkins at comcast.net wrote:
>>>>>>> I am creating a user with samba-tool. I am essentially using the s4user script (very slight mods to echo some data and assign some site-specific data).
>>>>>>> The syntax in the script for a test user is
>>>>>>> samba-tool add user test.user47 Passw0rd!
>>>>>> No, strange. It doesn't work if you specify it on the command line of
>>>>>> the script but it does if you don't and type a password at the prompt.
>>>>>> Is specifying the password at user creation time an option for you?
>>>>> I actually didn't try not using a password with the script. I didn't want to delete that line of the script so I just echoed what the password had been set to instead. I'll test removing the password and typing it when prompted by the script. If this works, I guess it will have to be the work-around for the moment .. though doing this for 350+ accounts that need to be created isn't sounding very enticing.
>>>> Hi, when you try to login, just where are you trying to log into? a
>>>> windows machine or the samba 4 server?
>>> We have LTSP servers that users log onto in addition to Windows Terminal Servers, so both Linux and Windows. Account creation does work and it is possible as root to immediately use
>>> su - AccountName
>>> on a Linux system which logs in as that user. However,
>>> ssh AccountName at linuxserver
>>> prompts for a password and that comes back with permission denied. As mentioned, resetting the password in ADUC allows logins to work correctly, whether Linux or Windows.
>> This is what I am getting when trying to login via ssh, will have to
>> try resetting the password in ADUC.
>>>> Reason for asking is that I am using a similar script around samba-tool
>>>> and whilst I can login from windows with a domain user & password, I
>>>> seem to be struggling to login into the samba 4 server via ssh etc.
>>> I am using nslcd+nscd+k5start and keytab files for the Linux logins which is working well.
>>>> One last thing, I noticed that your script is adding the posixAccount
>>>> objectClass, you do not need to do this. The posixAccount & posixGroup
>>>> objectClasses are auxiliaries of the 'user' objectClass and as such are
>>>> never added or required by windows.
>>> My understanding is that I need these for Linux (e.g. rfc-2307) compliance. I have that specified in the smb.conf file.
>> This seems to be everybody's understanding and it is wrong, if you
>> open /usr/local/samba/share/setup/ad-schema/MS-AD_Schema_2K8_Classes.txt in your favourite editor and search for 'cn: User' you will find 'auxiliaryClass: shadowAccount, posixAccount'. What this means is the mustContain, systemMustContain, mayContain, and
>> systemMayContain values of the auxiliary class are added to those of
>> the class, or in other words, you get the posix attributes without
>> adding the posixAccount objectclass. The same goes for posixGroup, it
>> is an auxiliary of group.
> Rowland is correct, we do not need to add the posixAccount class.
> However, the OP is using nslcd and without it, we need to filter on user
> and group classes 'behind' the DN. In large domains, this slows down the
> lookup. I think this will be fixed in later versions of nss-ldapd so
> maybe meanwhile...
Hi Steve, if nss-ldapd relies on the posix objectClasses, then in my
opinion, against an AD server it is broken.
Any Linux tool that you use against a Samba4 must also work against a
windows server WITHOUT any modifications, sorry to say but samba-tool
fails on this at the moment because it adds the totally un-needed posix
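The point Rowland makes about auxiliary classes can be checked mechanically: an object of class 'user' may carry the mustContain/systemMustContain/mayContain/systemMayContain attributes of every auxiliaryClass (and of every class up the subClassOf chain) without posixAccount ever appearing in its objectClass values. The script below is an added illustration, not code from this thread or from Samba. It parses a constructed, heavily simplified schema excerpt written in the "key: value" record style of the MS-AD_Schema_2K8_Classes.txt file mentioned above (the real file has many more keys and records) and resolves the effective attribute set of a class by walking subClassOf and auxiliaryClass links.

```python
"""Resolve the effective attribute set of an AD schema class.

SAMPLE_SCHEMA is a constructed, simplified excerpt in the style of the
Samba/MS-AD schema text files: records separated by blank lines,
"key: value" lines, comma-separated multi-valued fields. It is not the
real schema; only the linkage it shows (user -> posixAccount via
auxiliaryClass) mirrors the actual file.
"""
from collections import defaultdict

SAMPLE_SCHEMA = """\
cn: Top
ldapDisplayName: top
systemMayContain: objectClass, cn, description

cn: Person
ldapDisplayName: person
subClassOf: top
systemMustContain: cn
systemMayContain: sn, telephoneNumber

cn: Organizational-Person
ldapDisplayName: organizationalPerson
subClassOf: person
systemMayContain: givenName, mail

cn: Posix-Account
ldapDisplayName: posixAccount
subClassOf: top
objectClassCategory: 3
mustContain: uid, uidNumber, gidNumber, homeDirectory
mayContain: loginShell, gecos, unixHomeDirectory

cn: Shadow-Account
ldapDisplayName: shadowAccount
subClassOf: top
objectClassCategory: 3
mustContain: uid
mayContain: shadowLastChange, shadowMax

cn: User
ldapDisplayName: user
subClassOf: organizationalPerson
auxiliaryClass: shadowAccount, posixAccount
systemMayContain: sAMAccountName, userPrincipalName, unicodePwd
"""

# Attribute-bearing keys and the keys that link a class to other classes.
ATTR_KEYS = ("mustContain", "systemMustContain", "mayContain", "systemMayContain")
LINK_KEYS = ("subClassOf", "auxiliaryClass", "systemAuxiliaryClass")


def parse_schema(text):
    """Return {ldapDisplayName: {key: [values]}} from blank-line separated records."""
    classes = {}
    record = defaultdict(list)
    for raw in text.splitlines() + [""]:  # trailing "" flushes the last record
        line = raw.strip()
        if not line:
            if "ldapDisplayName" in record:
                classes[record["ldapDisplayName"][0]] = dict(record)
            record = defaultdict(list)
            continue
        key, _, value = line.partition(":")
        record[key.strip()].extend(v.strip() for v in value.split(",") if v.strip())
    return classes


def effective_attributes(classes, name, _seen=None):
    """Attributes an object of class `name` may carry.

    Walks subClassOf (inheritance) and auxiliaryClass links, so the
    attributes of an auxiliary class are folded in without that class
    ever having to appear in the object's objectClass values.
    """
    seen = _seen if _seen is not None else set()
    if name not in classes or name in seen:  # unknown class or cycle guard
        return set()
    seen.add(name)
    entry = classes[name]
    attrs = set()
    for key in ATTR_KEYS:
        attrs.update(entry.get(key, []))
    for key in LINK_KEYS:
        for linked in entry.get(key, []):
            attrs |= effective_attributes(classes, linked, seen)
    return attrs


def needs_extra_objectclass(classes, name, attribute):
    """False when `attribute` is already reachable from class `name` alone."""
    return attribute not in effective_attributes(classes, name)


if __name__ == "__main__":
    schema = parse_schema(SAMPLE_SCHEMA)
    for attr in ("uidNumber", "gidNumber", "loginShell", "shadowMax"):
        reachable = not needs_extra_objectclass(schema, "user", attr)
        print(f"{attr}: reachable from plain 'user' objectClass = {reachable}")
```

Run against the real schema text, the same walk tells you which RFC 2307 attributes a 'user' or 'group' object already accepts, which is the check to make before a provisioning script adds posixAccount or posixGroup to objectClass.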