[Samba] sssd / classicupgrade / computer accounts

steve steve at steve-ss.com
Thu Jan 23 03:42:55 MST 2014

On Thu, 2014-01-23 at 10:32 +0100, mourik jan heupink wrote:
> Hi Steve, list,
> > The only way I know is to remove:
> > objectClass: posixAccount
> > from your machine objects.
> >
> > As it shouldn't be there in the first place I'd advise removing it now.
> > HTH
> > Steve
> Right, and then configure sssd to look for posixAccounts.

No. You do not need to do that as it is the default. The sssd backend
will take are of the retrieval (or otherwise) of that attribute. Simply
make sure that is not visible under the DN of either users nor
computers. Both the old sssd config based on the rfc2307bis schema and
more recently, the superb new AD backend based on, erm, the AD schema
are perfectly aware of how AD works. If you can get your hands on the
latest 1.11.3 version of sssd you really are getting toward install and
> But if you say that the posixAccount should not be there 'in the first 
> place', is this then a bug in the classicupgrade..?

It's a known issue but it's not fatal. Just annoying. The classicupgrade
script also adds posixAccount to users which should also not be
> Searching the net for sample AD ldif's, I can see that computer accounts 
> generally do not have the posixAccount objectClass. I'll try extending 
> my php script to remove it.

Yes. I'd recommend you do that. It's there anyway, so why add it again?
M$ AD does not add it so neither should we.
> I feel that there is quite a bit of room for improvement in the 
> classicupgrade procedure.

I think it's quite an achievement. Given the very different nature of NT
and AD domains, that the devs have got anywhere near it is worthy of
>  Unfortunately I'm no programmer, so can't add 
> anything to classicupgrade, but I'll post my php script here, so others 
> can perhaps benefit from it.
Thanks. I'm sure that anything you can share here be most welcome.
> Regards and thanks,
> MJ
Good to have another sssd user on board.

More information about the samba mailing list