[Samba] Active Directory 'add machine script' parameter

Rowland Penny rowlandpenny at googlemail.com
Mon Jun 23 08:12:32 MDT 2014

On 23/06/14 14:56, Quentin Gibeaux wrote:
> On 23/06/2014 15:20, Rowland Penny wrote:
>> On 23/06/14 14:02, Quentin Gibeaux wrote:
>>> On 23/06/2014 14:22, Rowland Penny wrote:
>>>> On 23/06/14 13:05, Quentin Gibeaux wrote:
>>>>> On 23/06/2014 12:27, Rowland Penny wrote:
>>>>>> Just what else are you likely to want to do after adding a 
>>>>>> machine account? 
>>>>> Adding hostname/IP in some list that is used by my interface to 
>>>>> manage static DHCP leases and accesses. This interface doesn't 
>>>>> manage only machines that are added to the domain; that's why it's 
>>>>> not listing them by requesting LDAP.
>>>> Are you wanting/trying to add machines' DNS details to AD DNS for 
>>>> machines that are not joined to the domain ??
>>>> If so, I cannot recommend doing this; the only machines that should 
>>>> be in AD are machines joined to the domain.
>>> No, that's not what I meant. I'm not trying to include my stuff in 
>>> AD, but to connect AD to my stuff.
>> Er, but no, I think that you will find that you have to do it the 
>> other way round: connect your stuff to AD.
>>> I'll try to keep AD clean with AD machines, but on my own interface 
>>> I've both AD machines and not. 
>> Just what do you mean by 'my own interface' ?? Are you referring to 
>> your DNS domain or something else?
> I've a frontend web interface that manages hosts (name, IP, in domain 
> or not, and so on). I can add/remove/edit them. It then runs in the 
> backend what needs to be run (joining the domain, changing the DHCP lease, and 
> so on). Adding a machine to the domain through this interface 
> still requires joining the domain on the host (for password matters), 
> but the computer exists in AD.

I take it that this web interface runs on the samba host and what you 
are actually doing is pre-creating the machine account.

> What I was doing on S3, and am trying to still do with S4, is to feed 
> my configuration when adding a machine to the domain through Windows' 
> interface: when added, it adds the machine to my general hosts' list 
> (AD and not in AD), automatically creates a static DHCP lease, adds a DNS 
> entry (not necessary now, I think), and so on.

You can pre-create machine accounts in AD, but it requires the use of 
LDIFs on Unix. I think that you are going to have to forget the 'AD 
and not in AD' bit, or at least change it to 'add to AD' and 'add to 
somewhere else'.

> So two ways to add a machine to the domain: through my web frontend, 
> and through Samba. Both had the same effect on the server and the web 
> interface because of the 'add machine script' call.

As I said earlier, you need to do things differently with AD from what 
you did in the past with your NT4-style PDC. As for your 'web 
interface', you could try downloading and installing (on a Windows 
client) the RSAT tools and then running ADUC; I think that this will do most 
of what you are doing now.


>>> I think I'll stay with my own BIND with the bind_dlz backend: is it 
>>> still not recommended to have DNS entries that aren't referenced as 
>>> AD hosts?
>> If you want to use samba4 with bind9 and dhcp, I can help you there, 
>> but you still shouldn't have machines in the AD DNS zone that are not 
>> joined to the AD; the recommended way is to put your AD in a sub-zone 
>> of your domain, i.e. if your DNS domain is 'example.com', use 
>> 'samba.example.com' for your AD domain.
>>> But the main point was the DHCP leases: I used 'add machine script' 
>>> to update my dhcpd server's configuration to add a lease for this new 
>>> host.
>>> It was great because it was automatic, due to the fact that samba 
>>> was calling the script after adding a machine to the domain, but if 
>>> there's no such trigger anymore, I'll find something else.
>> You can use the 'net' command to join a machine to AD; this should 
>> add your machine to the AD forward zone. Or there is msktutil or 
>> realmd available, neither of which I have tried, but both have their 
>> fans, so could be worth trying.
>> Rowland
>>>>> So in fact, what I was doing was calling my script with %I (IP 
>>>>> address) and %u (user, but here hostname) to work with my backend.
>>>> If on the other hand, you are not doing what I think you are doing, 
>>>> you could try scripting around 'samba-tool dns', see 'samba-tool 
>>>> dns --help' for more info.
>>> I'll take a look at it, but the main problem is to launch it 
>>> automatically.
>>>> Rowland
>>> Quentin Gibeaux
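The hook Quentin describes (a hostname and IP handed to a script that writes a static DHCP lease and a DNS entry), written as an added shell example that is not part of this thread. It validates the values before they are spliced into dhcpd.conf, since they arrive from a web frontend, and builds the 'samba-tool dns add' invocation Rowland points to; the DC name, zone and ISC dhcpd syntax are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Replaces the old
# 'add machine script' hook: given hostname, MAC and IP it emits a
# static ISC dhcpd 'host' stanza and the samba-tool command that would
# add the forward A record. Values are validated first because they
# come from a web frontend and end up inside dhcpd.conf.
DNS_SERVER="localhost"          # assumed: the Samba AD DC
DNS_ZONE="samba.example.com"    # AD sub-zone suggested in the thread

valid_hostname() {
    # NetBIOS-compatible: 1-15 chars, letters/digits/hyphen, no leading hyphen
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9-]{0,14}$'
}

valid_mac() {
    printf '%s' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

valid_ipv4() {
    # four dotted octets, each 0-255
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for o in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

dhcp_host_entry() {
    # $1=hostname $2=mac $3=ip -> prints a dhcpd.conf host block, or fails
    valid_hostname "$1" && valid_mac "$2" && valid_ipv4 "$3" || return 1
    printf 'host %s {\n  hardware ethernet %s;\n  fixed-address %s;\n}\n' \
        "$1" "$2" "$3"
}

dns_add_cmd() {
    # $1=hostname $2=ip -> prints the samba-tool invocation to run
    valid_hostname "$1" && valid_ipv4 "$2" || return 1
    printf 'samba-tool dns add %s %s %s A %s\n' \
        "$DNS_SERVER" "$DNS_ZONE" "$1" "$2"
}
```

Append the stanza to the dhcpd include file and run the printed command only after both functions succeed, so a rejected value leaves neither dhcpd nor AD DNS touched.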
