Buchan Milne
2003-Jan-22 19:12 UTC
[Samba] Re: Can't add Machine account ( LDAP ) ... (solved)
> Message: 1
> Date: Tue, 21 Jan 2003 19:08:07 +0200
> From: "C.Lee Taylor" <leet@leenx.co.za>
> Organization: LeeNX
> To: samba@lists.samba.org
> Subject: [Samba] Re: Can't add Machine account ( LDAP ) ...
>
> Just got bitten in the ass by not being able to join the domain with
> 2.2.7a
>
> Correct me if I am wrong, Jerry did give me a quick explanation. It
> has to do with usernames and what allowable characters in it for security.
>

It was basically dismissing the weird entry as a security mechanism in the logging/DEBUG code, it shouldn't have affected the script.

> Now, I need to fix this, does anybody have a patch/fix or tell me where
> to look in the source to try and fix this.
> Finally was able to find the freaking message ... but I think that
> this might be something else ...
>

OK, I am looking at this now ...

Hmmm, after a bit of debugging work, I found that I could not join as a domain admin, but could join as root, and that was due to wrong perms on the smbldap-tools, essentially a non-root domain admin did not have permission to run the 'add user script' (due to a new setup where we hadn't fixed the perms).

It seems to work now ...

>
> I really need domain joining, or at least a work around for it ...
> Please help me!!!

If you have the smbldap tools set up, then you should be able to pre-create machine accounts. On Mandrake, we have them in /usr/share/samba/scripts, so I would run something like this:

    # /usr/share/samba/scripts/smbldap-useradd.pl -w -c "Samba Machine Account" -s /bin/false -d /dev/null -g machines machine$

(the equivalent of the script you would have as a 'add user script' in smb.conf, just replacing the macros).

Then you should be able to join with any domain admin account.

Now, if the user you are going to join as can run the script (requires rx perms on the scripts):

    [root@hercules bgmilne]# ll /usr/share/samba/scripts/
    total 112
    -rwx------    1 root     domadm       1720 Jan 14 02:29 export_smbpasswd.pl*
    -rwx------    1 root     domadm       3498 Jan 14 02:29 import_smbpasswd.pl*
    -rwxr-xr-x    1 root     domadm       1703 Jan 14 02:29 print-pdf*
    lrwxrwxrwx    1 root     domadm         26 Jan 17 16:24 smbldap_conf.pm -> /etc/samba/smbldap_conf.pm
    -rwxr-x---    1 root     domadm       2389 Jan 14 02:29 smbldap-groupadd.pl*
    -rwxr-x---    1 root     domadm       2369 Jan 14 02:29 smbldap-groupdel.pl*
    -rwxr-x---    1 root     domadm       5362 Jan 14 02:29 smbldap-groupmod.pl*
    -rwxr-x---    1 root     domadm       1821 Jan 14 02:29 smbldap-groupshow.pl*
    -rwxr-x---    1 root     domadm       6923 Jan 14 02:29 smbldap-migrate-accounts.pl*
    -rwxr-x---    1 root     domadm       4874 Jan 14 02:29 smbldap-migrate-groups.pl*
    -rwxr-x---    1 root     domadm       4994 Jan 14 02:29 smbldap-passwd.pl*
    -rwxr-x---    1 root     domadm       7147 Jan 14 02:29 smbldap-populate.pl*
    -rw-r--r--    1 root     domadm      11685 Jan 14 02:29 smbldap_tools.pm
    -rwxr-x---    1 root     domadm      13439 Jan 14 02:29 smbldap-useradd.pl*
    -rwxr-x---    1 root     domadm       2913 Jan 14 02:29 smbldap-userdel.pl*
    -rwxr-x---    1 root     domadm      10697 Jan 14 02:29 smbldap-usermod.pl*
    -rwxr-x---    1 root     domadm       1762 Jan 14 02:29 smbldap-usershow.pl*

And something like this on the config file:

    [root@hercules bgmilne]# ll /etc/samba/smbldap_conf.pm
    -rw-r-----    1 root     domadm       6947 Jan 17 22:02 /etc/samba/smbldap_conf.pm

Then any member of domadm (assuming @domadm is in the 'domain admin users' list in smb.conf) should be able to join a machine.

OK, this means I just need to verify some issues (like testing password changes on referrals, which I may be able to do tomorrow or Friday) and we will have new samba packages for Mandrake ... hopefully by the weekend at the latest.

If anyone has a setup to test large file support (smbtar, smbclient, files > 4GB) on Mandrake 8.0, 8.2 or 9.0, please contact me and I will get you a set of RPMs that have the two fixes applied.

FYI:

    [root@hercules bgmilne]# rpm -q samba-server-ldap
    samba-server-ldap-2.2.7a-3mdk

Sorry for the false alarm Jerry ...

Buchan

--
|--------------Another happy Mandrake Club member--------------|
Buchan Milne                Mechanical Engineer, Network Manager
Cellphone * Work             +27 82 472 2231 * +27 21 8828820x121
Stellenbosch Automotive Engineering         http://www.cae.co.za
GPG Key                   http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1  72D6 AC92 BA50 60D2 04A7
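
The permission state described in the message above can be checked before attempting a join. The script below is an added example, not part of the original post or of smbldap-tools; the function names are hypothetical, and the directory, config path and group are passed as arguments (on the poster's system: /usr/share/samba/scripts, /etc/samba/smbldap_conf.pm and domadm).

```shell
#!/bin/sh
# Added example (not from the original post): check that a non-root member of
# the admin group can run the smbldap scripts Samba calls as 'add user script',
# and that nothing is open wider than the modes shown in the listing.

# has_perm FILE OCTAL: true when every bit in OCTAL is set on FILE.
has_perm() { [ -n "$(find -L "$1" -prune -perm "-$2" 2>/dev/null)" ]; }
# in_group FILE GROUP: true when FILE's group owner is GROUP (name or gid).
in_group() { [ -n "$(find -L "$1" -prune -group "$2" 2>/dev/null)" ]; }

audit_smbldap_perms() {
    dir=$1; conf=$2; grp=$3; bad=0
    for f in "$dir"/smbldap-*.pl; do
        if [ ! -e "$f" ]; then
            echo "FAIL: no smbldap-*.pl scripts found in $dir"; return 2
        fi
        if ! in_group "$f" "$grp"; then
            echo "FAIL $f: group owner is not $grp"; bad=1
        fi
        if ! has_perm "$f" 050; then
            echo "FAIL $f: group lacks r-x, non-root admin cannot run it"; bad=1
        fi
        if has_perm "$f" 002; then
            echo "FAIL $f: world-writable"; bad=1
        fi
    done
    # The scripts load the config; the group must read it, others must not.
    if ! in_group "$conf" "$grp" || ! has_perm "$conf" 040; then
        echo "FAIL $conf: not readable by group $grp"; bad=1
    fi
    if has_perm "$conf" 004; then
        echo "FAIL $conf: world-readable"; bad=1
    fi
    return "$bad"
}

# Run directly as: sh audit.sh DIR CONF GROUP
if [ "$#" -eq 3 ]; then audit_smbldap_perms "$@"; fi
```

The function returns 0 when every script is group-owned with r-x for the group and the config is group-readable only, 1 on any deviation, and 2 when no scripts are found.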