System_Administrator@koppersarch.co.nz
2003-Aug-05 05:38 UTC
[Samba] Samba 3 + PDC + LDAP machine accounts
Hiya all, this should hopefully be a simple question.

I've noticed that there is a setting:

ldap machine suffix

allowing you to put all the machine accounts in a different tree in your LDAP directory (which is a definite plus). However, I note that it is almost impossible to do so.

Has anyone done this (e.g. had machines in ou=Machines,dc=domain,dc=com and people in ou=People,dc=domain,dc=com)? If so, how did you add machines?

I've tried smbpasswd -a -m MACHINE, and with debugging it shows that it tries to find a POSIX account for MACHINE$ first, which obviously doesn't exist. The actual fault is, after determining that a sambaSamAccount object doesn't exist, it goes back to getpwnam to try and find an account. Obviously, if I am putting machines in a different tree, pam_ldap etc. aren't going to find them there. I've enabled "ldap trust ids" and put the machine suffix correctly.

I have also tried creating a sambaSamAccount object in the right tree, but the sambaSamAccount requires a sambaSID, which I can't generate (it's supposed to be smbpasswd's job).

If anyone can shed some light on this, it would be most helpful; otherwise it's back to having MACHINE$'s amongst the list of users in LDAP trees, which seems rather stupid, considering the purpose of LDAP is to organise everything neatly.

Thanks heaps,
Nick
Tuesday, August 5, 2003, 12:38:15 PM, System wrote:

> Hiya all, this should hopefully be a simple question.
> I've noticed that there is a setting:
> ldap machine suffix
> Allowing you to put all the machine accounts in a different tree in your
> ldap directory (which is a definite plus).
> However, I note, that it is almost impossible to do so.
> Has anyone done this (eg had machines in ou=Machines,dc=domain,dc=com and
> people in ou=People,dc=domain,dc=com)?

Yes.

> If so, how did you add machines?
> I've tried smbpasswd -a -m MACHINE

Use pdbedit, or better, use tools to modify LDAP directly.

--
beast
On Tue, 5 Aug 2003 17:38:15 +1200 System_Administrator@koppersarch.co.nz wrote:

Hi!

> (eg had machines in ou=Machines,dc=domain,dc=com
> and people in ou=People,dc=domain,dc=com)?
> If so, how did you add machines?
> I've tried smbpasswd -a -m MACHINE
> and with debugging, it shows that it tries to find a posix account for
> MACHINE$ first, which obviously doesn't exist.

As you probably know: you have to create a Linux user first which resides in ou=Machines. In order to have the system find it when doing the lookup, you'll need to tell your NSS to also search in the Machines tree for users. In /etc/ldap.conf (e.g. Mandrake) or /etc/libnss-ldap.conf (Debian), change as follows:

# nss_base_passwd ou=People,dc=domain,dc=net
nss_base_passwd dc=domain,dc=net?sub

> The actual fault is, after determining that a sambaSamAccount object
> doesn't exist, it goes back to getpwnam to try and find an account.
> Obviously if I am putting machines in a different tree, pam_ldap, etc
> aren't going to find them there.

Right. Just that it's not pam_ldap but lib-nss. (PAM does the authentication stuff while NSS does the user lookups.) (At least Samba 2.2.x relies on NSS too.)

The problem I had while trying this with Debian's 2.2.3a yesterday was that I _could_ get the system (and Samba) to find the Linux user, but "smbpasswd -m -a " created an entry in "ou=People" nevertheless. This means I got two entries for one machine: the Linux user "machine$" in ou=Machines, and the Samba part in ou=People. Any idea how to fix this? (I move machines to ou=People now, but I'd also rather see them in ou=Machines...)

Cheers,
Max

--
The first time any man's freedom is trodden on, we're all damaged.
<Cpt. Picard, "The Drumhead", StarTrek TNG>
http://homex.subnet.at/~max/
System_Administrator@koppersarch.co.nz
2003-Aug-06 00:53 UTC
[Samba] Samba 3 + PDC + LDAP machine accounts
> As you probably know: you have to create a Linux-User first
> which resides in ou=Machines. In order to have the system
> find it when doing the lookup, you'll need to tell
> your NSS to also search in the Machines-tree for users:
> In /etc/ldap.conf (e.g. Mandrake) or /etc/libnss-ldap.conf
> (Debian), change as follows:
> # nss_base_passwd ou=People,dc=domain,dc=net
> nss_base_passwd dc=domain,dc=net?sub

Much thanks; by simply adding the machine as a user account (with posixAccount objectType) to the ou=Machines tree, Samba found it.

> The problem I had while trying this with Debian's 2.2.3a
> yesterday was that I _could_ get the system (and Samba) to
> find the Linux user, but "smbpasswd -m -a " created an entry
> in "ou=People" nevertheless. This means, I got two entries
> for one machine: the Linux-User "machine$" in ou=Machines,
> and the Samba-part in ou=People. Any idea how to fix this?

Interestingly enough, using Debian woody (3.0) with Samba 3beta3 self-compiled, plus some blood, sweat, and a whole lot of tears, and a few other packages back-ported or self-packaged... it worked fine once I added the user/machine to the ou=Machines tree (as above).

The next step is to see if I can get Samba to auto-add machines to the domain on demand. I think I'll have to use a custom script which inserts a custom LDIF into the machines tree, modified with the machine name. Should be a pretty straightforward awk+bash or perl script.

Oh, on one other side note, why do you need a posix/unix account for a machine? It never "accesses" files on the server... or does it?

Nick
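The auto-add script Nick describes in the message above, written out as an added example that is not part of the thread and not Samba's or smbldap-tools' own code. It builds the LDIF for a posixAccount entry under ou=Machines (the entry that makes Samba's getpwnam() lookup succeed once nss_base_passwd is widened to dc=domain,dc=net?sub, as Max showed) and pipes it to ldapadd, so it can be wired up as Samba 3's "add machine script = /usr/local/sbin/add-machine.sh %u". The base DN dc=domain,dc=net, the OU name, gidNumber 515, the uidNumber range starting at 20000, the bind DN and the /etc/ldap.secret password file are all assumptions; adjust them to your directory.

```shell
#!/bin/sh
# add-machine.sh: create the POSIX half of a Samba machine account in LDAP.
# Example code, not from the mailing-list thread or from Samba itself.
# Assumed layout: dc=domain,dc=net with ou=Machines; gid 515 is assumed to
# be the "Domain Computers" group. Samba adds the sambaSamAccount part
# afterwards (ldap machine suffix = ou=Machines).

BASE_DN="${BASE_DN:-dc=domain,dc=net}"
MACHINES_OU="${MACHINES_OU:-ou=Machines,$BASE_DN}"
MACHINES_GID="${MACHINES_GID:-515}"
UID_START="${UID_START:-20000}"
BIND_DN="${BIND_DN:-cn=admin,$BASE_DN}"
SECRET_FILE="${SECRET_FILE:-/etc/ldap.secret}"   # password kept off argv

# Print the LDIF for one machine account.
#   $1 = account name as Samba passes %u (with or without the trailing '$')
#   $2 = uidNumber to assign
machine_ldif() {
    name="$1"
    uidnum="$2"
    # Windows machine accounts always carry a trailing '$'; add it if missing.
    case "$name" in
        *'$') ;;
        *) name="${name}"'$' ;;
    esac
    # cn is the bare, lower-cased host name (no '$').
    cn=$(printf '%s' "$name" | sed 's/\$$//' | tr 'A-Z' 'a-z')
    cat <<EOF
dn: uid=$name,$MACHINES_OU
objectClass: top
objectClass: account
objectClass: posixAccount
cn: $cn
uid: $name
uidNumber: $uidnum
gidNumber: $MACHINES_GID
homeDirectory: /dev/null
loginShell: /bin/false
description: Machine account for $cn
EOF
}

# Next free uidNumber: highest one currently under the machines OU plus one,
# never below UID_START. Assumes anonymous read access to uidNumber; add
# -D/-y if your directory requires a bind for that.
next_uid() {
    max=$(ldapsearch -x -LLL -b "$MACHINES_OU" '(objectClass=posixAccount)' uidNumber \
          | awk '$1 == "uidNumber:" && $2 > m { m = $2 } END { print m + 0 }')
    if [ "$max" -lt "$UID_START" ]; then
        echo "$UID_START"
    else
        echo $((max + 1))
    fi
}

# When invoked by Samba with the machine name as the only argument,
# allocate a uid and add the entry. (No argument: just define the functions.)
if [ -n "${1:-}" ]; then
    machine_ldif "$1" "$(next_uid)" | ldapadd -x -D "$BIND_DN" -y "$SECRET_FILE"
fi
```

After the entry is added, `getent passwd 'workstation01$'` on the PDC must return it; if it does not, the NSS search base still excludes ou=Machines (the `?sub` scope from Max's message is what fixes that), and Samba will fail exactly as in Nick's first post. Note that the uid allocation is a read-then-write with no lock, so two simultaneous domain joins could race for the same uidNumber; a serialised allocator (or smbldap-tools' sambaUnixIdPool) is the robust fix for a busy domain.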