Parameters are: Samba 2.2.7a PDC setup with LDAP, including POSIX authentication for Linux.

OK, the tutorial I've based my setup on is the Mandrake tutorial found at http://www.mandrakesecure.net/en/docs/ldap-auth.php
Works great for authenticating Linux from LDAP, but it is really sparse on the Samba side of things, especially when it comes to adding machine trust accounts.

So anyway, I have some theories I would like verified.
I've found that I can add a POSIX-based machine name and that works fine, BUT it only works in ou=People. The system cannot find a machine account in ou=Computers.

Seems to me that several things have occurred:

> Jan 18 14:08:42 enigma smbd[12254]: [2003/01/18 14:08:42, 0] passdb/pdb_ldap.c:pdb_getsampwnam(859)
> Jan 18 14:08:42 enigma smbd[12254]: LDAP search "(&(uid=spartack_)(objectclass=sambaAccount))" returned 0 entries.

1. Search for a uid=spartack$ which also has objectclass=sambaAccount.

> Jan 18 14:08:42 enigma smbd[12254]: [2003/01/18 14:08:42, 0] rpc_server/srv_netlog_nt.c:get_md4pw(176)

2. Get the password.

> Jan 18 14:08:42 enigma smbd[12254]: get_md4pw: Workstation spartack$: no account in domain

3. Can't find the account. (Of course, because the user has not been added by the 'add user script' setting in smb.conf yet.)

> Jan 18 14:08:49 enigma smbd[12255]: [2003/01/18 14:08:49, 0] passdb/pdb_ldap.c:pdb_getsampwnam(859)
> Jan 18 14:08:49 enigma smbd[12255]: LDAP search "(&(uid=spartack_)(objectclass=sambaAccount))" returned 0 entries.
> Jan 18 14:08:50 enigma smbd[12255]: [2003/01/18 14:08:50, 0] rpc_server/srv_samr_nt.c:_api_samr_create_user(1929)
> Jan 18 14:08:50 enigma smbd[12255]: User spartack$ does not exist in system password file (usually /etc/passwd). Cannot add account without a valid local system user.

4. Try again, only execute the 'add user script' first.
Theoretically, it did not find one because there is no objectClass sambaAccount in the entry. HOWEVER, I know from previous attempts it does find the POSIX-only Computer account when it is placed in ou=People. Is there perhaps a different search performed the first time around despite the log entry, or is my understanding of "(&(uid=spartack_)(objectclass=sambaAccount))" flawed?

So am I on target here? I can solve the problem if I can understand it. :-)
I meditated long and hard on how to do this separation on 2.2.7a, even going so far as to code most of the patch, but ran into the stone wall that the search for the computer account is ALWAYS done as a search for a user account (just with a "different" name, meaning the trailing $), so I'd have to recode a lot of the stuff that searches for user accounts to handle that. Also, the way the user account is searched for is spread throughout, and calls to getpwent() are made as well to find it, and THAT I definitely could not change, since it is the correct behavior.

What's actually needed is full separation of the search for users and computers, and that's not worth it (IMHO) in 2.2.7a if 3.0alpha has it already (I believe it does). I'd rather contribute to 3.0alpha and help get it out the door quicker than try to expand functionality on 2.2.7a.

Just my 2 cents' worth! :)

Best
Diego

On Sat, 2003-01-18 at 16:56, Jim wrote:
> Parameters are:
> Samba 2.2.7a PDC setup with LDAP including POSIX authentication for Linux.
>
> I've found that I can add a POSIX-based machine name and that works fine
> BUT it only works in ou=People. The system cannot find a machine
> account in ou=Computers.
>
> So am I on target here? I can solve the problem if I can understand it. :-)
Dariush Forouher
2003-Jan-19 00:03 UTC
[Samba] Adding a machine; I think I am onto something
On Sat, 2003-01-18 at 23:56, Jim wrote:
> So anyway I have some theories I would like verified.
> I've found that I can add a POSIX-based machine name and that works fine
> BUT it only works in ou=People. The system cannot find a machine
> account in ou=Computers.

Is ou=Computers below ou=People? If not, neither Samba nor pam will notice it.

> Theoretically, it did not find one because there is no objectClass
> sambaAccount in the entry HOWEVER, I know from previous attempts it does
> find the POSIX-only Computer account when it is placed in ou=People. Is
> there perhaps a different search performed the first time around despite
> the log entry or is my understanding of
> "(&(uid=spartack_)(objectclass=sambaAccount))" flawed?

Samba itself doesn't look up POSIX things in LDAP. That is the job of nsswitch/pam. You have to configure in your libnss-ldap.conf a search base that includes ou=People and ou=Computers as well.

regards
Dariush

--
PGP Fingerprint: 0x886C99A1
> Subject: Re: [Samba] Adding a machine; I think I am onto something
> From: Dariush Forouher <dariush@forouher.de>
> To: Jim C <jcllings@tsunamicomm.net>
> Cc: Samba ML <samba@lists.samba.org>
> Date: 19 Jan 2003 12:52:37 +0100
>
> On Sun, 2003-01-19 at 10:19, Jim C wrote:
>>> libnss-ldap.conf? I don't seem to have that file anywhere.
>>> I suppose I should warn you that this is a Mandrake system. I do have
>>> nss-ldap installed as well as pam-ldap.
>
> Well, it might be named differently by Mandrake. SuSE's one is somewhere
> behind /etc/ldap. Have a look into your docs provided by Mandrake or
> perform a find after 'ldap'.

/etc/ldap.conf

> Why do you want to put the machines somewhere else anyway? You can't
> hide them from unix because samba uses them. If you want to make your
> ldap more clear and easier to administrate, just put all your machine
> trust accounts into a "folder" below ou=People, e.g.
> ou=computers,ou=People,... Samba will find them without changing any
> configuration.

Actually, what you can do is use a different search base on your DCs than on your other desktops and other servers; then 'getent passwd' or a {k,g,x}dm will only show user accounts. Of course, on the DCs, both samba and nss should be looking in the right places.

BTW, you are aware that machine addition worked fine on 2.2.6 (AFAICR)? I will try and take a look again shortly, but we've just migrated from our old DC/LDAP server to a new one and one or two things are still broken (unix password changes in LDAP ...).

Buchan

--
Buchan Milne
Mechanical Engineer, Network Manager
Stellenbosch Automotive Engineering http://www.cae.co.za
GPG Key http://ranger.dnsalias.com/bgmilne.asc 1024D/60D204A7
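The two lookups Dariush and Buchan describe, as an added example that is not part of the thread and not code from Samba or nss_ldap: a small Python model of nss_ldap's getpwnam(), driven by the same "base?scope" specs one writes on nss_base_passwd lines in /etc/ldap.conf, next to Samba 2.2's pdb_ldap search, which runs the default `ldap filter` (&(uid=%u)(objectclass=sambaAccount)) as a subtree search under `ldap suffix`. The DNs and entries are constructed, the scope handling is a minimal model of LDAP one-level versus subtree search (no server is contacted), and an omitted ?scope is assumed to mean subtree, as with nss_ldap's default `scope sub`. Running it reproduces the order of the messages in Jim's smbd log for each /etc/ldap.conf layout.

```python
"""Model of the two account lookups behind the smbd log lines in this thread:
nss_ldap's getpwnam() and a Samba 2.2 PDC's pdb_ldap search.

Added example for this page; not code from Samba, nss_ldap or the thread's
authors.  The directory below is constructed, and scope handling is a small
model of LDAP one-level/subtree search (no LDAP server is contacted)."""

from typing import Dict, List, Optional

Entry = Dict[str, object]

# Constructed directory in Jim's layout: a user under ou=People with both
# objectClasses, and a machine trust account under ou=Computers that is still
# POSIX-only because nothing has populated the Samba side of it yet.
DIRECTORY: Dict[str, Entry] = {
    "uid=jim,ou=People,dc=example,dc=com": {
        "objectclass": {"posixaccount", "sambaaccount"}, "uid": "jim"},
    "uid=spartack$,ou=Computers,dc=example,dc=com": {
        "objectclass": {"posixaccount"}, "uid": "spartack$"},
}


def _rdns(dn: str) -> List[str]:
    """Split a DN into RDNs, normalised for case and whitespace (enough for
    the constructed DNs here; real DNs may contain escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]


def in_scope(entry_dn: str, base: str, scope: str) -> bool:
    """True if a search under `base` with `scope` would return entry_dn.
    'one' matches only direct children of base, 'sub' the whole subtree.
    That difference is the bug in the thread: ou=Computers is a sibling of
    ou=People, so a one-level search under ou=People never sees it."""
    if scope not in ("one", "sub"):
        raise ValueError("scope must be 'one' or 'sub'")
    entry, base_rdns = _rdns(entry_dn), _rdns(base)
    if len(entry) <= len(base_rdns) or entry[-len(base_rdns):] != base_rdns:
        return False
    depth = len(entry) - len(base_rdns)
    return scope == "sub" or depth == 1


def nss_lookup(directory: Dict[str, Entry], name: str,
               nss_base_passwd: List[str]) -> Optional[str]:
    """Model of nss_ldap getpwnam(): each element is a 'base?scope' spec as
    written on an nss_base_passwd line in /etc/ldap.conf.  An omitted scope is
    treated as subtree (assumed to match nss_ldap's default 'scope sub').
    Returns the matching DN, or None, which is the case where smbd logs
    'does not exist in system password file (usually /etc/passwd)'."""
    for spec in nss_base_passwd:
        base, _, scope = spec.partition("?")
        for dn, attrs in directory.items():
            if (in_scope(dn, base, scope or "sub") and attrs["uid"] == name
                    and "posixaccount" in attrs["objectclass"]):
                return dn
    return None


def samba_lookup(directory: Dict[str, Entry], name: str,
                 ldap_suffix: str) -> Optional[str]:
    """Model of Samba 2.2's pdb_ldap search: the default 'ldap filter'
    (&(uid=%u)(objectclass=sambaAccount)) as a subtree search under
    'ldap suffix'.  A posixAccount without sambaAccount never matches, no
    matter which OU it lives in, so get_md4pw logs 'no account in domain'."""
    for dn, attrs in directory.items():
        if (in_scope(dn, ldap_suffix, "sub") and attrs["uid"] == name
                and "sambaaccount" in attrs["objectclass"]):
            return dn
    return None


def diagnose(directory: Dict[str, Entry], name: str, ldap_suffix: str,
             nss_base_passwd: List[str]) -> str:
    """Map the two lookups onto the messages seen in the thread's smbd log."""
    if nss_lookup(directory, name, nss_base_passwd) is None:
        return "nss: not found -> smbd: does not exist in system password file"
    if samba_lookup(directory, name, ldap_suffix) is None:
        return "nss: found, samba: not found -> smbd: no account in domain"
    return "ok: account visible to both nss and smbd"


def with_samba_objectclass(directory: Dict[str, Entry], dn: str) -> Dict[str, Entry]:
    """Copy of `directory` with objectClass sambaAccount added to one entry,
    i.e. the Samba side of the machine account populated."""
    copy = {d: {**a, "objectclass": set(a["objectclass"])} for d, a in directory.items()}
    copy[dn]["objectclass"].add("sambaaccount")
    return copy


if __name__ == "__main__":
    machine, suffix = "spartack$", "dc=example,dc=com"
    # Desktop-style /etc/ldap.conf: nss_base_passwd ou=People,dc=example,dc=com?one
    print(diagnose(DIRECTORY, machine, suffix, ["ou=People,dc=example,dc=com?one"]))
    # PDC-style: one nss_base_passwd line per OU (or a single subtree base)
    dc_bases = ["ou=People,dc=example,dc=com?one", "ou=Computers,dc=example,dc=com?one"]
    print(diagnose(DIRECTORY, machine, suffix, dc_bases))
    fixed = with_samba_objectclass(DIRECTORY, "uid=spartack$,ou=Computers,dc=example,dc=com")
    print(diagnose(fixed, machine, suffix, dc_bases))
```

The split Buchan suggests falls out of the specs: a desktop's /etc/ldap.conf keeps `nss_base_passwd ou=People,dc=example,dc=com?one`, so `getent passwd` never lists machine accounts, while the DC either adds a second `nss_base_passwd ou=Computers,dc=example,dc=com?one` line (nss_ldap accepts the directive more than once; whether your installed version does is an assumption to check against its ldap.conf documentation) or uses a subtree base such as `dc=example,dc=com`. Samba's `ldap suffix` already has to cover both OUs. Neither change makes the Samba search succeed on its own: the entry must also carry objectClass sambaAccount, which is the second failure in Jim's log.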