kent@www.warehamportal.mec.edu
2004-Jul-13 19:41 UTC
[Samba] posixAccount for Machines in LDAP?
Hello,

I have a question about machine accounts. I'm using Samba 3.0, OpenLDAP 2.1.30 and Berkeley 4.2.52 on the backend on RedHat machines. I also have 3 slave/BDCs and 1 master/PDC.

Right now all of my users and groups exist entirely in the LDAP directory. I have a few accounts in addition to the normal system accounts that are used for emergency access. All authentication and group enumeration uses PAM_LDAP with NSS_LDAP.

My question is that when I have a machine join the domain, in the LDAP directory an objectclass Account and sambaSAMAccount are created. I still need to create a machine account in /etc/passwd for this to happen. Is there anyone out there that is first creating a posixAccount with appropriate attributes in LDAP, then using Samba/Windows to generate the sambaSAMAccount object and attributes in LDAP also?

I was so happy to get all of the user/group stuff consolidated into the directory. Now I see that this is a possibility also, but I haven't tried it.

Kent N
Wareham Public Schools
kent@www.warehamportal.mec.edu wrote:

> Hello,
> I have a question about machine accounts.
> I'm using Samba 3.0, OpenLDAP 2.1.30 and Berkeley 4.2.52 on the backend on
> RedHat machines.
> I also have 3 slave/BDCs and 1 master/PDC.
>
> Right now all of my users and groups exist entirely in the LDAP directory.
> I have a few accounts in addition to the normal system accounts that are
> used for emergency access. All authentication and group enumeration uses
> PAM_LDAP with NSS_LDAP.
>
> My question is that when I have a machine join the domain, in the LDAP
> directory an objectclass Account and sambaSAMAccount are created. I still
> need to create a machine account in /etc/passwd for this to happen. Is
> there anyone out there that is first creating a posixAccount with
> appropriate attributes in LDAP, then using Samba/Windows to generate
> the sambaSAMAccount object and attributes in LDAP also?

You shouldn't need anything in /etc/passwd. Perhaps by posting an smb.conf you could be pointed in the right direction.

> I was so happy to get all of the user/group stuff consolidated into the
> directory. Now I see that this is a possibility also, but I haven't tried
> it.
>
> Kent N
> Wareham Public Schools

--
Paul Gienger                      Office: 701-281-1884
Applied Engineering Inc.          Cell:   701-306-6254
Information Systems Consultant    Fax:    701-281-1322
URL: www.ae-solutions.com         mailto:pgienger@ae-solutions.com
kent@www.warehamportal.mec.edu
2004-Jul-13 22:12 UTC
[Samba] posixAccount for Machines in LDAP?
Thanks, I'll give this a try tomorrow and let you know how things go. I really appreciate your help. This is the last major hurdle that I can see.

Kent N

> Changes below:
>
> kent@www.warehamportal.mec.edu wrote:
>
>> Thanks for getting back to me, Paul.
>> Here's the domain controller's smb.conf
>>
>> [global]
>>     workgroup = WarehamPS
>>     encrypt passwords = Yes
>>     time server = Yes
>>     socket options = TCP_NODELAY
>>     security = user
>>     logon script = whs1.bat
>>     writable = Yes
>>     dns proxy = no
>>     directory mask = 02770
>>     preferred master = yes
>>     netbios name = WHS1
>>     server string = RedHat 8.0 LDAP Server
>>     passdb backend = ldapsam
>>     ldap passwd sync = Yes
>>     machine password timeout = 604800
>>     passwd program = /usr/local/samba/bin/smbpasswd %u
>>     passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
>>     log file = /var/log/samba.%m
>>     debug level = 2
>>     max log size = 50
>>     add user script = /usr/local/sbin/smbldap-useradd.pl %u
>>     delete user script = /usr/local/sbin/smbldap-useradd.pl %u
>>     add group script = /usr/local/sbin/smbldap-groupadd.pl
>>     delete group script = /usr/local/sbin/smbldap-groupdel.pl
>>     add machine script = /usr/sbin/useradd -c "Computer" -d /dev/null -s /bin/false -g 502 -M %u; /usr/local/samba/bin/smbpasswd -a -m %u
>>
> Change these scripts to be like so:
>
>     add user script = /usr/sbin/smbldap-useradd -a -m "%u"
>     delete user script = /usr/sbin/smbldap-userdel "%u"
>     add group script = /usr/sbin/smbldap-groupadd "%g"
>     delete group script = /usr/sbin/smbldap-groupdel "%g"
>     add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>     delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>     set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>     add machine script = /usr/sbin/smbldap-useradd -w "%u"
>
> Make sure the paths line up, of course. The quotes are important in case
> you get spaces in the parameters.
>
>>     logon script = whs1.bat
>>     logon path
>>     logon drive = H:
>>     logon home
>>     domain logons = Yes
>>     os level = 64
>>     domain master = Yes
>>     dns proxy = Yes
>>     admin users = @domain_admins
>>     wins support = Yes
>>     name resolve order = wins hosts bcast
>>     ldap suffix = dc=tow,dc=net
>>     ldap machine suffix = ou=Computers
>>
> Make ldap machine suffix match ldap user suffix. Known bug.
>
>>     ldap user suffix = ou=Users
>>     ldap group suffix = ou=Groups
>>     ldap admin dn = cn=admin,dc=tow,dc=net
>>     ldap ssl = no
>>
> <shares defs deleted>
>
> Of course, make sure your smbldap config file matches the above LDAP dn
> information for users, computers. Check back after trying it out.
>
> Paul
>
>> Kent
>> Wareham Public Schools
>
> --
> Paul Gienger                      Office: 701-281-1884
> Applied Engineering Inc.          Cell:   701-306-6254
> Information Systems Consultant    Fax:    701-281-1322
> URL: www.ae-solutions.com         mailto:pgienger@ae-solutions.com
kent@www.warehamportal.mec.edu
2004-Jul-14 13:25 UTC
[Samba] posixAccount for Machines in LDAP?
Hi Paul,

I'm getting a "user not found" after I made the changes. That's what I used to get when I didn't add the machine account to /etc/passwd first.

The good news is that I removed a machine account from /etc/passwd and added it to LDAP, to the existing account that was created with smbpasswd (added posixAccount and attributes). This worked fine. All of the posixAccount information need only be in LDAP. I will migrate my existing machine account info from /etc/passwd to their respective accounts in LDAP.

It just seems that smbldap_useradd.pl is not able to add the account information to LDAP on the fly. Just curious, do you have a working system that does just that, where if you add a machine by joining it to the domain, smbldap_useradd.pl creates the posixAccount and sambaSAMAccount in LDAP?

I'll continue to tinker with it. If you have any other suggestions, let me know. I'm very close.

> Changes below:
>
> kent@www.warehamportal.mec.edu wrote:
>
>> Thanks for getting back to me, Paul.
>> Here's the domain controller's smb.conf
>>
>> [global]
>>     workgroup = WarehamPS
>>     encrypt passwords = Yes
>>     time server = Yes
>>     socket options = TCP_NODELAY
>>     security = user
>>     logon script = whs1.bat
>>     writable = Yes
>>     dns proxy = no
>>     directory mask = 02770
>>     preferred master = yes
>>     netbios name = WHS1
>>     server string = RedHat 8.0 LDAP Server
>>     passdb backend = ldapsam
>>     ldap passwd sync = Yes
>>     machine password timeout = 604800
>>     passwd program = /usr/local/samba/bin/smbpasswd %u
>>     passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
>>     log file = /var/log/samba.%m
>>     debug level = 2
>>     max log size = 50
>>     add user script = /usr/local/sbin/smbldap-useradd.pl %u
>>     delete user script = /usr/local/sbin/smbldap-useradd.pl %u
>>     add group script = /usr/local/sbin/smbldap-groupadd.pl
>>     delete group script = /usr/local/sbin/smbldap-groupdel.pl
>>     add machine script = /usr/sbin/useradd -c "Computer" -d /dev/null -s /bin/false -g 502 -M %u; /usr/local/samba/bin/smbpasswd -a -m %u
>>
> Change these scripts to be like so:
>
>     add user script = /usr/sbin/smbldap-useradd -a -m "%u"
>     delete user script = /usr/sbin/smbldap-userdel "%u"
>     add group script = /usr/sbin/smbldap-groupadd "%g"
>     delete group script = /usr/sbin/smbldap-groupdel "%g"
>     add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>     delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>     set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>     add machine script = /usr/sbin/smbldap-useradd -w "%u"
>
> Make sure the paths line up, of course. The quotes are important in case
> you get spaces in the parameters.
>
>>     logon script = whs1.bat
>>     logon path
>>     logon drive = H:
>>     logon home
>>     domain logons = Yes
>>     os level = 64
>>     domain master = Yes
>>     dns proxy = Yes
>>     admin users = @domain_admins
>>     wins support = Yes
>>     name resolve order = wins hosts bcast
>>     ldap suffix = dc=tow,dc=net
>>     ldap machine suffix = ou=Computers
>>
> Make ldap machine suffix match ldap user suffix. Known bug.
>
>>     ldap user suffix = ou=Users
>>     ldap group suffix = ou=Groups
>>     ldap admin dn = cn=admin,dc=tow,dc=net
>>     ldap ssl = no
>>
> <shares defs deleted>
>
> Of course, make sure your smbldap config file matches the above LDAP dn
> information for users, computers. Check back after trying it out.
>
> Paul
>
>> Kent
>> Wareham Public Schools
>
> --
> Paul Gienger                      Office: 701-281-1884
> Applied Engineering Inc.          Cell:   701-306-6254
> Information Systems Consultant    Fax:    701-281-1322
> URL: www.ae-solutions.com         mailto:pgienger@ae-solutions.com
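Kent's last message confirms that a machine account works once its LDAP entry carries the posixAccount attributes alongside the sambaSamAccount ones, and Paul's remark is that the machine suffix should match the user suffix. The Python below is an added example (not from the list posts or from smbldap-tools) that audits an LDIF export for exactly those two conditions; the sample export, DNs and SIDs are constructed for the demonstration.

```python
# Constructed sample export: ws01$ is complete, ws02$ has only the half that smbpasswd -a -m creates.
SAMPLE_LDIF = """\
dn: uid=ws01$,ou=Users,dc=tow,dc=net
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws01$
cn: ws01$
uidNumber: 1001
gidNumber: 502
homeDirectory: /dev/null
sambaSID: S-1-5-21-1-2-3-3002

dn: uid=ws02$,ou=Computers,dc=tow,dc=net
objectClass: account
objectClass: sambaSamAccount
uid: ws02$
sambaSID: S-1-5-21-1-2-3-3004
"""
POSIX_MUST = ("uid", "cn", "uidNumber", "gidNumber", "homeDirectory")  # RFC 2307 MUST attributes

def parse_ldif(text):
    """Minimal reader for plain 'attr: value' LDIF; a blank line ends an entry."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if line.strip() and not line.startswith("#"):
            attr, _, val = line.partition(":")
            cur.setdefault(attr.strip(), []).append(val.strip())
        elif not line.strip() and cur:
            entries.append(cur)
            cur = {}
    return entries

def check_machine_accounts(text, user_suffix="ou=Users"):
    """Map each machine DN (uid ending in '$') to its list of problems; [] means OK."""
    report = {}
    for e in parse_ldif(text):
        if not e.get("uid", [""])[0].endswith("$"):
            continue  # ordinary user, not a machine account
        classes, issues = e.get("objectClass", []), []
        if "posixAccount" not in classes:
            issues.append("missing objectClass posixAccount")
        issues += [f"missing {a}" for a in POSIX_MUST if a not in e]  # what to add, as Kent did by hand
        if "sambaSamAccount" not in classes:
            issues.append("missing objectClass sambaSamAccount")
        if f",{user_suffix}," not in e["dn"][0]:
            issues.append(f"not under {user_suffix}")  # machine suffix should match user suffix
        report[e["dn"][0]] = issues
    return report
```

Run it against a real `slapcat` or `ldapsearch -LLL` export to list the machine entries that will still produce "user not found" before migrating them.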