samba - Jul 2004 - [Fwd: Re: posixAccount for Machines in LDAP?]

---------------------------- Original Message ----------------------------
Subject: Re: [Samba] posixAccount for Machines in LDAP?
From:    kent@www.warehamportal.mec.edu
Date:    Wed, July 14, 2004 12:19 pm
To:      "Paul Gienger" <pgienger@ae-solutions.com>
--------------------------------------------------------------------------

Hi Paul,
Finally got it to work. This is great!! I had 2 problems. First the script
paths were wrong, second neither the smbldap_conf.pm nor
smbldap-useradd.pl would pass perl -c syntax check. I should have checked
that first. I was tinkering with the perl scripts because I don't use
profiles and wanted to delete these from being created.

One more thing to do is to get the smb.conf and perl scripts straightened
out on the BDCs so everything is the same.

Thank you for your support!

Kent N
> kent@www.warehamportal.mec.edu wrote:
>
>>Hi Paul,
>>I'm getting a user not found after I made the changes. That's
what I
used to get when I didn't add the machine account to /etc/passwd
first.
>>
>>
> Ok, so now the question is this, when you try to join, are you giving it
the root user or root equivilent (uid=0) account?  Is it making the
posix account but not modifying it with sambaSAM information?  You are
sure that everything is using ou=People (or whatever users container
you're using)?

I use the root account. When I started this quest I tried to get a root
equivalent account to work and couldn't. I may revisit this now that
I've
overcome other obstacles.

I tried keeping the users separate from the computers in smb.conf. This
seems to work. It may have been a bug but seems to work for me. ??
Machines go under ou=Computers,dc=tow.net and users under
ou=users,dc=tow,net.
>
>>Just curious, do you have a working system that does just that, where if
you add a machine by joining it to the domain, smbldap_useradd.pl
creates the posixAccount and sambaSAMAccount in LDAP?
>>
>>
> I *did* when I was migration testing for samba3 but now my test box has
been scrapped for a Sun trade in. I need to rebuild it before I go live
with S3 (still on 2.2.8 here sadly) so I'll be building entirely from
scratch again, hopefully this week if other projects get taken care of.
I've done a pile of testing in my setup to get it to work with our
remote LDAP master and local and/or distributed DC boxes.  There were
some timing issues there if replication didn't happen quick enough, a
real PITA.
>
>>I'll continue to tinker with it. If you have any other suggestions,
let
>> me
>>know. I'm very close.
>>
>>
>>
>>>Changes below:
>>>
>>>kent@www.warehamportal.mec.edu wrote:
>>>
>>>
>>>
>>>>Thanks for getting back to me, Paul.
>>>>Here's the domain controllers smb.conf
>>>>
>>>>
>>>>[global]
>>>>       workgroup = WarehamPS
>>>>	encrypt passwords = Yes
>>>>	time server = Yes
>>>>	socket options = TCP_NODELAY
>>>>	security = user
>>>>	logon script = whs1.bat
>>>>	writable = Yes
>>>>	dns proxy = no
>>>>	directory mask = 02770
>>>>	preferred master = yes
>>>>       netbios name = WHS1
>>>>       server string = RedHat 8.0 LDAP Server
>>>>       passdb backend = ldapsam
>>>>       ldap passwd sync = Yes
>>>>	machine password timeout = 604800
>>>>       passwd program = /usr/local/samba/bin/smbpasswd %u
>>>>      passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
>>>>*Retype\snew\sUnix\spassword:* %n\n
>>>>       log file = /var/log/samba.%m
>>>>       debug level = 2
>>>>       max log size = 50
>>>>       add user script = /usr/local/sbin/smbldap-useradd.pl %u
delete
user script = /usr/local/sbin/smbldap-useradd.pl %u add group
script = /usr/local/sbin/smbldap-groupadd.pl
>>>>       delete group script = /usr/local/sbin/smbldap-groupdel.pl
add
machine script = /usr/sbin/useradd -c "Computer"
-d
>>>> /dev/null
>>>>-s /bin/false -g 502 -M %u; /usr/local/samba/bin/smbpasswd -a -m
%u
>>>>
>>>>
>>>>
>>>>
>>>Change these scripts to be liks so:
>>>
>>>add user script = /usr/sbin/smbldap-useradd -a -m "%u"
>>>delete user script = /usr/sbin/smbldap-userdel "%u"
>>>add group script = /usr/sbin/smbldap-groupadd "%g"
>>>delete group script = /usr/sbin/smbldap-groupdel "%g"
>>>add user to group script = /usr/sbin/smbldap-groupmod -m
"%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u"
"%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g"
"%u" add
machine script = /usr/sbin/smbldap-useradd -w
"%u"
>>>
>>>make sure the paths line up of course.  The quotes are important in
case you get spaces in the parameters.
>>>
>>>
>>>
>>>>       logon script = whs1.bat
>>>>	logon path >>>>       logon drive = H:
>>>>	logon home >>>>       domain logons = Yes
>>>>       os level = 64
>>>>       domain master = Yes
>>>>       dns proxy = Yes
>>>>	admin users = @domain_admins
>>>>	wins support = Yes
>>>>	name resolve order = wins hosts bcast
>>>>       ldap suffix = dc=tow,dc=net
>>>>       ldap machine suffix = ou=Computers
>>>>
>>>>
>>>>
>>>>
>>>Make ldap machine suffix match ldap user suffix.  Known bug.
>>>
>>>
>>>
>>>>       ldap user suffix = ou=Users
>>>>       ldap group suffix = ou=Groups
>>>>       ldap admin dn = cn=admin,dc=tow,dc=net
>>>>       ldap ssl = no
>>>>
>>>>
>>>>
>>>>
>>><shares defs deleted>
>>>
>>>Of course, make sure your smbldap config file matches the above LDAP
dn
information for users, computers.  Check back after trying it
out.
>>>
>>>Paul
>>>
>>>
>>>
>>>>Kent
>>>>Wareham Public Schools
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>>kent@www.warehamportal.mec.edu wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>Hello,
>>>>>>I have a question about machine accounts.
>>>>>>I using Samba 3.0, OpenLDAP 2.1.30 and Berkeley 4.2.52
on backend on
RedHat machines.
>>>>>>I also have 3 slave/BDC's and 1 master/PDC
>>>>>>
>>>>>>Right now all of my users and groups exist entirely in
the LDAP
directory.
>>>>>>I have a few accounts in addition to the normal system
accounts that
are
>>>>>>used for emergency access. All authention and group
enumeration uses
PAM_LDAP with NSS_LDAP.
>>>>>>
>>>>>>My question is that when I have a machine join the
domain, in the
>>>>>> LDAP
>>>>>>directory an objectclass Account and sambaSAMAccount are
created. I
still
>>>>>>need to create a machine account in /etc/passwd for this
to happen.
>>>>>> Is
>>>>>>there anyone out there that is first creating a
posixAccount with
appropriate attributes in LDAP then using the Samba/Windows
to
>>>>>> generate
>>>>>>the sambaSAMAccount object and attributes in LDAP also?
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>You shouldn't need anything in /etc/passwd.  Perhaps by
posting an
smb.conf you could be pointed in the right direction.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>I was so happy to get all of the user/group stuff
consolidated into
>>>>>> the
>>>>>>directory. Now I see that this is a possibility also but
I haven't
tried
>>>>>>it.
>>>>>>
>>>>>>Kent N
>>>>>>Wareham Public Schools
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>--
>>>>>Paul Gienger                     Office:		701-281-1884
>>>>>Applied Engineering Inc.         Cell:			701-306-6254
>>>>>Information Systems Consultant   Fax:			701-281-1322
>>>>>URL: www.ae-solutions.com       
mailto:pgienger@ae-solutions.com
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>--
>>>Paul Gienger                     Office:		701-281-1884
>>>Applied Engineering Inc.         Cell:			701-306-6254
>>>Information Systems Consultant   Fax:			701-281-1322
>>>URL: www.ae-solutions.com        mailto:pgienger@ae-solutions.com
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
> --
> Paul Gienger                     Office:		701-281-1884
> Applied Engineering Inc.         Cell:			701-306-6254
> Information Systems Consultant   Fax:			701-281-1322
> URL: www.ae-solutions.com        mailto:pgienger@ae-solutions.com
>
>
>