kent@www.warehamportal.mec.edu
2004-Jul-14 16:20 UTC
[Fwd: Re: [Samba] posixAccount for Machines in LDAP?]
---------------------------- Original Message ----------------------------
Subject: Re: [Samba] posixAccount for Machines in LDAP?
From: kent@www.warehamportal.mec.edu
Date: Wed, July 14, 2004 12:19 pm
To: "Paul Gienger" <pgienger@ae-solutions.com>
--------------------------------------------------------------------------

Hi Paul,

Finally got it to work. This is great!!

I had 2 problems. First, the script paths were wrong; second, neither
smbldap_conf.pm nor smbldap-useradd.pl would pass a perl -c syntax check.
I should have checked that first. I was tinkering with the perl scripts
because I don't use profiles and wanted to keep these from being created.
One more thing to do is to get the smb.conf and perl scripts straightened
out on the BDCs so everything is the same.

Thank you for your support!

Kent N

> kent@www.warehamportal.mec.edu wrote:
>
>> Hi Paul,
>> I'm getting a user not found after I made the changes. That's what I
>> used to get when I didn't add the machine account to /etc/passwd first.
>>
> Ok, so now the question is this, when you try to join, are you giving it
> the root user or root equivalent (uid=0) account? Is it making the posix
> account but not modifying it with sambaSAM information? You are sure
> that everything is using ou=People (or whatever users container you're
> using)?

I use the root account. When I started this quest I tried to get a root
equivalent account to work and couldn't. I may revisit this now that I've
overcome other obstacles. I tried keeping the users separate from the
computers in smb.conf. This seems to work. It may have been a bug but
seems to work for me. ??
Machines go under ou=Computers,dc=tow.net and users under ou=users,dc=tow,net.

>> Just curious, do you have a working system that does just that, where
>> if you add a machine by joining it to the domain, smbldap_useradd.pl
>> creates the posixAccount and sambaSAMAccount in LDAP?
>>
> I *did* when I was migration testing for samba3 but now my test box has
> been scrapped for a Sun trade in. I need to rebuild it before I go live
> with S3 (still on 2.2.8 here sadly) so I'll be building entirely from
> scratch again, hopefully this week if other projects get taken care of.
> I've done a pile of testing in my setup to get it to work with our
> remote LDAP master and local and/or distributed DC boxes. There were
> some timing issues there if replication didn't happen quick enough, a
> real PITA.
>
>> I'll continue to tinker with it. If you have any other suggestions, let
>> me know. I'm very close.
>>
>>> Changes below:
>>>
>>> kent@www.warehamportal.mec.edu wrote:
>>>
>>>> Thanks for getting back to me, Paul.
>>>> Here's the domain controller's smb.conf
>>>>
>>>> [global]
>>>>    workgroup = WarehamPS
>>>>    encrypt passwords = Yes
>>>>    time server = Yes
>>>>    socket options = TCP_NODELAY
>>>>    security = user
>>>>    logon script = whs1.bat
>>>>    writable = Yes
>>>>    dns proxy = no
>>>>    directory mask = 02770
>>>>    preferred master = yes
>>>>    netbios name = WHS1
>>>>    server string = RedHat 8.0 LDAP Server
>>>>    passdb backend = ldapsam
>>>>    ldap passwd sync = Yes
>>>>    machine password timeout = 604800
>>>>    passwd program = /usr/local/samba/bin/smbpasswd %u
>>>>    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
>>>> *Retype\snew\sUnix\spassword:* %n\n
>>>>    log file = /var/log/samba.%m
>>>>    debug level = 2
>>>>    max log size = 50
>>>>    add user script = /usr/local/sbin/smbldap-useradd.pl %u
>>>>    delete user script = /usr/local/sbin/smbldap-useradd.pl %u
>>>>    add group script = /usr/local/sbin/smbldap-groupadd.pl
>>>>    delete group script = /usr/local/sbin/smbldap-groupdel.pl
>>>>    add machine script = /usr/sbin/useradd -c "Computer" -d /dev/null
>>>> -s /bin/false -g 502 -M %u; /usr/local/samba/bin/smbpasswd -a -m %u
>>>>
>>> Change these scripts to be like so:
>>>
>>> add user script = /usr/sbin/smbldap-useradd -a -m "%u"
>>> delete user script = /usr/sbin/smbldap-userdel "%u"
>>> add group script = /usr/sbin/smbldap-groupadd "%g"
>>> delete group script = /usr/sbin/smbldap-groupdel "%g"
>>> add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>>> delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>>> set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>>> add machine script = /usr/sbin/smbldap-useradd -w "%u"
>>>
>>> make sure the paths line up of course. The quotes are important in
>>> case you get spaces in the parameters.
>>>
>>>>    logon script = whs1.bat
>>>>    logon path
>>>>    logon drive = H:
>>>>    logon home
>>>>    domain logons = Yes
>>>>    os level = 64
>>>>    domain master = Yes
>>>>    dns proxy = Yes
>>>>    admin users = @domain_admins
>>>>    wins support = Yes
>>>>    name resolve order = wins hosts bcast
>>>>    ldap suffix = dc=tow,dc=net
>>>>    ldap machine suffix = ou=Computers
>>>>
>>> Make ldap machine suffix match ldap user suffix. Known bug.
>>>
>>>>    ldap user suffix = ou=Users
>>>>    ldap group suffix = ou=Groups
>>>>    ldap admin dn = cn=admin,dc=tow,dc=net
>>>>    ldap ssl = no
>>>>
>>> <shares defs deleted>
>>>
>>> Of course, make sure your smbldap config file matches the above LDAP
>>> dn information for users, computers. Check back after trying it out.
>>>
>>> Paul
>>>
>>>> Kent
>>>> Wareham Public Schools
>>>>
>>>>> kent@www.warehamportal.mec.edu wrote:
>>>>>
>>>>>> Hello,
>>>>>> I have a question about machine accounts.
>>>>>> I'm using Samba 3.0, OpenLDAP 2.1.30 and Berkeley 4.2.52 on backend
>>>>>> on RedHat machines.
>>>>>> I also have 3 slave/BDC's and 1 master/PDC
>>>>>>
>>>>>> Right now all of my users and groups exist entirely in the LDAP
>>>>>> directory.
>>>>>> I have a few accounts in addition to the normal system accounts
>>>>>> that are used for emergency access. All authentication and group
>>>>>> enumeration uses PAM_LDAP with NSS_LDAP.
>>>>>>
>>>>>> My question is that when I have a machine join the domain, in the
>>>>>> LDAP directory an objectclass Account and sambaSAMAccount are
>>>>>> created. I still need to create a machine account in /etc/passwd
>>>>>> for this to happen. Is there anyone out there that is first
>>>>>> creating a posixAccount with appropriate attributes in LDAP then
>>>>>> using the Samba/Windows to generate the sambaSAMAccount object and
>>>>>> attributes in LDAP also?
>>>>>>
>>>>> You shouldn't need anything in /etc/passwd. Perhaps by posting an
>>>>> smb.conf you could be pointed in the right direction.
>>>>>
>>>>>> I was so happy to get all of the user/group stuff consolidated into
>>>>>> the directory. Now I see that this is a possibility also but I
>>>>>> haven't tried it.
>>>>>>
>>>>>> Kent N
>>>>>> Wareham Public Schools
>>>>>>
>
> --
> Paul Gienger                       Office: 701-281-1884
> Applied Engineering Inc.           Cell:   701-306-6254
> Information Systems Consultant     Fax:    701-281-1322
> URL: www.ae-solutions.com          mailto:pgienger@ae-solutions.com
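As an added example, not part of this thread and not code from Samba or the smbldap-tools project: a small Python linter that reads the [global] section of an smb.conf and flags the three things Paul's advice turns on: %u/%g script parameters that are not double-quoted, an `ldap machine suffix` that differs from `ldap user suffix`, and a `delete user script` that runs the same program as `add user script` (which is what the posted config did). `BEFORE` and `AFTER` are constructed excerpts based on the configs quoted in the thread, not the full files; the parameter-name normalization mirrors Samba's case- and whitespace-insensitive matching of parameter names, which is why the posted "deleteuser script" line is still read as "delete user script".

```python
import re

# Constructed excerpt of the PDC smb.conf as posted in the thread, before
# the fixes. "deleteuser script" is kept as written on purpose.
BEFORE = """
[global]
   workgroup = WarehamPS
   passdb backend = ldapsam
   add user script = /usr/local/sbin/smbldap-useradd.pl %u
   deleteuser script = /usr/local/sbin/smbldap-useradd.pl %u
   add group script = /usr/local/sbin/smbldap-groupadd.pl
   delete group script = /usr/local/sbin/smbldap-groupdel.pl
   add machine script = /usr/sbin/useradd -c "Computer" -d /dev/null -s /bin/false -g 502 -M %u; /usr/local/samba/bin/smbpasswd -a -m %u
   ldap suffix = dc=tow,dc=net
   ldap machine suffix = ou=Computers
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
"""

# Constructed excerpt with the script lines Paul suggested and the machine
# suffix made to match the user suffix, as the thread advises.
AFTER = """
[global]
   workgroup = WarehamPS
   passdb backend = ldapsam
   add user script = /usr/sbin/smbldap-useradd -a -m "%u"
   delete user script = /usr/sbin/smbldap-userdel "%u"
   add group script = /usr/sbin/smbldap-groupadd "%g"
   delete group script = /usr/sbin/smbldap-groupdel "%g"
   add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
   delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
   set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
   add machine script = /usr/sbin/smbldap-useradd -w "%u"
   ldap suffix = dc=tow,dc=net
   ldap machine suffix = ou=Users
   ldap user suffix = ou=Users
   ldap group suffix = ou=Groups
"""


def normalize_key(name):
    """Samba matches parameter names ignoring case and whitespace, so
    'deleteuser script' and 'delete user script' are the same parameter."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Parse smb.conf-style text into {section: {normalized_key: value}}.
    Comment lines (# or ;) and blank lines are skipped; a repeated key keeps
    its last value, which is also how Samba resolves duplicates."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        sections[current][normalize_key(key)] = value.strip()
    return sections


# A %u or %g that is not immediately wrapped in double quotes. The script
# value is handed to /bin/sh, so an unquoted name containing a space splits
# into several arguments; that is the point of Paul's quoting advice.
UNQUOTED_SUBST = re.compile(r'(?<!")%[ug](?!")')


def program_of(command):
    """First word of a script command line (the program that will run)."""
    return command.split(None, 1)[0] if command else ""


def lint_global(text):
    """Return a list of findings (strings) for the [global] section."""
    g = parse_smb_conf(text).get("global", {})
    findings = []
    for key, value in g.items():
        if key.endswith("script") and UNQUOTED_SUBST.search(value):
            findings.append(f"{key}: unquoted %u/%g substitution, wrap it in double quotes")
    machine, user = g.get("ldapmachinesuffix"), g.get("ldapusersuffix")
    if machine and user and machine.lower() != user.lower():
        findings.append(f"ldap machine suffix ({machine}) differs from ldap user suffix ({user})")
    add_prog = program_of(g.get("adduserscript", ""))
    del_prog = program_of(g.get("deleteuserscript", ""))
    if add_prog and add_prog == del_prog:
        findings.append(f"delete user script runs the same program as add user script ({add_prog})")
    return findings


if __name__ == "__main__":
    for label, conf in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(f"{label}: {len(lint_global(conf))} finding(s)")
        for f in lint_global(conf):
            print("  -", f)
```

Run against the posted config the linter reports five findings (three unquoted script parameters, the suffix mismatch, and the add/delete scripts pointing at the same program); against the corrected config it reports none. Checking the parameter values this way is a cheap complement to `testparm`, which validates syntax but does not know that these particular values are unsafe.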