Steve Zeng
2005-Mar-10 20:56 UTC
[Samba] Why need to add a machine account to /etc/passwd first with Samba+LDAP
Hi,

I am using Samba 3.0.10 PDC with LDAP as password DB. Before, we used smbpasswd as the passwd DB, and every time I needed to add a machine account into /etc/passwd so that the machine could join the domain. My understanding for LDAP is that this step is not needed any more since we will put all machine accounts into "ou=Computers". But I have been proved wrong.

Is this the way Samba works? I mean, Samba has to make sure a machine account exists in the /etc/passwd file of the Samba PDC, doesn't it?

--
Regards,

Steve Zeng
Systems Administrator
Mainframe Entertainment Inc
T: (604) 628-1000 ext 5293
Paul Gienger
2005-Mar-10 20:59 UTC
[Samba] Why need to add a machine account to /etc/passwd first with Samba+LDAP
> Is this the way Samba works? I mean, samba has to make sure a machine
> account exist in the /etc/passwd file of Samba PDC, doesn't it?

Samba needs to have a valid POSIX user on your system for the computer account. Where you store that (LDAP, files, NIS) is almost completely irrelevant.

--
Paul Gienger                Office: 701-281-1884
Applied Engineering Inc.
Systems Architect           Fax:    701-281-1322
URL: www.ae-solutions.com   mailto: pgienger@ae-solutions.com
Andreas Hasenack
2005-Mar-10 21:21 UTC
[Samba] Why need to add a machine account to /etc/passwd first with Samba+LDAP
On Thu, Mar 10, 2005 at 12:56:26PM -0800, Steve Zeng wrote:
> Hi,
>
> I am using Samba 3.0.10 PDC with LDAP as password DB. Before we use
> smbpasswd as passwd DB and every time I need to add a machine account
> into /etc/passwd so that the mahcine can join the domain. My
> understanding for LDAP is, this step is not needed any more since we
> will put all machine account into "ou=Computers". But I am proved to be
> wrong.

Putting machine accounts into ou=Computers works just fine provided:

- smb.conf is configured to look into that branch
- nss_ldap is also configured to go into that branch

Regarding nss_ldap, you can point it either at the top of your tree, so that it can reach both ou=Computers and ou=People using a subtree search, or specify nss_base_passwd twice: once for ou=Computers and once for ou=People.
John H Terpstra
2005-Mar-10 23:26 UTC
[Samba] Why need to add a machine account to /etc/passwd first with Samba+LDAP
On Thursday 10 March 2005 13:56, Steve Zeng wrote:
> Hi,
>
> I am using Samba 3.0.10 PDC with LDAP as password DB. Before we use
> smbpasswd as passwd DB and every time I need to add a machine account
> into /etc/passwd so that the mahcine can join the domain. My
> understanding for LDAP is, this step is not needed any more since we
> will put all machine account into "ou=Computers". But I am proved to be
> wrong.
>
> Is this the way Samba works? I mean, samba has to make sure a machine
> account exist in the /etc/passwd file of Samba PDC, doesn't it?

Nope. If you use LDAP, then both the POSIX account and the SambaSAMAccount information should be in LDAP.

On the other hand, if you put your machine accounts into the ou=Computers container and user accounts in ou=Users, your /etc/ldap.conf file needs to point to the directory tree above the ou=Users and above ou=Computers. Additionally, the lookup for user accounts will have to be a 'sub' type so look-ups will descend both trees.

In other words, I am guessing that in your /etc/ldap.conf you have:

    nss_base_passwd ou=People,dc=abmas,dc=biz?one

Instead of:

    nss_base_passwd dc=abmas,dc=biz?sub

If my assumptions are correct, then if you set /etc/nsswitch.conf to have:

    passwd: ldap
    shadow: ldap
    group:  ldap

and then you execute:

    getent passwd

you will not see a listing of accounts that includes the machine accounts. If this is what you see, then making the change in /etc/ldap.conf so that:

    nss_base_passwd dc=abmas,dc=biz

(of course substituting your directory domain component info) will list the machine accounts and you will no longer need them in your /etc/passwd.

In summary, by putting the machine accounts into your /etc/passwd you are using a work-around for a broken LDAP/NSS environment.

Does that answer your question and solve the problem?

- John T.

--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
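The point made in both Andreas's and John's replies, that a machine account is only usable if the NSS passwd lookup can reach its LDAP entry, comes down to the search base and scope in nss_base_passwd. The following is an added example, not code from the thread or from Samba/nss_ldap, that models that scope rule over a constructed directory so you can check which of the suggested ldap.conf lines would make ou=Computers entries resolvable; it assumes simplified DN parsing (split on unescaped commas, case-insensitive comparison) and treats a missing scope as sub.

```python
# Added example: models how nss_ldap's "nss_base_passwd base?scope" decides
# which LDAP entries the passwd map can see. Not nss_ldap's own code.
# Assumptions: DNs are split on unescaped commas and compared
# case-insensitively; a missing scope is treated as "sub".
import re

def dn_parts(dn):
    """Split a DN into its RDN components, most specific first."""
    return [p.strip().lower() for p in re.split(r'(?<!\\),', dn) if p.strip()]

def in_scope(entry_dn, base, scope):
    """True if a search from base with the given scope would return entry_dn."""
    entry, root = dn_parts(entry_dn), dn_parts(base)
    if len(entry) < len(root) or entry[len(entry) - len(root):] != root:
        return False  # entry is not under the search base at all
    depth = len(entry) - len(root)
    if scope == 'base':
        return depth == 0
    if scope == 'one':
        return depth == 1  # only direct children of the base
    if scope == 'sub':
        return True        # the base itself and everything below it
    raise ValueError('unknown scope: %s' % scope)

def parse_nss_base(line):
    """Parse 'nss_base_passwd base?scope[?filter]' from ldap.conf."""
    _, _, value = line.strip().partition(' ')
    fields = value.strip().split('?')
    base = fields[0]
    scope = fields[1] if len(fields) > 1 and fields[1] else 'sub'
    return base, scope

def resolvable(entry_dns, nss_lines):
    """Entries the passwd map can see given one or more nss_base_passwd lines."""
    bases = [parse_nss_base(line) for line in nss_lines]
    return sorted(dn for dn in entry_dns
                  if any(in_scope(dn, b, s) for b, s in bases))

# Constructed sample directory: one user and one machine account ($-suffixed).
ENTRIES = [
    'uid=steve,ou=People,dc=abmas,dc=biz',
    'uid=ws01$,ou=Computers,dc=abmas,dc=biz',
]

if __name__ == '__main__':
    for cfg in (['nss_base_passwd ou=People,dc=abmas,dc=biz?one'],
                ['nss_base_passwd dc=abmas,dc=biz?sub']):
        print(cfg, '->', resolvable(ENTRIES, cfg))
```

Run against your own tree by replacing ENTRIES with the DNs from an ldapsearch and the nss_lines with the nss_base_passwd lines from /etc/ldap.conf; any machine account missing from the result will also be missing from getent passwd.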
p 242 says smb.conf should contain:

    ldap machine suffix = ou=People

p. 252 says /etc/smbldap-tools/smbldap.conf should contain:

    computersdn="ou=Computers,${suffix}"

Is this correct or should they both read the same way - perhaps ou=Computers?
On Sunday 13 March 2005 17:25, John Schmerold wrote:
> p 242 says smb.conf should contain:
> ldap machine suffix = ou=People
>
> p. 252 says /etc/smbldap-tools/smbldap.conf should contain
> computersdn="ou=Computers,${suffix}"
>
> Is this correct or should they both read the same way - perhaps
> ou=Computers ?

The problem is not LDAP or Samba. What you must accommodate is how, through NSS, you will resolve computer accounts to a UID. Since the only mechanism for looking up accounts is through the "passwd" facility, this means that LDAP lookups must be made from a point in the LDAP directory tree that lies above both the ou=People and the ou=Computers. The alternative is to put the computer accounts in the ou=People container - this avoids the complexity as well as the huge performance hit of having to search two directory trees.

- John T.

--
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
Those things are pretty regular here:

1) where to put computer accounts?
2) wtf is going on when re-sharing NFS over Samba?

maybe ....

1) even have no idea what to do :-) FAQ maybe?
2) can it be auto-detected by Samba that it is NFS, and complain loudly in that case?

> On Sunday 13 March 2005 17:25, John Schmerold wrote:
>> p 242 says smb.conf should contain:
>> ldap machine suffix = ou=People
>>
>> p. 252 says /etc/smbldap-tools/smbldap.conf should contain
>> computersdn="ou=Computers,${suffix}"
>>
>> Is this correct or should they both read the same way - perhaps
>> ou=Computers ?
>
> The problem is not LDAP or Samba. What you must accomodate is how through NSS
> you will resolve computer accounts to a UID. Since the only mechanism for
> looking up accounts is through the "passwd" facility this means that LDAP
> lookups must be made from a point in the LDAP directory tree that lies above
> both the ou=People and the ou=Computers. The alternative is to put the
> computer accounts in the ou=People container - this avoids the complexity as
> well as the huge performance hit of having to search two directory trees.
>
> - John T.l
> --
> John H Terpstra
> Samba-Team Member
> Phone: +1 (650) 580-8668
>
> Author:
> The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
> Samba-3 by Example, ISBN: 0131472216
> Hardening Linux, ISBN: 0072254971
> Other books in production.
Pardon my confusion: Does this mean the Samba guide is correct? If so, why the difference between p 242 & 252?

TIA

John H Terpstra wrote:
> On Sunday 13 March 2005 17:25, John Schmerold wrote:
>> p 242 says smb.conf should contain:
>> ldap machine suffix = ou=People
>>
>> p. 252 says /etc/smbldap-tools/smbldap.conf should contain
>> computersdn="ou=Computers,${suffix}"
>>
>> Is this correct or should they both read the same way - perhaps
>> ou=Computers ?
>
> The problem is not LDAP or Samba. What you must accomodate is how through NSS
> you will resolve computer accounts to a UID. Since the only mechanism for
> looking up accounts is through the "passwd" facility this means that LDAP
> lookups must be made from a point in the LDAP directory tree that lies above
> both the ou=People and the ou=Computers. The alternative is to put the
> computer accounts in the ou=People container - this avoids the complexity as
> well as the huge performance hit of having to search two directory trees.
>
> - John T.l