John H Terpstra
2005-May-26 18:14 UTC
[Samba] Re: RE pdb_ldap.c, ldapsam_add_sam_account, existing poxisaccount
Stéphane,

The book "Samba-3 by Example" is being reprinted very soon. Up to date builds of the PDF are available on the Samba web site daily. This document can be downloaded from:

http://www.samba.org/samba/docs/Samba-Guide.pdf

In chapter 5 I have fully documented how Samba-3 can be deployed with LDAP and using the smbldap-tools. It works perfectly for me and in many sites that have given me feedback that it works. Over the past two months I have received and applied about 40 suggestions for improvement. Every report that it does not work has been resolved, but given all of this I am 100% certain that there are still bugs in there.

I would greatly appreciate if you could test-drive this chapter and report back any bugs or problems you come across.

I will personally work with you to resolve any issues that you may find.

Your claim below that there has been no reaction from the Samba Team is wrong. A number of us have worked with Jerome Tournier, which has resulted in the 0.9.0 release of the smbldap-tools. We do not make a practice of ignoring our users. I have been working on updating our documentation also as a result of feedback and bug reports. You have never been ignored.

The smbldap-tools should be configured to handle only the POSIX part of LDAP based accounts. Samba should handle all the sambaSAM components.

Please review chapter 5 and give me your feedback. I am anxious to fix any problem you may have.

Cheers,
John T.

On Thursday 26 May 2005 09:12, spu@corman.be wrote:
> Ok,
>
> I re-read the script and the sambasamaccount is only added with the -i option.
>
> My position is:
> - I asked about the problem in 2004, I put in a BUG. For some reason, no
>   reaction from the samba team for this problem.
> - My solution is to modify the smbldap-script to add the sambasamaccount
>   and add a machine in two steps, it works (until today)
>
> add these lines after the
> if (defined($Options{'i'})) {
>     ...
> }
>
> if (defined($Options{'w'})) {
>     # For machine account
>     # Objectclass sambaSAMAccount must be added now !
>
>     my $date = time;
>     my $modify = $ldap_master->modify(
>         "uid=$userName,$config{computersdn}",
>         changes => [
>             replace => [objectClass          => ['inetOrgPerson', 'posixAccount', 'sambaSAMAccount']],
>             add     => [sambaLogonTime       => '0'],
>             add     => [sambaLogoffTime      => '2147483647'],
>             add     => [sambaKickoffTime     => '2147483647'],
>             add     => [sambaPwdCanChange    => '0'],
>             add     => [sambaPwdMustChange   => '2147483647'],
>             add     => [sambaPwdLastSet      => "$date"],
>             add     => [sambaAcctFlags       => '[W ]'],
>             add     => [sambaSID             => "$user_sid"],
>             add     => [sambaPrimaryGroupSID => "$config{SID}-515"]
>         ]
>     );
>
>     $modify->code && die "failed to add entry: ", $modify->error;
> }
>
> ask me if there is a problem, I cannot add a machine today, but if you can test for me I
> appreciate.
>
> thanks
>
> Stéphane Purnelle
>
> -----------------------------------
> Stéphane PURNELLE    stephane.purnelle@corman.be
> Service Informatique   Corman S.A.   Tel : 00 32 087/342467
>
> samba-technical-bounces+stephane.purnelle=corman.be@lists.samba.org wrote on 26/05/2005 16:57:49:
>
> > spu@corman.be wrote:
> > > I forgot some details.
> > > the script adds the sambasamaccount.
> > > could you send me the smbldap-useradd script so I can see what version you
> > > use?
> > >
> > > some smbldap scripts do not add the sambasamaccount, because normally samba
> > > must add it (and this is the part which doesn't work).
> > > the last version seems to add the sambasamaccount attributes and old
> > > versions too.
> >
> > Ah! smbldap-useradd in 0.8.7 certainly does not seem to add the
> > sambasamaccount attributes. I just downloaded the latest 0.9.0 and that
> > doesn't seem to either. Not with -w, which as I understand it is the way
> > it should be used. -w just makes the posixaccount and expects samba to
> > do the rest...
> >
> > # MACHINE ACCOUNT
> > if (defined($Options{'w'}) or defined($Options{'i'})) {
> >
> >     #print "About to create machine $userName:\n";
> >
> >     if (!add_posix_machine($userName, $userUidNumber, $userGidNumber, $Options{'t'})) {
> >         die "$0: error while adding posix account\n";
> >     }
> >
> >     if (defined($Options{'i'})) {
> >         ...
> >     }
> >
> >     $ldap_master->unbind;
> >     exit 0;
> > }
> >
> > Should the add machine script set up the samba attributes? It seems a
> > bit mad. Surely samba should be finding that the user exists but doesn't
> > have the samba attributes and then it should modify the user? That's
> > what the code in my original post appears to be trying to do...
> >
> > John

-- 
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

Author:
The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
spu@corman.be
2005-May-27 14:33 UTC
[Samba] Re: RE pdb_ldap.c, ldapsam_add_sam_account, existing poxisaccount
John,

I appreciate your reaction, but could you explain this error?

[2005/05/27 16:19:10, 1] passdb/pdb_ldap.c:ldapsam_modify_entry(1479)
  ldapsam_modify_entry: Failed to add user dn= uid=infobcer$,ou=machines,dc=corman,dc=be with: Already exists
[2005/05/27 16:19:10, 0] passdb/pdb_ldap.c:ldapsam_add_sam_account(1911)
  ldapsam_add_sam_account: failed to modify/add user with uid = infobcer$ (dn = uid=infobcer$,ou=machines,dc=corman,dc=be)
[2005/05/27 16:19:10, 0] rpc_server/srv_samr_nt.c:_samr_create_user(2398)
  could not add user/computer infobcer$ to passdb. Check permissions?

I use root for adding to my PDC, ldap version: 2.1.25

thanks

-----------------------------------
Stéphane PURNELLE    stephane.purnelle@corman.be
Service Informatique   Corman S.A.   Tel : 00 32 087/342467

samba-technical-bounces+stephane.purnelle=corman.be@lists.samba.org wrote on 26/05/2005 20:15:05:

> Stéphane,
>
> The book "Samba-3 by Example" is being reprinted very soon. Up to date builds
> of the PDF are available on the Samba web site daily. This document can be
> downloaded from:
>
> http://www.samba.org/samba/docs/Samba-Guide.pdf
>
> In chapter 5 I have fully documented how Samba-3 can be deployed with LDAP and
> using the smbldap-tools. It works perfectly for me and in many sites that
> have given me feedback that it works. Over the past two months I have
> received and applied about 40 suggestions for improvement. Every report that
> it does not work has been resolved, but given all of this I am 100% certain
> that there are still bugs in there.
>
> I would greatly appreciate if you could test-drive this chapter and report
> back any bugs or problems you come across.
>
> I will personally work with you to resolve any issues that you may find.
>
> Your claim below that there has been no reaction from the Samba Team is wrong.
> A number of us have worked with Jerome Tournier, which has resulted in the
> 0.9.0 release of the smbldap-tools. We do not make a practice of ignoring our
> users. I have been working on updating our documentation also as a result of
> feedback and bug reports. You have never been ignored.
>
> The smbldap-tools should be configured to handle only the POSIX part of LDAP
> based accounts. Samba should handle all the sambaSAM components.
>
> Please review chapter 5 and give me your feedback. I am anxious to fix any
> problem you may have.
>
> Cheers,
> John T.
>
>
> On Thursday 26 May 2005 09:12, spu@corman.be wrote:
> > Ok,
> >
> > I re-read the script and the sambasamaccount is only added with the -i option.
> >
> > My position is:
> > - I asked about the problem in 2004, I put in a BUG. For some reason, no
> >   reaction from the samba team for this problem.
> > - My solution is to modify the smbldap-script to add the sambasamaccount
> >   and add a machine in two steps, it works (until today)
> >
> > add these lines after the
> > if (defined($Options{'i'})) {
> >     ...
> > }
> >
> > if (defined($Options{'w'})) {
> >     # For machine account
> >     # Objectclass sambaSAMAccount must be added now !
> >
> >     my $date = time;
> >     my $modify = $ldap_master->modify(
> >         "uid=$userName,$config{computersdn}",
> >         changes => [
> >             replace => [objectClass          => ['inetOrgPerson', 'posixAccount', 'sambaSAMAccount']],
> >             add     => [sambaLogonTime       => '0'],
> >             add     => [sambaLogoffTime      => '2147483647'],
> >             add     => [sambaKickoffTime     => '2147483647'],
> >             add     => [sambaPwdCanChange    => '0'],
> >             add     => [sambaPwdMustChange   => '2147483647'],
> >             add     => [sambaPwdLastSet      => "$date"],
> >             add     => [sambaAcctFlags       => '[W ]'],
> >             add     => [sambaSID             => "$user_sid"],
> >             add     => [sambaPrimaryGroupSID => "$config{SID}-515"]
> >         ]
> >     );
> >
> >     $modify->code && die "failed to add entry: ", $modify->error;
> > }
> >
> > ask me if there is a problem, I cannot add a machine today, but if you can test for me I
> > appreciate.
> >
> > thanks
> >
> > Stéphane Purnelle
> >
> > -----------------------------------
> > Stéphane PURNELLE    stephane.purnelle@corman.be
> > Service Informatique   Corman S.A.   Tel : 00 32 087/342467
> >
> > samba-technical-bounces+stephane.purnelle=corman.be@lists.samba.org wrote on 26/05/2005 16:57:49:
> >
> > > spu@corman.be wrote:
> > > > I forgot some details.
> > > > the script adds the sambasamaccount.
> > > > could you send me the smbldap-useradd script so I can see what version you
> > > > use?
> > > >
> > > > some smbldap scripts do not add the sambasamaccount, because normally samba
> > > > must add it (and this is the part which doesn't work).
> > > > the last version seems to add the sambasamaccount attributes and old
> > > > versions too.
> > >
> > > Ah! smbldap-useradd in 0.8.7 certainly does not seem to add the
> > > sambasamaccount attributes. I just downloaded the latest 0.9.0 and that
> > > doesn't seem to either. Not with -w, which as I understand it is the way
> > > it should be used. -w just makes the posixaccount and expects samba to
> > > do the rest...
> > >
> > > # MACHINE ACCOUNT
> > > if (defined($Options{'w'}) or defined($Options{'i'})) {
> > >
> > >     #print "About to create machine $userName:\n";
> > >
> > >     if (!add_posix_machine($userName, $userUidNumber, $userGidNumber, $Options{'t'})) {
> > >         die "$0: error while adding posix account\n";
> > >     }
> > >
> > >     if (defined($Options{'i'})) {
> > >         ...
> > >     }
> > >
> > >     $ldap_master->unbind;
> > >     exit 0;
> > > }
> > >
> > > Should the add machine script set up the samba attributes? It seems a
> > > bit mad. Surely samba should be finding that the user exists but doesn't
> > > have the samba attributes and then it should modify the user? That's
> > > what the code in my original post appears to be trying to do...
> > >
> > > John
>
> -- 
> John H Terpstra
> Samba-Team Member
> Phone: +1 (650) 580-8668
>
> Author:
> The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
> Samba-3 by Example, ISBN: 0131472216
> Hardening Linux, ISBN: 0072254971
> Other books in production.
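The state both messages in this thread describe is a machine entry that already carries the posixAccount part written by smbldap-useradd -w but not yet the sambaSamAccount part, which is when Samba's ldapsam_add_sam_account tries to add a DN that is already there and logs "Already exists". The script below is an added example written for this thread, not code from the smbldap-tools project or from Samba: it parses an LDIF export of the computers container, lists the machine accounts in that incomplete state, and emits the LDIF modify record carrying the attribute set from Stéphane's patch so the condition can be audited and repaired in one pass. The LDIF is constructed sample data; the DN suffix, domain SID and uidNumbers are made up, and the RID formula 2*uidNumber+1000 is the default algorithmic mapping the smbldap-tools of that era used (an assumption about the reader's configuration).

```python
"""Audit machine accounts for a missing sambaSamAccount objectClass and build
the LDIF modify that completes them. Added example for this thread; the data,
DN suffix and domain SID are constructed, not taken from any real directory."""
import time

# Constructed sample: infobcer$ has only the POSIX part (the state after
# `smbldap-useradd -w` as discussed in the thread); ws01$ is already complete.
SAMPLE_LDIF = """\
dn: uid=infobcer$,ou=machines,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
uid: infobcer$
uidNumber: 1003
gidNumber: 515

dn: uid=ws01$,ou=machines,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
uid: ws01$
uidNumber: 1004
gidNumber: 515
sambaSID: S-1-5-21-1111-2222-3333-3008
sambaPrimaryGroupSID: S-1-5-21-1111-2222-3333-515
sambaAcctFlags: [W          ]
"""

NEVER = "2147483647"  # 2^31-1, "never" in Samba's 32-bit time attributes


def parse_ldif(text):
    """Minimal LDIF reader: returns a list of (dn, attrs), attrs keyed by
    lower-cased attribute name (LDAP names are case-insensitive). Folded
    continuation lines are joined; base64 (::) and URL (:<) values are out
    of scope for this example."""
    entries = []
    for block in text.strip().split("\n\n"):
        lines = []
        for raw in block.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]  # folded continuation line
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        dn, attrs = None, {}
        for line in lines:
            name, _, value = line.partition(":")
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(name.lower(), []).append(value.strip())
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def find_incomplete_machine_accounts(ldif_text):
    """DNs of machine accounts (uid ending in '$') that have posixAccount but
    no sambaSamAccount: exactly the state behind the "Already exists" log."""
    incomplete = []
    for dn, attrs in parse_ldif(ldif_text):
        is_machine = any(u.endswith("$") for u in attrs.get("uid", []))
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        if is_machine and "posixaccount" in classes and "sambasamaccount" not in classes:
            incomplete.append(dn)
    return incomplete


def completion_ldif(dn, attrs, domain_sid, now=None):
    """LDIF 'changetype: modify' adding the sambaSamAccount part, with the same
    attribute set as Stéphane's smbldap-useradd patch. Adding the auxiliary
    objectClass value has the same effect as the patch's replace of the full
    list. RID = 2*uidNumber + 1000 is the default algorithmic mapping
    (assumption); -515 is the well-known Domain Computers RID."""
    rid = 2 * int(attrs["uidnumber"][0]) + 1000
    now = int(time.time()) if now is None else now
    adds = [
        ("objectClass", "sambaSamAccount"),
        ("sambaLogonTime", "0"),
        ("sambaLogoffTime", NEVER),
        ("sambaKickoffTime", NEVER),
        ("sambaPwdCanChange", "0"),
        ("sambaPwdMustChange", NEVER),
        ("sambaPwdLastSet", str(now)),
        ("sambaAcctFlags", "[W          ]"),  # W = workstation trust account
        ("sambaSID", f"{domain_sid}-{rid}"),
        ("sambaPrimaryGroupSID", f"{domain_sid}-515"),
    ]
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, value in adds:
        lines += [f"add: {attr}", f"{attr}: {value}", "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    domain_sid = "S-1-5-21-1111-2222-3333"  # constructed domain SID
    by_dn = dict(parse_ldif(SAMPLE_LDIF))
    for dn in find_incomplete_machine_accounts(SAMPLE_LDIF):
        print(f"# {dn} lacks sambaSamAccount; LDIF to complete it:")
        print(completion_ldif(dn, by_dn[dn], domain_sid))
```

Run against a real export (`ldapsearch -LLL -b ou=machines,... uid=*$` piped to a file) the audit confirms whether a failing join is this posixAccount-only state rather than a permissions problem, which is the distinction Stéphane's log leaves open; the emitted record can be applied with ldapmodify as the second step of his two-step workaround, while John's recommended configuration (smbldap-tools writing only the POSIX part, Samba adding the rest) should leave the audit reporting nothing.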