Andres Toomsalu
2005-Jun-04  16:24 UTC
[Samba] smbldap-tools and joining workstation to domain
Hi,
I've reported this before but I guess I'll have to do it again, since 
it's not fixed yet or I'm understanding something wrong here.
The problem is that smbldap-useradd -w 'machinename' will add only 
posixAccount entries into ldap but it should add both posixAccount and 
sambaSAMAccount entries.

So if one doesn't add correct machine account entries manually to ldap 
the windows workstation domain joining is impossible.

The Samba Openldap howto clearly documents that smbldap-useradd -w 
'workstation' should produce the following entries in ldap:
dn: uid=testhost3$,ou=Computers,dc=IDEALX,dc=ORG
objectClass: top
objectClass: posixAccount
objectClass: sambaSAMAccount
cn: testhost3$
gidNumber: 553
homeDirectory: /dev/null
loginShell: /bin/false
uid: testhost3$
uidNumber: 1005
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
description: Computer Account
rid: 0
primaryGroupID: 0
lmPassword: 7582BF7F733351347D485E46C8E6306E
ntPassword: 7582BF7F733351347D485E46C8E6306E
acctFlags: [W          ]
Looking at the smbldap-useradd script code I can see that sambaSAMAccount 
entries are only added when the -i switch is used (trusted workstation account).
----------- CODE SNIP --------------------
# MACHINE ACCOUNT
# Both -w and -i create the posixAccount part; only -i goes on to add the
# sambaSAMAccount objectClass and its attributes.
if (defined($Options{'w'}) or defined($Options{'i'})) {
   #print "About to create machine $userName:\n";
   if (!add_posix_machine($userName,$userUidNumber,$userGidNumber,$Options{'t'})) {
     die "$0: error while adding posix account\n";
   }
   if (defined($Options{'i'})) {
     # For machine trust account
     # Objectclass sambaSAMAccount must be added now !
     my $pass;
     my $pass2;
     # Read the trust password twice with terminal echo switched off
     system "stty -echo";
     print "New password : ";
     chomp($pass=<STDIN>);
     print "\n";
     system "stty echo";
     system "stty -echo";
     print "Retype new password : ";
     chomp($pass2=<STDIN>);
     print "\n";
     system "stty echo";
     if ($pass ne $pass2) {
       print "New passwords don't match!\n";
       exit (10);
     }
     # LM and NT hashes of the password (ntlmgen from Crypt::SmbHash)
     my ($lmpassword,$ntpassword) = ntlmgen $pass;
     my $date=time;
     # Turn the posix-only entry into a full Samba trust account
     my $modify = $ldap_master->modify ( "uid=$userName,$config{computersdn}",
                    changes => [
                      replace => [objectClass => ['inetOrgPerson', 'posixAccount', 'sambaSAMAccount']],
                      add => [sambaLogonTime => '0'],
                      add => [sambaLogoffTime => '2147483647'],
                      add => [sambaKickoffTime => '2147483647'],
                      add => [sambaPwdCanChange => '0'],
                      add => [sambaPwdMustChange => '2147483647'],
                      add => [sambaPwdLastSet => "$date"],
                      add => [sambaAcctFlags => '[I          ]'],
                      add => [sambaLMPassword => "$lmpassword"],
                      add => [sambaNTPassword => "$ntpassword"],
                      add => [sambaSID => "$user_sid"],
                      add => [sambaPrimaryGroupSID => "$config{SID}-515"]
                    ]
                  );
     $modify->code && die "failed to add entry: ", $modify->error ;
   }
   $ldap_master->unbind;
   exit 0;
}
----------- CODE SNIP END ------------------
So what's the deal: misleading howto document, bug in the smbldap-useradd 
script, or am I getting something wrong here?
Cheers,
-- 
----------------------------------------------
Andres Toomsalu, andres@active.ee
juhataja - general manager, OÜ Active Systems
Lille 4-205, Pärnu 80041, phone +372 44 70 595
GSM +372 56 496 124, IM: frame@jabber.org
http://www.active.ee
Stéphane Purnelle
2005-Jun-04  17:26 UTC
[Samba] smbldap-tools and joining workstation to domain
Hi,

With samba-3.0, smbldap-tools must add only posixAccount; it's Samba which adds the Samba attributes to LDAP.

NOTE: what is the ldap filter parameter in smb.conf?

On samba.idealx.org, you must use the howto available here: http://samba.idealx.org/smbldap-howto.fr.html

Andres Toomsalu wrote:
> The problem is that smbldap-useradd -w 'machinename' will add only
> posixAccount entries into ldap but it should add both posixAccount and
> sambaSAMAccount entries.
>
> So if one doesn't add correct machine account entries manually to ldap
> the windows workstation domain joining is impossible.
>
> [...]
>
> So what's the deal: misleading howto document, bug in the smbldap-useradd
> script, or am I getting something wrong here?

-- 
Stéphane Purnelle <stephane.purnelle@tiscali.be>
Site Web : http://www.linuxplusvalue.be
Roger Eisenecher
2005-Jun-04  20:39 UTC
[Samba] Re: [idx-smbldap-tools ] smbldap-tools and joining workstation to domain
Hi Andres

Andres Toomsalu wrote:
> The problem is that smbldap-useradd -w 'machinename' will add only
> posixAccount entries into ldap but it should add both posixAccount and
> sambaSAMAccount entries.
>
> So if one doesn't add correct machine account entries manually to ldap
> the windows workstation domain joining is impossible.

As Jerome said, samba would add the additional necessary attributes when the workstation joins the domain. The ldap script has only to add the posix stuff.

I do not know if this is correct because sometimes I also have the problem that some workstations could not join the domain. If I then check the ldap I can only see the entries necessary for a posixAccount. If I delete this information from ldap my workstation is able to join the domain which failed before... But only 2 to 5 of 200 workstations will fail...

I hope this will help you.

kindly regards
rOger
Andres Toomsalu
2005-Jun-06  05:53 UTC
[Samba] Re: [idx-smbldap-tools ] smbldap-tools and joining workstation to domain
Tim Verhoeven wrote:
> On 6/4/05, Andres Toomsalu <andres@active.ee> wrote:
>> I've reported this before but I guess I'll have to do it again, since
>> it's not fixed yet or I'm understanding something wrong here.
>>
>> The problem is that smbldap-useradd -w 'machinename' will add only
>> posixAccount entries into ldap but it should add both posixAccount and
>> sambaSAMAccount entries.
>>
>> So if one doesn't add correct machine account entries manually to ldap
>> the windows workstation domain joining is impossible.
>
> In my experience the smbldap-useradd behaviour is correct. It will
> only add the posixAccount part of a machine account. Then when you
> actually join a machine to a domain Samba itself will modify the
> machine account and add the sambaSAMAccount parts.
>
> For this to work you will of course also need to configure Samba so
> that it has an ldap account that has the rights to update items in the
> ldap tree.

I just made fresh tests again with win xp pro sp2 and samba 3.0.14a + smbldap-tools 0.88, just to be sure nothing has changed meanwhile:

1) I can't join an XP workstation to the domain when I don't have a computer account in ldap - the error is "Access denied". As a result it makes a computer account in ldap, but only the posixAccount part of it, as smbldap-useradd -w does it.

2) I can't join an XP workstation to the domain when I do have a computer account in ldap - but with only posixAccount entries, as smbldap-useradd -w '%u' makes them like that - the error is "Access denied".

3) I can join an XP workstation to the domain when I manually make correct computer account entries in ldap with phpldapadmin - then both posixAccount and sambaSamAccount entries are present.

Here are copy-paste samples of computer accounts in my ldap - the first sample is made with smbldap-useradd -w and the second, which actually works, is made manually:

# Entry 1: uid=testmasin$,ou=Computers,dc=active,dc=ee
dn: uid=testmasin$,ou=Computers,dc=active,dc=ee
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
cn: testmasin$
sn: testmasin$
uid: testmasin$
uidNumber: 1016
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer

# Entry 1: uid=windesk$,ou=Computers,dc=active,dc=ee
dn: uid=windesk$,ou=Computers,dc=active,dc=ee
gidNumber: 515
uidNumber: 3002
uid: windesk$
sambaSID: S-1-5-21-530076877-4031960640-1585896771-7004
sambaAcctFlags: [W          ]
cn: windesk
homeDirectory: /dev/null
objectClass: top
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: account
sambaPwdMustChange: 2147483647
sambaPwdCanChange: 1118035851
sambaNTPassword: D8B4AEB073153BADC4CD6DE75CF1BFB0
sambaPwdLastSet: 1118035851

So joining XP workstations to the domain with smbldap-tools doesn't work for me. I still think there is a bug in the smbldap-useradd script, in that it won't add sambaSamAccount entries when invoked as "smbldap-useradd -w '%u'".

I don't think sambaSamAccount entries are being added during the domain joining procedure, because for domain joining samba uses the very same "smbldap-useradd -w '%u'" command - which doesn't add any sambaSamAccount entries.

>> The Samba Openldap howto clearly documents that smbldap-useradd -w
>> 'workstation' should produce the following entries in ldap:
>>
>> dn: uid=testhost3$,ou=Computers,dc=IDEALX,dc=ORG
>> [...]
>> acctFlags: [W          ]
>
> So my guess is that this is a bug in the documentation and not in the code.
>
> Kind regards,
> Tim

-- 
----------------------------------------------
Andres Toomsalu, andres@active.ee
juhataja - general manager, OÜ Active Systems
Lille 4-205, Pärnu 80041, phone +372 44 70 595
GSM +372 56 496 124, IM: frame@jabber.org
http://www.active.ee