Ryan Braun
2005-Jun-15 19:56 UTC
[Samba] Solution to smbldap-tools not adding sambaSAMAccount
Well I finally managed to get my machines added to my ldap/samba domain. The problem was that I had defined an ou each for Computers and Users. ie dc=base,dc=org | ------ ou = Users | ------ ou = Computers Now the problem was that the nss_ldap library was searching in Users only, and apparently the samba server needs to be able to resolve the Computers tree aswell to add the sambaSAMAccount objectclass. Not wanting to have a mess of computer and user accounts in one tree, I added a ou for Computers under Users. So now it looks like dc=base,dc=org | ----- ou = Users | ------- ou = Computers After making that addition and changing the smb.conf entry ldap machine suffix = ou=Computers,ou=Users and the smbldap.conf entry computersdn="ou=Computers,ou=Users,${suffix}" and lastly changing the search scope for nss_ldap by changing libnss-ldap.conf (debian) (not 100% sure how each search scope works but this worked for me) scope sub And then just make sure that getent passwd is resolving all the way down the Computers branch by copying an account into there just to make sure. If you see the account when you run getent passwd you should be ok. Restart samba aswell. Many thanks to John H Terpstra for the excellent sidebar in Ch 5 of Samba3 by example stating the nss_ldap resolving issue. Ryan Braun (Now my new problem to follow in the next message :P )
Tony Earnshaw
2005-Jun-15 22:39 UTC
[Samba] Solution to smbldap-tools not adding sambaSAMAccount
ons, 15.06.2005 kl. 21.53 skrev Ryan Braun:> Now the problem was that the nss_ldap library was searching in Users only, > and apparently the samba server needs to be able to resolve the Computers > tree aswell to add the sambaSAMAccount objectclass.<rant> I don't want to upset you unduly, but nss has nothing to do with this and it's not necessary to have the computers dn under the users dn to make things work. It's all those "/&@?{# idealx scripts and peoples' basic ignorance of how LDAP works at all that fsck up the otherwise brilliant Samba daemon, ldapsam and command line utilities.How on earth something so banal as the idealx scripts can have been packaged together with these brilliant utilities stupefies me. At my site (3.0.14a) I have masses (5) of different user dns in different places in my tree, goodness knows how many group dns and a single computers dn way down deep in the tree, far apart from the users. The basic Samba utilities (smbd, ldapsam, smbpasswd, pdbedit) can cope with all of these just fine. But I don't use the idealx scripts, I use my own awk script to make the initial custom posixAccounts (have to have masses of special stuff that the idealx scripts have never heard of) and shell scripts for administering the rest of the Samba stuff. It's the way the Samba people treat LDAP, as if it were a breeding ground for morons. LDAP is a never-empty Pandora's box, that is there for a totally different purpose than that to which the samba people allude. It is the basis of a network-wide authentication system that should be installed and understood long before one has even begun to think about Samba or any other service whatsoever. I realize that the Samba people have attempted to, and largely attained, the aim of supplying an out-of-the box solution for averagely intelligent Windows-minded people (the Samba people have written this themselves), but it would perhaps be as well if they drew peoples' attention to the importance of, and wealth of possibilities of, LDAP as a basic sovereign multi-OS, multi-vendor service on which Samba is dependent, rather than the idea they convey at the moment that it is some kind of an add-on purely present to satisfy samba's needs. </rant>> (Now my new problem to follow in the next message :P )Well, that was my problem. Best, --Tonni -- mail: tonye@billy.demon.nl http://www.billy.demon.nl
Geoff Scott
2005-Jun-16 00:04 UTC
[Samba] Solution to smbldap-tools not adding sambaSAMAccount
Tony Earnshaw wrote:> ons, 15.06.2005 kl. 21.53 skrev Ryan Braun: > >> Now the problem was that the nss_ldap library was searching in Users >> only, and apparently the samba server needs to be able to resolve the >> Computers tree aswell to add the sambaSAMAccount objectclass. > > <rant> > I don't want to upset you unduly, but nss has nothing to do with this > and it's not necessary to have the computers dn under the users dn to > make things work. It's all those "/&@?{# idealx scripts and peoples' > basic ignorance of how LDAP works at all that fsck up the otherwise > brilliant Samba daemon, ldapsam and command line utilities.How on > earth something so banal as the idealx scripts can have been packaged > together with these brilliant utilities stupefies me. >Bullshit Tony. Utter bullshit. You spread FUD about the smbldap tools. The smbldap tools now handle user accounts (which includes computer accounts) in multiple ou's but nss has to know where the base starts that's the problem. The solution supplied by Ryan is fine.> At my site (3.0.14a) I have masses (5) of different user dns in > different places in my tree,And how have you configured nss? Do you point it at a common root for those accounts?> goodness knows how many group dns and a > single computers dn way down deep in the tree, far apart from the > users.So does Adam Tuano Williams. But we don't hear him ranting on this list every five seconds about how crap the smbldap tools scripts are. He has designed his own schema for morrison industries. Written his own scripts. He is more competant than you, yet we don't hear him cramming his own opinion down other peoples throats. In fact I've noticed traffic on this list go down since you came onto it. If you want to know anything about how cyrus, or xfs, or quite a few other useful things work you can find it on Adam's site. Not everyone gets an erection about how good GQ is either. Even if it is that good.> > It's the way the Samba people treat LDAP, as if it were a breeding > ground for morons. LDAP is a never-empty Pandora's box,It is if you are only using it for samba.> It is the basis of a network-wide authentication system that > should be installed and understood long before one has even begun to > think about Samba or any other service whatsoever.And who has time to do that?> I realize that the > Samba people have attempted to, and largely attained, the aim of > supplying an out-of-the box solution for averagely intelligent > Windows-minded people (the Samba people have written this > themselves), but it would perhaps be as well if they drew peoples' > attention to the importance of, and wealth of possibilities of, LDAP > as a basic sovereign multi-OS, multi-vendor service on which Samba is > dependent, rather than the idea they convey at the moment that it is > some kind of an add-on purely present to satisfy samba's needs. > </rant> >Yudda, yudda, yudda. So it goes every fortnight. Smbldap tools are crap. You are far more intelligent than anyone else. Yet have we seen you post an alternative toolset? Nope. When you are challenged to do something about your claims you withdraw and say things about how disjointed your user management scripts are, and that you wouldn't post them onto the web. Etc, etc I for one, am sick and tired of it. Please stop it. Geoff
Possibly Parallel Threads
- Machine account with object class sambaSAMAccount required?
- smbldap-useradd -w problem
- smbldap-tools and joining workstation to domain
- With sambaSamAccount, do I need an add user script and an add machine script?
- smbldap-useradd not creating machine accounts in correct fashion