Hi All,

I am currently working on Samba + LDAP PDC in RHEL-4.

I have some problem when doing the smbldap-useradd -w command.

When I have a WinXP box try to join the PDC, smbldap-useradd -w "%u" will add a workstation account to the LDAP tree with all POSIX attributes but without all the SambaSAMAccount attributes. So, the WinXP box can't find its workstation account and wouldn't join the domain.

After searching the Samba archive I found a patch that added an extra if (defined($Options{'w'})) section and will force adding a workstation account with all SambaSAMAccount attributes.

But, magic happened here. The first time a machine joins the PDC, it will eventually fail as the machine is still not able to find its workstation account. But immediately the second time, it works. And it has been proven that it behaves this way after joining 7 workstations to the PDC.

Attached file is the patch file. Please advise.

Thanks for all the good comments and help.

--
Regards,
C. K. Ong (Chris)
Linux System Engineer, RHCT Cert No: 603004347692007
http://www.redhat.com/rhce/rhce603004347692007.html

My Directory Sdn. Bhd.
Your Open Source Partner.
http://www.md.com.my http://www.net.my 2005

-----------------------------------------------------------------------
After watching Gentoo in Antartica, I decided to go home with RedHat on my head.
-----------------------------------------------------------------------

-------------- next part --------------
--- smbldap-useradd 2005-05-31 11:49:26.000000000 +0300
+++ patched 2005-06-06 09:53:50.000000000 +0300
@@ -1,6 +1,6 @@ #!/usr/bin/perl -w -# $Id: smbldap-useradd,v 1.27 2005/05/27 14:21:00 jtournier Exp $ +# $Id: smbldap-useradd,v 1.26 2005/02/26 11:12:25 jtournier Exp $ # # This code was developped by IDEALX (http://IDEALX.org/) and # contributors (their names can be found in the CONTRIBUTORS file). @@ -164,7 +164,7 @@ my $userGroupSID; my $userRid; my $user_sid; -if (defined $Options{'a'} or defined $Options{'i'}) { +if (defined $Options{'a'} or defined $Options{'i'} or defined $Options{'w'}) { # as grouprid we use the value of the sambaSID attribute for # group of gidNumber=$userGidNumber $group_entry = read_group_entry_gid($userGidNumber); @@ -265,6 +265,28 @@ $modify->code && die "failed to add entry: ", $modify->error ; } + + if (defined($Options{'w'})) { + my $date=time; + my $modify = $ldap_master->modify ( "uid=$userName,$config{computersdn}", + changes => [ + replace => [objectClass => ['inetOrgPerson', 'posixAccount', 'sambaSAMAccount']], + add => [sambaAcctFlags => '[W ]'], + add => [sambaSID => "$user_sid"], + add => [sambaLogonTime => '0'], + add => [sambaLogoffTime => '2147483647'], + add => [sambaLMPassword => "kala"], + add => [sambaNTPassword => "kala"], + add => [sambaKickoffTime => '2147483647'], + add => [sambaPwdCanChange => '0'], + add => [sambaPwdMustChange => '2147483647'], + add => [sambaPwdLastSet => "$date"], + add => [sambaPrimaryGroupSID => "$config{SID}-515"] + ] + ); + + $modify->code && die "failed to add entry: ", $modify->error ; + } $ldap_master->unbind; exit 0; 
@@ -311,11 +333,7 @@ system "mkdir $userHomeDirectory 2>/dev/null"; system "cp -a $config{skeletonDir}/.[a-z,A-Z]* $config{skeletonDir}/* $userHomeDirectory 2>/dev/null"; system "chown -R $userUidNumber:$userGidNumber $userHomeDirectory 2>/dev/null"; - if (defined $config{userHomeDirectoryMode}) { - system "chmod $config{userHomeDirectoryMode} $userHomeDirectory 2>/dev/null"; - } else { - system "chmod 700 $userHomeDirectory 2>/dev/null"; - } + system "chmod 700 $userHomeDirectory 2>/dev/null"; } } }
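Review bot: the first hunk changes the $Id revision from 1.27 down to 1.26, which means "patched" was made from an older checkout than the "smbldap-useradd" it is diffed against; regenerate the diff against the 1.27 file so the $Id line is untouched and only the -w change shows up.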
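Review bot: in the @@ -164 hunk, adding `or defined $Options{'w'}` is what gets $user_sid computed for a workstation, but the group entry fetched right below it with `read_group_entry_gid($userGidNumber)` is then ignored by the new -w block, which hardcodes `sambaPrimaryGroupSID => "$config{SID}-515"`; either reuse the SID taken from that group entry or add a comment saying why Domain Computers (RID 515) is forced regardless of the gidNumber given.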
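Review bot: in the @@ -265 hunk, `replace => [objectClass => ['inetOrgPerson', 'posixAccount', 'sambaSAMAccount']]` overwrites the whole objectClass list, so any class the -w add put on the entry (e.g. top) is dropped and the modify can fail with an objectClass violation; `add => [objectClass => 'sambaSAMAccount']` is the safer change. Also, `sambaLMPassword`/`sambaNTPassword => "kala"` stores a literal word where Samba expects a 32-hex-digit hash, the die message says "failed to add entry" for a modify, and nothing here adds the machine's uid to the memberUid of Domain Computers, which is the gap Markus reports later in this thread.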
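Review bot: the @@ -311 hunk removes the userHomeDirectoryMode branch and hardcodes `chmod 700`, a regression that has nothing to do with the -w fix and matches the older revision the $Id change points at; drop this hunk from the patch.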
Chris Ong wrote:
> smbldap-useradd -w "%u" will add a workstation account to the LDAP
> tree with all POSIX attribute but without all the SambaSAMAccount
> attribute.

Is this on the command line? Because in the smb.conf this would be correct, as Samba adds the necessary SambaSAMAccount attributes by itself. But if you are using the smbldap-tools on the command line you need to specify the "-a" option to have SambaSAMAccount attributes added. E.g.:

-a is a Windows User (otherwise, Posix stuff only)

Regards
Geoff
hi,

I have the same problem with the smbldap-tools v0.9.0, but on SUSE 9.3.

If I say:

./smbldap-useradd -w -a xxx

it only adds the posix stuff, not the samba things.

I have read that computers should not be in the computers dn in ldap; it should be in the users dn. Is that right?
http://marc.theaimsgroup.com/?l=samba&m=108439612826440&w=2

Can somebody send the file changes from smb.conf, nss???...

greetings

markus

On Friday, 12 August 2005 12:17, Chris Ong wrote:
> Geert Stappers wrote:
> > Recently changed the LDAP master account passwd in phpldapadmin?
> > Did you also update it the samba side? ( smbpasswd -w )
>
> Nope. The LDAP master account passwd has never been changed since the
> implementation.
>
> --
> Regards,
> C. K. Ong (Chris)
I found the problem in the smbldap-tools. The problem in my case is that if I add a workstation with smbldap-useradd -w test, the computer is added in computers, but the id of this computer is not set in the group "Domain Computers" in the field "memberUid". I hope this is the global failure of the scripts. Can somebody confirm this?

On Friday, 12 August 2005 14:46, Markus Markert wrote:
> hi, have the same problem with the smbldap-tools v0.9.0, but on suse 9.3.
> if i say:
>
> ./smbldap-useradd -w -a xxx
>
> it only adds the posix stuff, not the samba things.
>
> i have read, that computers should not be in the computers dn in ldap. it
> should be in the users dn. is that right?
> http://marc.theaimsgroup.com/?l=samba&m=108439612826440&w=2
>
> can somebody send the filechanges from smb.conf, nss???...
>
> greetings
>
> markus
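As an added check (not part of this thread or of smbldap-tools) for the two symptoms reported here, Chris's machine account lacking the sambaSAMAccount attributes and Markus's machine uid missing from memberUid of Domain Computers, the Python snippet below parses a constructed LDIF export and lists what is wrong with a machine account entry. The DNs, the domain SID and the attribute set are assumptions made up for the example.

```python
# Constructed LDIF export (not from the thread): a machine account in the
# computers OU and the "Domain Computers" group it should be a memberUid of.
SAMPLE_LDIF = """\
dn: uid=ws01$,ou=Computers,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
uid: ws01$
gidNumber: 515

dn: cn=Domain Computers,ou=Groups,dc=example,dc=com
objectClass: posixGroup
cn: Domain Computers
gidNumber: 515
sambaSID: S-1-5-21-1-2-3-515
"""

DOMAIN_SID = "S-1-5-21-1-2-3"  # constructed domain SID, not a real one
# Attributes a usable Samba machine account must carry (as in the patch above)
REQUIRED = ("sambaSID", "sambaAcctFlags", "sambaPrimaryGroupSID", "sambaNTPassword")

def parse_ldif(text):
    """Return {dn: {attr: [values]}} from a minimal LDIF export (no wrapping/base64)."""
    entries = {}
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            key, _, val = line.partition(": ")
            attrs.setdefault(key, []).append(val)
        entries[attrs["dn"][0]] = attrs
    return entries

def check_machine_account(entries, dn, domain_sid):
    """Return a list of problems for the machine account at dn (empty list = OK)."""
    e = entries[dn]
    uid = e["uid"][0]
    problems = []
    if "sambaSAMAccount" not in e.get("objectClass", []):
        problems.append("objectClass lacks sambaSAMAccount")
    problems += [f"missing {a}" for a in REQUIRED if a not in e]
    flags = e.get("sambaAcctFlags", ["[W]"])[0]
    if "W" not in flags:  # machine accounts must carry the W (workstation) flag
        problems.append(f"sambaAcctFlags {flags!r} has no W flag")
    if e.get("sambaPrimaryGroupSID", [f"{domain_sid}-515"])[0] != f"{domain_sid}-515":
        problems.append("sambaPrimaryGroupSID is not Domain Computers (RID 515)")
    # Markus's finding: the machine uid must also be a memberUid of Domain Computers
    groups = [g for g in entries.values() if g.get("cn") == ["Domain Computers"]]
    if not any(uid in g.get("memberUid", []) for g in groups):
        problems.append(f"{uid} is not a memberUid of Domain Computers")
    return problems
```

Run it against a real `ldapsearch -LLL` export of the computers OU and the Domain Computers group to see which of the two symptoms a given machine account shows.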
On August 11, 2005 10:21 am, Chris Ong wrote:

Sounds like the same issue I was having before. I posted to the list with my solution. But here is the link to marc:
http://marc.theaimsgroup.com/?l=samba&m=111886542309160&w=2

hope that helps!

Ryan

> Hi All,
>
> I am currently working on Samba + LDAP PDC in RHEL-4.
>
> I have some problem when doing the smbldap-useradd -w command.
>
> When I have a WinXP box try to join the PDC,
>
> smbldap-useradd -w "%u" will add a workstation account to the LDAP tree
> with all POSIX attributes but without all the SambaSAMAccount attributes.
> So, the WinXP box can't find its workstation account and wouldn't join
> the domain.
>
> After searching the Samba archive I found a patch that added an extra
> if (defined($Options{'w'})) section and will force adding a workstation
> account with all SambaSAMAccount attributes.
>
> But, magic happened here. The first time a machine joins the PDC,
> it will eventually fail as the machine is still not able to find its
> workstation account. But immediately the second time, it works. And
> it has been proven that it behaves this way after joining 7 workstations to
> the PDC.
>
> Attached file is the patch file. Please advise.
>
> Thanks for all the good comments and help.