When setting up an LDAP PDC do I have to have both users and machines
in the ou=People container? Here's what I've got.
LDAP Tree
ou=People,o=umd.umich.edu
ou=NIS,ou=Groups,o=umd.umich.edu
ou=machines,ou=Samba,ou=Services,o=umd.umich.edu
ou=Idmap,ou=Samba,ou=Services,o=umd.umich.edu
smb.conf (ldap stuff)
ldap delete dn = no
ldap suffix = o=umd.umich.edu
ldap user suffix = ou=People
ldap group suffix = ou=NIS,ou=Groups
ldap machine suffix = ou=machines,ou=Samba,ou=Services
ldap idmap suffix = ou=Idmap,ou=Services
ldapsam:trusted = yes
idmap backend = ldap:ldap://tien.its.umd.umich.edu
passdb backend = ldapsam:ldap://tien.its.umd.umich.edu
NSS setting
nss_base_passwd ou=People
nss_base_groups ou=NIS
When I attempt to join a workstation to the domain the smbldap-useradd
script works and creates the posix entry, but the samba attributes are
never added and the workstation returns the error "user cannot be
found". If I try adding the workstation using smbpasswd -a -m I get
"Failed to initialise SAM_ACCOUNT for user its-1150d$. Does this user
exist in the UNIX password database", which would be correct: since
machine accounts aren't under ou=People, the local workstation won't be
able to look them up. I don't want my unix users seeing all the
windows workstations.
Thanks,
Derek
On Fri, Sep 30, 2005 at 09:37:02AM -0400, Derek Harkness wrote:
> When setting up an LDAP PDC do I have to have both users and machines
> in the ou=People container? Here's what I've got.
>
> LDAP Tree
>
> ou=People,o=umd.umich.edu
> ou=NIS,ou=Groups,o=umd.umich.edu
> ou=machines,ou=Samba,ou=Services,o=umd.umich.edu
> ou=Idmap,ou=Samba,ou=Services,o=umd.umich.edu
>
<snip/>
> -m I get "Failed to initialise SAM_ACCOUNT for user its-1150d$. Does
> this user exist in the UNIX password database" which would be correct
> since machine accounts aren't under ou=People the local workstation
> won't be able to look them up. I don't want my unix users seeing all
> the windows workstations.

I think that http://lists.samba.org/archive/samba/2005-August/109641.html can help.

St
Derek Harkness wrote:
> I don't want my unix users seeing all the windows workstations.

Unfortunately, there seems to be no way to prevent this. Samba makes no distinction between looking up users and computers. They are both looked up in the "passwd" NSS table. One could argue that a computer account should belong to the "hosts" table, looked up with gethostbyname and tied to the Host object from nis.schema. But given the fact that hosts are handled by DNS and /etc/hosts, this would probably open several cans of worms. The other approach would be to detect computer accounts by looking for $ at the end of the name (if this is a valid assumption) and give them their own codepath.

greetings Paul
On Fri 30/09/2005 at 15:37, Derek Harkness wrote:
> When setting up an LDAP PDC do I have to have both users and machines
> in the ou=People container? Here's what I've got.
>
> LDAP Tree
>
> ou=People,o=umd.umich.edu
> ou=NIS,ou=Groups,o=umd.umich.edu
> ou=machines,ou=Samba,ou=Services,o=umd.umich.edu
> ou=Idmap,ou=Samba,ou=Services,o=umd.umich.edu
>
> -m I get "Failed to initialise SAM_ACCOUNT for user its-1150d$. Does
> this user exist in the UNIX password database" which would be correct
> since machine accounts aren't under ou=People the local workstation
> won't be able to look them up. I don't want my unix users seeing all
> the windows workstations.

The domain controllers have to see machine accounts. I have a setup like yours, but on the PDC my NSS setup is:

base o=umd.umich.edu
#nss_base_passwd ou=People

so the whole tree is searched, while on other machines it is:

base o=umd.umich.edu
nss_base_passwd ou=People

and here the machine accounts are not seen.
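The following is an added worked example, not code from the thread or from Samba. It models two things the thread discusses: how smbd composes the full DNs it uses from the relative suffixes in Derek's smb.conf, and how an nss_ldap-style passwd lookup with a restricted search base (ou=People) on workstations versus an unrestricted base (the whole tree) on the PDC decides whether a machine account such as its-1150d$ can be resolved. It also includes the trailing-$ heuristic Paul mentions. The directory entries, uidNumbers and the two ldap.conf dictionaries are constructed for the example; the relative nss_base_passwd value follows the thread's own notation rather than nss_ldap's documented full-DN form.

```python
# Added example (not from the thread or from Samba). Models which passwd
# entries a host can resolve under two NSS search-base configurations.
from dataclasses import dataclass
from typing import Dict, List, Optional

# 'ldap suffix' and the relative suffixes from the original smb.conf.
LDAP_SUFFIX = "o=umd.umich.edu"
SMB_CONF = {
    "ldap user suffix": "ou=People",
    "ldap group suffix": "ou=NIS,ou=Groups",
    "ldap machine suffix": "ou=machines,ou=Samba,ou=Services",
}


def full_dn(relative_suffix: str, suffix: str = LDAP_SUFFIX) -> str:
    """Samba appends 'ldap suffix' to each relative suffix to get the
    container it reads from and writes to."""
    return f"{relative_suffix},{suffix}"


def dn_components(dn: str) -> List[str]:
    # Naive split on commas; fine for the constructed DNs below, which
    # contain no escaped commas in RDN values.
    return [c.strip() for c in dn.split(",")]


def is_under(dn: str, base: str, scope: str = "sub") -> bool:
    """True if dn lies below base. scope 'one' = direct children only,
    'sub' = anywhere in the subtree (nss_ldap's default)."""
    dn_parts, base_parts = dn_components(dn), dn_components(base)
    if len(dn_parts) <= len(base_parts):
        return False
    if dn_parts[-len(base_parts):] != base_parts:
        return False
    if scope == "one":
        return len(dn_parts) == len(base_parts) + 1
    return True


def is_machine_account(name: str) -> bool:
    # Paul's suggested heuristic: a trailing '$' marks a machine account.
    return name.endswith("$")


@dataclass
class Entry:
    uid: str
    dn: str
    uid_number: int


# Constructed directory content laid out like Derek's tree: a person under
# ou=People and a workstation account under the machine suffix.
ENTRIES = [
    Entry("derek", f"uid=derek,{full_dn(SMB_CONF['ldap user suffix'])}", 1001),
    Entry("its-1150d$",
          f"uid=its-1150d$,{full_dn(SMB_CONF['ldap machine suffix'])}", 20001),
]

# Constructed ldap.conf settings, following the thread: the PDC has
# nss_base_passwd commented out (whole tree searched from 'base'), the
# workstation restricts passwd lookups to ou=People.
PDC_LDAP_CONF: Dict[str, str] = {"base": LDAP_SUFFIX}
WORKSTATION_LDAP_CONF: Dict[str, str] = {"base": LDAP_SUFFIX,
                                         "nss_base_passwd": "ou=People"}


def getpwnam(name: str, entries: List[Entry],
             ldap_conf: Dict[str, str]) -> Optional[Entry]:
    """Emulates an nss_ldap passwd lookup: only entries within the
    configured search base are visible to the host."""
    base = ldap_conf["base"]
    passwd_base = ldap_conf.get("nss_base_passwd")
    search_base = f"{passwd_base},{base}" if passwd_base else base
    scope = ldap_conf.get("scope", "sub")
    for entry in entries:
        if entry.uid == name and is_under(entry.dn, search_base, scope):
            return entry
    return None


def visible_accounts(entries: List[Entry], ldap_conf: Dict[str, str]) -> List[str]:
    """Names this host can resolve, in directory order."""
    return [e.uid for e in entries if getpwnam(e.uid, entries, ldap_conf)]


if __name__ == "__main__":
    print("machine container:", full_dn(SMB_CONF["ldap machine suffix"]))
    print("PDC sees:        ", visible_accounts(ENTRIES, PDC_LDAP_CONF))
    print("workstation sees:", visible_accounts(ENTRIES, WORKSTATION_LDAP_CONF))
    for e in ENTRIES:
        print(f"{e.uid}: machine account = {is_machine_account(e.uid)}")
```

Running it shows the split the last reply describes: the PDC resolves both derek and its-1150d$ (so smbd can initialise the SAM account for the workstation), while a host whose passwd lookups are pinned to ou=People resolves only derek and never sees the machine accounts. The model ignores nss_ldap's `?scope?filter` suffix and DN escaping; it is meant to make the search-base decision visible, not to replace a real lookup.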