Pat Riehecky
2008-Feb-26 20:28 UTC
Re [Samba] LDAP adding workstation accounts fails (but not really???)
I very much appreciate the help thus far, but I think it has strayed a bit from the actual problem.

The problem is that when I join a system to the samba domain it creates /some/ but not all of the required attributes for the computer account. The process then fails as samba looks in the wrong part of my directory server. I would strongly prefer to put the workstation accounts in their own tree (ou=Computers). I added the relevant bits to the smb.conf for this to happen (ldap machine suffix = ou=Computers) and restarted samba. Yet the debug logs show me that, while it executes the machine add script just fine, it is still looking in ou=People. As a leap into absurdity I even rebooted the whole box (in case a shared memory segment was somehow hanging about), still the samba binary is convinced my computer accounts live in ou=People. The process becomes more odd when I can see in the debug log that the samba binary has successfully read in my machine suffix.

I find this a bit unusual.
Pat

On Tue, 2008-02-26 at 09:03 -0800, Chuck Kollars wrote:
> > ...Yet, if I search LDAP after the join attempt I
> > find: dn: uid=testing$,ou=Computers,dc=iwu,dc=edu
>
> This convention of a "workstation" account being the same as a "people" account except with a dollar sign appended to the name is the way Windows works. Weird? Yes. Looks wrong? Yes. Needs "fixing"? Maybe Not.
>
> > ...My LDAP logs show it is searching ou=People rather than ou=Computers to see if it was added successfully. What must I do to make it search ou=Computers? ...
>
> Unfortunately it's pretty easy and pretty common to use LDAP in a way that doesn't match the "usual" human definitions of some words. This isn't necessarily wrong though. If an operation doesn't work, definitely dig in. But if an operation "works" but appears to use words differently than your definitions, it may not be a problem.
>
> Every LDAP tool has its own settings. Change it for one tool, and it will still behave the old way for other tools.
>
> For `ldapsearch`, there are several settings, the later of which override the earlier. One is "base" in a file named something like /etc/openldap/ldap.conf. This may be overridden by a command line parameter to `ldapsearch`.
>
> For LDAP name service lookups (if enabled in /etc/nsswitch.conf), again there's "base" but this time in /etc/ldap.conf (a separate file but with a name very similar to the first one). Sometimes you'll also find "nss_base_hosts", which takes precedence if it exists. There may also be a setting on pam_ldap.so.
>
> etc.
>
> > Now the other half of the question, the part you didn't ask, which is not where to "search" but where to "store". (Obviously storing in one place but searching in the other won't work at all. Both storing and searching in the "wrong" place may work perfectly well for Samba, yet might be inconsistent with some of your other tools and procedures.)
>
> Unfortunately there are a gazillion different ways to update an LDAP database and they all work differently and are all configured differently. Are you using some scripts, or a web application like 'phpldapadmin', or the `ldapadd` command, or ...; and are you calling it explicitly or letting it be called from within Samba via the 'add machine' parameter?
>
> good luck!
>
> -Chuck Kollars
>
> ____________________________________________________________________________________
> Looking for last minute shopping deals?
> Find them fast with Yahoo! Search. http://tools.search.yahoo.com/newsearch/category.php?category=shopping
Pat Riehecky
2008-Feb-28 14:39 UTC
Re [Samba] LDAP adding workstation accounts fails (but not really???)
Hello,
Still hitting the same wall. (Oh yeah, uhh... Debian Linux samba
packages from SID)
# net rpc join -S TESTING -U root%password
Creation of workstation account failed
Unable to join domain TESTING
dn: uid=testing$,ou=Computers,dc=iwu,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
cn: testing$
uid: testing$
uidNumber: 1001
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
my /etc/ldap/ldap.conf reads (it has been hard linked to /etc/ldap.conf)
# cat ldap.conf
URI ldap://127.0.0.1
BASE dc=iwu,dc=edu
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_crypt local
nss_base_passwd dc=iwu,dc=edu?sub
Here are the ldap lines from my smb.conf
passdb backend = ldapsam:ldap://localhost
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap passwd sync = Yes
ldap suffix = dc=iwu,dc=edu
ldap ssl = no
ldap user suffix = ou=People
Seems like I have missed something.... Just not sure what
Pat
On Tue, 2008-02-26 at 13:30 -0800, Dirk Kleinhesselink wrote:
> On Tue, 26 Feb 2008, Pat Riehecky wrote:
>
> Assuming you're running linux or a similar system (nsswitch) - I think
> you need to set the search scope for your LDAP lookups. In my
> /etc/ldap.conf (the nsswitch ldap search configuration) I have:
>
> nss_base_passwd set to my base DN with scope sub:
>
> nss_base_passwd dc={},dc={}?sub
>
> The default is to do something like:
>
> nss_base_passwd ou=People,dc={},dc={}?one
>
> In my case People and Computers are underneath the base and so the passwd
> search starts at the base and seeks down.
>
> Then in my smb.conf I have the ldap suffix set to my LDAP base
> and the ldap user suffix is set to: ou=People and
> ldap machine suffix to: ou=Computers
>
> Dirk
>
> > I very much appreciate the help thus far, but I think it has strayed a
> > bit from the actual problem.
> >
> > The problem is that when I join a system to the samba domain it
> > creates /some/ but not all of the required attributes for the computer
> > account. The process then fails as samba looks in the wrong part of my
> > directory server. I would strongly prefer to put the workstation
> > accounts in their own tree (ou=Computers). I added the relevant bits to
> > the smb.conf for this to happen (ldap machine suffix = ou=Computers) and
> > restarted samba. Yet the debug logs show me that, while it executes the
> > machine add script just fine, it is still looking in ou=People. As a
> > leap into absurdity I even rebooted the whole box (in case a shared
> > memory segment was somehow hanging about), still the samba binary is
> > convinced my computer accounts live in ou=People. The process becomes
> > more odd when I can see in the debug log that the samba binary has
> > successfully read in my machine suffix.
> >
> > I find this a bit unusual.
> > Pat
> >
> > On Tue, 2008-02-26 at 09:03 -0800, Chuck Kollars wrote:
> >>> ...Yet, if I search LDAP after the join attempt I
> >>> find: dn: uid=testing$,ou=Computers,dc=iwu,dc=edu
> >>
> >> This convention of a "workstation" account being the
> >> same as a "people" account except with a dollar sign
> >> appended to the name is the way Windows works.
> >> Weird? Yes. Looks wrong? Yes. Needs "fixing"? Maybe Not.
> >>
> >>> ...My LDAP logs show it is searching ou=People
> >>> rather than ou=Computers to see if it was added
> >>> successfully. What must I do to make it search
> >>> ou=Computers? ...
> >>
> >> Unfortunately it's pretty easy and pretty common to
> >> use LDAP in a way that doesn't match the "usual" human
> >> definitions of some words. This isn't necessarily
> >> wrong though. If an operation doesn't work, definitely
> >> dig in. But if an operation "works" but appears to use
> >> words differently than your definitions, it may not be
> >> a problem.
> >>
> >> Every LDAP tool has its own settings. Change it for
> >> one tool, and it will still behave the old way for
> >> other tools.
> >>
> >> For `ldapsearch`, there are several settings, the
> >> later of which override the earlier. One is "base" in
> >> a file named something like /etc/openldap/ldap.conf.
> >> This may be overridden by a command line parameter to
> >> `ldapsearch`.
> >>
> >> For LDAP name service lookups (if enabled in
> >> /etc/nsswitch.conf), again there's "base" but this
> >> time in /etc/ldap.conf (a separate file but with a
> >> name very similar to the first one). Sometimes you'll
> >> also find "nss_base_hosts", which takes precedence if
> >> it exists. There may also be a setting on pam_ldap.so.
> >>
> >>
> >> etc.
> >>
> >>> Now the other half of the question, the part you
> >>> didn't ask, which is not where to "search" but
> >>> where to "store". (Obviously storing in one place
> >>> but searching in the other won't work at all.
> >>> Both storing and searching in the "wrong" place
> >>> may work perfectly well for Samba, yet might be
> >>> inconsistent with some of your other tools and
> >>> procedures.)
> >>
> >> Unfortunately there are a gazillion different ways to
> >> update an LDAP database and they all work differently
> >> and are all configured differently. Are you using some
> >> scripts, or a web application like 'phpldapadmin', or
> >> the `ldapadd` command, or ...; and are you calling it
> >> explicitly or letting it be called from within Samba
> >> via the 'add machine' parameter?
> >>
> >> good luck!
> >>
> >>
> >> -Chuck Kollars
> >>
> >>
> >>
> >>
> >
> >
>
Pat Riehecky
2008-Feb-29 16:01 UTC
Re [Samba] LDAP adding workstation accounts fails (but not really???)
Blast. My workstation account looks like the following after my failure to join the domain.

dn: uid=testing$,ou=Computers,dc=iwu,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
cn: testing$
uid: testing$
uidNumber: 1006
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer

I built up a Fedora 8 box and pointed it at my LDAP server and I still cannot su down to that user. I figured using the graphical tool for setting up pam_ldap would eliminate whatever mistake I have made that I just cannot seem to find. But it too cannot su down to testing$.

I just removed and reinstalled samba, now more stuff is not working. I am going to assume my test box is just too hosed up and leave it at that. When I get around to rebuilding it I will almost certainly have this problem again; since I don't know what caused it, I am doomed to repeat it....

Thanks for all the help
Pat

On Thu, 2008-02-28 at 13:08 -0600, Adam Williams wrote:
> see, I can su -l to my account:
>
> [root@gomer ~]# su -l domain2\$
> su: warning: cannot change directory to /dev/null: Not a directory
> -sh: /dev/null/.profile: Not a directory
> -sh-3.2$
>
> and its info is:
>
> dn: uid=domain2$,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
> objectClass: posixAccount
> objectClass: account
> objectClass: top
> objectClass: sambaSamAccount
> uid: domain2$
> uidNumber: 2003
> gidNumber: 514
> homeDirectory: /dev/null
> cn: domain2$
> sambaSID: S-1-5-21-2139886109-2393431639-217723040-1017
> displayName: domain2$
> sambaAcctFlags: [W ]
> sambaNTPassword: 890AE051A9ADB4707CD86824CF76F9B4
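The thread turns on two separate checks: whether the nss_ldap `nss_base_passwd` base and scope (Dirk's `ou=People,...?one` default versus `dc=...?sub`) actually cover the DN Samba wrote the machine account under, and what Pat's half-created entry is missing compared with Adam's entry that works. The following is an added example, not code from the thread, Samba or nss_ldap, that performs both checks offline against the entries posted above. It assumes nss_ldap's `base?scope?filter` syntax with scope defaulting to `sub` when omitted, compares DNs case-insensitively without handling RFC 4514 escaped commas (enough for the DNs on this page), and the function names are its own. Adam's entry is copied from the thread with the password hash left out.

```python
"""Offline checks for a Samba machine account stored in LDAP (added example).

Assumptions: nss_ldap 'base?scope?filter' syntax, scope defaults to 'sub' when
omitted; DN matching is case-insensitive and ignores RFC 4514 escaping.
"""

# Pat's entry after the failed join, as posted in the thread.
PAT_ENTRY = """\
dn: uid=testing$,ou=Computers,dc=iwu,dc=edu
objectClass: top
objectClass: account
objectClass: posixAccount
cn: testing$
uid: testing$
uidNumber: 1006
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer
"""

# Adam's working entry from the thread (sambaNTPassword omitted on purpose).
REFERENCE_ENTRY = """\
dn: uid=domain2$,ou=People,dc=gomer,dc=mdah,dc=state,dc=ms,dc=us
objectClass: posixAccount
objectClass: account
objectClass: top
objectClass: sambaSamAccount
uid: domain2$
uidNumber: 2003
gidNumber: 514
homeDirectory: /dev/null
cn: domain2$
sambaSID: S-1-5-21-2139886109-2393431639-217723040-1017
displayName: domain2$
sambaAcctFlags: [W ]
"""


def parse_ldif(text):
    """Parse one LDIF entry into {attribute: [values]} (no continuation lines)."""
    entry = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    return entry


def parse_nss_base(setting):
    """Split an nss_base_<map> value 'base?scope?filter' into (base, scope)."""
    base, _, rest = setting.strip().partition("?")
    scope = rest.split("?")[0].strip().lower() or "sub"  # assumed default: sub
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unknown LDAP scope {scope!r}")
    return base.strip(), scope


def dn_components(dn):
    """RDN components of a DN, left to right, lower-cased."""
    return [c.strip().lower() for c in dn.split(",")]


def in_scope(dn, base, scope):
    """True if a search from `base` with `scope` would return `dn`."""
    dn_parts, base_parts = dn_components(dn), dn_components(base)
    if len(dn_parts) < len(base_parts) or dn_parts[-len(base_parts):] != base_parts:
        return False  # dn is not under base at all
    depth = len(dn_parts) - len(base_parts)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


def diagnose(entry_ldif, nss_base_passwd, reference_ldif=REFERENCE_ENTRY):
    """Findings that would stop NSS/Samba from treating the entry as a machine account."""
    entry, ref = parse_ldif(entry_ldif), parse_ldif(reference_ldif)
    dn = entry["dn"][0]
    base, scope = parse_nss_base(nss_base_passwd)
    findings = []
    if not in_scope(dn, base, scope):
        findings.append(f"nss scope: {dn} is not reachable from base {base!r} with scope {scope!r}")
    have = {v.lower() for v in entry.get("objectClass", [])}
    want = {v.lower() for v in ref.get("objectClass", [])}
    findings += [f"missing objectClass: {oc}" for oc in sorted(want - have)]
    findings += [f"missing attribute: {a}" for a in sorted(set(ref) - set(entry) - {"dn"})]
    return findings


if __name__ == "__main__":
    for setting in ("ou=People,dc=iwu,dc=edu?one", "dc=iwu,dc=edu?sub"):
        print(f"nss_base_passwd {setting}")
        for finding in diagnose(PAT_ENTRY, setting):
            print("  -", finding)
```

With the `?one` setting the first finding is the scope mismatch, because `ou=Computers` is a sibling of `ou=People` rather than a child of it; switching to `dc=iwu,dc=edu?sub` (the value in Pat's posted ldap.conf) clears that finding but still reports the `sambaSamAccount` objectClass and the `sambaSID`, `displayName` and `sambaAcctFlags` attributes that Adam's entry carries and Pat's does not.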