Thierry Lacoste
2009-Mar-24 15:29 UTC
[Samba] problem with sambaNextRid (WAS: updating samba/ldap: do I need new attributes?)
Hello,

I did the steps described below and I have a problem with machine RIDs.

When I first join a machine, samba adds to my sambaDomainName ldap entry a sambaNextRid attribute with a value of 1000. Now samba uses this value (incremented each time) to give its RID to the machine.

This is going to be a real problem as my current samba computes RIDs as 1000+2*UID.

FWIW I'm using smbldap-tools to create user accounts and I have
add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
in my smb.conf, though I don't think it is relevant because AFAIK this script is only called to create the posix machine account.

What are my options? If at all possible, I'd rather stick to the 1000+2*UID algorithm.

I googled about it and I know that others were caught too, but I wasn't able to find a solution.

Regards,
Thierry.

Quoting Adam Williams <awilliam@mdah.state.ms.us>:

> your steps are fine. you don't need the samba LDAP entries you listed,
> when you do smbpasswd -a user, it will add the minimum required LDAP
> entries for samba.
>
> lacoste@miage.univ-paris12.fr wrote:
>> Hello,
>>
>> I plan to update my samba-3.0.22/openldap-2.3.24
>> to samba-3.0.34/openldap-2.4.15 and I'm currently testing it.
>> This is on FreeBSD.
>>
>> My idea is:
>> 1) slapcat the openldap server and save the various tdb files.
>> 2) deinstall samba and openldap and wipe out the bdb files
>> 3) install the newer versions
>> 4) slapadd to the new openldap server
>>
>> This seems to work in my test lab.
>> During my tests I also built a new domain afresh and realized that the
>> sambaDomainName ldap entry has some attributes that are not in my
>> production server: sambaMinPwdLength, sambaLogonToChgPwd,
>> sambaLockoutDuration,
>> sambaLockoutObservationWindow, sambaLockoutThreshold, sambaForceLogoff.
>>
>> Do I have to add these attributes to my ldif file before slapadd?
>> More generally, do I have to add some attributes to my ldap entries?
>>
>> Regards,
>> Thierry
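The problem Thierry describes is two RID allocation schemes living in one domain: accounts created with the algorithmic mapping RID = 1000 + 2*UID, and machine accounts numbered from the sambaNextRid counter, which starts at 1000 and walks upward into the algorithmic range. The following script is an added example, not code from this thread, from Samba or from smbldap-tools. It audits a slapcat-style LDIF export: it recomputes the algorithmic RID from uidNumber for every sambaSamAccount, flags accounts whose sambaSID does not match (the ones that came from sambaNextRid), reports RIDs held by more than one account, and lists existing RIDs that the current sambaNextRid value will reach on later joins. The LDIF, domain SID and account names are constructed placeholders.

```python
"""
Audit a Samba/LDAP export for RID allocation conflicts.

Added example; assumes the algorithmic mapping from the thread,
RID = 1000 + 2 * uidNumber, and compares it with the RID recorded
in each account's sambaSID.
"""

from collections import defaultdict

RID_BASE = 1000  # algorithmic base from the thread: RID = 1000 + 2*UID

# Constructed sample LDIF: domain SID, DNs and uids are placeholders.
# alice/bob were created algorithmically; ws01$/ws02$ were numbered
# from sambaNextRid, and ws01$ already collides with alice.
SAMPLE_LDIF = """\
dn: sambaDomainName=EXAMPLE,dc=example,dc=org
objectClass: sambaDomain
sambaDomainName: EXAMPLE
sambaSID: S-1-5-21-111-222-333
sambaNextRid: 2002

dn: uid=alice,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
uid: alice
uidNumber: 500
sambaSID: S-1-5-21-111-222-333-2000

dn: uid=bob,ou=People,dc=example,dc=org
objectClass: sambaSamAccount
uid: bob
uidNumber: 501
sambaSID: S-1-5-21-111-222-333-2002

dn: uid=ws01$,ou=Computers,dc=example,dc=org
objectClass: sambaSamAccount
uid: ws01$
uidNumber: 1003
sambaSID: S-1-5-21-111-222-333-2000

dn: uid=ws02$,ou=Computers,dc=example,dc=org
objectClass: sambaSamAccount
uid: ws02$
uidNumber: 1004
sambaSID: S-1-5-21-111-222-333-2001
"""


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attribute: [values]} dicts.
    Folded continuation lines (leading space) are joined; comments skipped."""
    entries, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # continuation of the previous attribute line
            continue
        if raw.strip() == "":
            if lines:
                entry = defaultdict(list)
                for line in lines:
                    if line.startswith("#"):
                        continue
                    attr, _, value = line.partition(":")
                    entry[attr.strip()].append(value.strip())
                entries.append(dict(entry))
                lines = []
            continue
        lines.append(raw)
    return entries


def rid_of(sid):
    """Return the trailing RID component of a SID string."""
    return int(sid.rsplit("-", 1)[1])


def algorithmic_rid(uid_number):
    """The mapping the thread relies on: RID = 1000 + 2*UID."""
    return RID_BASE + 2 * int(uid_number)


def audit(entries):
    """Compare recorded RIDs with the algorithmic ones and report conflicts."""
    next_rid, accounts = None, []
    for e in entries:
        classes = {c.lower() for c in e.get("objectClass", [])}
        if "sambadomain" in classes and "sambaNextRid" in e:
            next_rid = int(e["sambaNextRid"][0])
        elif "sambasamaccount" in classes and "sambaSID" in e and "uidNumber" in e:
            accounts.append((e["uid"][0], rid_of(e["sambaSID"][0]), int(e["uidNumber"][0])))

    # Accounts whose RID was not derived from uidNumber (sambaNextRid allocations).
    mismatches = [(uid, rid, algorithmic_rid(n)) for uid, rid, n in accounts
                  if rid != algorithmic_rid(n)]
    by_rid = defaultdict(list)
    for uid, rid, _ in accounts:
        by_rid[rid].append(uid)
    duplicates = {rid: uids for rid, uids in by_rid.items() if len(uids) > 1}
    # Existing RIDs the counter will hand out again on a future join.
    at_risk = [(uid, rid) for uid, rid, _ in accounts
               if next_rid is not None and rid >= next_rid]
    return {"next_rid": next_rid, "mismatches": mismatches,
            "duplicates": duplicates, "at_risk": at_risk}


if __name__ == "__main__":
    report = audit(parse_ldif(SAMPLE_LDIF))
    print("sambaNextRid:", report["next_rid"])
    for uid, rid, expected in report["mismatches"]:
        print(f"non-algorithmic RID: {uid} has {rid}, algorithmic would be {expected}")
    for rid, uids in report["duplicates"].items():
        print(f"RID {rid} is shared by: {', '.join(uids)}")
    for uid, rid in report["at_risk"]:
        print(f"RID {rid} ({uid}) will be reached by sambaNextRid")
```

Run it against `slapcat` output instead of the embedded sample to see which machine accounts were numbered from the counter and whether the counter is about to collide with an algorithmic user RID; a non-empty `duplicates` result means two principals already share one SID, which is the failure Thierry is trying to avoid.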
Adam Williams
2009-Mar-24 23:59 UTC
[Samba] Re: problem with sambaNextRid (WAS: updating samba/ldap: do I need new attributes?)
samba creates the RID when smbpasswd -a is used (or machine is joined to the domain). smbldap-tools creates an entry in ldap to keep up with the next available UID. I don't remember what it is. Personally, I just use a text file that contains my next available UID and GID in it and increment when I add a user. I do everything by hand with .ldif files though.

Thierry Lacoste wrote:
> Hello,
>
> I did the steps described below and I have a problem with machine RIDs.
>
> When I first join a machine, samba adds to my sambaDomainName ldap entry
> a sambaNextRid attribute with a value of 1000.
> Now samba uses this value (incremented each time) to give its RID
> to the machine.
>
> This is going to be a real problem as my current samba computes RIDs
> as 1000+2*UID.
>
> FWIW I'm using smbldap-tools to create user accounts and I have
> add machine script = /usr/local/sbin/smbldap-useradd -w '%u'
> in my smb.conf though I don't think it is relevant because
> AFAIK this script is only called to create the posix machine account.
>
> What are my options?
> If at all possible, I'd rather stick to the 1000+2*UID algorithm.
>
> I googled about it and I know that others were caught too
> but I wasn't able to find a solution.
>
> Regards,
> Thierry.
>
> Quoting Adam Williams <awilliam@mdah.state.ms.us>:
>
>> your steps are fine. you don't need the samba LDAP entries you listed,
>> when you do smbpasswd -a user, it will add the minimum required LDAP
>> entries for samba.
>>
>> lacoste@miage.univ-paris12.fr wrote:
>>> Hello,
>>>
>>> I plan to update my samba-3.0.22/openldap-2.3.24
>>> to samba-3.0.34/openldap-2.4.15 and I'm currently testing it.
>>> This is on FreeBSD.
>>>
>>> My idea is:
>>> 1) slapcat the openldap server and save the various tdb files.
>>> 2) deinstall samba and openldap and wipe out the bdb files
>>> 3) install the newer versions
>>> 4) slapadd to the new openldap server
>>>
>>> This seems to work in my test lab.
>>> During my tests I also built a new domain afresh and realized that the
>>> sambaDomainName ldap entry has some attributes that are not in my
>>> production server: sambaMinPwdLength, sambaLogonToChgPwd,
>>> sambaLockoutDuration,
>>> sambaLockoutObservationWindow, sambaLockoutThreshold, sambaForceLogoff.
>>>
>>> Do I have to add these attributes to my ldif file before slapadd?
>>> More generally, do I have to add some attributes to my ldap entries?
>>>
>>> Regards,
>>> Thierry