On my setup, I have libnss and libpam set to filter out machine POSIX accounts.
All of my machine accounts have a UID higher than 10000, so I can filter it
something like this:
nss_base_passwd dc=domain,dc=com?sub?&(uidNumber<=9999)(objectClass=posixAccount)
nss_base_shadow dc=domain,dc=com?sub?&(uidNumber<=9999)(objectClass=posixAccount)
Standard Linux utilities will never "see" machine accounts using NSS calls
(like getent), but the accounts do exist and Samba doesn't seem to have a
problem with them. So I think you'll be okay.
Wes
On Thursday 17 September 2009 11:46:32 pm Todd E Thomas wrote:
> I'm straddling the half-way point between samba and ldap. When adding a
> machine to the domain, functionally, it works like you would expect. You
> enter in the domain, enter your credentials, and reboot. The computer is
> able to function as a machine on the domain.
>
> I'm using the smbldap-tools as suggested in the wiki. Here's the script:
> add machine script = /usr/sbin/smbldap-useradd -w -g 100 -c "Workstation (%u)" -d /dev/null -s /sbin/nologin "%u"
>
> When checking on details of the process:
> # getent passwd
> biggie$:x:1008:100:Workstation (biggie$):/nohome:/sbin/nologin
> (works for me)
>
> # getent group | grep users
> users:x:100:
> (the machine is not listed as a member of the group)
> Should machines be displayed as a member of the group they are added to
> like users?
>
>
> ldapsearch -x -b "dc=ptest,dc=us" "(objectclass=*)" | less
> # machines, ptest.us
> dn: ou=machines,dc=ptest,dc=us
> ou: machines
> objectClass: organizationalRole
> cn: machines
> (the ou that biggie is added to)
>
> # BIGGIE$, machines, ptest.us
> dn: uid=BIGGIE$,ou=machines,dc=ptest,dc=us
> uid: BIGGIE$
> objectClass: sambaSamAccount
> objectClass: account
> displayName: BIGGIE$
> (biggie's ldap entry)
>
> --
> Thanks for the assist,
>
> Todd E Thomas
> C: 515.778.6913
> "It's a frail music knits the world together."
> -Robert Dana
>
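An added example, not part of the original thread: the uidNumber<=9999 filter from the reply only hides machine accounts whose UID sits above the cutoff, and the biggie$ entry quoted above has UID 1008. This script checks passwd-format lines (captured with `getent passwd` before the filter is enabled) for machine accounts the filter would still expose or that carry a login shell; every sample line except biggie$ is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit passwd-format lines for machine accounts (names ending
# in "$") that a uidNumber<=MAX NSS filter would still leave visible.

# Constructed sample input. Only the biggie$ line comes from the thread;
# the other accounts are made up for illustration.
sample_passwd() {
cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
todd:x:1001:100:Todd:/home/todd:/bin/bash
biggie$:x:1008:100:Workstation (biggie$):/nohome:/sbin/nologin
smallie$:x:10004:100:Workstation (smallie$):/dev/null:/sbin/nologin
kiosk$:x:10005:100:Workstation (kiosk$):/dev/null:/bin/bash
EOF
}

# audit_machine_accounts MAX_UID
# Reads passwd lines on stdin and prints one finding per line:
#   VISIBLE <name> <uid>    machine account with uid <= MAX_UID, so the
#                           filter keeps it visible to NSS
#   SHELL <name> <shell>    machine account whose shell is not nologin/false
audit_machine_accounts() {
    awk -F: -v max="$1" '
        $1 ~ /\$$/ {
            if ($3 + 0 <= max + 0) print "VISIBLE", $1, $3
            if ($7 !~ /(nologin|false)$/) print "SHELL", $1, $7
        }'
}

# Cutoff taken from the filter in the reply (uidNumber<=9999).
sample_passwd | audit_machine_accounts 9999
```

Any VISIBLE finding means the machine account needs a uidNumber above the cutoff before the filter will hide it.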