samba - Sep 2009 - Verification on HOW adding a machines works

I'm straddling the half-way point between samba and ldap. When adding a 
machine to the domain, functionally, it works like you would expect. You 
enter in the domain, enter your credentials, and reboot. The computer is 
able to function as a machine on the domain.

I'm using the smbldap-tools as suggested in the wiki. Here's the script:
add machine script = /usr/sbin/smbldap-useradd -w -g 100 -c "Workstation 
(%u)" -d /dev/null -s /sbin/nologin "%u"

When checking on details of the process:
# getent passwd
biggie$:x:1008:100:Workstation (biggie$):/nohome:/sbin/nologin
(works for me)

# getent group | grep users
users:x:100:
(the machine is not listed as a member of the group)
Should machines be displayed as a member of the group they are added to 
like users?


ldapsearch -x -b "dc=ptest,dc=us" "(objectclass=*)" | less
# machines, ptest.us
dn: ou=machines,dc=ptest,dc=us
ou: machines
objectClass: organizationalRole
cn: machines
(the ou that biggie is added to)

# BIGGIE$, machines, ptest.us
dn: uid=BIGGIE$,ou=machines,dc=ptest,dc=us
uid: BIGGIE$
objectClass: sambaSamAccount
objectClass: account
displayName: BIGGIE$
(biggie's ldap entry)

-- 
Thanks for the assist,

Todd E Thomas
C: 515.778.6913
"It's a frail music knits the world together."
-Robert Dana

On my setup, I have libnss and libpam set to filter out machine POSIX accounts.
All of my machine accounts have a UID higher than 10000, so I can filter it 
something like this:

nss_base_passwd dc=domain,dc=com?sub?&(uidNumber<=9999)
(objectClass=posixAccount)
nss_base_shadow dc=domain,dc=com?sub?&(uidNumber<=9999)
(objectClass=posixAccount)

Standard Linux utilities will never "see" machine accounts using NSS
calls
(like getent), but the accounts do exist and Samba doesn't seem to have a 
problem with them.  So I think you'll be okay.

Wes


On Thursday 17 September 2009 11:46:32 pm Todd E Thomas
wrote:
> I'm straddling the half-way point between samba and ldap. When adding a
> machine to the domain, functionally, it works like you would expect. You 
> enter in the domain, enter your credentials, and reboot. The computer is 
> able to function as a machine on the domain.
> 
> I'm using the smbldap-tools as suggested in the wiki. Here's the
script:
> add machine script = /usr/sbin/smbldap-useradd -w -g 100 -c
"Workstation
> (%u)" -d /dev/null -s /sbin/nologin "%u"
> 
> When checking on details of the process:
> # getent passwd
> biggie$:x:1008:100:Workstation (biggie$):/nohome:/sbin/nologin
> (works for me)
> 
> # getent group | grep users
> users:x:100:
> (the machine is not listed as a member of the group)
> Should machines be displayed as a member of the group they are added to 
> like users?
> 
> 
> ldapsearch -x -b "dc=ptest,dc=us" "(objectclass=*)" |
less
> # machines, ptest.us
> dn: ou=machines,dc=ptest,dc=us
> ou: machines
> objectClass: organizationalRole
> cn: machines
> (the ou that biggie is added to)
> 
> # BIGGIE$, machines, ptest.us
> dn: uid=BIGGIE$,ou=machines,dc=ptest,dc=us
> uid: BIGGIE$
> objectClass: sambaSamAccount
> objectClass: account
> displayName: BIGGIE$
> (biggie's ldap entry)
> 
> -- 
> Thanks for the assist,
> 
> Todd E Thomas
> C: 515.778.6913
> "It's a frail music knits the world together."
> -Robert Dana
> 
> -- 
> To unsubscribe from this list go to the following URL and read the
> instructions:  https://lists.samba.org/mailman/options/samba
>