samba - Dec 2009 - UNIX accounts needed for machine accounts?

Hi,

I have the following problem: My structure is stored in LDAP that way:

dc=example,dc=com
  + ou=groups
  |  + cn=Account Operators
  |  + ...
  + ou=machines
  |  + uid=workstation1$
  |  + uid=workstation2$
  |  + ...
  + ou=users
     + ou=int
     |  + uid=user1
     |  + uid=user2
     |  + ...
     + ou=ext
        + uid=user3
        + uid=user4
        + ...
    ...

Only internal users (in ou=int) branch have the samba object classes and 
should be available on internal servers.

Therefore I set the in the libnss-ldap the search scope for the users to 
ou=int,ou=users,dc=example,dc=com.

But this also means that the machine accounts are not available on the 
UNIX server.

Is this necessary? Does it cause any problems?

If yes, is there a solution for that (except putting the machine 
accounts into the ou=int branch)?

Regards,
Luke

Lukas Haase <lukashaase at gmx.at> wrote:
> Is this necessary? Does it cause any problems?
Only the samba DC must be able to access the machine objects. So if  
you plan to reduce the scope on your PDC, machine autentication, or  
joining a machine to domain will allways fail.

On client side I can't see problems so far...

Ralf Hornik Mailings schrieb:
> Lukas Haase <lukashaase at gmx.at> schreibte:
> 
>> Yes I think that is the one solution. But the reason why I did not yet 
>> do it is simple: Because the machine Accounts are not users!
> 
> Machine accounts are very well users! ;-)
> Respective samba users. So by design they have to reside your samba 
> containers.
> However you can seperate them by name (as in my suggestion of your LDAP 
> design) but getent will (and should) always find them.
Yes.

Are you familiar with LDAP?

I created an alias now:

ou=machines,ou=int,ou=users,dc=example,dc=com --> 
ou=machines,dc=example,dc=com

That works really good on the fly ... if I enable dereference aliases in 
my LDAP browser I there is even no difference.

libnss-ldap seems to support "dereferencing aliases".

So it should work...BUT is this a good idea or is it better to "move" 
the machines there instead of linking?

Regards,
Luke

Lukas Haase schrieb:
> Ralf Hornik Mailings schrieb:
>> Lukas Haase <lukashaase at gmx.at> schreibte:
>>
>>> Yes I think that is the one solution. But the reason why I did not 
>>> yet do it is simple: Because the machine Accounts are not users!
>>
>> Machine accounts are very well users! ;-)
>> Respective samba users. So by design they have to reside your samba 
>> containers.
>> However you can seperate them by name (as in my suggestion of your 
>> LDAP design) but getent will (and should) always find them.
> 
> Yes.
> 
> Are you familiar with LDAP?
> 
> I created an alias now:
> 
> ou=machines,ou=int,ou=users,dc=example,dc=com --> 
> ou=machines,dc=example,dc=com
> 
> That works really good on the fly ... if I enable dereference aliases in 
> my LDAP browser I there is even no difference.
> 
> libnss-ldap seems to support "dereferencing aliases".
> 
> So it should work...BUT is this a good idea or is it better to
"move"
> the machines there instead of linking?
Sorry to quote myself...but I think that would have another big 
advantage: I would only need to dereference the aliases on the PDC 
machine and nowhere other I would have the ugly machine accounts in the 
system :)
> Regards,
> Luke