When you join the machine to the domain you should be prompted for
credentials of someone who has permissions to join the computer to the
domain - this is normally the domain administrator or someone in the
domain administrators group. Users who are not domain administrators
should not be able to join machines to the domain.

You may also want to change your LDAP structure to get a little more
control, e.g. "ou=systeme" and "ou=temppeople" should be children of
"ou=people." You can configure your LDAP configuration to look for
users in "ou=people" and its children. "getent passwd" should still
list all the user accounts.

On 05/09/12 08:28, Thibaut Jacob wrote:
> Hi,
>
> I'm currently working on a server which uses samba and openldap,
> The OS used is Debian squeeze 6.0.1 64 on the server, the previous was
> fedora 5
>
> My Samba is the domain Master of the network, the users of the ldap
> are linked with the samba, and I try to join computer XP to this domain,
> so the user present in the ldap could (with login and password) log
> on in the domain, access shares etc ...
>
> ldap schema : ou=people
> ou=group
> ou=temppeople
> ou=tempgroups
> ou=systeme
>
> Samba is well configured with libpam-ldap, libnss-ldap, smb-ldaptools
> and the file /etc/nsswitch.conf with
> passwd files ldap
> group files ldap
> shadow files ldap
>
> When using getent passwd, the server get all the users of the ldap.
>
> But, (and there is the problem): when trying to join the machine to
> the domain, how do I say to samba that only my users in
> ou = systeme ; are the only one able to join this one ? Because
> currently, anyone can join the domain and I don't want it.
>
> Other Strange things, when I try to join the domain with for example
> admin99 ( which is present in the ou=systeme) , when I'm on the
> server and open a Terminal, when I log in root ( su - root ) with the
> right password of root, I obtain :
> admin99 at server , not root at server , and with a ls -lh on folder, files
> are on admin99:root
>
> If I stop ldap 2 minutes after, and re-open a terminal and log as
> root, everything come back to normal.
>
> If you need some information, I can give it in the next mail.
>
> Regards.
>
>