We have for some time now had samba 3.0.2a included in Skolelinux. And for a long time before we included samba3, it was impossible to add samba client workstations. It was not a problem to use win95/98 machines in the network, nor was it a problem to use win2k/XP machines in the network without joining them to the domain. But in order to get one common user DB, we needed to add the samba workstations to the domain.

There were some errors that prevented this. To try to make the rest of you understand what all the fuss is about, I'll try to sum up the process of adding samba users and samba clients.

All the users are stored in our LDAP server :) For things to happen correctly, only some users are allowed to write to the LDAP db: admin is allowed to write everything, the authenticated user is allowed to update their own password, and everyone else is allowed to read almost everything, except for passwords. You know the drill.

But when we add samba, we add some 2 more passwords: sambaLMPassword, the password used by old win9x users (I think), and sambaNTPassword, the password used by the rest. Samba also adds some other values, see [1] for reference.

To be able to update the samba values, samba needs to have a username and password for connecting to LDAP. This password is stored on disk on the main samba server. It is encrypted, but there is a command-line tool that decrypts the password. The file where this password is saved is /var/lib/samba/secret.tdb, and it should (and by default is) only readable/writable by root. I repeat: Samba needs to store a password on disk.

Now when it comes to users, it could be no problem to just give smbadmin (our samba admin user) write access to the samba* entries. But then we can't have win2k clients (or XP) in the network sharing the same user DB. To be able to use the Win2k/XP machines as clients, the machines need an account on the main samba server. This can be done by creating a user account for the machine; the name of the account is "<machinename>$". The "$" at the end is mandatory. One example of such an account can be found at [2]. Either this account has to be defined in LDAP, or it has to be defined in /etc/passwd on the main samba server. We want to use LDAP for our user DB, and this also applies to the machine accounts. If the machine account (like [2]) does not exist, samba will try to add the machine account before adding the samba information.

This is done by specifying a command to do this in /etc/samba/etc/smb.conf; we have /etc/samba/smbaddclient.pl to do this. The script needed to be rewritten when we went from samba 2.2.x to 3.0.x.

One problem, which by the way I have only seen with wlus, not with the old wls, is that the machine accounts showed up in the user admin interface. This is because they were not separated into an ou=Machines, but were in ou=People. To separate them we created an ou=Machines, and started to add the machines in there. This would also make it possible to let smbadmin only create new entries in ou=Machines, and not in the entire LDAP db. But then samba was not able to create the SAM_ACCOUNT, as samba called it. The problem then was that getent passwd only listed the users from ou=People. To fix this I needed to comment out a line in /etc/libnss-ldap.conf, so the lines that are actually in there now are:

    host ldap
    base dc=skole,dc=skolelinux,dc=no
    # nss_base_passwd ou=People,
    nss_base_group ou=Group,
    nss_base_netgroup ou=Netgroup,
    ldap_version 3

To sum up: smbadmin needs permission to add an object with the following objectClasses: posixAccount, top, sambaSamAccount. It needs to have permission to write to these entries: dn, objectClass, uid, uidNumber, gidNumber, homeDirectory, cn and loginShell, as well as the samba* entries. Well, looking at the schema, I see that loginShell is optional, but what happens if someone tries to log in with that account? Also we can limit write access to the ou=Machines, if that is possible.

So we have 4 options:

1. Create a GUI for adding machine accounts to the normal ou=People, and let samba add objectClass sambaSamAccount, with the necessary entries.
2. Let samba add entries to ou=People through our script smbaddclient.pl, and the stored password. smbadmin does not need to have write access to the userPassword parameter.
3. Let samba add entries to the ou=Machines through our script.
4. Release Skolelinux 1.0 without Samba, or at least without support for using win2k/XP clients.

I vote for number 3, which is committed to cvs (the necessary changes are in debian-edu-config), but is not tested on a new installation, only by patching an old one. Someone has to release a new debian-edu-config to make me test it. (Beware: Andreas released a new debian-edu-config without committing at least the changelog to cvs, so one has to do some debugging there. The version in cvs is 0.383, and the version on CD is 0.383, but they are not the same.)

[1] http://bugs.skolelinux.no/attachment.cgi?id=232&action=view
[2] http://bugs.skolelinux.no/attachment.cgi?id=231&action=view

-- 
Finn-Arne Johansen
[EMAIL PROTECTED]
http://bzz.no/
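The following is an added example, not code from the post above or from Skolelinux/debian-edu-config (smbaddclient.pl is not reproduced here). It shows what the add script has to produce for option 3, namely a posixAccount entry named "<machinename>$" under ou=Machines that samba then extends with sambaSamAccount and the samba* attributes, and it models the write permissions smbadmin would need under that option: only directly under ou=Machines, only the attributes listed in the post plus samba*, and never userPassword. The base DN is the one from the libnss-ldap.conf quoted above; the uid/gid numbers, the homeDirectory value, the loginShell value and the hostname pattern are assumptions made for this illustration.

```python
"""Added example (not from the original post or from Skolelinux/debian-edu-config):
the machine account entry an add script must create for option 3, and a model
of the write permissions smbadmin needs for it.  The base DN comes from the
libnss-ldap.conf in the post; uid/gid numbers, homeDirectory, loginShell and the
hostname pattern are assumptions made here."""
import re

BASE_DN = "dc=skole,dc=skolelinux,dc=no"
MACHINES_OU = "ou=Machines," + BASE_DN
PEOPLE_OU = "ou=People," + BASE_DN

# Attributes the post lists as what smbadmin must be able to write.
# Anything starting with "samba" (sambaSID, sambaNTPassword, ...) is allowed too.
SMBADMIN_ATTRS = {"objectClass", "uid", "uidNumber", "gidNumber",
                  "homeDirectory", "cn", "loginShell"}


def machine_uid(hostname):
    """Account name for a workstation: the host name plus the mandatory trailing '$'."""
    # Assumption: NetBIOS-style names, at most 15 characters of letters, digits and '-'.
    if not re.fullmatch(r"[A-Za-z0-9-]{1,15}", hostname):
        raise ValueError("not a usable machine name: %r" % hostname)
    return hostname + "$"


def machine_entry(hostname, uid_number, gid_number):
    """The posixAccount entry under ou=Machines that the add script creates.

    Samba itself adds objectClass sambaSamAccount and the samba* attributes
    afterwards, so they are deliberately not part of this entry.
    """
    uid = machine_uid(hostname)
    return {
        "dn": "uid=%s,%s" % (uid, MACHINES_OU),
        "objectClass": ["top", "posixAccount"],
        "uid": [uid],
        "cn": [uid],
        "uidNumber": [str(uid_number)],
        "gidNumber": [str(gid_number)],
        "homeDirectory": ["/dev/null"],   # assumption: a machine account gets no home
        # loginShell is optional in the schema; assumption: set it to a non-shell so
        # that nobody can log in interactively as "<machinename>$" through NSS/PAM.
        "loginShell": ["/bin/false"],
    }


def to_ldif(entry):
    """Serialise an entry dict as LDIF text, as ldapadd would read it."""
    lines = ["dn: " + entry["dn"]]
    for attr, values in entry.items():
        if attr == "dn":
            continue
        for value in values:
            lines.append("%s: %s" % (attr, value))
    return "\n".join(lines) + "\n"


def smbadmin_may_write(dn, attrs):
    """Model of the option-3 ACL: smbadmin may write only to uid=... entries
    directly under ou=Machines, only the listed attributes plus samba*, and
    never userPassword."""
    rdn, _, parent = dn.partition(",")
    if parent.lower() != MACHINES_OU.lower() or not rdn.lower().startswith("uid="):
        return False
    for attr in attrs:
        if attr == "userPassword":
            return False
        if attr not in SMBADMIN_ATTRS and not attr.lower().startswith("samba"):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample: workstation ws01, uid/gid numbers chosen arbitrarily.
    entry = machine_entry("ws01", 20001, 1003)
    print(to_ldif(entry))
    # samba extending the entry it just had created: allowed
    print(smbadmin_may_write(entry["dn"], ["objectClass", "sambaSID", "sambaNTPassword"]))
    # touching a real user under ou=People, or userPassword anywhere: refused
    print(smbadmin_may_write("uid=someone," + PEOPLE_OU, ["sambaNTPassword"]))
    print(smbadmin_may_write(entry["dn"], ["userPassword"]))
```

The entry deliberately omits sambaSamAccount: in the flow the post describes, the add script only has to get a posixAccount in place, and samba adds the samba* attributes itself using the smbadmin credentials from secrets storage. The permission model is what a slapd access rule for smbadmin would have to express; it is a check in Python here only so the policy can be read and tested, not a replacement for the server-side ACL.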

