[Finn-Arne Johansen]
> I repeat: Samba needs to store a password on disk.

As you are well aware, I am not happy with doing this.

> But then samba was not able to create SAM_ACCOUNT as samba called
> it.

What does this mean?

> The problem then was that getent passwd only listed the users from
> OU=People.

Why was this a problem? Isn't that where the users are? 'getent passwd'
should not list machines, right?

> To fix this I needed to comment out a line in /etc/libnss-ldap.conf, so
> the lines that are actually in there now are:
> host ldap
> base dc=skole,dc=skolelinux,dc=no
> # nss_base_passwd ou=People,

Would this list machines when doing 'getent passwd'?

> To sum up:
> smbadmin needs permission to add an object with the following
> objectclasses: posixAccount, top, sambaSamAccount

Why must a machine have a posixAccount?

> It needs to have permission to write to these entries:
> dn, objectClass, uid, uidNumber, gidNumber, homeDirectory, cn and
> loginShell, as well as the samba* entries

Why must a machine have uid, uidNumber, gidNumber and homeDirectory?

> well, looking at the schema, I see that loginShell is optional, but
> what happens if someone tries to log in with that account?

How can it be possible to log in using a machine account?

> Also we can limit write access to the ou=Machines, if that is possible.

This sounds like the very least we should do.

BTW: Isn't there some registry setting one can use in Windows 2k/XP to get
the machine to log in as Win95/98?

> So we have 4 options:
> 1 Create a gui for Adding Machine Accounts to the normal ou=People, and
>   let samba add objectClass sambaSamAccount, with the necessary
>   entries.

I need more info on the sambaSamAccount before I understand this option.

> 2 Let samba add entries to ou=People through our script
>   smbaddclient.pl, and the stored password. smbadmin does not need to
>   have write access to the userPassword parameter

I am worried about the write access without an administrator present, and
less about the individual attributes.
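Added example (not from the thread, and not Skolelinux's own configuration): one way to express "limit write access to ou=Machines" as OpenLDAP slapd.conf ACLs, so that smbadmin can only create and fill in machine accounts under ou=Machines and has read-only access everywhere else. The base DN dc=skole,dc=skolelinux,dc=no and the attribute list come from the thread; the bind DN cn=smbadmin,dc=skole,dc=skolelinux,dc=no, the OpenLDAP 2.1+ `dn.exact`/`dn.children` syntax, and the concrete samba* attribute names (from samba.schema) are assumptions. The sambaNTPassword and sambaLMPassword attributes are the "password on disk" mentioned above; because an NT hash is password-equivalent, the first rule hides them from everyone except the Samba admin bind.

```conf
# slapd.conf ACL fragment (added example, assumed DNs).
# OpenLDAP evaluates "access to" clauses in order and the first clause whose
# target matches wins, so the most specific rules must come first.

# 1. Password hashes of machine accounts: only the Samba admin bind may read
#    or write them; nobody else (including anonymous NSS lookups) may read them.
access to dn.children="ou=Machines,dc=skole,dc=skolelinux,dc=no"
        attrs=sambaNTPassword,sambaLMPassword,userPassword
        by dn.exact="cn=smbadmin,dc=skole,dc=skolelinux,dc=no" write
        by * none

# 2. Creating and deleting entries directly under ou=Machines requires write
#    access to the "children" pseudo-attribute of the parent entry.
access to dn.exact="ou=Machines,dc=skole,dc=skolelinux,dc=no"
        attrs=children
        by dn.exact="cn=smbadmin,dc=skole,dc=skolelinux,dc=no" write
        by * none

# 3. The attributes smbaddclient.pl / Samba needs on a machine account
#    ("entry" is the pseudo-attribute that governs adding/modifying the entry
#    itself). Everyone else may read them so getent-style lookups still work.
access to dn.children="ou=Machines,dc=skole,dc=skolelinux,dc=no"
        attrs=entry,objectClass,uid,uidNumber,gidNumber,homeDirectory,cn,loginShell,sambaSID,sambaPrimaryGroupSID,sambaAcctFlags,sambaPwdLastSet
        by dn.exact="cn=smbadmin,dc=skole,dc=skolelinux,dc=no" write
        by * read

# 4. Everything else (ou=People included): smbadmin is read-only, so a
#    compromised Samba admin credential cannot alter user accounts.
access to *
        by dn.exact="cn=smbadmin,dc=skole,dc=skolelinux,dc=no" read
        by * read
```

A quick check after restarting slapd: bind as smbadmin with ldapsearch and confirm that entries under ou=Machines return sambaNTPassword while an anonymous search of the same entry does not, and that an ldapmodify as smbadmin against an ou=People entry is refused with "Insufficient access". Rule 4 is deliberately permissive for `* read`; tighten it to match whatever the existing ACL for ou=People already says rather than copying it as-is.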

