On 09/05/2012 15:27, Gaiseric Vandal wrote:
When you join the machine to the domain you should be prompted for
credentials of someone who has permissions to join the computer to the
domain - this is normally the domain administrator or someone in the
domain administrators group. Users who are not domain administrators
should not be able to join machines to the domain.

You may also want to change your LDAP structure to get a little more
control, e.g. "ou=systeme" and "ou=temppeople" should be children of
"ou=people". You can configure your LDAP configuration to look for
users in "ou=people" and its children. "getent passwd" should still
list all the user accounts.

On 05/09/12 08:28, Thibaut Jacob wrote:
Hi,

I'm currently working on a server which uses Samba and OpenLDAP.
The OS used on the server is Debian squeeze 6.0.1 64; the previous one was
Fedora 5.

My Samba is the domain master of the network, the users of the LDAP
are linked with Samba, and I try to join XP computers to this domain,
so the users present in the LDAP can (with login and password) log
on to the domain, access shares etc.

LDAP schema:   ou=people
               ou=group
               ou=temppeople
               ou=tempgroups
               ou=systeme

Samba is well configured with libpam-ldap, libnss-ldap, smbldap-tools
and the file /etc/nsswitch.conf with:
passwd files ldap
group    files ldap
shadow files ldap

When using getent passwd, the server gets all the users of the LDAP.

But (and there is the problem): when trying to join the machine to
the domain, how do I tell Samba that only my users in
ou=systeme are the only ones able to join it? Because
currently anyone can join the domain and I don't want that.

Other strange thing: when I try to join the domain with, for example,
admin99 (which is present in ou=systeme), and I'm on the
server and open a terminal, when I log in as root (su - root) with the
right password of root, I obtain:
admin99@server, not root@server, and with an ls -lh on a folder, files
are admin99:root.

If I stop LDAP 2 minutes after, and re-open a terminal and log in as
root, everything comes back to normal.

If you need some information, I can give it in the next mail.

Regards.


Hi, thanks for your response first.

The structure dates from the beginning of the IUFM; this can't be changed so easily. In fact, in ou=systeme are the people who are (currently) able to join the domain from a workstation, and ou=temppeople is only there for 'new users who will not stay long'.

This is done this way because there are some replication scripts between servers (in Perl) and the users in ou=temppeople should not be present in the master LDAP (there is one 'master' and several slaves, but in different locations).

How can I tell Samba that only users in ou=systeme are able to be administrators of the Samba?

It's strange that the root name changes on the server after joining the domain, no?

thanks

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
