[EMAIL PROTECTED] wrote:
Hi Paul,
I'm getting a user not found after I made the changes. That's what I used
to get when I didn't add the machine account to /etc/passwd first.
Ok, so now the question is this, when you try to join, are you giving it
the root user or root equivalent (uid=0) account? Is it making the
posix account but not modifying it with sambaSAM information? You are
sure that everything is using ou=People (or whatever users container
you're using)?
Just curious, do you have a working system that does just that, where if
you add a machine by joining it to the domain, smbldap_useradd.pl creates
the posixAccount and sambaSAMAccount in LDAP?
I *did* when I was migration testing for samba3 but now my test box has
been scrapped for a Sun trade-in. I need to rebuild it before I go live
with S3 (still on 2.2.8 here sadly) so I'll be building entirely from
scratch again, hopefully this week if other projects get taken care of.
I've done a pile of testing in my setup to get it to work with our
remote LDAP master and local and/or distributed DC boxes. There were
some timing issues there if replication didn't happen quick enough, a
real PITA.
I'll continue to tinker with it. If you have any other suggestions, let me
know. I'm very close.
Changes below:
[EMAIL PROTECTED] wrote:
Thanks for getting back to me, Paul.
Here's the domain controller's smb.conf:
[global]
workgroup = WarehamPS
encrypt passwords = Yes
time server = Yes
socket options = TCP_NODELAY
security = user
logon script = whs1.bat
writable = Yes
dns proxy = no
directory mask = 02770
preferred master = yes
netbios name = WHS1
server string = RedHat 8.0 LDAP Server
passdb backend = ldapsam
ldap passwd sync = Yes
machine password timeout = 604800
passwd program = /usr/local/samba/bin/smbpasswd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUnix\spassword:* %n\n
log file = /var/log/samba.%m
debug level = 2
max log size = 50
add user script = /usr/local/sbin/smbldap-useradd.pl %u
delete user script = /usr/local/sbin/smbldap-useradd.pl %u
add group script = /usr/local/sbin/smbldap-groupadd.pl
delete group script = /usr/local/sbin/smbldap-groupdel.pl
add machine script = /usr/sbin/useradd -c "Computer" -d /dev/null -s /bin/false -g 502 -M %u; /usr/local/samba/bin/smbpasswd -a -m %u
Change these scripts to be like so:
add user script = /usr/sbin/smbldap-useradd -a -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add group script = /usr/sbin/smbldap-groupadd "%g"
delete group script = /usr/sbin/smbldap-groupdel "%g"
add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
Make sure the paths line up, of course. The quotes are important in case
you get spaces in the parameters.
logon script = whs1.bat
logon path =
logon drive = H:
logon home =
domain logons = Yes
os level = 64
domain master = Yes
dns proxy = Yes
admin users = @domain_admins
wins support = Yes
name resolve order = wins hosts bcast
ldap suffix = dc=tow,dc=net
ldap machine suffix = ou=Computers
Make ldap machine suffix match ldap user suffix. Known bug.
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap admin dn = cn=admin,dc=tow,dc=net
ldap ssl = no
<shares defs deleted>
Of course, make sure your smbldap config file matches the above LDAP dn
information for users, computers. Check back after trying it out.
Paul
Kent
Wareham Public Schools
[EMAIL PROTECTED] wrote:
Hello,
I have a question about machine accounts.
I'm using Samba 3.0, OpenLDAP 2.1.30 and Berkeley 4.2.52 as the backend on
RedHat machines.
I also have 3 slave/BDCs and 1 master/PDC.
Right now all of my users and groups exist entirely in the LDAP
directory.
I have a few accounts in addition to the normal system accounts that are
used for emergency access. All authentication and group enumeration uses
PAM_LDAP with NSS_LDAP.
My question is that when I have a machine join the domain, in the LDAP
directory an objectclass Account and sambaSAMAccount are created. I still
need to create a machine account in /etc/passwd for this to happen. Is
there anyone out there that is first creating a posixAccount with
appropriate attributes in LDAP then using the Samba/Windows to generate
the sambaSAMAccount object and attributes in LDAP also?
You shouldn't need anything in /etc/passwd. Perhaps by posting an
smb.conf you could be pointed in the right direction.
I was so happy to get all of the user/group stuff consolidated into the
directory. Now I see that this is a possibility also but I haven't tried
it.
Kent N
Wareham Public Schools
--
Paul Gienger Office: 701-281-1884
Applied Engineering Inc. Cell: 701-306-6254
Information Systems Consultant Fax: 701-281-1322
URL: www.ae-solutions.com mailto:[EMAIL PROTECTED]
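As an added example (not code from the thread or from the smbldap-tools project), here is a small Python check for the smb.conf problems Paul points out: the ldap machine suffix differing from the ldap user suffix, a delete script that calls an add tool, a machine script that creates a local /etc/passwd entry instead of an LDAP one, and unquoted %u/%g parameters. The two smb.conf excerpts are constructed from the lines posted above, the second one with Paul's corrections applied.

```python
import re

# Constructed sample: script and suffix lines from the smb.conf in the thread.
POSTED = """[global]
add user script = /usr/local/sbin/smbldap-useradd.pl %u
delete user script = /usr/local/sbin/smbldap-useradd.pl %u
add machine script = /usr/sbin/useradd -c "Computer" -d /dev/null \\
    -s /bin/false -g 502 -M %u; /usr/local/samba/bin/smbpasswd -a -m %u
ldap machine suffix = ou=Computers
ldap user suffix = ou=Users
"""

CORRECTED = """[global]
add user script = /usr/sbin/smbldap-useradd -a -m "%u"
delete user script = /usr/sbin/smbldap-userdel "%u"
add machine script = /usr/sbin/smbldap-useradd -w "%u"
ldap machine suffix = ou=Users
ldap user suffix = ou=Users
"""  # the same keys after Paul's suggested changes

def parse_smb_conf(text):  # [sections], key = value, backslash continuations
    conf, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # value continues on the next line
            pending = line[:-1].rstrip() + " "
            continue
        if not line or line[0] in "#;":  # blank lines and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            conf[section][key.strip().lower()] = value.strip()
    return conf

def check_ldapsam_scripts(conf):  # returns the problems found; [] means clean
    g, findings = conf.get("global", {}), []
    if g.get("ldap machine suffix") != g.get("ldap user suffix"):
        findings.append("ldap machine suffix differs from ldap user suffix")
    if "useradd" in g.get("delete user script", ""):
        findings.append("delete user script calls an add tool")
    if "/usr/sbin/useradd" in g.get("add machine script", ""):
        findings.append("add machine script creates a local /etc/passwd entry")
    for key, val in g.items():              # %u/%g must be quoted against spaces
        if key.endswith("script") and re.search(r'(?<!")%[ug](?!")', val):
            findings.append(f"{key}: unquoted %u/%g parameter")
    return findings
```

Running `check_ldapsam_scripts(parse_smb_conf(POSTED))` reports all six problems; the corrected excerpt reports none.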