On Thursday 10 March 2005 17:13, Steve Zeng wrote:
John,
You are the man. Problem solved. I changed /etc/ldap.conf as you suggested:
nss_base_passwd dc=mfelc?sub
nss_base_group dc=mfelc?sub
nss_base_hosts dc=mfelc?sub
Why do you have the nss_base_hosts entry set in /etc/ldap.conf? Samba does not need/use that. Unless you know precisely how to use that I'd suggest commenting it out.
Good point.
I don't have a local /etc/hosts file on the Samba PDC, so I need to resolve hostnames with LDAP. My nsswitch.conf looks like this:
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files ldap
and I have "add machine script = /usr/sbin/smbldap-useradd -w %u" included in smb.conf. Now it works perfectly. The machine account is created on the fly!
One more question for you. If I use LDAP only for hosts lookup in nsswitch, all the machine names come with a "$". In this case, how can I resolve the hostname?
Please explain. Host entries are of the form:
192.168.0.1 hostname.domain.tld hostname
Where is the '$' in that?
It is from LDAP, from when the machine account was created on the fly. I checked the LDAP DIT; the dn for the machine account is as follows:
uid=ajatar$,ou=Computers,dc=mfelc
- John T.
Thanks.
Steve
On Thursday 10 March 2005 13:56, Steve Zeng wrote:
Hi,
I am using a Samba 3.0.10 PDC with LDAP as the password DB. Before, we used smbpasswd as the passwd DB, and every time I needed to add a machine account into /etc/passwd so that the machine could join the domain. My understanding of LDAP is that this step is not needed any more, since we will put all machine accounts into "ou=Computers". But I have been proved wrong.
Is this the way Samba works? I mean, Samba has to make sure a machine account exists in the /etc/passwd file of the Samba PDC, doesn't it?
Nope. If you use LDAP, then both the POSIX account and the SambaSAMAccount information should be in LDAP. On the other hand, if you put your machine accounts into the ou=Computers container and user accounts in ou=Users, your /etc/ldap.conf file needs to point to the directory tree above ou=Users and above ou=Computers. Additionally, the lookup for user accounts will have to be a 'sub' type so look-ups will descend both trees.
In other words, I am guessing that in your /etc/ldap.conf you have:
nss_base_passwd ou=People,dc=abmas,dc=biz?one
Instead of:
nss_base_passwd dc=abmas,dc=biz?sub
If my assumptions are correct, then if you set /etc/nsswitch.conf to have:
passwd: ldap
shadow: ldap
group: ldap
and then you execute:
getent passwd
You will not see a listing of accounts that includes the machine accounts. If this is what you see, then making the change in /etc/ldap.conf so that:
nss_base_passwd dc=abmas,dc=biz
(of course substituting your directory domain component info) will list the machine accounts and you will no longer need them in your /etc/passwd.
In summary, by putting the machine accounts into your /etc/passwd you are using a work-around for a broken LDAP/NSS environment.
Does that answer your question and solve the problem?
- John T.
-- Regards,
Steve Zeng Systems Administrator Mainframe Entertainment Inc T: (604) 628-1000 ext 5293
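The check John walks through above (is nss_base_passwd scoped so that NSS actually descends into ou=Computers, and does the account listing then include the "$"-suffixed machine accounts?) can be scripted. The following is an added example, not code from the thread or from the Samba or nss_ldap projects; it uses a constructed /etc/ldap.conf fragment and a constructed passwd-format listing in place of the real file and of `getent passwd`, and it assumes nss_ldap's behaviour that a missing "?scope" suffix means the default scope, sub.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread). Two checks:
#  1) whether the nss_base_passwd search in ldap.conf can reach entries
#     stored under a given container (e.g. ou=Computers); a scope of "one"
#     on ou=People cannot, which is the failure John describes;
#  2) which accounts in a passwd-format listing are machine (trust)
#     accounts, recognisable by the trailing "$" in the uid.

# Constructed sample of the relevant /etc/ldap.conf lines (assumed content,
# mirroring the "?one" misconfiguration discussed in the thread).
SAMPLE_LDAP_CONF=$(cat <<'EOF'
# nss_ldap configuration (constructed sample)
base dc=abmas,dc=biz
nss_base_passwd ou=People,dc=abmas,dc=biz?one
nss_base_group  ou=Groups,dc=abmas,dc=biz?one
EOF
)

# Print "<search base> <scope>" for the given nss_base_* key read from the
# configuration text passed as $2. A missing "?scope" suffix is treated as
# "sub" (assumed nss_ldap default when the global scope is not overridden).
nss_base_entry() {
    key=$1
    printf '%s\n' "$2" | awk -v k="$key" '
        $1 == k {
            n = split($2, parts, "?")
            scope = (n > 1) ? parts[2] : "sub"
            print parts[1], scope
            exit
        }'
}

# Return 0 when the search configured for key $1 will find entries stored
# directly under container $2 (a DN such as ou=Computers,dc=abmas,dc=biz),
# given the configuration text $3. With scope "one" only direct children of
# the search base are returned, so a base of ou=People never reaches
# ou=Computers, and a base of dc=abmas,dc=biz reaches it only with "sub".
search_reaches() {
    key=$1; ou=$2; conf=$3
    set -- $(nss_base_entry "$key" "$conf")
    base=$1; scope=$2
    case "$base" in
        "$ou") return 0 ;;            # the container itself is the base
    esac
    case "$ou" in
        *",$base") [ "$scope" = "sub" ] && return 0 ;;
    esac
    return 1
}

# Read passwd-format lines on stdin and print the uids of machine accounts
# (Samba trust accounts end in "$"). Feed it `getent passwd` on a real host.
machine_accounts() {
    awk -F: '$1 ~ /\$$/ { print $1 }'
}

# Stand-alone demonstration on the constructed data.
if search_reaches nss_base_passwd ou=Computers,dc=abmas,dc=biz "$SAMPLE_LDAP_CONF"; then
    echo "nss_base_passwd reaches ou=Computers"
else
    echo "nss_base_passwd does NOT reach ou=Computers (use dc=abmas,dc=biz?sub)"
fi
printf '%s\n' 'root:x:0:0:root:/root:/bin/sh' \
              'ajatar$:x:1001:515::/dev/null:/bin/false' \
              'steve:x:1000:100::/home/steve:/bin/sh' | machine_accounts
```

On a live PDC the second function is meant to be run as `getent passwd | machine_accounts`; an empty result while the accounts exist in ou=Computers is exactly the symptom of the "?one" scope, and no entries in /etc/passwd are needed once the scope is "sub".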
