Tim Verhoeven wrote:

>On 6/4/05, Andres Toomsalu <[EMAIL PROTECTED]> wrote:
>
>>I've reported this before but I guess I'll have to do it again, since
>>it's not fixed yet or I'm understanding something wrong here.
>>
>>The problem is that smbldap-useradd -w 'machinename' will add only
>>posixAccount entries into ldap but it should add both posixAccount and
>>sambaSAMAccount entries.
>>
>>So if one doesn't add correct machine account entries manually to ldap
>>the windows workstation domain joining is impossible.
>
>In my experience the smbldap-useradd behaviour is correct. It will
>only add the posixAccount part of a machine account. Then when you
>actually join a machine to a domain Samba itself will modify the
>machine account and add the sambaSAMAccount parts.
>
>For this to work you will of course also need to configure Samba so that
>it has an ldap account that has the rights to update items in the ldap
>tree.

I just made fresh tests again with win xp pro sp2 and samba 3.0.14a + smbldap-tools 0.88 just to be sure nothing has changed meanwhile:

1) I can't join XP workstation to domain when I don't have computer account in ldap - Error is "Access denied". As a result it makes computer account in ldap but only posixAccount part of it as smbldap-useradd -w does it.

2) I can't join XP workstation to domain when I do have computer account in ldap - but only posixAccount entries as smbldap-useradd -w '%u' makes them like that - Error is "Access denied".

3) I can join XP workstation to domain when I manually make correct computer account entries in ldap with phpldapadmin - then there are both posixAccount and sambaSamAccount entries present.

Here are copy-paste samples of computer accounts in my ldap - first sample is made with smbldap-useradd -w and second that actually works is made manually:

# Entry 1: uid=testmasin$,ou=Computers,dc=active,dc=ee
dn: uid=testmasin$,ou=Computers,dc=active,dc=ee
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
cn: testmasin$
sn: testmasin$
uid: testmasin$
uidNumber: 1016
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer

# Entry 1: uid=windesk$,ou=Computers,dc=active,dc=ee
dn: uid=windesk$,ou=Computers,dc=active,dc=ee
gidNumber: 515
uidNumber: 3002
uid: windesk$
sambaSID: S-1-5-21-530076877-4031960640-1585896771-7004
sambaAcctFlags: [W ]
cn: windesk
homeDirectory: /dev/null
objectClass: top
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: account
sambaPwdMustChange: 2147483647
sambaPwdCanChange: 1118035851
sambaNTPassword: D8B4AEB073153BADC4CD6DE75CF1BFB0
sambaPwdLastSet: 1118035851

So joining XP workstations to domain with smbldap-tools doesn't work for me. I still think there is a bug in smbldap-useradd script that it won't add sambaSamAccount entries when invoked as "smbldap-useradd -w '%u'".

I don't think sambaSamAccount entries are being added during domain joining procedure because for domain joining samba uses the very same "smbldap-useradd -w '%u'" command - which doesn't add any sambaSamAccount entries.

>>The Samba Openldap howto clearly documents that smbldap-useradd -w
>>'workstation' should produce following entries in ldap:
>>
>>dn: uid=testhost3$,ou=Computers,dc=IDEALX,dc=ORG
>>objectClass: top
>>objectClass: posixAccount
>>objectClass: sambaSAMAccount
>>cn: testhost3$
>>gidNumber: 553
>>homeDirectory: /dev/null
>>loginShell: /bin/false
>>uid: testhost3$
>>uidNumber: 1005
>>sambaPwdLastSet: 0
>>sambaLogonTime: 0
>>sambaLogoffTime: 2147483647
>>sambaKickoffTime: 2147483647
>>sambaPwdCanChange: 0
>>sambaPwdMustChange: 2147483647
>>description: Computer Account
>>rid: 0
>>primaryGroupID: 0
>>lmPassword: 7582BF7F733351347D485E46C8E6306E
>>ntPassword: 7582BF7F733351347D485E46C8E6306E
>>acctFlags: [W ]
>
>So my guess is that this is a bug in the documentation and not in the code.
>
>Kind regards,
>Tim

--
----------------------------------------------
Andres Toomsalu, [EMAIL PROTECTED]
juhataja - general manager, OÜ Active Systems
Lille 4-205, Pärnu 80041, phone +372 44 70 595
GSM +372 56 496 124, IM: [EMAIL PROTECTED]
http://www.active.ee

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
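
An added example, not part of the original message or of smbldap-tools: a small Python check that reads an LDIF export and reports which machine accounts (uid ending in `$`) lack the sambaSamAccount parts discussed in this thread. It assumes simple LDIF without folded or base64 values; the function names are hypothetical and the sample is abridged from the two entries quoted above.

```python
# Added example (not from the thread): audit machine accounts in an LDIF export.
REQUIRED_CLASSES = {"posixaccount", "sambasamaccount"}
def parse_ldif(text):
    """Parse simple LDIF (assumed: no folded lines, no base64 '::' values)."""
    entries, current = [], {}
    for raw in text.splitlines() + [""]:
        line = raw.strip()
        if not line:                      # blank line ends an entry
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def audit_machine_accounts(text):
    """Return {uid: [problems]} for every entry whose uid ends in '$'."""
    report = {}
    for entry in parse_ldif(text):
        uid = entry.get("uid", [""])[0]
        if not uid.endswith("$"):
            continue
        classes = {c.lower() for c in entry.get("objectclass", [])}
        problems = ["missing objectClass " + c for c in sorted(REQUIRED_CLASSES - classes)]
        if "sambasid" not in entry:       # sambaSamAccount requires sambaSID
            problems.append("missing sambaSID")
        if "W" not in entry.get("sambaacctflags", [""])[0]:
            problems.append("sambaAcctFlags lacks W (workstation trust)")
        report[uid] = problems
    return report

# Abridged from the two entries quoted in the message above.
SAMPLE = """\
dn: uid=testmasin$,ou=Computers,dc=active,dc=ee
objectClass: inetOrgPerson
objectClass: posixAccount
uid: testmasin$

dn: uid=windesk$,ou=Computers,dc=active,dc=ee
uid: windesk$
sambaSID: S-1-5-21-530076877-4031960640-1585896771-7004
sambaAcctFlags: [W ]
objectClass: sambaSamAccount
objectClass: posixAccount
"""

if __name__ == "__main__":
    for uid, problems in audit_machine_accounts(SAMPLE).items():
        print(uid, "; ".join(problems) or "OK")
```

Run against a full export of ou=Computers, this lists every machine account that still has only the posixAccount part.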
