Since Samba 3.0.2a, Samba adds sambaSAMAccount directly in the LDAP tree. What user do you use for adding a machine to the domain?
-----------------------------------
Stéphane PURNELLE [EMAIL PROTECTED]
Service Informatique Corman S.A. Tel : 00 32 087/342467

[EMAIL PROTECTED] wrote on 06/06/2005 07:23:25:

> Tim Verhoeven wrote:
>
> >On 6/4/05, Andres Toomsalu <[EMAIL PROTECTED]> wrote:
> >
> >>I've reported this before but I guess I'll have to do it again, since
> >>it's not fixed yet or I'm understanding something wrong here.
> >>
> >>The problem is that smbldap-useradd -w 'machinename' will add only
> >>posixAccount entries into ldap but it should add both posixAccount and
> >>sambaSAMAccount entries.
> >>
> >>So if one doesn't add correct machine account entries manually to ldap
> >>the windows workstation domain joining is impossible.
> >
> >In my experience the smbldap-useradd behaviour is correct. It will
> >only add the posixAccount part of a machine account. Then when you
> >actually join a machine to a domain Samba itself will modify the
> >machine account and add the sambaSAMAccount parts.
> >
> >For this to work you will of course need also to configure Samba that
> >it has a ldap account that has the rights to update items in the ldap
> >tree.
>
> I just made fresh tests again with win xp pro sp2 and samba 3.0.14a +
> smbldap-tools 0.88 just to be sure nothing has changed meanwhile:
>
> 1) I can't join XP workstation to domain when I don't have computer
> account in ldap - Error is "Access denied". In result it makes computer
> account in ldap but only posixAccount part of it as smbldap-useradd -w
> does it.
> 2) I can't join XP workstation to domain when I do have computer account
> in ldap - but only posixAccount entries as smbldap-useradd -w '%u' makes
> them like that - Error is "Access denied".
> 3) I can join XP workstation to domain when I manually make correct
> computer account entries in ldap with phpldapadmin - then there are both
> posixAccount and sambaSamAccount entries present.
>
> Here is copy-paste samples of computer accounts in my ldap - first
> sample is made with smbldap-useradd -w and second that actually works is
> made manually:
>
> # Entry 1: uid=testmasin$,ou=Computers,dc=active,dc=ee
> dn: uid=testmasin$,ou=Computers,dc=active,dc=ee
> objectClass: top
> objectClass: inetOrgPerson
> objectClass: posixAccount
> cn: testmasin$
> sn: testmasin$
> uid: testmasin$
> uidNumber: 1016
> gidNumber: 515
> homeDirectory: /dev/null
> loginShell: /bin/false
> description: Computer
> gecos: Computer
>
> # Entry 1: uid=windesk$,ou=Computers,dc=active,dc=ee
> dn: uid=windesk$,ou=Computers,dc=active,dc=ee
> gidNumber: 515
> uidNumber: 3002
> uid: windesk$
> sambaSID: S-1-5-21-530076877-4031960640-1585896771-7004
> sambaAcctFlags: [W ]
> cn: windesk
> homeDirectory: /dev/null
> objectClass: top
> objectClass: sambaSamAccount
> objectClass: posixAccount
> objectClass: account
> sambaPwdMustChange: 2147483647
> sambaPwdCanChange: 1118035851
> sambaNTPassword: D8B4AEB073153BADC4CD6DE75CF1BFB0
> sambaPwdLastSet: 1118035851
>
> So joining XP workstations to domain with smbldap-tools doesn't work for
> me. I still think there is a bug in smbldap-useradd script that it won't
> add sambaSamAccount entries when invoked as "smbldap-useradd -w '%u'".
>
> I don't think sambaSamAccount entries are being added during domain
> joining procedure because for domain joining samba uses the very same
> "smbldap-useradd -w '%u'" command - which doesn't add any
> sambaSamAccount entries.
>
> >>The Samba Openldap howto clearly documents that smbldap-useradd -w
> >>'worsktation' should produce following entries in ldap:
> >>
> >>dn: uid=testhost3$,ou=Computers,dc=IDEALX,dc=ORG
> >>objectClass: top
> >>objectClass: posixAccount
> >>objectClass: sambaSAMAccount
> >>cn: testhost3$
> >>gidNumber: 553
> >>homeDirectory: /dev/null
> >>loginShell: /bin/false
> >>uid: testhost3$
> >>uidNumber: 1005
> >>sambaPwdLastSet: 0
> >>sambaLogonTime: 0
> >>sambaLogoffTime: 2147483647
> >>sambaKickoffTime: 2147483647
> >>sambaPwdCanChange: 0
> >>sambaPwdMustChange: 2147483647
> >>description: Computer Account
> >>rid: 0
> >>primaryGroupID: 0
> >>lmPassword: 7582BF7F733351347D485E46C8E6306E
> >>ntPassword: 7582BF7F733351347D485E46C8E6306E
> >>acctFlags: [W ]
> >
> >So my guess that this is a bug in the documentation and not in the code.
> >
> >Kind regards,
> >Tim
>
> --
> ----------------------------------------------
> Andres Toomsalu, [EMAIL PROTECTED]
> juhataja - general manager, OÜ Active Systems
> Lille 4-205, Pärnu 80041, phone +372 44 70 595
> GSM +372 56 496 124, IM: [EMAIL PROTECTED]
> http://www.active.ee
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/listinfo/samba
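
An added example, not written by anyone in this thread and not part of smbldap-tools: a Python check that reads LDIF such as the two entries quoted above and reports which machine accounts are still posixAccount-only. The sample LDIF is constructed from those two entries (trimmed, password hash omitted), and the function names are this example's own.

```python
# Constructed sample: the two machine entries quoted in the thread, trimmed
# (password hash and non-essential attributes omitted).
SAMPLE_LDIF = """\
dn: uid=testmasin$,ou=Computers,dc=active,dc=ee
objectClass: inetOrgPerson
objectClass: posixAccount
uid: testmasin$

dn: uid=windesk$,ou=Computers,dc=active,dc=ee
objectClass: sambaSamAccount
objectClass: posixAccount
uid: windesk$
sambaSID: S-1-5-21-530076877-4031960640-1585896771-7004
sambaAcctFlags: [W ]
"""

def parse_ldif(text):
    """Parse plain LDIF (no folded or base64 lines) into attribute dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry.setdefault(key.strip().lower(), []).append(value.strip())
        if entry:
            entries.append(entry)
    return entries

def audit_machine_account(entry):
    """List what is missing for a usable Samba workstation account."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    for needed in ("posixAccount", "sambaSamAccount"):
        if needed.lower() not in classes:
            problems.append("missing objectClass " + needed)
    if not entry.get("sambasid"):
        problems.append("missing sambaSID")
    if "W" not in entry.get("sambaacctflags", [""])[0]:
        problems.append("sambaAcctFlags lacks W (workstation trust)")
    if not entry.get("uid", [""])[0].endswith("$"):
        problems.append("uid does not end with $")
    return problems

def audit(text):
    """Map each entry's DN to its list of problems (empty list = complete)."""
    return {e["dn"][0]: audit_machine_account(e) for e in parse_ldif(text)}

if __name__ == "__main__":
    for dn, problems in audit(SAMPLE_LDIF).items():
        print(dn, "->", "; ".join(problems) or "complete")
```

Running it against an export of ou=Computers shows at a glance which accounts were left in the posixAccount-only state described in cases 1 and 2 above.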