Patches for smbldap-tools v0.8.8 and v0.9.1 to fix workstation domain joining with "smbldap-useradd -w '%u'"
With these patches workstation domain joining works for me. There is no need to make a computer account first - the workstation will make it automatically during the joining process.

Inside these patches the sambaNTPassword attribute's initial value is set to 'kala' - the workstation will overwrite that value during the joining process - so no need to worry. It has to be set at the start because the sambaNTPassword entry is needed for automatic one-step error-free joining, and the sambaNTPassword entry can't be empty when adding the initial entry set to LDAP.

Download links for these patches are:
http://www.active.ee/download/smbldap-useradd-0.8.8.diff
http://www.active.ee/download/smbldap-useradd-0.9.1.diff

Cheers,
--
----------------------------------------------
Andres Toomsalu, [EMAIL PROTECTED]
juhataja - general manager, OÜ Active Systems
Lille 4-205, Pärnu 80041, phone +372 44 70 595
GSM +372 56 496 124, IM: [EMAIL PROTECTED]
http://www.active.ee

Andres Toomsalu wrote:
>Tim Verhoeven wrote:
>
>>On 6/4/05, Andres Toomsalu <[EMAIL PROTECTED]> wrote:
>>
>>>I've reported this before but I guess I'll have to do it again, since
>>>it's not fixed yet or I'm understanding something wrong here.
>>>
>>>The problem is that smbldap-useradd -w 'machinename' will add only
>>>posixAccount entries into ldap but it should add both posixAccount and
>>>sambaSAMAccount entries.
>>>
>>>So if one doesn't add correct machine account entries manually to ldap
>>>the windows workstation domain joining is impossible.
>>>
>>In my experience the smbldap-useradd behaviour is correct. It will
>>only add the posixAccount part of a machine account. Then when you
>>actually join a machine to a domain Samba itself will modify the
>>machine account and add the sambaSAMAccount parts.
>>
>>For this to work you will of course also need to configure Samba so that
>>it has an ldap account that has the rights to update items in the ldap
>>tree.
>>
>I just made fresh tests again with win xp pro sp2 and samba 3.0.14a +
>smbldap-tools 0.88 just to be sure nothing has changed meanwhile:
>
>1) I can't join an XP workstation to the domain when I don't have a computer
>account in ldap - the error is "Access denied". As a result it makes a computer
>account in ldap but only the posixAccount part of it, as smbldap-useradd -w
>does it.
>2) I can't join an XP workstation to the domain when I do have a computer account
>in ldap - but only posixAccount entries, as smbldap-useradd -w '%u' makes
>them like that - the error is "Access denied".
>3) I can join an XP workstation to the domain when I manually make correct
>computer account entries in ldap with phpldapadmin - then there are both
>posixAccount and sambaSamAccount entries present.
>
>Here are copy-paste samples of computer accounts in my ldap - the first
>sample is made with smbldap-useradd -w and the second, which actually works, is
>made manually:
>
># Entry 1: uid=testmasin$,ou=Computers,dc=active,dc=ee
>dn: uid=testmasin$,ou=Computers,dc=active,dc=ee
>objectClass: top
>objectClass: inetOrgPerson
>objectClass: posixAccount
>cn: testmasin$
>sn: testmasin$
>uid: testmasin$
>uidNumber: 1016
>gidNumber: 515
>homeDirectory: /dev/null
>loginShell: /bin/false
>description: Computer
>gecos: Computer
>
># Entry 1: uid=windesk$,ou=Computers,dc=active,dc=ee
>dn: uid=windesk$,ou=Computers,dc=active,dc=ee
>gidNumber: 515
>uidNumber: 3002
>uid: windesk$
>sambaSID: S-1-5-21-530076877-4031960640-1585896771-7004
>sambaAcctFlags: [W ]
>cn: windesk
>homeDirectory: /dev/null
>objectClass: top
>objectClass: sambaSamAccount
>objectClass: posixAccount
>objectClass: account
>sambaPwdMustChange: 2147483647
>sambaPwdCanChange: 1118035851
>sambaNTPassword: D8B4AEB073153BADC4CD6DE75CF1BFB0
>sambaPwdLastSet: 1118035851
>
>So joining XP workstations to the domain with smbldap-tools doesn't work for
>me. I still think there is a bug in the smbldap-useradd script in that it won't
>add sambaSamAccount entries when invoked as "smbldap-useradd -w '%u'".
>
>I don't think sambaSamAccount entries are being added during the domain
>joining procedure because for domain joining samba uses the very same
>"smbldap-useradd -w '%u'" command - which doesn't add any
>sambaSamAccount entries.
>
>>>The Samba Openldap howto clearly documents that smbldap-useradd -w
>>>'workstation' should produce the following entries in ldap:
>>>
>>>dn: uid=testhost3$,ou=Computers,dc=IDEALX,dc=ORG
>>>objectClass: top
>>>objectClass: posixAccount
>>>objectClass: sambaSAMAccount
>>>cn: testhost3$
>>>gidNumber: 553
>>>homeDirectory: /dev/null
>>>loginShell: /bin/false
>>>uid: testhost3$
>>>uidNumber: 1005
>>>sambaPwdLastSet: 0
>>>sambaLogonTime: 0
>>>sambaLogoffTime: 2147483647
>>>sambaKickoffTime: 2147483647
>>>sambaPwdCanChange: 0
>>>sambaPwdMustChange: 2147483647
>>>description: Computer Account
>>>rid: 0
>>>primaryGroupID: 0
>>>lmPassword: 7582BF7F733351347D485E46C8E6306E
>>>ntPassword: 7582BF7F733351347D485E46C8E6306E
>>>acctFlags: [W ]
>>>
>>So my guess is that this is a bug in the documentation and not in the code.
>>
>>Kind regards,
>>Tim
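
An added example, not part of the original post or of smbldap-tools: a small audit over an LDIF export that flags machine accounts (uid ending in `$`) lacking the sambaSamAccount parts the thread discusses, and optionally those whose sambaNTPassword still equals a known initial value such as the one the patches set. The `initial_hashes` parameter and the list of required attributes are assumptions of this example; the admin supplies the hash of the initial value.

```python
import re

# Assumption: joinable = both classes plus the Samba attributes on the post's working entry.
REQUIRED_CLASSES = {"posixaccount", "sambasamaccount"}
REQUIRED_ATTRS = {"sambasid", "sambantpassword", "sambaacctflags"}

# Abridged from the two entries quoted in the post.
SAMPLE_LDIF = """\
dn: uid=testmasin$,ou=Computers,dc=active,dc=ee
objectClass: posixAccount
uid: testmasin$

dn: uid=windesk$,ou=Computers,dc=active,dc=ee
uid: windesk$
sambaSID: S-1-5-21-530076877-4031960640-1585896771-7004
sambaAcctFlags: [W ]
objectClass: sambaSamAccount
objectClass: posixAccount
sambaNTPassword: D8B4AEB073153BADC4CD6DE75CF1BFB0
"""

def parse_ldif(text):
    """Parse simple LDIF (no folded or base64 lines) into attr -> values dicts."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            attr, value = line.split(":", 1)
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            entries.append(entry)
    return entries

def audit_machine_accounts(text, initial_hashes=frozenset()):
    """Return {uid: [problems]} for every entry whose uid ends in '$'."""
    findings = {}
    for entry in parse_ldif(text):
        uid = entry.get("uid", [""])[0]
        if not uid.endswith("$"):
            continue
        classes = {c.lower() for c in entry.get("objectclass", [])}
        problems = ["missing objectClass " + c for c in sorted(REQUIRED_CLASSES - classes)]
        if "sambasamaccount" in classes:
            problems += ["missing attribute " + a for a in sorted(REQUIRED_ATTRS - set(entry))]
        if entry.get("sambantpassword", [""])[0].upper() in initial_hashes:
            problems.append("sambaNTPassword still holds the initial value")
        findings[uid] = problems
    return findings
```

Run over the post's samples, the account made by `smbldap-useradd -w` is flagged for the missing sambaSamAccount class and the manually created one passes.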