On Fri, 2005-12-02 at 08:22 -0500, Collins, Kevin wrote:
> (This time to the list)
>
> Andrew and Craig: Thank you both for replying.
>
> Following Andrew's advice, I set out to add the line
>
> "objectClass: account"
>
> to all of my computer accounts in the LDIF. (None of them had this
> declaration)
>
> After that was accomplished, I tried to re-import the LDIF. The process got
> much farther than before, but it again failed a computer account. A little
> closer investigation revealed a difference in these accounts. And it appears
> to be coincidental to a certain point in time. All of the older accounts are
> one way and the newer accounts are a different way. Now, I'm wondering which
> is the "proper" way for me moving forward. Here are the examples:
>
> "Old" computer account
> ===============================================================================
> dn: uid=nei-10$,ou=Computers,dc=nesbitt,dc=local
> uidNumber: 1008
> gidNumber: 553
> homeDirectory: /dev/null
> loginShell: /bin/false
> objectClass: top
> objectClass: posixAccount
> objectClass: sambaSamAccount
> objectClass: account
> uid: nei-10$
> displayName: NEI-10$
> cn: NEI-10$
> description: Computer
> sambaSID: S-1-5-21-3325760187-3909277049-4208064797-3016
> sambaPrimaryGroupSID: S-1-5-21-3325760187-3909277049-4208064797-2107
> sambaAcctFlags: [W ]
> sambaLogonTime: 0
> sambaLogoffTime: 0
> sambaKickoffTime: 0
> sambaPwdMustChange: 2147483647
> sambaPwdCanChange: 1130941262
> sambaNTPassword: 3520D823FF3A3EA0D246ACF5D99F5061
> sambaPwdLastSet: 1130941262
> modifiersName: cn=Manager,dc=nesbitt,dc=local
> modifyTimestamp: 20051102142102Z
> ===============================================================================
>
>
> "New" computer account:
> ===============================================================================
> dn: uid=stargazer$,ou=Computers,dc=nesbitt,dc=local
> objectClass: top
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: sambaSamAccount
> objectClass: account
> cn: stargazer$
> sn: stargazer$
> uid: stargazer$
> uidNumber: 1081
> gidNumber: 553
> homeDirectory: /dev/null
> loginShell: /bin/false
> description: Computer
> creatorsName: cn=Manager,dc=nesbitt,dc=local
> createTimestamp: 20040309024546Z
> sambaSID: S-1-5-21-3325760187-3909277049-4208064797-3162
> sambaPrimaryGroupSID: S-1-5-21-3325760187-3909277049-4208064797-2107
> displayName: stargazer$
> sambaPwdMustChange: 2147483647
> sambaAcctFlags: [W ]
> sambaPwdCanChange: 1078869765
> sambaLMPassword: F8490F746485FE71A1E92A4788FB2592
> sambaNTPassword: F8490F746485FE71A1E92A4788FB2592
> sambaPwdLastSet: 1078869765
> modifiersName: cn=Manager,dc=nesbitt,dc=local
> modifyTimestamp: 20040309220245Z
> ===============================================================================
>
> When I run the LDIF import, I get this error:
>
> slapadd: dn="uid=stargazer$,ou=Computers,dc=nesbitt,dc=local" (line=2415):
> (65) invalid structural object class chain (inetOrgPerson/account)
>
> My "gut" tells me the "new" definition minus the "objectClass: account" is
> the way to go, but before I do anything else, I'd like to know.
>
> John T: If you're reading this, it might not be a bad idea to show the
> "proper" basic requirements for each of the account types in LDIF format
> somewhere in one of your books. I searched through both of them looking for
> the answer to this and couldn't find it. Maybe it would help someone in the
> future.
>
----
My domain workstations only have the account and sambaSamAccount
objectclasses but when I looked at yours, I didn't know that
sambaSamAccount had specific requirements beyond uid and sambaSID but
got the impression from Andrew's response that you must have the account
objectclass and thought that your usage of posixAccount was enough.

Thus one of my workstations would end up with this...

# win-workstation$, People, azapple.com
dn: uid=win-workstation$,ou=Computers,ou=Accounts,dc=azapple,dc=com
uid: win-workstation$
sambaSID: S-1-5-21-XXXXXXXXXX-XXXXXXXXXXX-XXXXXXXXXX-2006
objectClass: sambaSamAccount
objectClass: account
displayName: WIN-WORKSTATION$
sambaPwdMustChange: 2147483647
sambaAcctFlags: [W ]
sambaPrimaryGroupSID: S-1-5-21-XXXXXXXXXX-XXXXXXXXXXX-XXXXXXXXXX-553
sambaPwdCanChange: 1132660033
sambaNTPassword: removed
sambaPwdLastSet: 1132660033

and thus, I don't have to deal with all the other attributes required by
the posixAccount and inetOrgPerson objectclasses and the structural
problems of all those, though it would seem that having the top
structural object should put them in order...it may be as simple as the
order of the objectclasses as they are presented within your ldif file.

I would suggest that you consider...

- copying the ldif file and sectioning it to import all the easy stuff
  first and perhaps move the computer accounts to a separate section
  (file) to deal with separately. This way, you could try adding one
  computer account at a time to simplify troubleshooting

- use slapadd instead of ldapadd (you didn't specify which you are
  using)

Craig

-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
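
Added example (not part of the original thread, and not code from Samba or OpenLDAP): a pre-import check that scans an LDIF for the objectClass combinations that produce the error 65 quoted above, so every offending entry is found before slapadd stops at the first one. The SCHEMA table is a hand-entered subset of the stock core, cosine, inetorgperson, nis and samba schema definitions, and the sample is trimmed from the two entries quoted in the thread.

```python
import re
# Hand-entered subset of the stock schemas: class -> (kind, superior class).
SCHEMA = {
    "top": ("ABSTRACT", None), "account": ("STRUCTURAL", "top"),
    "person": ("STRUCTURAL", "top"),
    "organizationalperson": ("STRUCTURAL", "person"),
    "inetorgperson": ("STRUCTURAL", "organizationalperson"),
    "posixaccount": ("AUXILIARY", "top"), "sambasamaccount": ("AUXILIARY", "top"),
}

def parse_ldif(text):
    """Yield (dn, objectClass values) per record; joins folded lines, skips comments."""
    for record in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in record.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # LDIF continuation line
            elif not raw.startswith("#"):
                lines.append(raw)
        attrs = [l.split(":", 1) for l in lines if ":" in l]
        dn = next((v.strip() for k, v in attrs if k.lower() == "dn"), None)
        if dn:
            yield dn, [v.strip() for k, v in attrs if k.lower() == "objectclass"]

def chain(cls):
    return [] if cls is None else [cls] + chain(SCHEMA[cls][1])

def check(classes):
    """Classes missing from SCHEMA are ignored; extend the table for other schemas."""
    structural = [c for c in classes if SCHEMA.get(c.lower(), ("", None))[0] == "STRUCTURAL"]
    if not structural:
        return "no structural object class"
    for c in structural:  # one class's superior chain must cover all the others
        if {s.lower() for s in structural} <= set(chain(c.lower())):
            return "ok"
    return "invalid structural object class chain (" + "/".join(structural) + ")"

def report(text):
    return {dn: check(classes) for dn, classes in parse_ldif(text)}

# Trimmed copies of the two entries quoted in the thread (objectClass lines only).
SAMPLE = """\
dn: uid=nei-10$,ou=Computers,dc=nesbitt,dc=local
objectClass: posixAccount
objectClass: account

dn: uid=stargazer$,ou=Computers,dc=nesbitt,dc=local
objectClass: inetOrgPerson
objectClass: account
"""
```

Calling report() on the full export lists every DN with its verdict; an entry passes once it carries exactly one structural chain (account alone, or inetOrgPerson alone) alongside the auxiliary posixAccount and sambaSamAccount classes.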
