RE [Samba] Re: [idx-smbldap-tools ] smbldap-tools and joining workstation to domain
Since Samba 3.0.2a, Samba adds the sambaSAMAccount directly in the LDAP tree. What user do you use for adding the machine to the domain?

---
Stéphane PURNELLE [EMAIL PROTECTED]
Service Informatique Corman S.A.
Tel : 00 32 087/342467

[EMAIL PROTECTED] wrote on 06/06/2005 07:23:25:

> Tim Verhoeven wrote:
>> In my experience the smbldap-useradd behaviour is correct. It will only add the posixAccount part of a machine account. Then when you actually join a machine to a domain Samba itself will modify the machine account and add the sambaSAMAccount parts.
>
> I just made fresh tests again with win xp pro sp2 and samba 3.0.14a + smbldap-tools 0.88 just to be sure nothing has changed meanwhile:
>
> 1) I can't join XP workstation to domain when I don't have computer account in ldap - Error is Access denied. In result it makes computer account in ldap but only posixAccount part of it as smbldap-useradd -w does it.
>
> [...]
>
> So joining XP workstations to domain with smbldap-tools doesn't work for me. I still think there is a bug in smbldap-useradd script that it won't add sambaSamAccount entries when invoked as smbldap-useradd -w '%u'.
>
> [...]

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
[Samba] Re: [idx-smbldap-tools ] smbldap-tools and joining workstation to domain
The script only adds the posix stuff; when you join the workstation the sambaSam entries are created by Samba. BUT... Samba NEEDS to find a posix account with the name of the machine being joined.

How are you doing user lookups on your posix side? If you use nss_ldap and you have a separate ou in your directory for users and computers, that could be where your problem is. I.e. if nss_ldap is set to look in ou=users,dc=test,dc=com for its posix userbase, then if you do:

  :~# getent passwd

then it will return only users it finds in that ou. So if your add machine script is creating users (machine accounts) in ou=computers,dc=test,dc=com then as far as posix is concerned there is no posix account for the new machine. Samba will not find a posix account and will not add the sambaSam entries, and the join will fail.

You have 2 options:

1. Add your user accounts and computer accounts to the same ou.
2. Tell nss_ldap to do sub tree searches of the parent ou, e.g. set your base to dc=test,dc=com rather than ou=users,dc=test,dc=com.

This is how I understand it anyhow; I might be wrong, I'm no samba pro, but I went for option 2. If anyone can shed some more light on this or set me straight if I'm wrong, please do.

Cheers,
Rhys

On 6/6/05, Andres Toomsalu [EMAIL PROTECTED] wrote:
> [...]
> 2) I can't join XP workstation to domain when I do have computer account in ldap - but only posixAccount entries as smbldap-useradd -w '%u' makes them like that - Error is Access denied.
>
> 3) I can join XP workstation to domain when I manually make correct computer account entries in ldap with phpldapadmin - then there are both posixAccount and sambaSamAccount entries present.
> [...]
[Samba] Re: [idx-smbldap-tools ] smbldap-tools and joining workstation to domain - fix patches
Patches for smbldap-tools v0.8.8 and v0.9.1 to fix workstation domain joining with smbldap-useradd -w '%u'.

With these patches workstation domain joining works for me. There is no need to make the computer account first - the workstation will make it automatically during the joining process. Inside these patches the sambaNTPassword attribute's initial value is set to 'kala' - the workstation will overwrite that value during the joining process - so no need to worry. It has to be set at start because the sambaNTPassword entry is needed for automatic one-step error-free joining, and the sambaNTPassword entry can't be empty when adding the initial entry set to ldap.

Download links for these patches are:

http://www.active.ee/download/smbldap-useradd-0.8.8.diff
http://www.active.ee/download/smbldap-useradd-0.9.1.diff

Cheers,
-- 
Andres Toomsalu, [EMAIL PROTECTED]
juhataja - general manager, OÜ Active Systems
Lille 4-205, Pärnu 80041, phone +372 44 70 595
GSM +372 56 496 124, IM: [EMAIL PROTECTED]
http://www.active.ee

Andres Toomsalu wrote:
> [...]
> So joining XP workstations to domain with smbldap-tools doesn't work for me. I still think there is a bug in smbldap-useradd script that it won't add sambaSamAccount entries when invoked as smbldap-useradd -w '%u'. I don't think sambaSamAccount entries are being added during the domain joining procedure because for domain joining samba uses the very same smbldap-useradd -w '%u' command - which doesn't add any sambaSamAccount entries.
> [...]
RE [Samba] Re: [idx-smbldap-tools ] smbldap-tools and joining workstation to domain
Hi,

There is another parameter which causes adding a machine account to fail: that is the ldap filter parameter. If the ldap filter contains the filter ((uid=%u)(objectclass=sambaSamAccount)), Samba does not add the machine account correctly.

---
Stéphane PURNELLE [EMAIL PROTECTED]
Service Informatique Corman S.A.
Tel : 00 32 087/342467

[EMAIL PROTECTED] wrote on 06/06/2005 09:28:40:

> The script only adds the posix stuff; when you join the workstation the sambaSam entries are created by Samba. BUT... Samba NEEDS to find a posix account with the name of the machine being joined.
>
> How are you doing user lookups on your posix side? If you use nss_ldap and you have a separate ou in your directory for users and computers, that could be where your problem is.
> [...]
> You have 2 options:
>
> 1. Add your user accounts and computer accounts to the same ou.
> 2. Tell nss_ldap to do sub tree searches of the parent ou, e.g. set your base to dc=test,dc=com rather than ou=users,dc=test,dc=com.
> [...]
> Cheers,
> Rhys
>
> On 6/6/05, Andres Toomsalu [EMAIL PROTECTED] wrote:
>> [...]
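Rhys's nss_ldap point (the machine's posix account must be reachable through the passwd lookup base) and Stéphane's ldap filter point, worked through as an added example; this is not code from Samba, nss_ldap or smbldap-tools. It assumes nss_ldap's "base?scope" form for nss_base_passwd, writes the filter with the "&" that the thread's copy appears to have dropped, and uses an entry constructed from the thread's posix-only sample.

```python
"""Two lookups that must both succeed before Samba can turn a freshly
added posix machine account into a sambaSamAccount: the account must be
visible through nss_ldap's passwd base, and it must match Samba's
'ldap filter' once %u is substituted. Added example, not project code;
the "base?scope" syntax for nss_base_passwd is assumed from nss_ldap."""

# Constructed posix-only machine account, like the one smbldap-useradd -w
# produced in the thread (attribute names lower-cased, as LDAP compares them).
POSIX_ONLY = {
    "dn": ["uid=testmasin$,ou=Computers,dc=active,dc=ee"],
    "objectclass": ["top", "inetOrgPerson", "posixAccount"],
    "uid": ["testmasin$"],
}

def visible_via_nss(dn, nss_base_passwd):
    """nss_base_passwd is 'base' or 'base?scope' (scope one|sub, default sub).
    True if an entry with this DN is reachable by that lookup. DN components
    are split on ',', so escaped commas in RDN values are not handled."""
    base, _, scope = nss_base_passwd.partition("?")
    scope = (scope or "sub").lower()
    dn_parts = [p.strip().lower() for p in dn.split(",")]
    base_parts = [p.strip().lower() for p in base.split(",")]
    if dn_parts[-len(base_parts):] != base_parts:
        return False                       # not under the search base at all
    depth = len(dn_parts) - len(base_parts)
    return depth == 1 if scope == "one" else depth >= 1

def matches_filter(entry, ldap_filter, username):
    """Evaluate the filter subset an smb.conf 'ldap filter' uses here:
    '(attr=value)' equality plus '(&...)' and '(|...)' nesting, after
    replacing %u with the username. Names and values compare case-insensitively."""
    flt = ldap_filter.replace("%u", username)

    def ev(pos):
        if flt[pos] != "(":
            raise ValueError(f"expected '(' at {pos} in {flt!r}")
        if flt[pos + 1] in "&|":
            op, pos, results = flt[pos + 1], pos + 2, []
            while flt[pos] != ")":
                ok, pos = ev(pos)
                results.append(ok)
            return (all(results) if op == "&" else any(results)), pos + 1
        end = flt.index(")", pos)
        attr, _, value = flt[pos + 1:end].partition("=")
        return value.lower() in {v.lower() for v in entry.get(attr.lower(), [])}, end + 1

    ok, _ = ev(0)
    return ok

def samba_can_find(entry, nss_base_passwd, ldap_filter):
    """Both conditions together; the name Samba looks up is the machine
    name with its trailing '$'."""
    uid = entry["uid"][0]
    return (visible_via_nss(entry["dn"][0], nss_base_passwd)
            and matches_filter(entry, ldap_filter, uid))

if __name__ == "__main__":
    for base in ("ou=users,dc=active,dc=ee", "dc=active,dc=ee?sub"):
        for flt in ("(uid=%u)", "(&(uid=%u)(objectclass=sambaSamAccount))"):
            print(f"{base:28} {flt:44} -> {samba_can_find(POSIX_ONLY, base, flt)}")
```

Only the combination of a base that covers ou=Computers with sub scope and a filter that does not demand objectclass=sambaSamAccount lets the posix-only account be found, which is the state Samba must reach before it can add the Samba attributes.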
[Samba] Re: [idx-smbldap-tools ] smbldap-tools and joining workstation to domain
Tim Verhoeven wrote:
> On 6/4/05, Andres Toomsalu [EMAIL PROTECTED] wrote:
>> I've reported this before but I guess I'll have to do it again, since it's not fixed yet or I'm understanding something wrong here. The problem is that smbldap-useradd -w 'machinename' will add only posixAccount entries into ldap but it should add both posixAccount and sambaSAMAccount entries. So if one doesn't add correct machine account entries manually to ldap the windows workstation domain joining is impossible.
>
> In my experience the smbldap-useradd behaviour is correct. It will only add the posixAccount part of a machine account. Then when you actually join a machine to a domain Samba itself will modify the machine account and add the sambaSAMAccount parts. For this to work you will of course also need to configure Samba so that it has an ldap account that has the rights to update items in the ldap tree.

I just made fresh tests again with win xp pro sp2 and samba 3.0.14a + smbldap-tools 0.88 just to be sure nothing has changed meanwhile:

1) I can't join XP workstation to domain when I don't have computer account in ldap - Error is Access denied. In result it makes computer account in ldap but only posixAccount part of it as smbldap-useradd -w does it.

2) I can't join XP workstation to domain when I do have computer account in ldap - but only posixAccount entries as smbldap-useradd -w '%u' makes them like that - Error is Access denied.

3) I can join XP workstation to domain when I manually make correct computer account entries in ldap with phpldapadmin - then there are both posixAccount and sambaSamAccount entries present.

Here are copy-paste samples of computer accounts in my ldap - the first sample is made with smbldap-useradd -w and the second, that actually works, is made manually:

# Entry 1: uid=testmasin$,ou=Computers,dc=active,dc=ee
dn: uid=testmasin$,ou=Computers,dc=active,dc=ee
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
cn: testmasin$
sn: testmasin$
uid: testmasin$
uidNumber: 1016
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
gecos: Computer

# Entry 1: uid=windesk$,ou=Computers,dc=active,dc=ee
dn: uid=windesk$,ou=Computers,dc=active,dc=ee
gidNumber: 515
uidNumber: 3002
uid: windesk$
sambaSID: S-1-5-21-530076877-4031960640-1585896771-7004
sambaAcctFlags: [W ]
cn: windesk
homeDirectory: /dev/null
objectClass: top
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: account
sambaPwdMustChange: 2147483647
sambaPwdCanChange: 1118035851
sambaNTPassword: D8B4AEB073153BADC4CD6DE75CF1BFB0
sambaPwdLastSet: 1118035851

So joining XP workstations to domain with smbldap-tools doesn't work for me. I still think there is a bug in smbldap-useradd script that it won't add sambaSamAccount entries when invoked as smbldap-useradd -w '%u'. I don't think sambaSamAccount entries are being added during the domain joining procedure because for domain joining samba uses the very same smbldap-useradd -w '%u' command - which doesn't add any sambaSamAccount entries.

>> The Samba Openldap howto clearly documents that smbldap-useradd -w 'workstation' should produce the following entries in ldap:
>>
>> dn: uid=testhost3$,ou=Computers,dc=IDEALX,dc=ORG
>> objectClass: top
>> objectClass: posixAccount
>> objectClass: sambaSAMAccount
>> cn: testhost3$
>> gidNumber: 553
>> homeDirectory: /dev/null
>> loginShell: /bin/false
>> uid: testhost3$
>> uidNumber: 1005
>> sambaPwdLastSet: 0
>> sambaLogonTime: 0
>> sambaLogoffTime: 2147483647
>> sambaKickoffTime: 2147483647
>> sambaPwdCanChange: 0
>> sambaPwdMustChange: 2147483647
>> description: Computer Account
>> rid: 0
>> primaryGroupID: 0
>> lmPassword: 7582BF7F733351347D485E46C8E6306E
>> ntPassword: 7582BF7F733351347D485E46C8E6306E
>> acctFlags: [W ]
>
> So my guess is that this is a bug in the documentation and not in the code.
>
> Kind regards,
> Tim

-- 
Andres Toomsalu, [EMAIL PROTECTED]
juhataja - general manager, OÜ Active Systems
Lille 4-205, Pärnu 80041, phone +372 44 70 595
GSM +372 56 496 124, IM: [EMAIL PROTECTED]
http://www.active.ee
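A check over the two entries pasted above, as an added example (not code from smbldap-tools or Samba): it parses each LDIF entry and lists what the posix-only one lacks compared with the hand-made account that joined. The sample entries are constructed from the post, with the NT hash replaced by an all-zero dummy placeholder.

```python
"""Check an LDAP machine account entry for what the thread's working join
needed: the posix half (from the add machine script) plus the
sambaSamAccount half (normally filled in by Samba at join time).
Added example; not code from smbldap-tools or Samba."""

# Constructed from the two entries pasted in the thread; the NT hash is a
# dummy placeholder, not the value from the post.
POSIX_ONLY_LDIF = """\
dn: uid=testmasin$,ou=Computers,dc=active,dc=ee
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
cn: testmasin$
sn: testmasin$
uid: testmasin$
uidNumber: 1016
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
description: Computer
"""
FULL_LDIF = """\
dn: uid=windesk$,ou=Computers,dc=active,dc=ee
objectClass: top
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: account
cn: windesk
uid: windesk$
uidNumber: 3002
gidNumber: 515
homeDirectory: /dev/null
sambaSID: S-1-5-21-530076877-4031960640-1585896771-7004
sambaAcctFlags: [W ]
sambaNTPassword: 00000000000000000000000000000000
sambaPwdLastSet: 1118035851
sambaPwdCanChange: 1118035851
sambaPwdMustChange: 2147483647
"""

def parse_ldif(text):
    """Minimal single-entry LDIF parser: attribute names lower-cased (LDAP
    names are case-insensitive), each mapped to its list of values."""
    entry = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, value = line.partition(":")
            entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def join_problems(entry):
    """Reasons a join would not work with this entry; empty means the entry
    has everything the thread's hand-made, successfully joined sample had."""
    problems = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "posixaccount" not in classes:
        problems.append("missing posixAccount: Samba cannot map the machine to a posix user")
    if not entry.get("uid", [""])[0].endswith("$"):
        problems.append("uid lacks trailing '$': not a machine account name")
    if "sambasamaccount" not in classes:
        problems.append("missing sambaSamAccount: Samba's half of the account is absent")
        return problems
    for attr in ("sambaSID", "sambaAcctFlags", "sambaNTPassword"):
        if attr.lower() not in entry:
            problems.append(f"sambaSamAccount without {attr}")
    if "W" not in entry.get("sambaacctflags", [""])[0]:
        problems.append("sambaAcctFlags lacks 'W' (workstation trust account)")
    return problems

if __name__ == "__main__":
    for label, ldif in (("smbldap-useradd -w", POSIX_ONLY_LDIF), ("manual", FULL_LDIF)):
        problems = join_problems(parse_ldif(ldif))
        print(f"{label}: {'joinable' if not problems else '; '.join(problems)}")
```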
[Samba] Re: [idx-smbldap-tools ] smbldap-tools and joining workstation to domain
Hi Andres

Andres Toomsalu wrote:
> The problem is that smbldap-useradd -w 'machinename' will add only posixAccount entries into ldap but it should add both posixAccount and sambaSAMAccount entries. So if one doesn't add correct machine account entries manually to ldap the windows workstation domain joining is impossible.

As Jerome said, Samba would add the additional necessary attributes when the workstation joins the domain. The ldap script only has to add the posix stuff.

I do not know if this is correct, because sometimes I also have the problem that some workstations could not join the domain. If I then check the ldap I can only see the entries necessary for a posixAccount. If I delete this information from ldap my workstation is able to join the domain which failed before... But only 2 to 5 of 200 workstations will fail...

I hope this will help you.

kindly regards
rOger