RE [Samba] Re: [idx-smbldap-tools ] smbldap-tools and joining workstation to domain

2005-06-06 Thread spu

Since Samba 3.0.2a, Samba adds the sambaSAMAccount directly in the LDAP tree.

Which user do you use for adding the machine to the domain?

---
Stéphane PURNELLE [EMAIL PROTECTED]
Service Informatique   Corman S.A.   Tel : 00 32 087/342467

[EMAIL PROTECTED] wrote on
06/06/2005 07:23:25:

 Tim Verhoeven wrote:

 On 6/4/05, Andres Toomsalu [EMAIL PROTECTED] wrote:
 
 
 I've reported this before but I guess I'll have to do it again, since
 it's not fixed yet or I'm understanding something wrong here.
 
 The problem is that smbldap-useradd -w 'machinename' will add only
 posixAccount entries into ldap but it should add both posixAccount and
 sambaSAMAccount entries.
 
 So if one doesn't add correct machine account entries manually to ldap
 the windows workstation domain joining is impossible.
 
 
 
 In my experience the smbldap-useradd behaviour is correct. It will
 only add the posixAccount part of a machine account. Then when you
 actually join a machine to a domain Samba itself will modify the
 machine account and add the sambaSAMAccount parts.
 
 For this to work you will of course also need to configure Samba so that
 it has an LDAP account that has the rights to update items in the ldap
 tree.
 
 
 I just made fresh tests again with win xp pro sp2 and samba 3.0.14a +
 smbldap-tools 0.88 just to be sure nothing has changed meanwhile:

 1) I can't join XP workstation to domain when I don't have a computer
 account in ldap - Error is Access denied. In result it makes a computer
 account in ldap but only the posixAccount part of it, as smbldap-useradd -w
 does it.
 2) I can't join XP workstation to domain when I do have a computer account
 in ldap - but only posixAccount entries, as smbldap-useradd -w '%u' makes
 them like that - Error is Access denied.
 3) I can join XP workstation to domain when I manually make correct
 computer account entries in ldap with phpldapadmin - then there are both
 posixAccount and sambaSamAccount entries present.

 Here are copy-pasted samples of computer accounts in my ldap - the first
 sample is made with smbldap-useradd -w and the second, which actually works, is
 made manually:

 # Entry 1: uid=testmasin$,ou=Computers,dc=active,dc=ee
 dn: uid=testmasin$,ou=Computers,dc=active,dc=ee
 objectClass: top
 objectClass: inetOrgPerson
 objectClass: posixAccount
 cn: testmasin$
 sn: testmasin$
 uid: testmasin$
 uidNumber: 1016
 gidNumber: 515
 homeDirectory: /dev/null
 loginShell: /bin/false
 description: Computer
 gecos: Computer


 # Entry 1: uid=windesk$,ou=Computers,dc=active,dc=ee
 dn: uid=windesk$,ou=Computers,dc=active,dc=ee
 gidNumber: 515
 uidNumber: 3002
 uid: windesk$
 sambaSID: S-1-5-21-530076877-4031960640-1585896771-7004
 sambaAcctFlags: [W  ]
 cn: windesk
 homeDirectory: /dev/null
 objectClass: top
 objectClass: sambaSamAccount
 objectClass: posixAccount
 objectClass: account
 sambaPwdMustChange: 2147483647
 sambaPwdCanChange: 1118035851
 sambaNTPassword: D8B4AEB073153BADC4CD6DE75CF1BFB0
 sambaPwdLastSet: 1118035851



 So joining XP workstations to domain with smbldap-tools doesn't work for
 me. I still think there is a bug in the smbldap-useradd script in that it won't
 add sambaSamAccount entries when invoked as smbldap-useradd -w '%u'.

 I don't think sambaSamAccount entries are being added during the domain
 joining procedure because for domain joining samba uses the very same
 smbldap-useradd -w '%u' command - which doesn't add any
 sambaSamAccount entries.

 
 
 
 The Samba Openldap howto clearly documents that smbldap-useradd -w
 'workstation' should produce the following entries in ldap:
 
 dn: uid=testhost3$,ou=Computers,dc=IDEALX,dc=ORG
 objectClass: top
 objectClass: posixAccount
 objectClass: sambaSAMAccount
 cn: testhost3$
 gidNumber: 553
 homeDirectory: /dev/null
 loginShell: /bin/false
 uid: testhost3$
 uidNumber: 1005
 sambaPwdLastSet: 0
 sambaLogonTime: 0
 sambaLogoffTime: 2147483647
 sambaKickoffTime: 2147483647
 sambaPwdCanChange: 0
 sambaPwdMustChange: 2147483647
 description: Computer Account
 rid: 0
 primaryGroupID: 0
 lmPassword: 7582BF7F733351347D485E46C8E6306E
 ntPassword: 7582BF7F733351347D485E46C8E6306E
 acctFlags: [W  ]
 
 
 
 So my guess is that this is a bug in the documentation and not in the code.
 
 Kind regards,
 Tim
 
 
 


 --
 --
 Andres Toomsalu, [EMAIL PROTECTED]
 juhataja - general manager, OÜ Active Systems
 Lille 4-205, Pärnu 80041, phone +372 44 70 595
 GSM +372 56 496 124, IM: [EMAIL PROTECTED]
 http://www.active.ee

 --
 To unsubscribe from this list go to the following URL and read the
 instructions:  https://lists.samba.org/mailman/listinfo/samba


RE [Samba] Re: [idx-smbldap-tools ] smbldap-tools and joining workstation to domain

2005-06-06 Thread spu

Hi,

There is another parameter which causes adding the machine account to fail:
that is the ldap filter parameter. If the ldap filter contains the filter
((uid=%u)(objectclass=sambaSamAccount))
Samba does not add the machine account correctly.

---
Stéphane PURNELLE [EMAIL PROTECTED]
Service Informatique   Corman S.A.   Tel : 00 32 087/342467

[EMAIL PROTECTED] wrote on
06/06/2005 09:28:40:

 The script only adds the posix stuff, when you join the workstation the
 sambaSam entries are created by samba.
 BUT...
 Samba NEEDS to find a posix account with the name of the machine being
 joined. How are you doing user lookups on your posix side?
 If you use nss_ldap and you have a separate ou in your directory for users
 and computers that could be where your problem is.
 i.e. if nss_ldap is set to look in ou=users,dc=test,dc=com for its posix userbase
 then if you do:
 :~#getent passwd
 then it will return only users it finds in that ou. So if your add machine
 script is creating users (machine accounts) in ou=computers,dc=test,dc=com
 then as far as posix is concerned there is no posix account for the new
 machine. Samba will not find a posix account and will not add the sambaSam
 entries and the join will fail. You have 2 options:
  1. Add your user accounts and computer accounts to the same ou.
  2. Tell nss_ldap to do sub tree searches of the parent ou. e.g. set your base
 to dc=test,dc=com rather than ou=users,dc=test,dc=com
  This is how I understand it anyhow, I might be wrong, I'm no Samba pro but I
 went for option 2.
  If anyone can shed some more light on this or set me straight if I'm
 wrong, please do.
  Cheers,
 Rhys

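As an added example that is not part of this thread: a small check that puts together the two failure conditions discussed above, Andres' posix-only entry versus the hand-made one that joins, and Rhys' point that nss_ldap must be able to see the entry under its search base. The two entries are abridged from Andres' LDIF; the nss_ldap bases and the function names are constructed for the example.

```python
# Added example, not from the thread. Entries are abridged from the two
# LDIF samples Andres posted; the nss_ldap search bases are constructed.
SAMPLE_LDIF = """\
dn: uid=testmasin$,ou=Computers,dc=active,dc=ee
objectClass: posixAccount
uid: testmasin$

dn: uid=windesk$,ou=Computers,dc=active,dc=ee
uid: windesk$
sambaSID: S-1-5-21-530076877-4031960640-1585896771-7004
sambaAcctFlags: [W  ]
objectClass: sambaSamAccount
objectClass: posixAccount
"""

def parse_ldif(text):
    """Parse LDIF text into a list of {attr: [values]} dicts (attrs lower-cased)."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:  # trailing "" flushes the last entry
        if line.startswith("#"):
            continue
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        else:
            attr, _, value = line.partition(":")
            cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def machine_account_problems(entry):
    """What Samba would still need before the entry works as a machine account."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    checks = [
        (entry.get("uid", [""])[0].endswith("$"), "uid must end with '$'"),
        ("posixaccount" in classes, "missing objectClass posixAccount"),
        ("sambasamaccount" in classes, "missing objectClass sambaSamAccount"),
        ("sambasid" in entry, "missing sambaSID"),
        ("W" in entry.get("sambaacctflags", [""])[0], "sambaAcctFlags lacks W"),
    ]
    return [msg for ok, msg in checks if not ok]

def visible_to_nss(entry, base, scope="sub"):
    """Would nss_ldap with this search base and scope ('one' or 'sub') see the entry?"""
    dn = [p.strip().lower() for p in entry["dn"][0].split(",")]
    base_parts = [p.strip().lower() for p in base.split(",")]
    under_base = len(dn) > len(base_parts) and dn[-len(base_parts):] == base_parts
    if scope == "one":  # ou=users,... with scope one never reaches ou=Computers
        return under_base and len(dn) == len(base_parts) + 1
    return under_base
```

Run `machine_account_problems` over `parse_ldif(SAMPLE_LDIF)` to see why the first entry cannot join, and `visible_to_nss` with `ou=users,dc=active,dc=ee` versus `dc=active,dc=ee` to see Rhys' option 2 in action.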