Original Message
Subject: Re: [Samba] posixAccount for Machines in LDAP?
From:[EMAIL PROTECTED]
Date:Wed, July 14, 2004 12:19 pm
To: Paul Gienger [EMAIL PROTECTED]
--
Hi Paul,
Finally got it to work. This is great!! I had 2 problems. First the script
paths were wrong, second neither the smbldap_conf.pm nor
smbldap-useradd.pl would pass perl -c syntax check. I should have checked
that first. I was tinkering with the perl scripts because I don't use
profiles and wanted to delete these from being created.
One more thing to do is to get the smb.conf and perl scripts straightened
out on the BDCs so everything is the same.
Thank you for your support!
Kent N
[EMAIL PROTECTED] wrote:
Hi Paul,
I'm getting a user not found after I made the changes. That's what I
used to get when I didn't add the machine account to /etc/passwd first.
Ok, so now the question is this, when you try to join, are you giving it
the root user or root equivilent (uid=0) account? Is it making the
posix account but not modifying it with sambaSAM information? You are
sure that everything is using ou=People (or whatever users container
you're using)?
I use the root account. When I started this quest I tried to get a root
equivalent account to work and couldn't. I may revisit this now that I've
overcome other obstacles.
I tried keeping the users separate from the computers in smb.conf. This
seems to work. It may have been a bug but seems to work for me. ??
Machines go under ou=Computers,dc=tow.net and users under
ou=users,dc=tow,net.
Just curious, do you have a working system that does just that, where if
you add a machine by joining it to the domain, smbldap_useradd.pl
creates the posixAccount and sambaSAMAccount in LDAP?
I *did* when I was migration testing for samba3 but now my test box has
been scrapped for a Sun trade in. I need to rebuild it before I go live
with S3 (still on 2.2.8 here sadly) so I'll be building entirely from
scratch again, hopefully this week if other projects get taken care of.
I've done a pile of testing in my setup to get it to work with our
remote LDAP master and local and/or distributed DC boxes. There were
some timing issues there if replication didn't happen quick enough, a
real PITA.
I'll continue to tinker with it. If you have any other suggestions, let
me
know. I'm very close.
Changes below:
[EMAIL PROTECTED] wrote:
Thanks for getting back to me, Paul.
Here's the domain controllers smb.conf
[global]
workgroup = WarehamPS
encrypt passwords = Yes
time server = Yes
socket options = TCP_NODELAY
security = user
logon script = whs1.bat
writable = Yes
dns proxy = no
directory mask = 02770
preferred master = yes
netbios name = WHS1
server string = RedHat 8.0 LDAP Server
passdb backend = ldapsam
ldap passwd sync = Yes
machine password timeout = 604800
passwd program = /usr/local/samba/bin/smbpasswd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n
*Retype\snew\sUnix\spassword:* %n\n
log file = /var/log/samba.%m
debug level = 2
max log size = 50
add user script = /usr/local/sbin/smbldap-useradd.pl %u delete
user script = /usr/local/sbin/smbldap-useradd.pl %u add group
script = /usr/local/sbin/smbldap-groupadd.pl
delete group script = /usr/local/sbin/smbldap-groupdel.pl add
machine script = /usr/sbin/useradd -c Computer -d
/dev/null
-s /bin/false -g 502 -M %u; /usr/local/samba/bin/smbpasswd -a -m %u
Change these scripts to be liks so:
add user script = /usr/sbin/smbldap-useradd -a -m %u
delete user script = /usr/sbin/smbldap-userdel %u
add group script = /usr/sbin/smbldap-groupadd %g
delete group script = /usr/sbin/smbldap-groupdel %g
add user to group script = /usr/sbin/smbldap-groupmod -m %u %g
delete user from group script = /usr/sbin/smbldap-groupmod -x %u %g
set primary group script = /usr/sbin/smbldap-usermod -g %g %u add
machine script = /usr/sbin/smbldap-useradd -w %u
make sure the paths line up of course. The quotes are important in
case you get spaces in the parameters.
logon script = whs1.bat
logon path =
logon drive = H:
logon home =
domain logons = Yes
os level = 64
domain master = Yes
dns proxy = Yes
admin users = @domain_admins
wins support = Yes
name resolve order = wins hosts bcast
ldap suffix = dc=tow,dc=net
ldap machine suffix = ou=Computers
Make ldap machine suffix match ldap user suffix. Known bug.
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap admin dn = cn=admin,dc=tow,dc=net
ldap ssl = no
shares defs deleted
Of course, make sure your smbldap config file matches the above LDAP dn
information for users, computers. Check back after trying it out.
Paul
Kent
