Re: [Samba] Unable to add machine accounts

2009-03-30 Thread Chris St. Pierre

Anyone have any ideas on this?  (Really, any ideas at all are
welcome.)  Thanks.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

On Fri, 27 Mar 2009, Chris St. Pierre wrote:


I have the exact same problem as this guy:

http://lists.samba.org/archive/samba/2006-September/125699.html

He describes it much better and in much more detail than I could, so
I'll let him speak for me.

Unfortunately, I don't have the same solution.  nss_ldap is configured
properly, and things like 'getent passwd' and 'id machine-acct$' show
the machine accounts as expected:

% getent passwd | grep stpierre
stpierre:x:2273:4000:Christopher St Pierre:/home/faculty/stpierre:/bin/zsh
stpierre-pc$:*:1944:1000:Computer:/dev/null:/bin/false
% id stpierre-pc$
uid=1944(stpierre-pc$) gid=1000 groups=1000

Unfortunately, "fix nss_ldap" is about the only suggestion I could
find on this problem on Google.  Any other suggestions?  Thanks!

I'm running samba 3.0.33 on RHEL 5.  /etc/ldap.conf (nss_ldap.conf on
other distros):

uri ldap://ldap.nebrwesleyan.edu
base o=NebrWesleyan.edu,o=isp
timelimit 30
bind_timelimit 30
bind_policy soft
nss_initgroups_ignoreusers root,ldap
ssl start_tls
tls_checkpeer no

The [global] section of smb.conf:

[global]
server string = Huxley
workgroup = NWU_HUXLEY
netbios name = Huxley

log level = 1
log file = /var/log/samba/%U.%m.log
max log size = 102400

add machine script = /usr/sbin/smbldap-useradd -t 10 -w '%m'

bind interfaces only = true
interfaces = 10.1.1.44

logon path =
logon home =
logon drive =

socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536 SO_KEEPALIVE
max smbd processes = 0

encrypt passwords = yes
domain logons = yes
domain master = yes
local master = yes
preferred master = yes
security = user
os level = 33
wins server = 10.9.1.12

admin users = +ntadmin

passdb backend = ldapsam:ldap://ldap.nebrwesleyan.edu
ldap suffix = o=nebrwesleyan.edu,o=isp
ldap machine suffix = ou=People
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap admin dn = cn=directory manager
ldap ssl = off


idmap uid = 1-2
idmap gid = 1-2

blocking locks = no
unix extensions = no
include = /etc/samba/%U.inc

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba




Re: [Samba] Unable to add machine accounts

2009-03-30 Thread Chris St. Pierre

On Mon, 30 Mar 2009, John Drescher wrote:


I have had this on and off. I just end up adding machine accounts via
LAM (LDAP Account Manager)

http://lam.sourceforge.net/

and don't waste time on figuring out the cause.

Now I actually consider this a good thing since only I can add machine
accounts regardless of which users have the rights.


That's exactly the situation I'm trying to avoid. :)

I can run smbldap-useradd manually and it works fine, but that means
that everyone has to go through me whenever they want to add a machine
to the domain, which is a waste of time IMO.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University


Re: [Samba] Unable to add machine accounts

2009-03-30 Thread John Drescher
On Mon, Mar 30, 2009 at 12:51 PM, Chris St. Pierre
stpie...@nebrwesleyan.edu wrote:
 Anyone have any ideas on this?  (Really, any ideas at all are
 welcome.)  Thanks.


I have had this on and off. I just end up adding machine accounts via
LAM (LDAP Account Manager)

http://lam.sourceforge.net/

and don't waste time on figuring out the cause.

Now I actually consider this a good thing since only I can add machine
accounts regardless of which users have the rights.


John


Re: [Samba] Unable to add machine accounts

2009-03-30 Thread LiPi -
I had the same problem 2 weeks ago, and it is really brain-cracking.
http://www.mail-archive.com/samba@lists.samba.org/msg99586.html

I solved it using the smbldap-configure.pl script and running an smbldap-populate
as explained in the Ubuntu 8.10 documentation.

Don't ask me why, but it seems that smbldap wasn't working properly with hand
configuration. I read for about 2 weeks and a lot of manuals and howtos; I
recommend you to do the same, smbldap-configure.

I also use LAM, and adding machines by hand worked perfectly. I think that
there was a problem with pdbedit and smbldap-tools auth. Pdbedit is
what adds samba attributes to machine accounts once they are created, and it's
called, I think, by smbldap. Take a look at your logs if you want, but
smbldap-configure is the easiest and fastest solution.


2009/3/30 Chris St. Pierre stpie...@nebrwesleyan.edu

 On Mon, 30 Mar 2009, John Drescher wrote:

  I have had this on and off. I just end up adding machine accounts via
 LAM (LDAP Account Manager)

 http://lam.sourceforge.net/

 and don't waste time on figuring out the cause.

 Now I actually consider this a good thing since only I can add machine
 accounts regardless of which users have the rights.


 That's exactly the situation I'm trying to avoid. :)

 I can run smbldap-useradd manually and it works fine, but that means
 that everyone has to go through me whenever they want to add a machine
 to the domain, which is a waste of time IMO.

 Chris St. Pierre
 Unix Systems Administrator
 Nebraska Wesleyan University



Re: [Samba] Unable to add machine accounts

2009-03-30 Thread John Drescher
 I solved it using the smbldap-configure.pl script and running an smbldap-populate
 as explained in the Ubuntu 8.10 documentation.

 Don't ask me why, but it seems that smbldap wasn't working properly with hand
 configuration. I read for about 2 weeks and a lot of manuals and howtos; I
 recommend you to do the same, smbldap-configure.

Is that destructive to an existing setup? I have been using samba and
openldap for around 5 years.

John


Re: [Samba] Unable to add machine accounts

2009-03-30 Thread Chris St. Pierre

On Mon, 30 Mar 2009, John Drescher wrote:


Is that destructive to an existing setup? I have been using samba and
openldap for around 5 years.


Looks that way.  I've also been using Samba + LDAP for about 5 years,
and have 8000 users and 1000 machine accounts I'd kinda like to keep
around.

It also assumes that your Samba box is your OpenLDAP box.  I have two
of the former and four of the latter, none of which share hardware.
Not that that would matter for me anyway, since that script assumes
you use OpenLDAP, and I use Fedora DS.  These are just the problems I
found in about a 60-second perusal of the script.

In other words, it looks fine if you're trying to get your shiny new
Samba + LDAP setup working on your home server, but it's not exactly
what I'd call enterprise quality software.

That said, I figured out the problem -- kind of: nscd.  As far as I
can tell, what happens is:

1.  In the process of creating a trust account, Samba checks to see if
the account already exists.  nscd caches a negative answer.

2.  The account is created.

3.  Samba again checks for the account, but gets nscd's cached
negative reply.

Not using nscd isn't really a good option for us.

I tried reducing the nscd negative TTL so it was below the -t (wait)
argument to smbldap-useradd, but that didn't appear to work.

My other option is to wrap smbldap-useradd in a script that
invalidates the entire nscd cache, but that's also not a very good
option, since it torches the entire cache, not just the entry that
needs to be invalidated.  Admittedly, we don't add machine accounts
that often, but it's not really my favorite solution.

I'm sure other people must be running Samba + nscd.  What other
solutions are there to this problem?

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

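As an added example (not code from the thread), this is a wrapper that could stand in for the smb.conf add machine script: it runs smbldap-useradd with the same -t/-w arguments as Chris's configuration, then invalidates only nscd's passwd table with nscd -i passwd instead of the whole cache, and polls getent until the new trust account is visible through NSS. The binary paths and the SMBLDAP_USERADD, NSCD and WAIT_SECONDS variables are assumptions for this example.

```shell
#!/bin/sh
# Hypothetical wrapper for "add machine script", written for this example.
# Usage: add-machine-wrapper.sh 'machine-name$'
set -u

SMBLDAP_USERADD="${SMBLDAP_USERADD:-/usr/sbin/smbldap-useradd}"  # assumed path
NSCD="${NSCD:-/usr/sbin/nscd}"                                    # assumed path
WAIT_SECONDS="${WAIT_SECONDS:-10}"

# Return 0 when the account name resolves through NSS (passwd map).
account_visible() {
    getent passwd "$1" >/dev/null 2>&1
}

# Create the trust account, drop nscd's cached negative passwd lookup for it
# by invalidating the passwd table only, then wait until NSS can see it.
# Returns 0 on success, 1 if smbldap-useradd failed, 2 for a bad name,
# 3 if the account was created but never became visible.
add_machine_account() {
    name="$1"
    case "$name" in
        ""|*[!-A-Za-z0-9_.\$]*)
            echo "refusing: '$name' is not a valid machine account name" >&2
            return 2 ;;
    esac
    "$SMBLDAP_USERADD" -t "$WAIT_SECONDS" -w "$name" || return 1
    # Only the passwd table is invalidated; hosts/group caches are untouched.
    "$NSCD" -i passwd 2>/dev/null || :   # ignore failure if nscd is not running
    i=0
    while [ "$i" -lt "$WAIT_SECONDS" ]; do
        if account_visible "$name"; then return 0; fi
        i=$((i + 1))
        sleep 1
    done
    echo "account '$name' was created but is still not visible via NSS" >&2
    return 3
}

if [ "$#" -gt 0 ]; then
    add_machine_account "$1"
fi
```

Samba treats a non-zero exit from the add machine script as a failed join, so the return codes above surface in the smbd log rather than being silently lost.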


Re: [Samba] Unable to add machine accounts

2009-03-30 Thread LiPi -
I wasn't using nscd and I got the same error.

Don't know if it's destructive, first do it in a testing machine.

2009/3/30 Chris St. Pierre stpie...@nebrwesleyan.edu

 On Mon, 30 Mar 2009, John Drescher wrote:

  Is that destructive to an existing setup? I have been using samba and
 openldap for around 5 years.


 Looks that way.  I've also been using Samba + LDAP for about 5 years,
 and have 8000 users and 1000 machine accounts I'd kinda like to keep
 around.

 It also assumes that your Samba box is your OpenLDAP box.  I have two
 of the former and four of the latter, none of which share hardware.
 Not that that would matter for me anyway, since that script assumes
 you use OpenLDAP, and I use Fedora DS.  These are just the problems I
 found in about a 60-second perusal of the script.

 In other words, it looks fine if you're trying to get your shiny new
 Samba + LDAP setup working on your home server, but it's not exactly
 what I'd call enterprise quality software.

 That said, I figured out the problem -- kind of: nscd.  As far as I
 can tell, what happens is:

 1.  In the process of creating a trust account, Samba checks to see if
 the account already exists.  nscd caches a negative answer.

 2.  The account is created.

 3.  Samba again checks for the account, but gets nscd's cached
 negative reply.

 Not using nscd isn't really a good option for us.

 I tried reducing the nscd negative TTL so it was below the -t (wait)
 argument to smbldap-useradd, but that didn't appear to work.

 My other option is to wrap smbldap-useradd in a script that
 invalidates the entire nscd cache, but that's also not a very good
 option, since it torches the entire cache, not just the entry that
 needs to be invalidated.  Admittedly, we don't add machine accounts
 that often, but it's not really my favorite solution.

 I'm sure other people must be running Samba + nscd.  What other
 solutions are there to this problem?

 Chris St. Pierre
 Unix Systems Administrator
 Nebraska Wesleyan University




Re: [Samba] Unable to add machine accounts

2009-03-30 Thread John Drescher
On Mon, Mar 30, 2009 at 4:23 PM, LiPi - lip...@gmail.com wrote:
 I wasn't using nscd and I got the same error.

I am using nscd. File operations on servers that were not also ldap
servers were too slow without nscd even with a nearly 100% gigabit
network.

John


Re: [Samba] Unable to add machine accounts

2009-03-30 Thread Jeremy Allison
On Mon, Mar 30, 2009 at 02:56:02PM -0500, Chris St. Pierre wrote:
 On Mon, 30 Mar 2009, John Drescher wrote:

 Is that destructive to an existing setup? I have been using samba and
 openldap for around 5 years.

 Looks that way.  I've also been using Samba + LDAP for about 5 years,
 and have 8000 users and 1000 machine accounts I'd kinda like to keep
 around.

 It also assumes that your Samba box is your OpenLDAP box.  I have two
 of the former and four of the latter, none of which share hardware.
 Not that that would matter for me anyway, since that script assumes
 you use OpenLDAP, and I use Fedora DS.  These are just the problems I
 found in about a 60-second perusal of the script.

 In other words, it looks fine if you're trying to get your shiny new
 Samba + LDAP setup working on your home server, but it's not exactly
 what I'd call enterprise quality software.

 That said, I figured out the problem -- kind of: nscd.  As far as I
 can tell, what happens is:

 1.  In the process of creating a trust account, Samba checks to see if
 the account already exists.  nscd caches a negative answer.

 2.  The account is created.

 3.  Samba again checks for the account, but gets nscd's cached
 negative reply.

 Not using nscd isn't really a good option for us.

 I tried reducing the nscd negative TTL so it was below the -t (wait)
 argument to smbldap-useradd, but that didn't appear to work.

 My other option is to wrap smbldap-useradd in a script that
 invalidates the entire nscd cache, but that's also not a very good
 option, since it torches the entire cache, not just the entry that
 needs to be invalidated.  Admittedly, we don't add machine accounts
 that often, but it's not really my favorite solution.

 I'm sure other people must be running Samba + nscd.  What other
 solutions are there to this problem?

The winbindd code uses nscd_flush_cache() calls to avoid this.
I'd be happy with a patch to the Samba + LDAP code to do the
same thing.

Jeremy.


[Samba] Unable to add machine accounts

2009-03-27 Thread Chris St. Pierre

I have the exact same problem as this guy:

http://lists.samba.org/archive/samba/2006-September/125699.html

He describes it much better and in much more detail than I could, so
I'll let him speak for me.

Unfortunately, I don't have the same solution.  nss_ldap is configured
properly, and things like 'getent passwd' and 'id machine-acct$' show
the machine accounts as expected:

% getent passwd | grep stpierre
stpierre:x:2273:4000:Christopher St Pierre:/home/faculty/stpierre:/bin/zsh
stpierre-pc$:*:1944:1000:Computer:/dev/null:/bin/false
% id stpierre-pc$
uid=1944(stpierre-pc$) gid=1000 groups=1000

Unfortunately, "fix nss_ldap" is about the only suggestion I could
find on this problem on Google.  Any other suggestions?  Thanks!

I'm running samba 3.0.33 on RHEL 5.  /etc/ldap.conf (nss_ldap.conf on
other distros):

uri ldap://ldap.nebrwesleyan.edu
base o=NebrWesleyan.edu,o=isp
timelimit 30
bind_timelimit 30
bind_policy soft
nss_initgroups_ignoreusers root,ldap
ssl start_tls
tls_checkpeer no

The [global] section of smb.conf:

[global]
server string = Huxley
workgroup = NWU_HUXLEY
netbios name = Huxley

log level = 1
log file = /var/log/samba/%U.%m.log
max log size = 102400

add machine script = /usr/sbin/smbldap-useradd -t 10 -w '%m'

bind interfaces only = true
interfaces = 10.1.1.44

logon path =
logon home =
logon drive =

socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536 SO_KEEPALIVE
max smbd processes = 0

encrypt passwords = yes
domain logons = yes 
domain master = yes 
local master = yes 
preferred master = yes 
security = user 
os level = 33 
wins server = 10.9.1.12

admin users = +ntadmin

passdb backend = ldapsam:ldap://ldap.nebrwesleyan.edu
ldap suffix = o=nebrwesleyan.edu,o=isp 
ldap machine suffix = ou=People 
ldap user suffix = ou=People 
ldap group suffix = ou=Groups 
ldap admin dn = cn=directory manager 
ldap ssl = off


idmap uid = 1-2
idmap gid = 1-2

blocking locks = no
unix extensions = no
include = /etc/samba/%U.inc

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University