
Re: Samba, ldap and adding machine accounts.



On Wed, May 12, 2004 at 11:14:56PM +0200, Petter Reinholdtsen wrote:
> [Finn-Arne Johansen]
> >>> But then samba was not able to create SAM_ACCOUNT as samba called
> >>> it.
> >> What does this mean?
> > 
> > It means that samba wasn't able to create an account for the machine,
> > and therefore was not able to join the domain. 
> > 
> >>> The problem then was that getent passwd only listed the users from
> >>> OU=People. 
> >> Why was this a problem?  Isn't that where the users are?  'getent
> >> passwd' should not list machines, right?
> > 
> > This was a problem for samba. Samba expects every machine to have an
> > account. That means, to be able to log on using a user account from
> > the ldap server on the Samba client, the samba machine will have to be
> > a member of the domain. And for the machine to be a member of a domain,
> > an administrator has to add the machine to the domain. 
> 
> I do not get this.  Samba needs the machine to be visible using NSS,
> even though it has its own LDAP configuration in smb.conf:
> 
>     passdb backend = ldapsam:ldaps://ldap
>     ldap suffix = dc=skole,dc=skolelinux,dc=no
>     ldap user suffix = ou=People
>     ldap machine suffix = ou=Machines
>     ldap admin dn = "cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no"
>     ldap filter = (&(uid=%u)(objectclass=sambaAccount))
> 
> This seems to indicate that it should be able to use only sambaAccount
> (and not posixAccount), and that it should not care about the
> configuration of NSS.  Is this wrong?  Does samba use both its own
> LDAP connection, and NSS?

Well, it seems like samba needs both posixAccount _and_ sambaAccount.

> >> Would this list machines when doing 'getent passwd'?
> > 
> > Yes, as well as the people on the "attic"
> 
> Oh, even worse.  Then deleted users would show up on the user list.

Only for those who know how to use getent passwd. 

> >> Why must a machine have a posixAccount?
> > 
> > Because, if not it is not possible to add the machine to the domain. 
> 
> But the smb.conf filter indicates that it only looks for sambaAccount.
> Am I mistaken?

Well, the filter filters out those who are not sambaAccount, so you
are partly right.

> > Because the machine needs to have an account, and these are "must"
> > for the posixAccount
> 
> Could it use a different object class, without these attributes?
> Which attributes does it need the object to have?

It needs to be a posixAccount and sambaAccount. 
And the "may" of posixAccount.

> >> I need more info on the sambaSamAccount before I understand this
> >> option.
> > 
> > Well this means that we need a _new_ wlms
> > (webmin-ldap-machines-simple). What kind of info do you need ? 
> 
> I need to know what kind of attributes are used by samba, where the
> content of these attributes are generated (on the client, on the samba
> server, by ldap, somewhere else?)

The password for the client is generated on the client, it seems. The
password is generated when you join the machine to the domain, and
stored on the client. 

> If the objects created by samba aren't using posixAccount, the machine
> accounts would not show up on 'getent passwd', and we could move the
> Machine tree below the People branch.  Would that work?

No. It needs to be a posixAccount. And it needs to be listed when one
does a "getent passwd".

> > Well, to use samba to write this password, you either need to be
> > root on the machine that has this password stored, or you need to
> > know the "samba root account" password to use it to join a machine
> > to the account.
> 
> Would it be enough for the windows user trying to add a machine to the
> domain to be member of a group with write access to the Machine
> subtree?

Well, no. 
smbadmin needs to have write access, but I think you may be a member of
an admin group. This did not work with samba < 3.0, but I'm told (by
Max?) that this works in samba > 3.0. But that is just to be
authenticated against samba; samba still uses the smbadmin account. 

But I'm getting tired of all this. 
Let's remove the samba support, and tell the whole world that we don't
trust samba, and the rest of the world should not either. 

-- 
Finn-Arne Johansen 
faj@bzz.no
http://bzz.no/
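The requirement discussed above (a machine trust account must be both a posixAccount and a sambaAccount/sambaSamAccount, with the posixAccount "must" attributes filled in, and it then shows up in getent passwd along with any attic users that keep posixAccount) can be checked before a join fails. The following is an added example, not code from this thread or from the Samba or Skolelinux projects. It assumes the RFC 2307 posixAccount MUST attributes (cn, uid, uidNumber, gidNumber, homeDirectory), that machine accounts carry the Samba trailing-"$" uid convention, and that either sambaAccount (Samba 2.2 schema) or sambaSamAccount (Samba 3 schema) satisfies the Samba half. The LDIF and the SIDs in it are constructed sample data with placeholder values.

```python
"""Audit LDAP machine-account entries for what Samba's ldapsam backend
and NSS both need, and show what an NSS passwd view of the tree would list.

Added example; not code from the thread or from Samba. Assumptions:
  - posixAccount MUST attributes follow RFC 2307 (POSIX_MUST below);
  - a machine account is any entry whose uid ends in '$';
  - sambaAccount or sambaSamAccount satisfies the Samba object class need.
"""
from typing import Dict, List

POSIX_MUST = ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory")
SAMBA_CLASSES = ("sambaAccount", "sambaSamAccount")

# Constructed sample tree: one correct machine, one broken machine,
# one normal user, one "attic" user that still has posixAccount.
# SIDs are placeholders, not real domain SIDs.
SAMPLE_LDIF = """
dn: uid=ws01$,ou=Machines,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
cn: ws01$
uid: ws01$
uidNumber: 10001
gidNumber: 515
homeDirectory: /dev/null
loginShell: /bin/false
sambaSID: S-1-5-21-PLACEHOLDER-1003

dn: uid=ws02$,ou=Machines,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: sambaSamAccount
cn: ws02$
uid: ws02$
sambaSID: S-1-5-21-PLACEHOLDER-1004

dn: uid=alice,ou=People,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
cn: Alice Example
uid: alice
uidNumber: 1001
gidNumber: 1001
homeDirectory: /skole/tjener/home0/alice
sambaSID: S-1-5-21-PLACEHOLDER-3002

dn: uid=bob,ou=Attic,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: posixAccount
cn: Bob Retired
uid: bob
uidNumber: 1002
gidNumber: 1002
homeDirectory: /skole/tjener/home0/bob
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: blank-line separated entries, 'attr: value'
    lines, leading-space continuation lines folded. No base64 (::) support."""
    entries: List[Dict[str, List[str]]] = []
    cur: Dict[str, List[str]] = {}
    last = None
    for raw in text.splitlines():
        if raw.startswith(" ") and last is not None:   # folded continuation
            cur[last][-1] += raw[1:]
            continue
        if not raw.strip():                              # entry separator
            if cur:
                entries.append(cur)
            cur, last = {}, None
            continue
        if raw.startswith("#"):
            continue
        attr, _, value = raw.partition(":")
        attr = attr.strip()
        cur.setdefault(attr, []).append(value.strip())
        last = attr
    if cur:
        entries.append(cur)
    return entries


def is_machine(entry: Dict[str, List[str]]) -> bool:
    """Samba trust accounts use a uid ending in '$' (assumed convention)."""
    return any(u.endswith("$") for u in entry.get("uid", []))


def audit_machine_entries(entries) -> Dict[str, List[str]]:
    """Map dn -> list of problems for every machine entry that Samba
    (needs posixAccount + a samba class) or NSS (needs the POSIX MUSTs)
    would reject. Entries without problems are omitted."""
    problems: Dict[str, List[str]] = {}
    for e in entries:
        if not is_machine(e):
            continue
        dn = e.get("dn", ["?"])[0]
        classes = set(e.get("objectClass", []))
        issues = []
        if "posixAccount" not in classes:
            issues.append("missing objectClass posixAccount")
        if not classes & set(SAMBA_CLASSES):
            issues.append("missing objectClass sambaAccount/sambaSamAccount")
        issues += [f"missing posixAccount MUST attribute {a}"
                   for a in POSIX_MUST if a not in e]
        if issues:
            problems[dn] = issues
    return problems


def nss_passwd_view(entries) -> List[str]:
    """What nss_ldap would hand to 'getent passwd' if its base covers the
    whole tree: every posixAccount, machines and attic users included."""
    return [e["uid"][0] for e in entries
            if "posixAccount" in e.get("objectClass", []) and "uid" in e]


if __name__ == "__main__":
    ents = parse_ldif(SAMPLE_LDIF)
    for dn, issues in audit_machine_entries(ents).items():
        print(dn)
        for i in issues:
            print("  -", i)
    print("getent passwd would list:", ", ".join(nss_passwd_view(ents)))
```

Running it reports ws02$ as unjoinable (no posixAccount and three missing POSIX attributes) and shows that the NSS view contains ws01$ and the attic user bob next to alice, which is exactly the "even worse" outcome raised in the thread when the NSS search base is the whole suffix rather than ou=People.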
