
Samba, ldap and adding machine accounts.



We have for some time now had samba3.0.2a included in skolelinux. 
And for a long time before we included samba3, it was impossible to add
samba client workstations. It was not a problem to use win95/98
machines in the network, neither was it a problem to use win2k/XP
machines in the network without joining them to the domain. But in
order to get one common userdb, we needed to add the samba workstations
to the domain. 

There were some errors that prevented this. To try to make the rest of
you understand what all the fuss is about, I'll try to sum up the
process of adding samba users and samba clients. 

All the users are stored in our LDAP server :) 
For things to happen correctly, only some users are allowed to write to
the LDAP-db. admin is allowed to write everything, the authenticated
user is allowed to update their password, everyone else is allowed to
read almost everything, except for passwords. You know the drill. 
But when we add samba, we add 2 more passwords: 
  sambaLMPassword, the password used by old win9x users (I think)
  sambaNTPassword, the password used by the rest. 
Samba also adds some other values, see [1] for reference. 
To be able to update the samba-values, samba needs to have a username
and password for connecting to LDAP. This password is stored on disk on
the main samba-server. It is encrypted, but there is a command-line
tool that decrypts the password. The file where this password is saved
is /var/lib/samba/secret.tdb, and it should be (and by default is) only
readable/writable by root. 
I repeat: Samba needs to store a password on disk.  

Now when it comes to users, it would be no problem to just give
smbadmin (our samba admin user) write access to the samba* entries. But
then we can't have win2k clients (or XP) in the network sharing the
same userDB. 

To be able to use the Win2k/XP machines as clients, the machines need
an account on the main samba server. This can be done by creating a
user account for the machine, the name of the account is
"<machinename>$". The "$" at the end is mandatory. One example of such
an account can be found at [2]. Either this account has to be defined
in LDAP, or it has to be defined in /etc/passwd on the
main-samba-server. We want to use LDAP for our userdb, and this also
applies to the machine accounts. 
If the machine account (like [2]) does not exist, samba will try to add
the machine account before adding the samba-information. This is done
by specifying a command to do this in /etc/samba/etc/smb.conf. 
We have /etc/samba/smbaddclient.pl to do this. The script needed to be
rewritten when we went from samba-2.2.x to 3.0.x. One problem, which I
by the way only have seen with wlus, not with the old wls, is that the
machine accounts showed up in the user admin interface. This is because
they were not separated in an ou=Machines, but were in ou=People.
To separate them we created an ou=Machines, and started to add the machines
in there. This would also make it possible to let smbadmin only
create new entries in ou=Machines, and not in the entire LDAPdb. 
But then samba was not able to create the SAM_ACCOUNT, as samba called it.
The problem then was that getent passwd only listed users from
ou=People. 
To fix this I needed to comment out a line in /etc/libnss-ldap.conf, so
the lines that are actually in there now are: 
  host ldap
  base dc=skole,dc=skolelinux,dc=no
  # nss_base_passwd ou=People,
  nss_base_group ou=Group,
  nss_base_netgroup ou=Netgroup,
  ldap_version 3


To sum up: 
smbadmin needs permission to add an object with the following
objectclasses: posixAccount, top, sambaSamAccount

It needs to have permission to write to these entries: 
dn, objectClass, uid, uidNumber, gidNumber, homeDirectory, cn and 
loginShell, as well as the samba* entries

Well, looking at the schema, I see that loginShell is optional, but
what happens if someone tries to log in with that account? 
Also we can limit write access to ou=Machines, if that is possible. 

So we have 4 options: 
1 Create a GUI for adding machine accounts to the normal ou=People, and
  let samba add objectClass sambaSamAccount, with the necessary
  entries.
2 Let samba add entries to ou=People through our script
  smbaddclient.pl, and the stored password. smbadmin does not need to
  have write access to the userPassword parameter.
3 Let samba add entries to ou=Machines through our script. 
4 Release Skolelinux 1.0 without Samba, or at least without support for
  using win2k/XP clients. 

I vote for number 3, which is committed to cvs (the necessary changes
are in debian-edu-config), but is not tested on a new installation,
only by patching an old one. Someone has to release a new
debian-edu-config to make me test it. (Beware: Andreas released a new
debian-edu-config without committing at least the changelog to cvs, so
one has to do some debugging there. The version in cvs is 0.383, and
the version on CD is 0.383, but they are not the same.) 

[1] http://bugs.skolelinux.no/attachment.cgi?id=232&action=view
[2] http://bugs.skolelinux.no/attachment.cgi?id=231&action=view

-- 
Finn-Arne Johansen 
faj@bzz.no
http://bzz.no/
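The following is an added example, not the Skolelinux smbaddclient.pl script or any code from the message above. It shows what an "add machine script" for option 3 has to produce: a posixAccount entry for "<machinename>$" placed under ou=Machines, which Samba then completes with the sambaSamAccount class and samba* attributes. It also includes a checker for the requirements listed in the summary (objectclasses, attributes, trailing "$", and that the DN sits under ou=Machines so an ACL limited to that OU would accept the add), and answers the loginShell question by always setting a non-login shell. Assumptions: the base DN is the one from the libnss-ldap.conf shown in the message; ou=Machines is the container the message proposes; "account" is used as the structural class because posixAccount and sambaSamAccount are auxiliary classes in the standard schemas; uid/gid numbers and the domain SID are made up; the rid = 2*uidNumber+1000 mapping is the smbldap-tools convention, not something the message states.

```python
import re

# Base DN from the libnss-ldap.conf in the message; ou=Machines as proposed there.
BASE_DN = "dc=skole,dc=skolelinux,dc=no"
MACHINES_OU = f"ou=Machines,{BASE_DN}"

# What the message says smbadmin must be able to add / write on a machine entry.
REQUIRED_CLASSES = {"top", "posixAccount", "sambaSamAccount"}
REQUIRED_ATTRS = {"objectClass", "uid", "uidNumber", "gidNumber",
                  "homeDirectory", "cn", "loginShell"}
NON_LOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}

# NetBIOS host name: up to 15 characters; letters, digits and '-' only.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9-]{0,14}$")


def valid_machine_name(hostname):
    """True if hostname (with or without the trailing '$') is a usable NetBIOS name."""
    name = hostname[:-1] if hostname.endswith("$") else hostname
    return NAME_RE.match(name) is not None


def machine_account(hostname, uid_number, gid_number):
    """Build the posixAccount entry an 'add machine script' would create.

    Samba adds sambaSamAccount and the samba* attributes afterwards,
    so they are deliberately left out here. 'account' is an assumed
    structural class; uid/gid values are whatever the caller allocates.
    """
    if not valid_machine_name(hostname):
        raise ValueError(f"not a valid machine name: {hostname!r}")
    name = hostname[:-1] if hostname.endswith("$") else hostname
    uid = name.lower() + "$"                  # the trailing '$' is mandatory
    return {
        "dn": f"uid={uid},{MACHINES_OU}",     # under ou=Machines, not ou=People
        "objectClass": ["top", "account", "posixAccount"],
        "uid": uid,
        "cn": uid,
        "uidNumber": str(uid_number),
        "gidNumber": str(gid_number),
        "homeDirectory": "/dev/null",         # a workstation never needs a home
        "loginShell": "/bin/false",           # optional in the schema; set it so
                                              # nobody can log in with this account
    }


def with_samba_attributes(entry, domain_sid):
    """Return a copy of entry extended the way Samba does after the add script ran.

    rid = 2*uidNumber + 1000 is the smbldap-tools convention (assumption);
    '[W          ]' is the account-flags value Samba uses for workstations.
    """
    rid = 2 * int(entry["uidNumber"]) + 1000
    full = dict(entry)
    full["objectClass"] = entry["objectClass"] + ["sambaSamAccount"]
    full["sambaSID"] = f"{domain_sid}-{rid}"
    full["sambaAcctFlags"] = "[W          ]"
    return full


def check_machine_entry(entry):
    """Return a list of problems; an empty list means the entry matches the
    summary's requirements and lies where an ou=Machines-only ACL would allow."""
    problems = []
    if not entry["dn"].lower().endswith("," + MACHINES_OU.lower()):
        problems.append("dn is not under ou=Machines (ACL would reject the add)")
    if not entry.get("uid", "").endswith("$"):
        problems.append("uid lacks the mandatory trailing '$'")
    missing = REQUIRED_CLASSES - set(entry.get("objectClass", []))
    if missing:
        problems.append("missing objectClass: " + ", ".join(sorted(missing)))
    missing = REQUIRED_ATTRS - set(entry)
    if missing:
        problems.append("missing attribute: " + ", ".join(sorted(missing)))
    if entry.get("loginShell") not in NON_LOGIN_SHELLS:
        problems.append("loginShell would allow an interactive login")
    return problems


def to_ldif(entry):
    """Serialise the entry as LDIF, dn first, multi-valued attributes one per line."""
    lines = [f"dn: {entry['dn']}"]
    for attr, value in entry.items():
        if attr == "dn":
            continue
        for v in (value if isinstance(value, list) else [value]):
            lines.append(f"{attr}: {v}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values: uid 20001, gid 515, made-up domain SID.
    posix = machine_account("PC01", 20001, 515)
    print(to_ldif(posix))
    print("before samba:", check_machine_entry(posix))
    print("after samba: ", check_machine_entry(with_samba_attributes(posix, "S-1-5-21-1-2-3")))
```

Run as a script it prints the LDIF the add script would feed to ldapadd, then the checker result before Samba has added sambaSamAccount (one missing objectClass) and after (no problems). Moving the same entry's dn to ou=People makes the checker flag it, which is exactly the case an ACL restricted to ou=Machines is meant to stop.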
