
Re: Samba, ldap and adding machine accounts.



[Finn-Arne Johansen]
> I repeat: Samba needs to store a password on disk.

As you are well aware, I am not happy with doing this.

> But then samba was not able to create SAM_ACCOUNT as samba called
> it.

What does this mean?

> The problem then was that getent passwd only listed the users from
> OU=People. 

Why was this a problem?  Isn't that where the users are?  'getent
passwd' should not list machines, right?


> To fix this I needed to comment out a line in /etc/libnss-ldap.conf, so
> the lines that are actually in there now are: 
>   host ldap
>   base dc=skole,dc=skolelinux,dc=no
>   # nss_base_passwd ou=People,

Would this list machines when doing 'getent passwd'?

> To sum up: 
> smbadmin needs permission to add an object with the following
> objectclasses: posixAccount, top, sambaSamAccount

Why must a machine have a posixAccount?

> It needs to have permission to write to these entries: 
> dn, objectClass, uid, uidNumber, gidNumber, homeDirectory, cn and 
> loginShell, as well as the samba* -entries

Why must a machine have uid, uidNumber, gidNumber and homeDirectory?

> well, looking at the schema, I see that loginShell is optional, but
> what happens if someone tries to log in with that account ?

How can it be possible to log in using a machine account?

> Also we can limit write access to the ou=Machines, if that is possible. 

This sounds like the very least we should do.

BTW: Isn't there some registry setting one can use in windows 2k/xp to
get the machine to log in as win95/98?

> So we have 4 options: 
> 1 Create a gui for Adding Machine Accounts to the normal ou=People, and
>   let samba add objectClass sambaSamAccount, with the necessary
>   entries.

I need more info on the sambaSamAccount before I understand this
option.

> 2 Let samba add entries to ou=People through our script
>   smbaddclient.pl, and the stored password. smbadmin does not need to
>   have write access to the userPassword parameter

I am worried about the write access without an administrator present,
and less about the individual attributes.
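For reference, this is what "limit write access to ou=Machines" could look like as an OpenLDAP slapd.conf ACL set; it is an added example written for this note, not something from the thread or from Skolelinux. It assumes the base dc=skole,dc=skolelinux,dc=no from the quoted libnss-ldap.conf, a hypothetical bind DN cn=smbadmin,dc=skole,dc=skolelinux,dc=no, and the Samba 3 schema attribute names (sambaSID, sambaNTPassword, ...).

```conf
# Constructed example: first matching "access to" clause wins, so the
# narrow rules come before the catch-all.

# Unix passwords: owner may change, anyone may bind against them,
# nobody (smbadmin included) may read the hashes.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# The NT/LM hashes Samba stores for a machine account are equivalent
# to the account's password: smbadmin writes them, nobody else sees them.
access to dn.children="ou=Machines,dc=skole,dc=skolelinux,dc=no"
        attrs=sambaNTPassword,sambaLMPassword
    by dn.exact="cn=smbadmin,dc=skole,dc=skolelinux,dc=no" write
    by * none

# The attributes Finn-Arne listed, but only on entries below ou=Machines.
# "entry" is the pseudo-attribute needed to add or delete the entry itself.
access to dn.children="ou=Machines,dc=skole,dc=skolelinux,dc=no"
        attrs=entry,objectClass,uid,uidNumber,gidNumber,homeDirectory,cn,loginShell,sambaSID,sambaAcctFlags,sambaPwdLastSet
    by dn.exact="cn=smbadmin,dc=skole,dc=skolelinux,dc=no" write
    by * read

# Creating a child requires write access to the parent's "children"
# pseudo-attribute; granting it only on ou=Machines is what keeps
# smbadmin from creating anything under ou=People.
access to dn.exact="ou=Machines,dc=skole,dc=skolelinux,dc=no"
        attrs=children
    by dn.exact="cn=smbadmin,dc=skole,dc=skolelinux,dc=no" write
    by * read

# Everything else (ou=People included) is read-only for smbadmin.
access to *
    by * read
```

The intended check is simply that an ldapadd as smbadmin of a test entry under ou=People is refused while the same entry under ou=Machines is accepted.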
