Re: Samba, ldap and adding machine accounts.
[Finn-Arne Johansen]
> I repeat: Samba needs to store a password on disk.
As you are well aware, I am not happy with doing this.
> But then samba was not able to create SAM_ACCOUNT as samba called
> it.
What does this mean?
> The problem then was that getent passwd only listed the users from
> OU=People.
Why was this a problem? Isn't that where the users are? 'getent
passwd' should not list machines, right?
> To fix this I needed to comment out a line in /etc/libnss-ldap.conf, so
> the lines that are actually in there now are:
> host ldap
> base dc=skole,dc=skolelinux,dc=no
> # nss_base_passwd ou=People,
Would this list machines when doing 'getent passwd'?
> To sum up:
> smbadmin needs permission to add an object with the following
> objectclasses: posixAccount, top, sambaSamAccount
Why must a machine have a posixAccount?
> It needs to have permission to write to these entries:
> dn, objectClass, uid, uidNumber, gidNumber, homeDirectory, cn and
> loginShell, as well as the samba* -entries
Why must a machine have uid, uidNumber, gidNumber and homeDirectory?
> Well, looking at the schema, I see that loginShell is optional, but
> what happens if someone tries to log in with that account?
How can it be possible to log in using a machine account?
> Also we can limit write access to the ou=Machines, if that is possible.
This sounds like the very least we should do.
BTW: Isn't there some registry setting one can use in Windows 2k/XP to
get the machine to log in as Win95/98?
> So we have 4 options:
> 1 Create a GUI for adding machine accounts to the normal ou=People, and
> let samba add objectClass sambaSamAccount, with the necessary
> entries.
I need more info on the sambaSamAccount before I understand this
option.
> 2 Let samba add entries to ou=People through our script
> smbaddclient.pl, and the stored password. smbadmin does not need to
> have write access to the userPassword parameter.
I am worried about the write access without an administrator present,
and less about the individual attributes.
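What the "limit write access to ou=Machines" idea looks like as OpenLDAP ACLs, as an added example that is not part of the thread above and not Skolelinux's own configuration. It is written for slapd.conf on a reasonably recent OpenLDAP 2.x; the suffix is the one quoted from /etc/libnss-ldap.conf, while the bind DN cn=smbadmin,dc=skole,dc=skolelinux,dc=no is an assumption. The @sambaSamAccount attribute selector is documented in slapd.access(5); on servers that lack it, list the samba* attributes by name instead.

```conf
# Added example, not from the thread: slapd.conf ACLs for Samba machine
# accounts kept under ou=Machines. Assumed bind DN for Samba's LDAP admin:
#   cn=smbadmin,dc=skole,dc=skolelinux,dc=no
# Rules are tried in order; the first "access to" clause that matches decides.

# 1. The NT/LM hashes are password-equivalent. smbadmin may set them on
#    machine accounts only; nobody else reads them, and nothing in ou=People
#    is reachable for smbadmin through this rule.
access to dn.one="ou=Machines,dc=skole,dc=skolelinux,dc=no"
        attrs=sambaLMPassword,sambaNTPassword
    by dn.exact="cn=smbadmin,dc=skole,dc=skolelinux,dc=no" write
    by * none

access to attrs=sambaLMPassword,sambaNTPassword
    by self write
    by * none

# 2. userPassword: smbadmin gets no access, in ou=Machines or anywhere else.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# 3. smbadmin may create (and delete) entries directly under ou=Machines ...
access to dn.exact="ou=Machines,dc=skole,dc=skolelinux,dc=no" attrs=children
    by dn.exact="cn=smbadmin,dc=skole,dc=skolelinux,dc=no" write
    by * read

# 4. ... and, inside ou=Machines, may write the attributes listed in the
#    summary above ("dn" corresponds to the entry pseudo-attribute) plus the
#    remaining sambaSamAccount attributes via the objectClass selector.
#    The hashes are already decided by rule 1 and never reach this rule.
access to dn.one="ou=Machines,dc=skole,dc=skolelinux,dc=no"
        attrs=entry,objectClass,uid,uidNumber,gidNumber,homeDirectory,cn,loginShell,@sambaSamAccount
    by dn.exact="cn=smbadmin,dc=skole,dc=skolelinux,dc=no" write
    by * read

# 5. Everything else, ou=People included, is read-only for smbadmin.
access to *
    by * read
```

With these rules smbadmin can add, change and remove machine entries, but cannot touch ou=People at all and cannot read or write any userPassword, which is the narrower grant the thread is after. Samba 3 is pointed at the same subtree with "ldap machine suffix" in smb.conf. For the loginShell worry above, give machine entries a shell such as /bin/false: the entry then exists for NSS but cannot get an interactive login. On the getent side, recent libnss-ldap accepts more than one nss_base_passwd line, so ou=People can stay the passwd base and ou=Machines can be added or left out as wanted instead of dropping the base line altogether.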