
Re: Samba, ldap and adding machine accounts.



On Wed, May 12, 2004 at 10:19:03PM +0200, Petter Reinholdtsen wrote:
> [Finn-Arne Johansen]
> > I repeat: Samba needs to store a password on disk.
> As you are well aware, I am not happy with doing this.

Yes, and that's why I'm trying to understand what happens.

> > But then samba was not able to create SAM_ACCOUNT as samba called
> > it.
> What does this mean?

It means that samba wasn't able to create an account for the machine,
and therefore was not able to join the domain.

> > The problem then was that getent passwd only listed to users from
> > OU=People. 
> Why was this a problem?  Isn't that where the users are?  'getent
> passwd' should not list machines, right?

That was a problem for samba. Samba expects every machine to have an
account. That means, to be able to log on using a user account from
the ldap server on the Samba client, the samba machine will have to be
a member of the domain. And for the machine to be a member of a domain,
an administrator has to add the machine to the domain.

> > To fix this I needed to comment out a line in /etc/libnss-ldap.conf, so
> > the lines that are actually in there now are:
> >   host ldap
> >   base dc=skole,dc=skolelinux,dc=no
> >   # nss_base_passwd ou=People,
> Would this list machines when doing 'getent passwd'?

Yes, as well as the people on the "attic"

> > To sum up:
> > smbadmin needs permission to add an object with the following
> > objectclasses: posixAccount, top, sambaSamAccount
> Why must a machine have a posixAccount?

Because, if not, it is not possible to add the machine to the domain.

> > It needs to have permission to write to these entries: 
> > dn, objectClass, uid, uidNumber, gidNumber, homeDirectory, cn and 
> > loginShell, as well as the samba* -entries
> Why must a machine have uid, uidNumber, gidNumber and homeDirectory?

Because the machine needs to have an account, and these are "must" for
the posixAccount.

> > Well, looking at the schema, I see that loginShell is optional, but
> > what happens if someone tries to log in with that account?
> How can it be possible to log in using a machine account?

Well, is it possible to log on to a posixAccount without a password?
I don't think so.

> > Also we can limit write access to the ou=Machines, if that is possible.
> This sounds like the very least we should do.

But then we need the change in /etc/libnss-ldap.conf.

> BTW: Isn't there some registry setting one can use in windows 2k/xp to
> get the machine to log in as win95/98?

Seriously, if some company should take responsibility, they would not
allow us to do this. But it is possible to set up separate accounts on
every windows machine, and let them enter a password when they want to
connect to the samba server.

> > So we have 4 options: 
> > 1 Create a gui for Adding Machine Accounts to the normal ou=People, and
> >   let samba add objectClass sambaSamAccount, with the necessary
> >   entries.
> I need more info on the sambaSamAccount before I understand this
> option.

Well, this means that we need a _new_ wlms
(webmin-ldap-machines-simple). What kind of info do you need?

> > 2 Let samba add entries to ou=People through our script
> >   smbaddclient.pl, and the stored password. smbadmin_does_not_need_to
> >   have write access to the userPassword parameter
> I am worried about the write access without an administrator present,
> and less about the individual attributes.

Well, to use samba to write this password, you either need to be root
on the machine that has this password stored, or you need to know the
"samba root account" password to use it to join a machine to the
account.

-- 
Finn-Arne Johansen 
faj@bzz.no
http://bzz.no/
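As an added illustration of the attribute set the thread settles on (not something posted in the thread), this LDIF shows a minimal workstation trust account placed under ou=Machines rather than ou=People. The base DN is the one quoted from /etc/libnss-ldap.conf above; the hostname, uidNumber, gidNumber and SIDs are constructed placeholders, and the ou=Machines container is assumed to exist.

```ldif
# Added example: minimal machine trust account with only the objectClasses
# the thread lists (top, posixAccount, sambaSamAccount). All numeric values
# and SIDs are placeholders, not values from a real directory.
dn: uid=pc01$,ou=Machines,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
# Samba looks a machine up through nss by its NetBIOS name plus a trailing '$'
uid: pc01$
cn: pc01$
# posixAccount MUST attributes (cn, uid, uidNumber, gidNumber, homeDirectory)
uidNumber: 20001
gidNumber: 515
# Nothing should ever log in as a machine: loginShell is optional in the
# schema, but pinning it to a non-shell removes any doubt about interactive use
homeDirectory: /dev/null
loginShell: /bin/false
# sambaSamAccount MUST attributes; replace the placeholder with the real domain SID
sambaSID: S-1-5-21-DOMAIN-SID-PLACEHOLDER-41002
sambaPrimaryGroupSID: S-1-5-21-DOMAIN-SID-PLACEHOLDER-515
# 'W' marks a workstation trust account. Samba fills in the samba* password
# attributes itself when the client joins, so no password is stored here
sambaAcctFlags: [W          ]
```

Confining the smbadmin bind DN to this container is then a single slapd.conf rule such as `access to dn.children="ou=Machines,dc=skole,dc=skolelinux,dc=no" by dn="cn=smbadmin,dc=skole,dc=skolelinux,dc=no" write by * read` (the smbadmin DN is assumed here), placed before any broader `access to *` rule because slapd stops at the first `to` clause that matches.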


