
Re: Samba, ldap and adding machine accounts.



[Finn-Arne Johansen]
>>> But then samba was not able to create SAM_ACCOUNT as samba called
>>> it.
>> What does this mean?
> 
> It means that samba wasn't able to create an account for the machine,
> and therefore was not able to join the domain. 
> 
>>> The problem then was that getent passwd only listed the users from
>>> OU=People. 
>> Why was this a problem?  Isn't that where the users are?  'getent
>> passwd' should not list machines, right?
> 
> This was a problem for samba. Samba expects every machine to have an
> account. That means, to be able to log on using a user account from
> the ldap server on the Samba client, the samba machine will have to be
> a member of the domain. And for the machine to be a member of a domain,
> an administrator has to add the machine to the domain. 

I do not get this.  Samba needs the machine to be visible using NSS,
even though it has its own LDAP configuration in smb.conf:

    passdb backend = ldapsam:ldaps://ldap
    ldap suffix = dc=skole,dc=skolelinux,dc=no
    ldap user suffix = ou=People
    ldap machine suffix = ou=Machines
    ldap admin dn = "cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no"
    ldap filter = (&(uid=%u)(objectclass=sambaAccount))

This seems to indicate that it should be able to use only sambaAccount
(and not posixAccount), and that it should not care about the
configuration of NSS.  Is this wrong?  Does samba use both its own
LDAP connection, and NSS?

>> Would this list machines when doing 'getent passwd'?
> 
> Yes, as well as the people on the "attic"

Oh, even worse.  Then deleted users would show up on the user list.

>> Why must a machine have a posixAccount?
> 
> Because, if not it is not possible to add the machine to the domain. 

But the smb.conf filter indicates that it only looks for sambaAccount.
Am I mistaken?


> Because the machine needs to have an account, and these are "must"
> for the PosixAccount

Could it use a different object class, without these attributes?
Which attributes does it need the object to have?

>> I need more info on the sambaSamAccount before I understand this
>> option.
> 
> Well this means that we need a _new_ wlms
> (webmin-ldap-machines-simple). What kind of info do you need ? 

I need to know what kind of attributes are used by samba, where the
content of these attributes is generated (on the client, on the samba
server, by ldap, somewhere else?)

If the objects created by samba aren't using posixAccount, the machine
accounts would not show up on 'getent passwd', and we could move the
Machine tree below the People branch.  Would that work?


> Well to use samba to write this password, you either need to be
> root on the machine that has this password stored, or you need to
> know the "samba root account" password to use it to join a machine
> to the account.

Would it be enough for the windows user trying to add a machine to the
domain to be member of a group with write access to the Machine
subtree?
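The point under discussion, as an added example that is not part of the thread or of Samba itself: 'getent passwd' via nss_ldap enumerates posixAccount entries, while Samba's own lookup applies the smb.conf filter above, so a machine entry with only sambaAccount stays out of the passwd listing but still matches Samba's filter. The directory content is constructed, and it assumes nss_ldap lists every posixAccount under its base and that Samba substitutes the account name for %u.

```python
# Added example, not from the thread: which entries NSS would enumerate
# versus which ones Samba's smb.conf ldap filter would match.  Assumes
# nss_ldap lists every posixAccount under its base for 'getent passwd'
# and that Samba substitutes the account name for %u.
SMB_LDAP_FILTER = "(&(uid=%u)(objectclass=sambaAccount))"  # from smb.conf

# Constructed sample directory (not real data from the post).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=skole,dc=skolelinux,dc=no
objectClass: posixAccount
objectClass: sambaAccount
uid: alice

dn: uid=pc01$,ou=Machines,dc=skole,dc=skolelinux,dc=no
objectClass: posixAccount
objectClass: sambaAccount
uid: pc01$

dn: uid=pc02$,ou=Machines,dc=skole,dc=skolelinux,dc=no
objectClass: sambaAccount
uid: pc02$
"""

def parse_ldif(text):
    """Minimal LDIF parser (no folding, no base64): list of dicts that map
    lowercased attribute names to value lists."""
    entries, current = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def nss_passwd_uids(entries):
    """Accounts 'getent passwd' would show: every posixAccount entry."""
    return [e["uid"][0] for e in entries
            if "posixaccount" in [v.lower() for v in e.get("objectclass", [])]]

def samba_filter_matches(entries, account):
    """DNs matching the smb.conf filter with %u replaced by the account.
    Supports only the (&(attr=value)(attr=value)) shape used above."""
    inner = SMB_LDAP_FILTER.replace("%u", account)[2:-1]   # drop "(&" and ")"
    clauses = [c.partition("=") for c in inner.strip("()").split(")(")]
    hits = []
    for e in entries:
        if all(want.lower() in [v.lower() for v in e.get(attr.lower(), [])]
               for attr, _, want in clauses):
            hits.append(e["dn"][0])
    return hits
```

Running it shows pc02$ is absent from the NSS listing yet still found by Samba's filter, which is the situation the question above is about.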


