
Re: Samba, ldap and adding machine accounts.



[Finn-Arne Johansen]
> Well, it seems like samba needs both posixAccount _and_ sambaAccount

Hm.  Stupid samba. :(

> Only for those who know how to use getent passwd. 

'getent passwd' is just a convenient way to list the users recognized
by the system.  All programs handling or displaying users info (like
finger, ls, kdm, whatnot) would display deleted users and machines.
Showing deleted users as valid users is not acceptable.

>> Could it use a different object class, without these attributes?
>> Which attributes does it need the object to have?
>
> It needs to be a posixAccount and sambaAccount. 
> And the "may of posixAccount"

I get a parse error on the last sentence.

> The password for the client is generated on the client, it seems. The
> password is generated when you join the machine to the domain, and
> stored on the client. 

OK.

> No . It needs to be an posixAccount. And it needs to be listed when
> one takes an "getent passwd"

Gah.  Stupid samba.

>> Would it be enough for the windows user trying to add a machine to the
>> domain to be member of a group with write access to the Machine
>> subtree?
>
> Well, no. 

Hm, sad.

I suggest moving the Machines subtree below the People subtree.  This
will make the machines show up as normal users, but hopefully with
locked down accounts so no-one can use them.  Also, this would avoid
changing the configuration of existing rc2 installation, and avoid
showing deleted users as valid users.

We need to find a solution where the LDAP server can be moved to a
separate machine under administration of a separate entity (think
central administration of several schools), and because of this make
sure the file servers do not need write access to the LDAP server.

I believe this solution would make this possible.  If one wants to move
the LDAP server to a separate machine, one would need to move the SMB
domain controller (samba with special config) to the same machine,
while leaving the SMB file server (samba with more generic config) on
the main-server.

Would this patch do it?  It is untested.

Index: etc/samba/smb-debian-edu.conf
===================================================================
RCS file: /cvsroot/debian-edu/src/debian-edu-config/etc/samba/smb-debian-edu.conf,v
retrieving revision 1.3
diff -u -3 -p -u -r1.3 smb-debian-edu.conf
--- etc/samba/smb-debian-edu.conf       10 May 2004 12:38:48 -0000      1.3
+++ etc/samba/smb-debian-edu.conf       17 May 2004 13:14:08 -0000
@@ -32,7 +32,7 @@
    passdb backend = ldapsam:ldaps://ldap
    ldap suffix = dc=skole,dc=skolelinux,dc=no
    ldap user suffix = ou=People
-   ldap machine suffix = ou=Machines
+   ldap machine suffix = ou=Machines,ou=People
    ldap admin dn = "cn=smbadmin,ou=People,dc=skole,dc=skolelinux,dc=no"
    ldap filter = (&(uid=%u)(objectclass=sambaAccount))
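Review bot: the new `ldap machine suffix = ou=Machines,ou=People` changes the DN under which samba looks for (and creates) machine accounts, so any machine accounts an existing installation already created under `ou=Machines,dc=skole,dc=skolelinux,dc=no` will no longer be found after this hunk is deployed; the patch should ship with a migration step (modrdn of the existing entries to the new parent, or a note that domain members must be rejoined) rather than only the config change. It would also be worth stating in the commit message that `cn=smbadmin,ou=People,...` on the `ldap admin dn` line must still have write access to the new subtree, since the subtree now sits inside `ou=People` and any ACL scoped to the old `ou=Machines` location will not cover it.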

Index: ldap-bootstrap/root.ldif
===================================================================
RCS file: /cvsroot/debian-edu/src/debian-edu-config/ldap-bootstrap/root.ldif,v
retrieving revision 1.12
diff -u -3 -p -u -r1.12 root.ldif
--- ldap-bootstrap/root.ldif    17 May 2004 13:06:48 -0000      1.12
+++ ldap-bootstrap/root.ldif    17 May 2004 13:14:08 -0000
@@ -10,7 +10,7 @@ objectClass: top
 objectClass: organizationalUnit
 ou: Attic

-dn: ou=Machines,dc=skole,dc=skolelinux,dc=no
+dn: ou=Machines,ou=People,dc=skole,dc=skolelinux,dc=no
 objectClass: top
 objectClass: organizationalUnit
 ou: Machines
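Review bot: the renamed entry `dn: ou=Machines,ou=People,dc=skole,dc=skolelinux,dc=no` now has `ou=People` as its parent, and an LDIF add fails if the parent does not exist yet; the hunk only shows the entry following `ou: Attic`, so please confirm the `ou=People` entry is defined earlier in root.ldif than this one, or move this block below it. Since this file is the bootstrap for new installations only, it would also help to document (here or in the config commit) how servers bootstrapped from revision 1.12 are expected to get the new container.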
