Re: Samba, ldap and adding machine accounts.
On Mon, May 17, 2004 at 10:19:25PM +0200, Petter Reinholdtsen wrote:
>
> Anyone know samba details enough to give some answers to my questions?
> I discussed this briefly on IRC, and I discovered that I am still
> wondering how samba and Windows work. Anyone got clues to spare?
>
> If we move the Machines LDAP tree as a subtree of People, would it be
> enough to give samba write access to the Machines tree, or does it
> also need write access in People? I suspect it needs write access to
> People too, but would like to have it verified.
It needs write access to the samba* entries of the userAccounts.
> During what kind of operations does samba need write access to the LDAP
> tree? I'm aware of these operations. Are there others?
>
> - Adding a host to the SMB domain
> - Logging a user into a host in the SMB domain
You mean the last logged on entry?
> - Changing password of a user
> - Removing a host from the SMB domain
+ When creating a user.
wlus still uses smbpasswd to set up the samba part of the account.
> What attributes does it need to read and write to in LDAP and where in
> the LDAP tree does it need to read and write during these operations?
The attributes with the samba prefix.
> Can we block password changes from windows, or can we make password
> changes from windows update both the UNIX-hash and the windows hashes?
> I do not want users to end up with different passwords on Windows and
> UNIX.
Don't know. But we can, if we give samba access to it, make the unix
password change when a user changes the samba password.
If I get time, I will try to move the machines into the
ou=Machines,ou=People subtree.
Then I will try to create the needed samba-attributes (as root), and
only let samba update the ones it needs to update.
Then I will try to block password updates from samba.
--
Finn-Arne Johansen
faj@bzz.no
http://bzz.no/
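
The plan in the message above, sketched as OpenLDAP slapd.conf access rules. This is an added example, not part of the original message and not the project's configuration. Assumptions: the suffix dc=example,dc=org and the bind DN cn=samba,dc=example,dc=org are placeholders, and the list of attributes Samba is allowed to update is illustrative, since the thread does not settle it.

```conf
# Added example. Suffix and Samba bind DN are placeholders (assumptions).
# slapd checks "access to" clauses in order and stops at the first match,
# so the narrower ou=Machines rules come before the ou=People rules.

# 1. Machine account hashes: Samba may write them, nobody else may see them.
access to dn.subtree="ou=Machines,ou=People,dc=example,dc=org"
        attrs=sambaLMPassword,sambaNTPassword
    by dn.exact="cn=samba,dc=example,dc=org" write
    by * none

# 2. Rest of the machine subtree: Samba may add and remove host entries.
access to dn.subtree="ou=Machines,ou=People,dc=example,dc=org"
    by dn.exact="cn=samba,dc=example,dc=org" write
    by * read

# 3. User hashes: read-only for Samba, so it can still authenticate users
#    but a password change coming from Windows is refused by the directory.
access to dn.subtree="ou=People,dc=example,dc=org"
        attrs=sambaLMPassword,sambaNTPassword
    by dn.exact="cn=samba,dc=example,dc=org" read
    by * none

# 4. Samba bookkeeping on user entries (attribute list is an assumption).
access to dn.subtree="ou=People,dc=example,dc=org"
        attrs=sambaAcctFlags,sambaLogonTime,sambaLogoffTime,sambaBadPasswordCount,sambaBadPasswordTime
    by dn.exact="cn=samba,dc=example,dc=org" write
    by * read

# 5. UNIX hash: Samba gets no access at all; users bind and change their own.
access to dn.subtree="ou=People,dc=example,dc=org"
        attrs=userPassword
    by self write
    by anonymous auth
    by * none

# 6. Everything else under ou=People: readable, writable only by the rootdn
#    (the rootdn bypasses these rules).
access to dn.subtree="ou=People,dc=example,dc=org"
    by * read
```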