
Re: [Samba] Unable to add machine accounts


Chris St. Pierre

Mar 30, 2009, 12:53:15 PM
Anyone have any ideas on this? (Really, any ideas at all are
welcome.) Thanks.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

On Fri, 27 Mar 2009, Chris St. Pierre wrote:

> I have the exact same problem as this guy:
>
> http://lists.samba.org/archive/samba/2006-September/125699.html
>
> He describes it much better and in much more detail than I could, so
> I'll let him speak for me.
>
> Unfortunately, I don't have the same solution. nss_ldap is configured
> properly, and things like 'getent passwd' and 'id machine-acct$' show
> the machine accounts as expected:
>
> % getent passwd | grep stpierre
> stpierre:x:2273:4000:Christopher St Pierre:/home/faculty/stpierre:/bin/zsh
> stpierre-pc$:*:1944:1000:Computer:/dev/null:/bin/false
> % id stpierre-pc$
> uid=1944(stpierre-pc$) gid=1000 groups=1000
>
> Unfortunately, "fix nss_ldap" is about the only suggestion I could
> find on this problem on Google. Any other suggestions? Thanks!
>
> I'm running samba 3.0.33 on RHEL 5. /etc/ldap.conf (nss_ldap.conf on
> other distros):
>
> uri ldap://ldap.nebrwesleyan.edu
> base o=NebrWesleyan.edu,o=isp
> timelimit 30
> bind_timelimit 30
> bind_policy soft
> nss_initgroups_ignoreusers root,ldap
> ssl start_tls
> tls_checkpeer no
>
> The [global] section of smb.conf:
>
> [global]
> server string = Huxley
> workgroup = NWU_HUXLEY
> netbios name = Huxley
>
> log level = 1
> log file = /var/log/samba/%U.%m.log
> max log size = 102400
>
> add machine script = /usr/sbin/smbldap-useradd -t 10 -w '%m'
>
> bind interfaces only = true
> interfaces = 10.1.1.44
>
> logon path =
> logon home =
> logon drive =
>
> socket options = TCP_NODELAY SO_RCVBUF=65536 SO_SNDBUF=65536 SO_KEEPALIVE
> max smbd processes = 0
>
> encrypt passwords = yes
> domain logons = yes
> domain master = yes
> local master = yes
> preferred master = yes
> security = user
> os level = 33
> wins server = 10.9.1.12
> admin users = +ntadmin
>
> passdb backend = ldapsam:ldap://ldap.nebrwesleyan.edu
> ldap suffix = o=nebrwesleyan.edu,o=isp
> ldap machine suffix = ou=People
> ldap user suffix = ou=People
> ldap group suffix = ou=Groups
> ldap admin dn = cn=directory manager
> ldap ssl = off
>
> idmap uid = 10000-20000
> idmap gid = 10000-20000
>
> blocking locks = no
> unix extensions = no
> include = /etc/samba/%U.inc
>
> Chris St. Pierre
> Unix Systems Administrator
> Nebraska Wesleyan University
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: https://lists.samba.org/mailman/options/samba
>

Chris St. Pierre

Mar 30, 2009, 1:53:33 PM
On Mon, 30 Mar 2009, John Drescher wrote:

> I have had this on and off. I just end up adding machine accounts via
> LAM (LDAP Account Manager)
>
> http://lam.sourceforge.net/
>
> and don't waste time on figuring out the cause.
>
> Now I actually consider this a good thing since only I can add machine
> accounts regardless of what users have the rights..

That's exactly the situation I'm trying to avoid. :)

I can run smbldap-useradd manually and it works fine, but that means
that everyone has to go through me whenever they want to add a machine
to the domain, which is a waste of time IMO.

John Drescher

Mar 30, 2009, 2:25:21 PM
On Mon, Mar 30, 2009 at 12:51 PM, Chris St. Pierre
<stpi...@nebrwesleyan.edu> wrote:
> Anyone have any ideas on this? (Really, any ideas at all are
> welcome.) Thanks.
>

I have had this on and off. I just end up adding machine accounts via
LAM (LDAP Account Manager)

http://lam.sourceforge.net/

and don't waste time on figuring out the cause.

Now I actually consider this a good thing since only I can add machine
accounts regardless of what users have the rights..


John

LiPi -

Mar 30, 2009, 3:14:36 PM
I had the same problem 2 weeks ago, and it is really brain-cracking.
http://www.mail-archive.com/sa...@lists.samba.org/msg99586.html

I solved it using the smbldap-configure.pl script and doing an smbldap-populate
as explained in the Ubuntu 8.10 documentation.

Don't ask me why, but it seems that smbldap wasn't working properly with a
hand-made configuration. I read for about 2 weeks and a lot of manuals and
howtos; I recommend you do the same: smbldap-configure.

I also use LAM, and adding machines by hand worked perfectly. I think that
there was a problem with pdbedit and smbldap-tools authentication. pdbedit is
what adds the Samba attributes to machine accounts once they are created, and
it's called, I think, by smbldap. Take a look at your logs if you want, but
smbldap-configure is the easiest and fastest solution.



John Drescher

Mar 30, 2009, 3:22:07 PM
> I solved it using the smbldap-configure.pl script and doing an smbldap-populate
> as explained in the Ubuntu 8.10 documentation.
>
> Don't ask me why, but it seems that smbldap wasn't working properly with a
> hand-made configuration. I read for about 2 weeks and a lot of manuals and
> howtos; I recommend you do the same: smbldap-configure.
>
Is that destructive to an existing setup? I have been using samba and
openldap for around 5 years.

John

Chris St. Pierre

Mar 30, 2009, 3:58:08 PM
On Mon, 30 Mar 2009, John Drescher wrote:

> Is that destructive to an existing setup? I have been using samba and
> openldap for around 5 years.

Looks that way. I've also been using Samba + LDAP for about 5 years,
and have 8000 users and 1000 machine accounts I'd kinda like to keep
around.

It also assumes that your Samba box is your OpenLDAP box. I have two
of the former and four of the latter, none of which share hardware.
Not that that would matter for me anyway, since that script assumes
you use OpenLDAP, and I use Fedora DS. These are just the problems I
found in about a 60-second perusal of the script.

In other words, it looks fine if you're trying to get your shiny new
Samba + LDAP setup working on your home server, but it's not exactly
what I'd call enterprise quality software.

That said, I figured out the problem -- kind of: nscd. As far as I
can tell, what happens is:

1. In the process of creating a trust account, Samba checks to see if
the account already exists. nscd caches a negative answer.

2. The account is created.

3. Samba again checks for the account, but gets nscd's cached
negative reply.

Not using nscd isn't really a good option for us.

I tried reducing the nscd negative TTL so it was below the -t (wait)
argument to smbldap-useradd, but that didn't appear to work.

My other option is to wrap smbldap-useradd in a script that
invalidates the entire nscd cache, but that's also not a very good
option, since it torches the entire cache, not just the entry that
needs to be invalidated. Admittedly, we don't add machine accounts
that often, but it's not really my favorite solution.

I'm sure other people must be running Samba + nscd. What other
solutions are there to this problem?

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University


LiPi -

Mar 30, 2009, 4:25:21 PM
I wasn't using nscd and I got the same error.

Don't know if it's destructive, first do it in a testing machine.


John Drescher

Mar 30, 2009, 4:33:50 PM
On Mon, Mar 30, 2009 at 4:23 PM, LiPi - <lip...@gmail.com> wrote:
> I wasn't using nscd and I got the same error.
>
I am using nscd. File operations on servers that were not also ldap
servers were too slow without nscd even with a nearly 100% gigabit
network.

John

Jeremy Allison

Mar 30, 2009, 6:52:00 PM

The winbindd code uses nscd_flush_cache() calls to avoid this.
I'd be happy with a patch to the Samba + LDAP code to do the
same thing.

Jeremy.
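The wrapper Chris describes, written out as an added example that is not code from this thread or from the smbldap-tools project: it runs smbldap-useradd, then invalidates only nscd's passwd table rather than the whole cache, then waits a bounded time for the new account to resolve through NSS. It assumes nscd's "-i TABLE" flag is available and makes up its own ATTEMPTS tunable; an nscd_flush_cache() call inside Samba, as Jeremy suggests, would make a wrapper like this unnecessary.

```shell
#!/bin/sh
# Wrapper meant to replace the bare smbldap-useradd call behind Samba's
# "add machine script". It creates the trust account, invalidates only
# nscd's passwd table (not the whole cache) so Samba's second lookup does
# not hit the negative entry cached by its first check, then waits a
# bounded time for the account to become visible through NSS.
# Assumptions for this example: nscd's "-i TABLE" invalidation flag is
# available; the tunables below are made up and not from the thread.
set -u

SMBLDAP_USERADD=${SMBLDAP_USERADD:-/usr/sbin/smbldap-useradd}
ATTEMPTS=${ATTEMPTS:-10}   # one-second polls before giving up

# Drop nscd's cached passwd lookups. Non-fatal: nscd may not be running.
flush_passwd_cache() {
    nscd -i passwd 2>/dev/null || true
}

# Poll NSS (the same path Samba uses) until $1 resolves or the budget is
# spent. Returns 0 when visible, 2 when it never showed up.
wait_for_account() {
    n=0
    while [ "$n" -lt "$ATTEMPTS" ]; do
        if getent passwd "$1" >/dev/null 2>&1; then
            return 0
        fi
        n=$((n + 1))
        sleep 1
    done
    return 2
}

# Create the machine account named in $1. Trust accounts carry a trailing
# '$', so one is appended if the caller passed the bare machine name.
# Returns 0 on success, 1 if creation failed, 2 if never visible.
add_machine_account() {
    acct=$1
    case "$acct" in
        *\$) ;;
        *) acct="${acct}\$" ;;
    esac
    "$SMBLDAP_USERADD" -w "$acct" || return 1
    flush_passwd_cache
    wait_for_account "$acct"
}

if [ "$#" -gt 0 ]; then
    add_machine_account "$1"
fi
```

Point "add machine script" at this file with the machine name as its only argument; a non-zero exit is what Samba sees when the account never resolves, which is exactly the failure the thread is chasing.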
