Cannot create valid workstations in SAMBA domain with LDAPSMB

Hi everyone

I write this post because I’m completely lost

I configured a SAMBA server with LDAP backend, and I’m trying to use LDAPSMB for samba scripts.

I have problems with the add machine script. Before using LDAPSMB I had been successfully using the default add machine script:

add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$

After installing LDAPSMB, I first changed the add machine script to the following:

add machine script = /usr/sbin/ldapsmb -a --homedir /var/lib/nobody --shell /bin/false -wks %m$ --gid 515

Note: I use the following YouTube video as a guide https://www.youtube.com/watch?v= failed.



If I take out the --gid 515 option the result is the same except that the line that starts with _samb_create_user doesn't appear

I really don't know what's going on. And one thing that annoys me is that at minute 9:21 of the YouTube video you can see a navigation to the LDAP tree where the machine added appears with all the SAMBA attributes.

Can anyone help me with this?? I'm becoming crazy!!! :'(

I'm using opensuse 11.3 and LDAPSMB 1.34b that comes with the distro

Regards.

On Fri July 30 2010 07:36 am, santiago78 wrote:

>
> Hi everyone
>
> I write this post because I’m completely lost
>
> I configured a SAMBA server with LDAP backend, and I’m trying to use
> LDAPSMB for samba scripts.
>
> I have problems with the add machine script. Before using LDAPSMB I
> had been successfully using the default add machine script:
>
>
> Code:
> --------------------
> add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$
> --------------------
>
>
> After installing LDAPSMB, I first changed the add machine script to the
> following:
>
>
> Code:
> --------------------
> add machine script = /usr/sbin/ldapsmb -a --homedir /var/lib/nobody --shell /bin/false -wks %m$ --gid 515
> --------------------
>
>
> Note: I use the following YouTube video as a guide ‘YouTube -
> Enterprise Samba Management With ldapsmb’
> (http://www.youtube.com/watch?v=tM3cTKxqufs)
>
> With that usage of LDAPSMB the machine was added to the LDAP tree but
> it doesn’t join the domain. Comparing the machine entry created with
> LDAPSMB with the machine entries created with the default script, I
> found that the one created with LDAPSMB doesn’t have any SAMBA
> attributes, e.g. SambaSID
>
> I decided then to add the -s option to the LDAPSMB script at the end.
> When I tried to join the domain from the Windows workstation, Windows
> hangs looking for the domain, so I tried to execute the script at
> the bash command line like this
>
>
> Code:
> --------------------
> /usr/sbin/ldapsmb -a --homedir /var/lib/nobody --shell /bin/false -wks PUESTO-05$ --gid 515 -s
> --------------------
>
>
> and the result was
>
>
> Code:
> --------------------
> adding machine: [PUESTO-05$] (with uidNumber:1012)
> adding machine-account: [PUESTO-05$]
> useradd: Invalid account name ‘$’.
> _samr_create_user: Running command ‘/usr/sbin/ldapsmb -a --homedir /var/lib/nobody --shell /bin/false -wks $ --gid 515’ gave 255
> Failed to add entry for user PUESTO-05$.
> Creating samba account of machine [PUESTO-05$] failed.
> --------------------
>
>
> If I take out the --gid 515 option the result is the same except that
> the line that starts with _samb_create_user doesn’t appear
>
> I really don’t know what’s going on. And one thing that annoys me is
> that at minute 9:21 of the YouTube video you can see a navigation to the
> LDAP tree where the machine added appears with all the SAMBA
> attributes.
>
> Can anyone help me with this?? I’m becoming crazy!!! :’(
>
> I’m using opensuse 11.3 and LDAPSMB 1.34b that comes with the distro
>
> Regards.
>
>
santiago78;

Try using an add machine script something like:


add machine script = ldapsmb -a -s -wks "%u"

I think you need the -wks and, maybe, the -s option. See “man ldapsmb”

P. V.
“We’re all in this together, I’m pulling for you.” Red Green

I have the exact same problem:
/usr/sbin/ldapsmb -a -v --homedir /var/lib/nobody --shell /bin/false --gid 800 -wks MACHINE_NAME$ -s
Failed to add entry for user MACHINE_NAME$.
Creating samba account of machine [MACHINE_NAME$] failed.

Any solutions?
/Jakob

venzkep:

The option for workstation is -w not -wks. I’ve seen in many sites the use of -wks but the man page says -w

jakobjanot:

I gave up with LDAPSMB, I tried SMBLDAP-TOOLS and the result was the same as with LDAPSMB, when I tried to join the domain from a Windows workstation the machine is added to the LDAP directory BUT without Samba attributes, so it fails to join.

I also tried to use the add_machine.ycp that is located at /usr/share/YaST2/data like this in smb.conf

add machine script = /sbin/yast /usr/share/YaST2/data/add_machine.ycp %m$

with this the machine is added to the LDAP directory WITH Samba attributes… BUT… user Samba attributes, not workstation attributes so the machine fails to join the domain and if you retry the joining process in the Windows workstations it tells you that the account already exists and it fails again to join the domain.

The only successful way that I found (which I’m not 100% comfortable with) is to use the default machine script

add machine script = /usr/sbin/useradd -c Machine -d /var/lib/nobody -s /bin/false %m$

With this, the machine is added to the LDAP directory with Samba workstation attributes and the joining process is successful. The only thing I don’t like, and the reason I’m not 100% comfortable with this solution, is that the machine is also added to the local Linux users, even if you set up the LDAP client so that all Linux users are stored in the LDAP directory.

Notice that without the possibility to use LDAPSMB or SMBLDAP-TOOLS, all the user and group management for the domain has to be done in openSUSE; otherwise, with the scripts working, this can be done from any Windows machine with the necessary software.

The only thing I cannot understand is why the guy at https://www.youtube.com/watch?v=tM3cTKxqufs could use LDAPSMB and get the machine added to the LDAP directory with workstation attributes.

If anyone out there got a successful result with this, please post how it was achieved.

Regards
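
The three outcomes described in the post above (no Samba attributes, user attributes, workstation attributes) can be told apart from the LDAP entry itself. The following is an added example, not part of the original thread: a function that reads one LDIF entry on stdin and reports which case it is. It assumes the standard Samba LDAP schema (objectClass sambaSamAccount, sambaSID, and sambaAcctFlags with W marking a workstation trust account); the function names, the DN and the SID are constructed.

```shell
#!/bin/sh
# Added example: classify one LDIF entry read on stdin as
#   workstation | user | incomplete | no-samba
# Assumes the standard Samba LDAP schema; names compared case-insensitively.
classify_samba_entry() {
    awk '
    # LDIF folds long values: a continuation line starts with one space.
    /^ / { if (n) line[n] = line[n] substr($0, 2); next }
    { line[++n] = $0 }
    END {
        for (i = 1; i <= n; i++) {
            sep = index(line[i], ":")
            if (sep == 0) continue
            attr = tolower(substr(line[i], 1, sep - 1))
            val = substr(line[i], sep + 1)
            sub(/^[ \t]+/, "", val)
            if (attr == "objectclass" && tolower(val) == "sambasamaccount") oc = 1
            if (attr == "sambasid" && val != "") sid = 1
            if (attr == "sambaacctflags") flags = val
        }
        if (!oc) { print "no-samba"; exit }
        if (!sid || flags == "") { print "incomplete"; exit }
        # Flags look like [W          ]; W marks a workstation trust account.
        if (index(flags, "W"))
            print "workstation"
        else
            print "user"
    }'
}

# Constructed sample entry: POSIX data as in the thread output, plus
# Samba attributes when an account-flags string is passed as $1.
sample_entry() {
    printf '%s\n' 'dn: uid=PUESTO-05$,ou=Machines,dc=example,dc=com' \
        'objectClass: posixAccount' 'uid: PUESTO-05$' 'uidNumber: 1012'
    [ -z "$1" ] || printf '%s\n' 'objectClass: sambaSamAccount' \
        'sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3024' \
        "sambaAcctFlags: $1"
}

# Demo over the three cases from the post.
for f in "" "[U          ]" "[W          ]"; do
    sample_entry "$f" | classify_samba_entry
done
```

Against a live directory the input would be a single entry from `ldapsearch -x -LLL` with the site's own base DN and a filter on the machine's uid.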

On Tue August 17 2010 06:36 am, santiago78 wrote:

>
> venzkep:
>
> The option for workstation is -w not -wks. I’ve seen in many sites the
> use of -wks but the man page says -w
>

>
> Regards
>
>
santiago78;

That’s curious, like you I had thought it was -w; but when I read man ldapsmb
(OpenSuse 11.2) I see:


NAME
ldapsmb - LDAP-Managment-Tool for a Samba Domain Controller

SYNOPSIS
ldapsmb [options]

Main Options:
--add|-a                                Add something
--config                                Show configuration
--delete|-d                             Delete something
--group|-g <groupname>                  Set Group-Name
--help|-h|?                             Display help
--init|-i                               Initialize LDAP
--join|-j                               Join a user to a group
--list|-l                               List Something
--modify|-m                             Modify something
--remove|-r                             Remove a user from a group
--smbacct|-s                            Promote to samba-Account
--user|-u <username>                    Set User-Name
--workstation|-wks <workstationname>    Set Workstation-Name



P. V.
“We’re all in this together, I’m pulling for you.” Red Green

On Tue August 17 2010 05:24 pm, PV wrote:

> On Tue August 17 2010 06:36 am, santiago78 wrote:
>
>>
>> venzkep:
>>
>> The option for workstation is -w not -wks. I’ve seen in many sites the
>> use of -wks but the man page says -w
>>
>
>>
>> Regards
>>
>>
> santiago78;
>
> That’s curious, like you I had thought it was -w; but when I read man ldapsmb
> (OpenSuse 11.2) I see:
>


> NAME
>        ldapsmb - LDAP-Managment-Tool for a Samba Domain Controller
>
> SYNOPSIS
>        <snip>
>        --workstation|-wks <workstationname>    Set Workstation-Name
>
> 

Added note: The smbldap-tools from IDEALX does use -w with “smbldap-useradd”

P. V.
“We’re all in this together, I’m pulling for you.” Red Green

Try this one, hope this helps you…

https://www.youtube.com/watch?v=LdLwuIrW1jw