[KLUG Members] Help for upgrade to Samba 3.0.1 (LDAPSAM) fm 2.2.8a anybody?

Adam Williams members@kalamazoolinux.org
Sat, 24 Jan 2004 22:57:16 -0500


> Here is an ideological problem.  Adam, you say that the sambaSamAccount
> objectclass is added to a machine account when that machine joins the
> domain, right?
> OK, here is the problem:
> In previous versions of Samba, the machine account was added by the "add
> user script" attribute in smb.conf.

And this script couldn't be used to add "normal" users (in 2.2.x).  This
was previously just a hack to automate joining the domain.

>   In this version it is added by the
> "add machine script" attribute but it is still essentially the same,
> right?

More or less, yes.  Normal user accounts quite possibly have a lot more
information (i.e. more objectclasses) than a machine account might.

> Does the samba server have other means for adding/editing machine
> accounts other than this script?  

No, the Samba server does not create user objects in LDAP,  nor does it
ever remove them (this might not be true for idMap stuff).  This is left
up to the scripts, and thus the administrator (the real CIS guy, not
"Administrator" in the CIFS sense).

> This *is* the same script I would use
> to add a machine from the command line.  It doesn't seem very efficient
> to edit the machine account twice

Well, you've got two steps.  The script must create the posixAccount
object with a unique uidNumber, valid gidNumber, etc...  Samba can't
possibly have a clue as to how to go about doing this.  The sequence for
getting a uidNumber, etc... is all quite site specific.  This
posixAccount must exist before a domain operation can succeed (there
always has to be a valid POSIX security context).

So Samba performs a feint or sleight of hand;  Oh, he wants to join the
domain?  Quick call this script - and a posixAccount object appears! 
Now proceed with the domain join operation as if nothing special just
happened.  Is it "efficient"?  No.  But neither is the method by which
humans reproduce - still seems to have worked out pretty well. 
Sometimes a kludge is the most 'effective' solution in an environment of
kludges (and Oh man of man is CIFS/SMB one @*$(%#-up **KLUDGE**).

>  and samba can't seem to find it at all
> if the script does not also add the sambaSamAccount objectclass.

Hm?  Not sure what you mean.   The exact opposite is true - at least
here.  If the object already exists with a sambaSamAccount objectclass
the join operation fails;  it requires a bare posixAccount object.
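Added example (not from the post above, nor Samba's own code): a minimal
"add machine script" for a Samba 3.0 LDAP backend that does exactly what the
reply describes - it creates the bare posixAccount object with a unique
uidNumber and valid gidNumber, and deliberately does NOT add the
sambaSamAccount objectclass, since Samba adds that itself during the join.
The base DN, bind DN, secret file, uid range and gidNumber 515 are assumed
placeholders; the uidNumber allocation is the "site specific" part and is
kept simple here.  Samba would call it as
`add machine script = /usr/local/sbin/add-machine.sh %u`.

```sh
#!/bin/sh
# add-machine.sh - create a bare posixAccount for a machine account (example,
# not Samba's code). Samba passes the account name (ending in "$") as %u.
# All DNs, paths and the uid range below are assumptions for this example.

LDAP_BASE="${LDAP_BASE:-ou=Computers,dc=example,dc=com}"   # assumed
LDAP_BIND="${LDAP_BIND:-cn=admin,dc=example,dc=com}"        # assumed
LDAP_SECRET="${LDAP_SECRET:-/etc/samba/ldap.secret}"        # assumed
MACHINE_GID="${MACHINE_GID:-515}"   # assumed gidNumber of a "machines" group
UID_MIN=20000                       # assumed site-specific uid range
UID_MAX=29999

# next_uid: read existing uidNumbers (one per line) on stdin and print the
# next free one above the highest in use inside [UID_MIN, UID_MAX].
next_uid() {
    awk -v min="$UID_MIN" -v max="$UID_MAX" '
        BEGIN { top = min - 1 }
        /^[0-9]+$/ && $1 >= min && $1 <= max && $1 > top { top = $1 }
        END {
            if (top + 1 > max) { print "uid range exhausted" > "/dev/stderr"; exit 1 }
            print top + 1
        }'
}

# machine_ldif NAME UIDNUMBER: print the LDIF for a bare posixAccount.
# Only posixAccount (plus the structural "account" class) is set; the
# sambaSamAccount objectclass is left for Samba to add during the join.
machine_ldif() {
    name=$1; uidnum=$2
    case $name in
        *'$') ;;   # machine accounts always carry the trailing "$"
        *) echo "machine_ldif: '$name' is not a machine account name" >&2; return 1 ;;
    esac
    cat <<EOF
dn: uid=$name,$LDAP_BASE
objectClass: top
objectClass: account
objectClass: posixAccount
uid: $name
cn: $name
uidNumber: $uidnum
gidNumber: $MACHINE_GID
homeDirectory: /dev/null
loginShell: /bin/false
description: Machine Account
EOF
}

# add_machine NAME: collect uidNumbers in use, allocate one, add the object.
# With DRY_RUN=1 the LDIF is printed instead of being sent to ldapadd, and
# EXISTING_UIDS (newline separated) stands in for the directory lookup.
add_machine() {
    name=$1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        uidnum=$(printf '%s\n' "${EXISTING_UIDS:-}" | next_uid) || return 1
        machine_ldif "$name" "$uidnum"
    else
        uidnum=$(ldapsearch -x -LLL -b "$LDAP_BASE" '(objectClass=posixAccount)' uidNumber \
                 | sed -n 's/^uidNumber: //p' | next_uid) || return 1
        machine_ldif "$name" "$uidnum" | ldapadd -x -D "$LDAP_BIND" -y "$LDAP_SECRET"
    fi
}

# Only act when invoked with a machine name, e.g. from Samba's add machine script.
if [ "$#" -gt 0 ]; then add_machine "$@"; fi
```

Try it with `DRY_RUN=1 EXISTING_UIDS='20000
20001' ./add-machine.sh 'pc01$'` to see the LDIF that would be added.  The
script refuses names without the trailing "$" so an ordinary user name can
never be turned into a machine account by mistake, and the awk step fails
loudly when the assumed uid range is exhausted instead of handing Samba a
bogus uidNumber.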