
Thread: Zimbra Samba ext - no machine accounts

  1. #1
    Join Date
    May 2007
    Posts
    8
    Rep Power
    8

    Zimbra Samba ext - no machine accounts

    I've been following the http://wiki.zimbra.com/index.php?tit...imbra_Admin_UI howto and got it all working except joining machines to the domain. I have granted 'SeAddUsersPrivilege SeMachineAccountPrivilege' to the 'Domain Admins' group, but when joining a machine to the domain with a user in the 'Domain Admins' group I can see from the slapd log that it searches for the machine account but it's not there, so the join fails. How should this machine account be created? Frankly I'm a bit confused, as the howto's smb.conf has the following line:
    'add machine script = /usr/sbin/adduser --shell /bin/false --disabled-password --quiet --gecos "machine account" --force-badname %u' - this is for adding the machine account into the local passwd, not LDAP, right? So how should the machine account get created at all?

    I tried manually 'smbpasswd -a -m machinename', but that gives an error too, as it searches LDAP for an already existing machinename to change the password. Strange that it doesn't add anything before doing the search.

    Adding a Zimbra user as a Samba Workstation Trust account will put it under ou=people, not ou=machines, so that won't do either.

    Am I missing something here?
    Last edited by mainframe; 05-09-2007 at 04:06 AM. Reason: corrected typo

  2. #2
    Join Date
    May 2007
    Posts
    8
    Rep Power
    8

    Issue solved...

    As the official howto was written using an Ubuntu setup and I used CentOS 5 instead, it turned out that the smb.conf 'add machine script' value has to be a bit different on RHEL systems for it to work. Changing this line worked for me:

    add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u

    Also, I believe the 'add user script' has to be changed as well for it to work.

  3. #3
    Join Date
    Feb 2006
    Posts
    92
    Rep Power
    9


    mainframe,
    I did not try adding a machine yet, but I do have a question:
    when you add a machine from the Windows client, is this machine account created in the Zimbra LDAP or in the CentOS 5 /etc/passwd file?

    thanks
    Patricio Bruna
    http://www.itlinux.cl

  4. #4
    Join Date
    May 2007
    Posts
    8
    Rep Power
    8


    Quote Originally Posted by pbruna View Post
    mainframe,
    I did not try adding a machine yet, but I do have a question:
    when you add a machine from the Windows client, is this machine account created in the Zimbra LDAP or in the CentOS 5 /etc/passwd file?

    thanks
    It does both, actually - I can see machine entries in /etc/passwd and in Zimbra LDAP afterwards. I think only the LDAP part is really needed in our case, but it adds the local stuff as well - must be a useradd 'feature' to do it like that.

  5. #5
    Join Date
    Jul 2007
    Posts
    98
    Rep Power
    8


    Hello Mainframe,
    Thank you for the sharing. I think that is the script I need for my Opensuse too. I will try it tonight.

  6. #6
    Join Date
    Nov 2009
    Posts
    11
    Rep Power
    5


    Hi to all.
    I think that adding machine accounts via the useradd command is not OK. If your Samba is on an HA cluster like Sun Cluster or RHCS, then accounts will be added to /etc/passwd only. This might be OK for a Samba PDC that runs on a single server node, but generally I don't want to pollute the system that way.

    Machine accounts should be added to LDAP via smbldap-tools. The problem is I can't find information on the internet on how to set it up to work with Zimbra LDAP. I get the following error:
    Code:
    [root@node02 ~]# smbldap-useradd -w terminal3$
    Could not find base dn, to get next uidNumber at /usr/lib/perl5/vendor_perl/5.8.8/smbldap_tools.pm line 1073.
    I'm on CentOS 5. Here is my smbldap.conf:
    Code:
    [root@node02 ~]# cat /etc/smbldap-tools/smbldap.conf
    ##############################################################################
    #
    # General Configuration
    #
    ##############################################################################
    
    # Put your own SID. To obtain this number do: "net getlocalsid".
    # If not defined, parameter is taking from "net getlocalsid" return
    SID=S-1-5-21-94915242-3187215094-145361964
    
    # Domain name the Samba server is in charged.
    # If not defined, parameter is taking from smb.conf configuration file
    # Ex: sambaDomain="IDEALX-NT"
    sambaDomain="MYDOMAIN"
    
    ##############################################################################
    #
    # LDAP Configuration
    #
    ##############################################################################
    
    # Notes: to use to dual ldap servers backend for Samba, you must patch
    # Samba with the dual-head patch from IDEALX. If not using this patch
    # just use the same server for slaveLDAP and masterLDAP.
    # Those two servers declarations can also be used when you have 
    # . one master LDAP server where all writing operations must be done
    # . one slave LDAP server where all reading operations must be done
    #   (typically a replication directory)
    
    # Slave LDAP server
    # Ex: slaveLDAP=127.0.0.1
    # If not defined, parameter is set to "127.0.0.1"
    slaveLDAP="192.168.1.186"
    
    # Slave LDAP port
    # If not defined, parameter is set to "389"
    slavePort="389"
    
    # Master LDAP server: needed for write operations
    # Ex: masterLDAP=127.0.0.1
    # If not defined, parameter is set to "127.0.0.1"
    masterLDAP="192.168.1.186"
    
    # Master LDAP port
    # If not defined, parameter is set to "389"
    masterPort="389"
    
    # Use TLS for LDAP
    # If set to 1, this option will use start_tls for connection
    # (you should also used the port 389)
    # If not defined, parameter is set to "1"
    ldapTLS="0"
    
    # How to verify the server's certificate (none, optional or require)
    # see "man Net::LDAP" in start_tls section for more details
    verify="require"
    
    # CA certificate
    # see "man Net::LDAP" in start_tls section for more details
    cafile="/etc/pki/tls/certs/ldapserverca.pem"
    
    # certificate to use to connect to the ldap server
    # see "man Net::LDAP" in start_tls section for more details
    clientcert="/etc/pki/tls/certs/ldapclient.pem"
    
    # key certificate to use to connect to the ldap server
    # see "man Net::LDAP" in start_tls section for more details
    clientkey="/etc/pki/tls/certs/ldapclientkey.pem"
    
    # LDAP Suffix
    # Ex: suffix=dc=IDEALX,dc=ORG
    suffix="dc=company,dc=com"
    
    # Where are stored Users
    # Ex: usersdn="ou=Users,dc=IDEALX,dc=ORG"
    # Warning: if 'suffix' is not set here, you must set the full dn for usersdn
    usersdn="ou=people,dc=zimbra,${suffix}"
    
    # Where are stored Computers
    # Ex: computersdn="ou=Computers,dc=IDEALX,dc=ORG"
    # Warning: if 'suffix' is not set here, you must set the full dn for computersdn
    computersdn="ou=machines,${suffix}"
    
    # Where are stored Groups
    # Ex: groupsdn="ou=Groups,dc=IDEALX,dc=ORG"
    # Warning: if 'suffix' is not set here, you must set the full dn for groupsdn
    groupsdn="ou=group,${suffix}"
    
    # Where are stored Idmap entries (used if samba is a domain member server)
    # Ex: idmapdn="ou=Idmap,dc=IDEALX,dc=ORG"
    # Warning: if 'suffix' is not set here, you must set the full dn for idmapdn
    idmapdn="ou=Idmap,${suffix}"
    
    # Where to store next uidNumber and gidNumber available for new users and groups
    # If not defined, entries are stored in sambaDomainName object.
    # Ex: sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
    # Ex: sambaUnixIdPooldn="cn=NextFreeUnixId,${suffix}"
    sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
    
    # Default scope Used
    scope="sub"
    
    # Unix password encryption (CRYPT, MD5, SMD5, SSHA, SHA, CLEARTEXT)
    hash_encrypt="SSHA"
    
    # if hash_encrypt is set to CRYPT, you may set a salt format.
    # default is "%s", but many systems will generate MD5 hashed
    # passwords if you use "$1$%.8s". This parameter is optional!
    crypt_salt_format="%s"
    
    ##############################################################################
    # 
    # Unix Accounts Configuration
    # 
    ##############################################################################
    
    # Login defs
    # Default Login Shell
    # Ex: userLoginShell="/bin/bash"
    userLoginShell="/bin/bash"
    
    # Home directory
    # Ex: userHome="/home/%U"
    userHome="/home/%U"
    
    # Default mode used for user homeDirectory
    userHomeDirectoryMode="700"
    
    # Gecos
    userGecos="System User"
    
    # Default User (POSIX and Samba) GID
    defaultUserGid="513"
    
    # Default Computer (Samba) GID
    defaultComputerGid="515"
    
    # Skel dir
    skeletonDir="/etc/skel"
    
    # Default password validation time (time in days) Comment the next line if
    # you don't want password to be enable for defaultMaxPasswordAge days (be
    # careful to the sambaPwdMustChange attribute's value)
    defaultMaxPasswordAge="45"
    
    ##############################################################################
    #
    # SAMBA Configuration
    #
    ##############################################################################
    
    # The UNC path to home drives location (%U username substitution)
    # Just set it to a null string if you want to use the smb.conf 'logon home'
    # directive and/or disable roaming profiles
    # Ex: userSmbHome="\\PDC-SMB3\%U"
    userSmbHome="\\PDC\%U"
    
    # The UNC path to profiles locations (%U username substitution)
    # Just set it to a null string if you want to use the smb.conf 'logon path'
    # directive and/or disable roaming profiles
    # Ex: userProfile="\\PDC-SMB3\profiles\%U"
    userProfile="\\PDC\profiles\%U"
    
    # The default Home Drive Letter mapping
    # (will be automatically mapped at logon time if home directory exist)
    # Ex: userHomeDrive="H:"
    userHomeDrive="H:"
    
    # The default user netlogon script name (%U username substitution)
    # if not used, will be automatically username.cmd
    # make sure script file is edited under dos
    # Ex: userScript="startup.cmd" # make sure script file is edited under dos
    userScript="logon.bat"
    
    # Domain appended to the users "mail"-attribute
    # when smbldap-useradd -M is used
    # Ex: mailDomain="idealx.com"
    mailDomain="one2play.hr"
    
    ##############################################################################
    #
    # SMBLDAP-TOOLS Configuration (default are ok for a RedHat)
    #
    ##############################################################################
    
    # Allows not to use smbpasswd (if with_smbpasswd == 0 in smbldap_conf.pm) but
    # prefer Crypt::SmbHash library
    with_smbpasswd="0"
    smbpasswd="/usr/bin/smbpasswd"
    
    # Allows not to use slappasswd (if with_slappasswd == 0 in smbldap_conf.pm)
    # but prefer Crypt:: libraries
    with_slappasswd="0"
    slappasswd="/usr/sbin/slappasswd"
    
    # comment out the following line to get rid of the default banner
    # no_banner="1"
    So I guess either smbldap-tools has a bug or I failed in configuring it, although in that respect I can't see how...
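    As an added example (not code from the thread or from smbldap-tools), the script below resolves an smbldap.conf the way smbldap-tools expands ${var} references and shows which entry is consulted for the next free uidNumber and where a machine (trust) account lands. SAMPLE_CONF is a constructed excerpt modelled on the file posted above; the attribute set is an assumption modelled on the smbldap-useradd -w defaults.

```python
"""Added example: resolve smbldap.conf ${var} references and show where
smbldap-tools looks for the next uid and where a machine account is stored.
SAMPLE_CONF is constructed; attribute set assumed from smbldap-useradd -w."""
import re

SAMPLE_CONF = """
SID=S-1-5-21-94915242-3187215094-145361964
sambaDomain="MYDOMAIN"
suffix="dc=company,dc=com"
computersdn="ou=machines,${suffix}"
sambaUnixIdPooldn="sambaDomainName=${sambaDomain},${suffix}"
defaultComputerGid="515"
"""

def parse_smbldap_conf(text):
    """Parse key=value lines (quotes stripped) and expand ${name} references."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, val = line.partition("=")
        conf[key.strip()] = val.strip().strip('"')
    for _ in range(3):  # a few passes resolve references to references
        for key, val in conf.items():
            conf[key] = re.sub(r"\$\{(\w+)\}",
                               lambda m: conf.get(m.group(1), m.group(0)), val)
    return conf

def id_pool_dn(conf):
    """Entry read for the next uidNumber/gidNumber; it has to exist in the
    directory (objectClass sambaUnixIdPool) or the tools cannot allocate ids."""
    return conf["sambaUnixIdPooldn"]

def machine_account_entry(conf, name, uid_number):
    """Attributes of the trust account 'name$' under computersdn (assumed set)."""
    if not name.endswith("$"):
        name += "$"
    rid = 2 * uid_number + 1000   # smbldap-tools' default rid algorithm
    return {
        "dn": "uid=%s,%s" % (name, conf["computersdn"]),
        "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson",
                        "posixAccount", "sambaSamAccount"],
        "uid": name, "cn": name, "sn": name,
        "uidNumber": str(uid_number), "gidNumber": conf["defaultComputerGid"],
        "homeDirectory": "/dev/null", "loginShell": "/bin/false",
        "sambaSID": "%s-%d" % (conf["SID"], rid),
        "sambaAcctFlags": "[W          ]",   # W = workstation trust account
    }

if __name__ == "__main__":
    conf = parse_smbldap_conf(SAMPLE_CONF)
    print("next-id pool:", id_pool_dn(conf))
    for k, v in machine_account_entry(conf, "terminal3", 1001).items():
        print("%s: %s" % (k, v))
```

Checking that the printed pool DN actually exists in the Zimbra directory (ldapsearch with the Zimbra LDAP credentials) is the first thing to verify when smbldap-useradd reports it cannot find the base DN.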
