From: William A. <waa...@re...> - 2005-12-07 02:43:19
Craig White wrote:
> On Tue, 2005-12-06 at 19:43 -0500, William Arlofski wrote:
>
>>BTW, as always, I feel the need to thank you Jamie - and everyone who
>>has contributed - for Webmin and all associated modules.
>>
>>OK, Now that the buttering up is done with... :)
>>
>>Just kidding - The compliments are sincere.
>>
>>
>>
>>Recently, it has come to my attention that, at two of my clients running
>>Samba on Linux with Webmin as their "admin" interface they can no longer
>>add XP machines to their domains.
>>
>>Well, this is not entirely true... They are able to _ADD_ XP machines to
>>the domain the way they always have using Webmin's Users and Groups
>>module - and they are able to successfully _JOIN_ the machine to the
>>domain just like before.
>>
>>BUT, after the machine successfully joins the domain and gets the
>>"Welcome to the XYZ domain" message, they are not able to log onto the
>>domain and are told that the domain controller may not be available, or
>>that the machine may not exist in the domain.
>>
>>After doing some research I have found that when they create a machine
>>trust account as they always have in Webmin's Users and Groups module:
>>
>>- Create new user
>>- Username is the machine name with a $ appended to it: eg xpmachine$
>>- Password is irrelevant
>>- Home dir is not important so we use /home/machines/machinename$
>>
>>...I see that the user (machine) account is created fine in the
>>/etc/passwd file and the home directory is created, BUT on inspecting
>>Samba's smbpasswd file (yeah... I know... moving to LDAP soon) the
>>account's FLAGS are:
>>
>>[U ] ---> A User Account
>>
>>when they SHOULD be
>>
>>[W ] ---> A Workstation Trust Account
>>
>>
>>As I stated above, even with the User Account flag in the smbpasswd file
>>instead of a Workstation Trust Account flag, the XP machine successfully
>>JOINS the domain, but is unable to log in.
>>
>>
>>Further testing shows that if I add a machine trust account by using
>>these two simple commands at a shell prompt everything works fine:
>>
>># useradd -d /home/machines/xpmachine$ -s /bin/false -c "machine trust \
>>account via cmdline" -g machines -m xpmachine$
>>
>># smbpasswd -a -m xpmachine$
>>
>>The machine joins, and users are able to log into the domain. One thing
>>I noticed about this manually added user (machine trust account) though:
>>
>>In the Webmin Users and Groups module, the xpmachine$ account is
>>ITALICISED in the listing while all other users (created with webmin)
>>are normal text.
>>
>>Any thoughts, comments, questions? I'd LOVE to get this fixed so that
>>my clients are able to once again administer their own XP workstations
>>with Webmin.
>>
>
> ----
> man smb.conf ( presumption is samba > 3.0.0 )

Hi Craig... That machine is currently running 3.0.2a an oldie, but goodie.

> add machine
> Example: add machine script = /usr/sbin/adduser -n -g machines -c \
> Machine -d /dev/null -s /bin/false %u

Dammit! All the docs I have seen show "add user script = ...." Never
could get that to work 'on the fly'. Now I THINK I know why. :)

man smb.conf on that machine shows NO "add machine script"... But I
think I ALSO know why. The smb.conf.5 man pages for this install are
under /usr/local/samba/man/man5/smb.conf.5 (which DOES include the add
machine script info) so there must be a leftover smb.conf.5 manpage in
the manpath from a previous rpm install... Sigh...

> Why would you just use a script and add machines on the fly?

Because all previous attempts failed. :( That server is slated for an
upgrade (the whole thing, not just Samba - it is a RH 6.2 server) but it
is difficult trying to coordinate a "good time" (tm) with the client to
take their main server offline.

> Why would you use a real home directory for a user that clearly would
> never need one? (-d /dev/null)

Umm, because it really doesn't matter. Most times I used -d /dev/null -
Probably should have said that in my post as well.

Thanks for the quick reply. I'm going to implement the add MACHINE
script ASAP. I seriously can not believe that I missed that. I always
wondered how others were getting that to work with the "add USER script
= " that I saw posted all over the place.

Thanks again -
Bill Arlofski
Reverse Polarity
860-824-2433
email: waa...@re...
jabber: wa...@ja...
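
The flag mismatch described in this message can be checked for directly. The following is an added example, not part of the original post or of Webmin or Samba: it lists accounts in an smbpasswd-format file whose name ends in `$` but whose flags field has no `W`. It assumes the colon-separated layout from smbpasswd(5) (name, uid, LM hash, NT hash, flags, last change time); the function names and the sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an smbpasswd-format file for machine accounts
# (names ending in "$") that are missing the W (workstation trust) flag.
# Assumed record layout: name:uid:LM hash:NT hash:[flags]:LCT-...:

find_bad_machine_flags() {
    # $1 = path to an smbpasswd-format file
    # Prints "name [flags]" for every machine account without a W flag.
    awk -F: '
        /^[[:space:]]*#/ || NF < 5 { next }   # skip comments and short lines
        $1 ~ /\$$/ && $5 !~ /W/ {             # name ends in "$", flags lack W
            printf "%s %s\n", $1, $5
        }
    ' "$1"
}

make_sample() {
    # $1 = output path. Constructed sample data: the hash fields are
    # X placeholders, not real values, and the account names are made up.
    h=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    cat > "$1" <<EOF
# constructed sample smbpasswd file
alice:1001:$h:$h:[U          ]:LCT-00000000:
xpmachine\$:1002:$h:$h:[U          ]:LCT-00000000:
goodbox\$:1003:$h:$h:[W          ]:LCT-00000000:
EOF
}

# Stand-alone use: pass the path of the file to audit as the first argument.
if [ -n "${1:-}" ]; then
    find_bad_machine_flags "$1"
fi
```

An account reported here can be recreated as a workstation trust account with the `smbpasswd -a -m` command quoted in the message.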