Re: [Samba] add machine script not running
- Date: Fri, 17 Nov 2017 09:30:08 +0000
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
- Subject: Re: [Samba] add machine script not running
On Fri, 17 Nov 2017 09:03:25 +0100
Daniel Berteaud via samba <samba@xxxxxxxxxxxxxxx> wrote:
> Le 16/11/2017 à 19:30, Andrew Bartlett via samba a écrit :
> >> But unlike nss-ldap, sssd does provide some caching mechanism; that's
> >> why I think it's this part which breaks something.
> >> Switching to nss-ldap+pam-ldap instead of sssd makes everything
> >> work. I just don't understand why. How can this make samba
> >> ignore "add machine script" and instead try to create the entry
> >> directly?
> > This is executed when the posix account doesn't exist, so it
> > depends on the return value of getpwnam(), which in turn makes nss
> > calls.
> It's still not very clear to me. When the posix account does not
> exist, samba should call the "add machine script". But in my case,
> the account didn't exist, but instead of calling add machine
> script, samba tried to create the user directly in the LDAP tree, not
> through my custom script. It's this part that I don't understand.
I think the problem was that you were using sssd (which has
nothing to do with Samba). It is quite possible that this tried to
create the machine account and couldn't (did you read the sssd logs?).
It is also quite possible that sssd stopped smbd creating the machine
account, so when (possibly) sssd tried and failed, further code in
Samba realised the machine account didn't exist and tried to create it
and couldn't because of your ACLs.
nss-ldap is a much simpler program than sssd and probably doesn't have
any code to create anything, just read from ldap.
There have been a lot of questions on here asking about problems when
using sssd with Samba, most of which have been fixed by the simple means of
stopping using sssd.
The only place I would consider using sssd is on a DC and this only
because there is an open bug report about winbind not obtaining the
full rfc2307 attributes from AD. This hasn't been fixed yet because the
main devs are fixing other, more urgent, problems.
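The mechanism Andrew describes above (Samba runs "add machine script" only when getpwnam() on the machine account fails) can be reproduced outside smbd. The following is an added example, not code from the thread or from Samba: getent(1) stands in for getpwnam() and walks the same NSS chain (files, ldap, sss, ...), so whatever an sssd cache answers is exactly what smbd would see. The account names and the stand-in script are constructed for illustration; a real "add machine script" would call useradd(8) or ldapadd(1) where this one only prints.

```sh
#!/bin/sh
# Added example (not from the thread or from Samba): the decision smbd makes
# before running "add machine script". smb.conf would carry something like
#   add machine script = /usr/local/sbin/add-machine.sh %u
# and smbd calls getpwnam("%u") first; the script only runs when that fails.

# Return 0 (true) when NSS cannot resolve the account, i.e. when smbd would
# invoke "add machine script"; return 1 when a posix account already exists.
# getent(1) queries the same NSS modules as getpwnam(), including sss and its
# cache, which is why the answer differs between nss-ldap and sssd setups.
needs_add_machine_script() {
    if getent passwd "$1" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Stand-in for a custom "add machine script". It refuses anything that does
# not end in '$' (only machine accounts are expected here) and otherwise
# reports what it would create. Replace the echo with useradd/ldapadd in a
# real deployment.
add_machine_script() {
    case "$1" in
        *\$) ;;
        *) echo "refusing non-machine account: $1" >&2; return 2 ;;
    esac
    echo "would create posix account for $1"
    return 0
}

# What smbd does, in one step: look the account up, run the script only on
# a miss. If NSS answers (from LDAP, from a stale sssd cache, or because a
# previous attempt half-created the entry), the script is never called.
join_machine() {
    if needs_add_machine_script "$1"; then
        add_machine_script "$1"
    else
        echo "account $1 already resolvable via NSS; script not run"
    fi
}

# Example run with constructed names.
join_machine 'newhost$'
join_machine 'root'
```

When debugging a case like the one in this thread, run `getent passwd 'host$'` as the user smbd runs as, with sssd active and again with it stopped: if the two answers differ, the caching layer, not Samba's own code path, is what changed whether "add machine script" fires.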