[Samba] multiple domains/ ldap /smbldap_search function/pdbedit/

Marcin Giedz marcin.giedz at altvision.pl
Tue Jun 27 12:32:11 GMT 2006


Didier Roques wrote:
>> Didier Roques wrote:
>>     
>>> Hi all,
>>>
>>>       
>> Hello,
>>     
>>> I use samba 3.0.20
>>>
>>> the ldap parameters in the smb.conf are:
>>> passdb backend = ldapsam:ldap://localhost smbpasswd guest
>>> ldap suffix = dc=univ,dc=fr
>>> ldap machine suffix = ou=Hosts
>>> ldap user suffix = ou=People
>>> ldap group suffix = ou=Group
>>> ldap idmap suffix = ou=Idmap
>>>
>>> In my ldap tree I've got 3 samba domains defined
>>> some uids exist in 2 of the 3 domains
>>>
>>>       
>> I also have more than 3 domains in my LDAP ... but it works great!!!
>>     
>>> (toto01 exists twice but in two different domains)
>>> If I use pdbedit -L -v -d 10 toto01 I've got the following thing:
>>>
>>> smbldap_search_ext: base => [dc=univ,dc=fr], filter =>
>>> [(&(uid=toto01)(objectclass=sambaSamAccount))], scope => [2]
>>> ldapsam_getsampwnam: Duplicate entries for this user [toto01] Failing.
>>> count=2
>>>
>>>       
>> How are the domains organized? According to your information it seems
>> that dc=univ,dc=fr is a base for all 3 domains - am I right? In such
>> case the message you get is NORMAL. Shouldn't it be like this:
>> 1) ou=People,ou=domain1,dc=univ,dc=fr
>> 2) ou=People,ou=domain2,dc=univ,dc=fr
>> 3) ou=People,ou=domain3,dc=univ,dc=fr?
>>
>> But then your samba ldap suffix should be:
>>
>> ldap suffix = ou=domainx,dc=univ,dc=fr
>>
>>     
>
> the organization is:
> 1) ou=People,dc=univ,dc=fr  (the first domain)
>   
And your answer is here! dc=univ,dc=fr includes EVERYTHING - domain2 and 
domain3 and of course People, Groups from the top of the LDAP tree.
> 2) ou=People,ou=domain2,dc=univ,dc=fr
>   
This, for example, consists ONLY of EVERYTHING in the subtree 
ou=domain2,dc=univ,dc=fr - that's why if you try and change samba "ldap 
suffix = ou=domain2,dc=univ,dc=fr" - it will work OK. You will ONLY see 
people, groups and whatever you have, but from this particular subtree.
> 3) ou=People,ou=domain3,dc=univ,dc=fr
>
> the three domains are not at the same level in the ldap tree!
>
> I think the solution you give is a nice one (I thought of using it before).
> But I'd like to know why the function smbldap_search_ext doesn't search
> in the right branch given by the ldap parameters of smb.conf? Is it a
> bug or normal?
>
> thanks a lot about your response
>   
BR,
Marcin
>   
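
An added illustration, not part of the original post and not Samba's code: a small Python model of LDAP search scopes run against a constructed directory laid out like the tree in this thread. It shows why a subtree search (scope 2) from dc=univ,dc=fr matches toto01 twice, while the same search from ou=domain2,dc=univ,dc=fr matches once; the sample entries (including titi02) and all function names are hypothetical.

```python
# Added illustration: LDAP search scopes over a constructed directory.
SCOPE_BASE, SCOPE_ONELEVEL, SCOPE_SUBTREE = 0, 1, 2

# Constructed sample entries mirroring the tree layout described in the thread.
DIRECTORY = [
    ("uid=toto01,ou=People,dc=univ,dc=fr",
     {"uid": "toto01", "objectclass": {"sambasamaccount"}}),
    ("uid=toto01,ou=People,ou=domain2,dc=univ,dc=fr",
     {"uid": "toto01", "objectclass": {"sambasamaccount"}}),
    ("uid=titi02,ou=People,ou=domain3,dc=univ,dc=fr",
     {"uid": "titi02", "objectclass": {"sambasamaccount"}}),
]

def rdns(dn):
    """Split a DN into lower-cased RDNs (sample DNs contain no escaped commas)."""
    return [part.strip().lower() for part in dn.split(",")]

def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn falls inside the search scope rooted at base_dn."""
    entry, base = rdns(entry_dn), rdns(base_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False                      # not under the base at all
    depth = len(entry) - len(base)
    if scope == SCOPE_BASE:
        return depth == 0
    if scope == SCOPE_ONELEVEL:
        return depth == 1
    return True                           # subtree: the base and everything below

def search(base_dn, scope, uid):
    """Equivalent of the filter (&(uid=<uid>)(objectclass=sambaSamAccount))."""
    return [dn for dn, attrs in DIRECTORY
            if in_scope(dn, base_dn, scope)
            and attrs["uid"] == uid
            and "sambasamaccount" in attrs["objectclass"]]

def lookup_user(base_dn, uid):
    """Hypothetical caller that, like the log above, refuses ambiguous results."""
    hits = search(base_dn, SCOPE_SUBTREE, uid)
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} entries for [{uid}] under {base_dn}")
    return hits[0]

if __name__ == "__main__":
    for base in ("dc=univ,dc=fr", "ou=domain2,dc=univ,dc=fr"):
        print(base, "->", search(base, SCOPE_SUBTREE, "toto01"))
```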


