SAMBA 3.0.x OpenLDAP - wrong Container for DomainName
William Jojo
jojowil at hvcc.edu
Fri Nov 12 13:09:01 GMT 2004
On Fri, 12 Nov 2004, schmieder, holger wrote:
> Hallo all,
>
> i got the following problem an hope someone knows a solution for that
>
> -Installed: 2 Samba server, both with OpenLDAP, replicated by slurpd.
> -Managing of objects through LAM
> -localSID's and domain SID are all the same.
>
> On the first server the domain ist ready an working. The SambaDomainName ist
> stored in the ou=domains,dc=xxx,dc=intra.
> (SambaDomainName=DOM01,ou=domains,dc=xxx,dc=intra)
>
> After typing in "smbpasswd -w xxx" on second server, a new domain was
> created in LDAP with the DN=SambaDomainName=DOM01,dc=xxx,dc=intra
>
actually Samba does do a search in the subtree value supplied in "ldap
suffix" before creating any new values for domain entries. perhaps
permissions on ou=domains subtree are too tight for samba to "see" it.
> I believe because of that, some things for example usrmgr.exe won't work
> corectly.
>
> Can someone tell me how to tell smbpasswd to use an existing domain with the
> SID stored in ou=domains ?
>
There presently is no way to do it as there is no specific suffix value
option for that. Samba will always create the domain entry in "ldap
suffix" if you do not create the domain entry yourself. I've just created
the entry myself in the DIT prior to starting any new samba servers and
that has worked fine for me. It may seem inconvenient, but you only have
to do it once - I can live with that ;-)
Again make sure your permission on subtree values are not too restrictive.
Also a log level 10 will help you determine what requests Samba is making
against the DIT.
I've included a snippet of indexes and permissions that I've glom'ed from
Samba How-To and LDAP-System Admin. and various google-ing's for OpenLDAP
2.2.x (which is what my permissions are based on)
My machines are in the ou=people section as there is still controversy
over whether machines whould be separated or not and it was easier to just
"lump" them.
index objectClass eq
index cn pres,eq,sub
index sn pres,eq,sub
index mail pres,eq,sub
index uid pres,eq,sub
index memberUid eq
index uidNumber eq
index gidNumber eq
index sambaSID eq
index sambaDomainName eq
index sambaPrimaryGroupSID eq
index default sub,eq
access to dn.subtree="ou=hvccdir,dc=domain,dc=edu"
by domain=".*\.domain\.edu" read
by anonymous read
by dn="cn=root,dc=domain,dc=edu" write
by * none
access to dn.subtree="ou=People,dc=domain,dc=edu" attrs=userPassword
by self write
by dn="cn=root,dc=domain,dc=edu" write
by * auth
access to dn.subtree="ou=People,dc=domain,dc=edu" attrs=sambaLMPassword,sambaNTPassword
by dn="cn=root,dc=domain,dc=edu" write
by * none
access to dn.subtree="ou=People,dc=domain,dc=edu"
by dn="cn=root,dc=domain,dc=edu" write
by * read
access to dn.subtree="ou=Groups,dc=domain,dc=edu"
by dn="cn=root,dc=domain,dc=edu" write
by * read
access to dn.subtree="ou=Idmap,dc=domain,dc=edu"
by dn="cn=root,dc=domain,dc=edu" write
by * read
access to dn.subtree="ou=Domains,dc=domain,dc=edu"
by dn="cn=root,dc=domain,dc=edu" write
by * read
access to dn.subtree="dc=domain,dc=edu"
by dn="cn=root,dc=domain,dc=edu" write
by * read
> Thanks for every good idea.
>
> Holger
>
>
Best of luck to you!
More information about the samba-technical
mailing list