SAMBA 3.0.x OpenLDAP - wrong Container for DomainName

William Jojo jojowil at hvcc.edu
Fri Nov 12 13:09:01 GMT 2004



On Fri, 12 Nov 2004, schmieder, holger wrote:

> Hello all,
>
> I have the following problem and hope someone knows a solution for it.
>
> -Installed: 2 Samba servers, both with OpenLDAP, replicated by slurpd.
> -Managing of objects through LAM
> -Local SIDs and domain SID are all the same.
>
> On the first server the domain is ready and working. The SambaDomainName is
> stored in ou=domains,dc=xxx,dc=intra.
> (SambaDomainName=DOM01,ou=domains,dc=xxx,dc=intra)
>
> After typing in "smbpasswd -w xxx" on the second server, a new domain was
> created in LDAP with the DN=SambaDomainName=DOM01,dc=xxx,dc=intra
>

Actually, Samba does do a search in the subtree value supplied in "ldap
suffix" before creating any new values for domain entries. Perhaps
permissions on the ou=domains subtree are too tight for Samba to "see" it.

> I believe that because of that, some things, for example usrmgr.exe, won't work
> correctly.
>
> Can someone tell me how to tell smbpasswd to use an existing domain with the
> SID stored in ou=domains ?
>

There presently is no way to do it as there is no specific suffix value
option for that. Samba will always create the domain entry in "ldap
suffix" if you do not create the domain entry yourself. I've just created
the entry myself in the DIT prior to starting any new samba servers and
that has worked fine for me. It may seem inconvenient, but you only have
to do it once - I can live with that ;-)

Again, make sure your permissions on subtree values are not too restrictive.
Also, a log level of 10 will help you determine what requests Samba is making
against the DIT.

I've included a snippet of indexes and permissions that I've glommed from
the Samba How-To, LDAP System Administration, and various googlings for OpenLDAP
2.2.x (which is what my permissions are based on).

My machines are in the ou=People section, as there is still controversy
over whether machines should be separated or not, and it was easier to just
"lump" them.


# Indexes for the attributes Samba and the NSS/PAM LDAP modules search on
index   objectClass     eq
index   cn      pres,eq,sub
index   sn      pres,eq,sub
index   mail    pres,eq,sub
index   uid     pres,eq,sub
index   memberUid       eq
index   uidNumber       eq
index   gidNumber       eq
index   sambaSID        eq
index   sambaDomainName eq
index   sambaPrimaryGroupSID    eq
index   default sub,eq

# ACLs: slapd uses the first "access to" clause whose target matches, so the
# attribute-specific clauses for ou=People must come before the general ones.
access to dn.subtree="ou=hvccdir,dc=domain,dc=edu"
  by domain=".*\.domain\.edu" read
  by anonymous read
  by dn="cn=root,dc=domain,dc=edu" write
  by * none

# userPassword: owner may change it, everyone else may only bind with it
access to dn.subtree="ou=People,dc=domain,dc=edu" attrs=userPassword
  by self write
  by dn="cn=root,dc=domain,dc=edu" write
  by * auth

# LM/NT hashes are password equivalents: only the Samba admin DN may touch them
access to dn.subtree="ou=People,dc=domain,dc=edu" attrs=sambaLMPassword,sambaNTPassword
  by dn="cn=root,dc=domain,dc=edu" write
  by * none

access to dn.subtree="ou=People,dc=domain,dc=edu"
  by dn="cn=root,dc=domain,dc=edu" write
  by * read

access to dn.subtree="ou=Groups,dc=domain,dc=edu"
  by dn="cn=root,dc=domain,dc=edu" write
  by * read

access to dn.subtree="ou=Idmap,dc=domain,dc=edu"
  by dn="cn=root,dc=domain,dc=edu" write
  by * read

# The domain entry (sambaDomainName=...) must be readable by the Samba admin DN
# or Samba will not find it when it searches the "ldap suffix" subtree
access to dn.subtree="ou=Domains,dc=domain,dc=edu"
  by dn="cn=root,dc=domain,dc=edu" write
  by * read

# Catch-all for the rest of the suffix; keep it last
access to dn.subtree="dc=domain,dc=edu"
  by dn="cn=root,dc=domain,dc=edu" write
  by * read



> Thanks for every good idea.
>
> Holger
>
>


Best of luck to you!
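The pre-creation step William describes, as an added example that is not part of the original thread: a small POSIX shell script that emits the LDIF for the domain entry under ou=Domains and classifies a subtree search of the suffix as missing, ok or duplicate (the state Holger ended up in). The suffix, admin DN, domain name and SID are assumed sample values.

```shell
#!/bin/sh
# Added example, not from the original thread. Pre-creates the sambaDomain entry
# under ou=Domains so a new Samba server finds it when it searches the "ldap
# suffix" subtree, and detects the symptom from the thread: a second copy that
# smbpasswd -w created directly under the suffix. Assumed values follow.
SUFFIX="dc=domain,dc=edu"
ADMIN_DN="cn=root,${SUFFIX}"          # the "ldap admin dn" from smb.conf
DOMAIN="DOM01"
DOMAIN_SID="S-1-5-21-111111111-222222222-333333333"   # constructed; use net getlocalsid

# A domain SID has the shape S-1-5-21-<n>-<n>-<n>; return 0 if $1 matches.
valid_sid() {
    printf '%s\n' "$1" | grep -Eq '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+$'
}

# Emit the LDIF for the domain entry. Samba 3.0's samba.schema requires
# sambaDomainName and sambaSID on a sambaDomain; the RID attributes are optional.
domain_ldif() {   # $1 = domain name, $2 = domain SID, $3 = container DN
    printf 'dn: sambaDomainName=%s,%s\n' "$1" "$3"
    printf 'objectClass: sambaDomain\n'
    printf 'sambaDomainName: %s\n' "$1"
    printf 'sambaSID: %s\n' "$2"
    printf 'sambaAlgorithmicRidBase: 1000\n'
}

# Read "ldapsearch -LLL ... dn" output on stdin; print missing, ok or duplicate.
domain_status() {   # $1 = domain name
    n=$(grep -ic "^dn: sambaDomainName=$1," || true)
    case "$n" in
        0) echo missing ;;
        1) echo ok ;;
        *) echo duplicate ;;
    esac
}

# Search the whole suffix subtree, as Samba itself does, bound as the admin DN.
# "missing" while the entry exists under ou=Domains means the ACLs hide it from
# that DN. Needs ldap-utils; not exercised by the sample run below.
live_status() {
    ldapsearch -x -LLL -D "$ADMIN_DN" -W -b "$SUFFIX" \
        "(&(objectClass=sambaDomain)(sambaDomainName=$DOMAIN))" dn | domain_status "$DOMAIN"
}

# Constructed sample of the search output in the broken state from the thread.
SAMPLE_SEARCH="dn: sambaDomainName=DOM01,ou=Domains,dc=domain,dc=edu

dn: sambaDomainName=DOM01,dc=domain,dc=edu"

sample_run() {
    printf '%s\n' "$SAMPLE_SEARCH" | domain_status "$DOMAIN"
}
```

When `domain_status` reports missing, pipe `domain_ldif "$DOMAIN" "$DOMAIN_SID" "ou=Domains,$SUFFIX"` into `ldapadd -x -D "$ADMIN_DN" -W` before starting the new Samba server; when it reports duplicate, the copy directly under the suffix is the one smbpasswd created.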

