Ldap machine suffix

John H Terpstra jht at PrimaStasys.Com
Sun Oct 31 17:08:39 GMT 2004

On Sunday 31 October 2004 08:51, Guus Leeuw jr. wrote:
> Folks,
> I've been setting up Samba 3.0.7 on a test network to play since I heard
> that Samba outperforms Windows as a File Server. Anyways, I tried to do the
> PDC stuff (Happy users chapter in Terpstra's Samba by Example).
> Anyways, all works fine up to the point where you join the PDC to the
> domain. Neither LDAP nor samba really complain about anything. The only odd
> thing was that samba tried to look up the computer name under ou=Users all
> the time, and not finding data, although the computer account had been
> created under ou=Computers. Hence, I could not join my domain.

Please point me to the errors I made in the chapter you took this from so I 
can fix it. I really do apologize for leading you astray if in any place I 
recommended using the ou=Computers in the Samba-3 by Example (Samba-Guide).

It is well known that Samba-3 with LDAP requires the use of nss_ldap to 
resolve UIDs and GIDs for machine accounts as well as for users and groups.
There are two solutions to being able to resolve them correctly. The first is 
to put all machine accounts in ou=Users (that is the simple and efficient 
solution), the other is to set the search path for nss_base_passwd and 
nss_base_shadow to point to the level of your directory from which both Users 
and Machines can be found by recursively searching the directory. In this 
case you must also use the "?sub" parameter in place of the "?one" parameter.

> Now, after telling samba that ldap machine suffix: ou=Users, it all works
> fine.

As it should. Again, apologies if I misled you in any way. Please point me to 
the section in Chapter 6 where the errors are so I can fix them.

PS: If you would care to suggest better wording please give me your 
documentation patch - I really do appreciate contributions. :)

> Looking at the code, I see ldapsam_getsampwnam initializes attr_list from
> get_userattr_list, and is looking through ldapsam_search_suffix_by_name
> apparently in the ldap user suffix branch. Now while this works for normal
> users, it may not work if machines are on a different branch.
> Is this a known issue, and is somebody already working on it? If not, what
> would be the best solution?

This is a VERY well known issue.

John T.
John H Terpstra, CTO
PrimaStasys Inc.
Phone: +1 (650) 580-8668

The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.
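The two fixes John describes above, written out as configuration fragments. This is an added example, not text from the original message or from the Samba project: the directory suffix dc=example,dc=com and the OU names are assumed for illustration; the nss_ldap keys (nss_base_passwd, nss_base_shadow) and the smb.conf parameters (ldap suffix, ldap user suffix, ldap machine suffix) are real settings of those tools. The first /etc/ldap.conf fragment is the one that fails for machine accounts kept under ou=Computers; the second widens the search so both OUs are covered.

```ini
# /etc/ldap.conf (nss_ldap) -- PROBLEM: one-level search rooted at ou=Users.
# A machine account such as ws01$ stored under ou=Computers is never found,
# so its UID cannot be resolved and the domain join fails.
# (dc=example,dc=com is an assumed suffix for this example.)
base dc=example,dc=com
nss_base_passwd ou=Users,dc=example,dc=com?one
nss_base_shadow ou=Users,dc=example,dc=com?one
nss_base_group  ou=Groups,dc=example,dc=com?one

# /etc/ldap.conf (nss_ldap) -- FIX 2 from the message: root the passwd and
# shadow searches one level higher and use "?sub" (recursive) instead of
# "?one", so entries under both ou=Users and ou=Computers are resolved.
base dc=example,dc=com
nss_base_passwd dc=example,dc=com?sub
nss_base_shadow dc=example,dc=com?sub
nss_base_group  ou=Groups,dc=example,dc=com?one

# smb.conf -- FIX 1 from the message: keep machine accounts in ou=Users,
# which is the same branch nss_ldap already searches.
[global]
    passdb backend     = ldapsam:ldap://localhost
    ldap suffix        = dc=example,dc=com
    ldap user suffix   = ou=Users
    ldap machine suffix = ou=Users
    ldap group suffix  = ou=Groups
```

Pick one of the two fixes, not both. A quick check after changing either file: `getent passwd 'ws01$'` (with the real machine name) must print the account's passwd entry; if it prints nothing, nss_ldap still cannot see the account and Samba will fail the join exactly as Guus described. The `?sub` form makes nss_ldap walk every OU beneath the base on each lookup, so on a large directory it costs more than placing machine accounts in ou=Users.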
