AW: Ldap machine suffix

[Guus Leeuw jr.]

> -----Ursprüngliche Nachricht-----
> Von: 
> samba-technical-bounces+guus-leeuw=gmx.de at lists.samba.org 
> [mailto:samba-technical-bounces+guus-leeuw=gmx.de at lists.samba.
> org] Im Auftrag von John H Terpstra
> 
> On Sunday 31 October 2004 08:51, Guus Leeuw jr. wrote:
> > Folks,
> >
> > I´ve been setting up Samba 3.0.7 on a test network to play since I 
> > heard that Samba outperforms Windows as a File Server. Anyways, I 
> > tried to do the PDC stuff (Happy users chapter in Terstra´s 
> Samba by 
> > Example).
> >
> > Anyways, all works fine up to the point where you join the 
> PDC to the 
> > domain. Neither LDAP nor samba really complain about anything. The 
> > only odd thing was that samba tried to look up the computer 
> name under 
> > ou=Users all the time, and not finding data, allthough the computer 
> > account had been created under ou=Computers. Hence, I could 
> not join 
> > my domain.
> 
> Please point me to the errors I made in the chapter you took 
> this from so I 
> can fix it. I really do apologize for leading you astray if 
> in any place I 
> recommended using the ou=Computers in the Samba-3 by Example 
> (Samba-Guide) 
> book.

Ah... You mention

$computersou = q(People);
$computersdn = "ou=$computersou,$suffix";

For the smbldap_conf.pm, and later when you show the output
For smbldap-populate.pl it says:

Adding new entry: ou=Computers,dc=abmas,dc=biz

And this line probably ticked me off.

So in the end, your documentation is correct...

Further, it is only a test network, and I do have a weekend off (1st
of November) so it is more like playing around from my side.

> It is well known that Samba-3 with LDAP requires the use of 
> nss_ldap to 
> resolve UIDs and GIDs for machine accounts as well as for 
> users and groups. There are two solutions to being able to 
> resolve them correctly. The first is 
> to put all machine accounts in ou=Users (that is the simple 
> and efficient 
> solution), the other is to set the search path for 
> nss_base_passwd and 
> nss_base_shadow to point to the level of your directory from 
> which both Users 
> and Machines can be found by recursively searching the 
> directory. In this 
> case you must also use the "?sub" parameter in place of the 
> "?one" parameter.
> 
> >
> > Now, after telling samba that ldap machine suffix: ou=Users, it all 
> > works fine.
> 
> As it should. Again, apologies if I misled you in any way. 
> Please point me to 
> the section in Chapter 6 where the errors are so I can fix them.
> 
> PS: If you would care to suggest better wording please give me your 
> documentation patch - I really do appreciate contributions. :)

See above. Zou might as well stress the point that computers and users
Should go in the same subtree.

> >
> > Looking at the code, I see ldapsam_getsampwnam initializes 
> attr_list 
> > from get_userattr_list, and is looking through 
> > ldapsam_search_suffix_by_name apparently in the ldap user suffix 
> > branch. Now while this works for normal users, it may not work if 
> > machines are on a different branch.
> 
> Correct.
> 
> >
> > Is this a known issue, and is somebody already working on 
> it? If not, 
> > what would be the best solution?
> 
> This is a VERY well known issue.

What if we have ldapsam_getsampwnam not only look at the user_attr but
at others as well, and return on the first hit? Would this be feasible?

Thanks, John.

Regards,
Guus

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.784 / Virus Database: 530 - Release Date: 27/10/2004