[Samba] smb.conf ignores "ldap user suffix"
ttu at sunext.com
Sat Oct 14 18:40:40 GMT 2006
Thank you very much for responding to my question.
I understand that there must be a reason that samba doesn't read the
"ldap user suffix". However, it doesn't make sense to include the
parameters in the configure file because it's not true that this option
is going to work. It's confusing when reading or understanding the
settings. Also, it makes you feel that you are doing something wrong
with its settings and that's why it doesn't work, since the man page says
that it's the way it's going to work.
ldap user suffix (G)
This parameter specifies where users are added to the
this parameter is unset, the value of ldap suffix will
instead. The suffix string is pre-pended to the ldap
string so use a partial DN.
Default: ldap user suffix =
Example: ldap user suffix = ou=people
and the release notice says:
If "ldap user suffix" or "ldap machine suffix" are defined in
smb.conf, all user-accounts must reside below the user suffix,
and all machine and inter-domain trust-accounts must be located
below the machine suffix. Previous Samba releases would fall
back to searching the 'ldap suffix' in some cases.
So when you explain to the team that it's being ignored from the
configuration with "ldap_xx_suffix", others will think ... uhmmmm...
what is wrong here since the document says it's the option to set it to
I see that it does read "ldap group suffix" to get the groups
privilege. There must be a way to fix this bug. If not, it would be
better to remove it from the configuration as well as the
documents. The old version didn't have it and only used 'ldap suffix',
which makes sense since it's true that is the only option to make it work.
Volker Lendecke wrote:
> On Fri, Oct 13, 2006 at 02:30:23PM -0700, Tri Tu wrote:
>> Seems like there is a bug in samba configuration with the version 3.0.22
>> or later that it doesn't read the configuration variable within the
>> smb.conf for ldap settings
>> ldap user suffix =
> We are not consistent here, true. In what sense does it
> really cause a problem for you instead of being a bit
> inconvenient in the log file?
> My general idea with the ldap_xx_suffix parameters would in
> general be to use them only when we create new objects and
> when searching do subtree level searches starting from 'ldap
> suffix' always. The inconsistent search behaviour has caused
> quite a number of bugs already, in particular with idmap and
> group mapping.
> So would anybody object if we changed the use of the
> ldap_xx_suffix parameters to be only used when creating