Computers in LDAP directory, pdb_get_group_sid
J.A. Gutierrez
spd at daphne.cps.unizar.es
Thu Mar 19 17:21:22 GMT 2009
Hello
I think I've found a design flaw in the way samba looks for
computer group SID when running as PDC.
I noticed sometimes, in my domain, clients could not find
the domain. It happened randomly, and after a while, the
client was able to login into the domain again.
In our logs there were plenty of messages like this one:
pdb_get_group_sid: Failed to find Unix account for XXXXXX$
but I was not sure it was related to our problem.
Anyway, tracing down the problem, I found out how samba tries
to find the computer account, and it turns out that after some
steps [1], it ends up calling getpwnam().
The problem is, if you are using LDAP for user accounts, usually
you want to have real users under "ou=People", and computers
under "ou=Computers", and with this setup, getpwnam() knows
nothing about the latter [2]...
In fact, in smb.conf, you can set "ldap machine suffix = ou=Computers"
as noted in the man page, but it seems samba doesn't use this setting...
[1]
pdb_get_group_sid (./passdb/pdb_get_set.c) ->
Get_Pwnam_alloc -> Get_Pwnam_internals (./lib/username.c) ->
getpwnam_alloc (./lib/util_pw.c) ->
sys_getpwnam (./lib/system.c) -> getpwnam
[2]
Yes, you can configure the system's ldap client to look also under
"ou=Computers" for user accounts, but I don't think this is the
right approach...
--
PGP and other useless info at \
http://webdiis.unizar.es/~spd/ \
finger://daphne.cps.unizar.es/spd \ Timeo Danaos et dona ferentes
ftp://ivo.cps.unizar.es/pub/ \ (Virgilio)
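A small triage helper for the symptom described in this post, added here as an example and not part of Samba or of the poster's message: it pulls the machine account names out of "pdb_get_group_sid: Failed to find Unix account for ...$" log lines and checks which of them the local NSS stack can see through getpwnam(), the call the chain in [1] ends in. Accounts that come back unresolved are the ones living outside what the system's LDAP client searches (e.g. under "ou=Computers"). The log lines and host names are constructed; the log header format is only an approximation of Samba's.

```python
"""Triage helper: which machine accounts in a Samba log can getpwnam() see?

Added example, not Samba code.  The sample log below is constructed.
"""
import pwd
import re
from typing import Callable, Dict, List

# Samba machine accounts are the NetBIOS name followed by a trailing '$'.
LOG_RE = re.compile(
    r"pdb_get_group_sid: Failed to find Unix account for (\S+\$)"
)

# Constructed sample; real Samba logs carry their own header lines.
SAMPLE_LOG = """\
[2009/03/19 17:01:02, 0] passdb/pdb_get_set.c:pdb_get_group_sid
  pdb_get_group_sid: Failed to find Unix account for WS-LAB01$
[2009/03/19 17:01:05, 0] passdb/pdb_get_set.c:pdb_get_group_sid
  pdb_get_group_sid: Failed to find Unix account for WS-LAB02$
  pdb_get_group_sid: Failed to find Unix account for WS-LAB01$
"""


def machine_accounts_from_log(log_text: str) -> List[str]:
    """Return the distinct machine account names, in order of first appearance."""
    seen: Dict[str, None] = {}
    for match in LOG_RE.finditer(log_text):
        seen.setdefault(match.group(1), None)
    return list(seen)


def nss_resolves(name: str,
                 lookup: Callable[[str], object] = pwd.getpwnam) -> bool:
    """True if getpwnam() (the call Samba ends up in) knows the account.

    `lookup` is injectable so the check can be exercised against a
    hypothetical account table instead of the real NSS configuration.
    """
    try:
        lookup(name)
        return True
    except KeyError:
        return False


def classify(log_text: str,
             lookup: Callable[[str], object] = pwd.getpwnam) -> Dict[str, List[str]]:
    """Split logged machine accounts into those NSS can and cannot resolve.

    Anything under 'unresolved' is a computer account that nsswitch/LDAP does
    not return, which is exactly the condition that produces the log line.
    """
    result: Dict[str, List[str]] = {"resolved": [], "unresolved": []}
    for account in machine_accounts_from_log(log_text):
        bucket = "resolved" if nss_resolves(account, lookup) else "unresolved"
        result[bucket].append(account)
    return result


if __name__ == "__main__":
    # Run on a domain controller against its real log to see the split.
    for status, names in classify(SAMPLE_LOG).items():
        print(f"{status}: {names}")
```

On a PDC showing the symptom, feeding the real log.smbd into classify() lists precisely the computer accounts that samba cannot map to a Unix account; if the same names appear under "ou=Computers" in an ldapsearch, the NSS search base, not the directory, is where they are missing.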