SambaSAMAccount and IBM Domino

Andrew Bartlett abartlet at
Thu Oct 29 04:20:05 MDT 2009

On Thu, 2009-10-29 at 14:35 +1100, Michael Lucchese wrote:
> Here is an example of the problem:
> We have already added the SambaSAMAccount objectclass and
> its related OIDs into the Domino LDAP Schema.
> When smbpasswd is executed to add the SambaSAMAccount attributes to a
> POSIX account it will add the objectclass SambaSAMAccount together with
> several of the SambaSAMAccount attributes.  This is followed by an
> ldapsearch for "(objectclass=SambaSAMAccount)" which fails because even
> though the SambaSAMAccount attributes were added to the DIT, the
> objectclass SambaSAMAccount does not persist in the DIT entry. Because
> this validation fails, the process of adding the SambaSAMAccount
> attributes fails in total.
> When we add a DIT entry via an LDIF file that does specify the
> objectclass SambaSAMAccount, the SambaSAMAccount attributes are added to
> the DIT, but again the objectclass SambaSAMAccount is not persistent in
> the DIT.  As a result, LDAP searches performed by Samba, which seek to
> locate the SambaSAMAccount objectclass, fail, and again the process
> terminates in failure.

This would seem to be a very fundamental flaw in Domino, and you will
have a very hard time making Samba work with such a broken LDAP server.

Perhaps find out how to make the objectclass persist, then use local
scripts to provision the users in the 'right' way.  I don't see how
Samba can really help, but if you manage to work it out, we will
certainly look at any patches or example scripts you come up with.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Cisco Inc.
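
The symptom described in this thread can be confirmed from an LDIF export of the directory. The following is an added example, not part of the original messages and not Samba code: it flags entries that hold Samba attributes but lack the sambaSamAccount object class. The function names, the attribute subset and the sample entries are assumptions constructed for illustration.

```python
import base64

# Subset of the attributes samba.schema defines for sambaSamAccount.
SAMBA_ATTRS = {"sambasid", "sambantpassword", "sambalmpassword",
               "sambaacctflags", "sambapwdlastset"}

def parse_ldif(text):
    """Parse LDIF into {attr_lowercase: [values]} dicts, unfolding wrapped lines."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # leading space: continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
            continue
        attr, sep, value = line.partition(":")
        if line.startswith("#") or not sep:
            continue
        if value.startswith(":"):           # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def orphaned_samba_entries(text):
    """DNs that carry Samba attributes but lack objectClass sambaSamAccount."""
    orphans = []
    for entry in parse_ldif(text):
        classes = {v.lower() for v in entry.get("objectclass", [])}
        if SAMBA_ATTRS & entry.keys() and "sambasamaccount" not in classes:
            orphans.append(entry.get("dn", ["<no dn>"])[0])
    return orphans

# Constructed sample: alice is complete, bob shows the symptom from the thread.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,o=example
objectClass: posixAccount
objectClass: sambaSamAccount
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-1001

dn: uid=bob,ou=people,o=example
objectClass: posixAccount
sambaSID: S-1-5-21-1111111111-2222222222-
 3333333333-1002
"""
```

Calling `orphaned_samba_entries()` on the output of an `ldapsearch -LLL` dump of the user subtree lists the accounts that a search for "(objectclass=SambaSAMAccount)" would miss.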
