[Samba] Samba 3 + PDC + LDAP machine accounts

Markus Amersdorfer markus.amersdorfer at aon.at
Tue Aug 5 07:25:33 GMT 2003

On Tue, 5 Aug 2003 17:38:15 +1200
System_Administrator at koppersarch.co.nz wrote:


> (eg had machines in ou=Machines,dc=domain,dc=com
> and people in ou=People,dc=domain,dc=com)?
> If so, how did you add machines?
> I've tried smbpasswd -a -m MACHINE
> and with debugging, it shows that it tries to find a posix account for
> MACHINE$ first, which obviously doesn't exist.

As you probably know: you have to create a Linux-User first which
resides in ou=Machines.
In order to have the system find it when doing the lookup, you'll need
to tell your NSS to also search in the Machines-tree for users:
In /etc/ldap.conf (e.g. Mandrake) or /etc/libnss-ldap.conf (Debian),
change as follows:

  # nss_base_passwd ou=People,dc=domain,dc=net
  nss_base_passwd dc=domain,dc=net?sub

> The actual fault is, after determining that a sambaSamAccount object
> doesn't exist, it goes back to getpwnam to try and find an account.
> Obviously if I am putting machines in a different tree, pam_ldap, etc
> aren't going to find them there.

Right. Just that it's not pam_ldap but lib-nss. (PAM does the
authentication-stuff while NSS does the user-lookups.)
(At least Samba 2.2.x relies on NSS too.)

The problem I had while trying this with Debian's 2.2.3a yesterday was
that I _could_ get the system (and Samba) to find the Linux user, but
"smbpasswd -m -a " created an entry in "ou=People" nevertheless.
This means, I got two entries for one machine: the Linux-User
"machine$" in ou=Machines, and the Samba-part in ou=People.

Any idea how to fix this?

(I move machines to ou=People now, but I'd also rather see them in


The first time any man's freedom is trodden on, we're all damaged.
                       <Cpt. Picard, "The Drumhead", StarTrek TNG>


More information about the samba mailing list