[Samba] Re: LDAP violation ?

Jerome Pramondon jpramondon at alicante.fr
Fri Apr 9 12:17:33 GMT 2004

Thanks for your help,
Please See below

Andrew Bartlett wrote:

>On Fri, Apr 09, 2004 at 12:56:35PM +0200, M. Vancl wrote:
>>"Jerome Pramondon" <jpramondon at alicante.fr> wrote:
>>>The problem is when I start adding users using the 'smbpasswd' command.
>>>I get an objectclass violation which says it cannot modify the
>>>'userPassword' attribute.
>>>After some searching, I noticed the 'userPassword' attribute was only
>>>defined in the 'PosixAccount' objectclass. If I use a LDAP browser to
>>>look what's in my directory, I see the user account, but he only has the
>>>'SambaSamAccount' objectclass.
>>>So it seems completely correct: if the 'PosixAccount' objectclass is not
>>>added, then how could the 'userPassword' attribute be used in that
>>>object ...
>>>Then why does the command not add that objectclass?
>>I'm not sure, but I think smbpasswd is not usable for the ldap backend and you
>>must use some more sophisticated program for it (e.g. IDEALX smbldap-tools
>No, smbpasswd will handle all of the Samba backends.  
Yes, I configured the users and groups management scripts in the 
smb.conf. That's why smbpasswd is using smbldap-useradd in fact. Am I right ?

>The issue here is that the 'ldap password sync' option is being used (hint - always post your smb.conf), and the user entries do not permit the setting of an LDAP password.
Sorry, here it is :
# Samba config file created using SWAT
# from (
# Date: 2004/04/07 19:53:42

# Global parameters
    unix charset = ISO8859-1
    workgroup = INTRALICANTE.FR
    server string = Samba Server %v
    map to guest = Bad User
    passdb backend = ldapsam:ldap://
    log level = 2
    log file = /var/log/samba/log.%m
    max log size = 1000
    debug hires timestamp = Yes
    time server = Yes
    socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
    printcap name = cups
    add user script = /usr/bin/smbldap-useradd -m -a
    delete user script = /usr/bin/smbldap-userdel
    add group script = /usr/bin/smbldap-groupadd -p
    delete group script = /usr/bin/smbldap-groupdel
    add user to group script = /usr/bin/smbldap-groupmod -m
    delete user from group script = /usr/bin/smbldap-groupmod -x
    add machine script = /usr/bin/smbldap-useradd -w
    logon script = logon.bat
    logon path =
    logon home =
    domain logons = Yes
    os level = 65
    preferred master = Yes
    domain master = Yes
    dns proxy = No
    ldap suffix = ou=Samba,dc=Alicante,dc=fr
    ldap machine suffix = ou=computers
    ldap user suffix = ou=accounts
    ldap group suffix = ou=groups
    ldap admin dn = cn=Manager,dc=Alicante,dc=fr
    ldap ssl = no
    ldap passwd sync = Yes
    ldap delete dn = Yes
    printer admin = @adm
    printing = cups

    comment = All Printers
    path = /var/spool/samba
    create mask = 0700
    guest ok = Yes
    printable = Yes
    print command = lpr-cups -P %p -o raw %s -r   # using client side printer drivers.
    browseable = No

    path = /var/lib/samba/printers
    write list = @adm, root
    inherit permissions = Yes
    guest ok = Yes

    comment = PDF Generator (only valid users)
    path = /var/tmp
    printable = Yes
    print command = /usr/share/samba/scripts/print-pdf %s ~%u //%L/%u %m %I "%J" &

    valid users = %S
    read only = No
    browseable = No

    path = /home/netlogon
    browseable = No

    comment = Répertoire Public
    path = /home/public
    read only = No
    guest ok = Yes

    comment = Répertoire privé de %U
    path = /home/%U
    invalid users = nobody, guest
    read only = No

>(The exact requirements differ between directory servers, but for
>OpenLDAP, your users must have a posixAccount or simpleSecurityObject
>objectclass, to allow userPassword to be set).
OK, I knew I could do it this way (that supposes I already have users in the 
directory), but what if I want to have separate entries for users and 
samba accounts in the directory ?
something like :
dn: uid=jpramondon,ou=samba,dc=alicante,dc=fr
objectclass: account
objectclass: posixaccount
objectclass: sambaSamAccount
uid: jpramondon
userpassword: ...


dn: cn=jérôme pramondon,ou=users,dc=alicante,dc=fr
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: jérôme pramondon

I saw something like that somewhere ...
Here's why I want to have it this way : this could prevent me from having 
too many administrative tasks by having only one command to add a user. 
(smbpasswd -a user)
Is smbpasswd able to add that kind of entry (the samba account one, not 
the user) with both sambaSamAccount and PosixAccount (in order to 
prevent getting that objectclass violation error) ?

Could you help ?

Thanx so much
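A pre-flight check for the violation discussed in this thread, added here as an example and not part of the list post or of Samba/smbldap-tools: it reads LDIF entries, reports which ones cannot carry a userPassword attribute (so 'ldap passwd sync' would fail on them), lists the posixAccount MUST attributes that are still missing, and emits the modify LDIF that adds the objectclass. The schema table is a constructed subset (posixAccount and simpleSecurityObject as named in the thread, plus the person family from OpenLDAP core.schema); the sample LDIF, including its sambaSID value, is constructed to mirror the entries in the thread.

```python
"""Check whether LDIF entries can hold userPassword before running
smbpasswd with 'ldap passwd sync = Yes'.  Standalone example; the
schema knowledge below is a hand-written subset, not read from the
directory server."""

# Constructed subset of the OpenLDAP core/nis schema: objectClasses that
# permit userPassword.  Names are compared case-insensitively, as LDAP does.
ALLOWS_USERPASSWORD = {
    "posixaccount",          # nis.schema, named in the thread
    "simplesecurityobject",  # core.schema, named in the thread
    "person",                # core.schema: MAY userPassword, inherited by
    "organizationalperson",  #   organizationalPerson and inetOrgPerson
    "inetorgperson",
}
# sambaSamAccount and account carry no userPassword, hence the violation.

# MUST attributes of the two classes the thread suggests adding.
MUST = {
    "posixaccount": ["cn", "uid", "uidNumber", "gidNumber", "homeDirectory"],
    "simplesecurityobject": ["userPassword"],
}


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated records, '#' comments and
    folded continuation lines.  Returns dicts mapping lower-cased attribute
    names to value lists; 'dn' is kept as an ordinary attribute."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF line folding
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # trailing blank flushes last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):         # 'attr:: base64' - keep raw text
            value = value[1:]
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return entries


def can_hold_userpassword(entry):
    classes = {c.lower() for c in entry.get("objectclass", [])}
    return bool(classes & ALLOWS_USERPASSWORD)


def missing_must(entry, objectclass):
    """MUST attributes of objectclass that the entry does not yet have."""
    return [a for a in MUST[objectclass.lower()] if a.lower() not in entry]


def modify_ldif(entry, objectclass="posixAccount"):
    """LDIF 'changetype: modify' adding the objectClass the entry needs
    before the server will accept a userPassword."""
    return "\n".join([
        "dn: " + entry["dn"][0],
        "changetype: modify",
        "add: objectClass",
        "objectClass: " + objectclass,
        "-", "",
    ])


def report(text):
    """(dn, ok, missing posixAccount MUST attrs) for every entry."""
    out = []
    for e in parse_ldif(text):
        ok = can_hold_userpassword(e)
        out.append((e["dn"][0], ok, [] if ok else missing_must(e, "posixAccount")))
    return out


# Constructed sample: the entry smbpasswd left behind (sambaSamAccount only),
# then the two-entry layout proposed in the mail.  The SID is a placeholder.
SAMPLE = """\
dn: uid=jpramondon,ou=accounts,ou=Samba,dc=Alicante,dc=fr
objectClass: sambaSamAccount
uid: jpramondon
cn: jpramondon
sambaSID: S-1-5-21-0-0-0-1000

dn: uid=jpramondon,ou=samba,dc=alicante,dc=fr
objectClass: account
objectClass: posixAccount
objectClass: sambaSamAccount
uid: jpramondon
cn: jpramondon
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/jpramondon
sambaSID: S-1-5-21-0-0-0-1000
userPassword: {SSHA}placeholder

dn: cn=jerome pramondon,ou=users,dc=alicante,dc=fr
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
cn: jerome pramondon
sn: pramondon
"""

if __name__ == "__main__":
    for dn, ok, missing in report(SAMPLE):
        print(("OK        " if ok else "VIOLATION ") + dn)
        if not ok:
            print("  add posixAccount; MUST attributes still missing:", missing)
    print(modify_ldif(parse_ldif(SAMPLE)[0]))
```

Running it flags only the first entry: adding posixAccount is not enough by itself, because uidNumber, gidNumber and homeDirectory are also required, which is exactly what smbldap-useradd supplies and a bare sambaSamAccount entry lacks.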

