[Samba] Re: Re: Good News, ou=computer works! :-)

Vegeta lord.vegeta at ica.luz.ve
Fri Jan 16 02:54:54 GMT 2004

Andrew Bartlett wrote:

> On Thu, Jan 15, 2004 at 09:42:53AM -0400, Vegeta wrote:
>> Beast wrote:
>> > 
>> > I'm just storing machine accounts under
>> > ou=computer,ou=site,dc=domain,dc=com and it works.
>> > 
>> > Tested with W2K sp2 and W2K sp3, recreating from fresh ldif 2 times
>> > never failed. I'm sure it is 'stable' right now :-)
>> > 
>> > 'works' means it was able to add machine trust on-the-fly, or using
>> > manual creation with smbpasswd command.
>> > 
>> > The key is not to use 'objectclass=sambaSamAccount' in ldap filter.
>> > 
>> > Tks to everybody who helps...
>> > 
>> > --beast
>> > 
>> I did not use 'objectclass=sambaSamAccount' and 3.0.2pre1 still doesn't
>> work for me using ou=computers
> All LDAP searches (for account objects, anyway) are done under the
> 'ldap suffix'.  If you have that set so that it can 'see' both
> ou=People and ou=Computers, it really should 'just work'.  The 'ldap
> user suffix' and 'ldap machine suffix' were meant to control where
> users and machines get put, if they don't already exist.  Due to
> current requirements, you pretty much always have to run an add user
> script, so more important is setting this in the ldap tools.
> Andrew Bartlett

No, the key is not the smb.conf file but the ldap.conf file. Samba seems to
look for machine accounts among users returned by the Name Service Switch
(what you get when you run the command 'getent passwd').

Most people have the "nss_base_passwd" property in ldap.conf set as
"ou=People, dc=domain,dc=com" and the "scope" property set as "one".
If ldap.conf is configured this way NSS only returns entries in the
ou=People subtree.

If "scope" is set to "sub" and "nss_base_passwd" is set to
"dc=domain,dc=com" then NSS switch will return as users all entries in
subtrees of "dc=domain,dc=com", including both the ou=Computers and the
ou=People subtree.
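
The base and scope behaviour described in the message above, as an added example that is not part of the original post or of Samba or nss_ldap: a small checker that reads the passwd search settings from ldap.conf text and reports whether a given entry DN falls inside them. The sample configs and entry names are constructed, DNs are assumed to contain no escaped commas, and the per-line `base?scope` form and the default scope of "sub" are nss_ldap behaviour that the message does not mention.

```python
# Added example: which LDAP entries fall inside nss_ldap's passwd search.
# Assumptions: DNs contain no escaped commas; nss_ldap's default scope is "sub".

def norm_dn(dn):
    """Split a DN into lowercase RDNs, ignoring spaces after commas."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def passwd_searches(conf_text):
    """Return [(base_rdns, scope)] for every nss_base_passwd line."""
    default_scope, found = "sub", []
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "scope":
            default_scope = value.lower()
        elif key == "nss_base_passwd":
            # nss_ldap also accepts "base?scope?filter" on this line
            base, _, rest = value.partition("?")
            found.append((norm_dn(base), rest.split("?")[0].lower()))
    return [(base, scope or default_scope) for base, scope in found]

def visible(entry_dn, searches):
    """True if entry_dn is inside at least one (base, scope) search."""
    entry = norm_dn(entry_dn)
    for base, scope in searches:
        depth = len(entry) - len(base)
        if depth < 0 or entry[depth:] != base:
            continue  # entry is not under this base at all
        if scope == "sub" or (scope == "one" and depth == 1) \
                or (scope == "base" and depth == 0):
            return True
    return False

# Constructed sample configs matching the two setups in the message.
NARROW = "nss_base_passwd ou=People, dc=domain,dc=com\nscope one\n"
WIDE = "nss_base_passwd dc=domain,dc=com\nscope sub\n"
# Constructed entries; the names are placeholders.
USER = "uid=alice,ou=People,dc=domain,dc=com"
MACHINE = "uid=ws01$,ou=Computers,dc=domain,dc=com"

if __name__ == "__main__":
    for name, conf in (("narrow", NARROW), ("wide", WIDE)):
        s = passwd_searches(conf)
        print(name, "user:", visible(USER, s), "machine:", visible(MACHINE, s))
```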

