[Samba] Re: Good News, ou=computer works! :-)

Jérôme Fenal jerome.fenal at logicacmg.com
Fri Jan 16 09:39:44 GMT 2004

Vegeta wrote:
> Andrew Bartlett wrote:
>>On Thu, Jan 15, 2004 at 09:42:53AM -0400, Vegeta wrote:
>>>Beast wrote:
>>>>I'm just storing machine accounts under
>>>>ou=computer,ou=site,dc=domain,dc=com and it works.
>>>>Tested with W2K sp2 and W2K sp3, recreating from fresh ldif 2 times
>>>>were never failed. Im sure it is 'stable' right now :-)
>>>>'works' means it was able to add machine trust on-the-fly, or using
>>>>manual creation with smbpasswd command.
>>>>The key is in not to use 'objectclass=sambaSamAccount' in ldap filter.
>>>>Tks to everybody who helps...
>>>I did not use 'objectclass=sambaSamAccount' and 3.0.2pre1 still doesn't
>>>work for me using ou=computers
>>All LDAP searche (for account objects, anyway) are done under the
>>'ldap suffix'.  If you have that set so that it can 'see' both
>>ou=People and ou=Computers, it really should 'just work'.  The 'ldap
>>user suffix' and 'ldap machine suffix' was meant to control where
>>users and machines get put, if they don't already exist.  Due to
>>current requirments, you pretty much always have to run an add user
>>script, so more important issetting this in the ldap tools.
>>Andrew Bartlett
> No, the key is not the smb.conf file but the ldap.conf file. Samba seems to
> look for machine accounts among users returned by the Name Service Switch
> (what you get when you run the command 'getent passwd').
> Most people has the "nss_base_passwd" property in ldap.conf set as 
> "ou=People, dc=domain,dc=com" and the "scope" property set as "one".
> If ldap.conf is configured this way NSS only returns entries in the
> ou=People subtree.
> If "scope" is set to "sub" and "nss_base_passwd" is set to
> "dc=domain,dc=com" then NSS switch will return as users all entries in
> subtrees of "dc=domain,dc=com", including both the ou=Computers and the
> ou=People subtree.

For me, the key thing to make OU=Computers work, was to keep the 
standard RH9 /etc/ldap.conf :

base dc=domain,dc=com
ssl no
pam_password md5

No nss_base_passwd, no nothing. It just runs.
And accounts (either users' or computers') are not directly in OU=People 
(I had to user OU=People because of Solaris), but in sub OU's (towns for 
Computers, towns and services or administrative Samba accounts for users).



Jérôme Fenal - Consultant Unix/SAN/Logiciel Libre
Groupe Expert & Managed Services - LogicaCMG France
http://www.logicacmg.com/fr/ - <mailto:jerome.fenal AT logicacmg.com>

More information about the samba mailing list