[Samba] Re: Re: Re: Good News, ou=computer works! :-)

Vegeta lord.vegeta at ica.luz.ve
Fri Jan 16 14:44:28 GMT 2004


Beast wrote:

> On Thu, 15 Jan 2004 22:54:54 -0400
> Vegeta <lord.vegeta at ica.luz.ve> wrote:
>> 
>> No, the key is not the smb.conf file but the ldap.conf file. Samba seems
>> to look for machine accounts among users returned by the Name Service
>> Switch (what you get when you run the command 'getent passwd').
> 
> That's why I ask whether id machinename$ works or not first; even if it works
> for me, samba still can't add a machine to the domain if the ldap filter in
> smb.conf is the default.
> 
>> 
>> Most people have the "nss_base_passwd" property in ldap.conf set as
>> "ou=People, dc=domain,dc=com" and the "scope" property set as "one".
>> If ldap.conf is configured this way NSS only returns entries in the
>> ou=People subtree.
> 
> AFAIK, no. The default is commented; let me know your OS if it's not.
> It's there to speed up the queries; you can tweak it as you need, but not by
> default. The value will overwrite any base and sub mentioned before.
> 
> Btw, setting this value correctly will *greatly* reduce the load of the ldap
> server, esp. under heavy load and thousands of entries in ldap. OL can lock up
> the machine under heavy load, so beware...
> 
>> 
>> If "scope" is set to "sub" and "nss_base_passwd" is set to
>> "dc=domain,dc=com" then NSS switch will return as users all entries in
>> subtrees of "dc=domain,dc=com", including both the ou=Computers and the
>> ou=People subtree.
>> 
> 
> If you did not set it, the default is sub (nss_ldap from padl)
> I've set it just to make it more readable.
> 
> So, the key is in ldap filter (smb.conf) until you can prove it was wrong
> :-)
> 
> 
> --beast
> 
The key is not ldap filter. If ldap filter includes
'objectclass=sambaSamAccount' you can only modify existing entries with
objectclass=sambaSamAccount.
You cannot add samba attributes to existing entries because they do not have
objectclass=sambaSamAccount.
The first time I could successfully use smbpasswd -a was when I removed
'objectclass=sambaSamAccount' from the ldap filter. At that time, I could
not add machines to ou=Computers.
If you don't believe me, try setting 'scope one' and 'nss_base_passwd
ou=People,...' in nsswitch.conf.


-- 
Fuera Chávez
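
Added example, not part of the message above and not Samba or nss_ldap code: a small model of LDAP search scope showing which accounts a passwd lookup can see for the base and scope combinations discussed in this thread. The directory entries and function names are constructed for illustration, and nothing here queries a real LDAP server.

```python
# Constructed directory entries (DN -> uid); sample data, not from the thread.
ENTRIES = {
    "uid=alice,ou=People,dc=domain,dc=com": "alice",
    "uid=bob,ou=People,dc=domain,dc=com": "bob",
    "uid=ws01$,ou=Computers,dc=domain,dc=com": "ws01$",
}


def parse_dn(dn):
    """Split a DN into normalized RDNs (simplified: no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(entry_dn, base_dn, scope):
    """LDAP scope semantics: base = the entry itself, one = direct children,
    sub = the base entry and everything beneath it."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    depth = len(entry) - len(base)
    if depth < 0 or entry[depth:] != base:
        return False  # entry is not at or below the search base
    if scope == "base":
        return depth == 0
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError("unknown scope: %r" % scope)


def nss_passwd(base_dn, scope):
    """Accounts a passwd lookup would return for this base and scope."""
    return sorted(uid for dn, uid in ENTRIES.items()
                  if in_scope(dn, base_dn, scope))


def machine_visible(machine, base_dn, scope):
    """True if the machine account resolves as a user under this setting."""
    return machine in nss_passwd(base_dn, scope)


if __name__ == "__main__":
    for base, scope in [("ou=People, dc=domain,dc=com", "one"),
                        ("dc=domain,dc=com", "sub"),
                        ("dc=domain,dc=com", "one")]:
        print("%-30s %-4s -> %s" % (base, scope, nss_passwd(base, scope)))
```

On a live system the equivalent check is whether 'getent passwd' lists the machine account.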


