[Samba] vampire fails because of Debian smbldap-tools problem

John H Terpstra jht at Samba.Org
Thu Nov 25 00:16:27 GMT 2004

On Wednesday 24 November 2004 16:44, Alex Satrapa wrote:
> On 25 Nov 2004, at 10:09, John H Terpstra wrote:
> > On Wednesday 24 November 2004 15:30, tom burkart wrote:
> >> The other really useful thing I found while looking for the above
> >> reference is in the Samba-Guide/happy.html#id2536161 where in the
> >> note it
> >> says that having separate containers for users and computers does not
> >> yet
> >> work, yet examples appear to use this (hence I got the crazy idea it
> >> should just work and it didn't).
> >
> > Smile. :) It can be made to work by moving the basedn up the tree. The
> > performance impact works against that.
> Another option is to add a new ou into the tree - I can't remember
> where I read this idea:
>   dc=example,dc=com
>    + ou=Accounts
>       + ou=People
>       + ou=Computers
> That way you can limit the search to ou=Account,dc=example,dc=com, and
> still separate Computer accounts from People accounts.

Precisely how does this help? What is the benefit? 

You still need to be able to resolve BOTH machine accounts AND user accounts 
via NSS. There is only one vehicle that is the mechanism for user account 
resolution - the NSS entry for passwd. This is achieved through ldap.conf by 
specifying the nss_base_passwd entry.

No matter how you cut your cake with this, the machine accounts _AND_ the user 
accounts must be listed by: getent passwd

So - why separate them? What is the gain?

- John T.
John H Terpstra
Samba-Team Member
Phone: +1 (650) 580-8668

The Official Samba-3 HOWTO & Reference Guide, ISBN: 0131453556
Samba-3 by Example, ISBN: 0131472216
Hardening Linux, ISBN: 0072254971
Other books in production.

More information about the samba mailing list