[Samba] smbldap-tools not playing nice w/ samba ?

Tony Earnshaw tonye at billy.demon.nl
Fri Apr 8 22:42:26 GMT 2005

On Fri, 08.04.2005 at 18.46, Ben Davis wrote:

> >>I tried this and it still did not work.  The problem as far as I can 
> >>tell is that samba is not even attempting to search for the user after 
> >>it adds it.  The very last operations in my slapd.log after the error 
> >>occurred,  were:
> >>    
> >>
> >This is not so:
> >
> >>onn=20539 op=1 SRCH base="dc=pca-wichita,dc=com" scope=2 
> >>filter="(&(objectClass=posixAccount)(uid=melisa$))"
> >>    
> >>
> >This is a search, scope sub, for
> >(&(objectClass=posixAccount)(uid=melisa$))
> >
> >>onn=20539 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
> >>conn=20539 op=2 SRCH 
> >>    
> >>
> >This is the log entry that says that no object is found. I.e., there is
> >either no combination of objectClass=posixAccount and uid=melisa$, or
> >the LDAP ACL prohibits it being read.
> >
> Right,  but that is only the FIRST operation for that connection. Read 
> that log again.

Did it. You're right.

>  The LAST operation is where it adds the entry.  
> Therefore it is my understanding that samba (or the idealx script) is 
> searching for the entry which doesn't exist (as expected, because this 
> is the first time the machine has joined) and then adding it...   My 
> point was that the very LAST thing that happened is the machine user 
> gets added, and then nothing else (no searches or anything) happens 
> after that.
> My question is why isn't samba doing anything _after_ the user gets 
> added to LDAP?

I can't use the idealx scripts at all, since they'd not be able to cope
with a DIT that I had *long* before I started using Samba, with several
user group containers spread through the base DIT.

The idealx scripts could not cope with these, they couldn't cope with my
Computer DN, such as I've defined it and they couldn't cope with my
group definitions. Nor could LAM, nor could anything else written as
off-the-cuff panaceas.

I write my own scripts (pure awk) for adding Posix accounts for 5
different groups, I write my own scripts (shell/awk/sed/OpenLDAP tools)
for adding groups and computers/Windows workstations, I'm an OpenLDAP
person (was long before I started with Samba).

I incorporate the Samba tools (mostly smbpasswd) into my scripts as
necessary and they always work. I've looked through and even tried to
change the idealx stuff to do what I want and what I do, but that's
useless, since the idealx scripts are not capable of doing what I do
(multiple user groups, user-defined object classes and attributes from
given first-middle-last-name lists), converting these into Samba/Windows
users, etc.

My scripts are utterly disjointed and not fit to publish, so I won't
even offer them. They were written one by one until each did what I
wanted. There are at least 10, disjointed, shit scripts. All I can say
is, that there's a hell of a lot of difference between the Samba tools
(smbpasswd, smbd, pdbedit, etc) and the idealx scripts. The latter are
intended for kindergarten-standard OpenLDAP administrators who don't
know arse from tit and the former are written for Unix system

I have a site running 75+ Windows 2000 workstations with 1150+ potential
single-login Samba 3.0.11 users that also use OpenLDAP for Linux
Terminal Server Project, smtp and IMAP e-mail, Pykota print quota stuff,
etc. purposes. I couldn't possibly have done the Samba bit using the
idealx scripts or any other off-the-cuff scripts.

So my advice would be for you to be more critical of the idealx scripts
and parse each one. If you find out why they are not working, you won't
need to post here for help on why. As I wrote above, they're useless for
me, so I write my own.
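
The exchange above turns on reading slapd's log per connection and operation. As an added example (not part of the original message, and not Samba or smbldap-tools code), this Python script pairs each SRCH/ADD line with its result line and lists successful ADDs that no later search reads back. The log lines, host name and DNs are constructed, and matching the RDN value as a substring of the search filter is a simplifying assumption.

```python
import re

# Constructed sample (not from the thread): a machine account is searched for,
# not found, added, and never searched for again.
SAMPLE_LOG = """\
Apr  8 18:40:01 ldap slapd[911]: conn=1001 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=host1$))"
Apr  8 18:40:01 ldap slapd[911]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Apr  8 18:40:02 ldap slapd[911]: conn=1001 op=2 ADD dn="uid=host1$,ou=Computers,dc=example,dc=com"
Apr  8 18:40:02 ldap slapd[911]: conn=1001 op=2 RESULT tag=105 err=0 text=
"""

EVENT = re.compile(r"conn=(\d+) op=(\d+) (SRCH|ADD|SEARCH RESULT|RESULT)\b(.*)")

def parse(log_text):
    """Merge each request line with its result line, keyed by (conn, op)."""
    ops = {}
    for seq, line in enumerate(log_text.splitlines()):
        m = EVENT.search(line)
        if not m:
            continue
        key, kind, rest = (int(m[1]), int(m[2])), m[3], m[4]
        rec = ops.setdefault(key, {"seq": seq})  # seq = position in the log
        if kind in ("SRCH", "ADD"):
            target = re.search(r'(?:filter|dn)="([^"]*)"', rest)
            rec.update(kind=kind, target=target[1] if target else "")
        else:
            for field in ("err", "nentries"):
                val = re.search(rf"\b{field}=(\d+)", rest)
                if val:
                    rec[field] = int(val[1])
    return ops

def adds_never_read_back(log_text):
    """Successful ADDs whose RDN value appears in no later SRCH filter."""
    ops = parse(log_text)
    searches = [r for r in ops.values() if r.get("kind") == "SRCH"]
    missing = []
    for (conn, op), rec in ops.items():
        if rec.get("kind") != "ADD" or rec.get("err") != 0:
            continue
        rdn_value = rec["target"].split(",")[0].split("=", 1)[-1]
        if not any(s["seq"] > rec["seq"] and rdn_value in s["target"] for s in searches):
            missing.append((conn, op, rec["target"]))
    return missing

def empty_searches(log_text):
    """Searches that returned nentries=0 (no match, or ACL denied read)."""
    return [(c, o, r["target"]) for (c, o), r in parse(log_text).items()
            if r.get("kind") == "SRCH" and r.get("nentries") == 0]
```

The follow-up search is looked for on every connection, not only the one that performed the ADD, since the client may open a new connection for it.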


