[Samba] Re: SuSE 9.3 + Samba 3 + LDAP

David Krider david at davidkrider.com
Thu Aug 11 04:36:37 GMT 2005


On Wed, 2005-08-10 at 22:48 -0500, David Krider wrote:
> As someone replied to me, the latest version of Samba no longer needs
> the "ldap filter" configuration setting. I think this is too bad,
> because it looks like the relevant line in the IDEALX Howto -- which is
> commented out in the docs -- does *EXACTLY* what I think needs to be
> done. Like I'm implying here, I think this is a bug in the Samba code. I
> guess this means I ought to enter a bug in Samba's bugzilla?

Holy crap! On a lark, I added "ldap filter =
(&(objectClass=sambaSamAccount)(uid=%u))" to my smb.conf file -- like
the IDEALX script _used_ to say (but was commented out), and which the
LDAP logs suggested I needed -- and, lo and behold, IT WORKED!!! I got a
machine added to the domain.

Notes:
* I changed the gid of the "root" LDAP user to 512. It seemed to choke
on the fact that there was no group with an id of 0.
* I had to re-add all the "%u"'s to the various script lines in my
smb.conf file. Apparently, SWAT wiped them off.
* There's still some problem with the "ldap filter" parameter in logging
into the domain. Samba still wants to only search on
'objectClass=sambaSamAccount'. The filter parameter causes this to be
redundant (which doesn't hurt anything), but it's the (uid=%u) that's
saving the day. Now that I think about it, the filter ought to have just
been (uid=%u) -- or maybe (&(uid=&u)), depending -- I'll have to test
this further on the next machine join.
* The IDEALX smbldap-useradd script example in their smb.conf file is a
little misleading. You'll need a `-a' to get it to add a sambaSamAccount
object-classed account.
* phpldapadmin is fantastic. I highly recommend it.

It looks to me like the Samba people need to revoke the
ldap-filter-isn't-needed-any-more line, and the IDEALX people need to
address the fact that you don't need a uid 0 account to add machines to
the domain any more. (Or is this also not NOT true now?)

The bottom line here, Horst, is that I think you need this in your
smb.conf file:

	ldap filter = (uid=%u)

Please let us know how you get on.

Regards,
dk
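
The notes above mention SWAT stripping the "%u" tokens from the script lines and an "ldap filter" that only works once it contains (uid=%u). The following is an added example, not part of the original post or of Samba or IDEALX: it scans the [global] section of smb.conf text for account script lines and an "ldap filter" that have lost their %u. The script parameter names are standard smb.conf parameters; the sample configuration and its paths are constructed.

```python
import re

# smb.conf script parameters that receive the account name through %u
USER_SCRIPTS = ("add user script", "add machine script", "delete user script",
                "add user to group script", "delete user from group script",
                "set primary group script")

def parse_global(text):
    """Return {parameter: value} for the [global] section of smb.conf text.
    Backslash line continuations are not handled (assumption: one line each)."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # parameter names are matched without regard to case or spacing
            params[" ".join(key.lower().split())] = value.strip()
    return params

def check(text):
    """List script lines and an ldap filter (if set) that lack %u."""
    params, findings = parse_global(text), []
    for name in USER_SCRIPTS:
        if name in params and "%u" not in params[name]:
            findings.append(f"{name}: no %u in '{params[name]}'")
    flt = params.get("ldap filter")
    if flt is not None and "%u" not in flt:
        findings.append(f"ldap filter: no %u in '{flt}'")
    return findings

# Constructed sample: the first script line has lost its %u, as after a SWAT edit
SAMPLE = """\
[global]
   passdb backend = ldapsam:ldap://127.0.0.1
   add user script = /usr/local/sbin/smbldap-useradd -a -m
   add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
   ldap filter = (uid=%u)
"""

if __name__ == "__main__":
    for finding in check(SAMPLE):
        print(finding)
```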