[Samba] LDAP suffixes

John H Terpstra jht at samba.org
Wed Aug 17 22:35:05 GMT 2005


On Wednesday 17 August 2005 15:57, Geert Stappers wrote:
> On Wed, Aug 17, 2005 at 10:56:39AM -0600, John H Terpstra wrote:
> > On Wednesday 17 August 2005 10:05, Geert Stappers wrote:
>
>        <snip/>
>
> > The problem is one of the ability to find the computer account via NSS.
> >
> > > My questions:
> > >
> > > * the version with the bug, did they work with
> > >
> > >  	ldap suffix = dc=foobar,dc=biz
> > >  	ldap user suffix = ou=People
> > >  	ldap machine suffix = ou=Computers,ou=People
> > >
> > > in smb.conf successful?
> > >
> > >
> > > * In which version was the bug fixed?
> >
> > This was not a Samba bug as explained above.
> >
> > PS: Suggest you refer to chapter 5, section 5.3.1.7, of the current
> > Samba3-ByExample book. You can obtain it on-line from:
> >
> > http://www.samba.org/samba/docs/Samba3-ByExample.pdf
> >
> > This book will become available in computer stores by mid-September.
>
> In chapter 5 I found
>
> . ldap suffix [dc=abmas,dc=biz] >
> . ldap group suffix [ou=Groups] >
> . ldap user suffix [ou=People,ou=Users] >
> . ldap machine suffix [ou=Computers,ou=Users] >
> . Idmap suffix [ou=Idmap] >
>
>
> That makes this LDAP  tree(beard)
>
>
>                              dc=abmas,dc=bz
>                                   /|\
>                                  / | \
>                                 /  |  \
>                         ou=Groups  | ou=Idmap
>
>                                 ou=Users
>                                   / \
>                                  /   \
>                                 /     \
>                         ou=People    ou=Computers
>
>
> That allows a   nss_base_passwd   ou=Users,dc=abmas,dc=biz?one

No, if you want to perform a single search in nss_ldap you need:

nss_base_passwd	ou=Users,dc=abmas,dc=biz?sub

Note: sub not one

>
>
> Shouldn't  /etc/samba/smb.conf contain
>
>     ldap user suffix = ou=People,ou=Users
>     ldap machine suffix = ou=Computers,ou=Users

Correct.

>
> or
>
>     ldap user suffix = ou=Users
>     ldap machine suffix = ou=Users

No, that expects all the accounts to be in the ou=Users container.

>
> instead of the current
>
>     ldap machine suffix = ou=People
>     ldap user suffix = ou=People

That expects all user and machine accounts in the ou=People container.

>
> that is now in Example 5.7. LDAP Based smb.conf File, Server: MASSIVE
> global Section: Part B at
> http://us2.samba.org/samba/docs/man/Samba3-ByExample/happy.html ?

The example puts both user and machine accounts into the ou=People container. 
The diagnostic section explains how they CAN be separated.

Cheers,
John T. (Jan, the man who can't do everything).
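
Added example, not part of the original message and not Samba or nss_ldap code: a small model of LDAP search scopes over a constructed copy of the tree discussed above, showing which account entries each nss_base_passwd value can reach. The uid=alice and uid=ws01$ entries and all function names are hypothetical.

```python
# Constructed sample directory laid out like the tree in the thread.
ENTRIES = [
    "dc=abmas,dc=biz",
    "ou=Groups,dc=abmas,dc=biz",
    "ou=Idmap,dc=abmas,dc=biz",
    "ou=Users,dc=abmas,dc=biz",
    "ou=People,ou=Users,dc=abmas,dc=biz",
    "ou=Computers,ou=Users,dc=abmas,dc=biz",
    "uid=alice,ou=People,ou=Users,dc=abmas,dc=biz",     # hypothetical user account
    "uid=ws01$,ou=Computers,ou=Users,dc=abmas,dc=biz",  # hypothetical machine account
]

def parse_dn(dn):
    """Split a simple DN into normalized RDNs (escaped commas are not handled)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def depth_below(base, dn):
    """Return how many levels dn sits below base, or None if dn is outside base."""
    b, d = parse_dn(base), parse_dn(dn)
    if len(d) < len(b) or d[len(d) - len(b):] != b:
        return None
    return len(d) - len(b)

# LDAP scopes: base = the entry itself, one = direct children only,
# sub = the entry and everything beneath it.
SCOPES = {"base": lambda n: n == 0, "one": lambda n: n == 1, "sub": lambda n: n >= 0}

def search(base, scope, entries=ENTRIES):
    """Return the entries an LDAP search with the given base and scope would match."""
    hits = []
    for dn in entries:
        n = depth_below(base, dn)
        if n is not None and SCOPES[scope](n):
            hits.append(dn)
    return hits

def accounts(base_with_scope):
    """Resolve a 'base?scope' value (as in nss_base_passwd) to uid= entries."""
    base, scope = base_with_scope.split("?")
    return [dn for dn in search(base, scope) if dn.lower().startswith("uid=")]

if __name__ == "__main__":
    for value in ("ou=Users,dc=abmas,dc=biz?one",
                  "ou=Users,dc=abmas,dc=biz?sub",
                  "ou=People,ou=Users,dc=abmas,dc=biz?one"):
        print(value, "->", accounts(value))
```

With `?one` at ou=Users the search stops at the ou=People and ou=Computers containers themselves, so neither the user nor the machine account is visible to NSS.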

