[Samba] 'ldap passwd sync' not working

Mon Feb 7 16:29:52 GMT 2005

Adam Tauno Williams:


>> Oh yes - regular (existing or new) POSIX group users can be anywhere in
>> your DSA,
> I think you mean "anywhere in your Dit";  "anywhere in your DSA" doesn't
> make much sense,


>> in any group (though it makes sense to put computer trusts under
>> ou=smb).
> I think you mean "in any container".

Nope, POSIX group - though it can also be a container, I guess. However,
leaves in that "container" may have other primary groups than that of the
"container" itself - in which OpenLDAP is more flexible than, e.g.,
Novell's eDirectory.

> And you're wrong, they need to be below the search base used by NSS for
> the appropriate object type - groups, person, etc...  You can only put
> them anywhere if you are using the root of the Dit as your search base
> which is generally inadvisable for a number of reasons.

I can only tell you what works for me (remember I wrote that I hate the
word HOWTO and all it implies). What I meant was that users don't have to
be in the smb tree/hierarchy - they may be in any hierarchy in the DIT.

>> Simply run smbpasswd or pdbedit (can be done from a script) on each one
>> to add them to the domain. Personally I don't use the IDEALX scripts, I
>> write my own awk and shell scripts.
> Same, we've written .NET (Mono) 'scripts' for doing this.


