[Samba] smb.conf ignores "ldap user suffix"

Tri Tu ttu at sunext.com
Sat Oct 14 18:40:40 GMT 2006

Hi Volker,

Thank you very much for responding to my question.

I understand that there must be a reason that samba doesn't read the 
"ldap user suffix".  However, it doesn't make sense to include the 
parameter in the configuration file, because it's not true that this option 
is going to work.  It's confusing when reading or trying to understand the 
settings.  Also, it makes you feel that you are doing something wrong 
with the settings, and that that is why it doesn't work, since the man page says 
that this is the way it's going to work.

       ldap user suffix (G)
              This parameter specifies where users are added to the tree. If
              this parameter is unset, the value of ldap suffix will be used
              instead. The suffix string is pre-pended to the ldap suffix
              string so use a partial DN.

              Default: ldap user suffix =

              Example: ldap user suffix = ou=people

and the release notes say:

LDAP Changes

If "ldap user suffix" or "ldap machine suffix" are defined in
smb.conf, all user-accounts must reside below the user suffix,
and all machine and inter-domain trust-accounts must be located 
below the machine suffix.  Previous Samba releases would fall 
back to searching the 'ldap suffix' in some cases.

So when you explain to the team that the "ldap_xx_suffix" settings in the 
configuration are being ignored, others will think ... uhmmmm ... 
what is wrong here, since the document says it's the option to set it to 

I see that it does read "ldap group suffix" to get the group 
privileges.  There must be a way to fix this bug.  If not, it would be 
better to remove it from the configuration as well as the 
documentation.  The old version didn't have it and only used 'ldap suffix', 
which makes sense since it's true that this is the only option that makes it work.


Volker Lendecke wrote:
> On Fri, Oct 13, 2006 at 02:30:23PM -0700, Tri Tu wrote:
>> Seems like there is a bug in samba configuration with the version 3.0.22 
>> or later that it doesn't read the configuration variable within the 
>> smb.conf for ldap settings
>> ldap user suffix =
> We are not consistent here, true. In what sense does it
> really cause a problem for you instead of being a bit
> inconvenient in the log file?
> My general idea with the ldap_xx_suffix parameters would in
> general be to use them only when we create new objects and
> when searching do subtree level searches starting from 'ldap
> suffix' always. The inconsistent search behaviour has caused
> quite a number of bugs already, in particular with idmap and
> group mapping.
> So would anybody object if we changed the use of the
> ldap_xx_suffix parameters to be only used when creating
> objects?
> Thanks,
> Volker
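The two behaviours the thread contrasts, as an added example that is not code from Samba or from either poster: the script resolves a constructed smb.conf [global] section the way the smb.conf(5) excerpt above describes (the per-kind suffix is a partial DN prepended to 'ldap suffix', and an unset suffix falls back to 'ldap suffix'), then shows which constructed directory entries a lookup reaches when it searches only below the per-kind suffix (the 3.0.22 release-note behaviour) versus a subtree search that always starts at 'ldap suffix' (Volker's proposal). The smb.conf text, the DNs, the function names and the "partial DN" sanity check are all assumptions of this example.

```python
"""Resolve Samba's 'ldap * suffix' settings into (a) the DN a new object
is created under and (b) the base DN a lookup searches from.

Added example for this thread, not code from Samba.  The create-DN rule
is the one the smb.conf(5) excerpt states: the per-kind suffix is a
partial DN prepended to 'ldap suffix', and an unset suffix falls back
to 'ldap suffix'.  The two search-base behaviours are the ones the
thread contrasts: a scoped search below the per-kind suffix (what the
3.0.22 release notes describe) versus a subtree search always starting
at 'ldap suffix' (Volker's proposal).  The smb.conf text and the DNs
below are constructed for the example."""

import configparser

# Constructed sample [global] section of the kind under discussion.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    passdb backend = ldapsam:ldap://ldap.example.com
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=people
    ldap group suffix = ou=groups
    ldap machine suffix = ou=computers
    # 'ldap idmap suffix' is deliberately unset: it falls back to ldap suffix
"""

# Constructed directory entries: one user below the user suffix, one user
# created directly under 'ldap suffix' before the user suffix was set,
# and one machine account below the machine suffix.
SAMPLE_DNS = [
    "uid=alice,ou=people,dc=example,dc=com",
    "uid=legacy,dc=example,dc=com",
    "uid=ws01$,ou=computers,dc=example,dc=com",
]


def parse_global(text: str) -> dict:
    """Return the [global] options as a {lower-case key: value} dict.

    smb.conf keys may contain spaces and are case-insensitive; '#' and ';'
    start comment lines.  Only '=' is accepted as the delimiter so that a
    value such as 'ldapsam:ldap://host' is not split at the ':'.
    """
    cp = configparser.ConfigParser(
        delimiters=("=",),
        comment_prefixes=("#", ";"),
        interpolation=None,
    )
    cp.read_string(text)
    return {key.strip().lower(): value.strip() for key, value in cp["global"].items()}


def is_partial_suffix(partial: str, base: str) -> bool:
    """Sanity check added here (not a Samba behaviour): the man page asks
    for a partial DN.  Plain prepending of a full DN would yield a doubled
    suffix such as 'ou=people,dc=example,dc=com,dc=example,dc=com'."""
    return not partial.lower().endswith(base.lower())


def object_suffix(conf: dict, kind: str) -> str:
    """DN under which a new object of the given kind ('user', 'group',
    'machine', 'idmap') is added, following the smb.conf(5) rule."""
    base = conf["ldap suffix"]
    partial = conf.get(f"ldap {kind} suffix", "")
    if not partial:
        return base                      # unset: fall back to 'ldap suffix'
    if not is_partial_suffix(partial, base):
        raise ValueError(f"'ldap {kind} suffix' must be a partial DN, got {partial!r}")
    return f"{partial},{base}"           # partial DN prepended to 'ldap suffix'


def search_base(conf: dict, kind: str, scoped: bool) -> str:
    """Base DN a lookup for the given kind starts from.

    scoped=True  : search only below the per-kind suffix (release-note rule).
    scoped=False : subtree search from 'ldap suffix' for every kind
                   (Volker's proposal in the thread).
    """
    return object_suffix(conf, kind) if scoped else conf["ldap suffix"]


def dn_is_under(dn: str, base: str) -> bool:
    """True if dn equals base or lies anywhere in the subtree below it.
    Compared case-insensitively; RDN spacing variants are not normalised
    here, a real client should canonicalise DNs first."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def findable(conf: dict, kind: str, dns: list, scoped: bool) -> list:
    """Entries from dns that a search for the given kind would reach."""
    base = search_base(conf, kind, scoped)
    return [dn for dn in dns if dn_is_under(dn, base)]


if __name__ == "__main__":
    conf = parse_global(SAMPLE_SMB_CONF)
    for kind in ("user", "group", "machine", "idmap"):
        print(f"{kind:8s} created under: {object_suffix(conf, kind)}")
    for scoped in (True, False):
        print(f"user lookup, scoped={scoped}: {findable(conf, 'user', SAMPLE_DNS, scoped)}")
```

Run stand-alone, the scoped lookup reaches only uid=alice; the legacy entry created before "ldap user suffix" was set is invisible, which is exactly the "must reside below the user suffix" constraint from the release note. The subtree search from 'ldap suffix' finds the legacy user again, but it also reaches the machine account, so a lookup done that way still has to separate object kinds by its filter (objectclass, uid) rather than by search base. The partial-DN check is this script's addition: it catches the common mistake of writing the full DN into "ldap user suffix".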
