Re: [Samba] LDAP adding workstation accounts fails (but not really???)

Pat Riehecky prieheck at iwu.edu
Tue Feb 26 20:27:15 GMT 2008


I very much appreciate the help thus far, but I think it has strayed a
bit from the actual problem.

The problem is that when I join a system to the samba domain it
creates /some/ but not all of the required attributes for the computer
account.  The process then fails as samba looks in the wrong part of my
directory server.  I would strongly prefer to put the workstation
accounts in their own tree (ou=Computers).  I added the relevant bits to
the smb.conf for this to happen (ldap machine suffix = ou=Computers) and
restarted samba.  Yet the debug logs show me that, while it executes the
machine add script just fine, it is still looking in ou=People.  As a
leap into absurdity I even rebooted the whole box (in case a shared
memory segment was somehow hanging about), still the samba binary is
convinced my computer accounts live in ou=People.  The process becomes
more odd when I can see in the debug log that the samba binary has
successfully read in my machine suffix.

I find this a bit unusual.
Pat

On Tue, 2008-02-26 at 09:03 -0800, Chuck Kollars wrote:
> > ...Yet, if I search LDAP after the join attempt I 
> > find: dn: uid=testing$,ou=Computers,dc=iwu,dc=edu
> 
> This convention of a "workstation" account being the
> same as a "people" account except with a dollar sign
> appended to the name is the way Windows works.
> Weird? Yes. Looks wrong? Yes. Needs "fixing"? Maybe not. 
> 
> >   ...My LDAP logs show it is searching ou=People 
> > rather than ou=Computers to see if it was added 
> > successfully.  What must I do to make it search
> > ou=Computers? ...
> 
> Unfortunately it's pretty easy and pretty common to
> use LDAP in a way that doesn't match the "usual" human
> definitions of some words. This isn't necessarily
> wrong though. If an operation doesn't work, definitely
> dig in. But if an operation "works" but appears to use
> words differently than your definitions, it may not be
> a problem. 
> 
> Every LDAP tool has its own settings. Change it for
> one tool, and it will still behave the old way for
> other tools. 
> 
> For `ldapsearch`, there are several settings, the
> later of which override the earlier. One is "base" in
> a file named something like /etc/openldap/ldap.conf.
> This may be overridden by a command line parameter to
> `ldapsearch`. 
> 
> For LDAP name service lookups (if enabled in
> /etc/nsswitch.conf), again there's "base" but this
> time in /etc/ldap.conf (a separate file but with a
> name very similar to the first one). Sometimes you'll
> also find "nss_base_hosts", which takes precedence if
> it exists. There may also be a setting on pam_ldap.so.
> 
> 
> etc.
> 
> > Now the other half of the question, the part you 
> > didn't ask, which is not where to "search" but 
> > where to "store". (Obviously storing in one place 
> > but searching in the other won't work at all. 
> > Both storing and searching in the "wrong" place 
> > may work perfectly well for Samba, yet might be
> > inconsistent with some of your other tools and
> > procedures.)
> 
> Unfortunately there are a gazillion different ways to
> update an LDAP database and they all work differently
> and are all configured differently. Are you using some
> scripts, or a web application like 'phpldapadmin', or
> the `ldapadd` command, or ...; and are you calling it
> explicitly or letting it be called from within Samba
> via the 'add machine' parameter?
> 
> good luck!
> 
> 
> -Chuck Kollars
> 
> 
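The thread turns on how Samba composes its LDAP search bases from smb.conf and why a setting that the daemon has "read in" can still have no effect. The script below is an added example for readers of this archive, not code from Pat, Chuck or the Samba project. It parses a constructed smb.conf fragment (modelled on the settings Pat describes, not his real file), resolves the `ldap user suffix` / `ldap machine suffix` values into full DNs the way Samba's ldapsam backend does (each one is prepended to `ldap suffix`; an unset one falls back to `ldap suffix` itself), flags ldap parameters that sit outside `[global]` and are therefore ignored, and checks whether a given entry DN lies under a search base. The hostname `ldap.example.invalid` and the share layout are assumptions.

```python
"""Resolve where Samba will look for machine accounts from an smb.conf fragment.

Added example for the mailing-list thread; not Samba code. The composition
rule implemented here ('<kind> suffix' is relative to 'ldap suffix') is
Samba's documented ldapsam behaviour.
"""
import re

# Constructed smb.conf fragment; the hostname and share are assumptions.
SAMPLE_SMB_CONF = """
[global]
    workgroup = IWU
    passdb backend = ldapsam:ldap://ldap.example.invalid
    ldap suffix = dc=iwu,dc=edu
    ldap user suffix = ou=People
    LDAP Machine Suffix = ou=Computers
    add machine script = /usr/sbin/smbldap-useradd -w "%u"

[homes]
    comment = Home Directories
    ; an ldap parameter placed in a share section is ignored by ldapsam
    ldap machine suffix = ou=Workstations
"""


def parse_smb_conf(text):
    """Return {section: {normalised_name: value}}.

    Samba treats parameter names case-insensitively and ignores internal
    whitespace, so 'LDAP Machine Suffix' and 'ldapmachinesuffix' are one key.
    Lines starting with '#' or ';' are comments.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        name, value = line.split("=", 1)
        key = re.sub(r"\s+", "", name).lower()
        sections[current][key] = value.strip()
    return sections


def effective_suffixes(sections):
    """Compose the full search bases: each '<kind> suffix' is prepended to
    'ldap suffix'; a kind that is not set falls back to 'ldap suffix'."""
    g = sections.get("global", {})
    base = g.get("ldapsuffix")
    if not base:
        raise ValueError("ldap suffix is not set in [global]")
    out = {}
    for kind in ("user", "machine", "group", "idmap"):
        rel = g.get("ldap%ssuffix" % kind)
        out[kind] = "%s,%s" % (rel, base) if rel else base
    return out


def misplaced_ldap_params(sections):
    """List ldap* parameters that appear outside [global]. Samba does not
    apply them, one way a setting can be 'read' yet change nothing."""
    found = []
    for sec, params in sections.items():
        if sec == "global":
            continue
        for key in params:
            if key.startswith("ldap"):
                found.append((sec, key))
    return found


def dn_under_base(dn, base):
    """Case-insensitive check that an entry DN sits under a search base."""
    norm = lambda s: re.sub(r"\s*,\s*", ",", s.strip()).lower()
    d, b = norm(dn), norm(base)
    return d == b or d.endswith("," + b)


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_SMB_CONF)
    bases = effective_suffixes(conf)
    for kind, dn in bases.items():
        print("%-8s search base: %s" % (kind, dn))
    for sec, key in misplaced_ldap_params(conf):
        print("WARNING: '%s' in [%s] is ignored; move it to [global]" % (key, sec))
    entry = "uid=testing$,ou=Computers,dc=iwu,dc=edu"  # DN from the thread
    print("entry under machine base:", dn_under_base(entry, bases["machine"]))
    print("entry under user base:   ", dn_under_base(entry, bases["user"]))
```

The same two questions can be put to a live server with `testparm -s` (which prints the configuration Samba actually loaded, after case folding and section placement are applied) and `ldapsearch -b <base>`, passing each composed base explicitly rather than relying on the default `base` from ldap.conf that Chuck mentions.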