[Samba] Unable to add machine accounts

Chris St. Pierre stpierre at NebrWesleyan.edu
Mon Mar 30 19:56:02 GMT 2009


On Mon, 30 Mar 2009, John Drescher wrote:

> Is that destructive to an existing setup? I have been using samba and
> openldap for around 5 years.

Looks that way.  I've also been using Samba + LDAP for about 5 years,
and have 8000 users and 1000 machine accounts I'd kinda like to keep
around.

It also assumes that your Samba box is your OpenLDAP box.  I have two
of the former and four of the latter, none of which share hardware.
Not that that would matter for me anyway, since that script assumes
you use OpenLDAP, and I use Fedora DS.  These are just the problems I
found in about a 60-second perusal of the script.

In other words, it looks fine if you're trying to get your shiny new
Samba + LDAP setup working on your home server, but it's not exactly
what I'd call enterprise quality software.

That said, I figured out the problem -- kind of: nscd.  As far as I
can tell, what happens is:

1.  In the process of creating a trust account, Samba checks to see if
the account already exists.  nscd caches a negative answer.

2.  The account is created.

3.  Samba again checks for the account, but gets nscd's cached
negative reply.

Not using nscd isn't really a good option for us.

I tried reducing the nscd negative TTL so it was below the -t (wait)
argument to smbldap-useradd, but that didn't appear to work.

My other option is to wrap smbldap-useradd in a script that
invalidates the entire nscd cache, but that's also not a very good
option, since it torches the entire cache, not just the entry that
needs to be invalidated.  Admittedly, we don't add machine accounts
that often, but it's not really my favorite solution.

I'm sure other people must be running Samba + nscd.  What other
solutions are there to this problem?

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
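A wrapper along the lines of the second option described above, added here as an illustration and not code from the original thread: it runs smbldap-useradd, polls the name service for the new account, and only falls back to invalidating nscd's passwd table (the whole table, which is as fine-grained as `nscd -i` gets) when the stale negative entry still blocks the lookup. The command names, retry count and sleep interval are overridable variables, so the logic can be exercised without a live LDAP directory or nscd; the `-w` (workstation) flag of smbldap-useradd is assumed.

```shell
#!/bin/sh
# Hypothetical wrapper for adding a Samba machine (trust) account when nscd
# has cached a negative passwd lookup for the name. Creates the account,
# then checks whether the name service can see it; nscd's passwd table is
# invalidated only if the account is still invisible after RETRIES tries.
# Assumed tools: smbldap-useradd, getent, nscd (all overridable below).

: "${SMBLDAP_USERADD:=smbldap-useradd}"   # account creation command
: "${LOOKUP:=getent}"                      # name-service lookup (via nscd)
: "${NSCD:=nscd}"                          # cache daemon control command
: "${RETRIES:=5}"                          # lookups before invalidating
: "${SLEEP_SECS:=1}"                       # pause between lookups

# account_visible NAME -> 0 if the name service resolves NAME, else 1
account_visible() {
    "$LOOKUP" passwd "$1" >/dev/null 2>&1
}

# wait_for_account NAME -> 0 once NAME resolves. After RETRIES misses it
# drops nscd's passwd table once and re-checks; returns 1 if still missing.
wait_for_account() {
    name=$1
    i=0
    while [ "$i" -lt "$RETRIES" ]; do
        account_visible "$name" && return 0
        i=$((i + 1))
        sleep "$SLEEP_SECS"
    done
    "$NSCD" -i passwd          # stale negative entry: flush the passwd table
    account_visible "$name"
}

# add_machine_account HOST -> creates HOST$ and waits until it is visible
add_machine_account() {
    name=$1
    case $name in *'$') ;; *) name="$name"'$' ;; esac   # machine accounts end in $
    "$SMBLDAP_USERADD" -w "$name" || return 1
    wait_for_account "$name"
}

# Usage: ./add-machine.sh HOSTNAME
if [ "$#" -gt 0 ]; then add_machine_account "$1"; fi
```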
