[Samba] Unable to add machine accounts

Jeremy Allison jra at samba.org
Mon Mar 30 22:49:50 GMT 2009


On Mon, Mar 30, 2009 at 02:56:02PM -0500, Chris St. Pierre wrote:
> On Mon, 30 Mar 2009, John Drescher wrote:
>
>> Is that destructive to an existing setup? I have been using samba and
>> openldap for around 5 years.
>
> Looks that way.  I've also been using Samba + LDAP for about 5 years,
> and have 8000 users and 1000 machine accounts I'd kinda like to keep
> around.
>
> It also assumes that your Samba box is your OpenLDAP box.  I have two
> of the former and four of the latter, none of which share hardware.
> Not that that would matter for me anyway, since that script assumes
> you use OpenLDAP, and I use Fedora DS.  These are just the problems I
> found in about a 60-second perusal of the script.
>
> In other words, it looks fine if you're trying to get your shiny new
> Samba + LDAP setup working on your home server, but it's not exactly
> what I'd call enterprise quality software.
>
> That said, I figured out the problem -- kind of: nscd.  As far as I
> can tell, what happens is:
>
> 1.  In the process of creating a trust account, Samba checks to see if
> the account already exists.  nscd caches a negative answer.
>
> 2.  The account is created.
>
> 3.  Samba again checks for the account, but gets nscd's cached
> negative reply.
>
> Not using nscd isn't really a good option for us.
>
> I tried reducing the nscd negative TTL so it was below the -t (wait)
> argument to smbldap-useradd, but that didn't appear to work.
>
> My other option is to wrap smbldap-useradd in a script that
> invalidates the entire nscd cache, but that's also not a very good
> option, since it torches the entire cache, not just the entry that
> needs to be invalidated.  Admittedly, we don't add machine accounts
> that often, but it's not really my favorite solution.
>
> I'm sure other people must be running Samba + nscd.  What other
> solutions are there to this problem?

The winbindd code uses nscd_flush_cache() calls to avoid this.
I'd be happy with a patch to the Samba + LDAP code to do the
same thing.

Jeremy.


More information about the samba mailing list