[Samba] Users can't login on Samba+Ldap

Miguel Medalha miguelmedalha at sapo.pt
Tue May 19 18:54:25 GMT 2009

> or are you saying "nss_base_hosts ou=Computers,dc=DOMAIN,dc=IT?one" is wrong?

I don't know about NFS, but from the point of view of a Samba PDC the 
above is wrong. Computers are also domain users and as such they must be 
referred to the "nss_base_passwd" directive.

Quoting from "Samba 3 by Example, Chapter 5. Making Happy Users" which 
is dedicated to configuration of a LDAP PDC:


If the container for computer accounts is not the same as that for users 
(see the |smb.conf| file entry for |ldap machine suffix|), it may be 
necessary to set the following DIT dn in the |/etc/ldap.conf| file:

nss_base_passwd dc=abmas,dc=biz?sub

This instructs LDAP to search for machine as well as user entries from 
the top of the DIT down. This is inefficient, but at least should work. 
Note: It is possible to specify multiple |nss_base_passwd| entries in 
the |/etc/ldap.conf| file; they will be evaluated sequentially. Let us 
consider an example of use where the following DIT has been implemented:

- User accounts are stored under the DIT: ou=Users, dc=abmas, dc=biz

- User login accounts are under the DIT: ou=People, ou-Users, dc=abmas, 

- Computer accounts are under the DIT: ou=Computers, ou=Users, dc=abmas, 

The appropriate multiple entry for the |nss_base_passwd| directive in 
the |/etc/ldap.conf| file may be:

nss_base_passwd ou=People,ou=Users,dc=abmas,dc=org?one
nss_base_passwd ou=Computers,ou=Users,dc=abmas,dc=org?one
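
A way to check the point made in this message, as an added example that is not part of the original post or of the Samba documentation: the script parses the `nss_base_passwd` lines of an `/etc/ldap.conf` and reports whether a machine account under a given container would be returned by any of them. The sample file contents, the function names and the `pc01$` account name are constructed for illustration; it assumes the `base?scope` form shown above, a default scope of `sub` when none is given, and that the machine suffix is passed as a full DN.

```python
import re

# Constructed sample of /etc/ldap.conf, using the two entries quoted above.
SAMPLE_LDAP_CONF = """\
# nss_ldap search bases
nss_base_passwd ou=People,ou=Users,dc=abmas,dc=org?one
nss_base_passwd ou=Computers,ou=Users,dc=abmas,dc=org?one
nss_base_group  ou=Groups,dc=abmas,dc=org?one
"""

def norm_dn(dn):
    """Split a DN into lower-cased RDNs (simplified: no escaped commas)."""
    rdns = []
    for rdn in dn.split(","):
        if rdn.strip():
            attr, _, val = rdn.partition("=")
            rdns.append(f"{attr.strip().lower()}={val.strip().lower()}")
    return rdns

def passwd_bases(conf_text):
    """Return [(base_rdns, scope)] for every nss_base_passwd line, in file order."""
    bases = []
    for line in conf_text.splitlines():
        m = re.match(r"nss_base_passwd\s+(.+)$", line.strip(), re.IGNORECASE)
        if m:
            parts = m.group(1).strip().split("?")
            # Assumption: no explicit scope means a subtree search.
            scope = parts[1].lower() if len(parts) > 1 and parts[1] else "sub"
            bases.append((norm_dn(parts[0]), scope))
    return bases

def covers(base, scope, entry):
    """True if a search from `base` with `scope` can return `entry`."""
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False
    depth = len(entry) - len(base)  # 0 = the base itself, 1 = direct child
    return {"base": depth == 0, "one": depth == 1, "sub": True}.get(scope, False)

def machine_accounts_visible(conf_text, machine_suffix, sample_uid="pc01$"):
    """Would a machine account directly under machine_suffix resolve as a passwd entry?"""
    entry = norm_dn(f"uid={sample_uid},{machine_suffix}")
    return any(covers(b, s, entry) for b, s in passwd_bases(conf_text))

if __name__ == "__main__":
    suffix = "ou=Computers,ou=Users,dc=abmas,dc=org"
    print("machine accounts visible:", machine_accounts_visible(SAMPLE_LDAP_CONF, suffix))
```
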

