Andrew Bartlett wrote:
On Thu, Jan 15, 2004 at 09:42:53AM -0400, Vegeta wrote:
Beast wrote:
I'm just storing machine accounts under ou=computer,ou=site,dc=domain,dc=com and it works.
Tested with W2K sp2 and W2K sp3; recreating from a fresh ldif 2 times never failed. I'm sure it is 'stable' right now :-)
'works' means it was able to add machine trust on-the-fly, or using manual creation with the smbpasswd command.
The key is not to use 'objectclass=sambaSamAccount' in the ldap filter.
Thanks to everybody who helps...
--beast
I did not use 'objectclass=sambaSamAccount' and 3.0.2pre1 still doesn't work for me using ou=computers.
All LDAP searches (for account objects, anyway) are done under the 'ldap suffix'. If you have that set so that it can 'see' both ou=People and ou=Computers, it really should 'just work'. The 'ldap user suffix' and 'ldap machine suffix' were meant to control where users and machines get put, if they don't already exist. Due to current requirements, you pretty much always have to run an add user script, so more important is setting this in the ldap tools.
Andrew Bartlett
No, the key is not the smb.conf file but the ldap.conf file. Samba seems to look for machine accounts among users returned by the Name Service Switch (what you get when you run the command 'getent passwd').
Most people have the "nss_base_passwd" property in ldap.conf set as "ou=People, dc=domain,dc=com" and the "scope" property set as "one".
If ldap.conf is configured this way, NSS only returns entries in the ou=People subtree.
If "scope" is set to "sub" and "nss_base_passwd" is set to "dc=domain,dc=com" then the NSS switch will return as users all entries in subtrees of "dc=domain,dc=com", including both the ou=Computers and the ou=People subtree.
For me, the key thing to make OU=Computers work was to keep the standard RH9 /etc/ldap.conf:
host 127.0.0.1
base dc=domain,dc=com
ssl no
pam_password md5
No nss_base_passwd, no nothing. It just runs.
And accounts (either users' or computers') are not directly in OU=People (I had to use OU=People because of Solaris), but in sub OUs (towns for Computers, towns and services or administrative Samba accounts for users).
Regards,
Jérôme
-- Jérôme Fenal - Consultant Unix/SAN/Logiciel Libre Groupe Expert & Managed Services - LogicaCMG France http://www.logicacmg.com/fr/ - <mailto:jerome.fenal AT logicacmg.com>