Hi,
I've just moved a second Samba domain to LDAP -- it works great! However, the
first domain is now dead in the water. It refuses to authenticate, and from
the logs it looks like it's not finding the SambaDomainName entry in the LDAP
tree. Here is a diagram of how my LDAP tree is set up.
dc=mycompany,dc=com
|___ ou=computers
|___ ou=people
|___ ou=groups
|___ sambaDomain=domain1
|___ ou=domain2
     |___ ou=computers
     |___ ou=people
     |___ ou=groups
     |___ sambaDomain=domain2
In domain1's smb.conf, I have:
ldap suffix = dc=mydomain,dc=com
In domain2's smb.conf, I have:
ldap suffix = ou=domain2,dc=mydomain,dc=com
Domain2 is working flawlessly. Domain1, however, is not. When I do a simple
'smbclient -L localhost' as root, I get the following log from slapd at
loglevel 256:
Oct 29 09:03:23 oink slapd[5290]: conn=88 fd=16 ACCEPT from IP=127.0.0.1:32841 (IP=0.0.0.0:389)
Oct 29 09:03:23 oink slapd[5290]: conn=88 op=0 BIND dn="cn=Manager,dc=borkholder,dc=com" method=128
Oct 29 09:03:23 oink slapd[5290]: conn=88 op=0 BIND dn="cn=Manager,dc=borkholder,dc=com" mech=SIMPLE ssf=0
Oct 29 09:03:23 oink slapd[5290]: conn=88 op=0 RESULT tag=97 err=0 text=
Oct 29 09:03:23 oink slapd[5290]: conn=88 op=1 SRCH base="dc=borkholder,dc=com" scope=2 deref=0 filter="(&(objectClass=sambaDomain)(sambaDomainName=corp1))"
Oct 29 09:03:23 oink slapd[5290]: conn=88 op=1 SRCH attr=sambaDomainName sambaNextRid sambaNextUserRid sambaNextGroupRid sambaSID sambaAlgorithmicRidBase objectClass
Oct 29 09:03:23 oink slapd[5290]: <= bdb_equality_candidates: (sambaDomainName) index_param failed (18)
Oct 29 09:03:23 oink slapd[5290]: conn=88 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 29 09:03:26 oink slapd[5290]: conn=88 op=2 SRCH base="dc=borkholder,dc=com" scope=2 deref=0 filter="(&(uid=root)(objectClass=sambaSamAccount))"
Oct 29 09:03:26 oink slapd[5290]: conn=88 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
Oct 29 09:03:26 oink slapd[5290]: <= bdb_equality_candidates: (uid) index_param failed(18)
Oct 29 09:03:26 oink slapd[5290]: conn=88 op=2 SEARCH RESULT tag=101 err=0 nentries=2 text=
Oct 29 09:03:26 oink slapd[5290]: conn=88 fd=16 closed
Oct 29 09:03:27 oink slapd[5290]: conn=24 fd=18 closed
I also want to say that the reason I have domain2 off in its own subtree is
that it is going to eventually control its portion of the tree and take
referrals from the main LDAP tree. It's over a T1 from the main office and I
want to keep bandwidth down. I could put domain1 in its own subtree as well,
but it seems a little overkill if I can avoid it since there will be about 50
users of domain1 and only about 10 of domain2.
Thanks for any help you can give,
Misty
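
An added example, not part of the original post: a small Python parser that pairs each slapd SRCH line with its SEARCH RESULT by conn/op and lists equality lookups on uid or sambaDomainName that returned more than one entry. The function names and the choice of attributes to flag are assumptions; the sample lines are taken from the log above with wrapped lines rejoined.

```python
import re
from collections import defaultdict

# Sample lines taken from the log in the post above, with wrapped lines rejoined.
SAMPLE_LOG = """\
Oct 29 09:03:23 oink slapd[5290]: conn=88 op=1 SRCH base="dc=borkholder,dc=com" scope=2 deref=0 filter="(&(objectClass=sambaDomain)(sambaDomainName=corp1))"
Oct 29 09:03:23 oink slapd[5290]: conn=88 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Oct 29 09:03:26 oink slapd[5290]: conn=88 op=2 SRCH base="dc=borkholder,dc=com" scope=2 deref=0 filter="(&(uid=root)(objectClass=sambaSamAccount))"
Oct 29 09:03:26 oink slapd[5290]: conn=88 op=2 SEARCH RESULT tag=101 err=0 nentries=2 text=
"""

OP_RE = re.compile(r"conn=(\d+) op=(\d+) (SRCH|SEARCH RESULT) (.*)")
SRCH_RE = re.compile(r'base="([^"]*)" scope=(\d) deref=\d filter="([^"]*)"')
RESULT_RE = re.compile(r"err=(\d+) nentries=(\d+)")

def pair_searches(log_text):
    """Join each SRCH line with its SEARCH RESULT using the (conn, op) pair."""
    ops = defaultdict(dict)
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        conn, op, kind, rest = m.groups()
        key = (int(conn), int(op))
        if kind == "SRCH":
            s = SRCH_RE.search(rest)
            if s:  # "SRCH attr=..." lines carry no base/filter and are skipped
                ops[key].update(base=s.group(1), scope=int(s.group(2)), filter=s.group(3))
        else:
            r = RESULT_RE.search(rest)
            if r:
                ops[key].update(err=int(r.group(1)), nentries=int(r.group(2)))
    return [dict(conn=c, op=o, **v) for (c, o), v in sorted(ops.items())
            if "filter" in v and "nentries" in v]

def ambiguous_lookups(searches):
    """Equality lookups on uid or sambaDomainName that matched more than one entry."""
    single = re.compile(r"\((uid|sambaDomainName)=[^*()]+\)")
    return [s for s in searches if single.search(s["filter"]) and s["nentries"] > 1]

if __name__ == "__main__":
    for s in ambiguous_lookups(pair_searches(SAMPLE_LOG)):
        print(f'conn={s["conn"]} op={s["op"]} base={s["base"]} scope={s["scope"]} '
              f'filter={s["filter"]} nentries={s["nentries"]}')
```

On the sample it reports the op=2 search for uid=root, which ran with scope=2 from base dc=borkholder,dc=com and returned nentries=2.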