samba - Jun 2005 - Solution to smbldap-tools not adding sambaSAMAccount

Well I finally managed to get my machines added to my ldap/samba domain.

The problem was that I had defined an ou each for Computers and Users.  ie

dc=base,dc=org
	|	
	------	ou = Users
	|	
	------ ou = Computers	

Now the problem was that the nss_ldap library was searching in Users only,  
and apparently the samba server needs to be able to resolve the Computers 
tree aswell to add the sambaSAMAccount objectclass.

Not wanting to have a mess of computer and user accounts in one tree,  I added 
a ou for Computers under Users.  So now it looks like

dc=base,dc=org
	|	
	----- ou = Users
		|
		------- ou = Computers


After making that addition and changing the smb.conf entry

ldap machine suffix = ou=Computers,ou=Users

and the smbldap.conf entry 

computersdn="ou=Computers,ou=Users,${suffix}"

and lastly changing the search scope for nss_ldap by changing libnss-ldap.conf 
(debian)   (not 100% sure how each search scope works but this worked for me)

scope sub

And then just make sure that getent passwd is resolving all the way down the 
Computers branch by copying an account into there just to make sure.  If you 
see the account when you run getent passwd you should be ok.  Restart samba 
aswell.

Many thanks to John H Terpstra for the excellent sidebar in Ch 5 of Samba3 by 
example stating the nss_ldap resolving issue.

Ryan Braun
(Now my new problem to follow in the next message :P )

ons, 15.06.2005 kl. 21.53 skrev Ryan Braun:
> Now the problem was that the nss_ldap library was searching in Users only,
> and apparently the samba server needs to be able to resolve the Computers 
> tree aswell to add the sambaSAMAccount objectclass.
<rant>
I don't want to upset you unduly, but nss has nothing to do with this
and it's not necessary to have the computers dn under the users dn to
make things work. It's all those "/&@?{# idealx scripts and
peoples'
basic ignorance of how LDAP works at all that fsck up the otherwise
brilliant Samba daemon, ldapsam and command line utilities.How on earth
something so banal as the idealx scripts can have been packaged together
with these brilliant utilities stupefies me.

At my site (3.0.14a) I have masses (5) of different user dns in
different places in my tree, goodness knows how many group dns and a
single computers dn way down deep in the tree, far apart from the users.
The basic Samba utilities (smbd, ldapsam, smbpasswd, pdbedit) can cope
with all of these just fine. But I don't use the idealx scripts, I use
my own awk script to make the initial custom posixAccounts (have to have
masses of special stuff that the idealx scripts have never heard of) and
shell scripts for administering the rest of the Samba stuff.

It's the way the Samba people treat LDAP, as if it were a breeding
ground for morons. LDAP is a never-empty Pandora's box, that is there
for a totally different purpose than that to which the samba people
allude. It is the basis of a network-wide authentication system that
should be installed and understood long before one has even begun to
think about Samba or any other service whatsoever. I realize that the
Samba people have attempted to, and largely attained, the aim of
supplying an out-of-the box solution for averagely intelligent
Windows-minded people (the Samba people have written this themselves),
but it would perhaps be as well if they drew peoples' attention to the
importance of, and wealth of possibilities of, LDAP as a basic sovereign
multi-OS, multi-vendor service on which Samba is dependent, rather than
the idea they convey at the moment that it is some kind of an add-on
purely present to satisfy samba's needs.
</rant>
> (Now my new problem to follow in the next message :P )
Well, that was my problem.

Best,

--Tonni

-- 
mail: tonye@billy.demon.nl
http://www.billy.demon.nl

Tony Earnshaw wrote:
> ons, 15.06.2005 kl. 21.53 skrev Ryan Braun:
> 
>> Now the problem was that the nss_ldap library was searching in Users
>> only, and apparently the samba server needs to be able to resolve the
>> Computers tree aswell to add the sambaSAMAccount objectclass.
> 
> <rant>
> I don't want to upset you unduly, but nss has nothing to do with this
> and it's not necessary to have the computers dn under the users dn to
> make things work. It's all those "/&@?{# idealx scripts and
peoples'
> basic ignorance of how LDAP works at all that fsck up the otherwise
> brilliant Samba daemon, ldapsam and command line utilities.How on
> earth something so banal as the idealx scripts can have been packaged
> together with these brilliant utilities stupefies me.   
>
Bullshit Tony.  Utter bullshit.  You spread FUD about the smbldap tools.
The smbldap tools now handle user accounts (which includes computer
accounts)  in multiple ou's  but nss has to know where the base starts
that's the problem.  The solution supplied by Ryan is fine.
> At my site (3.0.14a) I have masses (5) of different user dns in
> different places in my tree, 
And how have you configured nss?  Do you point it at a common root for those
accounts?
> goodness knows how many group dns and a
> single computers dn way down deep in the tree, far apart from the
> users.   
So does Adam Tuano Williams.  But we don't hear him ranting on this list
every five seconds about how crap the smbldap tools scripts are.  He has
designed his own schema for morrison industries.  Written his own scripts.
He is more competant than you, yet we don't hear him cramming his own
opinion down other peoples throats.  In fact I've noticed traffic on this
list go down since you came onto it.  If you want to know anything about how
cyrus, or xfs, or quite a few other useful things work you can find it on
Adam's site.

Not everyone gets an erection about how good GQ is either.  Even if it is
that good.
     
> 
> It's the way the Samba people treat LDAP, as if it were a breeding
> ground for morons. LDAP is a never-empty Pandora's box,
It is if you are only using it for samba.  
> It is the basis of a network-wide authentication system that
> should be installed and understood long before one has even begun to
> think about Samba or any other service whatsoever. 
And who has time to do that?
> I realize that the
> Samba people have attempted to, and largely attained, the aim of
> supplying an out-of-the box solution for averagely intelligent
> Windows-minded people (the Samba people have written this
> themselves), but it would perhaps be as well if they drew peoples'
> attention to the importance of, and wealth of possibilities of, LDAP
> as a basic sovereign multi-OS, multi-vendor service on which Samba is
> dependent, rather than the idea they convey at the moment that it is
> some kind of an add-on purely present to satisfy samba's needs.
> </rant>             
> 
Yudda, yudda, yudda.  So it goes every fortnight.  Smbldap tools are crap.
You are far more intelligent than anyone else.  Yet have we seen you post an
alternative toolset?  Nope.  When you are challenged to do something about
your claims you withdraw and say things about how disjointed your user
management scripts are, and that you wouldn't post them onto the web.  Etc,
etc

I for one, am sick and tired of it.  Please stop it.

Geoff