Excerpts from smb.conf:

passdb backend = ldapsam:ldap://localhost
ldap admin dn = cn=admin,dc=arch,dc=uni-karlsruhe,dc=de
ldap group suffix = ou=groups
ldap machine suffix = ou=computer
ldap suffix = o=archipool,dc=arch,dc=uni-karlsruhe,dc=de
ldap ssl = no
ldap user suffix = ou=aktiv,ou=Accounts

The system wide ldap suffix is a different one
(ou=accounts,o=archipool,dc=arch,dc=uni-karlsruhe,dc=de). Samba, however,
should only search for users in the specified user suffix, since not all
system users are supposed to be able to use samba.

slapd.log:

Oct 28 12:17:30 far-poolserver64 slapd[9499]: SRCH
"o=archipool,dc=arch,dc=uni-karlsruhe,dc=de" 2 3
[debug output snipped]
Oct 28 12:17:30 far-poolserver64 slapd[9499]: filter: (&(uid=dummy)
(objectClass=sambaSamAccount))

Should I file a bug report, does anybody spot a config error or is more info
needed?

Regards,
Jonas Jochum
archIT - Faculty of Architecture

On Fri, 2005-10-28 at 13:36 +0200, Jonas Jochum wrote:
> Excerpts from smb.conf:
>
> passdb backend = ldapsam:ldap://localhost
> ldap admin dn = cn=admin,dc=arch,dc=uni-karlsruhe,dc=de
> ldap group suffix = ou=groups
> ldap machine suffix = ou=computer
> ldap suffix = o=archipool,dc=arch,dc=uni-karlsruhe,dc=de
> ldap ssl = no
> ldap user suffix = ou=aktiv,ou=Accounts
>
> The system wide ldap suffix is a different one
> (ou=accounts,o=archipool,dc=arch,dc=uni-karlsruhe,dc=de). Samba, however,
> should only search for users in the specified user suffix, since not all
> system users are supposed to be able to use samba.
>
> slapd.log:
>
> Oct 28 12:17:30 far-poolserver64 slapd[9499]: SRCH
> "o=archipool,dc=arch,dc=uni-karlsruhe,dc=de" 2 3
> [debug output snipped]
> Oct 28 12:17:30 far-poolserver64 slapd[9499]: filter: (&(uid=dummy)
> (objectClass=sambaSamAccount))
>
> Should I file a bug report, does anybody spot a config error or is more info
> needed?
----
does this match what is in padl's ldap.conf ?

Craig

On Friday 28 October 2005 16:00, Craig White wrote:
> does this match what is in padl's ldap.conf ?

Do you mean pam_ldap.conf? No, it doesn't:

base ou=aktiv,ou=accounts,o=archipool,dc=arch,dc=uni-karlsruhe,dc=de

libnss-ldap.conf uses

base o=archipool,dc=arch,dc=uni-karlsruhe,dc=de

The reason for this is that we're temporarily moving disabled accounts to
ou=inakt,ou=accounts,o=archipool,dc=arch,dc=uni-karlsruhe,dc=de. Due to samba
using the wrong search base, they're still able to log in (don't tell me to
use sambaAcctFlags - I know they can be used for accomplishing the same thing).

Bye,
Jonas
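
An added example, not part of the thread and not Samba code: a small audit that composes the intended user subtree from the smb.conf lines quoted above and flags sambaSamAccount searches in slapd's log whose base lies outside that subtree. It assumes `ldap user suffix` is relative to `ldap suffix` and the SRCH/filter line pair shown in the thread; the second log entry is constructed for contrast.

```python
import re

# smb.conf lines as posted in the thread.
SMB_CONF = """
ldap suffix = o=archipool,dc=arch,dc=uni-karlsruhe,dc=de
ldap user suffix = ou=aktiv,ou=Accounts
"""
# First search: the thread's slapd.log entry (lines rejoined); second: constructed.
SLAPD_LOG = """
Oct 28 12:17:30 far-poolserver64 slapd[9499]: SRCH "o=archipool,dc=arch,dc=uni-karlsruhe,dc=de" 2 3
Oct 28 12:17:30 far-poolserver64 slapd[9499]: filter: (&(uid=dummy)(objectClass=sambaSamAccount))
Oct 28 12:17:31 far-poolserver64 slapd[9499]: SRCH "ou=aktiv,ou=accounts,o=archipool,dc=arch,dc=uni-karlsruhe,dc=de" 2 3
Oct 28 12:17:31 far-poolserver64 slapd[9499]: filter: (&(uid=dummy)(objectClass=sambaSamAccount))
"""
SRCH = re.compile(r'slapd\[\d+\]: SRCH "([^"]*)" \d+ \d+')
FILTER = re.compile(r"slapd\[\d+\]: filter: (.*)")

def parse_smb_conf(text):
    """Return smb.conf 'key = value' pairs; keys lower-cased, spaces collapsed."""
    pairs = (l.split("=", 1) for l in text.splitlines()
             if "=" in l and l.strip()[0] not in "#;[")
    return {" ".join(k.lower().split()): v.strip() for k, v in pairs}

def rdns(dn):
    """Split a DN into lower-cased RDNs (escaped commas are not handled)."""
    return [r.strip().lower() for r in dn.split(",") if r.strip()]

def is_within(base, subtree):
    """True if the DN 'base' is 'subtree' itself or lies below it."""
    return base[-len(subtree):] == subtree if subtree else True

def audit(smb_conf, slapd_log):
    """List (base, filter) of Samba account searches rooted outside the user subtree."""
    p = parse_smb_conf(smb_conf)
    # Assumption: 'ldap user suffix' is relative to 'ldap suffix'.
    wanted = rdns(p.get("ldap user suffix", "")) + rdns(p["ldap suffix"])
    findings, base = [], None
    for line in slapd_log.splitlines():
        if m := SRCH.search(line):
            base = m.group(1)
        elif (m := FILTER.search(line)) and base is not None:
            flt = m.group(1).strip()
            if "sambasamaccount" in flt.lower() and not is_within(rdns(base), wanted):
                findings.append((base, flt))
            base = None
    return findings

if __name__ == "__main__":
    print(*audit(SMB_CONF, SLAPD_LOG), sep="\n")
```

Only the first search is reported: its base is the whole `o=archipool` tree, so entries under `ou=inakt` would match the same filter.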