samba - Jun 2006 - multiple domains/ ldap /smbldap_search function/pdbedit/

Hi all,

I use samba 3.0.20

the ldap paramaters into the smb.conf are:
passdb backend = ldapsam:ldap://localhost smbpasswd guest
ldap suffix = dc=univ,dc=fr
ldap machine suffix = ou=Hosts
ldap user suffix = ou=People
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap

Into my ldap tree i've got 3 domains samba defined
some uid exists into 2 of 3 domains

(toto01 exists twice but into two differents domains)
If i use pdbedit -L -v -d 10 toto01 i've got the following thing:

smbldap_search_ext: base => [dc=univ,dc=fr], filter =>
[(&(uid=toto01)(objectclass=sambaSamAccount))], scope => [2]
ldapsam_getsampwnam: Duplicate entries for this user [toto01] Failing.
count=2

Why the smbldap_search_ext doesn't search uid only in the
ou=People,dc=univ,dc=fr branch

the filter returned by the smbldap_search_ext seems to be
[(&(uid=toto01)(objectclass=sambaSamAccount))

How to force smb to search only the uid into the branch defined by the
ldap parameters (ou=People,dc=univ,dc=fr) ?
thanks a lot

Didier Roques napisa?(a):
> Hi all,
>   
Hello,
> I use samba 3.0.20
>
> the ldap paramaters into the smb.conf are:
> passdb backend = ldapsam:ldap://localhost smbpasswd guest
> ldap suffix = dc=univ,dc=fr
> ldap machine suffix = ou=Hosts
> ldap user suffix = ou=People
> ldap group suffix = ou=Group
> ldap idmap suffix = ou=Idmap
>
> Into my ldap tree i've got 3 domains samba defined
> some uid exists into 2 of 3 domains
>   
I also have more than 3 domains in my LDAP ... but it works
great!!!
> (toto01 exists twice but into two differents domains)
> If i use pdbedit -L -v -d 10 toto01 i've got the following thing:
>
> smbldap_search_ext: base => [dc=univ,dc=fr], filter =>
> [(&(uid=toto01)(objectclass=sambaSamAccount))], scope => [2]
> ldapsam_getsampwnam: Duplicate entries for this user [toto01] Failing.
> count=2
>   
How are the domains organized? According to your information it seems 
that dc=univ,dc=fr is a base for all 3 domains - am I right? In such 
case the message you get is NORMAL. Shouldn't it be like this:
1) ou=People,ou=domain1,dc=univ,dc=fr
2) ou=People,ou=domain2,dc=univ,dc=fr
3) ou=People,ou=domain3,dc=univ,dc=fr?

But then your samba ldap suffix should be:

ldap suffix = ou=domainx,dc=univ,dc=fr


> Why the smbldap_search_ext doesn't search uid only in the
> ou=People,dc=univ,dc=fr branch
>
> the filter returned by the smbldap_search_ext seems to be
> [(&(uid=toto01)(objectclass=sambaSamAccount))
>
> How to force smb to search only the uid into the branch defined by the
> ldap parameters (ou=People,dc=univ,dc=fr) ?
> thanks a lot
>   
Hope this helps you ;)

Regards,
Marcin
>
>
>
>
>

>the organization is:
>1)ou=People,dc=univ,dc=fr  (the first domain)
>
>
And your answer is here! dc=univ,dc=fr includes EVERYTHING - domain2 and
domain3 and of course People,Groups from the top of LDAP tree.
>2)ou=People,ou=domain2,dc=univ,dc=fr
>
>
This for example consists ONLY with EVERYTHING in subtree:
ou=domain2,dc=univ,dc=fr - that's why if you try and change samba "ldap
suffix = ou=domain2,dc=univ,dc=fr - it will work OK. You will ONLY see
people,groups and whatever you have but from this particular subtree.
>3)ou=People,ou=domain3,dc=univ,dc=fr

Sorry i've made a mistake:
the three domains:
1)ou=People,dc=univ,dc=fr
2)ou=People,dc=domain2,dc=univ,dc=fr (dc and not ou)
2)ou=People,dc=domain3,dc=univ,dc=fr (dc and not ou)

and i thought samba search only into the People branch under the suffix
ldap mentioned into the smb.conf dc=univ,dc=fr and not under the other one
.