samba - Apr 2008 - Mis-behavior of ldap.conf regarding nss?

Hello all,

I run a samba 3.0.26a-1ubuntu2.3 on an Ubuntu 7.10 server with OpenLDAP 
both for samba and for posix accounts. Everything runs fine, except for 
one problem. I have a ou=People-inactive branch on my ldap server on 
wich I store (guess what?) inactive people. I don't want my system to 
recognize those entries as valid users, so I set my /etc/ldap.conf as 
follows:

root@mercurio:/etc# grep -v "^#\|^\s*$" ldap.conf
host 127.0.0.1 192.168.0.207
base dc=a1,dc=ind
ldap_version 3
nss_base_passwd         ou=People,dc=a1,dc=ind?one
nss_base_shadow         ou=People,dc=a1,dc=ind?one
nss_base_group          ou=Group,dc=a1,dc=ind?one
nss_base_hosts          ou=Hosts,dc=a1.dc=ind?one
nss_base_services       ou=Services,dc=a1,dc=ind?one
nss_base_networks       ou=Networks,dc=a1,dc=ind?one
nss_base_protocols      ou=Protocols,dc=a1,dc=ind?one
nss_base_rpc            ou=Rpc,dc=a1,dc=ind?one
nss_base_netmasks       ou=Networks,dc=a1,dc=ind?one
nss_base_aliases        ou=Aliases,dc=a1,dc=ind?one
nss_base_netgroup       ou=Netgroup,dc=a1,dc=ind?one
root@mercurio:/etc#

I use two servers on the "host" line due to this bug:

https://launchpad.net/ubuntu/+source/libnss-ldap/+bug/51315

The problem arose when I tried to add a new machine to the domain. The 
smbldap-useradd script is able to add the machine entry on ldap, but the 
whole process fails with "User not found" (translated from the 
Portuguese message) on the adding workstation. After googling for about 
3 hours without success, I found that if I just comment out the 
nss_base_* entries, everything works as expected and am able to join a 
machine to the domain.

The question:

Is that a samba, nss or smbldap-tools bug? Or is this not a bug, but a 
feature? ;) Or have I lost something?

Best regards and thanks in advance.

-- 
Marcio Merlone

> I run a samba 3.0.26a-1ubuntu2.3 on an Ubuntu 7.10 server with OpenLDAP 
> both for samba and for posix accounts. Everything runs fine, except for 
> one problem. I have a ou=People-inactive branch on my ldap server on 
> wich I store (guess what?) inactive people. I don't want my system to 
> recognize those entries as valid users, so I set my /etc/ldap.conf as 
> follows:
> nss_base_passwd         ou=People,dc=a1,dc=ind?one
> The problem arose when I tried to add a new machine to the domain. The 
> smbldap-useradd script is able to add the machine entry on ldap, but the 
> whole process fails with "User not found" (translated from the 
> Portuguese message) on the adding workstation. After googling for about 
> 3 hours without success, I found that if I just comment out the 
> nss_base_* entries, everything works as expected and am able to join a 
> machine to the domain.
Does your script create the machine account object in ou=People?  You've
verified the object is created at all and you can successfully "id
{machine}$"?
> Is that a samba, nss or smbldap-tools bug? Or is this not a bug, but a 
> feature? ;) Or have I lost something?
My guess would be it is bug in your configuration of smbldap-tools.

-- 
Adam Tauno Williams, Network & Systems Administrator
Consultant - http://www.whitemiceconsulting.com
Developer - http://www.opengroupware.org