> >>> Did ldap machine suffix ever get fixed so that it can be in a separate
> >>> container from ldap user suffix?
> >> Is there any problem to be fixed on samba side? I've been using a separate
> >> container for machines without any problem (almost 8 months now)
> > Yes, there was a problem, and maybe still is.
> > You are using separate containers for users and machines, because you
> > probably search for them in the whole LDAP tree.
> Yes. I did not specify a filter on pam/nss_ldap. However the limitation is
> coming from nss_ldap, not samba.
Ah, I can see that. We met this limitation a long time ago (NSS only supports a single search base per object type, which actually seems reasonable). We simply structured the DIT in a different way:

  dc..
  dc..,ou=SAM
  dc..,ou=SAM,ou=Groups
  dc..,ou=SAM,ou=Entities
  dc..,ou=SAM,ou=Entities,ou=People
  dc..,ou=SAM,ou=Entities,ou=System Accounts
  dc..,ou=SAM,ou=ipServices
  etc...

NSS's account search base can be set to "dc..,ou=SAM,ou=Entities" for account objects and will see both; applications like Samba can be split. There is no need to search the 'whole LDAP tree', as that would be bad since it also contains things like

  dc..,ou=Customers
  dc..,ou=Access Control
  etc...

and may be huge. If you insist on having a traditional dc..,ou=People, that is simple enough with a subordinate back-ldap backend that rewrites ou=SAM,ou=Entities,ou=People to ou=People DNs.

-- 
To unsubscribe from this list go to the following URL and read the instructions: https://lists.samba.org/mailman/listinfo/samba
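The layout the reply describes, written out as an added example (not from the thread or from Samba) under a hypothetical dc=example,dc=com base: the LDIF creates the containers, and the commented settings give nss_ldap one subtree search base that covers both People and System Accounts while smb.conf points Samba at the two containers separately.

```ldif
# Added example, not from the original thread. Hypothetical base DN dc=example,dc=com.
# DNs are written leaf-first, so the reply's "dc..,ou=SAM,ou=Entities,ou=People"
# becomes ou=People,ou=Entities,ou=SAM,dc=example,dc=com.

dn: ou=SAM,dc=example,dc=com
objectClass: organizationalUnit
ou: SAM

dn: ou=Groups,ou=SAM,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: ou=Entities,ou=SAM,dc=example,dc=com
objectClass: organizationalUnit
ou: Entities

dn: ou=People,ou=Entities,ou=SAM,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=System Accounts,ou=Entities,ou=SAM,dc=example,dc=com
objectClass: organizationalUnit
ou: System Accounts

# /etc/ldap.conf (nss_ldap): a single subtree base per map, so user and
# machine accounts both resolve without searching the whole directory
# (which would also walk ou=Customers, ou=Access Control, ...):
#   nss_base_passwd  ou=Entities,ou=SAM,dc=example,dc=com?sub
#   nss_base_shadow  ou=Entities,ou=SAM,dc=example,dc=com?sub
#   nss_base_group   ou=Groups,ou=SAM,dc=example,dc=com?one
#
# smb.conf: Samba addresses the two containers separately; the per-type
# suffixes are relative to "ldap suffix":
#   ldap suffix         = dc=example,dc=com
#   ldap user suffix    = ou=People,ou=Entities,ou=SAM
#   ldap machine suffix = ou=System Accounts,ou=Entities,ou=SAM
#   ldap group suffix   = ou=Groups,ou=SAM
```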