I very much appreciate the help thus far, but I think it has strayed a bit from the actual problem.
The problem is that when I join a system to the samba domain it creates /some/ but not all of the required attributes for the computer account. The process then fails as samba looks in the wrong part of my directory server.

I would strongly prefer to put the workstation accounts in their own tree (ou=Computers). I added the relevant bits to the smb.conf for this to happen (ldap machine suffix = ou=Computers) and restarted samba. Yet the debug logs show me that, while it executes the machine add script just fine, it is still looking in ou=People. As a leap into absurdity I even rebooted the whole box (in case a shared memory segment was somehow hanging about), still the samba binary is convinced my computer accounts live in ou=People.

The process becomes more odd when I can see in the debug log that the samba binary has successfully read in my machine suffix. I find this a bit unusual.

Pat

On Tue, 2008-02-26 at 09:03 -0800, Chuck Kollars wrote:
> > ...Yet, if I search LDAP after the join attempt I
> > find: dn: uid=testing$,ou=Computers,dc=iwu,dc=edu
>
> This convention of a "workstation" account being the
> same as a "people" account except with a dollar sign
> appended to the name is the way Windows works.
> Weird? Yes. Looks wrong? Yes. Needs "fixing"? Maybe Not.
>
> > ...My LDAP logs show it is searching ou=People
> > rather than ou=Computers to see if it was added
> > successfully. What must I do to make it search
> > ou=Computers? ...
>
> Unfortunately it's pretty easy and pretty common to
> use LDAP in a way that doesn't match the "usual" human
> definitions of some words. This isn't necessarily
> wrong though. If an operation doesn't work, definitely
> dig in. But if an operation "works" but appears to use
> words differently than your definitions, it may not be
> a problem.
>
> Every LDAP tool has its own settings. Change it for
> one tool, and it will still behave the old way for
> other tools.
>
> For `ldapsearch`, there are several settings, the
> later of which override the earlier. One is "base" in
> a file named something like /etc/openldap/ldap.conf.
> This may be overridden by a command line parameter to
> `ldapsearch`.
>
> For LDAP name service lookups (if enabled in
> /etc/nsswitch.conf), again there's "base" but this
> time in /etc/ldap.conf (a separate file but with a
> name very similar to the first one). Sometimes you'll
> also find "nss_base_hosts", which takes precedence if
> it exists. There may also be a setting on pam_ldap.so.
>
> > etc.
>
> > Now the other half of the question, the part you
> > didn't ask, which is not where to "search" but
> > where to "store". (Obviously storing in one place
> > but searching in the other won't work at all.
> > Both storing and searching in the "wrong" place
> > may work perfectly well for Samba, yet might be
> > inconsistent with some of your other tools and
> > procedures.)
>
> Unfortunately there are a gazillion different ways to
> update an LDAP database and they all work differently
> and are all configured differently. Are you using some
> scripts, or a web application like 'phpldapadmin', or
> the `ldapadd` command, or ...; and are you calling it
> explicitly or letting it be called from within Samba
> via the 'add machine' parameter?
>
> good luck!
>
> -Chuck Kollars
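The "store in one place, search in another" mismatch discussed in this thread can be checked mechanically. The sketch below is an added example, not code from either poster or from Samba: it reads the per-tool search bases and reports which ones contain a given entry. The two config texts are constructed samples (only `uid=testing$`, `ou=Computers`, `ou=People` and `dc=iwu,dc=edu` come from the thread), and the helper names are hypothetical.

```python
import configparser

# Constructed sample configs (assumptions), standing in for smb.conf and /etc/ldap.conf.
SMB_CONF = """
[global]
ldap suffix = dc=iwu,dc=edu
ldap user suffix = ou=People
ldap machine suffix = ou=Computers
"""
NSS_LDAP_CONF = """
# name service lookups only search below this base
base ou=People,dc=iwu,dc=edu
"""

def norm(dn):
    """Split a simple DN (no escaped commas) into lower-cased attr=value RDNs."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return parts

def under(dn, base):
    """True if the entry `dn` lies at or below the search base `base`."""
    d, b = norm(dn), norm(base)
    return len(d) >= len(b) and d[len(d) - len(b):] == b

def samba_bases(text):
    """Samba prepends the user/machine suffix to 'ldap suffix'; unset means 'ldap suffix'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    g = cp["global"]
    suffix = g["ldap suffix"]
    out = {}
    for key in ("ldap user suffix", "ldap machine suffix"):
        rel = g.get(key, "")
        out["smb.conf " + key] = f"{rel},{suffix}" if rel else suffix
    return out

def nss_bases(text):
    """Collect 'base' and any 'nss_base_*' lines; drop a trailing ?scope part."""
    out = {}
    for line in text.splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2 and (fields[0] == "base" or fields[0].startswith("nss_base_")):
            out["ldap.conf " + fields[0]] = fields[1].split("?")[0].strip()
    return out

def coverage(dn, smb_text=SMB_CONF, nss_text=NSS_LDAP_CONF):
    """Map each configured search base to whether it contains `dn`."""
    bases = {**samba_bases(smb_text), **nss_bases(nss_text)}
    return {name: under(dn, base) for name, base in bases.items()}

if __name__ == "__main__":
    for name, ok in coverage("uid=testing$,ou=Computers,dc=iwu,dc=edu").items():
        print(f"{'covers' if ok else 'MISSES':7} {name}")
```

Any base reported as missing the entry belongs to a tool that will not find the stored machine account until its own setting is changed.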
