Bug 987 - passdb ldap backend and nss_ldap potentially conflict over computers container
Summary: passdb ldap backend and nss_ldap potentially conflict over computers container
Alias: None
Product: Samba 3.0
Classification: Unclassified
Component: net utility
Version: 3.0.1
Hardware: All Linux
Importance: P3 normal
Target Milestone: none
Assignee: Jim McDonough
QA Contact:
Depends on:
Reported: 2004-01-19 02:00 UTC by Yohann Fourteau
Modified: 2005-11-14 09:30 UTC (History)
See Also:


Description Yohann Fourteau 2004-01-19 02:00:04 UTC
If the ldap machine suffix is different from the ldap user suffix, net rpc vampire
doesn't create machines when we use the ldap backend.

I've looked at the source and found why:
In net_rpc_samsync.c, the fetch_account_info function uses the Get_Pwnam
function to know if the posixaccount exists, but for a machine, if the ldap
machine entry is not in the same container as the user entries, the system (nss)
answers that the account doesn't exist.

The workaround is to configure the nss_ldap user suffix to a suffix containing both
user and machine entries in its scope (but it's not very useful...).
Comment 1 Jim McDonough 2004-03-12 08:47:03 UTC
Sorry, that's a simple enough workaround, and you're talking about a design
change which needs to be considered in a much broader sense than just "my add
machine script doesn't play nice with my nss-ldap config".  

I'm also changing the subject because the subject isn't really the issue.  net
rpc vampire creates machines just fine, but not with the configuration that you
would like.

This isn't a bug, it's a design discussion.  That's why I'm marking it for later.
Comment 2 Yohann Fourteau 2004-03-12 09:15:10 UTC
Well, it's a big mistake not to consider the host suffix which is in the
configuration file of Samba (smb.conf)!

I don't care about my nss configuration. I'm just surprised about such a lack of
rigor in Samba code.

Comment 3 Jim McDonough 2004-03-12 10:39:07 UTC
Perhaps I'm not understanding your problem.  For starters, "host suffix"?

We do add machine accounts, in vampire, through the "ldap machine suffix", and
we pass the machine name to "add machine script", which is what one would
generally use to put the nss_ldap entry in the correct container.  This part
works.   I've done it.   Are you finding bugs in this?
Comment 4 Yohann Fourteau 2004-03-13 06:31:03 UTC
My point of view:
Get_Pwnam is for user accounts, not host accounts. If you want to know if a host
entry exists, you do an ldap query and not a system call. You have the ldap
machine suffix for that. It's not necessary to have machine accounts in the
passwd nss scope.

But for the moment, with the present design, you have to.
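The disagreement above comes down to which search base each lookup uses. The following is an added illustration, not Samba's code and not anything posted in this bug: it simulates a tiny directory in memory, derives the machine container the way Samba does (the relative "ldap machine suffix" is prepended to "ldap suffix"), and contrasts an nss_ldap-style lookup scoped to the user container with a direct query of the machine container. The smb.conf fragment, DNs and account names (alice, ws01$) are constructed for the example; the subtree search is a simplified stand-in for a real LDAP query.

```python
"""
Added illustration (not Samba's code): a machine account that lives under
"ldap machine suffix" is invisible to a getpwnam() backed by nss_ldap whose
search base is the user container, but visible when the machine container is
queried directly, or when the nss base is widened to the common parent (the
workaround described in the bug). All values below are constructed.
"""
import re
from typing import Dict, List, Optional

# Constructed smb.conf fragment; the parameter names are real Samba parameters.
SMB_CONF = """
[global]
    passdb backend = ldapsam:ldap://localhost
    ldap suffix = dc=example,dc=com
    ldap user suffix = ou=People
    ldap machine suffix = ou=Computers
"""

# Constructed directory content: DN -> attributes (attribute names lower-cased).
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "dc=example,dc=com": {"objectclass": ["dcObject", "organization"]},
    "ou=People,dc=example,dc=com": {"objectclass": ["organizationalUnit"]},
    "ou=Computers,dc=example,dc=com": {"objectclass": ["organizationalUnit"]},
    "uid=alice,ou=People,dc=example,dc=com": {
        "objectclass": ["posixAccount", "sambaSamAccount"], "uid": ["alice"]},
    "uid=ws01$,ou=Computers,dc=example,dc=com": {
        "objectclass": ["posixAccount", "sambaSamAccount"], "uid": ["ws01$"]},
}


def parse_global(conf: str) -> Dict[str, str]:
    """Minimal smb.conf reader: 'key = value' lines, keys lower-cased."""
    params: Dict[str, str] = {}
    for line in conf.splitlines():
        m = re.match(r"\s*([^=;#\[]+?)\s*=\s*(.*?)\s*$", line)
        if m:
            params[m.group(1).lower()] = m.group(2)
    return params


def samba_base(params: Dict[str, str], which: str) -> str:
    """Samba prepends the relative user/machine suffix to 'ldap suffix'."""
    rel = params.get(which, "").strip()
    return f"{rel},{params['ldap suffix']}" if rel else params["ldap suffix"]


def _norm(dn: str) -> str:
    return ",".join(part.strip().lower() for part in dn.split(","))


def in_subtree(dn: str, base: str) -> bool:
    """True if dn equals base or lies below it (LDAP scope 'sub')."""
    d, b = _norm(dn), _norm(base)
    return d == b or d.endswith("," + b)


def search_posix_account(base: str, name: str) -> Optional[str]:
    """Simulated subtree search for (&(objectClass=posixAccount)(uid=name))."""
    for dn, attrs in DIRECTORY.items():
        classes = [c.lower() for c in attrs["objectclass"]]
        if in_subtree(dn, base) and "posixaccount" in classes \
                and name in attrs.get("uid", []):
            return dn
    return None


def nss_lookup(name: str, nss_base: str) -> Optional[str]:
    """What getpwnam() via nss_ldap can see: only entries under the nss base."""
    return search_posix_account(nss_base, name)


def machine_lookup(params: Dict[str, str], name: str) -> Optional[str]:
    """Query the machine container directly, using Samba's own machine suffix."""
    return search_posix_account(samba_base(params, "ldap machine suffix"), name)


if __name__ == "__main__":
    p = parse_global(SMB_CONF)
    print("nss base ou=People      ->", nss_lookup("ws01$", "ou=People,dc=example,dc=com"))
    print("nss base dc=example     ->", nss_lookup("ws01$", "dc=example,dc=com"))
    print("ldap machine suffix     ->", machine_lookup(p, "ws01$"))
```

With the nss base set to the user container the machine account is not found, which is the "account doesn't exist" answer the reporter saw; widening the nss base to dc=example,dc=com (the reporter's workaround) or querying the machine suffix directly both find it.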
Comment 5 Jim McDonough 2004-03-13 07:33:01 UTC
Ah, but there is a legitimate reason for host accounts being effectively user
accounts: they are on Windows.  That's part of the way Windows works.  A machine
is an entity that can have access to a file or other object in the same way that
a user can.

There may be other ways to implement this, but this would definitely be a major
design discussion.

You are more than welcome to bring this up on the lists for discussion.
Comment 6 Gerald (Jerry) Carter (dead mail address) 2005-11-14 09:30:02 UTC
database cleanup