987 – passdb ldap backend and nss_ldap potentially conflict over computers container

Bug 987 - passdb ldap backend and nss_ldap potentially conflict over computers container

Summary: passdb ldap backend and nss_ldap potentially conflict over computers container

Status:	RESOLVED LATER

Alias:	None

Product:	Samba 3.0
Classification:	Unclassified
Component:	net utility (show other bugs)
Version:	3.0.1
Hardware:	All Linux

Importance:	P3 normal
Target Milestone:	none
Assignee:	Jim McDonough
QA Contact:

URL:
Keywords:

Depends on:
Blocks:

Reported:	2004-01-19 02:00 UTC by Yohann Fourteau
Modified:	2005-11-14 09:30 UTC (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Yohann Fourteau 2004-01-19 02:00:04 UTC

If ldap machine suffix is differente from ldap user suffix, net rpc vampire
doesn't create machines when we use ldap backend.

I've looked at the source and found why :
In  net_rpc_samsync.c,the fetch_account_info function uses the Get_Pwnam
function to know if the posixaccount exists but for a machine, if the ldap
machine entry is not in the same container than users entries, the system (nss)
answers that the account doesn't exist.

The work arround is to configure nssldap user suffix to a suffix containing both
users and machines entries in its scope (but it's not very usefull...).

Comment 1 Jim McDonough 2004-03-12 08:47:03 UTC

Sorry, that's a simple enough workaround, and you're talking about a design
change which needs to be considered in a much broader sense than just "my add
machine script doesn't play nice with my nss-ldap config".  

I'm also changing the subject because the subject isn't really the issue.  net
rpc vampire creates machines just fine, but not with the configuration that you
would like.

This isn't a bug, it's a design discussion.  That's why I'm marking it for later.

Comment 2 Yohann Fourteau 2004-03-12 09:15:10 UTC

Well It's a big mistake not to consider host suffix which is in the
configuration file of samba (smb.conf) !

I don't care about my nss configuration. I'm just suprised about such a lack of
rigor in samba code.

Comment 3 Jim McDonough 2004-03-12 10:39:07 UTC

Perhaps I'm not understanding your problem.  For starters "host suffix" ?

We do add machine accounts, in vampire, through the "ldap machine suffix", and
we pass the machine name to "add machine script", which is what one would
generally use to put the nss_ldap entry in the correct container.  This part
works.   I've done it.   Are you finding bugs in this?

Comment 4 Yohann Fourteau 2004-03-13 06:31:03 UTC

My point of view :
Get_Pwnam is for user account not host account. If you want to know if an host
entry exists, you do an ldap query and not a system call. You have the ldap
machine suffix for that. It's not necessary to have machine account in the
passwd nss scope.

But for the moment, with the present design, you have to.

Comment 5 Jim McDonough 2004-03-13 07:33:01 UTC

Ah, but there is a legitimate reason for host accounts being effectively user
accounts: they are on windows.  That's part of the way windows works.  A machine
is an entity that can have access to a file or other object in the same way that
a user can.

There may be other ways to implement this, but this would definitely be a major
design discussion.

You are more than welcome to bring this up on the lists for discussion.

Comment 6 Gerald (Jerry) Carter (dead mail address) 2005-11-14 09:30:02 UTC

database cleanup