The Samba-Bugzilla – Bug 987
passdb ldap backend and nss_ldap potentially conflict over computers container
Last modified: 2005-11-14 09:30:02 UTC
If the ldap machine suffix is different from the ldap user suffix, net rpc vampire
doesn't create machines when we use the ldap backend.
I've looked at the source and found why:
In net_rpc_samsync.c, the fetch_account_info function uses the Get_Pwnam
function to know if the posixAccount exists, but for a machine, if the ldap
machine entry is not in the same container as the user entries, the system (nss)
answers that the account doesn't exist.
The workaround is to configure the nss_ldap user suffix to a suffix containing both
user and machine entries in its scope (but it's not very useful...).
Sorry, that's a simple enough workaround, and you're talking about a design
change which needs to be considered in a much broader sense than just "my add
machine script doesn't play nice with my nss-ldap config".
I'm also changing the subject because the subject isn't really the issue. net
rpc vampire creates machines just fine, but not with the configuration that you
This isn't a bug, it's a design discussion. That's why I'm marking it for later.
Well, it's a big mistake not to consider the host suffix which is in the
configuration file of samba (smb.conf)!
I don't care about my nss configuration. I'm just surprised about such a lack of
rigor in samba code.
Perhaps I'm not understanding your problem. For starters "host suffix" ?
We do add machine accounts, in vampire, through the "ldap machine suffix", and
we pass the machine name to "add machine script", which is what one would
generally use to put the nss_ldap entry in the correct container. This part
works. I've done it. Are you finding bugs in this?
My point of view:
Get_Pwnam is for user accounts, not host accounts. If you want to know if a host
entry exists, you do an ldap query and not a system call. You have the ldap
machine suffix for that. It's not necessary to have machine accounts in the
passwd nss scope.
But for the moment, with the present design, you have to.
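The scope problem described in the first report and restated just above, as an added illustration that is not part of this bug thread and not Samba code. It models a constructed directory in which users and machine accounts live in sibling containers, a toy stand-in for Get_Pwnam that only sees entries below the nss_ldap base, and a lookup keyed on the ldap machine suffix instead. The DNs, the helper names (`nss_getpwnam`, `ldap_machine_lookup`, `vampire_account_exists`) and the simplified DN matching are assumptions for the example; real DN handling needs proper escaping.

```python
"""Why an NSS-only check misses machine accounts kept in a separate container.

Added example with constructed data; not code from Samba or nss_ldap.
"""


def _normalize_dn(dn):
    """Split a DN into lowercased RDN components (toy matching; no escaping)."""
    return [part.strip().lower() for part in dn.split(",")]


def dn_in_scope(dn, base, scope="sub"):
    """True if `dn` lies under `base` for LDAP scope 'one' (direct children)
    or 'sub' (the base and every descendant)."""
    d, b = _normalize_dn(dn), _normalize_dn(base)
    if len(d) < len(b) or d[-len(b):] != b:
        return False
    depth = len(d) - len(b)
    if scope == "one":
        return depth == 1
    if scope == "sub":
        return True
    raise ValueError("unknown scope: %r" % scope)


# Constructed directory: users and machine accounts in sibling containers.
DIRECTORY = {
    "uid=alice,ou=Users,dc=example,dc=org": ["posixAccount"],
    "uid=ws01$,ou=Computers,dc=example,dc=org": ["posixAccount", "sambaSamAccount"],
}


def _entries_named(name):
    """Yield DNs whose leading RDN is uid=<name> (case-insensitive)."""
    wanted = "uid=" + name.lower()
    for dn in DIRECTORY:
        if _normalize_dn(dn)[0] == wanted:
            yield dn


def nss_getpwnam(name, nss_base, nss_scope="one"):
    """Stand-in for Get_Pwnam via nss_ldap: an entry is visible only if it is a
    posixAccount AND sits inside the configured nss base/scope."""
    for dn in _entries_named(name):
        classes = [c.lower() for c in DIRECTORY[dn]]
        if "posixaccount" in classes and dn_in_scope(dn, nss_base, nss_scope):
            return dn
    return None


def ldap_machine_lookup(name, machine_suffix):
    """Lookup keyed on the ldap machine suffix from smb.conf instead of NSS."""
    for dn in _entries_named(name):
        if dn_in_scope(dn, machine_suffix, "sub"):
            return dn
    return None


def vampire_account_exists(name, nss_base, nss_scope, machine_suffix):
    """Compare the two existence checks the thread argues about."""
    return {
        "via_nss": nss_getpwnam(name, nss_base, nss_scope) is not None,
        "via_machine_suffix": ldap_machine_lookup(name, machine_suffix) is not None,
    }


if __name__ == "__main__":
    # nss_ldap pointed only at the Users container: the machine is invisible.
    print(vampire_account_exists("ws01$", "ou=Users,dc=example,dc=org", "one",
                                 "ou=Computers,dc=example,dc=org"))
    # The reported workaround: widen the nss base to cover both containers.
    print(vampire_account_exists("ws01$", "dc=example,dc=org", "sub",
                                 "ou=Computers,dc=example,dc=org"))
```

The first call reproduces the report: `via_nss` is False while `via_machine_suffix` is True, so a code path that trusts Get_Pwnam alone concludes the machine does not exist. Widening the nss base to `dc=example,dc=org` with subtree scope makes both checks agree, which is exactly the workaround the reporter describes.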
Ah, but there is a legitimate reason for host accounts being effectively user
accounts: they are on windows. That's part of the way windows works. A machine
is an entity that can have access to a file or other object in the same way that
a user can.
There may be other ways to implement this, but this would definitely be a major
You are more than welcome to bring this up on the lists for discussion.