If the ldap machine suffix is different from the ldap user suffix, net rpc vampire doesn't create machines when we use the ldap backend. I've looked at the source and found why: in net_rpc_samsync.c, the fetch_account_info function uses the Get_Pwnam function to know if the posixAccount exists, but for a machine, if the ldap machine entry is not in the same container as the user entries, the system (nss) answers that the account doesn't exist. The workaround is to configure the nss_ldap user suffix to a suffix containing both user and machine entries in its scope (but it's not very useful...).
Sorry, that's a simple enough workaround, and you're talking about a design change which needs to be considered in a much broader sense than just "my add machine script doesn't play nice with my nss-ldap config". I'm also changing the subject because the subject isn't really the issue. net rpc vampire creates machines just fine, but not with the configuration that you would like. This isn't a bug, it's a design discussion. That's why I'm marking it for later.
Well, it's a big mistake not to consider the host suffix which is in the configuration file of samba (smb.conf)! I don't care about my nss configuration. I'm just surprised about such a lack of rigor in samba code.
Perhaps I'm not understanding your problem. For starters, "host suffix"? We do add machine accounts, in vampire, through the "ldap machine suffix", and we pass the machine name to "add machine script", which is what one would generally use to put the nss_ldap entry in the correct container. This part works. I've done it. Are you finding bugs in this?
My point of view: Get_Pwnam is for user accounts, not host accounts. If you want to know if a host entry exists, you do an ldap query and not a system call. You have the ldap machine suffix for that. It's not necessary to have the machine account in the passwd nss scope. But for the moment, with the present design, you have to.
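The disagreement above comes down to whether the container Samba builds from "ldap machine suffix" lies inside the search base nss_ldap uses for passwd lookups, since that is all Get_Pwnam can see. The following check is an added example, not code from Samba or from this bug report: it parses constructed smb.conf and nss_ldap fragments and reports whether the workaround from the first comment is needed; it assumes the nss_ldap `nss_base_passwd base?scope` syntax and Samba's rule that the machine suffix is prepended to "ldap suffix".

```python
import re

# Constructed sample config fragments (assumed, not taken from the bug report).
SMB_CONF = """
[global]
    ldap suffix = dc=example,dc=test
    ldap user suffix = ou=People
    ldap machine suffix = ou=Computers
"""
NSS_LDAP_CONF = """
base dc=example,dc=test
nss_base_passwd ou=People,dc=example,dc=test?one
"""

def smb_param(conf, name):
    """Return the value of an smb.conf parameter, or None if it is unset."""
    m = re.search(r'^\s*%s\s*=\s*(.+?)\s*$' % re.escape(name), conf, re.M | re.I)
    return m.group(1) if m else None

def machine_container(conf):
    """Samba prepends 'ldap machine suffix' to 'ldap suffix' to form the container DN."""
    suffix = smb_param(conf, 'ldap suffix')
    machine = smb_param(conf, 'ldap machine suffix')
    return '%s,%s' % (machine, suffix) if machine else suffix

def nss_passwd_base(conf):
    """(base_dn, scope) used by nss_ldap for passwd lookups; default scope is sub."""
    m = re.search(r'^\s*nss_base_passwd\s+(\S+)', conf, re.M)
    if not m:
        m = re.search(r'^\s*base\s+(\S+)', conf, re.M)
    parts = (m.group(1) if m else '').split('?')   # base?scope?filter
    return parts[0], (parts[1] if len(parts) > 1 and parts[1] else 'sub')

def dn_rdns(dn):
    """Normalise a DN into its list of RDNs, leftmost first."""
    return [r.strip().lower() for r in dn.split(',') if r.strip()]

def container_in_scope(container_dn, base_dn, scope):
    """Would an account directly under container_dn be returned by a passwd search?"""
    c, b = dn_rdns(container_dn), dn_rdns(base_dn)
    if len(c) < len(b) or c[len(c) - len(b):] != b:
        return False            # container lies outside the search base entirely
    depth = len(c) - len(b)     # 0 means the container is the base itself
    return scope == 'sub' or (scope == 'one' and depth == 0)

def vampire_will_find_machines(smb_conf, nss_conf):
    """True when Get_Pwnam, answered by nss_ldap, can see the machine container."""
    base, scope = nss_passwd_base(nss_conf)
    return container_in_scope(machine_container(smb_conf), base, scope)
```

With the sample fragments the result is False, which is exactly the situation in the first comment; only widening the nss passwd base (or pointing it at the machine container) makes the same check return True.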
Ah, but there is a legitimate reason for host accounts being effectively user accounts: they are on windows. That's part of the way windows works. A machine is an entity that can have access to a file or other object in the same way that a user can. There may be other ways to implement this, but this would definitely be a major design discussion. You are more than welcome to bring this up on the lists for discussion.
database cleanup