LDAP suffixes
14 answers

need clarification of the use of:
ldap suffix
ldap machine suffix
ldap user suffix
ldap idmap suffix
smb.conf.5 indicates you should have a fully qualified suffix such as:
ldap suffix = dc=blah,dc=com
ldap machine suffix = ou=People,dc=blah,dc=com
ldap user suffix = ou=People,dc=blah,dc=com
ldap group suffix = ou=Groups,dc=blah,dc=com
ldap idmap suffix = ou=Idmap,dc=blah,dc=dom
as demonstrated by:
Example: ldap idmap suffix = ou=Idmap,dc=samba,dc=org
and
Example: ldap group suffix =
ou=Groups,dc=samba,ou=Groups
(which, btw, is not a good example)
However, it appears from a log level 5 that this happens:
[2005/08/17 11:05:57, 5] (980)
smbldap_search_ext: base =[ou=Groups,dc=blah,dc=com,dc=blah,dc=com], filter =[(&(objectClass=sambaGroupMapping)(gidNumber=-2))], scope =[2]
It combines two suffixes. Which is the correct behavior?
I see utils/net_rpc_samsync.c seems to think the prior is true.
This behavior is consistent all the way back to 3.0.11.
Cheers,
Bill
No.1
William Jojo wrote:
need clarification of the use of:
ldap suffix
ldap machine suffix
ldap user suffix
ldap idmap suffix
smb.conf.5 indicates you should have a fully qualified suffix such as:
ldap suffix = dc=blah,dc=com
ldap machine suffix = ou=People,dc=blah,dc=com
ldap user suffix = ou=People,dc=blah,dc=com
ldap group suffix = ou=Groups,dc=blah,dc=com
ldap idmap suffix = ou=Idmap,dc=blah,dc=dom
The man page is wrong. You can use a full DN only if
'ldap suffix' is an empty string.
cheers, jerry
No.2
Wed, 17 Aug 2005, Gerald (Jerry) Carter wrote:
William Jojo wrote:
--
need clarification of the use of:
ldap suffix
ldap machine suffix
ldap user suffix
ldap idmap suffix
smb.conf.5 indicates you should have a fully qualified suffix such as:
ldap suffix = dc=blah,dc=com
ldap machine suffix = ou=People,dc=blah,dc=com
ldap user suffix = ou=People,dc=blah,dc=com
ldap group suffix = ou=Groups,dc=blah,dc=com
ldap idmap suffix = ou=Idmap,dc=blah,dc=dom
The man page is wrong. You can use a full DN only if
'ldap suffix' is an empty string.
--
Should 'ldap suffix' ever be empty? Where would Samba put sambaDomain
objects if this were empty? It seems to me this should never be empty. :-)
Cheers,
Bill
cheers, jerry
No.3
Wed, 17 Aug 2005, John H Terpstra wrote:
Wednesday 17 August 2005 09:15, William Jojo wrote:
need clarification of the use of:
ldap suffix
ldap machine suffix
ldap user suffix
ldap idmap suffix
smb.conf.5 indicates you should have a fully qualified suffix such as:
ldap suffix = dc=blah,dc=com
ldap machine suffix = ou=People,dc=blah,dc=com
ldap user suffix = ou=People,dc=blah,dc=com
ldap group suffix = ou=Groups,dc=blah,dc=com
ldap idmap suffix = ou=Idmap,dc=blah,dc=dom
It is sufficient to specify:
ldap suffix = dc=foobar,dc=biz
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
Samba will take care of the catenation. These will all be expanded correctly.
For example the 'ldap user suffix' will be expanded to:
Thanks, John. I failed to indicate that this is how I currently use it. I
wanted to clear up the confusion as I know you like documentation to be
very clear and concise. :-) :-)
Cheers,
Bill
ldap machine suffix = ou=Computers,dc=foobar,dc=biz
- John T.
--
as demonstrated by:
Example: ldap idmap suffix = ou=Idmap,dc=samba,dc=org
and
Example: ldap group suffix =
ou=Groups,dc=samba,ou=Groups
(which, btw, is not a good example)
--
However, it appears from a log level 5 that this happens:
[2005/08/17 11:05:57, 5] (980)
smbldap_search_ext: base =[ou=Groups,dc=blah,dc=com,dc=blah,dc=com], filter =[(&(objectClass=sambaGroupMapping)(gidNumber=-2))], scope =[2]
It combines two suffixes. Which is the correct behavior?
I see utils/net_rpc_samsync.c seems to think the prior is true.
This behavior is consistent all the way back to 3.0.11.
Cheers,
Bill
No.5
Wednesday 17 August 2005 09:15, William Jojo wrote:
need clarification of the use of:
ldap suffix
ldap machine suffix
ldap user suffix
ldap idmap suffix
smb.conf.5 indicates you should have a fully qualified suffix such as:
ldap suffix = dc=blah,dc=com
ldap machine suffix = ou=People,dc=blah,dc=com
ldap user suffix = ou=People,dc=blah,dc=com
ldap group suffix = ou=Groups,dc=blah,dc=com
ldap idmap suffix = ou=Idmap,dc=blah,dc=dom
It is sufficient to specify:
ldap suffix = dc=foobar,dc=biz
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
Samba will take care of the catenation. These will all be expanded correctly.
For example the 'ldap user suffix' will be expanded to:
ldap machine suffix = ou=Computers,dc=foobar,dc=biz
- John T.
as demonstrated by:
Example: ldap idmap suffix = ou=Idmap,dc=samba,dc=org
and
Example: ldap group suffix =
ou=Groups,dc=samba,ou=Groups
(which, btw, is not a good example)
However, it appears from a log level 5 that this happens:
[2005/08/17 11:05:57, 5] (980)
smbldap_search_ext: base =[ou=Groups,dc=blah,dc=com,dc=blah,dc=com], filter =[(&(objectClass=sambaGroupMapping)(gidNumber=-2))], scope =[2]
It combines two suffixes. Which is the correct behavior?
I see utils/net_rpc_samsync.c seems to think the prior is true.
This behavior is consistent all the way back to 3.0.11.
Cheers,
Bill
No.7
Wednesday 17 August 2005 09:25, Gerald (Jerry) Carter wrote:
William Jojo wrote:
need clarification of the use of:
ldap suffix
ldap machine suffix
ldap user suffix
ldap idmap suffix
smb.conf.5 indicates you should have a fully qualified suffix such as:
ldap suffix = dc=blah,dc=com
ldap machine suffix = ou=People,dc=blah,dc=com
ldap user suffix = ou=People,dc=blah,dc=com
ldap group suffix = ou=Groups,dc=blah,dc=com
ldap idmap suffix = ou=Idmap,dc=blah,dc=dom
The man page is wrong. You can use a full DN only if
'ldap suffix' is an empty string.
I had not caught that. Will fix it now.
- John T.
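To make the catenation rule concrete, here is an added Python illustration; it is not Samba's code, nor anything the posters wrote. It models the expansion John describes (relative suffix catenated onto 'ldap suffix'), shows that giving a fully qualified DN while 'ldap suffix' is also set yields the doubled search base from Bill's level-5 log, and checks an smb.conf fragment for that misconfiguration. The smb.conf fragments, the log line (joined onto one line) and all function names are constructed for this example.

```python
# Added illustration of the smb.conf suffix expansion discussed in this
# thread.  This is not Samba's code; it models the behaviour the posters
# describe and checks an smb.conf for the doubled-base misconfiguration.
import re

# Constructed smb.conf fragments built from the values quoted in the thread.
# RELATIVE_CONF follows John Terpstra's recommended form; FULL_DN_CONF is the
# (then) man-page form that Jerry Carter says is only valid with an empty
# 'ldap suffix'.
RELATIVE_CONF = """
ldap suffix = dc=foobar,dc=biz
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
"""

FULL_DN_CONF = """
ldap suffix = dc=blah,dc=com
ldap machine suffix = ou=People,dc=blah,dc=com
ldap user suffix = ou=People,dc=blah,dc=com
ldap group suffix = ou=Groups,dc=blah,dc=com
ldap idmap suffix = ou=Idmap,dc=blah,dc=com
"""

# Bill's level-5 log line, joined onto one line (constructed sample).
LOG_LINE = ("smbldap_search_ext: base =[ou=Groups,dc=blah,dc=com,dc=blah,dc=com], "
            "filter =[(&(objectClass=sambaGroupMapping)(gidNumber=-2))], scope =[2]")

SUFFIX_KEYS = ("ldap machine suffix", "ldap user suffix",
               "ldap group suffix", "ldap idmap suffix")


def parse_conf(text):
    """Minimal 'key = value' parser for the [global] lines we care about."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";", "[")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            params[key.strip().lower()] = value.strip()
    return params


def rdns(dn):
    """Split a DN into its RDNs, lower-cased, for comparison."""
    return [r.strip().lower() for r in dn.split(",") if r.strip()]


def expand(base, relative):
    """Catenate a relative suffix onto 'ldap suffix', as John describes:
    expand('dc=foobar,dc=biz', 'ou=People') -> 'ou=People,dc=foobar,dc=biz'.
    With an empty base (Jerry's case) the value is used as given."""
    if not base:
        return relative
    if not relative:
        return base
    return relative + "," + base


def check_conf(text):
    """Return {param: (search_base, warning)} for each per-object suffix.
    The warning is set when a suffix already ends with 'ldap suffix': Samba
    still appends the base, so the resulting search base carries it twice."""
    params = parse_conf(text)
    base = params.get("ldap suffix", "")
    base_rdns = rdns(base)
    report = {}
    for key in SUFFIX_KEYS:
        rel = params.get(key, "")
        search_base = expand(base, rel)
        warning = None
        if base_rdns and rdns(rel)[-len(base_rdns):] == base_rdns:
            warning = (key + " already ends with ldap suffix; "
                       "search base becomes " + search_base)
        report[key] = (search_base, warning)
    return report


LOG_RE = re.compile(r"smbldap_search_ext: base =\[([^\]]*)\]")


def doubled_base_in_log(line, base):
    """True when a smbldap_search_ext log line shows the 'ldap suffix' RDNs
    twice in a row at the end of the search base (Bill's symptom)."""
    m = LOG_RE.search(line)
    if not m:
        return False
    r, b = rdns(m.group(1)), rdns(base)
    n = len(b)
    return n > 0 and len(r) >= 2 * n and r[-n:] == b and r[-2 * n:-n] == b


if __name__ == "__main__":
    for name, conf in (("relative", RELATIVE_CONF), ("full DN", FULL_DN_CONF)):
        print("==", name)
        for key, (search_base, warning) in check_conf(conf).items():
            print(f"{key:22} -> {search_base}" + (f"   ** {warning}" if warning else ""))
    print("log shows doubled base:", doubled_base_in_log(LOG_LINE, "dc=blah,dc=com"))
```

Running it prints the expanded search base for each parameter and flags all four full-DN entries; doubled_base_in_log() applies the same check to a level-5 log line, which is a quick way to confirm the symptom on an existing setup.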
No.8
William Jojo wrote:
Wed, 17 Aug 2005, Gerald (Jerry) Carter wrote:
William Jojo wrote:
need clarification of the use of:
ldap suffix
ldap machine suffix
ldap user suffix
ldap idmap suffix
smb.conf.5 indicates you should have a fully qualified suffix such as:
ldap suffix = dc=blah,dc=com
ldap machine suffix = ou=People,dc=blah,dc=com
ldap user suffix = ou=People,dc=blah,dc=com
ldap group suffix = ou=Groups,dc=blah,dc=com
ldap idmap suffix = ou=Idmap,dc=blah,dc=dom
The man page is wrong. You can use a full DN only if
'ldap suffix' is an empty string.
Should 'ldap suffix' ever be empty? Where would
Samba put sambaDomain objects if this were empty? It seems to
me this should never be empty. :-)
True. Can't really write the rootDSE now can you.
+1 for you.
cheers, jerry
No.9
Wed, Aug 17, 2005 at 09:30:31AM -0600, John H Terpstra wrote:
It is sufficient to specify:
ldap suffix = dc=foobar,dc=biz
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
Samba will take care of the catenation. These will all be expanded correctly.
For example the 'ldap user suffix' will be expanded to:
ldap machine suffix = ou=Computers,dc=foobar,dc=biz
here I have a dead tree copy of Samba-3 by Example
which says in Chapter 6, paragraph 3.5
LDAP Initialization and Creation of User Group Accounts
NOTE
By placing all machine accounts in the People
container, we were able to side-step this bug.
So it seems the bug, that prevents samba from being able to search the LDAP
database for computer accounts if they are placed in the Computers
container, is gone.
My questions:
* the version with the bug, did they work with
ldap suffix = dc=foobar,dc=biz
ldap user suffix = ou=People
ldap machine suffix = ou=Computers,ou=People
in smb.conf successfully?
* In which version was the bug fixed?
Cheers
Geert Stappers
No.10
Wednesday 17 August 2005 10:05, Geert Stappers wrote:
Wed, Aug 17, 2005 at 09:30:31AM -0600, John H Terpstra wrote:
It is sufficient to specify:
ldap suffix = dc=foobar,dc=biz
ldap machine suffix = ou=Computers
ldap user suffix = ou=People
ldap group suffix = ou=Groups
ldap idmap suffix = ou=Idmap
Samba will take care of the catenation. These will all be expanded
correctly. For example the 'ldap user suffix' will be expanded to:
ldap machine suffix = ou=Computers,dc=foobar,dc=biz
here I have a dead tree copy of Samba-3 by Example
which says in Chapter 6, paragraph 3.5
LDAP Initialization and Creation of User Group Accounts
NOTE
By placing all machine accounts in the People
container, we were able to side-step this bug.
This note has been significantly expanded in the second edition of this book.
It is now in Chapter 5, section 5.4.5. The more detailed explanation in the
second edition demonstrates the fact that this was not a bug in Samba, but
rather an identity resolution issue involving NSS.
So it seems the bug, that prevents samba from being able to search the LDAP
database for computer accounts if they are placed in the Computers
container, is gone.
The problem is one of the ability to find the computer account via NSS.
My questions:
* the version with the bug, did they work with
ldap suffix = dc=foobar,dc=biz
ldap user suffix = ou=People
ldap machine suffix = ou=Computers,ou=People
in smb.conf successfully?
--
* In which version was the bug fixed?
This was not a Samba bug as explained above.
PS: Suggest you refer to chapter 5, section 5.3.1.7, of the current
Samba3-ByExample book. You can obtain it on-line from:
This book will become available in computer stores by mid-September.
Cheers,
John T.
No.11
Wed, Aug 17, 2005 at 10:56:39AM -0600, John H Terpstra wrote:
Wednesday 17 August 2005 10:05, Geert Stappers wrote:
<snip/>
The problem is one of the ability to find the computer account via NSS.
My questions:
* the version with the bug, did they work with
ldap suffix = dc=foobar,dc=biz
ldap user suffix = ou=People
ldap machine suffix = ou=Computers,ou=People
in smb.conf successfully?
--
* In which version was the bug fixed?
This was not a Samba bug as explained above.
PS: Suggest you refer to chapter 5, section 5.3.1.7, of the current
Samba3-ByExample book. You can obtain it on-line from:
This book will become available in computer stores by mid-September.
In chapter 5 I found
. ldap suffix [dc=abmas,dc=biz]
. ldap group suffix [ou=Groups]
. ldap user suffix [ou=People,ou=Users]
. ldap machine suffix [ou=Computers,ou=Users]
. Idmap suffix [ou=Idmap]
That makes this LDAP tree(beard)
dc=abmas,dc=biz
      /      |      \
ou=Groups    |    ou=Idmap
             |
          ou=Users
          /      \
   ou=People   ou=Computers
That allows a nss_base_passwd ou=Users,dc=abmas,dc=biz?one
Shouldn't /etc/samba/smb.conf contain
ldap user suffix = ou=People,ou=Users
ldap machine suffix = ou=Computers,ou=Users
or
ldap user suffix = ou=Users
ldap machine suffix = ou=Users
instead of the current
ldap machine suffix = ou=People
ldap user suffix = ou=People
that is now in Example 5.7. LDAP Based smb.conf File, Server: MASSIVE
global Section: Part B at
?
Cheers
Geert Stappers
No.12
Wednesday 17 August 2005 15:57, Geert Stappers wrote:
Wed, Aug 17, 2005 at 10:56:39AM -0600, John H Terpstra wrote:
Wednesday 17 August 2005 10:05, Geert Stappers wrote:
<snip/>
The problem is one of the ability to find the computer account via NSS.
My questions:
* the version with the bug, did they work with
ldap suffix = dc=foobar,dc=biz
ldap user suffix = ou=People
ldap machine suffix = ou=Computers,ou=People
in smb.conf successfully?
--
* In which version was the bug fixed?
This was not a Samba bug as explained above.
PS: Suggest you refer to chapter 5, section 5.3.1.7, of the current
Samba3-ByExample book. You can obtain it on-line from:
This book will become available in computer stores by mid-September.
In chapter 5 I found
. ldap suffix [dc=abmas,dc=biz]
. ldap group suffix [ou=Groups]
. ldap user suffix [ou=People,ou=Users]
. ldap machine suffix [ou=Computers,ou=Users]
. Idmap suffix [ou=Idmap]
--
That makes this LDAP tree(beard)
dc=abmas,dc=biz
      /      |      \
ou=Groups    |    ou=Idmap
             |
          ou=Users
          /      \
   ou=People   ou=Computers
That allows a nss_base_passwd ou=Users,dc=abmas,dc=biz?one
No, if you want to perform a single search in nss_ldap you need:
nss_base_passwd ou=Users,dc=abmas,dc=biz?sub
Note: sub not one
--
Shouldn't /etc/samba/smb.conf contain
ldap user suffix = ou=People,ou=Users
ldap machine suffix = ou=Computers,ou=Users
Correct.
or
ldap user suffix = ou=Users
ldap machine suffix = ou=Users
No, that expects all the accounts to be in the ou=Users container.
instead of the current
ldap machine suffix = ou=People
ldap user suffix = ou=People
That expects all user and machine accounts in the ou=People container.
that is now in Example 5.7. LDAP Based smb.conf File, Server: MASSIVE
global Section: Part B at
?
The example puts both user and machine accounts into the ou=People container.
The diagnostic section explains how they CAN be separated.
Cheers,
John T. (Jan, the man who cannot do everything).
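An added illustration of John's scope point, written in Python; it is not code from Samba, nss_ldap or the book. It builds a handful of constructed entries laid out as in the tree above (users under ou=People,ou=Users, machines under ou=Computers,ou=Users) and emulates the base/one/sub search scopes that can follow the '?' in nss_base_passwd, so you can see that '?one' from ou=Users finds neither users nor machines while '?sub' finds both. The entry DNs, the SID and the function names are constructed for this example; treating a missing scope as 'sub' is an assumption noted in the code.

```python
# Added illustration (not Samba, nss_ldap or book code) of why the
# nss_base_passwd search for the container layout quoted from Samba-3 by
# Example needs scope 'sub' rather than 'one'.  All entries are constructed.

# Constructed entries for the tree discussed above: user accounts under
# ou=People,ou=Users, machine accounts (trailing '$' in the uid) under
# ou=Computers,ou=Users, and group/idmap entries beside ou=Users.
ENTRIES = [
    "uid=bobj,ou=People,ou=Users,dc=abmas,dc=biz",
    "uid=stans,ou=People,ou=Users,dc=abmas,dc=biz",
    "uid=massive$,ou=Computers,ou=Users,dc=abmas,dc=biz",
    "cn=Domain Admins,ou=Groups,dc=abmas,dc=biz",
    "sambaSID=S-1-5-21-1-2-3-1000,ou=Idmap,dc=abmas,dc=biz",
]


def rdns(dn):
    """Split a DN into its RDNs, lower-cased, for comparison."""
    return [r.strip().lower() for r in dn.split(",") if r.strip()]


def search(entries, base, scope):
    """Emulate the three LDAP search scopes nss_ldap accepts after the '?'
    in nss_base_passwd: base (the base entry itself), one (immediate
    children only) and sub (the whole subtree).  Returns matching DNs."""
    b = rdns(base)
    hits = []
    for dn in entries:
        r = rdns(dn)
        if r[-len(b):] != b:          # entry is not under this base at all
            continue
        depth = len(r) - len(b)       # 0 = the base itself, 1 = direct child
        if (scope == "base" and depth == 0) or \
           (scope == "one" and depth == 1) or \
           scope == "sub":
            hits.append(dn)
    return hits


def parse_nss_base(value):
    """Split 'base?scope' as written in nss_base_passwd.  A missing scope is
    treated as 'sub' here (assumption: mirrors nss_ldap's global 'scope'
    default; check your ldap.conf)."""
    base, _, scope = value.partition("?")
    return base.strip(), (scope.strip() or "sub")


def accounts_found(nss_base_passwd, entries=ENTRIES):
    """Count the (user, machine) accounts an nss_ldap passwd lookup with the
    given nss_base_passwd line would be able to see."""
    base, scope = parse_nss_base(nss_base_passwd)
    hits = search(entries, base, scope)
    first = [dn.split(",")[0] for dn in hits]
    users = sum(1 for f in first if f.startswith("uid=") and not f.endswith("$"))
    machines = sum(1 for f in first if f.startswith("uid=") and f.endswith("$"))
    return users, machines


def scope_needed(entries, base):
    """Narrowest scope from which every account under base is visible:
    'one' if all accounts are immediate children, otherwise 'sub'; None
    if no account lives under base at all."""
    b = rdns(base)
    depths = [len(rdns(dn)) - len(b) for dn in entries
              if rdns(dn)[0].startswith("uid=") and rdns(dn)[-len(b):] == b]
    if not depths:
        return None
    return "one" if max(depths) == 1 else "sub"


if __name__ == "__main__":
    for line in ("ou=Users,dc=abmas,dc=biz?one", "ou=Users,dc=abmas,dc=biz?sub"):
        print(line, "-> users, machines =", accounts_found(line))
    print("scope needed from ou=Users:",
          scope_needed(ENTRIES, "ou=Users,dc=abmas,dc=biz"))
```

scope_needed() reports the narrowest scope that still reaches every account under a base, which is a quick way to sanity-check an nss_base_passwd line against the containers that the expanded 'ldap user suffix' and 'ldap machine suffix' actually point at.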
No.13
Wed, Aug 17, 2005 at 04:35:05PM -0600, John H Terpstra wrote:
Wednesday 17 August 2005 15:57, Geert Stappers wrote:
<snip/>
. ldap suffix [dc=abmas,dc=biz]
. ldap group suffix [ou=Groups]
. ldap user suffix [ou=People,ou=Users]
. ldap machine suffix [ou=Computers,ou=Users]
. Idmap suffix [ou=Idmap]
That makes this LDAP tree(beard)
dc=abmas,dc=biz
      /      |      \
ou=Groups    |    ou=Idmap
             |
          ou=Users
          /      \
   ou=People   ou=Computers
That allows a nss_base_passwd ou=Users,dc=abmas,dc=biz?one
No, if you want to perform a single search in nss_ldap you need:
nss_base_passwd ou=Users,dc=abmas,dc=biz?sub
Note: sub not one
, noticed
Shouldn't /etc/samba/smb.conf contain
ldap user suffix = ou=People,ou=Users
ldap machine suffix = ou=Computers,ou=Users
Correct.
or
ldap user suffix = ou=Users
ldap machine suffix = ou=Users
No, that expects all the accounts to be in the ou=Users container.
instead of the current
ldap machine suffix = ou=People
ldap user suffix = ou=People
That expects all user and machine accounts in the ou=People container.
that is now in Example 5.7. LDAP Based smb.conf File, Server: MASSIVE
global Section: Part B at
?
The example puts both user and machine accounts into the ou=People container.
The diagnostic section explains how they CAN be separated.
Now I get it. I did see a strange single trail, but there are several trails.
( s/trail/configuration/ )
Cheers,
John T. (Jan, the man who cannot do everything).
(Originally in Dutch.) It was a pleasant surprise to read Dutch from you. I even burst out laughing. How easily a person can be caught on the wrong foot.
In English:
It was a pleasant surprise to read Dutch from you. It did make me laugh.
Man can be tricked by his assumptions.
Cheers
Geert Stappers
No.14
Thursday 18 August 2005 01:18, Geert Stappers wrote:
(Originally in Dutch.) It was a pleasant surprise to read Dutch from you. I even burst out laughing. How easily a person can be caught on the wrong foot.
(Originally in Dutch.) I am a Dutchman who has been out of the country for more than 45 years. My Dutch is still usable, but not too well maintained either. Because I speak English like an Englishman, I am taken for an Englishman, but in the heart of my heart I remain a Dutchman. It is the land of my forefathers.
In English:
It was a pleasant surprise to read Dutch from you. It did make me laugh.
Man can be tricked by his assumptions.
(Originally in Dutch.) I don't hold it against you. :-) I would think your English would be better than my Dutch.
Until we hear from each other again.
Bye.
- Jan