Hallo William,

thanks for your fast answer. As you said, samba should not add a new =
when the domain already exist - important that ldapsearch is able to =
that entry - right ?
I have double-checked my configurations now: I use the same =
Schema-files on
both LDAP servers an i use the same slapd.conf file, the only changes
regarding slurpd. I did an ldapsearch for ObjectClass=3DSambaDomain =
with the
same result on both servers.

- If there is an entry in LDAP for DOM01 samba should use that during
startup -right ?
- With cleared *.tdb's and samba comes up, i get the LDAP-Message "No
structuralObjectClass for entry =
(sambaDomainName=3DDOM01,dc=3Dxxx,dc=3Dintra) -
and thats not rigth, samba should search for
sambaDomainName=3DDOM01,ou=3Ddomains,dc=3Dxxx,dc=3 Dintra.
- after executing smbpasswd -w yxyxyx a new entry named
sambaDomainName=3DDOM01,dc=3Dxxx,dc=3Dintra, with the same SID than the =
other one,
exist an the most things are working.

What do you mean of changing ldap base in smb.conf ? I can't try out a =
because thats production enviroment.

I will be pleased for some more ideas.


-----Urspr=FCngliche Nachricht-----
Von: William Jojo [mailto:jojowil@hvcc.edu]
Gesendet: Freitag, 12. November 2004 14:09
An: schmieder, holger
Cc: 'samba-technical@lists.samba.org'
Betreff: Re: SAMBA 3.0.x OpenLDAP - wrong Container for DomainName

On Fri, 12 Nov 2004, schmieder, holger wrote:

> Hallo all,
> i got the following problem an hope someone knows a solution for that
> -Installed: 2 Samba server, both with OpenLDAP, replicated by slurpd.
> -Managing of objects through LAM
> -localSID's and domain SID are all the same.
> On the first server the domain ist ready an working. The =

> stored in the ou=3Ddomains,dc=3Dxxx,dc=3Dintra.
> (SambaDomainName=3DDOM01,ou=3Ddomains,dc=3Dxxx,dc= 3Dintra)
> After typing in "smbpasswd -w xxx" on second server, a new domain was
> created in LDAP with the =


actually Samba does do a search in the subtree value supplied in "ldap
suffix" before creating any new values for domain entries. perhaps
permissions on ou=3Ddomains subtree are too tight for samba to "see" =

> I believe because of that, some things for example usrmgr.exe won't =

> corectly.
> Can someone tell me how to tell smbpasswd to use an existing domain =

> SID stored in ou=3Ddomains ?

There presently is no way to do it as there is no specific suffix value
option for that. Samba will always create the domain entry in "ldap
suffix" if you do not create the domain entry yourself. I've just =
the entry myself in the DIT prior to starting any new samba servers and
that has worked fine for me. It may seem inconvenient, but you only =
to do it once - I can live with that ;-)

Again make sure your permission on subtree values are not too =
Also a log level 10 will help you determine what requests Samba is =
against the DIT.

I've included a snippet of indexes and permissions that I've glom'ed =
Samba How-To and LDAP-System Admin. and various google-ing's for =
2.2.x (which is what my permissions are based on)

My machines are in the ou=3Dpeople section as there is still =
over whether machines whould be separated or not and it was easier to =
"lump" them.

index objectClass eq
index cn pres,eq,sub
index sn pres,eq,sub
index mail pres,eq,sub
index uid pres,eq,sub
index memberUid eq
index uidNumber eq
index gidNumber eq
index sambaSID eq
index sambaDomainName eq
index sambaPrimaryGroupSID eq
index default sub,eq

access to dn.subtree=3D"ou=3Dhvccdir,dc=3Ddomain,dc=3Dedu"
by domain=3D".*\.domain\.edu" read
by anonymous read
by dn=3D"cn=3Droot,dc=3Ddomain,dc=3Dedu" write
by * none

access to dn.subtree=3D"ou=3DPeople,dc=3Ddomain,dc=3Dedu" =
by self write
by dn=3D"cn=3Droot,dc=3Ddomain,dc=3Dedu" write
by * auth

access to dn.subtree=3D"ou=3DPeople,dc=3Ddomain,dc=3Dedu"
by dn=3D"cn=3Droot,dc=3Ddomain,dc=3Dedu" write
by * none

access to dn.subtree=3D"ou=3DPeople,dc=3Ddomain,dc=3Dedu"
by dn=3D"cn=3Droot,dc=3Ddomain,dc=3Dedu" write
by * read

access to dn.subtree=3D"ou=3DGroups,dc=3Ddomain,dc=3Dedu"
by dn=3D"cn=3Droot,dc=3Ddomain,dc=3Dedu" write
by * read

access to dn.subtree=3D"ou=3DIdmap,dc=3Ddomain,dc=3Dedu"
by dn=3D"cn=3Droot,dc=3Ddomain,dc=3Dedu" write
by * read

access to dn.subtree=3D"ou=3DDomains,dc=3Ddomain,dc=3Dedu"
by dn=3D"cn=3Droot,dc=3Ddomain,dc=3Dedu" write
by * read

access to dn.subtree=3D"dc=3Ddomain,dc=3Dedu"
by dn=3D"cn=3Droot,dc=3Ddomain,dc=3Dedu" write
by * read

> Thanks for every good idea.
> Holger

Best of luck to you!