Hello William,

thanks for your fast answer. As you said, samba should not add a new entry
when the domain already exists - it is important that ldapsearch is able to find
that entry - right?
I have double-checked my configurations now: I use the same schema files on
both LDAP servers and I use the same slapd.conf file, the only differences
being those regarding slurpd. I did an ldapsearch for ObjectClass=SambaDomain
with the same result on both servers.

Again:
- If there is an entry in LDAP for DOM01, samba should use that during
startup - right?
- With cleared *.tdb's and samba comes up, I get the LDAP message "No
structuralObjectClass for entry (sambaDomainName=DOM01,dc=xxx,dc=intra)" -
and that's not right, samba should search for
sambaDomainName=DOM01,ou=domains,dc=xxx,dc=intra.
- After executing smbpasswd -w yxyxyx a new entry named
sambaDomainName=DOM01,dc=xxx,dc=intra, with the same SID as the
other one, exists and most things are working.

What do you mean by changing ldap base in smb.conf? I can't try out a
lot because that's a production environment.

I would be pleased to hear some more ideas.

Thanks
Holger


-----Original Message-----
From: William Jojo [mailto:jojowil@hvcc.edu]
Sent: Friday, 12 November 2004 14:09
To: schmieder, holger
Cc: 'samba-technical@lists.samba.org'
Subject: Re: SAMBA 3.0.x OpenLDAP - wrong Container for DomainName




On Fri, 12 Nov 2004, schmieder, holger wrote:

> Hello all,
>
> I got the following problem and hope someone knows a solution for it.
>
> -Installed: 2 Samba servers, both with OpenLDAP, replicated by slurpd.
> -Management of objects through LAM
> -Local SIDs and domain SID are all the same.
>
> On the first server the domain is ready and working. The SambaDomainName
> is stored in ou=domains,dc=xxx,dc=intra.
> (SambaDomainName=DOM01,ou=domains,dc=xxx,dc=intra)
>
> After typing in "smbpasswd -w xxx" on the second server, a new domain was
> created in LDAP with the DN SambaDomainName=DOM01,dc=xxx,dc=intra
>


Actually Samba does do a search in the subtree value supplied in "ldap
suffix" before creating any new values for domain entries. Perhaps
permissions on the ou=domains subtree are too tight for samba to "see" it.

> I believe because of that, some things, for example usrmgr.exe, won't
> work correctly.
>
> Can someone tell me how to tell smbpasswd to use an existing domain with
> the SID stored in ou=domains?
>


There presently is no way to do it as there is no specific suffix value
option for that. Samba will always create the domain entry in "ldap
suffix" if you do not create the domain entry yourself. I've just created
the entry myself in the DIT prior to starting any new samba servers and
that has worked fine for me. It may seem inconvenient, but you only have
to do it once - I can live with that ;-)

Again, make sure your permissions on subtree values are not too restrictive.
Also, a log level 10 will help you determine what requests Samba is making
against the DIT.

I've included a snippet of indexes and permissions that I've glom'ed from
the Samba How-To and LDAP System Admin. and various google-ings for OpenLDAP
2.2.x (which is what my permissions are based on).

My machines are in the ou=people section as there is still controversy
over whether machines should be separated or not and it was easier to just
"lump" them.


index objectClass eq
index cn pres,eq,sub
index sn pres,eq,sub
index mail pres,eq,sub
index uid pres,eq,sub
index memberUid eq
index uidNumber eq
index gidNumber eq
index sambaSID eq
index sambaDomainName eq
index sambaPrimaryGroupSID eq
index default sub,eq

access to dn.subtree="ou=hvccdir,dc=domain,dc=edu"
    by domain=".*\.domain\.edu" read
    by anonymous read
    by dn="cn=root,dc=domain,dc=edu" write
    by * none

access to dn.subtree="ou=People,dc=domain,dc=edu" attrs=userPassword
    by self write
    by dn="cn=root,dc=domain,dc=edu" write
    by * auth

access to dn.subtree="ou=People,dc=domain,dc=edu" attrs=sambaLMPassword,sambaNTPassword
    by dn="cn=root,dc=domain,dc=edu" write
    by * none

access to dn.subtree="ou=People,dc=domain,dc=edu"
    by dn="cn=root,dc=domain,dc=edu" write
    by * read

access to dn.subtree="ou=Groups,dc=domain,dc=edu"
    by dn="cn=root,dc=domain,dc=edu" write
    by * read

access to dn.subtree="ou=Idmap,dc=domain,dc=edu"
    by dn="cn=root,dc=domain,dc=edu" write
    by * read

access to dn.subtree="ou=Domains,dc=domain,dc=edu"
    by dn="cn=root,dc=domain,dc=edu" write
    by * read

access to dn.subtree="dc=domain,dc=edu"
    by dn="cn=root,dc=domain,dc=edu" write
    by * read



> Thanks for every good idea.
>
> Holger
>
>



Best of luck to you!
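William's point above, that Samba must be able to read the existing domain entry under ou=Domains before it will reuse it and that the slapd ACLs decide whether it can, can be checked offline with a small first-match ACL evaluator. This is an added example, not code from the thread, from Samba or from OpenLDAP: it models a simplified subset of slapd.access(5) semantics (first matching "access to" clause, first matching "by" clause, implicit deny, no rootdn exemption), and the ACL text, the cn=samba bind DN and the DOM01 entry DN are constructed for illustration from the DNs in William's snippet.

```python
import re

# OpenLDAP 2.2 access levels, weakest to strongest (slapd.access(5)).
LEVELS = ["none", "auth", "compare", "search", "read", "write"]

def parse_acl(text):
    """Parse 'access to dn.subtree=...' blocks into (subtree, attrs, [(who, level)]) tuples."""
    rules = []
    for block in re.split(r"^access to ", text.strip(), flags=re.M)[1:]:
        head, *rest = block.strip().splitlines()
        subtree = re.search(r'dn\.subtree="([^"]+)"', head).group(1).lower()
        m = re.search(r"attrs=(\S+)", head)
        attrs = {a.lower() for a in m.group(1).split(",")} if m else None  # None: entry + all attrs
        by = [tuple(l.strip()[3:].rsplit(" ", 1)) for l in rest if l.strip().startswith("by ")]
        rules.append((subtree, attrs, by))
    return rules

def access_level(rules, target_dn, attr=None, requester_dn=None, client_host=""):
    """First-match model of slapd.access(5): the first clause whose target matches decides, then
    the first matching 'by' in it; no match is the implicit 'by * none'. attr=None = entry access."""
    target_dn = target_dn.lower()
    for subtree, attrs, by in rules:
        if target_dn != subtree and not target_dn.endswith("," + subtree):
            continue
        if attrs is not None and (attr is None or attr.lower() not in attrs):
            continue
        for who, level in by:
            if (who == "*"
                    or (who == "anonymous" and requester_dn is None)
                    or (who == "self" and requester_dn and requester_dn.lower() == target_dn)
                    or (who.startswith('dn="') and requester_dn and requester_dn.lower() == who[4:-1].lower())
                    or (who.startswith('domain="') and re.fullmatch(who[8:-1], client_host))):
                return level
        return "none"  # clause matched the target but no 'by' matched the requester
    return "none"  # no clause matched the target at all (slapd also exempts the rootdn; this does not)

# Constructed subset of the thread's ACL set (its DNs), plus a hypothetical non-root Samba bind DN.
ROOT, SAMBA = "cn=root,dc=domain,dc=edu", "cn=samba,dc=domain,dc=edu"
DOMAIN = "sambaDomainName=DOM01,ou=Domains,dc=domain,dc=edu"
OPEN = parse_acl(f'''
access to dn.subtree="ou=People,dc=domain,dc=edu" attrs=sambaLMPassword,sambaNTPassword
    by dn="{ROOT}" write
    by * none
access to dn.subtree="ou=Domains,dc=domain,dc=edu"
    by dn="{ROOT}" write
    by * read
''')
# ou=Domains closed to all but cn=root: any other Samba bind DN gets 'none' on DOM01, i.e. cannot see it.
TIGHT = [(s, a, [(w, "none" if w == "*" else lv) for w, lv in by])
         if s.startswith("ou=domains") else (s, a, by) for s, a, by in OPEN]
```

Running the same queries against a live directory (ldapsearch bound as the Samba "ldap admin dn", or slapd at log level 10 as William suggests) is the real check; the model only shows which clause is expected to win.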