[Samba] Samba PDC With LDAP Backend, Failed to initialise SAM_ACCOUNT for user

Cybionet cybionet at videotron.ca
Wed Jul 12 04:43:35 GMT 2006


Greetings Zach,

Samba 3 with an LDAP backend works perfectly without problems (for Windows and Linux clients). But be sure that your configuration is OK. From the log, I suppose that you can’t reach your LDAP directory entry and that the Aries computer doesn’t exist in the LDAP directory.

Here is some input. First, make some modifications to your smb.conf.

 [global]
  # Change the next line; you can’t own .com.
  workgroup = mktec
  netbios name = MKTEC
  server string = %h server (Samba %v)
  wins support = yes
  # Is your Samba a DNS proxy? Remove it.
  ; dns proxy = yes
  # Not useful; the default value is fine.
  ; name resolve order = wins lmhosts host bcast
  log file = /var/log/samba/log.%m
  max log size = 1000
  syslog = 0
  security = user
  encrypt passwords = true

  # Change the next line like this; you don’t want to use the Samba 2 backend.
  passdb backend = ldapsam:ldap://127.0.0.1

  ldap admin dn = cn=admin,dc=mktec,dc=com
  ldap suffix = dc=mktec,dc=com

  # The following lines are not necessary. You will specify these entries in the 
  # /etc/openldap/ldap.conf.
  ; ldap group suffix= ou=Groups
  ; ldap user suffix = ou=Users
  ; ldap machine suffix = ou=Users
  ; ldap idmap suffix = ou=Users

  # No need to specify it; it is the default.
  ; ldap ssl = no

  # Here you are using the IDEALX scripts; I can’t help you with those. I think phpLDAPAdmin is better, but that’s only an opinion.
  # #################################################################
  passwd program = /usr/sbin/smbldap-passwd %u
  passwd chat = ****New*password** %n\n ****Retype*new*password** %n\n ****all*authentication*tokens*updated**

  add user script = /usr/sbin/smbldap-useradd -m "%u"
  ldap delete dn = Yes
  delete user script = /usr/sbin/smbldap-userdel "%u"
  add machine script = /usr/sbin/smbldap-useradd -w "%u"
  add group script = /usr/sbin/smbldap-groupadd -p "%g"
  delete group script = /usr/sbin/smbldap-groupdel "%g"
  add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
  delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
  set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
  enable privileges = yes
  # ################################################################

  domain logons = yes
  domain master = yes
  preferred master = yes
  local master = yes
  # Add this line to be sure that your server is the DMB and LMB.
  os level = 65

  # Does this really need to be specified?
  ; load printers = no
  socket options = TCP_NODELAY

 [netlogon]
  comment = Network Logon Service
  path = /var/lib/samba/netlogon
  # Just use these two.
  browseable = no
  read only = yes
  ; guest ok = yes
  ; read only = yes
  # The next line has incomplete syntax.
  ; write list
  ; writable = no
  ; share modes = no

 [profiles]
  comment = Users profiles
  path = /var/lib/samba/profiles
  read only = no
  # Not really necessary if you don’t use roaming profiles.
  ; guest ok = no
  ; browseable = no
  ; create mask = 0600
  ; directory mask = 0700


 After that, be sure that you have run this command. Samba needs it to access LDAP. It’s the cn=admin,dc=mktec,dc=com password.

   smbpasswd -w password

 Also check that /etc/openldap/ldap.conf is OK. It must look like this.

 BASE dc=mktec,dc=com
 URI ldap://127.0.0.1

 rootbinddn cn=admin,dc=mktec,dc=com
 scope one
 ldap_version 3
 pam_filter objectclass=posixAccount
 pam_login_attribute uid
 pam_member_attribute memberuid
 pam_password exop

 # Base parameters.
 nss_base_passwd dc=mktec,dc=com
 nss_base_shadow dc=mktec,dc=com

 # Advanced parameters.
 nss_base_passwd ou=Users,dc=mktec,dc=com?sub
 nss_base_shadow ou=Users,dc=mktec,dc=com?sub
 nss_base_group ou=Groups,dc=mktec,dc=com?sub

 # Why don’t you use Computers in your DIT?
 # nss_base_hosts ou=Computers,dc=mktec,dc=com
 nss_base_hosts ou=Users,dc=mktec,dc=com

 Can your Samba server ping yourservername.mktec.com? If not, adjust your resolv.conf (if you use BIND) and/or add the mapping to the hosts file.
And lastly, be sure that mktec.com, the computer Aries$ and cn=admin,dc=mktec,dc=com exist in the LDAP directory.


Hope that can help!

Robert

>I have seen this problem posted several times and the common answer doesn't seem to be doing it for me.
>
>Here's the error:
>
>Trying to load: ldapsam_compat:ldap://127.0.0.1/
>Attempting to register passdb backend ldapsam
>Successfully added passdb backend 'ldapsam'
>Attempting to register passdb backend ldapsam_compat
>Successfully added passdb backend 'ldapsam_compat'
>Attempting to register passdb backend NDS_ldapsam
>Successfully added passdb backend 'NDS_ldapsam'
>Attempting to register passdb backend NDS_ldapsam_compat
>Successfully added passdb backend 'NDS_ldapsam_compat'
>Attempting to register passdb backend smbpasswd
>Successfully added passdb backend 'smbpasswd'
>Attempting to register passdb backend tdbsam
>Successfully added passdb backend 'tdbsam'
>Attempting to register passdb backend guest
>Successfully added passdb backend 'guest'
>Attempting to find an passdb backend to match ldapsam_compat:ldap://127.0.0.1/ (ldapsam_compat)
>Found pdb backend ldapsam_compat
>pdb backend ldapsam_compat:ldap://127.0.0.1/ has a valid init
>Attempting to find an passdb backend to match guest (guest)
>Found pdb backend guest
>pdb backend guest has a valid init
>smbldap_search_ext: base => [dc=mktec,dc=com], filter => [(&(uid=Aries$)(objectclass=sambaAccount))], scope => [2]
>The connection to the LDAP server was closed
>smb_ldap_setup_connection: ldap://127.0.0.1/
>smbldap_open_connection: connection opened
>ldap_connect_system: Binding to ldap server ldap://127.0.0.1/ as "cn=admin,dc=mktec,dc=com"
>ldap_connect_system: succesful connection to the LDAP server
>Failed to initialise SAM_ACCOUNT for user Aries$. Does this user exist in the UNIX password database ?
>Failed to modify password entry for user Aries$
>ldap_connect_system: LDAP server does support paged results
>The LDAP server is succesfully connected
>ldapsam_getsampwnam: Unable to locate user [Aries$] count=0
>Finding user Aries$
>Trying _Get_Pwnam(), username as lowercase is aries$
>Trying _Get_Pwnam(), username as given is Aries$
>Trying _Get_Pwnam(), username as uppercase is ARIES$
>Checking combinations of 0 uppercase letters in aries$
>Get_Pwnam_internals didn't find user [Aries$]!
>
>
>Here is the configuration:
>
>-----------START CONFIGURATION-------------------
>[global]
>workgroup = mktec.com
>netbios name = MKTEC
>server string = %h server (Samba %v)
>wins support = yes
>dns proxy = yes
>name resolve order = wins lmhosts host bcast
>log file = /var/log/samba/log.%m
>max log size = 1000
>syslog = 0
>panic action = /usr/share/samba/panic-action %d
>security = user
>encrypt passwords = true
>
>passdb backend = ldapsam_compat:ldap://127.0.0.1/
>obey pam restrictions = no
>invalid users = root
>
>ldap admin dn = cn=admin,dc=mktec,dc=com
>ldap suffix = dc=mktec,dc=com
>ldap group suffix= ou=Groups
>ldap user suffix = ou=Users
>ldap machine suffix = ou=Users
>ldap idmap suffix = ou=Users
>ldap ssl = no
>
>passwd program = /usr/sbin/smbldap-passwd %u
>passwd chat = *New*password* %n\n *Retype*new*password* %n\n *all*authentication*tokens*updated*
>
>add user script = /usr/sbin/smbldap-useradd -m "%u"
>
>ldap delete dn = Yes
>delete user script = /usr/sbin/smbldap-userdel "%u"
>add machine script = /usr/sbin/smbldap-useradd -w "%u"
>add group script = /usr/sbin/smbldap-groupadd -p "%g"
>delete group script = /usr/sbin/smbldap-groupdel "%g"
>add user to group script = /usr/sbin/smbldap-groupmod -m "%u" "%g"
>delete user from group script = /usr/sbin/smbldap-groupmod -x "%u" "%g"
>set primary group script = /usr/sbin/smbldap-usermod -g "%g" "%u"
>enable privileges = yes
>
>domain logons = yes
>domain master = yes
>preferred master = yes
>local master = yes
>
>load printers = no
>socket options = TCP_NODELAY
>
>[netlogon]
>   comment = Network Logon Service
>   path = /var/lib/samba/netlogon
>   guest ok = yes
>   read only = yes
>   write list
>   writable = no
>   share modes = no
>
>[profiles]
>   comment = Users profiles
>   path = /var/lib/samba/profiles
>   read only = no
>   guest ok = no
>   browseable = no
>   create mask = 0600
>   directory mask = 0700
>-----------END CONFIGURATION-------------------
>
>I mapped the ldap machine suffix to ou=Users rather than ou=Computers because of a previous message on the mailing list which
>suggested there was a bug in Samba3. It doesn't seem to work either way, as it results in the exact same error message. My LDAP
>directory is laid out with the basic Users, Computers, Groups organizational units in existence.
>
>I am running on an Ubuntu Dapper server:
>  samba 3.0.22-1
>  openldap (slapd) 2.2.26-5
>
>Any input or help is greatly appreciated. Thanks,
>
>Zach
>
>
>
>
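As an added example (not from either poster), here is a small Python check that reproduces the two lookups behind the errors in Zach's log: the passdb search (objectclass=sambaAccount for ldapsam_compat, as the log shows; sambaSamAccount, the Samba 3 schema class, for ldapsam) and the posixAccount lookup under nss_base_passwd that Get_Pwnam relies on. The LDIF parser, the sample entry and the function names are my own constructions, modelled on the thread's DNs.

```python
# Object class each Samba 3 passdb backend puts in its lookup filter: the log in
# the thread shows sambaAccount for ldapsam_compat (the Samba 2.2 schema);
# ldapsam uses the Samba 3 schema class sambaSamAccount.
SAMBA_CLASS = {"ldapsam": "sambaSamAccount", "ldapsam_compat": "sambaAccount"}

# Constructed LDIF modelled on the thread (uid=Aries$ under dc=mktec,dc=com);
# it is not Zach's real directory.
SAMPLE_LDIF = """\
dn: uid=Aries$,ou=Users,dc=mktec,dc=com
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
uid: Aries$
"""

def parse_ldif(text):
    """Minimal LDIF parser: {dn: {attr: [values]}}. No line folding or base64."""
    entries, cur = {}, None
    for line in text.splitlines():
        attr, sep, value = line.partition(":")
        if not sep:
            cur = None  # blank line ends the current entry
        elif attr == "dn":
            cur = entries.setdefault(value.strip(), {})
        elif cur is not None:
            cur.setdefault(attr, []).append(value.strip())
    return entries

def samba_filter(name, backend):
    """The filter Samba sends (see smbldap_search_ext in the quoted log)."""
    return "(&(uid=%s)(objectclass=%s))" % (name, SAMBA_CLASS[backend])

def diagnose(ldif_text, name, backend, suffix, nss_base_passwd):
    """Return why the lookup would fail; an empty list means the account resolves."""
    under = lambda dn, base: dn.lower().endswith("," + base.lower())
    hits = [(dn, e) for dn, e in parse_ldif(ldif_text).items()
            if name in e.get("uid", []) and under(dn, suffix)]
    if not hits:
        return ["no uid=%s under %s (ldapsam_getsampwnam count=0)" % (name, suffix)]
    problems = []
    for dn, e in hits:
        classes = {c.lower() for c in e.get("objectClass", [])}
        if SAMBA_CLASS[backend].lower() not in classes:
            problems.append("%s does not match %s" % (dn, samba_filter(name, backend)))
        if "posixaccount" not in classes or not under(dn, nss_base_passwd):
            problems.append("%s is not a posixAccount under %s, so NSS (Get_Pwnam)"
                            " cannot see it" % (dn, nss_base_passwd))
    return problems
```

Run it against a real export with `ldapsearch -x -b dc=mktec,dc=com -LLL` output in place of SAMPLE_LDIF to see which of the two lookups is failing.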