[Samba] Users can't login on Samba+Ldap

dogbert dogbert at infinito.it
Mon May 11 17:16:57 GMT 2009


I've found somewhere (I'm looking again for the document) that from a certain 
version on it no longer needs the libnss_ldap.conf/secret files because it's 
all configured in ldap.conf/secret (and I don't have any libnss_ldap files).

Anyway, I checked with the getent command and I get only entries from the 
/etc/passwd and group files.

I'd like to store all the Windows user and workstation information in LDAP, 
keeping only the administrative user in passwd.

François Legal wrote:
> To be honest, I don't know very well all the ldap client configuration
> stuff. Anyway, nss is not (AFAIK) configured in /etc/ldap.conf.
> 
> You should have libnss_ldap.conf/secret files containing the ldap
> configuration (bind DN/pwd, suffix for users, suffix for groups...) so that
> NSS can successfully look up the directory when it has to find user/group
> information.
> 
> You can see if it is configured properly by running getent group and getent
> passwd.
> These commands shall display all the groups and users found on the system.
> That is each user and group present in /etc/passwd /etc/group plus each
> user contained in maybe ou=Users,dc=yourcompany,dc=com and
> ou=Groups,dc=yourcompany,dc=com and (that one is important too)
> ou=Machines,dc=yourcompany,dc=com from your directory.
> 
> Note that if you plan to only use ldap to store user information, you
> should no longer have real users/groups in /etc/passwd and /etc/group
> 
> François
> 
> On Mon, 11 May 2009 16:51:47 +0200, dogbert at infinito.it wrote:
>> I'm checking /etc/ldap.conf and it seems that at the end of this file a
>> line was added with the following directive:
>> nss_initgroups_ignoreusers
>>
>> that included more or less every single entry contained in my /etc/passwd
>> file at the time of the ldap configuration.
>>
>> Is that normal behaviour?
>>
>> Thanks,
>> Riccardo
>>
>>> Did you properly configure nssldap?
>>>
>>> On Mon, 11 May 2009 14:25:05 +0200, dogbert at infinito.it wrote:
>>>> Hi,
>>>>
>>>> I've migrated from an old samba installation (Samba as PDC) that used a
>>>> TDB backend for passwords.
>>>>
>>>> I've set up a box with ubuntu and samba 3 + ldap and I imported the old
>>>> users.
>>>> Old users work fine.
>>>>
>>>> I have problems with new users and machines.
>>>>
>>>> Old users work but they don't show up with the smbldap-usershow command
>>>> and I have problems changing their passwords. If I check the ldap db I
>>>> can find them (with both ldapsearch and slapcat).
>>>>
>>>> New users created with smbldap-useradd can be seen with the
>>>> smbldap-usershow command but can't log on to a workstation.
>>>>
>>>> If I join a workstation (directly from the workstation) it is added to
>>>> the ldap db but it doesn't see the domain until I manually add an entry
>>>> for it in /etc/passwd.
>>>>
>>>> Checking the user entry for two users I can find the following
>>>> differences.
>>>> BERENICE is a user imported from the old system and is working fine:
>>>> dn: uid=berenice,ou=Users,dc=DOMAIN,dc=IT
>>>> uid: berenice
>>>> sambaSID: S-1-5-21-1234567890-123456789-123456789-2018
>>>> sambaPrimaryGroupSID: S-1-5-21-1234567890-123456789-123456789-513
>>>> displayName: berenice
>>>> sambaLogonTime: 0
>>>> sambaLogoffTime: 4294967295
>>>> sambaKickoffTime: 4294967295
>>>> sambaPwdCanChange: 1161193814
>>>> sambaPwdMustChange: 4294967295
>>>> sambaLMPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>> sambaNTPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>> sambaPasswordHistory:
>>>> 0000000000000000000000000000000000000000000000000000000000000000
>>>> sambaPwdLastSet: 1161193814
>>>> sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>>>> sambaAcctFlags: [U          ]
>>>> sambaBadPasswordCount: 0
>>>> sambaBadPasswordTime: 0
>>>> objectClass: sambaSamAccount
>>>> objectClass: account
>>>> structuralObjectClass: account
>>>> entryUUID: af11fe14-8e7a-102d-9b4e-27169ab1b87f
>>>> creatorsName: cn=admin,dc=DOMAIN,dc=IT
>>>> createTimestamp: 20090214003220Z
>>>> entryCSN: 20090214003220.132569Z#000000#000#000000
>>>> modifiersName: cn=admin,dc=DOMAIN,dc=IT
>>>> modifyTimestamp: 20090214003220Z
>>>>
>>>> ADAM is a freshly created user and can't log on to a workstation:
>>>> dn: uid=adam,ou=Users,dc=DOMAIN,dc=IT
>>>> objectClass: top
>>>> objectClass: person
>>>> objectClass: organizationalPerson
>>>> objectClass: inetOrgPerson
>>>> objectClass: posixAccount
>>>> objectClass: shadowAccount
>>>> objectClass: sambaSamAccount
>>>> cn: adam
>>>> sn: adam
>>>> givenName: adam
>>>> uid: adam
>>>> uidNumber: 1004
>>>> gidNumber: 513
>>>> homeDirectory: /home/adam
>>>> loginShell: /bin/bash
>>>> gecos: System User
>>>> structuralObjectClass: inetOrgPerson
>>>> entryUUID: f9326600-8e7a-102d-9bb5-27169ab1b87f
>>>> creatorsName: cn=admin,dc=DOMAIN,dc=IT
>>>> createTimestamp: 20090214003424Z
>>>> sambaLogonTime: 0
>>>> sambaLogoffTime: 2147483647
>>>> sambaKickoffTime: 2147483647
>>>> sambaPwdCanChange: 0
>>>> displayName: adam
>>>> sambaSID: S-1-5-21-1234567890-123456789-123456789-3008
>>>> sambaPrimaryGroupSID: S-1-5-21-1234567890-123456789-123456789-513
>>>> sambaLogonScript: logon.bat
>>>> sambaProfilePath: serverprofilesadam
>>>> sambaHomePath: serveradam
>>>> sambaHomeDrive: C:
>>>> sambaLMPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>> sambaAcctFlags: [U]
>>>> sambaNTPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>> sambaPwdLastSet: 1234571674
>>>> sambaPwdMustChange: 1238459674
>>>> userPassword:: e1NTSEF9SStEUWVhay9tV2ROTGtOZy9QSlRqTDIrdmM1d1V6ZE4=
>>>> shadowLastChange: 14289
>>>> shadowMax: 45
>>>> entryCSN: 20090214003434.475223Z#000000#000#000000
>>>> modifiersName: cn=admin,dc=DOMAIN,dc=IT
>>>> modifyTimestamp: 20090214003434Z
>>>>
>>>>
>>>> Any help would be appreciated.
>>>> Thanks,
>>>> Riccardo
> 
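The thread turns on two things: whether NSS can resolve an LDAP entry at all (getent passwd), and whether the entry carries what Samba's passdb needs for a logon. The two quoted entries differ exactly there: BERENICE has sambaSamAccount but no posixAccount (no uidNumber/gidNumber/homeDirectory), so NSS never returns her and smbldap-tools skip her; ADAM has both. Below is an added example, not code from Samba or smbldap-tools, that parses a slapcat-style LDIF dump and reports those gaps per account, plus the primary-group and account-flag checks a practitioner would run next. The sample LDIF is constructed: the two users follow the thread's entries (hashes and SIDs are placeholders), while the machine account pc01$, its flags, and the Domain Users group are assumptions added to exercise the cross-entry checks.

```python
"""Audit Samba 3 + LDAP account entries for what NSS and Samba need.

Added example (not Samba or smbldap-tools code). Parses an LDIF dump and
reports, per account, why getent passwd or a Samba logon would reject it.
"""
import base64
import binascii

# Constructed sample: users modelled on the thread; machine + group are assumed.
SAMPLE_LDIF = """\
dn: uid=berenice,ou=Users,dc=DOMAIN,dc=IT
objectClass: sambaSamAccount
objectClass: account
uid: berenice
sambaSID: S-1-5-21-1234567890-123456789-123456789-2018
sambaPrimaryGroupSID: S-1-5-21-1234567890-123456789-123456789-513
sambaLMPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
sambaNTPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
sambaAcctFlags: [U          ]

dn: uid=adam,ou=Users,dc=DOMAIN,dc=IT
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: sambaSamAccount
uid: adam
uidNumber: 1004
gidNumber: 513
homeDirectory: /home/adam
sambaSID: S-1-5-21-1234567890-123456789-123456789-3008
sambaPrimaryGroupSID: S-1-5-21-1234567890-123456789-123456789-513
sambaLMPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
sambaNTPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
sambaAcctFlags: [U]
userPassword:: e1NTSEF9SStEUWVhay9tV2ROTGtOZy9QSlRqTDIrdmM1d1V6ZE4=

dn: uid=pc01$,ou=Machines,dc=DOMAIN,dc=IT
objectClass: posixAccount
objectClass: sambaSamAccount
uid: pc01$
uidNumber: 2001
gidNumber: 515
homeDirectory: /dev/null
sambaSID: S-1-5-21-1234567890-123456789-123456789-5002
sambaPrimaryGroupSID: S-1-5-21-1234567890-123456789-123456789-515
sambaNTPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
sambaAcctFlags: [U]

dn: cn=Domain Users,ou=Groups,dc=DOMAIN,dc=IT
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Domain Users
gidNumber: 513
sambaSID: S-1-5-21-1234567890-123456789-123456789-513
"""

POSIX_REQUIRED = ("uidNumber", "gidNumber", "homeDirectory")   # for nss_ldap
SAMBA_REQUIRED = ("sambaSID", "sambaPrimaryGroupSID", "sambaAcctFlags",
                  "sambaNTPassword")                            # for passdb


def parse_ldif(text):
    """Parse a minimal LDIF dump into a list of {attribute: [values]} dicts,
    unfolding continuation lines and decoding '::' base64 values."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:      # folded continuation line
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded + [""]:                  # trailing "" flushes last entry
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                 # e.g. userPassword:: <base64>
            try:
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            except binascii.Error:
                value = value[1:].strip()
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return entries


def check_account(entry, groups_by_gid):
    """Return the list of findings for one user or machine entry."""
    findings = []
    classes = set(entry.get("objectClass", []))
    is_machine = entry["uid"][0].endswith("$")    # machine accounts end in '$'

    # NSS side: no posixAccount means no getent passwd line, so Samba cannot
    # map the account to a Unix uid and smbldap-tools do not list it.
    if "posixAccount" not in classes:
        findings.append("no posixAccount objectClass: invisible to NSS (getent passwd)")
    findings += [f"missing {a}" for a in POSIX_REQUIRED if a not in entry]

    # Samba side
    if "sambaSamAccount" not in classes:
        findings.append("no sambaSamAccount objectClass: not a Samba account")
    findings += [f"missing {a}" for a in SAMBA_REQUIRED if a not in entry]

    # Flags must match the account type: U for users, W for workstation trusts
    flags = entry.get("sambaAcctFlags", [""])[0]
    if is_machine and "W" not in flags:
        findings.append(f"machine account with flags {flags}: expected W")
    if not is_machine and "U" not in flags:
        findings.append(f"user account with flags {flags}: expected U")
    if "D" in flags:
        findings.append("account is disabled (D flag)")

    # Primary group: gidNumber must resolve to a posixGroup whose sambaSID
    # equals sambaPrimaryGroupSID, or the group lookup at logon fails.
    gid = entry.get("gidNumber", [None])[0]
    pg_sid = entry.get("sambaPrimaryGroupSID", [None])[0]
    if gid is not None:
        group = groups_by_gid.get(gid)
        if group is None:
            findings.append(f"gidNumber {gid} has no posixGroup entry")
        elif pg_sid and group.get("sambaSID", [None])[0] != pg_sid:
            findings.append(f"gidNumber {gid}: group sambaSID != sambaPrimaryGroupSID")

    # LM hashes are case-insensitive and trivially cracked; consider disabling
    # LanMan authentication (lanman auth = no in smb.conf) and re-setting passwords.
    if "sambaLMPassword" in entry:
        findings.append("sambaLMPassword stored: weak LM hash present")
    return findings


def audit(ldif_text):
    """Map each account uid to its findings (empty list = nothing flagged)."""
    entries = parse_ldif(ldif_text)
    groups_by_gid = {e["gidNumber"][0]: e for e in entries
                     if "posixGroup" in e.get("objectClass", [])}
    return {e["uid"][0]: check_account(e, groups_by_gid) for e in entries if "uid" in e}


if __name__ == "__main__":
    for uid, findings in audit(SAMPLE_LDIF).items():
        print(uid, "->", findings or "ok")
```

Run it against a real dump with `slapcat -l users.ldif` (or an ldapsearch over the Users, Machines and Groups OUs) and feed the file to audit(). An account that passes every check but still does not appear in getent passwd points at the client side (nss_ldap configuration or the nss_initgroups_ignoreusers line) rather than at the directory.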


