[Samba] ldap backend failing

Gaiseric Vandal gaiseric.vandal at gmail.com
Fri Jun 10 12:51:09 MDT 2011


It looks like this is configured as a BDC (domain logons = yes, domain 
master = no).

How is the underlying unix account created? Do you manually create 
them, or does a script create them? If you don't actually create a 
unix account, then you need to make sure winbindd is allocating a uid. 
Either way "getent passwd" should show you the unix user name or uid.

If you use winbindd to allocate unix uids, then /etc/nsswitch.conf 
would need an entry like
     passwd: files ldap winbind
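The checks above, scripted, as an added example (it is not from this thread or from the Samba project): it pulls the user names that smbd reports as "in passdb, but getpwnam() fails", asks getent whether each one resolves through NSS, and inspects the passwd: line of an nsswitch.conf for an ldap/winbind/sss source. The function names and the sample smbd log and nsswitch.conf it writes to a temp directory are constructed for the demonstration; point diagnose at /var/log/samba/*.log and /etc/nsswitch.conf to run it against a real host.

```shell
#!/bin/sh
# Added diagnostic following the advice above (not Samba's own code).
# Exit statuses and printed values come from the functions so they can be
# used from other scripts as well as from the diagnose summary.

# Print, one per line, the unique user names from smbd lines such as
#   User djohn in passdb, but getpwnam() fails!
users_missing_unix_account() {
    sed -n 's/.*User \([^ ]*\) in passdb, but getpwnam() fails.*/\1/p' "$1" | sort -u
}

# Print how many such lines the log contains (0 when there are none).
count_passdb_without_unix_account() {
    awk '/in passdb, but getpwnam/ { n++ } END { print n + 0 }' "$1"
}

# Exit 0 if the passwd: line of an nsswitch.conf-style file lists a source
# that can serve directory-backed accounts (ldap, winbind or sss).
nsswitch_passwd_has_directory() {
    awk '$1 == "passwd:" { for (i = 2; i <= NF; i++) if ($i ~ /^(ldap|winbind|sss)$/) ok = 1 }
         END { exit ok ? 0 : 1 }' "$1"
}

# Exit 0 if NSS (and therefore getpwnam()) knows the user.
unix_account_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# Run all checks against an smbd log and an nsswitch.conf; print a summary.
diagnose() {
    log="$1"; nss="$2"
    echo "lines reporting a passdb user without a unix account: $(count_passdb_without_unix_account "$log")"
    for u in $(users_missing_unix_account "$log"); do
        if unix_account_resolves "$u"; then
            echo "  $u: resolves via getent passwd now"
        else
            echo "  $u: NOT visible to getent passwd"
        fi
    done
    if nsswitch_passwd_has_directory "$nss"; then
        echo "$nss: passwd line consults ldap/winbind/sss"
    else
        echo "$nss: passwd line uses local files only (add ldap and/or winbind)"
    fi
}

# Constructed sample input: log lines shaped like the ones in the thread,
# plus a nsswitch.conf that only consults local files.
tmp=$(mktemp -d)
cat > "$tmp/smbd.log" <<'EOF'
[2011/06/10 16:11:21,  0] passdb/pdb_get_set.c:pdb_get_group_sid(210)
  pdb_get_group_sid: Failed to find Unix account for djohn
[2011/06/10 16:11:21,  1] auth/auth_util.c:make_server_info_sam(562)
  User djohn in passdb, but getpwnam() fails!
[2011/06/10 16:11:21,  1] auth/auth_util.c:make_server_info_sam(562)
  User djohn in passdb, but getpwnam() fails!
EOF
printf 'passwd:  files\ngroup:   files\n' > "$tmp/nsswitch.conf"

diagnose "$tmp/smbd.log" "$tmp/nsswitch.conf"
rm -rf "$tmp"
```

If a user is listed as missing and the passwd: line already consults ldap or winbind, the next thing to check is the NSS side itself (the ldap client configuration, or whether winbindd is running and its idmap range covers the account), since smbd only reports what getpwnam() returned.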

On 06/10/2011 12:45 PM, Dermot wrote:
> Hi,
>
> I have an ldap provider and consumer that appear to work correctly,
> e.g. new users are sync'ed and a search on either server (ldapsearch -x
> -b 'dc=example,dc=com' '(cn=djohn)') returns an object. However when an
> XP user attempts to connect to the consumer server the authentication
> fails:
>
>
> [2011/06/10 16:11:21,  0] lib/util_sock.c:write_data(1059)
> [2011/06/10 16:11:21,  0] lib/util_sock.c:get_peer_addr_internal(1607)
>    getpeername failed. Error was Transport endpoint is not connected
>    write_data: write failure in writing to client 0.0.0.0. Error
> Connection reset by peer
> [2011/06/10 16:11:21,  0] smbd/process.c:srv_send_smb(74)
>    Error writing 4 bytes to client. -1. (Transport endpoint is not connected)
> [2011/06/10 16:11:21,  0] passdb/pdb_get_set.c:pdb_get_group_sid(210)
>    pdb_get_group_sid: Failed to find Unix account for djohn
> [2011/06/10 16:11:21,  1] auth/auth_util.c:make_server_info_sam(562)
>    User djohn in passdb, but getpwnam() fails!
> [2011/06/10 16:11:21,  0] auth/auth_sam.c:check_sam_security(355)
>    check_sam_security: make_server_info_sam() failed with
> 'NT_STATUS_NO_SUCH_USER'
> [2011/06/10 16:11:21,  0] passdb/pdb_get_set.c:pdb_get_group_sid(210)
>    pdb_get_group_sid: Failed to find Unix account for djohn
> [2011/06/10 16:11:21,  1] auth/auth_util.c:make_server_info_sam(562)
>    User djohn in passdb, but getpwnam() fails!
> [2011/06/10 16:11:21,  0] auth/auth_sam.c:check_sam_security(355)
>    check_sam_security: make_server_info_sam() failed with
> 'NT_STATUS_NO_SUCH_USER'
>
> The XP user is prompted with a login dialogue box.
>
>
> I can see requests being made from the smb consumer server to the ldap provider
>
> Jun 10 15:54:43 provider slapd[11306]: conn=70 fd=19 ACCEPT from
> IP=162.128.168.137:49339 (IP=0.0.0.0:389)
> Jun 10 15:54:43 provider slapd[11306]: conn=70 op=0 BIND
> dn="cn=admin,dc=example,dc=com" method=128
> Jun 10 15:54:43 provider slapd[11306]: conn=70 op=0 BIND
> dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
> Jun 10 15:54:43 provider slapd[11306]: conn=70 op=0 RESULT tag=97 err=0 text=
> Jun 10 15:54:43 provider slapd[11306]: conn=70 op=1 SRCH base=""
> scope=0 deref=0 filter="(objectClass=*)"
> Jun 10 15:54:43 provider slapd[11306]: conn=70 op=1 SRCH attr=supportedControl
> Jun 10 15:54:43 provider slapd[11306]: conn=70 op=1 SEARCH RESULT
> tag=101 err=0 nentries=1 text=
> Jun 10 15:54:43 provider slapd[11306]: conn=70 op=2 SRCH
> base="sambaDomainName=LDNSPL,sambaDomainName=LDNSPL,dc=example,dc=com"
> scope=2 deref=0
> filter="(&(objectClass=sambaTrustedDomainPassword)(sambaDomainName=LDNSPL))"
> Jun 10 15:54:43 provider slapd[11306]: conn=70 op=2 SEARCH RESULT
> tag=101 err=32 nentries=0 text=
> Jun 10 15:54:43 provider slapd[11306]: conn=70 op=3 SRCH
> base="dc=example,dc=com" scope=2 deref=0
> filter="(&(uid=djohn)(objectClass=sambaSamAccount))"
> Jun 10 15:54:43 provider slapd[11306]: conn=70 op=3 SRCH attr=uid
> uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
> sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
> sn diLDNSPLayName sambaHomeDrive sambaHomePath sambaLogonScript
> sambaProfilePath description sambaUserWorkstations sambaSID
> sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
> objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
> sambaBadPasswordTime sambaPasswordHistory modifyTimestamp
> sambaLogonHours modifyTimestamp uidNumber
> Jun 10 15:54:43 provider slapd[11306]: conn=70 op=3 SEARCH RESULT
> tag=101 err=0 nentries=1 text=
> Jun 10 15:54:43 provider slapd[11306]: conn=70 op=4 SRCH
> base="sambaDomainName=LDNSPL,dc=example,dc=com" scope=0 deref=0
> filter="(objectClass=*)"
> Jun 10 15:54:43 provider slapd[11306]: conn=70 op=4 SRCH
> attr=sambaPwdHistoryLength
> Jun 10 15:54:43 provider slapd[11306]: conn=70 op=4 SEARCH RESULT
> tag=101 err=0 nentries=1 text=
> Jun 10 15:54:43 provider slapd[11306]: conn=70 fd=19 closed (connection lost)
> Jun 10 15:54:43 provider slapd[11306]: conn=71 fd=19 ACCEPT from
> IP=162.128.168.137:49340 (IP=0.0.0.0:389)
> Jun 10 15:54:43 provider slapd[11306]: conn=71 op=0 BIND
> dn="cn=admin,dc=example,dc=com" method=128
> Jun 10 15:54:43 provider slapd[11306]: conn=71 op=0 BIND
> dn="cn=admin,dc=example,dc=com" mech=SIMPLE ssf=0
> Jun 10 15:54:43 provider slapd[11306]: conn=71 op=0 RESULT tag=97 err=0 text=
> Jun 10 15:54:43 provider slapd[11306]: conn=71 op=1 SRCH base=""
> scope=0 deref=0 filter="(objectClass=*)"
> Jun 10 15:54:43 provider slapd[11306]: conn=71 op=1 SRCH attr=supportedControl
> Jun 10 15:54:43 provider slapd[11306]: conn=71 op=1 SEARCH RESULT
> tag=101 err=0 nentries=1 text=
> Jun 10 15:54:43 provider slapd[11306]: conn=71 op=2 SRCH
> base="sambaDomainName=LDNSPL,sambaDomainName=LDNSPL,dc=example,dc=com"
> scope=2 deref=0
> filter="(&(objectClass=sambaTrustedDomainPassword)(sambaDomainName=LDNSPL))"
> Jun 10 15:54:43 provider slapd[11306]: conn=71 op=2 SEARCH RESULT
> tag=101 err=32 nentries=0 text=
> Jun 10 15:54:43 provider slapd[11306]: conn=71 op=3 SRCH
> base="dc=example,dc=com" scope=2 deref=0
> filter="(&(uid=djohn)(objectClass=sambaSamAccount))"
> Jun 10 15:54:43 provider slapd[11306]: conn=71 op=3 SRCH attr=uid
> uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
> sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
> sn diLDNSPLayName sambaHomeDrive sambaHomePath sambaLogonScript
> sambaProfilePath description sambaUserWorkstations sambaSID
> sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
> objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
> sambaBadPasswordTime sambaPasswordHistory modifyTimestamp
> sambaLogonHours modifyTimestamp uidNumber
> Jun 10 15:54:43 provider slapd[11306]: conn=71 op=3 SEARCH RESULT
> tag=101 err=0 nentries=1 text=
> Jun 10 15:54:43 provider slapd[11306]: conn=71 fd=19 closed (connection lost)
>
> I see an error 32 here and I also see some nentries=1 that I'm
> guessing are matched responses.
>
> If I do ldapsearch -x -b "sambaDomainName=LDNSPL,dc=example,dc=com", I get
>
> # extended LDIF
> #
> # LDAPv3
> # base<sambaDomainName=LDNSPL,dc=example,dc=com>  with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # LDNSPL, example.com
> dn: sambaDomainName=LDNSPL,dc=example,dc=com
> objectClass: top
> objectClass: sambaDomain
> objectClass: sambaUnixIdPool
> sambaDomainName: LDNSPL
> sambaSID: S-1-5-21-1979685110-1467996072-351907979
> gidNumber: 1000
> sambaPwdHistoryLength: 0
> sambaMaxPwdAge: -1
> sambaMinPwdAge: 0
> sambaLockoutThreshold: 0
> sambaRefuseMachinePwdChange: 0
> sambaMinPwdLength: 5
> sambaLogonToChgPwd: 0
> sambaNextRid: 1001
> sambaForceLogoff: -1
> uidNumber: 1116
>
>
> The same query with cn=djohn returns nothing:
>
> ...
> # filter: cn=djohn
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 0 Success
>
>
> So some parts of my configuration look to be working but something is
> not right, and I can't figure out where the problem is. The smb config
> for the consumer is below. Can anyone help track down where the
> problem lies?
> Thanks in advance,
> Dermot.
>
>
>
>
>
> ### SMB.CONF ###
>
> [global]
>     unix charset = LOCALE
>     workgroup = LDNSPL
>     server string = Test Server
>     netbios name = docstore
> #   security = domain
>
>     load printers = no
> ;   printcap name = /etc/printcap
> ;   printcap name = lpstat
> ;   printing = cups
> cups options = raw
> ;  guest account = pcguest
>     log file = /var/log/samba/%m.log
>     log level = 1
>     syslog = 0
>     max log size = 50
>     name resolve order = wins bcast hosts
>     printcap name = CUPS
>     show add printer wizard = no
>     passdb backend = ldapsam:"ldap://provider.example.com"
> #   passdb backend = ldapsam:"ldap://consumer.example.com
> ldap://provider.example.com"
>     domain logons = yes
>     os level = 63
>     domain master = no
>     logon script = login.bat
>     logon path =
>     wins server = provider.example.com
>     ldap suffix = dc=example,dc=com
>     ldap machine suffix = ou=Computers, ou=Users
>     ldap user suffix = ou=People
>     ldap group suffix = ou=Group
>     ldap idmap suffix = ou=idmap
>     ldap admin dn = cn=admin,dc=example,dc=com
>     utmp = Yes
>     idmap backend = ldap://provider.example.com
>     idmap uid = 15000-20000
>     idmap gid = 15000-20000
