More LDAP and NT PDC questions

Kevin Myer kevin_myer at
Fri May 28 18:14:05 GMT 1999


Although I was able to successfully authenticate as a user against a SAMBA
server that was using LDAP for information, I could never manage to get
any of the domain features working yesterday.  As I had manually modified
my LDAP directory entries, based on log traces of what Samba was looking
for, I figured it was time to start afresh.

1) My first basic question - what is the status of LDAP in Samba? The
LDAP/Samba HOWTO is pretty vague and there doesn't appear to be any step
by step guide as to what you can place in the LDAP directory and what
configuration options you need to keep in /usr/local/samba/lib, etc.  
Unless I am doing something wrong (very possible), it appears it requires
quite a bit of manual attribute or object class creation.  For example,
smbpasswd doesn't appear to want to add just the necessary Samba
attributes to an already existing UNIX account.  If I narrow the base and
let it create a new account that only has a sambaAccount objectclass it
works.  Also, it appears that reliance on having an /etc/passwd isn't
going to go away.  I was hoping to use the nss_ldap module so I can have a
centralized UNIX and NT password and account repository but even with that
module running, Samba still looks for machine accounts in /etc/passwd -

2) My machines don't trust each other for some reason.  Just about
everything I try to access via User Manager or Server Manager fails
because the network password is incorrect.  I cranked logging up and found
what appears to be the problem - the machines aren't getting stored in the
Samba password hash table:

[1999/05/28 13:49:17, 2] smbd/reply.c:reply_special(140)
  netbios connect: name1=GNEISS           name2=VMNT4SER
[1999/05/28 13:49:17, 5] lib/username.c:hashed_getpwnam(233)
[1999/05/28 13:49:17, 3] lib/username.c:build_passwd_hash_table(83)
  Building passwd hash table
[1999/05/28 13:49:17, 3] lib/username.c:build_passwd_hash_table(95)
  Building passwd hash table for the first time
[1999/05/28 13:49:17, 5] lib/username.c:hashed_getpwnam(255)
  vmnt4ser not found
[1999/05/28 13:49:17, 5] lib/username.c:hashed_getpwnam(233)
[1999/05/28 13:49:17, 5] lib/username.c:hashed_getpwnam(255)
  vmnt4ser not found
[1999/05/28 13:49:17, 5] lib/username.c:hashed_getpwnam(233)
[1999/05/28 13:49:17, 5] lib/username.c:hashed_getpwnam(255)
  VMNT4SER not found
[1999/05/28 13:49:17, 5] lib/username.c:hashed_getpwnam(233)
[1999/05/28 13:49:17, 5] lib/username.c:hashed_getpwnam(255)
  Vmnt4ser not found
[1999/05/28 13:49:17, 5] lib/username.c:hashed_getpwnam(233)
[1999/05/28 13:49:17, 5] lib/username.c:hashed_getpwnam(255)
  vmnt4seR not found

This could entirely come from a misconfiguration on my end but I went
through the steps of adding the machines to the domain (smbpasswd -a -m
Machinename).  And my LDAP logs show periodic searches for machine names but
I either get that the network password is incorrect or that the RPC
failed (of course with no explanation in NT).  Am I missing LDAP
attributes or entries?  I am thinking this almost can't be the case
because my LDAP logs show no connections for the past 10+ minutes, yet
I've tried to connect to my Samba server from my NT box several times in
just the past few minutes.

3)  The NT domain FAQ states that the PDC features, etc. are in the HEAD
CVS code, which is different from the main code release.  I downloaded out
of CVS the samba directory about a week ago but I am now wondering if this
is the HEAD CVS code.  The CVS web page makes no mention of the HEAD code
but browsing CVS doesn't seem to turn up anything out of the ordinary -
just samba, and sambaold.  I would love to get this mostly working so I
can deploy it this summer but if I can't get the LDAP stuff to work
easily, it doesn't make my life any easier to maintain yet another set of
flat config files.  So I guess that ties with question 1 in how
closely can Samba be married to an LDAP database for everything, including
the traditional /etc/passwd reliance?  Will that dependency ever go away
and be replaced by something like the nss_ldap module?

Thanks much to all that have responded to my probably simple questions
over the past few days.  I have a definitely better grasp on what is going
on now but I still don't understand everything that is going on.  Thank
goodness Monday is a holiday here in the States.


     ~        Kevin M. Myer
    . .       Network/System Administrator
    /V\       ELANCO School District
   // \
  /(   )\

More information about the samba-ntdom mailing list