pdb_ldap.c, ldapsam_add_sam_account, existing poxisaccount (samba: message 7 of 20)

John Allman samba.20.kaldorg at spamgourmet.com
Fri May 27 12:57:02 GMT 2005

John H Terpstra wrote:
> John,
> Does the execution of the following list the machine account?
> 	getent passwd zyphevm$
> If not, then you have a problem with NSS and perhaps your nss_ldap 
> configuration.
Well, as I say, this is not a Linux system. There is no getent command.
There is however an id command which is comparable. I am positive that
our NSS setup is correct and working.

After Stephane's advice I tried manually adding the appropriate Samba
attributes to our posixAccount LDAP entry, and then when I tried to join
the domain it worked perfectly. I was then able to log into the domain
with Samba users defined in the LDAP database. This indicates that I was
right in my theory that the issue was Samba failing to create the Samba
attributes when the posixAccount existed in LDAP.

> You are going through a lot of pain. Have you followed the example in
> 5 of the book "Samba-3 by Example" (aka. Samba-Guide)?
Yep - this is what we have been using as our guide and it nearly worked
perfectly for us. Since this is a BSD system, some of it was slightly
different. For example the caching daemon is lookupd instead of nscd and
we use the id command instead of the getent command.

> You can obtain a copy from:
> I would appreciate feedback on that chapter, step-by-step. If any step
> does not work then we have something to work from.

Well, I've been pretty explicit in my original mail and I think the fact
that manually adding the Samba attributes made it work indicates we've
found the source of the problem. However I'm willing to help in any way
I can. I'll highlight the differences between our setup and the setup
described in that chapter.

We didn't get as far as setting up a BDC, we were only setting up a PDC.
We have *not* set up PAM for LDAP on this machine; however, we are using
the LDAP database for managing Unix logins on other workstations.

Unless I misunderstand, we do not actually *need* users to be able to
log on to the Unix machine - they merely need to exist on it. Setting up
nss_ldap seems to work perfectly for this. Our users and groups exist on
the machine; however, only local users can log in. Again, the fact that,
once the Samba attributes have been added for the machine, the machine
can join the domain and Samba users can log on indicates that not having
PAM enabled is not our issue.

Our slapd.conf is a little more complicated than the one in the chapter
as we have other services authenticating against LDAP and ACLs relevant
to them. The user we are using for Samba is the admin user who has
unlimited read and write access to every attribute. The idea was to get
it working like this, then create a Samba admin user with privileges
specific to Samba.

We have a root user in our LDAP database but this user does not have
Samba attributes and I'd rather leave it this way. The documentation
seems to imply that Samba no longer requires the root user (uid=0) to
have a Samba account since 3.0.11. Certainly the fact that things work
once we add the Samba attributes to the machine posixAccount would
indicate that this is true.

We do not have pdbedit.

We did not add any additional groups. I can confirm that the basic
groups (such as Domain Admins) exist in our LDAP database and are
recognised as Unix groups on our local machine. The net groupmap list
also returns the correct results.

Our first failure is at the net rpc join command. The error log
indicates that the reason this fails is exactly the same as the reason
that joining a workstation to the domain fails.

We can use shares via smbclient following the documentation. Again this
isn't a surprise given that once the machine is joined to the domain we
can log on.

We skipped the printer step as getting our users logged on was our top
priority. We'll fix up printers later. I can't see how it would affect
our situation.

Similarly, we skipped the BDC configuration.

We assigned user rights and privileges as per the documentation. This
was confirmed to have worked using the net rpc rights list again
following the documentation closely.

We implemented some of the profiles stuff and created the shares, though
I admit that there appear to be permission issues when I log in - it is
unable to load my profile, though it lets me log in with a temporary one.
Again, unless I am greatly mistaken, this won't affect machines joining
the domain, only users logging in.

> The smbldap-tools entries in smb.conf should handle ONLY the POSIX
> part, samba does the rest.

Samba appears to fail to do the rest in my setup at least. My first mail
was pretty explicit about the branch of code it was executing that led
it to fail. It attempts to *add* a whole new user even though the user
is already in the LDAP database. LDAP unsurprisingly doesn't like this.
The problem appears to be that the code that should detect if the user
is already in the database is failing for some reason.

I'm not outright saying that this is a bug in Samba - it could be a
configuration issue, but it doesn't appear to be one to me.

I am more than willing to do anything you like to help work out exactly
what is going on here. If it is a bug, it appears to have been in Samba
for quite a while and I'd like to get it fixed. If it is a misconfiguration,
I'd like to get it fixed instead of hacking smbldap-useradd to do more
than it's supposed to.


