pdb_ldap.c, ldapsam_add_sam_account, existing poxisaccount (samba: message 7 of 20)

spu at corman.be
Mon May 30 16:20:16 GMT 2005

Hi John,

1) Is your smbldap-tools correctly configured?
      Does smbldap-useradd -a toto work?

2) Have you specified an ldap filter parameter in your smb.conf?
      If so, then try without the ldap filter parameter, or do not use it in the filter.
      Why: in the code ... num_result =
ldap_count_entries(ldap_state->smbldap_state->ldap_struct, result);
      This line uses the ldap filter; if it counts lines with sambaSAMAccount, smbd
finds no line!

Stéphane PURNELLE                         stephane.purnelle at corman.be
Service Informatique       Corman S.A.           Tel : 00 32 087/342467

samba-technical-bounces+stephane.purnelle=corman.be at lists.samba.org wrote
on 27/05/2005 14:57:02:

> John H Terpstra wrote:
> > John,
> >
> > Does the execution of the following list the machine account?
> >
> >    getent passwd zyphevm$
> >
> > If not, then you have a problem with NSS and perhaps your nss_ldap
> > configuration.
> >
> Well, as I say, this is not a Linux system. There is no getent command.
> There is however an id command which is comparable. I am positive that
> our nss setup is correct and working.
> After Stephane's advice I tried manually adding the appropriate samba
> attributes to our posixaccount ldap entry, and then when I tried to join
> the domain it worked perfectly. I was then able to log into the domain
> with samba users defined in the ldap database. This indicates that I was
> right in my theory that the issue was samba failing to create the samba
> attributes when the posixaccount existed in ldap.
> > You are going through a lot of pain. Have you followed the example in
> > chapter 5 of the book "Samba-3 by Example" (aka. Samba-Guide)?
> >
> Yep - this is what we have been using as our guide and it nearly worked
> perfectly for us. Since this is a BSD system, some of it was slightly
> different. For example the caching daemon is lookupd instead of nscd and
> we use the id command instead of the getent command.
> > You can obtain a copy from:
> > http://www.samba.org/samba/docs/Samba-Guide.pdf
> >
> > I would appreciate feedback on that chapter, step-by-step. If any step
> > does not work then we have something to work from.
> Well, I've been pretty explicit in my original mail and I think the fact
> that manually adding the samba attributes made it work indicates we've
> found the source of the problem. However I'm willing to help in any way
> I can. I'll highlight the differences between our setup and the setup
> described in that chapter.
> We didn't get as far as setting up a BDC, we were only setting up a PDC.
> We have *not* set up pam for ldap on this machine; however we are using
> the ldap database for managing unix logins on other workstations.
> Unless I misunderstand, we do not actually *need* users to be able to
> log on to the unix machine - they merely need to exist on it. Setting up
> nss_ldap seems to work perfectly for this. Our users and groups exist on
> the machine; however only local users can log in. Again, the fact that,
> once the samba attributes have been added for the machine, the machine
> can join the domain and samba users can log on indicates that not having
> pam enabled is not our issue.
> Our slapd.conf is a little more complicated than the one in the chapter
> as we have other services authenticating against ldap and acls relevant
> to them. The user we are using for samba is the admin user who has
> unlimited read and write access to every attribute. The idea was to get
> it working like this then create a samba admin user with privileges
> specific to samba.
> We have a root user in our ldap database but this user does not have
> samba attributes and I'd rather leave it this way. The documentation
> seems to imply that samba no longer requires the root user (uid=0) to
> have a samba account since 3.0.11. Certainly the fact that things work
> once we add the samba attributes to the machine posixaccount would
> indicate that this is true.
> We do not have pdbedit.
> We did not add any additional groups. I can confirm that the basic
> groups (such as Domain Admins) exist both in our ldap database and are
> recognised as unix groups on our local machine. The net groupmap list
> also returns the correct results.
> Our first failure is at the net rpc join command. The error log
> indicates that the reason this fails is exactly the same as the reason
> that joining a workstation to the domain fails.
> We can use shares via smbclient following the documentation. Again this
> isn't a surprise given that once the machine is joined to the domain we
> can log on.
> We skipped the printer step as getting our users logged on was our top
> priority. We'll fix up printers later. I can't see how it would affect
> our situation.
> Similarly, we skipped the BDC configuration.
> We assigned user rights and privileges as per the documentation. This
> was confirmed to have worked using the net rpc rights list again
> following the documentation closely.
> We implemented some of the profiles stuff and created the shares, though
> I admit that there appear to be permission issues when I log in - it is
> unable to load my profile, though it lets me log in with a temporary one.
> Again, unless I am greatly mistaken, this won't affect machines joining
> the domain, only users logging in.
> >
> > The smbldap-tools entries in smb.conf should handle ONLY the POSIX
> > account part, samba does the rest.
> Samba appears to fail to do the rest, in my setup at least. My first mail
> was pretty explicit about the branch of code it was executing that led
> it to fail. It attempts to *add* a whole new user even though the user
> is already in the ldap database. Ldap unsurprisingly doesn't like this.
> The problem appears to be that the code that should detect if the user
> is already in the database is failing for some reason.
> I'm not outright saying that this is a bug in samba - it could be a
> configuration issue, but it doesn't appear to be to me.
> I am more than willing to do anything you like to help work out exactly
> what is going on here. If it is a bug, it appears to have been in samba for
> quite a while and I'd like to get it fixed. If it is a misconfiguration,
> I'd like to get it fixed instead of hacking smbldap-useradd to do more
> than it's supposed to.
> John
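The failure mode Stéphane describes above, modelled as an added example (this is not Samba's code): a simplified lookup-then-decide step in the spirit of ldapsam_add_sam_account, run against a constructed in-memory directory where the machine account already exists as a plain posixAccount. The `%u` substitution and the two filter strings are assumptions for the example, as is the tiny equality-only filter evaluator.

```python
# Added example, not Samba's code: models why an smb.conf 'ldap filter' that
# requires objectClass=sambaSamAccount makes the existing-entry check count
# zero entries, so Samba tries an LDAP add on a DN that already exists.
import re

# Constructed directory: the machine account was created by smbldap-useradd
# as a posixAccount only; no Samba attributes are present yet.
DIRECTORY = {
    "uid=zyphevm$,ou=Computers,dc=example,dc=com": {
        "objectClass": ["top", "account", "posixAccount"],
        "uid": ["zyphevm$"],
        "uidNumber": ["1001"],
    },
}

# Assumed filter shapes: the posixAccount lookup vs. a restrictive 'ldap filter'.
POSIX_FILTER = "(&(uid=%u)(objectClass=posixAccount))"
SAMBA_FILTER = "(&(uid=%u)(objectClass=sambaSamAccount))"

LDAP_SUCCESS, LDAP_ALREADY_EXISTS = 0, 68   # standard LDAP result codes

_ASSERTION_RE = re.compile(r"\((\w+)=([^()]+)\)")

def matches(entry, ldap_filter):
    """Minimal evaluator: AND of equality assertions, attribute names and
    values compared case-insensitively (enough for the two filters above)."""
    lowered = {k.lower(): [v.lower() for v in vals] for k, vals in entry.items()}
    return all(value.lower() in lowered.get(attr.lower(), [])
               for attr, value in _ASSERTION_RE.findall(ldap_filter))

def count_entries(ldap_filter):
    """Stand-in for ldap_count_entries() on a search using this filter."""
    return sum(1 for entry in DIRECTORY.values() if matches(entry, ldap_filter))

def plan_add_sam_account(username, lookup_filter):
    """Return 'modify' when an existing entry is found (attach Samba
    attributes to it), otherwise 'add' (create a brand-new entry)."""
    return "modify" if count_entries(lookup_filter.replace("%u", username)) else "add"

def server_reply(action, dn):
    """Mimic the directory server's answer to the chosen operation."""
    if action == "add" and dn in DIRECTORY:
        return LDAP_ALREADY_EXISTS        # the error John's join attempt hits
    return LDAP_SUCCESS

if __name__ == "__main__":
    dn = next(iter(DIRECTORY))
    for name, flt in (("posixAccount filter", POSIX_FILTER), ("sambaSamAccount filter", SAMBA_FILTER)):
        action = plan_add_sam_account("zyphevm$", flt)
        print(f"{name}: count={count_entries(flt.replace('%u', 'zyphevm$'))} "
              f"action={action} reply={server_reply(action, dn)}")
```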
