[Samba] simple LDAP question

Bruno Gimenes Pereti pereti at ump.edu.br
Thu Aug 29 08:57:01 GMT 2002

Thanks IOhannes and Adam.

First of all, sorry for the HTML e-mail I sent.

Now I'll try to show my situation. I work at a small University that is
growing. Now I have 2 Samba servers running independently, the students
don't have accounts, the teachers use one server in their classes and the
employers use the other one.
The servers are now running with the default smbpasswd file.
I intend to authenticate students, teachers and employers in Samba with LDAP,
and teachers and employers would authenticate in other services like POP.

With that I can explain what I did until now. I'm trying OpenLDAP and NDS for
Linux (Novell). All the work I did was on the LDAP installed with NDS. I
have the extended classes posixAccount, posixGroup and shadowAccount in my
schema (I don't have the Samba schema yet). My /etc/ldap.conf is:

base o=Local
pam_member_attribute member
pam_password nds
ssl no

What I understood of the PAM files is that all of them call system-auth
(/lib/security/pam_stack.so service=system-auth). I edited this file
(/etc/pam.d/system-auth) like this:

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_ldap.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        required      /lib/security/pam_deny.so

account     sufficient    /lib/security/pam_ldap.so
account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3
password    sufficient    /lib/security/pam_ldap.so
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     sufficient    /lib/security/pam_ldap.so
session     required      /lib/security/pam_unix.so

And this is the part of /etc/nsswitch.conf I edited:

passwd:     files ldap
shadow:     files ldap
group:      files ldap

With this user in LDAP:

[root at test /]# ldapsearch -x uid=bruno
version: 2

# filter: uid=bruno
# requesting: ALL

# bruno,Local
dn: cn=bruno,o=Local
uid: bruno
sn: bruno
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: ndsLoginProperties
objectClass: top
objectClass: posixAccount
objectClass: posixGroup
objectClass: shadowAccount

I tried to log in on the console but I got this error in /var/log/messages:

Aug 29 14:39:44 test login(pam_unix)[893]: session opened for user bruno by
Aug 29 14:39:44 test login[893]: Cannot make/remove an entry for the
specified session

When I created the user in Linux it started to work, with the password
stored in LDAP.

Well, this is my situation...
What should I do now to make it work without the local user?


> Bruno Gimenes Pereti wrote:
> > Hi,
> hi you !
> >
> > I'm new to LDAP and PAM. Do I need to have the user in /etc/passwd and
> > /etc/shadow to authenticate a user in the system or in the PDC?
> Weird, what do you intend to use LDAP for?
> This question seems to me like "I am new to guns. Do I need a club to
> kill someone?"
> No, you don't need /etc/passwd and /etc/shadow when using LDAP (you
> might even want to throw it away, but rather not. If your LDAP server
> fails, against whom do you want to authenticate then?)
> mfg.cds.adr
> peaceloving IOhannes
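For a user to resolve through nsswitch without a local /etc/passwd entry, the LDAP entry itself has to carry the fields that getpwnam() returns. RFC 2307 makes uidNumber, gidNumber and homeDirectory (together with cn and uid) mandatory for posixAccount, and the ldapsearch output above shows none of them. The following script is an added example, not code from the post or from Samba or nss_ldap: it parses LDIF as printed by `ldapsearch -x` and reports, per object class, which RFC 2307 MUST attributes an entry lacks. The first sample entry is the one from the post; the second ("alice") is a constructed entry that passes the check. Attribute lists are taken from RFC 2307; the function and variable names are my own.

```python
"""Check LDIF entries (as printed by `ldapsearch -x`) for the attributes that
RFC 2307 requires on posixAccount / posixGroup / shadowAccount entries.
Added example; the sample entries below are the one from the post plus a
constructed complete entry for comparison."""

# MUST attributes per RFC 2307 for the classes used in the post.
REQUIRED_ATTRS = {
    "posixAccount": ("cn", "uid", "uidNumber", "gidNumber", "homeDirectory"),
    "shadowAccount": ("uid",),
    "posixGroup": ("cn", "gidNumber"),
}
# LDAP names are case-insensitive; map lowercase -> canonical spelling.
_CANON = {name.lower(): name for name in REQUIRED_ATTRS}


def parse_ldif(text):
    """Parse LDIF text into a list of {attr(lowercase): [values]} dicts.
    Skips comments and the 'version:' line, and unfolds continuation lines
    (a line starting with one space continues the previous line)."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)

    entries, current = [], None
    for line in unfolded:
        if not line.strip():            # blank line ends an entry
            if current:
                entries.append(current)
                current = None
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):       # "attr:: base64" form; kept undecoded
            value = value[1:]
        if current is None:
            current = {}
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def missing_attributes(entry):
    """Return {objectClass: [missing MUST attributes]} for the checked classes
    the entry claims; an empty dict means nothing is missing."""
    present = set(entry)
    report = {}
    for oc in entry.get("objectclass", []):
        canon = _CANON.get(oc.lower())
        if canon is None:               # class we do not check (inetOrgPerson, ...)
            continue
        missing = [a for a in REQUIRED_ATTRS[canon] if a.lower() not in present]
        if missing:
            report[canon] = missing
    return report


# Constructed sample: first entry copied from the post's ldapsearch output,
# second entry made up to show a complete posixAccount.
SAMPLE_LDIF = """version: 2

# filter: uid=bruno
# requesting: ALL

# bruno,Local
dn: cn=bruno,o=Local
uid: bruno
sn: bruno
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: ndsLoginProperties
objectClass: top
objectClass: posixAccount
objectClass: posixGroup
objectClass: shadowAccount

# alice,Local (constructed)
dn: cn=alice,o=Local
cn: alice
uid: alice
sn: Example
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
loginShell: /bin/bash
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
"""

if __name__ == "__main__":
    for entry in parse_ldif(SAMPLE_LDIF):
        dn = entry.get("dn", ["?"])[0]
        gaps = missing_attributes(entry)
        print(dn, "OK" if not gaps else gaps)
```

Run against the post's entry it reports uidNumber, gidNumber and homeDirectory (and cn, which the printed output also omits) as missing for posixAccount, and cn and gidNumber for posixGroup; the constructed "alice" entry reports nothing. The same check can be run on real output by piping `ldapsearch -x uid=<user>` into `parse_ldif`.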
