[Samba] smbpasswd and RID/SID problems with LDAP
soren at pc172-115-242.et.byu.edu
Fri May 9 21:34:13 GMT 2003
Problem number one:
I'm running a few-hours-old CVS version of Samba 3.0 with LDAP as the
authentication backend, and I'm having some problems trying to set up
the LDAP accounts using "smbpasswd". I build the structure of the
LDAP database by importing a couple of LDIF's, and then I import the
following user account to create an administrative account within samba:
description: SMB Administrative Account
gecos: SMB Administrative Account
acctFlags: [UX ]
If I do "finger smbadmin" then his proper information comes up, I can
set his system password with "passwd," and 'login' authenticates him
(though I don't get very far with home=/dev/null and shell=/bin/false)
so I know that my LDAP and NSS are working properly. However, when I
run "smbpasswd -D 4 smbadmin" then I get the following error:
[...smbpasswd negotiates LDAP connection...]
Entry found for user: smbadmin
no rid or ntSid attribute found for this user smbadmin
ldapsam_getsampwnam: init_sam_from_ldap failed for user 'smbadmin'!
Failed to find entry for user smbadmin.
Failed to modify password entry for user smbadmin
With a more verbose error dump, I can confirm that it is finding the
smbadmin user's data, but that it isn't finding the attribute ntSid, and
thus is aborting.
However, the problem is that according to the samba LDAP schema, ntSid
is a valid attribute only for objectClass sambaGroupMapping. It isn't a
valid attribute for objectClass sambaAccount, so OpenLDAP won't let me
create a sambaAccount object with an ntSid attribute. If I add ntSid to
the objectClass sambaAccount in the samba.schema, restart OpenLDAP,
uncomment the ntSid line in the LDIF example I gave above, then I
can use smbpasswd to give smbadmin a password. Evidently from the
smbpasswd debugging output, smbpasswd should check for the existence
of the rid attribute, and continue if either ntSid or rid are found.
But it doesn't check for rid, only ntSid, and aborts.
So I guess either the samba.schema or the code for smbpasswd has to be
changed. I'm not really sure which.
Problem number two:
Running "smbpasswd -a soren" returns:
NO user RID specified on account soren, cannot add!
ldap_add_sam_account: init_ldap_from_sam failed!
Failed to add entry for user soren.
Failed to modify password entry for user soren
Perhaps it's an "undocumented feature" or just something I missed, but
I don't see a way to specify a RID when creating a new account.
soren at byu.edu
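As an added example (not from the original post or from the Samba project): a small audit script that scans an LDIF dump for sambaAccount entries lacking the rid/ntSid attribute that smbpasswd complains about above, and emits an ldapmodify input that adds a rid. The RID formula (uidNumber * 2 + algorithmic rid base, base 1000) is Samba's default algorithmic uid-to-RID mapping and is assumed here; the LDIF records are constructed sample data.

```python
# Audit sambaAccount LDIF records for a missing rid/ntSid and propose one.
# Assumes Samba's default algorithmic mapping: user RID = uidNumber*2 + 1000.
import re

ALGORITHMIC_RID_BASE = 1000  # Samba default; change if smb.conf overrides it

SAMPLE_LDIF = """\
dn: uid=smbadmin,ou=People,dc=example,dc=com
objectClass: sambaAccount
uidNumber: 1001
acctFlags: [UX ]

dn: uid=soren,ou=People,dc=example,dc=com
objectClass: sambaAccount
uidNumber: 1002
rid: 3004
"""  # constructed sample data, not a real directory

def parse_ldif(text):
    """One {attr: [values]} dict per record; folded lines are rejoined."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in re.sub(r"\n ", "", block).splitlines():  # unfold "\n "
            attr, _, value = line.partition(":")
            entry.setdefault(attr, []).append(value.strip())
        records.append(entry)
    return records

def user_rid(uid_number, base=ALGORITHMIC_RID_BASE):
    """Samba's algorithmic user RID for a POSIX uid (assumed default)."""
    return uid_number * 2 + base

def missing_rid_entries(ldif_text):
    """(dn, proposed rid) for each sambaAccount with neither rid nor ntSid."""
    found = []
    for entry in parse_ldif(ldif_text):
        if "sambaAccount" not in entry.get("objectClass", []):
            continue
        if "rid" in entry or "ntSid" in entry:
            continue                      # already has what smbpasswd needs
        found.append((entry["dn"][0], user_rid(int(entry["uidNumber"][0]))))
    return found

def modify_ldif(ldif_text):
    """ldapmodify input adding the computed rid to every affected entry."""
    return "\n".join(f"dn: {dn}\nchangetype: modify\nadd: rid\nrid: {rid}\n"
                     for dn, rid in missing_rid_entries(ldif_text))
```

Feed the output of `modify_ldif` to `ldapmodify` only after confirming the schema in use allows `rid` on sambaAccount, which is exactly the schema question the post raises.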