[Samba] smbpasswd and RID/SID problems with LDAP

Soren Harward soren at pc172-115-242.et.byu.edu
Fri May 9 21:34:13 GMT 2003

Problem number one:

I'm running a few-hours-old CVS version of Samba 3.0 with LDAP as the
authentication backend, and I'm having some problems trying to set up
the LDAP accounts using "smbpasswd".  I build the structure of the
LDAP database by importing a couple of LDIF's, and then I import the
following user account to create an administrative account within samba:

dn: uid=smbadmin,ou=users,o=caedm,dc=gilliam
objectClass: person
objectClass: sambaAccount
objectClass: posixAccount
cn: smbadmin
sn: smbadmin
uid: smbadmin
rid: 500
#ntSid: 500
primaryGroupId: 512
uidNumber: 0
gidNumber: 0
homeDirectory: /dev/null
loginShell: /bin/false
description: SMB Administrative Account
gecos: SMB Administrative Account
pwdLastSet: 0
logonTime: 0
logoffTime: 0
kickoffTime: 0
pwdCanChange: 0
pwdMustChange: 0
smbHome: \\%N\
homeDrive: K:
profilePath: \\%N\profile
acctFlags: [UX      ]

If I do "finger smbadmin" then his proper information comes up, I can
set his system password with "passwd," and 'login' authenticates him
(though I don't get very far with home=/dev/null and shell=/bin/false)
so I know that my LDAP and NSS are working properly.  However, when I
run "smbpasswd -D 4 smbadmin" then I get the following error:

[...smbpasswd negotiates LDAP connection...]
Entry found for user: smbadmin
no rid or ntSid attribute found for this user smbadmin
ldapsam_getsampwnam: init_sam_from_ldap failed for user 'smbadmin'!
Failed to find entry for user smbadmin.
Failed to modify password entry for user smbadmin

With a more verbose error dump, I can confirm that it is finding the
smbadmin user's data, but that it isn't finding the attribute ntSid, and
thus is aborting.

However, the problem is that according to the samba LDAP schema, ntSid
is a valid attribute only for objectClass sambaGroupMapping.  It isn't a
valid attribute for objectClass sambaAccount, so OpenLDAP won't let me
create a sambaAccount object with an ntSid attribute.  If I add ntSid to
the objectClass sambaAccount in the samba.schema, restart OpenLDAP,
uncomment the ntSid line in the LDIF example I gave above, then I
can use smbpasswd to give smbadmin a password.  Evidently from the
smbpasswd debugging output, smbpasswd should check for the existence
of the rid attribute, and continue if either ntSid or rid are found.
But it doesn't check for rid, only ntSid, and aborts.

So I guess either the samba.schema or the code for smbpasswd has to be
changed.  I'm not really sure which.

Problem number two:

Running "smbpasswd -a soren" returns:

NO user RID specified on account soren, cannot add!
ldap_add_sam_account: init_ldap_from_sam failed!
Failed to add entry for user soren.
Failed to modify password entry for user soren

Perhaps it's an "undocumented feature" or just something I missed, but
I don't see a way to specify a RID when creating a new account.

Soren Harward
soren at byu.edu

More information about the samba mailing list