[Samba] [3.0, LDAP] smbpasswd fails in adding new accounts

Stefan Froehlich samba at Froehlich.Priv.at
Wed Jan 21 11:50:03 GMT 2004


Hello,

I recently switched an environment from Samba 2.x to 3.0 without any
major problems. LDAP database was converted and everything worked fine,
_including_ changing passwords with smbpasswd.

However, I now had to create a new account, which failed. I created an
LDAP entry first, because I use LDAP for Unix authentication as well.
Afterwards, I wanted to add the Samba-specific attributes (some unneeded
output skipped - please ask for it if it _could_ be relevant):

| bertha:~# smbpasswd -D10 -s -a uschwarz xxxxxxxx
| [...]
| ldap_connect_system: succesful connection to the LDAP server
| The LDAP server is succesful connected
| [...]
| smbldap_search_suffix: searching
| for:[(&(&(uid=uschwarz)(objectclass=sambaSamAccount))(objectclass=sambaSamAccount))]
| ldapsam_getsampwnam: Unable to locate user [uschwarz] count=0
| Finding user uschwarz
| Trying _Get_Pwnam(), username as lowercase is uschwarz
| Get_Pwnam_internals did find user [uschwarz]!
| pdb_set_username: setting username uschwarz, was 
| element 11 -> now SET
| [...]
| pdb_init_sam_new: no RID specified.  Generating one via old algorithm
| pdb_set_user_sid: setting user sid
| S-1-5-21-1494128589-2214280660-1490714134-3148
| element 17 -> now SET
| pdb_set_user_sid_from_rid:
|         setting user sid S-1-5-21-1494128589-2214280660-1490714134-3148
| from rid 3148
| account_policy_get: maximum password age:-1
| account_policy_get: minimum password age:0
| smbldap_search_suffix: searching
| for:[(&(&(uid=uschwarz)(objectclass=sambaSamAccount))(objectclass=sambaSamAccount))]
| smbldap_search_suffix: searching
| for:[(&(sambaSID=S-1-5-21-1494128589-2214280660-1490714134-3148)(objectclass=sambaSamAccount))]
| smbldap_search_suffix: searching
| for:[(&(uid=uschwarz)(objectclass=sambaSamAccount))]
| smbldap_search_suffix: searching
| for:[(&(sambaSID=S-1-5-21-1494128589-2214280660-1490714134-3148)(|(objectClass=sambaIdmapEntry)(obje
| ctClass=sambaSidEntry)))]
| ldapsam_add_sam_account: Adding new user
| init_ldap_from_sam: Setting entry for user: uschwarz
| ldapsam_modify_entry: Failed to add user dn=
| uid=uschwarz,ou=People,dc=lise-meitner,dc=at with: Already exists
| 
| ldapsam_add_sam_account: failed to modify/add user with uid = uschwarz
| (dn = uid=uschwarz,ou=People,dc=lise-meitner,dc=at)
| Failed to add entry for user uschwarz.
| Failed to modify password entry for user uschwarz

The message "already exists" is clear, because this simply is true.
However, if I try to create a non-existing account, the result is not
much better:

| bertha:~# smbpasswd -D10 -s -a test xxxxx       
| [...]
| The LDAP server is succesful connected
| [...]
| smbldap_search_suffix: searching
| for:[(&(&(uid=test)(objectclass=sambaSamAccount))(objectclass=sambaSamAccount))]
| ldapsam_getsampwnam: Unable to locate user [test] count=0
| Finding user test
| Trying _Get_Pwnam(), username as lowercase is test
| Trying _Get_Pwnam(), username as uppercase is TEST
| Checking combinations of 0 uppercase letters in test
| Get_Pwnam_internals didn't find user [test]!
| Failed initialise SAM_ACCOUNT for user test.
| Failed to modify password entry for user test

So there must be something going wrong in the communication between
Samba and the LDAP server. It can't be the LDAP permissions, because a)
changing the password of an existing account does work and b) the
response is the same even if I use

| access to * by * write

in the LDAP configuration.

Does anyone have a hint for me where and how I should start looking around?

Thanks and bye,

Stefan

