[Samba] Re: A little help with nss_ldap - User xxx in passdb, but getpwnam() fails!

Robert Silvia coolhand1977 at comcast.net
Fri Nov 26 14:37:41 GMT 2004


I just tested your settings and they seem to be working.

The auth takes much longer now, maybe because it is working.

When checking shares the getpwnam does not even get called any more.

I noticed many SMB_VFS, NT_STATUS_NO_SUCH_OBJECT in the log; I guess 
that lets me know VFS was compiled in my binary.

How is the ldap.conf in the /etc/ directory different from the one found 
in /etc/openldap/?

When I check the man page only /etc/openldap/ldap.conf comes up; I'm 
curious about the other options I am seeing in the other ldap.conf 
located in the /etc/ directory.

Most of them I can make an educated guess as to their function, but it 
would be nice to have a verified definition of some of these parameters.


Anyway, thanks for your help; it is greatly appreciated.


> Robert Silvia wrote:
>> Here's my configuration:
>> My system auth looks like:
>> auth        required      /lib/security/pam_env.so
>> auth        sufficient    /lib/security/pam_unix.so likeauth nullok
>> auth        sufficient    /lib/security/pam_ldap.so use_first_pass
>> auth        required      /lib/security/pam_deny.so
>> account     required      /lib/security/pam_unix.so
>> account     sufficient    /lib/security/pam_ldap.so
>> password    required      /lib/security/pam_cracklib.so retry=3 type=
>> password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
>> password    sufficient    /lib/security/pam_ldap.so use_authtok
>> password    required      /lib/security/pam_deny.so
>> session     required      /lib/security/pam_limits.so
>> session     required      /lib/security/pam_unix.so
>> session     optional      /lib/security/pam_ldap.so
>> My /etc/ldap.conf is setup as (world readable):
>> base dc=pds-support,dc=net
>> rootbinddn cn=nssldap,ou=DSA,dc=pds-support,dc=net
>> nss_base_passwd         dc=pds-support,dc=net?sub
>> nss_base_shadow         dc=pds-support,dc=net?sub
>> nss_base_group          ou=Groups,dc=pds-support,dc=net?one
>> ssl no
>> pam_password md5
>> and my /etc/nsswitch.conf (world readable)
>> passwd:     files ldap
>> shadow:     files ldap
>> group:      files ldap
>> I have /etc/ldap.secret
>> set to world readable at the moment with the password (I plan on changing 
>> this once I have it working)
> Yeah, setting Samba to work with LDAP properly can be really painful.
> Could you try setting /etc/ldap.conf like below (without the ldap.secret file):
> SIZELIMIT       200
> TIMELIMIT       15
> DEREF           never
> host
> base dc=magista,dc=de
> binddn cn=Manager,dc=magista,dc=de
> bindpw secret-password-in-plain
> pam_password exop
> nss_base_passwd         dc=magista,dc=de?sub
> nss_base_shadow         dc=magista,dc=de?sub
> nss_base_group          ou=Groups,dc=magista,dc=de?one
> Tomek
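Added example, not part of this thread: a POSIX shell audit of the two files discussed above, given their paths as arguments, that flags a plaintext bindpw in the world-readable ldap.conf and a world-readable ldap.secret, while confirming ldap.conf itself stays readable so getpwnam() keeps working for unprivileged processes. The sample domain, DNs and password it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Audit an nss_ldap/pam_ldap setup for the credential-exposure trade-off in
# this thread: /etc/ldap.conf must be world-readable, because nss_ldap reads
# it on behalf of every process that calls getpwnam(), so a plaintext
# "bindpw" in it is readable by every local user.  The supported way to keep
# a privileged bind password private is "rootbinddn" plus /etc/ldap.secret,
# a separate file that only root can read (mode 0600).
#
# check_ldap_conf LDAP_CONF LDAP_SECRET
#   prints one finding per line; prints nothing when the layout is sound.

other_readable() {
    # "r" in column 8 of "ls -ld" output means read permission for "other"
    [ -e "$1" ] && [ "$(ls -ld "$1" | cut -c8)" = r ]
}

has_key() {
    # nss_ldap keys sit at line start and are case-insensitive
    grep -Eiq "^[[:space:]]*$2[[:space:]]" "$1"
}

check_ldap_conf() {
    conf=$1; secret=$2
    if ! other_readable "$conf"; then
        echo "$conf is not world-readable: getpwnam() fails in unprivileged processes"
    elif has_key "$conf" bindpw; then
        echo "plaintext bindpw in world-readable $conf: readable by every local user"
    fi
    if has_key "$conf" rootbinddn; then
        if [ ! -e "$secret" ]; then
            echo "rootbinddn is set but $secret does not exist"
        elif other_readable "$secret"; then
            echo "$secret is world-readable: root bind password exposed; use mode 0600"
        fi
    fi
}

# Constructed sample (hypothetical domain, not a real deployment): the layout
# the thread ends up with, a bind password in world-readable ldap.conf plus
# a world-readable ldap.secret.
write_sample_config() {
    dir=$1
    printf 'base dc=example,dc=test\nbinddn cn=Manager,dc=example,dc=test\nbindpw example-secret\nrootbinddn cn=nssldap,ou=DSA,dc=example,dc=test\nnss_base_passwd dc=example,dc=test?sub\n' > "$dir/ldap.conf"
    printf 'example-secret\n' > "$dir/ldap.secret"
    chmod 644 "$dir/ldap.conf" "$dir/ldap.secret"
}

sample=$(mktemp -d)
write_sample_config "$sample"
check_ldap_conf "$sample/ldap.conf" "$sample/ldap.secret"
rm -rf "$sample"
```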
