[Samba] Problems setting up Samba+LDAP PDC in Debian Sarge

Chema chema at interneta.org
Wed Oct 26 02:26:12 GMT 2005

Dear list,

I have been struggling to get working a PDC using Samba with LDAP
backend, in a fresh Debian Sarge install.

1. SeMachineAccountPrivilege

I'm reading IDEALX's Linux Samba-OpenLDAP Howto as guidance.  In my
last attempt, everything appeared to be fine until the very end, the
Integration test, when I added an admin user, got it on the "Domain
Admin" and then tried to grant such group the

dellj81:/# net -U root%MyUnixRootPass rpc rights grant 'CORENA\Domain
Admins' SeMachineAccountPrivilege
Failed to grant privileges for CORENA\Domain Admins

Seems I have some kind of account problem here, since I can't make this
to work using root nor Manager.

The Howto states:

<<To allow workstations to be joined to the domain, a root user must
exist and used (uid=0).

Such a user is created when initializing the directory whith the
smbldap-populate script.

 >From Samba 3.0.12, it is now possible for admin users to join computers
to the domain without using the "root" account."
In fact, the 'root' account is needed in the first place so that the
SeXXX privileges can be set.>>

The smbldap-tools didn't setup any root/uid=0 account in LDAP:

dellj81:/# slapcat | grep -i ^uid:
uid: Administrator
uid: nobody
uid: admin
uid: chema
dellj81:/# slapcat | grep -i uidnum
uidNumber: 1004
uidNumber: 998
uidNumber: 999
uidNumber: 1002
uidNumber: 1003

So maybee that's what I'm missing, or should a standard (/etc/passwd)
root suffice?

2. net getlocalsid

Anyway, after fiddling around looking for clues, I found that I no
longer can get my local sid:

[2005/10/25 11:20:25, 0] utils/net.c:net_getlocalsid(494)
  Can't fetch domain SID for name: SERVIDOR1-PDC

So maybee the problem is more deep.  Or there are several problems. =(

net getlocalsid worked when I did setup the smbldap-tools, which is the
last thing I configured, so I don't have an idea of what went wrong

I see on log.nmbd:

[2005/10/25 10:42:15, 0] nmbd/nmbd_logonnames.c:add_logon_names(163)
  Attempting to become logon server for workgroup CORENA on subnet
[2005/10/25 10:42:15, 0]
  Attempting to become domain master browser on workgroup CORENA,
[2005/10/25 10:42:15, 0]
  become_domain_master_browser_wins: querying WINS server from IP <> for domain master browser name CORENA<1b> 
on workgroup
[2005/10/25 10:42:15, 0]
  become_logon_server_success: Samba is now a logon server for
workgroup CORENA on subnet UNICAST_SUBNET
[2005/10/25 10:42:15, 0]
Is this "domain master browser name CORENA<1b>" normal?

3. passwd

I have also found some auth oddities and problems.

When I execute su, I get the Password: promt two times. The first
prompt appears to be ignored, I must only write the password on the

chema at dellj81:~$ su

When I try to change root's password, I get this:

dellj81:/home/chema# passwd
passwd: User not known to the underlying authentication module

But I should be able to "passwd" an /etc/passwd user, shouldn't I?

dellj81:/home/chema# id root
uid=0(root) gid=0(root) groups=0(root)

With my normal user, if I try to change the password:

chema at dellj81:~$ ldappasswd
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Internal (implementation specific) error
        additional info: SASL(-13): user not found: no secret in

This produces the following sldap output:

Oct 25 11:45:03 dellj81 slapd[2925]: SASL [conn=55] Error: unable to
open Berkeley db /etc/sasldb2: No such file or directory
Oct 25 11:45:03 dellj81 last message repeated 2 times
Oct 25 11:45:03 dellj81 slapd[2925]: SASL [conn=55] Failure: no secret
in database
Oct 25 11:45:03 dellj81 slapd[2925]: conn=55 op=2 RESULT tag=97 err=80
text=SASL(-13): user not found: no secret in database

I have yet to enable TLS, so slapd shoulnd't be using SASL, right?

So seems to me I must have several things to fix.  I'll appreciate any
suggestions, log and debug options pointers, and one click solutions.

More information about the samba mailing list