[Samba] Problem with OpenLDAP/Samba/NSS -> ERROR : User xxx in passdb, but getpwnam() fails!
Vincent Farget
farget at olfac.univ-lyon1.fr
Wed Dec 6 15:54:12 GMT 2006
Hi everybody,
I have one SAMBA server (with a PDC configuration) which is configured to
use an OpenLDAP server (on the same local server) where user and
computer accounts are stored (I want both the Unix/Linux and the Samba
account attributes stored there, in order to use the Name Service Switch and
Pluggable Authentication Modules).
My problem is as follows:
If I don't put the following line:
-> user1:x:527:400:Utilisateur 1:/home/user1:/bin/bash
in the '/etc/passwd' file for a user, or:
-> pc046$:x:1110:582:Compte PC:/dev/null:/bin/false
for a computer, I can't connect and I get the following error in the
'/var/log/samba/log.pc046' log file:
..........
[2006/11/28 11:51:48, 1] auth/auth_util.c:make_server_info_sam(840)
User farget in passdb, but getpwnam() fails!
[2006/11/28 11:51:48, 0] auth/auth_sam.c:check_sam_security(324)
check_sam_security: make_server_info_sam() failed with
'NT_STATUS_NO_SUCH_USER'
..........
However, on my local server, if I type 'getent passwd | grep user1',
I see the following:
-> user1:x:527:400:Utilisateur 1:/home/user1:/bin/bash
and an 'ldapsearch -x -LLL' shows me my whole directory without any
problem!
I saw several other mails from people who have the same 'getpwnam()
fails!' error, but I did not succeed in finding the solution!
So I want to know several things:
--------------------------------------
1.) What exactly does SAMBA look for when it executes the 'getpwnam()'
function? One or several special OpenLDAP attributes?
2.) In the file '/etc/ldap/slapd.conf', what is 'index' used for?
Currently I have the following indexes:
..........
# Indexing options for database #1
index objectClass,uidNumber,gidNumber eq
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
..........
Are these indexes OK?
I see that if I add the following line:
-> index uid eq
the 'ldapsearch -x -LLL' output is EMPTY!
Here is my Debian Sarge server configuration:
-> 'slapd' (OpenLDAP) v2.2.23-8,
-> 'samba' v3.0.14a-3sarge2,
-> 'samba-doc' v3.0.14a-3sarge2 with 'smbldap-tools' v0.8.7,
-> 'libnss-ldap' v238-1,
===== OPENLDAP CONF FILE : /etc/ldap/slapd.conf =====
allow bind_v2
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/MozillaOrgPerson.schema
schemacheck on
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd.args
loglevel 264
modulepath /usr/lib/ldap
moduleload back_bdb
backend bdb
checkpoint 512 30
database bdb
suffix "dc=serveur,dc=domaine,dc=fr"
rootdn "cn=chef,dc=serveur,dc=domaine,dc=fr"
rootpw {SSHA}xYauMQ5tPSq77v+pF79TJjR73NYBhQwP
directory "/var/lib/ldap"
index objectClass,uidNumber,gidNumber eq
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
lastmod on
access to attrs=userPassword
by dn="cn=chef,dc=serveur,dc=domaine,dc=fr" write
by anonymous auth
by self write
by * none
access to attrs=sambaLMPassword
by dn="cn=chef,dc=serveur,dc=domaine,dc=fr" write
by anonymous auth
by self write
by * none
access to attrs=sambaNTPassword
by dn="cn=chef,dc=serveur,dc=domaine,dc=fr" write
by anonymous auth
by self write
by * none
access to attrs=jpegPhoto,mobile,mobileTelephoneNumber,telephoneNumber,street,streetAddress,facsimileTelephoneNumber,fax,postalCode
by dn="cn=chef,dc=serveur,dc=domaine,dc=fr" write
by anonymous read
by self write
by * read
access to dn.base="" by * read
access to *
by dn="cn=chef,dc=serveur,dc=domaine,dc=fr" write
by * read
===== END of OPENLDAP CONF FILE : /etc/ldap/slapd.conf =====
===== SAMBA CONF FILE : /etc/samba/smb.conf =====
[global]
workgroup = DOM
netbios name = PDC
server string = Serveur Intranet (domaine Domaine)
dns proxy = No
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = user
time server = Yes
encrypt passwords = Yes
passdb backend = ldapsam:ldap://localhost/
obey pam restrictions = No
ldap passwd sync = Yes
ldap admin dn = "cn=chef,dc=serveur,dc=domaine,dc=fr"
ldap ssl = Off
ldap suffix = dc=serveur,dc=domaine,dc=fr
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap delete dn = Yes
ldapsam:trusted = Yes
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
load printers = Yes
printing = cups
printcap name = cups
printer admin = root
show add printer wizard = Yes
dos charset = 850
unix charset = ISO8859-15
preserve case = Yes
short preserve case = Yes
case sensitive = No
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain master = Yes
local master = Yes
domain logons = Yes
logon drive = u:
logon script = %U.bat
logon path = \\%N\%U\profile
logon home = \\%N\%U
hosts allow = 192.168.0.0/255.255.255.0
[netlogon]
comment = Partage service NetLogon (batch de connexion)
path = /netlogon
available = Yes
writeable = No
browseable = No
[homes]
comment = Partage perso (disque U)
available = Yes
writeable = Yes
create mask = 0700
directory mask = 0700
browseable = Yes
[print$]
comment = Partage driver Imprimantes reseaux
path = /etc/samba/new-drivers-imp
admin users = root
valid users = @lp
available = Yes
read only = Yes
write list = root
force user = root
force group = lp
create mask = 0750
directory mask = 0750
browseable = Yes
..... etc .....
===== END of SAMBA CONF FILE : /etc/samba/smb.conf =====
===== NSS CONF FILE : /etc/libnss-ldap.conf =====
host 127.0.0.1
base dc=serveur,dc=domaine,dc=fr
ldap_version 3
port 389
scope one
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute gid
pam_password crypt
nss_base_passwd dc=serveur,dc=domaine,dc=fr?sub
nss_base_shadow ou=Users,dc=serveur,dc=domaine,dc=fr?sub
nss_base_group ou=Groups,dc=serveur,dc=domaine,dc=fr?one
nss_base_hosts ou=Computers,dc=serveur,dc=domaine,dc=fr?one
===== END of NSS CONF FILE : /etc/libnss-ldap.conf =====
===== NSS-SWITCH CONF FILE : /etc/nsswitch.conf =====
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
===== END of NSS-SWITCH CONF FILE : /etc/nsswitch.conf =====
'PAM' CONFIGURATION :
===== /etc/pam.d/common-account =====
account required pam_unix.so
account sufficient pam_ldap.so
===== END of : /etc/pam.d/common-account =====
===== /etc/pam.d/common-auth =====
auth required pam_unix.so nullok_secure
auth sufficient pam_ldap.so use_first_pass
===== END of : /etc/pam.d/common-auth =====
===== /etc/pam.d/common-password =====
password required pam_unix.so nullok obscure min=4 max=8 md5
password sufficient pam_ldap.so use_authtok
===== END of : /etc/pam.d/common-password =====
===== /etc/pam.d/common-session =====
session required pam_unix.so
session optional pam_ldap.so
===== END of : /etc/pam.d/common-session =====
Thanks in advance for your help,
Best regards.
--
M. FARGET Vincent
IGE - Systems Administrator / Laboratory IT Specialist
UMR 5020 - Laboratoire des Neurosciences et Systemes Sensoriels
Universite Claude Bernard LYON 1 - CNRS
50, avenue Tony Garnier
69366 LYON Cedex 07
## This message is signed with a CNRS certificate ##
http://igc.services.cnrs.fr/Doc/General/trust.html
http://www.urec.cnrs.fr/igc/Certifs_CNRS.html
#####
# For the signature to be valid, you must first
# retrieve the certificate of the CNRS-Plus
# certification authority by clicking on the
# link below:
http://igc.services.cnrs.fr/cgi-bin/viewca?cmd=load&CA=CNRS-Plus&ca=CNRS-Plus
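As an added diagnostic example (not from the original post), the script below classifies 'ldapsearch -x -LLL' output the way the two lookups in the error message see it: Samba's ldapsam backend matches entries with objectClass sambaSamAccount, whereas getpwnam() via nss_ldap needs objectClass posixAccount plus uid, uidNumber, gidNumber and homeDirectory. The sample LDIF, its DNs and its sambaSID values are constructed placeholders, not data from the post.

```python
import base64
import re

NSS_REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory")  # nss_ldap needs these; gecos/loginShell optional

# Constructed sample in 'ldapsearch -x -LLL' form; the sambaSID values are placeholders.
SAMPLE_LDIF = """\
dn: uid=user1,ou=Users,dc=serveur,dc=domaine,dc=fr
objectClass: posixAccount
objectClass: sambaSamAccount
uid: user1
uidNumber: 527
gidNumber: 400
gecos: Utilisateur 1
homeDirectory: /home/user1
loginShell: /bin/bash
sambaSID: S-1-5-21-PLACEHOLDER-2054

dn: uid=pc046$,ou=Computers,dc=serveur,dc=domaine,dc=fr
objectClass: sambaSamAccount
uid: pc046$
sambaSID: S-1-5-21-PLACEHOLDER-3220
"""

def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts (folded lines joined, base64 decoded)."""
    entries = []
    for line in re.sub(r"\n ", "", text).splitlines():  # LDIF folds long values as "\n "
        if line.startswith("dn:"):                       # every entry starts with its DN
            entries.append({})
        if not line.strip():
            continue
        attr, sep, value = re.match(r"^([^:]+)(::?) ?(.*)$", line).groups()
        value = base64.b64decode(value).decode("utf-8") if sep == "::" else value
        entries[-1].setdefault(attr, []).append(value)
    return entries

def diagnose(entry):
    """Classify one entry as Samba and NSS see it; returns (verdict, missing NSS attributes)."""
    classes = {c.lower() for c in entry.get("objectClass", [])}
    missing = [a for a in NSS_REQUIRED if a not in entry]
    in_passdb = "sambasamaccount" in classes            # what ldapsam searches for
    nss_ok = "posixaccount" in classes and not missing  # what getpwnam() via nss_ldap needs
    if in_passdb and not nss_ok:                        # the case behind the error in the post
        return "passdb-but-no-getpwnam", missing
    return ("ok" if in_passdb else "nss-only" if nss_ok else "neither"), missing

def passwd_line(entry):
    """Render the passwd(5) line 'getent passwd' prints for a complete posixAccount entry."""
    fields = ("uid", "uidNumber", "gidNumber", "gecos", "homeDirectory", "loginShell")
    return "%s:x:%s:%s:%s:%s:%s" % tuple(entry.get(a, [""])[0] for a in fields)
```

Run it on a real dump with parse_ldif(open("dump.ldif").read()) and compare passwd_line() with what 'getent passwd' prints; entries reported as 'passdb-but-no-getpwnam' are the ones Samba finds in the directory but NSS cannot resolve.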