[Samba] Problem with OpenLDAP/Samba/NSS -> ERROR : User xxx in passdb, but getpwnam() fails!

Vincent Farget farget at olfac.univ-lyon1.fr
Wed Dec 6 15:54:12 GMT 2006

Hi everybody,

I have one SAMBA server (with PDC configuration) which is configured to 
use an OpenLDAP server (on the same local server) where user and 
computer accounts are stored (I want to have both the Unix/Linux and Samba 
account attributes stored, to use the Name Service Switch and Pluggable 
Authentication Module).

My problem is as follows:
If I don't put the following line:
-> user1:x:527:400:Utilisateur 1:/home/user1:/bin/bash
in the '/etc/passwd' file, for a user, or:
-> pc046$:x:1110:582:Compte PC:/dev/null:/bin/false
for a computer, I can't connect and I have the following error in the 
'/var/log/samba/log.pc046' log file:
[2006/11/28 11:51:48, 1] auth/auth_util.c:make_server_info_sam(840)
     User farget in passdb, but getpwnam() fails!
[2006/11/28 11:51:48, 0] auth/auth_sam.c:check_sam_security(324)
     check_sam_security: make_server_info_sam() failed with

However, on my local server, if I type 'getent passwd|grep
user1', I can see the following:
-> user1:x:527:400:Utilisateur 1:/home/user1:/bin/bash
and an 'ldapsearch -x -LLL' shows me my whole directory without any 
problems!

I saw several other mails from people who have the same 'getpwnam() 
fails!' error, but I didn't succeed in finding the solution!

   So I want to know several things:

1.) What does SAMBA seek precisely when it executes the 'getpwnam()' 
function? One or several special OpenLDAP attributes?

2.) In the file '/etc/ldap/slapd.conf', what is 'index' used for?
Actually I have the following indexes:
# Indexing options for database #1
index           objectClass,uidNumber,gidNumber                eq
index           sambaSID,sambaPrimaryGroupSID,sambaDomainName  eq
Are these indexes OK?

I see that if I add the following line:
-> index           uid           eq
the 'ldapsearch -x -LLL' output is EMPTY!

Here is my Debian Sarge server configuration:
-> 'slapd' (OpenLDAP) v2.2.23-8,
-> 'samba' v3.0.14a-3sarge2,
-> 'samba-doc' v3.0.14a-3sarge2 with 'smbldap-tools' v0.8.7,
-> 'libnss-ldap' v238-1,

===== OPENLDAP CONF FILE : /etc/ldap/slapd.conf =====
allow bind_v2
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/samba.schema
include         /etc/ldap/schema/MozillaOrgPerson.schema
schemacheck     on
pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd.args
loglevel        264
modulepath      /usr/lib/ldap
moduleload      back_bdb
backend         bdb
checkpoint 512 30
database        bdb
suffix          "dc=serveur,dc=domaine,dc=fr"
rootdn          "cn=chef,dc=serveur,dc=domaine,dc=fr"
rootpw          {SSHA}xYauMQ5tPSq77v+pF79TJjR73NYBhQwP
directory       "/var/lib/ldap"
index           objectClass,uidNumber,gidNumber                eq
index           sambaSID,sambaPrimaryGroupSID,sambaDomainName  eq
lastmod         on
access to attrs=userPassword
          by dn="cn=chef,dc=serveur,dc=domaine,dc=fr" write
          by anonymous auth
          by self write
          by * none
access to attrs=sambaLMPassword
          by dn="cn=chef,dc=serveur,dc=domaine,dc=fr" write
          by anonymous auth
          by self write
          by * none
access to attrs=sambaNTPassword
          by dn="cn=chef,dc=serveur,dc=domaine,dc=fr" write
          by anonymous auth
          by self write
          by * none
access to
          by dn="cn=chef,dc=serveur,dc=domaine,dc=fr" write
          by anonymous read
          by self write
          by * read
access to dn.base="" by * read
access to *
          by dn="cn=chef,dc=serveur,dc=domaine,dc=fr" write
          by * read
===== END of OPENLDAP CONF FILE : /etc/ldap/slapd.conf =====

===== SAMBA CONF FILE : /etc/samba/smb.conf =====
         workgroup = DOM
         netbios name = PDC
         server string = Serveur Intranet (domaine Domaine)
         dns proxy = No
         log file = /var/log/samba/log.%m
         max log size = 1000
         syslog = 0
         panic action = /usr/share/samba/panic-action %d
         security = user
         time server = Yes
         encrypt passwords = Yes
         passdb backend = ldapsam:ldap://localhost/
         obey pam restrictions = No
         ldap passwd sync = Yes
         ldap admin dn = "cn=chef,dc=serveur,dc=domaine,dc=fr"
         ldap ssl = Off
         ldap suffix = dc=serveur,dc=domaine,dc=fr
         ldap user suffix = ou=Users
         ldap group suffix = ou=Groups
         ldap machine suffix = ou=Computers
         ldap delete dn = Yes
         ldapsam:trusted = Yes
         add user script = /usr/local/sbin/smbldap-useradd -m "%u"
         add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
         add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
         add user to group script = /usr/local/sbin/smbldap-groupmod -m 
"%u" "%g"
         delete user from group script = 
/usr/local/sbin/smbldap-groupmod -x "%u" "%g"
         set primary group script = /usr/local/sbin/smbldap-usermod -g 
"%g" "%u"
         load printers = Yes
         printing = cups
         printcap name = cups
         printer admin = root
         show add printer wizard = Yes
         dos charset = 850
         unix charset = ISO8859-15
         preserve case = Yes
         short preserve case = Yes
         case sensitive = No
         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
         domain master = Yes
         local master = Yes
         domain logons = Yes
         logon drive = u:
         logon script = %U.bat
         logon path = \\%N\%U\profile
         logon home = \\%N\%U
         hosts allow =
         comment = Partage service NetLogon (batch de connexion)
         path = /netlogon
         available = Yes
         writeable = No
         browseable = No
         comment = Partage perso (disque U)
         available = Yes
         writeable = Yes
         create mask = 0700
         directory mask = 0700
         browseable = Yes
         comment = Partage driver Imprimantes reseaux
         path = /etc/samba/new-drivers-imp
         admin users = root
         valid users = @lp
         available = Yes
         read only = Yes
         write list = root
         force user = root
         force group = lp
         create mask = 0750
         directory mask = 0750
         browseable = Yes
..... etc .....
===== END of SAMBA CONF FILE : /etc/samba/smb.conf =====

===== NSS CONF FILE : /etc/libnss-ldap.conf =====
base dc=serveur,dc=domaine,dc=fr
ldap_version 3
port 389
scope one
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute gid
pam_password crypt
nss_base_passwd dc=serveur,dc=domaine,dc=fr?sub
nss_base_shadow ou=Users,dc=serveur,dc=domaine,dc=fr?sub
nss_base_group ou=Groups,dc=serveur,dc=domaine,dc=fr?one
nss_base_hosts ou=Computers,dc=serveur,dc=domaine,dc=fr?one
===== END of NSS CONF FILE : /etc/libnss-ldap.conf =====

===== NSS-SWITCH CONF FILE : /etc/nsswitch.conf =====
passwd:         files ldap
group:          files ldap
shadow:         files ldap
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis
===== END of NSS-SWITCH CONF FILE : /etc/nsswitch.conf =====


=====  /etc/pam.d/common-account =====
account required        pam_unix.so
account sufficient      pam_ldap.so
===== END of : /etc/pam.d/common-account =====

=====  /etc/pam.d/common-auth =====
auth    required        pam_unix.so nullok_secure
auth    sufficient      pam_ldap.so use_first_pass
===== END of : /etc/pam.d/common-auth =====

=====  /etc/pam.d/common-password =====
password   required   pam_unix.so nullok obscure min=4 max=8 md5
password   sufficient pam_ldap.so use_authtok
===== END of : /etc/pam.d/common-password =====

=====  /etc/pam.d/common-session =====
session required        pam_unix.so
session optional        pam_ldap.so
===== END of : /etc/pam.d/common-session =====

Thanks in advance for your help,
Best regards.
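An added example, not part of the original post: Samba's ldapsam locates the account by its sambaSamAccount half, but the getpwnam() that follows goes through nss_ldap, which only builds a passwd entry from the posixAccount half (uid, uidNumber, gidNumber, homeDirectory, loginShell). The checker below reads an LDIF dump (the sample entries and SIDs are constructed for the example) and reports every sambaSamAccount, machine accounts with a trailing $ included, that passdb would find but NSS could not resolve.

```python
# RFC 2307 posixAccount attributes nss_ldap needs to build a passwd entry.
# Samba's ldapsam finds the user by sambaSamAccount; getpwnam() then needs these.
NSS_REQUIRED = ("uid", "uidNumber", "gidNumber", "homeDirectory", "loginShell")

# Constructed LDIF sample (not from the post): user1 has both halves of the
# entry, pc046$ has only the Samba half, so it is "in passdb" but not in NSS.
SAMPLE_LDIF = """\
dn: uid=user1,ou=Users,dc=serveur,dc=domaine,dc=fr
objectClass: posixAccount
objectClass: sambaSamAccount
uid: user1
uidNumber: 527
gidNumber: 400
homeDirectory: /home/user1
loginShell: /bin/bash
sambaSID: S-1-5-21-0-0-0-2054

dn: uid=pc046$,ou=Computers,dc=serveur,dc=domaine,dc=fr
objectClass: sambaSamAccount
uid: pc046$
sambaSID: S-1-5-21-0-0-0-3220
"""


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF parser: entries separated by blank lines, folded lines joined."""
    entries = []
    for block in text.strip().split("\n\n"):
        attrs: dict[str, list[str]] = {}
        for line in block.replace("\n ", "").splitlines():
            if ": " in line and not line.startswith("#"):
                name, value = line.split(": ", 1)
                attrs.setdefault(name, []).append(value)
        entries.append(attrs)
    return entries


def nss_problems(entry: dict[str, list[str]]) -> list[str]:
    """Reasons getpwnam() via nss_ldap would fail for one entry (empty = fine)."""
    problems = []
    if "posixAccount" not in entry.get("objectClass", []):
        problems.append("missing objectClass posixAccount")
    problems += [f"missing {a}" for a in NSS_REQUIRED if a not in entry]
    return problems


def check_ldif(text: str) -> dict[str, list[str]]:
    """Map every sambaSamAccount uid (users and pc$ accounts) to its NSS problems."""
    return {e["uid"][0]: nss_problems(e) for e in parse_ldif(text)
            if "sambaSamAccount" in e.get("objectClass", [])}
```

Run it against the output of `ldapsearch -x -LLL` (the command already used in the post) to see which accounts would trigger the "in passdb, but getpwnam() fails" message.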
