[Samba] Problem with OpenLDAP/Samba/NSS -> ERROR : User xxx in passdb, but getpwnam() fails!
Nathan Vidican
nvidican at wmptl.com
Wed Dec 6 19:01:13 GMT 2006
Vincent Farget wrote:
> Hi everybody,
>
>
> I have one SAMBA server (with PDC configuration) which is configured to
> use an OpenLDAP server (on the same local server) where user and
> computer accounts are stored (I want to have both the Unix/Linux and
> Samba account attributes stored, to use Name Service Switch and
> Pluggable Authentication Module).
>
>
>
> My problem is as follows:
> If I don't put the following line:
> -> user1:x:527:400:Utilisateur 1:/home/user1:/bin/bash
> in the '/etc/passwd' file for a user, or:
> -> pc046$:x:1110:582:Compte PC:/dev/null:/bin/false
> for a computer, I can't connect and I have the following error in the
> '/var/log/samba/log.pc046' log file:
> ..........
> [2006/11/28 11:51:48, 1] auth/auth_util.c:make_server_info_sam(840)
> User farget in passdb, but getpwnam() fails!
> [2006/11/28 11:51:48, 0] auth/auth_sam.c:check_sam_security(324)
> check_sam_security: make_server_info_sam() failed with
> 'NT_STATUS_NO_SUCH_USER'
> ..........
>
> however, on my local server, if I type 'getent passwd|grep
> user1', I have/can see the following:
> -> user1:x:527:400:Utilisateur 1:/home/user1:/bin/bash
> and an 'ldapsearch -x -LLL' shows me my whole directory without any
> problems!!!!
>
>
> I saw several other mails from people who have the same 'getpwnam()
> fails!' error, but I didn't succeed in finding the solution!!!
>
>
> So I want to know several things:
> --------------------------------------
>
> 1.) What does SAMBA look for precisely when it executes the 'getpwnam()'
> function? One or several special OpenLDAP attributes?
>
> 2.) In the file '/etc/ldap/slapd.conf', what is 'index' used for?
> Currently I have the following indexes:
> ..........
> # Indexing options for database #1
> index objectClass,uidNumber,gidNumber eq
> index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
> ..........
> Are these indexes OK?
>
> I see that if I add the following line:
> -> index uid eq
> the 'ldapsearch -x -LLL' output is EMPTY!!!!
>
>
>
>
> Here is my Debian Sarge server configuration:
> -> 'slapd' (OpenLDAP) v2.2.23-8,
> -> 'samba' v3.0.14a-3sarge2,
> -> 'samba-doc' v3.0.14a-3sarge2 with 'smbldap-tools' v0.8.7,
> -> 'libnss-ldap' v238-1,
>
>
>
> ===== OPENLDAP CONF FILE : /etc/ldap/slapd.conf =====
> allow bind_v2
> include /etc/ldap/schema/core.schema
> include /etc/ldap/schema/cosine.schema
> include /etc/ldap/schema/nis.schema
> include /etc/ldap/schema/inetorgperson.schema
> include /etc/ldap/schema/samba.schema
> include /etc/ldap/schema/MozillaOrgPerson.schema
> schemacheck on
> pidfile /var/run/slapd/slapd.pid
> argsfile /var/run/slapd.args
> loglevel 264
> modulepath /usr/lib/ldap
> moduleload back_bdb
> backend bdb
> checkpoint 512 30
> database bdb
> suffix "dc=serveur,dc=domaine,dc=fr"
> rootdn "cn=chef,dc=serveur,dc=domaine,dc=fr"
> rootpw {SSHA}xYauMQ5tPSq77v+pF79TJjR73NYBhQwP
> directory "/var/lib/ldap"
> index objectClass,uidNumber,gidNumber eq
> index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
> lastmod on
> access to attrs=userPassword
> by dn="cn=chef,dc=serveur,dc=domaine,dc=fr" write
> by anonymous auth
> by self write
> by * none
> access to attrs=sambaLMPassword
> by dn="cn=chef,dc=serveur,dc=domaine,dc=fr" write
> by anonymous auth
> by self write
> by * none
> access to attrs=sambaNTPassword
> by dn="cn=chef,dc=serveur,dc=domaine,dc=fr" write
> by anonymous auth
> by self write
> by * none
> access to attrs=jpegPhoto,mobile,mobileTelephoneNumber,telephoneNumber,street,streetAddress,facsimileTelephoneNumber,fax,postalCode
> by dn="cn=chef,dc=serveur,dc=domaine,dc=fr" write
> by anonymous read
> by self write
> by * read
> access to dn.base="" by * read
> access to *
> by dn="cn=chef,dc=serveur,dc=domaine,dc=fr" write
> by * read
> ===== END of OPENLDAP CONF FILE : /etc/ldap/slapd.conf =====
>
> ===== SAMBA CONF FILE : /etc/samba/smb.conf =====
> [global]
> workgroup = DOM
> netbios name = PDC
> server string = Serveur Intranet (domaine Domaine)
> dns proxy = No
> log file = /var/log/samba/log.%m
> max log size = 1000
> syslog = 0
> panic action = /usr/share/samba/panic-action %d
> security = user
> time server = Yes
> encrypt passwords = Yes
> passdb backend = ldapsam:ldap://localhost/
> obey pam restrictions = No
> ldap passwd sync = Yes
> ldap admin dn = "cn=chef,dc=serveur,dc=domaine,dc=fr"
> ldap ssl = Off
> ldap suffix = dc=serveur,dc=domaine,dc=fr
> ldap user suffix = ou=Users
> ldap group suffix = ou=Groups
> ldap machine suffix = ou=Computers
> ldap delete dn = Yes
> ldapsam:trusted = Yes
> add user script = /usr/local/sbin/smbldap-useradd -m "%u"
> add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
> add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
> add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
> delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
> set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
> load printers = Yes
> printing = cups
> printcap name = cups
> printer admin = root
> show add printer wizard = Yes
> dos charset = 850
> unix charset = ISO8859-15
> preserve case = Yes
> short preserve case = Yes
> case sensitive = No
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> domain master = Yes
> local master = Yes
> domain logons = Yes
> logon drive = u:
> logon script = %U.bat
> logon path = \\%N\%U\profile
> logon home = \\%N\%U
> hosts allow = 192.168.0.0/255.255.255.0
> [netlogon]
> comment = Partage service NetLogon (batch de connexion)
> path = /netlogon
> available = Yes
> writeable = No
> browseable = No
> [homes]
> comment = Partage perso (disque U)
> available = Yes
> writeable = Yes
> create mask = 0700
> directory mask = 0700
> browseable = Yes
> [print$]
> comment = Partage driver Imprimantes reseaux
> path = /etc/samba/new-drivers-imp
> admin users = root
> valid users = @lp
> available = Yes
> read only = Yes
> write list = root
> force user = root
> force group = lp
> create mask = 0750
> directory mask = 0750
> browseable = Yes
> ..... etc .....
> ===== END of SAMBA CONF FILE : /etc/samba/smb.conf =====
>
> ===== NSS CONF FILE : /etc/libnss-ldap.conf =====
> host 127.0.0.1
> base dc=serveur,dc=domaine,dc=fr
> ldap_version 3
> port 389
> scope one
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> pam_member_attribute gid
> pam_password crypt
> nss_base_passwd dc=serveur,dc=domaine,dc=fr?sub
> nss_base_shadow ou=Users,dc=serveur,dc=domaine,dc=fr?sub
> nss_base_group ou=Groups,dc=serveur,dc=domaine,dc=fr?one
> nss_base_hosts ou=Computers,dc=serveur,dc=domaine,dc=fr?one
> ===== END of NSS CONF FILE : /etc/libnss-ldap.conf =====
>
> ===== NSS-SWITCH CONF FILE : /etc/nsswitch.conf =====
> passwd: files ldap
> group: files ldap
> shadow: files ldap
> hosts: files dns
> networks: files
> protocols: db files
> services: db files
> ethers: db files
> rpc: db files
> netgroup: nis
> ===== END of NSS-SWITCH CONF FILE : /etc/nsswitch.conf =====
>
>
> 'PAM' CONFIGURATION :
>
> ===== /etc/pam.d/common-account =====
> account required pam_unix.so
> account sufficient pam_ldap.so
> ===== END of : /etc/pam.d/common-account =====
>
> ===== /etc/pam.d/common-auth =====
> auth required pam_unix.so nullok_secure
> auth sufficient pam_ldap.so use_first_pass
> ===== END of : /etc/pam.d/common-auth =====
>
> ===== /etc/pam.d/common-password =====
> password required pam_unix.so nullok obscure min=4 max=8 md5
> password sufficient pam_ldap.so use_authtok
> ===== END of : /etc/pam.d/common-password =====
>
> ===== /etc/pam.d/common-session =====
> session required pam_unix.so
> session optional pam_ldap.so
> ===== END of : /etc/pam.d/common-session =====
>
>
>
> Thanks in advance for your help,
> Best regards.
Problem appears to be in your PAM config... you have pam_unix.so
required before pam_ldap; and even then, you have pam_ldap as optional.
You should have something to this effect:
auth sufficient pam_ldap.so use_first_pass
auth required pam_unix.so
account sufficient pam_ldap.so
account required pam_unix.so
What you basically need to tell the system is that IF auth succeeds
from ldap - then it's sufficient, else auth must succeed from unix. What
you were telling the system was that auth from unix MUST succeed, THEN
auth from ldap is ok. It's really a simple fix, but you might want to
read up a bit on your particular O/S's pam configuration.
Also, not to be picky... but you did supply copies of your config files
(which is good), but it's generally a good idea to have obscured your
passwords and specific information.
--
Nathan Vidican
nvidican at wmptl.com
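To make the point about control-flag order concrete, here is an added Python model (not code from this thread, from Samba or from Linux-PAM itself) that walks the two 'auth' stacks quoted above using the required/requisite/sufficient/optional rules Nathan describes; the per-module outcomes are constructed for a user who exists only in LDAP, so pam_unix fails and pam_ldap succeeds.

```python
from typing import Dict, List, Optional, Tuple

def parse_pam_lines(text: str) -> List[Tuple[str, str, str]]:
    """Parse pam.d-style lines into (type, flag, module); module args are dropped."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not parts[0].startswith("#"):
            rules.append((parts[0], parts[1], parts[2]))
    return rules

def evaluate_stack(rules: List[Tuple[str, str, str]], pam_type: str,
                   outcome: Dict[str, bool]) -> bool:
    """Walk one type's stack with the simple Linux-PAM control-flag semantics."""
    verdict: Optional[bool] = None   # None: undecided, False: a required module failed
    for rtype, flag, module in rules:
        if rtype != pam_type:
            continue
        ok = outcome[module]
        if flag in ("required", "requisite"):
            if not ok:
                verdict = False          # remembered; the rest of the stack still runs
                if flag == "requisite":
                    return False         # requisite aborts the stack immediately
            elif verdict is None:
                verdict = True
        elif flag == "sufficient":
            if ok and verdict is not False:
                return True              # success ends the stack here
        elif flag == "optional":
            if ok and verdict is None:
                verdict = True           # only decisive when nothing else has decided
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    return verdict is True               # an undecided stack (everything ignored) fails

# The two "auth" stacks from the thread: Vincent's original and Nathan's suggested order.
ORIGINAL_AUTH = """auth required pam_unix.so nullok_secure
auth sufficient pam_ldap.so use_first_pass"""
SUGGESTED_AUTH = """auth sufficient pam_ldap.so use_first_pass
auth required pam_unix.so"""

# Constructed module outcomes for a user present in LDAP but not in /etc/passwd.
LDAP_ONLY_USER = {"pam_unix.so": False, "pam_ldap.so": True}

def compare_stacks(outcome: Dict[str, bool]) -> Dict[str, bool]:
    return {
        "original": evaluate_stack(parse_pam_lines(ORIGINAL_AUTH), "auth", outcome),
        "suggested": evaluate_stack(parse_pam_lines(SUGGESTED_AUTH), "auth", outcome),
    }
```

With the original order the failed 'required' pam_unix is remembered and the later 'sufficient' pam_ldap success cannot override it; with pam_ldap first, its success ends the stack before pam_unix is consulted.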