[Samba] Problem with OpenLDAP/Samba/NSS -> ERROR : User xxx in passdb, but getpwnam() fails!

Vincent Farget farget at olfac.univ-lyon1.fr
Thu Dec 7 08:55:23 GMT 2006

Hi Nathan,

Thank you for your help, but for the moment I do not use PAM ('obey 
pam restrictions = No' in the SAMBA configuration).

I tried to test the changes you wrote, but it doesn't change anything.

In my OpenLDAP log file, I have the following information:

  Dec  6 18:46:33 PDC slapd[4793]: daemon: activity on 1 descriptors
  Dec  6 18:46:33 PDC slapd[4793]: daemon: activity on:
  Dec  6 18:46:33 PDC slapd[4793]:  24r
  Dec  6 18:46:33 PDC slapd[4793]:
  Dec  6 18:46:33 PDC slapd[4793]: daemon: read activity on 24
  Dec  6 18:46:33 PDC slapd[4793]: daemon: select: listen=6
  active_threads=0 tvp=NULL
  Dec  6 18:46:33 PDC slapd[4793]: conn=3934 op=4 SRCH
  base="dc=serveur,dc=domaine,dc=fr" scope=2 deref=0
  Dec  6 18:46:33 PDC slapd[4793]: conn=3934 op=4 SRCH attr=uid uidNumber
  gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
  sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
  displayName sambaHomeDrive sambaHomePath sambaLogonScript
  sambaProfilePath description sambaUserWorkstations sambaSID
  sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
  objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
  sambaBadPasswordTime sambaPasswordHistory modifyTimestamp
  sambaLogonHours modifyTimestamp
  Dec  6 18:46:33 PDC slapd[4793]: <= bdb_equality_candidates: (uid)
  index_param failed (18)
  Dec  6 18:46:33 PDC slapd[4793]: conn=3934 op=4 SEARCH RESULT tag=101
  err=0 nentries=1 text=

The 'bdb_equality_candidates: (uid) index_param failed (18)' line told 
me that there is probably a problem with the 'index' OpenLDAP configuration.

What do you think of that?

Best regards.

Nathan Vidican wrote:
> Problem appears to be in your PAM config... you have pam_unix.so
> required before pam_ldap; and even then, you have pam_ldap as optional.
> You should have something to this effect:
> auth   sufficient   pam_ldap.so use_first_pass
> auth   required      pam_unix.so
> account   sufficient   pam_ldap.so
> account   required   pam_unix.so
> What you basically need to tell the system, is that IF auth succeeds
> from ldap - then it's sufficient, else auth must succeed from unix. What
> you were telling the system was that auth from unix MUST succeed, THEN
> auth from ldap is ok. It's really a simple fix, but you might want to
> read up a bit on your particular O/S's pam configuration.
> Also, not to be picky... but you did supply copies of your config files,
> (which is good), but it's generally a good idea to have obscured your
> passwords, and specific information.
> -- 
> Nathan Vidican
> nvidican at wmptl.com

M. FARGET Vincent
IGE - Systems Administrator / Laboratory IT Specialist
UMR 5020 - Laboratoire des Neurosciences et Systemes Sensoriels
Universite Claude Bernard LYON 1 - CNRS
50, avenue Tony Garnier
69366 LYON Cedex 07
## This message is signed with a CNRS certificate ##
# For the signature to be valid, you must first
#  retrieve the certificate of the
#  CNRS-Plus certification authority by
#  clicking on the link below:
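
The stack ordering discussed in the quoted reply, as an added example that is not part of the original message or of either poster's configuration: a simplified model of the Linux-PAM `required`, `sufficient` and `optional` control flags, run against constructed module outcomes. The "original" stack is reconstructed from the reply's description (pam_unix.so required first, pam_ldap.so optional), and the function and variable names are hypothetical.

```python
# Simplified model of Linux-PAM control flags; no real PAM call is made.
# Stacks are (control_flag, module) pairs in file order.

def run_stack(stack, outcomes):
    """Return True if the stack succeeds.

    outcomes maps module name -> True (module succeeds) / False (fails).
    """
    required_failed = False
    any_success = False
    for control, module in stack:
        ok = outcomes[module]
        if control == "required":
            if ok:
                any_success = True
            else:
                required_failed = True   # remembered; later modules still run
        elif control == "sufficient":
            if ok and not required_failed:
                return True              # short-circuit: rest of stack is skipped
            # a failing "sufficient" module is ignored
        elif control == "optional":
            # only decides the result when it is the sole module in the stack
            if ok and len(stack) == 1:
                any_success = True
        else:
            raise ValueError(f"unsupported control flag: {control}")
    return any_success and not required_failed

# Reconstructed from the reply's description (assumption, not the real file).
ORIGINAL_AUTH = [("required", "pam_unix.so"), ("optional", "pam_ldap.so")]
# The auth lines suggested in the reply.
SUGGESTED_AUTH = [("sufficient", "pam_ldap.so"), ("required", "pam_unix.so")]

# Constructed outcomes for three kinds of account.
USERS = {
    "ldap_only":  {"pam_unix.so": False, "pam_ldap.so": True},
    "local_only": {"pam_unix.so": True,  "pam_ldap.so": False},
    "unknown":    {"pam_unix.so": False, "pam_ldap.so": False},
}

def compare():
    """Map each user kind to (result with original stack, result with suggested)."""
    return {name: (run_stack(ORIGINAL_AUTH, o), run_stack(SUGGESTED_AUTH, o))
            for name, o in USERS.items()}

if __name__ == "__main__":
    for name, (before, after) in compare().items():
        print(f"{name:10s} original={before} suggested={after}")
```

Because `sufficient` short-circuits, any module listed after a succeeding pam_ldap.so line is never consulted for that request.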
