[Samba] Problem with OpenLDAP/Samba/NSS -> ERROR : User xxx in passdb, but getpwnam() fails!

Nathan Vidican nathan at vidican.com
Wed Dec 6 18:58:49 GMT 2006


Vincent Farget wrote:
> Hi everybody,
>
>
> I have one SAMBA server (with PDC configuration) which is configured to 
> use an OpenLDAP server (on the same local server) where user and 
> computer accounts are stored (I want to have both the Unix/Linux and 
> Samba account attributes stored there to use Name Service Switch and 
> Pluggable Authentication Module).
>
>
>
> My problem is as follows :
> If I don't put the following line :
> -> user1:x:527:400:Utilisateur 1:/home/user1:/bin/bash
> in the '/etc/passwd' file, for a user, or :
> -> pc046$:x:1110:582:Compte PC:/dev/null:/bin/false
> for a computer, I can't connect and I have the following error in the 
> '/var/log/samba/log.pc046' log file :
> ..........
> [2006/11/28 11:51:48, 1] auth/auth_util.c:make_server_info_sam(840)
>     User farget in passdb, but getpwnam() fails!
> [2006/11/28 11:51:48, 0] auth/auth_sam.c:check_sam_security(324)
>     check_sam_security: make_server_info_sam() failed with
> 'NT_STATUS_NO_SUCH_USER'
> ..........
>
> However, on my local server, if I type 'getent passwd|grep
> user1', I can see the following :
> -> user1:x:527:400:Utilisateur 1:/home/user1:/bin/bash
> and an 'ldapsearch -x -LLL' shows me all my directory without any 
> problems !!!!
>
>
> I saw several other mails from people who have the same 'getpwnam() 
> fails!' error, but I didn't succeed in finding the solution !!!
>
>
>   So I want to know several things :
> --------------------------------------
>
> 1.) What precisely does SAMBA look for when it executes the 'getpwnam()' 
> function ? One or several special OpenLDAP attributes ?
>
> 2.) In the file '/etc/ldap/slapd.conf', what is 'index' used for ?
> Actually I have the following index :
> ..........
> # Indexing options for database #1
> index           objectClass,uidNumber,gidNumber                eq
> index           sambaSID,sambaPrimaryGroupSID,sambaDomainName  eq
> ..........
> Are these indexes OK ?
>
> I see that if I add the following line :
> -> index           uid           eq
> the 'ldapsearch -x -LLL' output is EMPTY !!!!
>
>
>
>
> Here is my Debian Sarge server configuration (files) :
> -> 'slapd' (OpenLDAP) v2.2.23-8,
> -> 'samba' v3.0.14a-3sarge2,
> -> 'samba-doc' v3.0.14a-3sarge2 with 'smbldap-tools' v0.8.7,
> -> 'libnss-ldap' v238-1,
>
>
>
> ===== OPENLDAP CONF FILE : /etc/ldap/slapd.conf =====
> allow bind_v2
> include         /etc/ldap/schema/core.schema
> include         /etc/ldap/schema/cosine.schema
> include         /etc/ldap/schema/nis.schema
> include         /etc/ldap/schema/inetorgperson.schema
> include         /etc/ldap/schema/samba.schema
> include         /etc/ldap/schema/MozillaOrgPerson.schema
> schemacheck     on
> pidfile         /var/run/slapd/slapd.pid
> argsfile        /var/run/slapd.args
> loglevel        264
> modulepath      /usr/lib/ldap
> moduleload      back_bdb
> backend         bdb
> checkpoint 512 30
> database        bdb
> suffix          "dc=serveur,dc=domaine,dc=fr"
> rootdn          "cn=chef,dc=serveur,dc=domaine,dc=fr"
> rootpw          {SSHA}xYauMQ5tPSq77v+pF79TJjR73NYBhQwP
> directory       "/var/lib/ldap"
> index           objectClass,uidNumber,gidNumber                eq
> index           sambaSID,sambaPrimaryGroupSID,sambaDomainName  eq
> lastmod         on
> access to attrs=userPassword
>          by dn="cn=chef,dc=serveur,dc=domaine,dc=fr" write
>          by anonymous auth
>          by self write
>          by * none
> access to attrs=sambaLMPassword
>          by dn="cn=chef,dc=serveur,dc=domaine,dc=fr" write
>          by anonymous auth
>          by self write
>          by * none
> access to attrs=sambaNTPassword
>          by dn="cn=chef,dc=serveur,dc=domaine,dc=fr" write
>          by anonymous auth
>          by self write
>          by * none
> access to
> attrs=jpegPhoto,mobile,mobileTelephoneNumber,telephoneNumber,street,streetAddress,facsimileTelephoneNumber,fax,postalCode 
>
>          by dn="cn=chef,dc=serveur,dc=domaine,dc=fr" write
>          by anonymous read
>          by self write
>          by * read
> access to dn.base="" by * read
> access to *
>          by dn="cn=chef,dc=serveur,dc=domaine,dc=fr" write
>          by * read
> ===== END of OPENLDAP CONF FILE : /etc/ldap/slapd.conf =====
>
> ===== SAMBA CONF FILE : /etc/samba/smb.conf =====
> [global]
>         workgroup = DOM
>         netbios name = PDC
>         server string = Serveur Intranet (domaine Domaine)
>         dns proxy = No
>         log file = /var/log/samba/log.%m
>         max log size = 1000
>         syslog = 0
>         panic action = /usr/share/samba/panic-action %d
>         security = user
>         time server = Yes
>         encrypt passwords = Yes
>         passdb backend = ldapsam:ldap://localhost/
>         obey pam restrictions = No
>         ldap passwd sync = Yes
>         ldap admin dn = "cn=chef,dc=serveur,dc=domaine,dc=fr"
>         ldap ssl = Off
>         ldap suffix = dc=serveur,dc=domaine,dc=fr
>         ldap user suffix = ou=Users
>         ldap group suffix = ou=Groups
>         ldap machine suffix = ou=Computers
>         ldap delete dn = Yes
>         ldapsam:trusted = Yes
>         add user script = /usr/local/sbin/smbldap-useradd -m "%u"
>         add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
>         add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
>         add user to group script = /usr/local/sbin/smbldap-groupmod -m 
> "%u" "%g"
>         delete user from group script = 
> /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
>         set primary group script = /usr/local/sbin/smbldap-usermod -g 
> "%g" "%u"
>         load printers = Yes
>         printing = cups
>         printcap name = cups
>         printer admin = root
>         show add printer wizard = Yes
>         dos charset = 850
>         unix charset = ISO8859-15
>         preserve case = Yes
>         short preserve case = Yes
>         case sensitive = No
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>         domain master = Yes
>         local master = Yes
>         domain logons = Yes
>         logon drive = u:
>         logon script = %U.bat
>         logon path = \\%N\%U\profile
>         logon home = \\%N\%U
>         hosts allow = 192.168.0.0/255.255.255.0
> [netlogon]
>         comment = Partage service NetLogon (batch de connexion)
>         path = /netlogon
>         available = Yes
>         writeable = No
>         browseable = No
> [homes]
>         comment = Partage perso (disque U)
>         available = Yes
>         writeable = Yes
>         create mask = 0700
>         directory mask = 0700
>         browseable = Yes
> [print$]
>         comment = Partage driver Imprimantes reseaux
>         path = /etc/samba/new-drivers-imp
>         admin users = root
>         valid users = @lp
>         available = Yes
>         read only = Yes
>         write list = root
>         force user = root
>         force group = lp
>         create mask = 0750
>         directory mask = 0750
>         browseable = Yes
> ..... etc .....
> ===== END of SAMBA CONF FILE : /etc/samba/smb.conf =====
>
> ===== NSS CONF FILE : /etc/libnss-ldap.conf =====
> host 127.0.0.1
> base dc=serveur,dc=domaine,dc=fr
> ldap_version 3
> port 389
> scope one
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
> pam_member_attribute gid
> pam_password crypt
> nss_base_passwd dc=serveur,dc=domaine,dc=fr?sub
> nss_base_shadow ou=Users,dc=serveur,dc=domaine,dc=fr?sub
> nss_base_group ou=Groups,dc=serveur,dc=domaine,dc=fr?one
> nss_base_hosts ou=Computers,dc=serveur,dc=domaine,dc=fr?one
> ===== END of NSS CONF FILE : /etc/libnss-ldap.conf =====
>
> ===== NSS-SWITCH CONF FILE : /etc/nsswitch.conf =====
> passwd:         files ldap
> group:          files ldap
> shadow:         files ldap
> hosts:          files dns
> networks:       files
> protocols:      db files
> services:       db files
> ethers:         db files
> rpc:            db files
> netgroup:       nis
> ===== END of NSS-SWITCH CONF FILE : /etc/nsswitch.conf =====
>
>
>  'PAM' CONFIGURATION :
>
> =====  /etc/pam.d/common-account =====
> account required        pam_unix.so
> account sufficient      pam_ldap.so
> ===== END of : /etc/pam.d/common-account =====
>
> =====  /etc/pam.d/common-auth =====
> auth    required        pam_unix.so nullok_secure
> auth    sufficient      pam_ldap.so use_first_pass
> ===== END of : /etc/pam.d/common-auth =====
>
> =====  /etc/pam.d/common-password =====
> password   required   pam_unix.so nullok obscure min=4 max=8 md5
> password   sufficient pam_ldap.so use_authtok
> ===== END of : /etc/pam.d/common-password =====
>
> =====  /etc/pam.d/common-session =====
> session required        pam_unix.so
> session optional        pam_ldap.so
> ===== END of : /etc/pam.d/common-session =====
>
>
>
> Thanks in advance for your help,
> Best regards.
Problem appears to be in your PAM config... you have pam_unix.so 
required before pam_ldap; and even then, you have pam_ldap as optional. 
You should have something to this effect:

auth   sufficient   pam_ldap.so use_first_pass
auth   required      pam_unix.so

account   sufficient   pam_ldap.so
account   required   pam_unix.so

What you basically need to tell the system, is that IF auth succeeds 
from ldap - then it's sufficient, else auth must succeed from unix. What 
you were telling the system was that auth from unix MUST succeed, THEN 
auth from ldap is ok. It's really a simple fix, but you might want to 
read up a bit on your particular O/S's pam configuration.

Also, not to be picky... but you did supply copies of your config files 
(which is good), but it's generally a good idea to obscure your 
passwords and specific information. You also never specified which O/S 
you are running, which does matter in some cases, especially to do 
with PAM. Anyhow, hope this helps out.

--
Nathan Vidican
nvidican at wmptl.com
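As an added illustration of the control-flag ordering point in the reply (this is not code from the thread, from Samba or from Linux-PAM), the following Python simulates how Linux-PAM walks a stack of modules flagged required / requisite / sufficient / optional, and feeds it the two common-auth stacks quoted above. pam_unix.so and pam_ldap.so are replaced by constructed stand-ins backed by two small user sets (root local-only, user1 and farget LDAP-only), so no real lookups take place; the getpwnam() call in the log goes through NSS (/etc/nsswitch.conf), which this simulation does not model. Flag semantics follow the simplified description in the pam.conf manual page.

```python
"""Simulate Linux-PAM control-flag evaluation for the stacks in the thread."""
from typing import Callable, Dict, List, Tuple

# Constructed sample data standing in for /etc/passwd and the LDAP directory:
# 'root' exists only locally, 'user1' and 'farget' exist only in LDAP.
LOCAL_USERS = {"root"}
LDAP_USERS = {"user1", "farget"}

Module = Callable[[str], bool]
Stack = List[Tuple[str, Module]]


def pam_unix(user: str) -> bool:
    """Stand-in for pam_unix.so: succeeds only for local (/etc/passwd) users."""
    return user in LOCAL_USERS


def pam_ldap(user: str) -> bool:
    """Stand-in for pam_ldap.so: succeeds only for users found in LDAP."""
    return user in LDAP_USERS


MODULES: Dict[str, Module] = {"pam_unix.so": pam_unix, "pam_ldap.so": pam_ldap}

# The two common-auth stacks from the thread, verbatim.
ORIGINAL_COMMON_AUTH = """auth    required        pam_unix.so nullok_secure
auth    sufficient      pam_ldap.so use_first_pass
"""
PROPOSED_COMMON_AUTH = """auth   sufficient   pam_ldap.so use_first_pass
auth   required      pam_unix.so
"""


def parse_stack(text: str, service: str) -> Stack:
    """Read /etc/pam.d-style lines and keep those for one service type
    ('auth', 'account', ...). Module arguments such as nullok_secure or
    use_first_pass are accepted and ignored by this simulation."""
    stack: Stack = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith("#") or parts[0] != service:
            continue
        _service, flag, module = parts[:3]
        stack.append((flag, MODULES[module]))
    return stack


def run_stack(stack: Stack, user: str) -> bool:
    """Evaluate a stack top to bottom with simplified Linux-PAM semantics.

    required   - failure is remembered, the rest of the stack still runs,
                 and the final result is failure.
    requisite  - failure stops the stack immediately with failure.
    sufficient - success ends the stack with success unless an earlier
                 required module already failed; failure is ignored.
    optional   - only decides the outcome if no other kind of module ran.
    """
    required_failed = False
    required_seen = False
    sufficient_seen = False
    last_optional = None
    for flag, module in stack:
        ok = module(user)
        if flag in ("required", "requisite"):
            required_seen = True
            if not ok:
                if flag == "requisite":
                    return False
                required_failed = True
        elif flag == "sufficient":
            sufficient_seen = True
            if ok and not required_failed:
                return True
        elif flag == "optional":
            last_optional = ok
        else:
            raise ValueError(f"unknown control flag: {flag}")
    if required_failed:
        return False
    if required_seen:
        return True          # every required/requisite module succeeded
    if sufficient_seen:
        return False         # fell through all sufficient modules
    return bool(last_optional)


def authenticates(config: str, user: str) -> bool:
    """True if the 'auth' stack in config accepts the user."""
    return run_stack(parse_stack(config, "auth"), user)


if __name__ == "__main__":
    for user in ("root", "user1", "farget", "nobody"):
        print(f"{user:8} original: {authenticates(ORIGINAL_COMMON_AUTH, user)!s:5}"
              f"  proposed: {authenticates(PROPOSED_COMMON_AUTH, user)}")
```

With the original ordering, an LDAP-only account such as user1 fails because the required pam_unix.so failure is remembered and blocks the later sufficient pam_ldap.so; with pam_ldap.so sufficient first, the same account passes while root still authenticates through pam_unix.so, and an unknown name is rejected by both stacks.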

