[Samba] Problems with NSCD, Solaris 10 and SAMBA 3.0.21b

Hoferer, Patrick K. Patrick.Hoferer at ngc.com
Fri Oct 6 21:57:15 GMT 2006


I cannot kill nscd and allow SAMBA authentication to work. I continue
getting a NT_STATUS_LOGIN_FAILURE error message when I disable nscd
using the svcadm command. I am running the latest versions of Solaris 10
(06/06) with the recommended patches I downloaded last week from Sun. I
compiled SAMBA 3.0.21b, OpenLDAP 2-3-24, and Berkeley DB 4.4.20 using
Sun Studio 11 and Sun's make binary. 

I have been running SAMBA with an LDAP backend for roughly 3 years now
and have had few problems until switching from the LDAP protocol to
LDAPS in my smb.conf file. Since upgrading my system I cannot get the
group mappings from anywhere other than files. It seems that when I add
a user as a secondary member to a group in /etc/group and I kill nscd
(automatic restart courtesy of Solaris 10) I can log onto Windows as a
"Domain Admins" member. When I remove the entry from /etc/group and
leave the one in place within LDAP, the group mapping to "Domain Admins"
doesn't work.

I have attached my smb.conf and the outputs from the net and getent
commands. 

smb.conf

[global]
	workgroup = TESTB2
	netbios name = B2
	netbios alias = testshare
	server string = b2samba server
	null passwords = yes
	obey pam restrictions = Yes
	passdb backend = "ldapsam:ldaps://ldapmaster.test.com ldaps://ldapslave.test.com"
	passwd program = /dev/null %u 
	unix password sync = Yes 
	log level = 3 	
	log file = /usr/local/samba/var/%m.log 
	lpq cache time = 20 
	logon path = 
	logon home = 
	domain logons = Yes 
	os level = 99 
	preferred master = Yes 
	domain master = Yes 
	dns proxy = No 
	wins support = yes 
	ldap admin dn = "cn=sambaadmin,ou=profile,dc=test,dc=com"
	ldap group suffix = ou=Group 
	ldap idmap suffix = ou=Idmap 
	ldap machine suffix = ou=Computers 
	ldap suffix = dc=test,dc=com 
	ldap ssl = no 
	ldap user suffix = ou=People 
	idmap backend = "ldap:ldaps://ldapmaster.test.com ldaps://ldapslave.test.com"
	idmap uid = 1000-10000 
	idmap gid = 24-1000 
	use client driver = Yes

Getent group output

	# getent group domadmins
	domadmins::601:pattest,meltest,hoferpa

Net command output

	# net groupmap list
	Domain Admins (S-1-5-21-3199061123-4087593925-1667135622-512) -> domadmins
	Domain Users (S-1-5-21-3199061123-4087593925-1667135622-513) -> domadmins
	Auditors (S-1-5-21-3199061123-4087593925-1667135622-2408) -> auditors

	# net groupmap listmem S-1-5-21-3199061123-4087593925-1667135622-512
	S-1-5-21-3199061123-4087593925-1667135622-14410
	S-1-5-21-3199061123-4087593925-1667135622-14610
	S-1-5-21-3199061123-4087593925-1667135622-15620

	# net groupmap memberships S-1-5-21-3199061123-4087593925-1667135622-14410
	S-1-5-21-3199061123-4087593925-1667135622-512

Any insight into why this UNIX group mapping through an LDAP backend fails,
or why NSCD is necessary on Solaris 10 in order for SAMBA to continue
authentications, would be greatly appreciated. It seems that I've been
banging my head against books (and desk) for over a week now and still
am no closer to solving this mystery.

Thank you for your time.
Patrick Hoferer
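A cross-check of the two outputs quoted in the post, added here as an example and not part of the original message: it parses `net groupmap list` and `getent group` output (the sample lines below are constructed from the post, and the "Name (SID) -> group" line format is assumed to match what the poster pasted), flags any mapped UNIX group that NSS cannot resolve (the symptom described for the LDAP-only group), and flags two SIDs landing on the same UNIX group, which the post's own table shows for the Domain Admins and Domain Users RIDs.

```python
import re

# Constructed sample lines, shaped like the two outputs quoted in the post.
GROUPMAP_LIST = """\
Domain Admins (S-1-5-21-3199061123-4087593925-1667135622-512) -> domadmins
Domain Users (S-1-5-21-3199061123-4087593925-1667135622-513) -> domadmins
Auditors (S-1-5-21-3199061123-4087593925-1667135622-2408) -> auditors
"""
GETENT_GROUP = "domadmins::601:pattest,meltest,hoferpa\n"

# One line of `net groupmap list`: "<NT name> (<SID>) -> <unix group>"
MAP_RE = re.compile(
    r"^(?P<name>.+?) \((?P<sid>S-1-5-21(?:-\d+){3}-(?P<rid>\d+))\) -> (?P<unix>\S+)$")

def parse_groupmap(text):
    """Return (nt_name, sid, rid, unix_group) tuples from `net groupmap list` output."""
    entries = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = MAP_RE.match(line)
        if not m:
            raise ValueError("unparsable groupmap line: %r" % line)
        entries.append((m["name"], m["sid"], int(m["rid"]), m["unix"]))
    return entries

def parse_getent_group(text):
    """Return {group: (gid, [members])} from `getent group` output (name:passwd:gid:members)."""
    groups = {}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        name, _pw, gid, members = line.split(":", 3)
        groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups

def audit_groupmap(groupmap_text, getent_text):
    """Cross-check mappings against what NSS resolves; return a list of finding strings."""
    findings, by_unix = [], {}
    groups = parse_getent_group(getent_text)
    for name, sid, rid, unix in parse_groupmap(groupmap_text):
        by_unix.setdefault(unix, []).append((name, rid))
        if unix not in groups:
            # A mapping whose UNIX group NSS cannot resolve is dead: SID-to-gid lookups fail.
            findings.append("%s (%s) -> %r: UNIX group not resolvable via NSS" % (name, sid, unix))
    for unix, mapped in by_unix.items():
        if len(mapped) > 1:
            names = ", ".join(n for n, _r in mapped)
            msg = "%s all map to UNIX group %r" % (names, unix)
            if {512, 513} <= {r for _n, r in mapped}:  # Domain Admins and Domain Users RIDs
                msg += " (Domain Users and Domain Admins share one gid and cannot be told apart on UNIX)"
            findings.append(msg)
    return findings
```

Run `audit_groupmap` against the live output of both commands (with and without nscd running) to see whether the LDAP-only group disappears from the NSS side while the mapping table stays unchanged.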

