[Samba] Problems with NSCD, Solaris 10 and SAMBA 3.0.21b
Hoferer, Patrick K.
Patrick.Hoferer at ngc.com
Fri Oct 6 21:57:15 GMT 2006
I cannot kill nscd and allow SAMBA authentication to work. I continue
getting an NT_STATUS_LOGIN_FAILURE error message when I disable nscd
using the svcadm command. I am running the latest versions of Solaris 10
(06/06) with the recommended patches I downloaded last week from Sun. I
compiled SAMBA 3.0.21b, OpenLDAP 2-3-24, and Berkeley DB 4.4.20 using
Sun Studio 11 and Sun's make binary.

I have been running SAMBA with an LDAP backend for roughly 3 years now
and have had few problems until switching from the LDAP protocol to
LDAPS in my smb.conf file. Since upgrading my system I cannot get the
group mappings from anywhere other than files. It seems that when I add
a user as a secondary member to a group in /etc/group and I kill nscd
(automatic restart courtesy of Solaris 10) I can log onto Windows as a
"Domain Admins" member. When I remove the entry from /etc/group and
leave the one in place within LDAP the group mapping to "Domain Admins"
doesn't work.

I have attached my smb.conf and the outputs from the net and getent
commands.

smb.conf
[global]
workgroup = TESTB2
netbios name = B2
netbios alias = testshare
server string = b2samba server
null passwords = yes
obey pam restrictions = Yes
passwddb backend = "ldapsam:ldaps://ldapmaster.test.com ldaps://ldapslave.test.com"
passwd program = /dev/null %u
unix password sync = Yes
log level = 3
log file = /usr/local/samba/var/%m.log
lpq cache time = 20
logon path =
logon home =
domain logons = Yes
os level = 99
preferred master = Yes
domain master = Yes
dns proxy = No
wins support = yes
ldap admin dn = "cn=sambaadmin,ou=profile,dc=test,dc=com"
ldap group suffix = ou=Group
ldap idmap suffix = ou=Idmap
ldap machine suffix = ou=Computers
ldap suffix = dc=test,dc=com
ldap ssl = no
ldap user suffix = ou=People
idmap backend = "ldap:ldaps://ldapmaster.test.com ldaps://ldapslave.test.com"
idmap uid = 1000-10000
idmap gid = 24-1000
use client driver = Yes

Getent group output
# getent group domadins
domadmins::601:pattest,meltest,hoferpa

Net command output
# net groupmap list
Domain Admins (S-1-5-21-3199061123-4087593925-1667135622-512) -> domadmins
Domain Users (S-1-5-21-3199061123-4087593925-1667135622-513) -> domadmins
Auditors (S-1-5-21-3199061123-4087593925-1667135622-2408) -> auditors
# net groupmap listmem
S-1-5-21-3199061123-4087593925-1667135622-512
S-1-5-21-3199061123-4087593925-1667135622-14410
S-1-5-21-3199061123-4087593925-1667135622-14610
S-1-5-21-3199061123-4087593925-1667135622-15620
# net groupmap memberships
S-1-5-21-3199061123-4087593925-1667135622-14410
S-1-5-21-3199061123-4087593925-1667135622-512

Any insight into why this UNIX group mapping through an LDAP backend fails
or why NSCD is necessary on Solaris 10 in order for SAMBA to continue
authentications would be greatly appreciated. It seems that I've been
banging my head against books (and desk) for over a week now and still
am no closer to solving this mystery.

Thank you for your time.
Patrick Hoferer