[Samba] machine accounts mapped to non-unique uid (was make_server_info_info3: pdb_init_sam failed!)
Tom Robinson
trobinson at intelligentspace.com
Tue Jan 30 12:19:19 GMT 2007
Hi,
Well I partially fixed the problem myself but I'm still having trouble connecting.
On the PDC I had to adjust the LDAP ACLs to allow the DMS read access to the
LDAP databases.
On the DMS I used system-config-authentication to adjust /etc/nsswitch.conf, the
pam settings and /etc/ldap.conf so that nss_ldap is now called to retrieve
remote ldap information from the PDC.
Prior to the above changes pdbedit -L showed all users having the same uid
(4294967295). After the change, users have the correct and unique uids, but all
the machine accounts still show the strange uid of 4294967295.
Is this still an LDAP ACL problem or is it a Samba configuration error?
Client connects still fail with:
# smbclient //DMS/share -U DOMAIN/validuser
Password:
Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.0.10-1.4E.9.ispl]
tree connect failed: NT_STATUS_NO_SUCH_USER
---8<---
logging with log level set at passdb:4 and auth:4 shows:
[2007/01/30 11:30:43, 4] passdb/secrets.c:secrets_fetch_trust_account_password(290)
Using cleartext machine password
[2007/01/30 11:30:43, 3] auth/auth.c:check_ntlm_password(219)
check_ntlm_password: Checking password for unmapped user
[DOMAIN]\[validuser]@[DMS] with the new password interface
[2007/01/30 11:30:43, 3] auth/auth.c:check_ntlm_password(222)
check_ntlm_password: mapped user is: [DOMAIN]\[validuser]@[DMS]
[2007/01/30 11:30:43, 4] passdb/secrets.c:secrets_fetch_trust_account_password(290)
Using cleartext machine password
[2007/01/30 11:30:43, 4] passdb/secrets.c:secrets_fetch_trust_account_password(290)
Using cleartext machine password
[2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
ldapsam_getgroup: Did not find group
[2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
ldapsam_getgroup: Did not find group
[2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
ldapsam_getgroup: Did not find group
[2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
ldapsam_getgroup: Did not find group
[2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
ldapsam_getgroup: Did not find group
[2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
ldapsam_getgroup: Did not find group
[2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
ldapsam_getgroup: Did not find group
[2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
ldapsam_getgroup: Did not find group
[2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
ldapsam_getgroup: Did not find group
[2007/01/30 11:30:43, 3] auth/auth.c:check_ntlm_password(268)
check_ntlm_password: winbind authentication for user [validuser] succeeded
[2007/01/30 11:30:43, 2] auth/auth.c:check_ntlm_password(305)
check_ntlm_password: authentication for user [validuser] -> [validuser] ->
[validuser] succeeded
---8<---
Also, when smbd starts up I see this in the logs:
---8<---
[2007/01/30 11:30:16, 0] smbd/server.c:main(760)
smbd version 3.0.10-1.4E.9.ispl started.
Copyright Andrew Tridgell and the Samba Team 1992-2004
[2007/01/30 11:30:16, 4] passdb/pdb_ldap.c:ldapsam_getsampwsid(1382)
ldapsam_getsampwsid: Unable to locate SID
[S-1-5-21-712055757-3001861959-2674381142-501] count=0
[2007/01/30 11:30:16, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
ldapsam_getgroup: Did not find group
---8<---
Any help appreciated!
Thanks in advance,
Tom
DMS LDAP Changes for nss_ldap:
/etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
protocols: files ldap
services: files ldap
netgroup: files ldap
automount: files ldap
/etc/ldap.conf
host PDC
base dc=somedomain,dc=com
timelimit 120
bind_timelimit 120
idle_timelimit 3600
ssl no
pam_password md5
/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
DMS smb.conf
[global]
server string = %h :-D
netbios name = DMS
workgroup = DOMAIN
security = domain
password server = PDC
encrypt passwords = Yes
null passwords = yes
guest ok = no
wins support = no
wins proxy = no
wins server = xxx.xxx.xxx.xxx
domain master = no
local master = no
preferred master = no
os level = 10
log level = 0 passdb:4 auth:4
log file = /var/log/samba/%m.log
max log size = 0
bind interfaces only = yes
interfaces = xxx.xxx.xxx.xxx
smb ports = 139
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
passdb backend = ldapsam_compat:ldap://pdc.somedomain.com
ldap suffix = dc=somedomain,dc=com
ldap server = pdc.somedomain.com
ldap admin dn = uid=cyrus,dc=somedomain,dc=com
ldap filter = (&(uid=%u)(objectclass=sambaAccount))
ldap ssl = off
ldap delete dn = no
Tom Robinson wrote:
> Hi,
>
> We have a linux/samba only domain serving files to about 16-18 Windows
> clients (mostly XP, a few W2K).
>
> PDC:
> SuSE OpenXchange 4.4
> samba 2.2.8a
> openldap 2.1.4
>
> Domain Member Server (DMS)
> CentOS 4.4
> samba 3.0.10
>
> I set the Domain Member Server up using the default passdb backend
> (/etc/samba/smbpasswd) to start with and that all worked fine.
>
> I would like to use LDAP for centralised authentication and have
> re-compiled using --with-ldapsam because the PDC uses the older (version 2)
> Samba LDAP schema (see smb.conf below for params).
>
> I've joined the DOMAIN with:
> # net rpc join
> Join to 'DOMAIN' is OK
>
> I've set the ldap_bind_password in secrets.tdb with:
> # smbpasswd -w <secret>
> Setting stored password for "uid=root,dc=somedomain,dc=com" in secrets.tdb
>
> # smbclient -L DMS -N
>
> gives the following error in the host log:
> ---8<---
> auth/auth_domain.c:domain_client_validate(199)
> domain_client_validate: unable to validate password for user root in
> domain DOMAIN to Domain controller \\PDC. Error was
> NT_STATUS_WRONG_PASSWORD.
> ---8<---
>
> and when I try to connect to a share I get this:
> # smbclient //DMS/share -U validuser
> ---8<---
> auth/auth_util.c:make_server_info_info3(1177)
> make_server_info_info3: pdb_init_sam failed!
> ---8<---
>
> Connections directly to the PDC from the DMS work fine:
> # smbclient //PDC/someshare -U validuser
> Password:
> Domain=[DOMAIN] OS=[Unix] Server=[Samba 2.2.8a-UL]
> smb: \> quit
>
> Can anyone please help with these errors? I can't seem to crack it open
> myself.
>
> Thanks in advance,
>
> Tom
>
> ---8<---
> [global]
> server string = %h :-D
> netbios name = dms
> workgroup = DOMAIN
>
> security = domain
> password server = PDC
> encrypt passwords = Yes
> null passwords = yes
>
> guest ok = no
>
> wins support = no
> wins proxy = no
> wins server = xxx.xxx.xxx.xxx
>
> domain master = no
> local master = no
> preferred master = no
> os level = 0
>
> log level = 0
> log file = /var/log/samba/%m.log
> max log size = 0
>
> bind interfaces only = yes
> interfaces = xxx.xxx.xxx.xxx
> smb ports = 139
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> passdb backend = ldapsam_compat:ldap://pdc.somedomain.com
> ldap suffix = dc=somedomain,dc=com
> ldap port = 389
> ldap server = pdc.somedomain.com
> ldap admin dn = uid=root,dc=somedomain,dc=com
> ldap filter = (&(uid=%u)(objectclass=sambaAccount))
> ldap ssl = no
> ---8<---
>
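The symptom in this thread (every machine account reporting uid 4294967295 in pdbedit -L while users resolve correctly after nss_ldap was enabled) can be checked mechanically. The script below is an added diagnostic example, not code from the poster or from the Samba project. It assumes that 4294967295 is 2**32 - 1, i.e. (uid_t)-1, the value Samba 3 carries for a passdb entry whose name NSS could not map to a Unix uid (consistent with the poster's observation that fixing nss_ldap fixed the user uids); the pdbedit output, nsswitch.conf fragment, log excerpt and the SID placeholder in it are all constructed sample data.

```python
import re

# Constructed sample data (not from the post): pdbedit -L prints one account per
# line as name:uid:full-name. The machine accounts (names ending in '$') carry
# the 4294967295 uid the post describes; ordinary users have real uids.
SAMPLE_PDBEDIT = """\
validuser:1001:Valid User
otheruser:1002:Other User
WS01$:4294967295:Workstation WS01
WS02$:4294967295:Workstation WS02
"""

# Constructed /etc/nsswitch.conf fragment, matching the post's DMS settings.
SAMPLE_NSSWITCH = """\
passwd: files ldap
shadow: files ldap
group:  files ldap
"""

# Constructed Samba log excerpt in the two-line format used at log level 4:
# a "[timestamp, level] file:function(line)" header, then an indented message.
# The SID is a placeholder, not a real domain SID.
SAMPLE_LOG = """\
[2007/01/30 11:30:16, 4] passdb/pdb_ldap.c:ldapsam_getsampwsid(1382)
  ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-EXAMPLE-501] count=0
[2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
  ldapsam_getgroup: Did not find group
[2007/01/30 11:30:43, 3] auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: winbind authentication for user [validuser] succeeded
"""

# 4294967295 is 2**32 - 1, i.e. (uid_t)-1 on a 32-bit uid_t: assumed here to be
# the value a passdb entry carries when the name did not resolve through NSS.
UNMAPPED_UID = 2**32 - 1


def parse_pdbedit(text):
    """Parse pdbedit -L output into a list of account dicts."""
    accounts = []
    for line in text.splitlines():
        fields = line.strip().split(":", 2)
        if len(fields) < 2 or not fields[1].isdigit():
            continue  # blank line or something that is not name:uid:...
        name, uid = fields[0], int(fields[1])
        accounts.append({"name": name, "uid": uid, "machine": name.endswith("$")})
    return accounts


def find_unmapped(accounts):
    """Accounts whose uid is the unmapped sentinel."""
    return [a for a in accounts if a["uid"] == UNMAPPED_UID]


def find_duplicate_uids(accounts):
    """Map uid -> names for every uid shared by more than one account."""
    by_uid = {}
    for a in accounts:
        by_uid.setdefault(a["uid"], []).append(a["name"])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}


def nss_uses_ldap(text, databases=("passwd", "group")):
    """Return {db: bool} telling whether each NSS database lists the ldap source."""
    sources = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if ":" in line:
            db, _, rest = line.partition(":")
            sources[db.strip()] = rest.split()
    return {db: "ldap" in sources.get(db, []) for db in databases}


LOG_HEADER = re.compile(
    r"^\[(?P<ts>[^,]+), (?P<level>\d+)\] (?P<file>\S+?):(?P<func>\w+)\((?P<line>\d+)\)$")


def parse_samba_log(text):
    """Pair each Samba log header line with the message line(s) that follow it."""
    entries = []
    for line in text.splitlines():
        m = LOG_HEADER.match(line)
        if m:
            entry = m.groupdict()
            entry["level"] = int(entry["level"])
            entry["msg"] = ""
            entries.append(entry)
        elif entries:
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    return entries


def passdb_lookup_failures(entries):
    """Log entries where the LDAP passdb could not resolve a SID or a group."""
    return [e for e in entries
            if e["func"].startswith("ldapsam_")
            and ("Unable to locate" in e["msg"] or "Did not find" in e["msg"])]


def report(pdbedit_text=SAMPLE_PDBEDIT, nsswitch_text=SAMPLE_NSSWITCH, log_text=SAMPLE_LOG):
    """Run the three checks and return one summary dict."""
    accounts = parse_pdbedit(pdbedit_text)
    unmapped = find_unmapped(accounts)
    return {
        "unmapped_machine": sorted(a["name"] for a in unmapped if a["machine"]),
        "unmapped_user": sorted(a["name"] for a in unmapped if not a["machine"]),
        "duplicate_uids": find_duplicate_uids(accounts),
        "nss_ldap": nss_uses_ldap(nsswitch_text),
        "passdb_failures": len(passdb_lookup_failures(parse_samba_log(log_text))),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Run it against real output by substituting the captured text of `pdbedit -L`, `/etc/nsswitch.conf` and the smbd log for the constructed samples. If only the `$`-suffixed names are unmapped while `nss_ldap` is true for both passwd and group, the user side of NSS is working and the remaining question is whether the machine accounts themselves are visible to the DMS through LDAP (for example the ACL the poster had to relax for user entries), which is the distinction the post is asking about.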