[Samba] machine accounts mapped to non-unique uid (was make_server_info_info3: pdb_init_sam failed!)

Tom Robinson trobinson at intelligentspace.com
Wed Jan 31 20:55:33 GMT 2007


Hi,

It's the ACLs in LDAP again!

I've adjusted the ACLs to allow the machine accounts to be visible on the DMS. 
pdbedit -L shows the correct (and unique) uids for both users and machine 
accounts now.

Thanks Tom! ;-)

I'm still having trouble connecting though if anyone has any ideas? The logging 
and error messages haven't changed from those below.

smbclient //DMS/share -U DOMAIN/validuser
Password:
Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.0.10-1.4E.9.ispl]
tree connect failed: NT_STATUS_NO_SUCH_USER

Thanks in advance.

Tom

Tom Robinson wrote:
> Hi,
> 
> Well, I partially fixed the problem myself but I'm still having trouble 
> connecting.
> 
> On the PDC I had to adjust the LDAP ACLs to allow the DMS read access 
> to the LDAP databases.
> 
> On the DMS I used system-config-authentication to adjust 
> /etc/nsswitch.conf, the pam settings and /etc/ldap.conf so that nss_ldap 
> is now called to retrieve remote ldap information from the PDC.
> 
> Previous to the above changes pdbedit -L showed all users having the 
> same uid (4294967295). After the change, users have the correct and 
> unique uids but all the machine accounts still show the strange uid of 
> 4294967295.
> 
> Is this still an LDAP ACL problem or is it a Samba configuration error?
> 
> Client connects still fail with:
> #  smbclient //DMS/share -U DOMAIN/validuser
> Password:
> Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.0.10-1.4E.9.ispl]
> tree connect failed: NT_STATUS_NO_SUCH_USER
> 
> ---8<---
> logging with log level set at passdb:4 and auth:4 shows:
> [2007/01/30 11:30:43, 4] 
> passdb/secrets.c:secrets_fetch_trust_account_password(290)
>   Using cleartext machine password
> [2007/01/30 11:30:43, 3] auth/auth.c:check_ntlm_password(219)
>   check_ntlm_password:  Checking password for unmapped user 
> [DOMAIN]\[validuser]@[DMS] with the new password interface
> [2007/01/30 11:30:43, 3] auth/auth.c:check_ntlm_password(222)
>   check_ntlm_password:  mapped user is: [DOMAIN]\[validuser]@[DMS]
> [2007/01/30 11:30:43, 4] 
> passdb/secrets.c:secrets_fetch_trust_account_password(290)
>   Using cleartext machine password
> [2007/01/30 11:30:43, 4] 
> passdb/secrets.c:secrets_fetch_trust_account_password(290)
>   Using cleartext machine password
> [2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
>   ldapsam_getgroup: Did not find group
> [2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
>   ldapsam_getgroup: Did not find group
> [2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
>   ldapsam_getgroup: Did not find group
> [2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
>   ldapsam_getgroup: Did not find group
> [2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
>   ldapsam_getgroup: Did not find group
> [2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
>   ldapsam_getgroup: Did not find group
> [2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
>   ldapsam_getgroup: Did not find group
> [2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
>   ldapsam_getgroup: Did not find group
> [2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
>   ldapsam_getgroup: Did not find group
> [2007/01/30 11:30:43, 3] auth/auth.c:check_ntlm_password(268)
>   check_ntlm_password: winbind authentication for user [validuser] 
> succeeded
> [2007/01/30 11:30:43, 2] auth/auth.c:check_ntlm_password(305)
>   check_ntlm_password:  authentication for user [validuser] -> 
> [validuser] -> [validuser] succeeded
> ---8<---
> 
> Also, when smbd starts up I see this in the logs:
> ---8<---
> [2007/01/30 11:30:16, 0] smbd/server.c:main(760)
>   smbd version 3.0.10-1.4E.9.ispl started.
>   Copyright Andrew Tridgell and the Samba Team 1992-2004
> [2007/01/30 11:30:16, 4] passdb/pdb_ldap.c:ldapsam_getsampwsid(1382)
>   ldapsam_getsampwsid: Unable to locate SID 
> [S-1-5-21-712055757-3001861959-2674381142-501] count=0
> [2007/01/30 11:30:16, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
>   ldapsam_getgroup: Did not find group
> ---8<---
> 
> Any help appreciated!
> 
> Thanks in advance,
> 
> Tom
> 
> DMS LDAP Changes for nss_ldap:
> /etc/nsswitch.conf
> passwd:     files ldap
> shadow:     files ldap
> group:      files ldap
> protocols:  files ldap
> services:   files ldap
> netgroup:   files ldap
> automount:  files ldap
> 
> /etc/ldap.conf
> host PDC
> base dc=somedomain,dc=com
> timelimit 120
> bind_timelimit 120
> idle_timelimit 3600
> ssl no
> pam_password md5
> 
> /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so
> 
> account     required      /lib/security/$ISA/pam_unix.so broken_shadow
> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 
> quiet
> account     [default=bad success=ok user_unknown=ignore] 
> /lib/security/$ISA/pam_ldap.so
> account     required      /lib/security/$ISA/pam_permit.so
> 
> password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok 
> use_authtok md5 shadow
> password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
> password    required      /lib/security/$ISA/pam_deny.so
> 
> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
> session     optional      /lib/security/$ISA/pam_ldap.so
> 
> DMS smb.conf
> [global]
>         server string = %h :-D
>         netbios name = DMS
>         workgroup = DOMAIN
> 
>         security = domain
>         password server = PDC
>         encrypt passwords = Yes
>         null passwords = yes
> 
>         guest ok = no
> 
>         wins support = no
>         wins proxy = no
>         wins server = xxx.xxx.xxx.xxx
> 
>         domain master = no
>         local master = no
>         preferred master = no
>         os level = 10
> 
>         log level = 0 passdb:4 auth:4
>         log file = /var/log/samba/%m.log
>         max log size = 0
> 
>         bind interfaces only = yes
>         interfaces = xxx.xxx.xxx.xxx
>         smb ports = 139
>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
> 
>         passdb backend = ldapsam_compat:ldap://pdc.somedomain.com
>         ldap suffix = dc=somedomain,dc=com
>         ldap server = pdc.somedomain.com
>         ldap admin dn = uid=cyrus,dc=somedomain,dc=com
>         ldap filter = (&(uid=%u)(objectclass=sambaAccount))
>         ldap ssl = off
>         ldap delete dn = no
> 
> 
> Tom Robinson wrote:
>> Hi,
>>
>> We have a linux/samba only domain serving files to about 16-18 Windows 
>> clients (mostly XP, a few W2K).
>>
>> PDC:
>> SuSE OpenXchange 4.4
>> samba 2.2.8a
>> openldap 2.1.4
>>
>> Domain Member Server (DMS)
>> CentOS 4.4
>> samba 3.0.10
>>
>> I set the Domain Member Server up using the default passdb backend 
>> (/etc/samba/smbpasswd) to start with and that all worked fine.
>>
>> I would like to use LDAP for centralised authentication and have 
>> re-compiled using --with-ldapsam because the PDC uses the older 
>> (Version 2) of the Samba LDAP schema. (see smb.conf below for params).
>>
>> I've joined the DOMAIN with:
>> # net rpc join
>> Join to 'DOMAIN' is OK
>>
>> I've set the ldap_bind_password in secrets.tdb with:
>> # smbpasswd -w <secret>
>> Setting stored password for "uid=root,dc=somedomain,dc=com" in 
>> secrets.tdb
>>
>> # smbclient -L DMS -N
>>
>> gives the following error in the host log:
>> ---8<---
>> auth/auth_domain.c:domain_client_validate(199)
>>   domain_client_validate: unable to validate password for user root in 
>> domain DOMAIN to Domain controller \\PDC. Error was 
>> NT_STATUS_WRONG_PASSWORD.
>> ---8<---
>>
>> and when I try to connect to a share I get this:
>> # smbclient //DMS/share -U validuser
>> ---8<---
>> auth/auth_util.c:make_server_info_info3(1177)
>>   make_server_info_info3: pdb_init_sam failed!
>> ---8<---
>>
>> Connections directly to the PDC from the DMS work fine:
>> # smbclient //PDC/someshare -U validuser
>> Password:
>> Domain=[DOMAIN] OS=[Unix] Server=[Samba 2.2.8a-UL]
>> smb: \> quit
>>
>> Can anyone please help with these errors? I can't seem to crack it 
>> open myself.
>>
>> Thanks in advance,
>>
>> Tom
>>
>> ---8<---
>> [global]
>>         server string = %h :-D
>>         netbios name = dms
>>         workgroup = DOMAIN
>>
>>         security = domain
>>         password server = PDC
>>         encrypt passwords = Yes
>>         null passwords = yes
>>
>>         guest ok = no
>>
>>         wins support = no
>>         wins proxy = no
>>         wins server = xxx.xxx.xxx.xxx
>>
>>         domain master = no
>>         local master = no
>>         preferred master = no
>>         os level = 0
>>
>>         log level = 0
>>         log file = /var/log/samba/%m.log
>>         max log size = 0
>>
>>         bind interfaces only = yes
>>         interfaces = xxx.xxx.xxx.xxx
>>         smb ports = 139
>>         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>
>>         passdb backend = ldapsam_compat:ldap://pdc.somedomain.com
>>         ldap suffix = dc=somedomain,dc=com
>>         ldap port = 389
>>         ldap server = pdc.somedomain.com
>>         ldap admin dn = uid=root,dc=somedomain,dc=com
>>         ldap filter = (&(uid=%u)(objectclass=sambaAccount))
>>         ldap ssl = no
>> ---8<---
>>
> 

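The symptom in this thread (every machine account reported by pdbedit -L with uid 4294967295, i.e. (uid_t)-1, because the DMS could not resolve them through nss_ldap) is easy to miss in a long listing. The script below is an added example, not from the post or from Samba: it reads `pdbedit -L` style lines (username:uid:gecos) and flags any account that still carries that unmapped sentinel or shares its uid with another account. The sample listing is constructed; in live use pipe `pdbedit -L` into the function.

```shell
#!/bin/sh
# Constructed sample of `pdbedit -L` output (username:uid:gecos); not data from the post.
# Two machine accounts still carry the unmapped sentinel uid 4294967295 ((uid_t)-1).
SAMPLE_PDBEDIT='validuser:1001:Valid User
otheruser:1002:Other User
ws01$:4294967295:
ws02$:4294967295:
root:0:root'

# check_pdb_uids: read pdbedit -L lines on stdin, print one line per problem account.
# Exit status 1 if any account is unmapped or shares a uid, 0 if the listing is clean.
check_pdb_uids() {
    awk -F: '
    {
        name[NR] = $1; uid[NR] = $2; count[$2]++
    }
    END {
        bad = 0
        for (i = 1; i <= NR; i++) {
            if (uid[i] == "4294967295") {
                # nss lookup failed for this entry: LDAP ACLs or nss_ldap config on the DMS
                printf "UNMAPPED %s (uid %s: not resolvable via NSS)\n", name[i], uid[i]
                bad = 1
            } else if (count[uid[i]] > 1) {
                printf "DUPLICATE %s (uid %s shared by %d accounts)\n", name[i], uid[i], count[uid[i]]
                bad = 1
            }
        }
        exit bad
    }'
}

# count_bad: number of problem accounts found in the constructed sample.
count_bad() {
    printf '%s\n' "$SAMPLE_PDBEDIT" | check_pdb_uids | wc -l | tr -d ' '
}

# Live use on a domain member server: pdbedit -L | check_pdb_uids
```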