[Samba] machine accounts mapped to non-unique uid (was make_server_info_info3: pdb_init_sam failed!)
Tom Robinson
trobinson at intelligentspace.com
Wed Jan 31 20:55:33 GMT 2007
Hi,
It's the ACLs in LDAP again!
I've adjusted the ACLs to allow the machine accounts to be visible on the DMS.
pdbedit -L shows the correct (and unique) uids for both users and machine
accounts now.
Thanks Tom! ;-)
I'm still having trouble connecting, though, if anyone has any ideas. The logging
and error messages haven't changed from those below.
smbclient //DMS/share -U DOMAIN/validuser
Password:
Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.0.10-1.4E.9.ispl]
tree connect failed: NT_STATUS_NO_SUCH_USER
Thanks in advance.
Tom
Tom Robinson wrote:
> Hi,
>
> Well, I partially fixed the problem myself, but I'm still having trouble
> connecting.
>
> On the PDC I had to adjust the LDAP ACLs to allow the DMS read access
> to the LDAP databases.
>
> On the DMS I used system-config-authentication to adjust
> /etc/nsswitch.conf, the pam settings and /etc/ldap.conf so that nss_ldap
> is now called to retrieve remote ldap information from the PDC.
>
> Previous to the above changes, pdbedit -L showed all users having the
> same uid (4294967295). After the change, users have the correct and
> unique uids, but all the machine accounts still show the strange uid of
> 4294967295.
>
> Is this still an LDAP acl problem or is it a samba configuration error?
>
> Client connections still fail with:
> # smbclient //DMS/share -U DOMAIN/validuser
> Password:
> Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.0.10-1.4E.9.ispl]
> tree connect failed: NT_STATUS_NO_SUCH_USER
>
> ---8<---
> logging with log level set at passdb:4 and auth:4 shows:
> [2007/01/30 11:30:43, 4]
> passdb/secrets.c:secrets_fetch_trust_account_password(290)
> Using cleartext machine password
> [2007/01/30 11:30:43, 3] auth/auth.c:check_ntlm_password(219)
> check_ntlm_password: Checking password for unmapped user
> [DOMAIN]\[validuser]@[DMS] with the new password interface
> [2007/01/30 11:30:43, 3] auth/auth.c:check_ntlm_password(222)
> check_ntlm_password: mapped user is: [DOMAIN]\[validuser]@[DMS]
> [2007/01/30 11:30:43, 4]
> passdb/secrets.c:secrets_fetch_trust_account_password(290)
> Using cleartext machine password
> [2007/01/30 11:30:43, 4]
> passdb/secrets.c:secrets_fetch_trust_account_password(290)
> Using cleartext machine password
> [2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
> ldapsam_getgroup: Did not find group
> [2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
> ldapsam_getgroup: Did not find group
> [2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
> ldapsam_getgroup: Did not find group
> [2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
> ldapsam_getgroup: Did not find group
> [2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
> ldapsam_getgroup: Did not find group
> [2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
> ldapsam_getgroup: Did not find group
> [2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
> ldapsam_getgroup: Did not find group
> [2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
> ldapsam_getgroup: Did not find group
> [2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
> ldapsam_getgroup: Did not find group
> [2007/01/30 11:30:43, 3] auth/auth.c:check_ntlm_password(268)
> check_ntlm_password: winbind authentication for user [validuser]
> succeeded
> [2007/01/30 11:30:43, 2] auth/auth.c:check_ntlm_password(305)
> check_ntlm_password: authentication for user [validuser] ->
> [validuser] -> [validuser] succeeded
> ---8<---
>
> Also, when smbd starts up I see this in the logs:
> ---8<---
> [2007/01/30 11:30:16, 0] smbd/server.c:main(760)
> smbd version 3.0.10-1.4E.9.ispl started.
> Copyright Andrew Tridgell and the Samba Team 1992-2004
> [2007/01/30 11:30:16, 4] passdb/pdb_ldap.c:ldapsam_getsampwsid(1382)
> ldapsam_getsampwsid: Unable to locate SID
> [S-1-5-21-712055757-3001861959-2674381142-501] count=0
> [2007/01/30 11:30:16, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
> ldapsam_getgroup: Did not find group
> ---8<---
>
> Any help appreciated!
>
> Thanks in advance,
>
> Tom
>
> DMS LDAP Changes for nss_ldap:
> /etc/nsswitch.conf
> passwd: files ldap
> shadow: files ldap
> group: files ldap
> protocols: files ldap
> services: files ldap
> netgroup: files ldap
> automount: files ldap
>
> /etc/ldap.conf
> host PDC
> base dc=somedomain,dc=com
> timelimit 120
> bind_timelimit 120
> idle_timelimit 3600
> ssl no
> pam_password md5
>
> /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
> auth required /lib/security/$ISA/pam_deny.so
>
> account required /lib/security/$ISA/pam_unix.so broken_shadow
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
> account required /lib/security/$ISA/pam_permit.so
>
> password requisite /lib/security/$ISA/pam_cracklib.so retry=3
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
> password required /lib/security/$ISA/pam_deny.so
>
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
> session optional /lib/security/$ISA/pam_ldap.so
>
> DMS smb.conf
> [global]
> server string = %h :-D
> netbios name = DMS
> workgroup = DOMAIN
>
> security = domain
> password server = PDC
> encrypt passwords = Yes
> null passwords = yes
>
> guest ok = no
>
> wins support = no
> wins proxy = no
> wins server = xxx.xxx.xxx.xxx
>
> domain master = no
> local master = no
> preferred master = no
> os level = 10
>
> log level = 0 passdb:4 auth:4
> log file = /var/log/samba/%m.log
> max log size = 0
>
> bind interfaces only = yes
> interfaces = xxx.xxx.xxx.xxx
> smb ports = 139
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> passdb backend = ldapsam_compat:ldap://pdc.somedomain.com
> ldap suffix = dc=somedomain,dc=com
> ldap server = pdc.somedomain.com
> ldap admin dn = uid=cyrus,dc=somedomain,dc=com
> ldap filter = (&(uid=%u)(objectclass=sambaAccount))
> ldap ssl = off
> ldap delete dn = no
>
>
> Tom Robinson wrote:
>> Hi,
>>
>> We have a Linux/Samba-only domain serving files to about 16-18 Windows
>> clients (mostly XP, a few W2K).
>>
>> PDC:
>> SuSE OpenXchange 4.4
>> samba 2.2.8a
>> openldap 2.1.4
>>
>> Domain Member Server (DMS)
>> CentOS 4.4
>> samba 3.0.10
>>
>> I set the Domain Member Server up using the default passdb backend
>> (/etc/samba/smbpasswd) to start with and that all worked fine.
>>
>> I would like to use LDAP for centralised authentication and have
>> re-compiled using --with-ldapsam because the PDC uses the older
>> (Version 2) of the Samba LDAP schema. (see smb.conf below for params).
>>
>> I've joined the DOMAIN with:
>> # net rpc join
>> Join to 'DOMAIN' is OK
>>
>> I've set the ldap_bind_password in secrets.tdb with:
>> # smbpasswd -w <secret>
>> Setting stored password for "uid=root,dc=somedomain,dc=com" in
>> secrets.tdb
>>
>> # smbclient -L DMS -N
>>
>> gives the following error in the host log:
>> ---8<---
>> auth/auth_domain.c:domain_client_validate(199)
>> domain_client_validate: unable to validate password for user root in
>> domain DOMAIN to Domain controller \\PDC. Error was
>> NT_STATUS_WRONG_PASSWORD.
>> ---8<---
>>
>> and when I try to connect to a share I get this:
>> # smbclient //DMS/share -U validuser
>> ---8<---
>> auth/auth_util.c:make_server_info_info3(1177)
>> make_server_info_info3: pdb_init_sam failed!
>> ---8<---
>>
>> Connections directly to the PDC from the DMS work fine:
>> # smbclient //PDC/someshare -U validuser
>> Password:
>> Domain=[DOMAIN] OS=[Unix] Server=[Samba 2.2.8a-UL]
>> smb: \> quit
>>
>> Can anyone please help with these errors? I can't seem to crack it
>> open myself.
>>
>> Thanks in advance,
>>
>> Tom
>>
>> ---8<---
>> [global]
>> server string = %h :-D
>> netbios name = dms
>> workgroup = DOMAIN
>>
>> security = domain
>> password server = PDC
>> encrypt passwords = Yes
>> null passwords = yes
>>
>> guest ok = no
>>
>> wins support = no
>> wins proxy = no
>> wins server = xxx.xxx.xxx.xxx
>>
>> domain master = no
>> local master = no
>> preferred master = no
>> os level = 0
>>
>> log level = 0
>> log file = /var/log/samba/%m.log
>> max log size = 0
>>
>> bind interfaces only = yes
>> interfaces = xxx.xxx.xxx.xxx
>> smb ports = 139
>> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>>
>> passdb backend = ldapsam_compat:ldap://pdc.somedomain.com
>> ldap suffix = dc=somedomain,dc=com
>> ldap port = 389
>> ldap server = pdc.somedomain.com
>> ldap admin dn = uid=root,dc=somedomain,dc=com
>> ldap filter = (&(uid=%u)(objectclass=sambaAccount))
>> ldap ssl = no
>> ---8<---
>>
>
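The uid 4294967295 that the thread keeps running into is (uid_t)-1 on a 32-bit uid_t: the value Samba shows when an account's POSIX uid could not be resolved through NSS, for example because the LDAP ACLs hide the posixAccount attributes from the bind the member server uses. Two accounts sharing a uid also means they share file ownership on the member server, so a listing should be checked for both problems before trusting it. The following check script is an added example and is not code from the thread or from the Samba project; it assumes the `name:uid:full name` line format that `pdbedit -L` prints, and the listing it is run against here is constructed with placeholder account names.

```shell
#!/bin/sh
# Added example, not from the original thread: sanity-check the uid column of
# "pdbedit -L" output (or "getent passwd", which uses the same first fields)
# for the (uid_t)-1 sentinel and for duplicate uids.
# The listing below is constructed; account names are placeholders.

SAMPLE_PDBEDIT='validuser:1001:Valid User
otheruser:1002:Other User
dupuser:1001:Duplicate of validuser
ws01$:4294967295:Machine account ws01
ws02$:4294967295:Machine account ws02'

# 4294967295 == (uid_t)-1: "uid could not be mapped", not a real account.
UNMAPPED_UID=4294967295

# count_unmapped: number of "name:uid:..." lines on stdin whose uid is the sentinel.
count_unmapped() {
    awk -F: -v bad="$UNMAPPED_UID" '$2 == bad { n++ } END { print n + 0 }'
}

# count_duplicates: number of lines that reuse a real (non-sentinel) uid already
# seen on an earlier line.
count_duplicates() {
    awk -F: -v bad="$UNMAPPED_UID" '
        $2 != bad { if ($2 in seen) n++; seen[$2] = $1 }
        END { print n + 0 }'
}

# unmapped_names: space-separated names of the unmapped accounts, so the admin
# can see whether only machine accounts (trailing "$") are affected, as in the
# thread, or user accounts too.
unmapped_names() {
    awk -F: -v bad="$UNMAPPED_UID" '
        $2 == bad { printf "%s%s", sep, $1; sep = " " }
        END { print "" }'
}

# report_uids: summarise one listing read from stdin and return non-zero when
# anything is wrong, so the check can run from cron or a deployment script.
report_uids() {
    listing=$(cat)
    unmapped=$(printf '%s\n' "$listing" | count_unmapped)
    dups=$(printf '%s\n' "$listing" | count_duplicates)
    printf 'unmapped uids: %s\n' "$unmapped"
    printf 'duplicate uids: %s\n' "$dups"
    if [ "$unmapped" -gt 0 ]; then
        printf 'accounts with unmapped uid: %s\n' \
            "$(printf '%s\n' "$listing" | unmapped_names)"
    fi
    [ "$unmapped" -eq 0 ] && [ "$dups" -eq 0 ]
}

# On a real member server:  pdbedit -L | report_uids
# Here the constructed sample is checked; it has 2 unmapped and 1 duplicate uid.
printf '%s\n' "$SAMPLE_PDBEDIT" | report_uids || echo 'listing has problems, see above'
```

When only the machine accounts come back as unmapped, as in the second message above, the user entries are readable but the computer entries are not, which points at the LDAP ACLs (or the nss_ldap filter) rather than at smb.conf; when every entry is unmapped, NSS is not reaching the directory at all.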