[Samba] password sync "Failed to open/create TDB passwd" - some progress

Gaiseric Vandal gaiseric.vandal at gmail.com
Fri Jan 11 22:23:55 GMT 2008


I made a little progress.  It is partly a file permissions error.



If I change the permission of /usr/local/samba/private to 660, then since
the unix Administrator (i.e. Windows Domain Administrator) is in the
sysadmin group, this gives it read-write permissions to this file.
Under Windows, as the Domain Administrator, I can now change account
properties such as "password never expires."  (These parameters are
apparently in the account_policy.tdb file, which Administrator can't
access anyway.)

I still cannot change a user's password from Windows (with password
sync enabled).  However, now I get the following error:

    The following error occurred changing the properties of the user x
    Access is denied

Previously I got

    The following error occurred changing the properties of the user x
    A device attached to the system is not functioning


If I tail the log from the Windows server as I try this, I see:
     _samr_lookup_names: looking name on SID S-the-side-of-the-administrator-account
...
  UNIX token of user 0

  Primary group is 0 and contains 0 supplementary groups

[2008/01/11 16:48:10, 5] smbd/uid.c:change_to_root_user(288)

  change_to_root_user: now uid=(0,0) gid=(0,0)



So it looks like Samba verifies that the Administrator account has the
right to read the password file but still makes changes as the root
account.

smbd is running as root.  There is no samba account for root.  I did
try adding Administrator to the root group to weed out any remaining
file permission issues.


Thanks







---------- Forwarded message ----------
From: Gaiseric Vandal <gaiseric.vandal at gmail.com>
Date: Jan 10, 2008 11:27 AM
Subject: password sync "Failed to open/create TDB passwd"
To: Samba <samba at lists.samba.org>


I am trying to enable unix password sync.  PDC is solaris 3.026a on Solaris 9.

my smb.conf file includes:

[global]
        workgroup = MYDOMAIN
        server string = myserver
        passdb backend = tdbsam

        passwd program =  /usr/bin/passwd %u
        passwd chat=*New\sPassword:\s%n\nRe-enter\snew\sPassword:\s%n\npasswd:\spassword\ssuccessfully\schanged*\n

        unix password sync = Yes
        passwd chat debug = yes
        passwd chat timeout = 10

        dos charset = UTF8
        unix charset = UTF8
        display charset = UTF8



Samba was compiled to /usr/local/samba-3.0.26a

# ls -l /usr/local/samba-3.0.26a/private/passdb.tdb
-rw-------   1 root     sysadmin   49152 Jan 10 08:05 /usr/local/samba-3.0.26a/private/passdb.tdb


Assuming password sync is disabled, password or account changes with
smbpasswd, pdbedit, User Manager for Domains work fine.   If I enable
password sync, I can't change passwords as a user at a PC, or as an
administrator with User Manager for Domains.  (I also can't use User
Manager for Domains to change things like "password never expires.")

The samba log file of the Windows server with UsrMgr shows the following:

[2008/01/10 10:50:14, 5] lib/username.c:Get_Pwnam_internals(108)

  Get_Pwnam_internals did find user [jsmith]
...
[2008/01/10 10:50:14, 2] lib/util_tdb.c:tdb_log(662)

  tdb(unnamed): tdb_open_ex: could not open file /usr/local/samba-3.0.26a/private/passdb.tdb: Permission denied

[2008/01/10 10:50:14, 0] passdb/pdb_tdb.c:tdbsam_open(829)

  tdbsam_open: Failed to open/create TDB passwd [/usr/local/samba-3.0.26a/private/passdb.tdb]




The passdb file does exist-  and samba is running as root.  I have a
separate unix/windows account for the Domain Admin.
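
A permission audit for the private directory discussed in this thread, added here as an example; it is not part of the original posts and not Samba code. It assumes the directory and the .tdb files in it should be owned by root with no group or other permission bits, and the function names are made up for this example.

```python
import os
import stat
import sys

# Assumption (not from the post): everything under Samba's private directory
# should be reachable by its owner only, because passdb.tdb and secrets.tdb
# hold password hashes and machine secrets.
GROUP_OTHER = stat.S_IRWXG | stat.S_IRWXO


def check_entry(path, expected_uid):
    """Return a list of problem strings for one file or directory."""
    try:
        st = os.lstat(path)
    except OSError as exc:
        return ["cannot stat (%s)" % exc.strerror]
    if stat.S_ISLNK(st.st_mode):
        return ["is a symlink; target not checked"]
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if st.st_uid != expected_uid:
        problems.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))
    if mode & GROUP_OTHER:
        problems.append("mode %04o grants group/other access" % mode)
    if stat.S_ISDIR(st.st_mode) and not mode & stat.S_IXUSR:
        # e.g. 0660 on a directory: non-root users can list names but not open files
        problems.append("mode %04o has no owner search (x) bit" % mode)
    return problems


def audit_private_dir(private_dir, expected_uid=0):
    """Map each offending path to its problems; an empty dict means clean."""
    findings = {}
    try:
        names = sorted(os.listdir(private_dir))
    except OSError as exc:
        return {private_dir: ["cannot list (%s)" % exc.strerror]}
    for path in [private_dir] + [os.path.join(private_dir, n) for n in names]:
        problems = check_entry(path, expected_uid)
        if problems:
            findings[path] = problems
    return findings


if __name__ == "__main__":
    # Default is the private directory named in the post; pass another as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "/usr/local/samba-3.0.26a/private"
    for path, problems in audit_private_dir(target).items():
        print("%s: %s" % (path, "; ".join(problems)))
```

Run as root against the real directory, an empty result means the tree matches the owner-only assumption.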

