[Samba] Users can't login on Samba+Ldap

Dale Schroeder dale at BriannasSaladDressing.com
Mon May 11 19:10:21 GMT 2009


Riccardo,

I use Debian, so setup should be similar to Ubuntu.  Do you have 
libnss-ldap and libpam-ldap installed?  They were necessary for 
Samba/ldap to work.
Have you modified nsswitch.conf and pam.d to use ldap?  Note: Although 
others have mentioned the possibility, I did not have to modify 
ldap.conf at all for this to work.
Here are two different approaches to making this work.  They might 
possibly fill in some of the blanks.
https://help.ubuntu.com/community/OpenLDAP-SambaPDC-OrgInfo-Posix
http://wiki.makethemove.net/index.php?title=LDAP-Samba

Dale
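As an added example (not code from this thread, from Samba or from nss_ldap), a small LDIF audit that makes the difference between the BERENICE and ADAM entries quoted further down visible: nss_ldap's default passwd filter only matches posixAccount entries, so an old-style sambaSamAccount+account entry is resolved by getent only through /etc/passwd, and the same applies to machine accounts in ou=Machines. The sample entries, the dc=example,dc=com suffix, the SIDs and the password hash are constructed placeholders.

```python
# Added example, not code from the thread: audit LDIF user entries for the attributes
# nss_ldap (posixAccount) and Samba (sambaSamAccount) each need; samples are constructed.
import base64
POSIX_REQUIRED = {"uid", "uidNumber", "gidNumber", "homeDirectory"}  # posixAccount MUSTs
SAMBA_REQUIRED = {"sambaSID", "sambaAcctFlags"}
PW_B64 = base64.b64encode(b"{SSHA}constructed-placeholder").decode()
SAMPLE_LDIF = f"""\
dn: uid=berenice,ou=Users,dc=example,dc=com
uid: berenice
objectClass: sambaSamAccount
objectClass: account
sambaSID: S-1-5-21-0-0-0-2018
sambaAcctFlags: [U          ]

dn: uid=adam,ou=Users,dc=example,dc=com
objectClass: posixAccount
objectClass: sambaSamAccount
uid: adam
uidNumber: 1004
gidNumber: 513
homeDirectory: /home/adam
sambaSID: S-1-5-21-0-0-0-3008
sambaAcctFlags: [U]
userPassword:: {PW_B64}
"""

def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF entry ('::' marks base64)."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:        # trailing "" flushes the last entry
        if not line:                             # a blank line ends an entry
            if cur: entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):                # "attr:: <base64 value>"
            value = base64.b64decode(value[1:].strip()).decode()
        cur.setdefault(attr, []).append(value.strip())
    return entries

def audit(entry):
    """Return {problem: detail}; an empty dict means NSS and Samba can both use it."""
    classes, problems = set(entry.get("objectClass", [])), {}
    # Without posixAccount, getent only finds the user via /etc/passwd (why old entries "work").
    if "posixAccount" not in classes or POSIX_REQUIRED - set(entry):
        problems["nss"] = sorted(POSIX_REQUIRED - set(entry)) or ["objectClass posixAccount"]
    if "sambaSamAccount" not in classes or SAMBA_REQUIRED - set(entry):
        problems["samba"] = sorted(SAMBA_REQUIRED - set(entry)) or ["objectClass sambaSamAccount"]
    if "D" in entry.get("sambaAcctFlags", [""])[0]:  # [DU ] means the account is disabled
        problems["disabled"] = entry["sambaAcctFlags"][0]
    return problems
```

Run it against the output of slapcat or ldapsearch for ou=Users and ou=Machines; any entry reported with an "nss" problem will only appear in getent passwd if it is duplicated in /etc/passwd.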


dogbert wrote:
> I've found somewhere (I'm looking again for the document) that from a 
> certain version it no longer needs the file 
> libnss_ldap.conf/secret because it's all configured from 
> ldap.conf/secret (and I don't have libnss_ldap files).
>
> Anyway I checked with the getent command and I obtain only entries 
> from the /etc/passwd and group files.
>
> I'd like to store all the Windows user and workstation information in 
> LDAP, limiting only the administrative user to passwd.
>
> François Legal wrote:
>> To be honest, I don't know very well all the ldap client configuration
>> stuff. Anyway, nss is not (AFAIK) configured in /etc/ldap.conf.
>>
>> You should have libnss_ldap.conf/secret files containing the ldap
>> configuration (bind DN/pwd, suffix for users, suffix for groups...) so
>> that NSS can successfully look up the directory when it has to find
>> user/group information.
>>
>> You can see if it is configured properly by doing getent group and
>> getent passwd.
>> These commands shall display all the groups and users found on the
>> system.
>> That is each user and group present in /etc/passwd /etc/group plus each
>> user contained in maybe ou=Users,dc=yourcompany,dc=com and
>> ou=Groups,dc=yourcompany,dc=com and (that one is important too)
>> ou=Machines,dc=yourcompany,dc=com from your directory.
>>
>> Note that if you plan to only use ldap to store user information, you
>> should no longer have real users/groups in /etc/passwd and /etc/group.
>>
>> François
>>
>> On Mon, 11 May 2009 16:51:47 +0200, dogbert at infinito.it wrote:
>>> I'm checking /etc/ldap.conf and it seems that at the end of this
>>> file a line was added with the following directive:
>>> nss_initgroups_ignoreusers
>>>
>>> that included more or less every single entry contained in my 
>>> /etc/passwd
>>> file at the time of the ldap configuration.
>>>
>>> Is that normal behaviour?
>>>
>>> Thanks,
>>> Riccardo
>>>
>>>> Did you properly configure nssldap?
>>>>
>>>> On Mon, 11 May 2009 14:25:05 +0200, dogbert at infinito.it wrote:
>>>>> Hi,
>>>>>
>>>>> I've migrated from an old samba installation (Samba as PDC) that used
>>>>> the TDB backend for passwords.
>>>>>
>>>>> I've set up a box with Ubuntu and Samba 3 + LDAP and I imported the
>>>>> old users.
>>>>> Old users work fine.
>>>>>
>>>>> I have problems with new users and machines.
>>>>>
>>>>> Old users work but they don't show up with the smbldap-usershow command
>>>>> and I have problems changing their passwords. If I check the LDAP db I
>>>>> can find them (with both ldapsearch and slapcat).
>>>>>
>>>>> New users created with smbldap-useradd can be seen with the
>>>>> smbldap-usershow command but can't log on to a workstation.
>>>>>
>>>>> If I join a workstation (directly from the workstation) it is added to
>>>>> the LDAP db but it doesn't see the domain until I manually add an entry
>>>>> for it in /etc/passwd.
>>>>>
>>>>> Checking the user entries for two users I can find the following
>>>>> differences.
>>>>> BERENICE is a user imported from the old system and is working fine:
>>>>> dn: uid=berenice,ou=Users,dc=DOMAIN,dc=IT
>>>>> uid: berenice
>>>>> sambaSID: S-1-5-21-1234567890-123456789-123456789-2018
>>>>> sambaPrimaryGroupSID: S-1-5-21-1234567890-123456789-123456789-513
>>>>> displayName: berenice
>>>>> sambaLogonTime: 0
>>>>> sambaLogoffTime: 4294967295
>>>>> sambaKickoffTime: 4294967295
>>>>> sambaPwdCanChange: 1161193814
>>>>> sambaPwdMustChange: 4294967295
>>>>> sambaLMPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>>> sambaNTPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>>> sambaPasswordHistory:
>>>>> 0000000000000000000000000000000000000000000000000000000000000000
>>>>> sambaPwdLastSet: 1161193814
>>>>> sambaLogonHours: FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
>>>>> sambaAcctFlags: [U          ]
>>>>> sambaBadPasswordCount: 0
>>>>> sambaBadPasswordTime: 0
>>>>> objectClass: sambaSamAccount
>>>>> objectClass: account
>>>>> structuralObjectClass: account
>>>>> entryUUID: af11fe14-8e7a-102d-9b4e-27169ab1b87f
>>>>> creatorsName: cn=admin,dc=DOMAIN,dc=IT
>>>>> createTimestamp: 20090214003220Z
>>>>> entryCSN: 20090214003220.132569Z#000000#000#000000
>>>>> modifiersName: cn=admin,dc=DOMAIN,dc=IT
>>>>> modifyTimestamp: 20090214003220Z
>>>>>
>>>>> ADAM is a freshly created user and can't log on to a workstation:
>>>>> dn: uid=adam,ou=Users,dc=DOMAIN,dc=IT
>>>>> objectClass: top
>>>>> objectClass: person
>>>>> objectClass: organizationalPerson
>>>>> objectClass: inetOrgPerson
>>>>> objectClass: posixAccount
>>>>> objectClass: shadowAccount
>>>>> objectClass: sambaSamAccount
>>>>> cn: adam
>>>>> sn: adam
>>>>> givenName: adam
>>>>> uid: adam
>>>>> uidNumber: 1004
>>>>> gidNumber: 513
>>>>> homeDirectory: /home/adam
>>>>> loginShell: /bin/bash
>>>>> gecos: System User
>>>>> structuralObjectClass: inetOrgPerson
>>>>> entryUUID: f9326600-8e7a-102d-9bb5-27169ab1b87f
>>>>> creatorsName: cn=admin,dc=DOMAIN,dc=IT
>>>>> createTimestamp: 20090214003424Z
>>>>> sambaLogonTime: 0
>>>>> sambaLogoffTime: 2147483647
>>>>> sambaKickoffTime: 2147483647
>>>>> sambaPwdCanChange: 0
>>>>> displayName: adam
>>>>> sambaSID: S-1-5-21-1234567890-123456789-123456789-3008
>>>>> sambaPrimaryGroupSID: S-1-5-21-1234567890-123456789-123456789-513
>>>>> sambaLogonScript: logon.bat
>>>>> sambaProfilePath: serverprofilesadam
>>>>> sambaHomePath: serveradam
>>>>> sambaHomeDrive: C:
>>>>> sambaLMPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>>> sambaAcctFlags: [U]
>>>>> sambaNTPassword: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>>>>> sambaPwdLastSet: 1234571674
>>>>> sambaPwdMustChange: 1238459674
>>>>> userPassword:: e1NTSEF9SStEUWVhay9tV2ROTGtOZy9QSlRqTDIrdmM1d1V6ZE4=
>>>>> shadowLastChange: 14289
>>>>> shadowMax: 45
>>>>> entryCSN: 20090214003434.475223Z#000000#000#000000
>>>>> modifiersName: cn=admin,dc=DOMAIN,dc=IT
>>>>> modifyTimestamp: 20090214003434Z
>>>>>
>>>>>
>>>>> Any help would be appreciated.
>>>>> Thanks,
>>>>> Riccardo