[Samba] Users can't login on Samba+Ldap

dogbert dogbert at infinito.it
Thu May 28 13:12:53 GMT 2009

Hi again,

I've tested the suggested configuration and found some other problems.
After applying the changes to ldap.conf I found again that users could log on
only to workstations that already had their profile on them (i.e. PCs where they
had already logged on in the past).
I also discovered the following things:

If I use the command "wbinfo -u" I get the following answer:
"Error looking up domain users"

With "smbldap-userlist" I get only the user that I previously created with
"smbldap-useradd" and none of those imported with pdbedit.
The LDAP attributes of the users in these two categories are quite different and I
think that this is the reason.

Users still must be present in the /etc/passwd file to log on to a network PC.

With the smbldap-useradd command I cannot add a user already imported with pdbedit
(obviously because the username is already present in the LDAP structure):
"failed to add entry: Already exists at /usr/sbin/smbldap-useradd line 354."
I also cannot change the password of, delete or modify the same user.

If I change the password for a user (imported with pdbedit) with the passwd command,
he can't log on to his PC with the new or the old password until I reset the password
to the old value.

There's a Linux file server defined as ROLE_STANDALONE and "joined" to the
domain where new users (created with smbldap-useradd) can't connect while older
ones (imported with pdbedit) can.
The one small difference I've found in this server's smb.conf is that the
workgroup value is all UPPERCASE.

I think that this covers most of the problems that I cannot understand. Maybe they
are all generated by the same thing, but I don't know where to begin
troubleshooting this problem.
Here you will find some configuration files from my Linux PDC:

/etc/pam.conf is empty

# /etc/pam.d/samba
@include common-auth
@include common-account
@include common-session

# /etc/pam.d/login
auth requisite pam_securetty.so
auth requisite pam_nologin.so
session required pam_selinux.so close
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth optional pam_group.so
session required pam_limits.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard
@include common-account
@include common-session
@include common-password
session required pam_selinux.so open

# /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

ldap.conf contains the following directives:
nss_base_passwd        ou=Users,dc=domain,dc=it?one
nss_base_passwd        ou=Computers,dc=domain,dc=it?one
nss_base_shadow        ou=Users,dc=domain,dc=it?one
nss_base_group         ou=Groups,dc=domain,dc=it?one

If you want I can also post an extract from the slapcat output to show the
differences in the LDAP definitions between users created with smbldap-useradd and
those imported with pdbedit.


dogbert at infinito.it wrote:
> Miguel Medalha wrote:
>> Based on your smb.conf, you must have the following entries in 
>> /etc/ldap.conf
>> nss_base_passwd        ou=Users,dc=DOMAIN,dc=IT?one
>> nss_base_passwd        ou=Computers,dc=DOMAIN,dc=IT?one
>> nss_base_shadow        ou=Users,dc=DOMAIN,dc=IT?one
>> nss_base_group         ou=Groups,dc=DOMAIN,dc=IT?one
> Hi,
> I've tried this configuration and I still have some problems.
> Trying to connect with a user created only in LDAP (smbldap-useradd) I get
> the following error in the samba log:
> [2009/05/19 10:59:30,  0] passdb/pdb_get_set.c:pdb_get_group_sid(210)
>   pdb_get_group_sid: Failed to find Unix account for utentest
> [2009/05/19 10:59:30,  0] auth/auth_sam.c:check_sam_security(355)
>   check_sam_security: make_server_info_sam() failed with
> [2009/05/19 10:59:30,  0] passdb/pdb_get_set.c:pdb_get_group_sid(210)
>   pdb_get_group_sid: Failed to find Unix account for utentest
> If I try to connect with a user that exists in both LDAP and the /etc/passwd
> file I cannot get it to authenticate (error: user is invalid or bad
> password) but I don't get any log in the samba files.
> I can't understand what's wrong with this installation.
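The poster offers to share slapcat output showing how the two kinds of entry differ, and the quoted "Failed to find Unix account" error is what Samba's ldapsam backend logs when it knows about an account that NSS cannot resolve. The script below, an added example that is not code from this thread, from Samba or from smbldap-tools, parses such an LDIF dump and reports, per uid, which object classes and attributes are missing for the entry to be usable by both nss_ldap (posixAccount with uidNumber, gidNumber, homeDirectory, loginShell) and ldapsam (sambaSID, sambaPrimaryGroupSID, sambaAcctFlags), and can list the attributes one user entry has that another lacks. The embedded LDIF is constructed for the example; the shape of the two entries, the SIDs and the required-attribute lists are assumptions about what a smbldap-useradd user and a pdbedit-imported user typically look like, not data from the poster's directory.

```python
"""ldapsam_check.py: flag LDAP user entries that nss_ldap or Samba's ldapsam cannot use.

Added example, not code from the original thread, Samba or smbldap-tools.
SAMPLE_LDIF is constructed; the entry shapes, SIDs and the required
attribute lists below are assumptions, not the poster's real data.
"""
import base64
import re
import sys

# Assumed: what nss_ldap needs to resolve the entry as a Unix account.
POSIX_REQUIRED = ("uidNumber", "gidNumber", "homeDirectory", "loginShell")
# Assumed: what the ldapsam backend needs to treat the entry as a domain account.
SAMBA_REQUIRED = ("sambaSID", "sambaPrimaryGroupSID", "sambaAcctFlags")

SAMPLE_LDIF = """\
# constructed sample, not real slapcat output
dn: ou=Users,dc=domain,dc=it
objectClass: organizationalUnit
ou: Users

dn: uid=utentest,ou=Users,dc=domain,dc=it
objectClass: top
objectClass: posixAccount
objectClass: sambaSamAccount
cn: utentest
uid: utentest
uidNumber: 1001
gidNumber: 513
homeDirectory: /home/utentest
loginShell: /bin/bash
sambaSID: S-1-5-21-1-2-3-3002
sambaPrimaryGroupSID: S-1-5-21-1-2-3-513
sambaAcctFlags: [U          ]

dn: uid=oldusr,ou=Users,dc=domain,dc=it
objectClass: top
objectClass: account
objectClass: sambaSamAccount
uid: oldusr
sambaSID: S-1-5-21-1-2-3-2002
sambaPrimaryGroupSID: S-1-5-21-1-2-3-513
sambaAcctFlags: [U          ]
displayName:: b2xkIHVzZXI=
"""

ATTR_RE = re.compile(r"^([A-Za-z][\w;.-]*)(::?)\s*(.*)$")


def parse_ldif(text):
    """Return a list of entries, each {lowercased attribute: [values]}.

    Folded continuation lines (leading space) are joined, '::' values are
    base64-decoded, and comment and 'version:' lines are skipped.
    """
    entries, current = [], {}
    for line in re.sub(r"\n ", "", text).splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        m = ATTR_RE.match(line)
        if not m:
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        current.setdefault(attr.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def problems(entry):
    """List what the entry lacks to be usable by both nss_ldap and ldapsam."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    found = []
    if "posixaccount" not in classes:
        found.append("no posixAccount objectClass (nss_ldap cannot resolve it)")
    if "sambasamaccount" not in classes:
        found.append("no sambaSamAccount objectClass (ldapsam will not see it)")
    for attr in POSIX_REQUIRED + SAMBA_REQUIRED:
        if attr.lower() not in entry:
            found.append("missing " + attr)
    return found


def report(ldif_text):
    """Map uid -> list of problems for every entry that carries a uid."""
    return {e["uid"][0]: problems(e) for e in parse_ldif(ldif_text) if "uid" in e}


def attribute_diff(ldif_text, uid_a, uid_b):
    """Attribute names present on one user entry but not on the other."""
    by_uid = {e["uid"][0]: e for e in parse_ldif(ldif_text) if "uid" in e}
    a, b = set(by_uid[uid_a]), set(by_uid[uid_b])
    return sorted(a - b), sorted(b - a)


if __name__ == "__main__":
    # Usage: slapcat > dump.ldif; python3 ldapsam_check.py dump.ldif
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for uid, found in report(text).items():
        print(uid, "OK" if not found else "; ".join(found))
```

Run against a real dump, an entry that prints "no posixAccount objectClass" is one that getent passwd will not return through nss_ldap, so the account only works on hosts where it also exists in /etc/passwd; comparing such an entry with a smbldap-useradd one via attribute_diff shows exactly which attributes would have to be added before the two kinds of user behave the same way.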
