[Samba] Problem adding new users after upgrade to 3.4.0

Gaiseric Vandal gaiseric.vandal at gmail.com
Thu Jul 14 15:52:18 MDT 2011


On 07/14/2011 04:31 PM, Ben Sigman wrote:
> On Jul 14, 2011, at 7:13 AM, Gaiseric Vandal wrote:
>
>> On 07/14/2011 01:21 AM, Ben Sigman wrote:
>>> After upgrading to 3.4.0, I can no longer add new users. Any users 
>>> that were added beforehand work fine. Any users that I attempt to 
>>> create cannot login (error: NT_STATUS_LOGON_FAILURE). I was able to 
>>> get one new user account to work (see below), but I cannot add any 
>>> new users.
>>>
>>> The server is Ubuntu 9.10 running Samba 3.4.0.
>>>
>>> I am using:
>>>
>>> security = user
>>> pam password change = yes
>>>
>>> Updating passwords for existing users using passwd successfully 
>>> updates on smbpass (auth.log):
>>>
>>> Jul 13 21:19:05 server passwd[3026]: pam_smbpass(passwd:chauthtok): 
>>> password for (smbuser/1001) changed by (root/0)
>>>
>>> ...And authentication over smb works (auth.log):
>>>
>>> Jul 13 21:42:53 server smbd[3684]: pam_unix(samba:session): session 
>>> opened for user ben by (uid=0)
>>>
>>> ...In samba.log:
>>>
>>> [2011/07/13 21:42:53,  4] auth/auth_sam.c:137(sam_account_ok)
>>>   sam_account_ok: Checking SMB password for user smbuser
>>> [2011/07/13 21:42:53,  5] auth/auth.c:297(check_ntlm_password)
>>>   check_ntlm_password:  PAM Account for user [ben] succeeded
>>>
>>> However, if I do:
>>>
>>> smbpasswd -x user
>>> Failed to find entry for user smbuser.
>>>
>>> If I add a new user using:
>>>
>>> useradd newuser
>>> passwd newuser
>>> smbpasswd -a newuser
>>>
>>> This appears in auth.log:
>>> Jul 13 21:20:07 server passwd[3033]: pam_smbpass(passwd:chauthtok): 
>>> Failed to find entry for user newuser.
>>>
>>> And if I attempt to authenticate (samba.log):
>>>
>>> [2011/07/13 21:50:11,  3] auth/auth_sam.c:282(check_sam_security)
>>>   check_sam_security: Couldn't find user 'newuser' in passdb.
>>> [2011/07/13 21:50:11,  5] auth/auth.c:274(check_ntlm_password)
>>>   check_ntlm_password: sam authentication for user [newuser] FAILED 
>>> with error NT_STATUS_NO_SUCH_USER
>>> [2011/07/13 21:50:11,  2] auth/auth.c:320(check_ntlm_password)
>>>   check_ntlm_password:  Authentication for user [newuser] -> 
>>>  [newuser] FAILED with error NT_STATUS_NO_SUCH_USER
>>>
>>> Now... Here's where it gets interesting. At this point, I converted 
>>> my smbpasswd containing newuser to tdb...:
>>> pdbedit -i smbpasswd -e tdbsam
>>> ...the account newuser now authenticates over SMB. However, adding 
>>> any other new users is still not working.
>>>
>>> I have attempted to repeat the steps described above for adding a 
>>> user and then converting smbpasswd to tdb again, but to no avail.
>>>
>>> I have not defined passdb backend in smb.conf.
>>>
>>> Anyone know what could be causing this?
>>>
>>>
>> Did you check the output of "testparm -v" to make sure the password 
>> backend and password file is where you expect it to be?
>>
>> Did you try adding a user with "pdbedit" instead?
>>
>> Can you type "which smbpasswd" "which pdbedit" etc -  I suspect you 
>> are using "smbpasswd" command from the "old" version of samba.
>>
>
> Thanks for the reply. You're right, the documentation I had read said 
> that smbpasswd would work with the new tdb backend. Can I not use it?
>
> For now, here are the outputs you requested:
>
> From testparm:
>
> passdb backend = tdbsam
> idmap backend = tdb
> idmap alloc backend =
>
>
> From which:
>
> /usr/bin/pdbedit
> /usr/bin/smbpasswd
>
>
> Maybe this will help, smbuser is a new user on my system who cannot 
> authenticate over SMB. When I try to use smbpasswd  -a -D10 smbuser I 
> get an error in the middle of the output that says:
>
>     Get_Pwnam_internals did find user [smbuser]!
>
>
> Here is the full output:
>
>     [root@server:/]# smbpasswd -a -D10 smbuser    (07-14 13:26)
>     Netbios name list:-
>     my_netbios_names[0]="SERVER"
>     Attempting to register passdb backend ldapsam
>     Successfully added passdb backend 'ldapsam'
>     Attempting to register passdb backend ldapsam_compat
>     Successfully added passdb backend 'ldapsam_compat'
>     Attempting to register passdb backend NDS_ldapsam
>     Successfully added passdb backend 'NDS_ldapsam'
>     Attempting to register passdb backend NDS_ldapsam_compat
>     Successfully added passdb backend 'NDS_ldapsam_compat'
>     Attempting to register passdb backend smbpasswd
>     Successfully added passdb backend 'smbpasswd'
>     Attempting to register passdb backend tdbsam
>     Successfully added passdb backend 'tdbsam'
>     Attempting to register passdb backend wbc_sam
>     Successfully added passdb backend 'wbc_sam'
>     Attempting to find a passdb backend to match tdbsam (tdbsam)
>     Found pdb backend tdbsam
>     pdb backend tdbsam has a valid init
>     New SMB password:
>     Retype new SMB password:
>     tdbsam_open: successfully opened /etc/samba/passdb.tdb
>     pdb_set_username: setting username smbuser, was
>     pdb_set_domain: setting domain SERVER, was
>     pdb_set_nt_username: setting nt username , was
>     pdb_set_full_name: setting full name , was
>     pdb_set_homedir: setting home dir \\server\homes\%u, was
>     pdb_set_dir_drive: setting dir drive m:, was NULL
>     Finding user smbuser
>     Trying _Get_Pwnam(), username as lowercase is smbuser
>     Get_Pwnam_internals did find user [smbuser]!
>     pdb_set_logon_script: setting logon script users.bat, was
>     pdb_set_profile_path: setting profile path \\server\profiles\%u, was
>     pdb_set_workstations: setting workstations , was
>     account_policy_get: name: password history, val: 0
>     pdb_set_user_sid: setting user sid
>     S-1-5-21-115255976-287349760-2125325791-1011
>     pdb_set_user_sid_from_rid:
>     setting user sid S-1-5-21-115255976-287349760-2125325791-1011 from
>     rid 1011
>     account_policy_get: name: maximum password age, val: -1
>     Finding user smbuser
>     Trying _Get_Pwnam(), username as lowercase is smbuser
>     Get_Pwnam_internals did find user [smbuser]!
>     account_policy_get: name: password history, val: 0
>     pdb_set_username: setting username smbuser, was
>     pdb_set_domain: setting domain SERVER, was
>     pdb_set_nt_username: setting nt username , was
>     pdb_set_full_name: setting full name , was
>     pdb_set_homedir: setting home dir \\server\homes\%u, was
>     pdb_set_dir_drive: setting dir drive m:, was NULL
>     Finding user smbuser
>     Trying _Get_Pwnam(), username as lowercase is smbuser
>     Get_Pwnam_internals did find user [smbuser]!
>     pdb_set_logon_script: setting logon script users.bat, was
>     pdb_set_profile_path: setting profile path \\server\profiles\%u, was
>     pdb_set_workstations: setting workstations , was
>     account_policy_get: name: password history, val: 0
>     pdb_set_user_sid: setting user sid
>     S-1-5-21-115255976-287349760-2125325791-1011
>     pdb_set_user_sid_from_rid:
>     setting user sid S-1-5-21-115255976-287349760-2125325791-1011 from
>     rid 1011
>     account_policy_get: name: password history, val: 0
>     pdb_set_username: setting username smbuser, was
>     pdb_set_domain: setting domain SERVER, was
>     pdb_set_nt_username: setting nt username , was
>     pdb_set_full_name: setting full name , was
>     pdb_set_homedir: setting home dir \\server\homes\%u, was
>     pdb_set_dir_drive: setting dir drive m:, was NULL
>     Finding user smbuser
>     Trying _Get_Pwnam(), username as lowercase is smbuser
>     Get_Pwnam_internals did find user [smbuser]!
>     pdb_set_logon_script: setting logon script users.bat, was
>     pdb_set_profile_path: setting profile path \\server\profiles\%u, was
>     pdb_set_workstations: setting workstations , was
>     account_policy_get: name: password history, val: 0
>     pdb_set_user_sid: setting user sid
>     S-1-5-21-115255976-287349760-2125325791-1011
>     pdb_set_user_sid_from_rid:
>     setting user sid S-1-5-21-115255976-287349760-2125325791-1011 from
>     rid 1011
>     account_policy_get: name: maximum password age, val: -1
>     account_policy_get: name: password history, val: 0
>     Storing account smbuser with RID 1011
>     Locking key 555345525F736D627573
>     Allocated locked data 0x0x28ea050
>     Unlocking key 555345525F736D627573
>     tdb_update_sam: Updating key for RID 1011
>     Locking key 5249445F303030303033
>     Allocated locked data 0x0x28e6ad0
>     Unlocking key 5249445F303030303033
>
>

"testparm -v" should verify that samba is also using 
"/etc/samba/passdb.tdb" for the password file. You can use "tdbdump" 
to view the contents of that file.

Did you create the unix user first? Does that user exist in 
/etc/passwd? (assuming you are not using winbind to automatically 
create unix uids in an idmap tdb file.) Does "getent passwd" show the 
unix user?
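
The checks suggested in this reply, as an added shell example that is not part of the original message or of Samba: it reads saved output of `testparm -sv`, `getent passwd` and `pdbedit -L`, lists Unix accounts with no passdb entry, and decodes the hex `Locking key` values from the debug output above. The function names, the UID range and the sample data are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: offline helpers for the checks suggested in the reply.
# Feed them saved output of `testparm -sv`, `getent passwd` and `pdbedit -L`.

# Print the configured passdb backend from `testparm -sv` output on stdin.
passdb_backend() {
    sed -n 's/^[[:space:]]*passdb backend[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# List Unix accounts (min <= UID < 65534) with no entry in `pdbedit -L` output.
# $1 = file with `getent passwd` output, $2 = file with `pdbedit -L` output,
# $3 = minimum UID to consider (assumed default: 1000)
missing_from_passdb() {
    awk -F: -v min="${3:-1000}" '
        FILENAME == ARGV[1] { have[$1] = 1; next }   # names known to passdb
        $3 >= min && $3 < 65534 && !($1 in have) { print $1 }
    ' "$2" "$1"
}

# Decode a hex key as printed in the "Locking key ..." debug lines.
decode_tdb_key() {
    hex=$1 out=
    while [ -n "$hex" ]; do
        case $hex in ?) return 1 ;; esac      # odd number of hex digits
        pair=${hex%"${hex#??}"}                # first two hex digits
        hex=${hex#??}
        out=$out$(printf "\\$(printf '%03o' "$((0x$pair))")")
    done
    printf '%s\n' "$out"
}

# Constructed sample data, shaped like the outputs quoted in the thread.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'ben:x:1000:1000::/home/ben:/bin/bash' \
        'smbuser:x:1001:1001::/home/smbuser:/bin/sh' \
        'newuser:x:1002:1002::/home/newuser:/bin/sh' > "$tmp/passwd"
    printf '%s\n' 'ben:1000:' 'smbuser:1001:' > "$tmp/pdb"
    echo "backend: $(printf '\tpassdb backend = tdbsam\n' | passdb_backend)"
    echo "no passdb entry: $(missing_from_passdb "$tmp/passwd" "$tmp/pdb")"
    echo "lock keys: $(decode_tdb_key 555345525F736D627573)" \
         "$(decode_tdb_key 5249445F303030303033)"
    rm -rf "$tmp"
}
demo
```

The two lock keys from the debug output decode to `USER_smbus` and `RID_000003`, which line up with the account name smbuser and RID 1011 (hex 3f3) that the smbpasswd run reported storing.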