[Samba] Problem adding new users after upgrade to 3.4.0

Ben Sigman ben at rentageekla.com
Thu Jul 14 17:34:00 MDT 2011


On Jul 14, 2011, at 2:52 PM, Gaiseric Vandal wrote:

> On 07/14/2011 04:31 PM, Ben Sigman wrote:
>> 
>> On Jul 14, 2011, at 7:13 AM, Gaiseric Vandal wrote:
>> 
>>> On 07/14/2011 01:21 AM, Ben Sigman wrote:
>>>> After upgrading to 3.4.0, I can no longer add new users. Any users that were added beforehand work fine. Any users that I attempt to create cannot log in (error: NT_STATUS_LOGON_FAILURE). I was able to get one new user account to work (see below), but I cannot add any new users.
>>>> 
>>>> The server is Ubuntu 9.10 running Samba 3.4.0.
>>>> 
>>>> I am using:
>>>> 
>>>> security = user
>>>> pam password change = yes
>>>> 
>>>> Updating passwords for existing users using passwd successfully updates on smbpass (auth.log):
>>>> 
>>>> Jul 13 21:19:05 server passwd[3026]: pam_smbpass(passwd:chauthtok): password for (smbuser/1001) changed by (root/0)
>>>> 
>>>> ...And authentication over smb works (auth.log):
>>>> 
>>>> Jul 13 21:42:53 server smbd[3684]: pam_unix(samba:session): session opened for user ben by (uid=0)
>>>> 
>>>> ...In samba.log:
>>>> 
>>>> [2011/07/13 21:42:53,  4] auth/auth_sam.c:137(sam_account_ok)
>>>>   sam_account_ok: Checking SMB password for user smbuser
>>>> [2011/07/13 21:42:53,  5] auth/auth.c:297(check_ntlm_password)
>>>>   check_ntlm_password:  PAM Account for user [ben] succeeded
>>>> 
>>>> However, if I do:
>>>> 
>>>> smbpasswd -x user
>>>> Failed to find entry for user smbuser.
>>>> 
>>>> If I add a new user using:
>>>> 
>>>> useradd newuser
>>>> passwd newuser
>>>> smbpasswd -a newuser
>>>> 
>>>> This appears in auth.log:
>>>> Jul 13 21:20:07 server passwd[3033]: pam_smbpass(passwd:chauthtok): Failed to find entry for user newuser.
>>>> 
>>>> And if I attempt to authenticate (samba.log):
>>>> 
>>>> [2011/07/13 21:50:11,  3] auth/auth_sam.c:282(check_sam_security)
>>>>   check_sam_security: Couldn't find user 'newuser' in passdb.
>>>> [2011/07/13 21:50:11,  5] auth/auth.c:274(check_ntlm_password)
>>>>   check_ntlm_password: sam authentication for user [newuser] FAILED with error NT_STATUS_NO_SUCH_USER
>>>> [2011/07/13 21:50:11,  2] auth/auth.c:320(check_ntlm_password)
>>>>   check_ntlm_password:  Authentication for user [newuser] ->  [newuser] FAILED with error NT_STATUS_NO_SUCH_USER
>>>> 
>>>> Now... Here's where it gets interesting. At this point, I converted my smbpasswd containing newuser to tdb...:
>>>> pdbedit -i smbpasswd -e tdbsam
>>>> ...the account newuser now authenticates over SMB. However, adding any other new users is still not working.
>>>> 
>>>> I have attempted to repeat the steps described above for adding a user and then converting smbpasswd to tdb again, but to no avail.
>>>> 
>>>> I have not defined passdb backend in smb.conf.
>>>> 
>>>> Anyone know what could be causing this?
>>>> 
>>>> 
>>> Did you check the output of "testparm -v" to make sure the password backend and password file is where you expect it to be?
>>> 
>>> Did you try adding a user with "pdbedit" instead?
>>> 
>>> Can you type "which smbpasswd" "which pdbedit" etc -  I suspect you are using "smbpasswd" command from the "old" version of samba.
>>> 
>> 
>> Thanks for the reply. You're right, the documentation I had read said that smbpasswd would work with the new tdb backend. Can I not use it?
>> 
>> For now, here are the outputs you requested:
>> 
>> From testparm:
>> 
>>  passdb backend = tdbsam
>>  idmap backend = tdb
>>  idmap alloc backend = 
>> 
>> 
>> From which:
>> 
>> /usr/bin/pdbedit
>> /usr/bin/smbpasswd
>> 
>> 
>> Maybe this will help, smbuser is a new user on my system who cannot authenticate over SMB. When I try to use smbpasswd  -a -D10 smbuser I get an error in the middle of the output that says: 
>> 
>> Get_Pwnam_internals did find user [smbuser]!
>> 
>> Here is the full output:
>> 
>> [root at server:/]# smbpasswd -a -D10 smbuser                                                                                                                                                                   (07-14 13:26)
>> Netbios name list:-
>> my_netbios_names[0]="SERVER"
>> Attempting to register passdb backend ldapsam
>> Successfully added passdb backend 'ldapsam'
>> Attempting to register passdb backend ldapsam_compat
>> Successfully added passdb backend 'ldapsam_compat'
>> Attempting to register passdb backend NDS_ldapsam
>> Successfully added passdb backend 'NDS_ldapsam'
>> Attempting to register passdb backend NDS_ldapsam_compat
>> Successfully added passdb backend 'NDS_ldapsam_compat'
>> Attempting to register passdb backend smbpasswd
>> Successfully added passdb backend 'smbpasswd'
>> Attempting to register passdb backend tdbsam
>> Successfully added passdb backend 'tdbsam'
>> Attempting to register passdb backend wbc_sam
>> Successfully added passdb backend 'wbc_sam'
>> Attempting to find a passdb backend to match tdbsam (tdbsam)
>> Found pdb backend tdbsam
>> pdb backend tdbsam has a valid init
>> New SMB password:
>> Retype new SMB password:
>> tdbsam_open: successfully opened /etc/samba/passdb.tdb
>> pdb_set_username: setting username smbuser, was 
>> pdb_set_domain: setting domain SERVER, was 
>> pdb_set_nt_username: setting nt username , was 
>> pdb_set_full_name: setting full name , was 
>> pdb_set_homedir: setting home dir \\server\homes\%u, was 
>> pdb_set_dir_drive: setting dir drive m:, was NULL
>> Finding user smbuser
>> Trying _Get_Pwnam(), username as lowercase is smbuser
>> Get_Pwnam_internals did find user [smbuser]!
>> pdb_set_logon_script: setting logon script users.bat, was 
>> pdb_set_profile_path: setting profile path \\server\profiles\%u, was 
>> pdb_set_workstations: setting workstations , was 
>> account_policy_get: name: password history, val: 0
>> pdb_set_user_sid: setting user sid S-1-5-21-115255976-287349760-2125325791-1011
>> pdb_set_user_sid_from_rid:
>> 	setting user sid S-1-5-21-115255976-287349760-2125325791-1011 from rid 1011
>> account_policy_get: name: maximum password age, val: -1
>> Finding user smbuser
>> Trying _Get_Pwnam(), username as lowercase is smbuser
>> Get_Pwnam_internals did find user [smbuser]!
>> account_policy_get: name: password history, val: 0
>> pdb_set_username: setting username smbuser, was 
>> pdb_set_domain: setting domain SERVER, was 
>> pdb_set_nt_username: setting nt username , was 
>> pdb_set_full_name: setting full name , was 
>> pdb_set_homedir: setting home dir \\server\homes\%u, was 
>> pdb_set_dir_drive: setting dir drive m:, was NULL
>> Finding user smbuser
>> Trying _Get_Pwnam(), username as lowercase is smbuser
>> Get_Pwnam_internals did find user [smbuser]!
>> pdb_set_logon_script: setting logon script users.bat, was 
>> pdb_set_profile_path: setting profile path \\server\profiles\%u, was 
>> pdb_set_workstations: setting workstations , was 
>> account_policy_get: name: password history, val: 0
>> pdb_set_user_sid: setting user sid S-1-5-21-115255976-287349760-2125325791-1011
>> pdb_set_user_sid_from_rid:
>> 	setting user sid S-1-5-21-115255976-287349760-2125325791-1011 from rid 1011
>> account_policy_get: name: password history, val: 0
>> pdb_set_username: setting username smbuser, was 
>> pdb_set_domain: setting domain SERVER, was 
>> pdb_set_nt_username: setting nt username , was 
>> pdb_set_full_name: setting full name , was 
>> pdb_set_homedir: setting home dir \\server\homes\%u, was 
>> pdb_set_dir_drive: setting dir drive m:, was NULL
>> Finding user smbuser
>> Trying _Get_Pwnam(), username as lowercase is smbuser
>> Get_Pwnam_internals did find user [smbuser]!
>> pdb_set_logon_script: setting logon script users.bat, was 
>> pdb_set_profile_path: setting profile path \\server\profiles\%u, was 
>> pdb_set_workstations: setting workstations , was 
>> account_policy_get: name: password history, val: 0
>> pdb_set_user_sid: setting user sid S-1-5-21-115255976-287349760-2125325791-1011
>> pdb_set_user_sid_from_rid:
>> 	setting user sid S-1-5-21-115255976-287349760-2125325791-1011 from rid 1011
>> account_policy_get: name: maximum password age, val: -1
>> account_policy_get: name: password history, val: 0
>> Storing account smbuser with RID 1011
>> Locking key 555345525F736D627573
>> Allocated locked data 0x0x28ea050
>> Unlocking key 555345525F736D627573
>> tdb_update_sam: Updating key for RID 1011
>> Locking key 5249445F303030303033
>> Allocated locked data 0x0x28e6ad0
>> Unlocking key 5249445F303030303033
>> 
> 
> "testparm -v" should verify that samba is also using "/etc/samba/passdb.tdb" for the password file.    You can use "tdbdump" to view the contents of that file. 
> 
> Did you create the unix user first?  Does that user exist in /etc/passwd?   (assuming you are not using winbind to automatically create unix uid's in an idmap tdb file.)  Does "getent passwd" show the unix user?
> 

You might be on to something! 

testparm -v|grep pass:

	encrypt passwords = Yes
	null passwords = No
	password server = *
	smb passwd file = /etc/samba/smbpasswd
	passdb backend = tdbsam
	pam password change = Yes
	passwd program = /usr/bin/passwd '%u'
	passwd chat = *New*password* %n\n *ReType*new*password* %n\n *passwd*changed*\n
	passwd chat debug = Yes
	passwd chat timeout = 120
	check password script = 
	password level = 20
	unix password sync = Yes
	machine password timeout = 120
	ldap passwd sync = no
	passdb expand explicit = No


tdbdump of passdb contains the user:

key(13) = "USER_smbuser\00"
data(186) = "\00\00\00\00\FF\FF\FF\7F\FF\FF\FF\7F\00\00\00\007Q\1FN\00\00\00\00\FF\FF\FF\7F\08\00\00\00smbuser\00\07\00\00\00SERVER\00\01\00\00\00\00\01\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\01\00\00\00\00\01\00\00\00\00\00\00\00\00\01\00\00\00\00\F3\03\00\00\01\02\00\00\00\00\00\00\10\00\00\00- \D2R\A4y\F4\85\CD\F5\E1q\D99\85\BF\00\00\00\00\10\00\00\00\A8\00\15\00\00\00 \00\00\00\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\FF\00\00\00\00\00\00\00\00\00\00\00\00\00\00\00\EC\04\00\00"
}
{
key(13) = "INFO/version\00"
data(4) = "\04\00\00\00"
}
{
key(13) = "RID_000003f3\00"
data(8) = "smbuser\00"
}


Yes, the user is in /etc/passwd, and I do add the Linux user first. getent passwd shows:

	smbuser:x:1020:100::/home/smbuser:/bin/sh
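
The cross-check discussed in this thread (the `tdbdump` listing of passdb.tdb compared against `getent passwd`) can be scripted. The following is an added example, not part of the original message or of Samba; the function names `parse_tdbdump` and `audit` are hypothetical, and the sample inputs are constructed in the shape of the outputs quoted above.

```python
import re

# Constructed sample inputs, shaped like the tdbdump and getent output in the thread.
TDBDUMP = r'''{
key(13) = "USER_smbuser\00"
data(186) = "\00\00\00\00\FF\FF\FF\7F"
}
{
key(13) = "INFO/version\00"
data(4) = "\04\00\00\00"
}
{
key(13) = "RID_000003f3\00"
data(8) = "smbuser\00"
}
'''
GETENT = """smbuser:x:1020:100::/home/smbuser:/bin/sh
newuser:x:1021:100::/home/newuser:/bin/sh
"""

# A key line followed by its data line; braces are ignored so a listing
# whose first "{" was cut off (as in the message above) still parses.
REC = re.compile(r'key\(\d+\) = "(.*)"\ndata\(\d+\) = "(.*)"')

def strip_nul(s):
    # tdbdump prints the trailing NUL byte of a key or value as the text \00
    return s[:-3] if s.endswith("\\00") else s

def parse_tdbdump(text):
    """Return (set of USER_ account names, {rid: name} from the RID_ index)."""
    users, rids = set(), {}
    for key, data in REC.findall(text):
        key = strip_nul(key)
        if key.startswith("USER_"):
            users.add(key[len("USER_"):])
        elif key.startswith("RID_"):
            rids[int(key[len("RID_"):], 16)] = strip_nul(data)
    return users, rids

def audit(tdbdump_text, getent_text, min_uid=1000):
    """Compare passdb accounts with unix accounts (uid >= min_uid, an assumption)."""
    users, rids = parse_tdbdump(tdbdump_text)
    fields = (line.split(":") for line in getent_text.splitlines() if line)
    unix = {f[0] for f in fields if int(f[2]) >= min_uid}
    return {
        "unix_only": sorted(unix - users),    # these get NT_STATUS_NO_SUCH_USER
        "passdb_only": sorted(users - unix),  # SMB account without a unix user
        "no_rid_index": sorted(users - set(rids.values())),
        "rids": rids,
    }
```

On a live server the two arguments would be the captured output of `tdbdump /etc/samba/passdb.tdb` and `getent passwd`.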



