[Samba] BDC and ldap set-up problem
Dermot
paikkos at googlemail.com
Wed Jun 15 11:09:41 MDT 2011
Hi,
I could use some confirmation on my approach to configuring my BDC. I
want the user to be able to access shares on the BDC and have their
domain credentials stamped on any files they create. I do not want to
add domain users to the /etc/passwd file. At the moment users can
authenticate onto the domain but once they try and access a share on
the BDC, these XP users get a dialogue box asking for a login. The log
for the machine reads:
[2011/06/15 17:07:11.827697, 1] auth/auth_util.c:580(make_server_info_sam)
User djohn in passdb, but getpwnam() fails!
[2011/06/15 17:07:11.827841, 0] auth/auth_sam.c:493(check_sam_security)
check_sam_security: make_server_info_sam() failed with
'NT_STATUS_NO_SUCH_USER'
[2011/06/15 17:07:11.834014, 1] auth/auth_util.c:580(make_server_info_sam)
User djohn in passdb, but getpwnam() fails!
[2011/06/15 17:07:11.834088, 0] auth/auth_sam.c:493(check_sam_security)
check_sam_security: make_server_info_sam() failed with
'NT_STATUS_NO_SUCH_USER'
At the same time on the ldap master (PDC) I see a search request
arrive for the same user and a successful response:
Jun 15 17:04:03 rigel slapd[648]: conn=2838 op=3 SEARCH RESULT tag=101
err=0 nentries=1 text=
Jun 15 17:04:03 rigel slapd[648]: conn=2838 op=4 SRCH
base="dc=example,dc=com" scope=2 deref=0
filter="(&(uid=djohn)(objectClass=sambaSamAccount))"
Jun 15 17:04:03 rigel slapd[648]: conn=2838 op=4 SRCH attr=uid
uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
sn displayName sambaHomeDrive sambaHomePath sambaLogonScript
sambaProfilePath description sambaUserWorkstations sambaSID
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
sambaBadPasswordTime sambaPasswordHistory modifyTimestamp
sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory
loginShell gecos
Jun 15 17:04:03 rigel slapd[648]: conn=2838 op=4 SEARCH RESULT tag=101
err=0 nentries=1 text=
Jun 15 17:04:03 rigel slapd[648]: conn=2838 fd=18 closed (connection lost)
The odd thing is this BDC is also in a replication system with the PDC
so it shouldn't need to forward the query.
I thought that if I had added ldap to the nsswitch.conf for the passwd
and group items, then ldap would be used when the domain users failed
to be retrieved from the passwd file.
The bigger confusion is around the configuration. Should I be able to
use an ldap backend and get the domain user's credentials when they
access a share?
I have tried to follow the instructions from
http://wiki.samba.org/index.php/Samba_%26_LDAP#Let_Samba_use_LDAP The
PAM section doesn't match my distro and I don't see any mention of
ldap in /etc/security/*
Can anyone help iron out some of the creases in my set-up?
Thanks,
Dermot.
==== BDC conf =====
[global]
unix charset = LOCALE
workgroup = MINE
server string = SMB Server
netbios name = antares
security = user # tried this as domain but it still fails
# hosts allow =
load printers = no
; printcap name = /etc/printcap
; printcap name = lpstat
; printing = cups
cups options = raw
; guest account = pcguest
log file = /var/log/samba/%m.log
log level = 1
syslog = 0
max log size = 50
name resolve order = wins bcast hosts
printcap name = CUPS
show add printer wizard = no
domain master = no
# passdb backend = ldapsam:ldap://127.0.0.1
passdb backend = ldapsam:"ldap://127.0.0.1:389 ldap://rigel.example.com:389"
ldap passwd sync = yes
ldapsam:trusted = yes
ldapsam:editposix = yes
domain logons = yes
os level = 63
logon script = login.bat
logon path =
wins server = rigel.example.com
ldap ssl = off
client ldap sasl wrapping = plain
ldap suffix = dc=example,dc=com
ldap machine suffix = ou=Computers, ou=Users
ldap user suffix = ou=Users
ldap group suffix = ou=Group
ldap idmap suffix = ou=idmap
ldap admin dn = cn=admin,dc=example,dc=com
utmp = Yes
idmap backend = ldap://rigel.example.com
idmap uid = 15000-20000
idmap gid = 15000-20000
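The log line "User djohn in passdb, but getpwnam() fails!" separates the two halves of the problem: Samba's passdb (the ldapsam backend) finds the account, but the operating system's NSS lookup of the same name does not, so the session cannot be mapped to a Unix uid. The script below is an added diagnostic, not part of the original post or of Samba, that checks those two halves separately: whether nsswitch.conf really lists ldap for the passwd and group databases, and whether getent(1) can resolve the user through the same NSS path Samba's getpwnam() call goes through. The nsswitch.conf text used for the self-test is constructed; the user name and file path are taken from the command line.

```shell
#!/bin/sh
# Added example (not from the original post): diagnose the
# "User X in passdb, but getpwnam() fails!" symptom by checking the NSS
# side independently of Samba. Assumes a standard nsswitch.conf layout
# and that getent(1) is installed.

# Print the source list configured for one nsswitch database.
# $1 = database name (passwd, group, ...), $2 = nsswitch.conf contents.
nss_sources() {
    printf '%s\n' "$2" | awk -v db="$1" '
        $0 !~ /^[ \t]*#/ && $1 == (db ":") {
            out = ""
            for (i = 2; i <= NF; i++) out = out (i > 2 ? " " : "") $i
            print out
            exit
        }'
}

# Return 0 if "ldap" is among the sources for database $1 in text $2.
nss_has_ldap() {
    for src in $(nss_sources "$1" "$2"); do
        [ "$src" = "ldap" ] && return 0
    done
    return 1
}

# Resolve a user through NSS, the same path Samba's getpwnam() uses.
# Exit status is getent's: 0 when found, 2 when the name is unknown.
nss_lookup_user() {
    getent passwd "$1"
}

# Report which half is broken for user $1, reading nsswitch.conf from $2
# (default /etc/nsswitch.conf).
diagnose() {
    user=$1
    nss_file=${2:-/etc/nsswitch.conf}
    nss_text=$(cat "$nss_file")
    for db in passwd group; do
        if nss_has_ldap "$db" "$nss_text"; then
            echo "$db: ldap listed (sources: $(nss_sources "$db" "$nss_text"))"
        else
            echo "$db: ldap NOT listed (sources: $(nss_sources "$db" "$nss_text"))"
        fi
    done
    if nss_lookup_user "$user" >/dev/null 2>&1; then
        echo "getpwnam($user) via NSS: OK -> $(nss_lookup_user "$user")"
    else
        echo "getpwnam($user) via NSS: FAILS; Samba would report NT_STATUS_NO_SUCH_USER"
    fi
}

# Constructed sample nsswitch.conf contents, used only for offline testing.
SAMPLE_NSS='# constructed sample
passwd:     files ldap
group:      files ldap
shadow:     files
hosts:      files dns'

# Usage: sh nsscheck.sh djohn [/etc/nsswitch.conf]
if [ $# -gt 0 ]; then
    diagnose "$@"
fi
```

Run it on the BDC as `sh nsscheck.sh djohn`. If nsswitch lists ldap for passwd and group but getent still fails, the break is between NSS and the directory (the nss_ldap/nslcd client configuration, or the entry lacking the posixAccount attributes uidNumber, gidNumber, homeDirectory and loginShell that the slapd log shows Samba requesting); if getent succeeds, NSS is fine and the problem is on the Samba side.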