[Samba] BDC and ldap set-up problem
Gaiseric Vandal
gaiseric.vandal at gmail.com
Wed Jun 15 11:56:42 MDT 2011
The smb.conf looks correct
On the BDC, does "pdbedit -L" show you all your domain users?
On the BDC, does "getent passwd" show you all your users?
I use ldap for both samba and unix backends, so "pdbedit -Lv" and "getent
passwd" show me the same output for my domain users and local unix
users. I don't need to use winbind/idmap to keep unix uid's and gid's
consistent.
On the BDC, did you ever join the domain? ("net join....")
On 06/15/2011 01:09 PM, Dermot wrote:
> Hi,
>
> I could use some confirmation on my approach to configuring my BDC. I
> want the user to be able to access shares on the BDC and have their
> domain credentials stamped on any files they create. I do not want to
> add domain users to the /etc/passwd file. At the moment users can
> authenticate onto the domain but once they try and access a share on
> the BDC, these XP users get a dialogue box asking for a login. The log
> for the machine reads:
>
> [2011/06/15 17:07:11.827697, 1] auth/auth_util.c:580(make_server_info_sam)
> User djohn in passdb, but getpwnam() fails!
> [2011/06/15 17:07:11.827841, 0] auth/auth_sam.c:493(check_sam_security)
> check_sam_security: make_server_info_sam() failed with
> 'NT_STATUS_NO_SUCH_USER'
> [2011/06/15 17:07:11.834014, 1] auth/auth_util.c:580(make_server_info_sam)
> User djohn in passdb, but getpwnam() fails!
> [2011/06/15 17:07:11.834088, 0] auth/auth_sam.c:493(check_sam_security)
> check_sam_security: make_server_info_sam() failed with
> 'NT_STATUS_NO_SUCH_USER'
>
> At the same time on the ldap master (PDC) I see a search request
> arrive for the same user and a successful response:
>
> Jun 15 17:04:03 rigel slapd[648]: conn=2838 op=3 SEARCH RESULT tag=101
> err=0 nentries=1 text=
> Jun 15 17:04:03 rigel slapd[648]: conn=2838 op=4 SRCH
> base="dc=example,dc=com" scope=2 deref=0
> filter="(&(uid=djohn)(objectClass=sambaSamAccount))"
> Jun 15 17:04:03 rigel slapd[648]: conn=2838 op=4 SRCH attr=uid
> uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
> sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
> sn displayName sambaHomeDrive sambaHomePath sambaLogonScript
> sambaProfilePath description sambaUserWorkstations sambaSID
> sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
> objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
> sambaBadPasswordTime sambaPasswordHistory modifyTimestamp
> sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory
> loginShell gecos
> Jun 15 17:04:03 rigel slapd[648]: conn=2838 op=4 SEARCH RESULT tag=101
> err=0 nentries=1 text=
> Jun 15 17:04:03 rigel slapd[648]: conn=2838 fd=18 closed (connection lost)
>
> The odd thing is this BDC is also in a replication system with the PDC
> so it shouldn't need to forward the query.
>
> I thought that if I had added ldap to the nsswitch.conf for the passwd
> and group items, then ldap would be used when the domain users failed
> to be retrieved from the passwd file.
>
> The bigger confusion is around the configuration. Should I be able to
> use an ldap backend and get the domain user's credentials when they
> access a share?
>
> I have tried to follow the instructions from
> http://wiki.samba.org/index.php/Samba_%26_LDAP#Let_Samba_use_LDAP The
> PAM section doesn't match my distro and I ain't see any mention of
> ldap in /etc/security/*
>
> Can anyone help iron out some of the creases in my set-up?
> Thanks,
> Dermot.
>
>
>
> ==== BDC conf =====
>
> [global]
> unix charset = LOCALE
> workgroup = MINE
> server string = SMB Server
> netbios name = antares
> security = user # tried this as domain but it still fails
> # hosts allow =
>
> load printers = no
> ; printcap name = /etc/printcap
> ; printcap name = lpstat
> ; printing = cups
> cups options = raw
> ; guest account = pcguest
> log file = /var/log/samba/%m.log
> log level = 1
> syslog = 0
> max log size = 50
> name resolve order = wins bcast hosts
> printcap name = CUPS
> show add printer wizard = no
> domain master = no
> # passdb backend = ldapsam:ldap://127.0.0.1
> passdb backend = ldapsam:"ldap://127.0.0.1:389 ldap://rigel.example.com:389"
> ldap passwd sync = yes
> ldapsam:trusted = yes
> ldapsam:editposix = yes
> domain logons = yes
> os level = 63
> logon script = login.bat
> logon path =
> wins server = rigel.example.com
> ldap ssl = off
> client ldap sasl wrapping = plain
> ldap suffix = dc=example,dc=com
> ldap machine suffix = ou=Computers, ou=Users
> ldap user suffix = ou=Users
> ldap group suffix = ou=Group
> ldap idmap suffix = ou=idmap
> ldap admin dn = cn=admin,dc=example,dc=com
> utmp = Yes
> idmap backend = ldap://rigel.example.com
> idmap uid = 15000-20000
> idmap gid = 15000-20000
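A check for the symptom in Dermot's log ("in passdb, but getpwnam() fails"), added here as an example and not code from either poster: it compares the account lists that "pdbedit -L" and "getent passwd" report on the BDC, using constructed sample output, and prints the accounts that Samba's passdb knows but NSS cannot resolve.

```shell
#!/bin/sh
# Added example. On a BDC with passdb backend = ldapsam, Samba finds the
# user via LDAP (the SRCH in the PDC's slapd log) but then calls getpwnam(),
# which goes through nsswitch. Any account present in the first list but
# absent from the second is one that will fail exactly as in the log.

# Constructed sample output of "pdbedit -L" (user:uid:full name).
PDBEDIT_SAMPLE='djohn:15003:D John
asmith:15004:A Smith
root:0:root
antares$:15010:'

# Constructed sample output of "getent passwd" on the same host; note that
# djohn and the machine account antares$ are missing from NSS.
GETENT_SAMPLE='root:x:0:0:root:/root:/bin/sh
asmith:x:15004:15004:A Smith:/home/asmith:/bin/sh'

# passdb_not_in_nss PDBEDIT_OUTPUT GETENT_OUTPUT
# Prints, one per line, each passdb account that NSS does not resolve.
passdb_not_in_nss() {
    pdb_users=$(printf '%s\n' "$1" | cut -d: -f1 | sort -u)
    nss_users=$(printf '%s\n' "$2" | cut -d: -f1 | sort -u)
    printf '%s\n' "$pdb_users" | while IFS= read -r u; do
        [ -n "$u" ] || continue
        # -F: fixed string, so a trailing $ in a machine account is not a regex anchor
        printf '%s\n' "$nss_users" | grep -Fqx -- "$u" || printf '%s\n' "$u"
    done
}

# Live use on the BDC itself (not run here):
#   passdb_not_in_nss "$(pdbedit -L)" "$(getent passwd)"
```

An empty result means every passdb account resolves through nsswitch; a non-empty one points at the passwd/group lines in /etc/nsswitch.conf (or the ldap NSS client configuration) on the BDC rather than at smb.conf.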