[Samba] BDC and ldap set-up problem

Dermot paikkos at googlemail.com
Wed Jun 15 15:31:02 MDT 2011


Hi,

On 15 June 2011 18:56, Gaiseric Vandal <gaiseric.vandal at gmail.com> wrote:
> On the BDC, does "pdbedit -L" show you all your domain users?
> On the BDC, does "getent passwd" show you all your users?

The output from pdbedit shows all the domain users but getent passwd
only shows the user in passwd.

>
> I use ldap for both samba and unix backends, so "pbedit -Lv" and "getent
> passwd" show me the same output for my domain users and local unix users.
>  I don't need to use winbind/idmap to keep unix uid's and gid's consistent.

I installed winbind but have turned it off.

>
>
> On the BDC, did you ever join the domain?  ("net join....")

Yes, several times.

Do you have any ideas why the `getent` isn't working? The
nsswitch.conf is below.
Thanks,
Dermot



passwd:     ldap files
group:      ldap files
shadow:     files

#hosts:     db files nisplus nis dns
hosts:      files dns

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files

publickey:  nisplus

automount:  files
aliases:    files nisplus




>
> On 06/15/2011 01:09 PM, Dermot wrote:
>>
>> Hi,
>>
>> I could use some confirmation on my approach to configuring my BDC. I
>> want the user to be able to access shares on the BDC and have their
>> domain credentials stamped on any files they create. I do not want to
>> add domain users to the /etc/passwd file. At the moment users can
>> authenticate onto the domain but once they try and access a share on
>> the BDC, these XP users get a dialogue box asking for a login. The log
>> for the machine reads:
>>
>> [2011/06/15 17:07:11.827697,  1]
>> auth/auth_util.c:580(make_server_info_sam)
>>   User djohn in passdb, but getpwnam() fails!
>> [2011/06/15 17:07:11.827841,  0] auth/auth_sam.c:493(check_sam_security)
>>   check_sam_security: make_server_info_sam() failed with
>> 'NT_STATUS_NO_SUCH_USER'
>> [2011/06/15 17:07:11.834014,  1]
>> auth/auth_util.c:580(make_server_info_sam)
>>   User djohn in passdb, but getpwnam() fails!
>> [2011/06/15 17:07:11.834088,  0] auth/auth_sam.c:493(check_sam_security)
>>   check_sam_security: make_server_info_sam() failed with
>> 'NT_STATUS_NO_SUCH_USER'
>>
>> At the same time on the ldap master (PDC) I see a search request
>> arrive for the same user and a successful response:
>>
>> Jun 15 17:04:03 rigel slapd[648]: conn=2838 op=3 SEARCH RESULT tag=101
>> err=0 nentries=1 text=
>> Jun 15 17:04:03 rigel slapd[648]: conn=2838 op=4 SRCH
>> base="dc=example,dc=com" scope=2 deref=0
>> filter="(&(uid=djohn)(objectClass=sambaSamAccount))"
>> Jun 15 17:04:03 rigel slapd[648]: conn=2838 op=4 SRCH attr=uid
>> uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
>> sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
>> sn displayName sambaHomeDrive sambaHomePath sambaLogonScript
>> sambaProfilePath description sambaUserWorkstations sambaSID
>> sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
>> objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
>> sambaBadPasswordTime sambaPasswordHistory modifyTimestamp
>> sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory
>> loginShell gecos
>> Jun 15 17:04:03 rigel slapd[648]: conn=2838 op=4 SEARCH RESULT tag=101
>> err=0 nentries=1 text=
>> Jun 15 17:04:03 rigel slapd[648]: conn=2838 fd=18 closed (connection lost)
>>
>> The odd thing is this BDC is also in a replication system with the PDC
>> so it shouldn't need to forward the query.
>>
>> I thought that if I had added ldap to the nsswitch.conf for the passwd
>> and group items, then ldap would be used when the domain users failed
>> to be retrieved from the passwd file.
>>
>> The bigger confusion is around the configuration. Should I be able to
>> use an ldap backend and get the domain user's credentials when they
>> access a share?
>>
>> I have tried to follow the instructions from
>> http://wiki.samba.org/index.php/Samba_%26_LDAP#Let_Samba_use_LDAP The
>> PAM section doesn't match my distro and I ain't see any mention of
>> ldap in /etc/security/*
>>
>> Can anyone help iron out some of the creases in my set-up?
>> Thanks,
>> Dermot.
>>
>>
>>
>> ==== BDC conf =====
>>
>> [global]
>>    unix charset = LOCALE
>>    workgroup = MINE
>>    server string = SMB Server
>>    netbios name = antares
>>    security = user  # tried this as domain but it still fails
>> #  hosts allow =
>>
>>    load printers = no
>> ;   printcap name = /etc/printcap
>> ;   printcap name = lpstat
>> ;   printing = cups
>> cups options = raw
>> ;  guest account = pcguest
>>    log file = /var/log/samba/%m.log
>>    log level = 1
>>    syslog = 0
>>    max log size = 50
>>    name resolve order = wins bcast hosts
>>    printcap name = CUPS
>>    show add printer wizard = no
>>    domain master = no
>>  #  passdb backend = ldapsam:ldap://127.0.0.1
>>    passdb backend = ldapsam:"ldap://127.0.0.1:389 ldap://rigel.example.com:389"
>>    ldap passwd sync = yes
>>    ldapsam:trusted = yes
>>    ldapsam:editposix = yes
>>    domain logons = yes
>>    os level = 63
>>    logon script = login.bat
>>    logon path =
>>    wins server = rigel.example.com
>>    ldap ssl = off
>>    client ldap sasl wrapping = plain
>>    ldap suffix = dc=example,dc=com
>>    ldap machine suffix = ou=Computers, ou=Users
>>    ldap user suffix = ou=Users
>>    ldap group suffix = ou=Group
>>    ldap idmap suffix = ou=idmap
>>    ldap admin dn = cn=admin,dc=example,dc=com
>>    utmp = Yes
>>    idmap backend = ldap://rigel.example.com
>>    idmap uid = 15000-20000
>>    idmap gid = 15000-20000
>
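An added diagnostic for the mismatch in the log above (user present in Samba's passdb while getpwnam() fails), written for this thread and not taken from it or from the Samba project; it assumes `pdbedit -L` prints one account per line as `username:uid:full name`, and the sample output embedded below is constructed:

```python
"""Cross-check Samba's passdb against NSS: every name this prints would
hit "User X in passdb, but getpwnam() fails!" when opening a share."""
import pwd
import subprocess
import sys

# Constructed sample in the `pdbedit -L` format (username:uid:full name);
# the real run captures the command output instead.
SAMPLE_PDBEDIT = """\
root:0:root
djohn:15001:D John
"""


def parse_pdbedit(text):
    """Return the account names from `pdbedit -L` output."""
    users = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        users.append(line.split(":", 1)[0])
    return users


def nss_resolves(name):
    """True if getpwnam() succeeds, i.e. the sources listed for
    'passwd' in nsswitch.conf (files, then ldap) can supply a uid."""
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


def unresolved_passdb_users(pdbedit_output, resolve=nss_resolves):
    """Accounts Samba knows but NSS cannot map to a unix account.
    'resolve' is injectable so the check can be exercised offline."""
    return [u for u in parse_pdbedit(pdbedit_output) if not resolve(u)]


def run_pdbedit():
    """Capture `pdbedit -L` on the BDC (needs root and Samba installed)."""
    return subprocess.run(["pdbedit", "-L"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    missing = unresolved_passdb_users(run_pdbedit())
    for name in missing:
        print(f"{name}: in passdb but getpwnam() fails; check nss_ldap")
    sys.exit(1 if missing else 0)
```

A non-empty list means the NSS 'ldap' source is not actually answering, which is the same gap `getent passwd` exposed in the thread.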