[Samba] Cannot authenticate new ldap users (unless they are in /etc/passwd too)

Sean Boran sean at boran.com
Mon May 23 15:47:41 MDT 2011


I migrated a PDC to use an ldap backend and am having fun with a few last
Existing user accounts and machine accounts were migrated, and existing
users can authenticate.

Now I've added some new users and none of them can authenticate.
e.g. for the user "inktec".

The user can login via SSH, but not mount a share:
smbclient \\\\server3\\someshare -U=inktec mypassword

May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47,  0]
May 23 19:40:47 server3 smbd[7364]:   pdb_get_group_sid: Failed to find Unix account for inktec
May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47,  1]
May 23 19:40:47 server3 smbd[7364]:   User inktec in passdb, but getpwnam()
May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47,  0]
May 23 19:40:47 server3 smbd[7364]:   check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'

Samba can see the users and groups.
The following all find the user just fine:
ldapsearch  -x  '(uid=inktec)'
pdbedit -L -v inktec
getent passwd inktec
smbldap-usershow inktec

id inktec
uid=18664(inktec) gid=513(Domain Users) groups=513(Domain Users),203(buser)

Users were added with the tool "smbldap-useradd -a", and also with
I also compared the ldap entries for users that work fine with the new users
in LDAP Admin; they are basically the same.

Perhaps related is that on a Windows XP client in the domain, if inktec is
added to a user group such as Remote Desktop Users, Windows complains
"Information return for object picket for object inktec was incomplete".

Then by chance I added the test user (inktec) to /etc/passwd (but not to
shadow), just to see. It worked!
It's like the passwd line in nsswitch.conf is being ignored?
group:  compat ldap
passwd: compat ldap
shadow: compat ldap
But then why did "getent passwd inktec" work, and why would SSH login work?

Before ldap I would add users with both "useradd" and "smbpasswd -a", but
this should not be necessary with the ldap store?

Thanks in advance,
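An added triage script (not from this thread) that checks the same layers the post inspects by hand: that nsswitch.conf lists ldap for passwd, group and shadow; that getpwnam() and the user's primary GID resolve in-process, which is the lookup pdb_get_group_sid needs before smbd can build the session; and that an smbd log carries the "in passdb, but getpwnam()" signature. The sample config and log lines are copied from the post; the user name on the command line is an assumption, and the lookup is only meaningful when run on the PDC itself.

```python
"""Triage helper for "User X in passdb, but getpwnam()" failures on a Samba PDC."""
import grp
import pwd
import re
import sys

# Constructed samples, copied from the post above.
SAMPLE_NSSWITCH = """group:  compat ldap
passwd: compat ldap
shadow: compat ldap
"""
SAMPLE_SMBD_LOG = """May 23 19:40:47 server3 smbd[7364]:   pdb_get_group_sid: Failed to find Unix account for inktec
May 23 19:40:47 server3 smbd[7364]:   User inktec in passdb, but getpwnam()
May 23 19:40:47 server3 smbd[7364]:   check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
"""

def parse_nsswitch(text):
    """Return {database: [sources]} from nsswitch.conf text, ignoring comments."""
    dbs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            name, sources = line.split(":", 1)
            dbs[name.strip()] = sources.split()
    return dbs

def nss_has_ldap(dbs):
    """True when passwd, group and shadow all list the ldap source."""
    return all("ldap" in dbs.get(db, []) for db in ("passwd", "group", "shadow"))

def nss_lookup(user):
    """Resolve the user via getpwnam(), then its primary GID via getgrgid()."""
    try:
        pw = pwd.getpwnam(user)          # the call smbd reports as failing
    except KeyError:
        return {"ok": False, "stage": "getpwnam"}
    try:
        gr = grp.getgrgid(pw.pw_gid)     # primary group must resolve too
    except KeyError:
        return {"ok": False, "stage": "getgrgid", "uid": pw.pw_uid, "gid": pw.pw_gid}
    return {"ok": True, "uid": pw.pw_uid, "gid": pw.pw_gid, "group": gr.gr_name}

PASSDB_NSS_RE = re.compile(r"User (\S+) in passdb, but getpwnam\(\)")

def passdb_nss_mismatches(log_text):
    """Sorted users that smbd found in passdb but could not resolve through NSS."""
    return sorted({m.group(1) for m in PASSDB_NSS_RE.finditer(log_text)})

if __name__ == "__main__":
    user = sys.argv[1] if len(sys.argv) > 1 else "inktec"   # assumed default
    print("nsswitch lists ldap:", nss_has_ldap(parse_nsswitch(SAMPLE_NSSWITCH)))
    print("in-process NSS lookup:", nss_lookup(user))
    print("passdb/NSS mismatches in log:", passdb_nss_mismatches(SAMPLE_SMBD_LOG))
```

On a live PDC, replace the embedded samples with the real /etc/nsswitch.conf and smbd log to compare the shell's getent result with what the in-process lookup returns.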
