[Samba] Cannot authenticate new ldap users (unless they are in /etc/passwd too)

Gaiseric Vandal gaiseric.vandal at gmail.com
Tue May 24 10:15:44 MDT 2011

You still need a "unix" account to back the samba account - this can be done in several ways:
     - have a local unix acct in /etc/passwd
     - have the LDAP entry for your samba user also include your "unix" account info.
     - have winbind allocate unix uid's and gid's dynamically for samba accounts in your local domain.

I use option 2 -  LDAP for both unix and samba authentication.  I 
initially used nis for unix and TBD for samba, then moved both to a 
consolidated LDAP backend.

If you don't need LDAP auth for unix level logins, it may be sufficient 
to add uid and gid to the LDAP entry and skip the unix password field.

I have not tried option 3.

On 05/23/2011 05:47 PM, Sean Boran wrote:
> Hi,
> I migrated a PDC to use an ldap backend and am having fun with a few last
> issues..
> Existing user accounts and machine accounts were migrated, and existing
> users can authenticate.
> Now I've added some new users and none of them can authenticate.
> e.g. for the user "inktec".
> The user can login via SSH, but not mount a share:
> smbclient \\\\server3\\someshare -U=inktec mypassword
> May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47,  0] passdb/pdb_get_set.c:211(pdb_get_group_sid)
> May 23 19:40:47 server3 smbd[7364]:   pdb_get_group_sid: Failed to find Unix account for inktec
> May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47,  1] auth/auth_util.c:577(make_server_info_sam)
> May 23 19:40:47 server3 smbd[7364]:   User inktec in passdb, but getpwnam() fails!
> May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47,  0] auth/auth_sam.c:355(check_sam_security)
> May 23 19:40:47 server3 smbd[7364]:   check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
> Samba can see the users and groups.
> The following find the user just fine:
> ldapsearch  -x  '(uid=inktec)'
> pdbedit -L -v inktec
> getent passwd inktec
> smbldap-usershow inktec
> id inktec
> uid=18664(inktec) gid=513(Domain Users) groups=513(Domain Users),203(buser)
> Users were added with the tool "smbldap-useradd -a", and also with
> "ldapadmin"...
> I also compared the ldap entries for users that work fine with the new users
> in ldap admin, they are basically the same.
> Perhaps related is that on a  Windows XP client in the domain, if inktec is
> added to a User Groups such as Remote Desktop Users, windows complains
> "Information return for object picket for object inktec was incomplete".
> Then by chance I added the test user (inktec) to /etc/passwd (but not to
> shadow), just to see. It worked!
> It's like the passwd line in nsswitch.conf is being ignored?
> group:  compat ldap
> passwd: compat ldap
> shadow: compat ldap
> But then why did "getent passwd inktec" work, and why would SSH login work.
> Before ldap I would add users with both "useradd" and "smbpasswd -a", but
> this should not be necessary with the ldap store?
> Thanks in advance,
> Sean
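The reply's option 2 (one LDAP entry carrying both the Samba and the unix account data) can be checked offline before the entry ever reaches the directory. The POSIX shell script below is an added example, not code from this thread or from the Samba or smbldap-tools projects: it inspects an LDIF entry for the posixAccount attributes that nss_ldap needs to answer smbd's getpwnam() alongside the sambaSamAccount attributes that passdb reads. The two LDIF entries are constructed for the example; the DNs, SIDs and id numbers are placeholders, not values from any real domain. The live equivalents on a running server are the `getent passwd` and `pdbedit -L -v` calls already shown in the question.

```shell
#!/bin/sh
# Added example, not code from this thread: check whether an LDAP user entry
# carries both the Samba and the POSIX attributes, i.e. "option 2" above.
# The LDIF entries are constructed for the example; DNs, SIDs and id numbers
# are placeholders, not values from any real directory.

# Attributes smbd needs: the POSIX ones are what getpwnam() resolves through
# nss_ldap, the Samba ones are what passdb reads from the same entry.
POSIX_ATTRS="uidNumber gidNumber homeDirectory loginShell"
SAMBA_ATTRS="sambaSID sambaPrimaryGroupSID"

# check_unix_backing FILE: print "ok" and return 0 when the LDIF in FILE has
# every required objectClass and attribute; otherwise print the missing names
# and return 1.
check_unix_backing() {
    ldif="$1"
    missing=""
    grep -qi '^objectClass: posixAccount$' "$ldif" || missing="$missing objectClass:posixAccount"
    grep -qi '^objectClass: sambaSamAccount$' "$ldif" || missing="$missing objectClass:sambaSamAccount"
    for attr in $POSIX_ATTRS $SAMBA_ATTRS; do
        grep -qi "^$attr: " "$ldif" || missing="$missing $attr"
    done
    if [ -n "$missing" ]; then
        echo "missing:$missing"
        return 1
    fi
    echo "ok"
    return 0
}

# Constructed entry with both object classes: the shape an option 2 user
# should have, with the unix fields next to the Samba ones.
GOOD_LDIF=$(mktemp)
cat > "$GOOD_LDIF" <<'EOF'
dn: uid=exampleuser,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: sambaSamAccount
uid: exampleuser
cn: Example User
sn: User
uidNumber: 10001
gidNumber: 513
homeDirectory: /home/exampleuser
loginShell: /bin/bash
sambaSID: S-1-5-21-0-0-0-21002
sambaPrimaryGroupSID: S-1-5-21-0-0-0-513
EOF

# Constructed entry with only the Samba half: passdb finds the user, but
# getpwnam() has nothing to return, which is the "User ... in passdb, but
# getpwnam() fails!" situation from the log above.
BAD_LDIF=$(mktemp)
cat > "$BAD_LDIF" <<'EOF'
dn: uid=sambaonly,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: sambaSamAccount
uid: sambaonly
cn: Samba Only
sn: Only
sambaSID: S-1-5-21-0-0-0-21004
sambaPrimaryGroupSID: S-1-5-21-0-0-0-513
EOF

check_unix_backing "$GOOD_LDIF"
check_unix_backing "$BAD_LDIF" || echo "entry needs posixAccount data before smbd can use it"
```

Run it against an LDIF exported with `ldapsearch -x '(uid=someuser)'`; a non-zero exit lists exactly which unix fields are absent, which is the same gap smbd reports at log level 0 when passdb knows the user but NSS does not.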
