[Samba] Cannot authenticate new ldap users (unless they are in /etc/passwd too)

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed May 25 15:28:35 MDT 2011

"pdbedit -Lv username" should show you the unix user id.

IF you create a new samba user (e.g. with "smbpasswd -a username" or 
"pdbedit ....")
     AND the user does not already exist as a unix user (in ldap or 
     THEN smbpasswd (or pdbedit) should complain UNLESS samba is 
automatically allocating uid/gid's.

Does smb.conf define an idmap ou in ldap?

Did you try configuring /etc/nsswitch.conf as follows?

     passwd:     files ldap
     shadow:     files ldap
     group:      files ldap

I use Apache Directory Studio for an ldap browser/editor; that (or a 
similar product) may help you poke around ldap and see what is being 
created.  I don't have any of the smbldap scripts installed on my 
servers.  What version of unix/linux are you using?

On 05/25/2011 04:49 PM, Sean Boran wrote:
> Hi,
> @Gaiseric: Yes, I have option 2, the LDAP entries include UNIX account 
> details such as UID.
> (I can for example, login via ssh with the ldap accounts: which shows 
> that the unix account details are ok and nss works)
> Samba is somehow not seeing ldap unix accounts though.
> I've also now noticed that it is not seeing the group membership in 
> ldap either, although "getent groups" and "id" show the groups.
> @Takahashi: Log level 10 is interesting. But coincidentally, after 
> enabling it, and a delay of one day, the logins are working fine, 
> even if the /etc/passwd entry is removed.
> I'm going to have to do more tests, thanks for the tips though.
> Sean
> On 24 May 2011 18:15, Gaiseric Vandal <gaiseric.vandal at gmail.com 
> <mailto:gaiseric.vandal at gmail.com>> wrote:
>     You still need a "unix" account to back the samba account-  this
>     can be done in several ways
>        -  have a local unix acct in /etc/passwd
>        -  have the LDAP entry for your samba user also include your
>     "unix" account info.
>        -  have winbind allocate unix uid's and gid's dynamically for
>     samba accounts in your local domain.
>     I use option 2 -  LDAP for both unix and samba authentication.  I
>     initially used nis for unix and TBD for samba, then moved both to
>     a consolidated LDAP backend.
>     If you don't need LDAP auth for unix level logins , it may be
>     sufficient to add uid and gid to the LDAP entry and skip the unix
>     password field.
>     I have not tried option 3.
>     On 05/23/2011 05:47 PM, Sean Boran wrote:
>         Hi,
>         I migrated a PDC to use an ldap backend and am having fun with
>         a few last
>         issues..
>         Existing user accounts and machine accounts were migrated, and
>         existing
>         users can authenticate.
>         Now I've added some new users and none of them can authenticate.
>         e.g. for the user "inktec".
>         The user can login via SSH, but not mount a share:
>         smbclient \\\\server3\\someshare -U=inktec mypassword
>         May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47,  0]
>         passdb/pdb_get_set.c:211(pdb_get_group_sid)
>         May 23 19:40:47 server3 smbd[7364]:   pdb_get_group_sid:
>         Failed to find Unix
>         account for inktec
>         May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47,  1]
>         auth/auth_util.c:577(make_server_info_sam)
>         May 23 19:40:47 server3 smbd[7364]:   User inktec in passdb,
>         but getpwnam()
>         fails!
>         May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47,  0]
>         auth/auth_sam.c:355(check_sam_security)
>         May 23 19:40:47 server3 smbd[7364]:   check_sam_security:
>         make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
>         Samba can see the users and groups.
>         The following find the user just fine:
>         ldapsearch  -x  '(uid=inktec)'
>         pdbedit -L -v inktec
>         getent passwd inktec
>         smbldap-usershow inktec
>         id inktec
>         uid=18664(inktec) gid=513(Domain Users) groups=513(Domain
>         Users),203(buser)
>         Users were added with the tool "smbldap-useradd -a", and also with
>         "ldapadmin"...
>         I also compared the ldap entries for users that work fine with
>         the new users
>         in ldap admin, they are basically the same.
>         Perhaps related is that on a  Windows XP client in the domain,
>         if inktec is
>         added to a User Groups such as Remote Desktop Users, windows
>         complains
>         "Information return for object picker for object inktec was
>         incomplete".
>         Then by chance I added the test user (inktec) to /etc/passwd
>         (but not to
>         shadow), just to see. It worked!
>         It's like the passwd line in nsswitch.conf is being ignored?
>         group:  compat ldap
>         passwd: compat ldap
>         shadow: compat ldap
>         But then why did "getent passwd inktec" work, and why would
>         SSH login work?
>         Before ldap I would add users with both "useradd" and
>         "smbpasswd -a", but
>         this should not be necessary with the ldap store?
>         Thanks in advance,
>         Sean
>     -- 
>     To unsubscribe from this list go to the following URL and read the
>     instructions: https://lists.samba.org/mailman/options/samba
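The smbd error quoted in the thread ("User inktec in passdb, but getpwnam() fails!") means a user exists in Samba's passdb while the C library cannot resolve that name through nsswitch. The following script, an added example rather than something posted in the thread, automates the cross-check Gaiseric suggests with "pdbedit -Lv": it lists every passdb user that NSS does not know and flags users whose passdb uid disagrees with the NSS uid. It assumes the "pdbedit -L" output format (name:uid:Full Name) and the "getent passwd" format (name:x:uid:gid:gecos:home:shell); the sample data at the bottom is constructed, reusing only the username and uid that appear in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): cross-check Samba's passdb against NSS.
# A user that Samba knows but getpwnam() cannot resolve is exactly the
# condition behind "User ... in passdb, but getpwnam() fails!" in the smbd log.

# passdb_vs_nss PASSDB_LIST NSS_LIST
#   PASSDB_LIST: text in "pdbedit -L" format      (name:uid:Full Name)
#   NSS_LIST:    text in "getent passwd" format   (name:x:uid:gid:gecos:home:shell)
# Prints one line per problem:
#   MISSING <user> <passdb_uid>                 user in passdb, unknown to NSS
#   UID_MISMATCH <user> <passdb_uid> <nss_uid>  both know the user, uids differ
# Nothing is printed when passdb and NSS agree.
passdb_vs_nss() {
    {
        # Tag NSS lines "N:" and passdb lines "P:"; NSS first so the lookup
        # table is complete before any passdb line is checked.
        printf '%s\n' "$2" | sed 's/^/N:/'
        printf '%s\n' "$1" | sed 's/^/P:/'
    } | awk -F: '
        $1 == "N" && NF >= 4 { nss_uid[$2] = $4; next }
        $1 == "P" && NF >= 3 {
            if (!($2 in nss_uid))        print "MISSING " $2 " " $3
            else if (nss_uid[$2] != $3)  print "UID_MISMATCH " $2 " " $3 " " nss_uid[$2]
        }'
}

# Live check on a Samba host: runs the real tools when they are installed.
# This is what you would run on the PDC; it is not exercised by the sample below.
check_live() {
    command -v pdbedit >/dev/null 2>&1 || { echo "pdbedit not found" >&2; return 1; }
    command -v getent  >/dev/null 2>&1 || { echo "getent not found"  >&2; return 1; }
    passdb_vs_nss "$(pdbedit -L)" "$(getent passwd)"
}

# Constructed sample data (not captured from the thread's server):
# one healthy user, one user NSS cannot see, one user with a uid mismatch.
SAMPLE_PASSDB='okuser:1001:Ok User
inktec:18664:Ink Tec
drift:2002:Drift User'
SAMPLE_NSS='root:x:0:0:root:/root:/bin/sh
okuser:x:1001:513:Ok User:/home/okuser:/bin/sh
drift:x:2003:513:Drift User:/home/drift:/bin/sh'

# Stand-alone demonstration on the constructed sample.
passdb_vs_nss "$SAMPLE_PASSDB" "$SAMPLE_NSS"
```

On a host showing the thread's symptom, `check_live` reporting `MISSING inktec 18664` while `getent passwd inktec` succeeds from a shell points at a difference between the NSS view of the smbd process and that of the interactive shell (different nsswitch.conf sources, nscd caching, or an LDAP client configuration only readable by the logged-in user), which is where to look next.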