[Samba] Cannot authenticate new ldap users (unless they are in /etc/passwd too)
Gaiseric Vandal
gaiseric.vandal at gmail.com
Wed May 25 15:28:35 MDT 2011
"pdbedit -Lv username" shd show you the unix user id.
IF you create a new samba user (e.g. with "smbpasswd -a username" or
"pdbedit ....")
AND the user does not already exist as a unix user (in ldap or
/etc/passwd)
THEN smbpasswd (or pdbedit) should complain UNLESS samba is
automatically allocating uid/gid's.
Does smb.conf define an idmap ou in ldap?
Did you try configuring /etc/nsswitch.conf as follows?
passwd: files ldap
shadow: files ldap
group: files ldap
I use Apache Directory Studio for an ldap browser/editor - that (or a
similar product) may help you poke around ldap and see what is being
created. I don't have any of the smbldap scripts installed on my
servers. What version of unix/linux are you using?
On 05/25/2011 04:49 PM, Sean Boran wrote:
> Hi,
>
> @Gaiseric: Yes, I have option 2, the LDAP entries include UNIX account
> details such as UID.
> (I can for example, login via ssh with the ldap accounts: which shows
> that the unix account details are ok and nss works)
> Samba is somehow not seeing ldap unix accounts though.
> I've also now noticed that it is not seeing the group membership in
> ldap either, although "getent groups" and "id" show the groups.
>
> @Takahashi: Log level 10 is interesting. But coincidentally after
> enabling it, and a delay of one day, the logins are working fine,
> even if the /etc/passwd entry is removed.
>
> I'm going to have to do more tests, thanks for the tips though.
>
> Sean
>
> On 24 May 2011 18:15, Gaiseric Vandal <gaiseric.vandal at gmail.com
> <mailto:gaiseric.vandal at gmail.com>> wrote:
>
> You still need a "unix" account to back the samba account- this
> can be done in several ways
> - have a local unix acct in /etc/passwd
> - have the LDAP entry for your samba user also include your
> "unix" account info.
> - have winbind allocate unix uid's and gid's dynamically for
> samba accounts in your local domain.
>
>
> I use option 2 - LDAP for both unix and samba authentication. I
> initially used nis for unix and TBD for samba, then moved both to
> a consolidated LDAP backend.
>
> If you don't need LDAP auth for unix level logins , it may be
> sufficient to add uid and gid to the LDAP entry and skip the unix
> password field.
>
> I have not tried option 3.
>
>
>
> On 05/23/2011 05:47 PM, Sean Boran wrote:
>
> Hi,
>
> I migrated a PDC to use an ldap backend and am having fun with
> a few last
> issues..
> Existing user accounts and machine accounts were migrated, and
> existing
> users can authenticate.
>
> Now I've added some new users and none of them can authenticate.
> e.g. for the user "inktec".
>
> The user can login via SSH, but not mount a share:
> smbclient \\\\server3\\someshare -U=inktec mypassword
>
> May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47, 0]
> passdb/pdb_get_set.c:211(pdb_get_group_sid)
> May 23 19:40:47 server3 smbd[7364]: pdb_get_group_sid:
> Failed to find Unix
> account for inktec
> May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47, 1]
> auth/auth_util.c:577(make_server_info_sam)
> May 23 19:40:47 server3 smbd[7364]: User inktec in passdb,
> but getpwnam()
> fails!
> May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47, 0]
> auth/auth_sam.c:355(check_sam_security)
> May 23 19:40:47 server3 smbd[7364]: check_sam_security:
> make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
>
> Samba can see the users and groups.
> The following find the user just fine:
> ldapsearch -x '(uid=inktec)'
> pdbedit -L -v inktec
> getent passwd inktec
> smbldap-usershow inktec
>
> id inktec
> uid=18664(inktec) gid=513(Domain Users) groups=513(Domain
> Users),203(buser)
>
> Users were added with the tool "smbldap-useradd -a", and also with
> "ldapadmin"...
> I also compared the ldap entries for users that work fine with
> the new users
> in ldap admin, they are basically the same.
>
> Perhaps related is that on a Windows XP client in the domain,
> if inktec is
> added to a User Groups such as Remote Desktop Users, windows
> complains
> "Information return for object picket for object inktec was
> incomplete".
>
> Then by chance I added the test user (inktec) to /etc/passwd
> (but not to
> shadow), just to see. It worked!
> It's like the passwd line in nsswitch.conf is being ignored?
> group: compat ldap
> passwd: compat ldap
> shadow: compat ldap
> But then why did "getent passwd inktec" work, and why would
> SSH login work.
>
> Before ldap I would add users with both "useradd" and
> "smbpasswd -a", but
> this should not be necessary with the ldap store?
>
> Thanks in advance,
>
> Sean
>
>
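The check Gaiseric describes at the top of the thread (every passdb account needs a unix account that NSS can resolve, which is exactly what the "User inktec in passdb, but getpwnam() fails!" log line is about) as a small Python diagnostic. This is an added example, not a script from the thread or from Samba; the `pdbedit -Lv` output and the SIDs in it are constructed, and the nsswitch.conf fragment copies the thread's `compat ldap` lines.

```python
import pwd

# Constructed sample of `pdbedit -Lv inktec` output; the SIDs are made up.
SAMPLE_PDBEDIT = """\
Unix username:        inktec
NT username:
User SID:             S-1-5-21-1111-2222-3333-38328
Primary Group SID:    S-1-5-21-1111-2222-3333-513
"""

# Constructed nsswitch.conf fragment matching the thread's configuration.
SAMPLE_NSSWITCH = """\
passwd: compat ldap   # unix account sources
group:  compat ldap
shadow: compat ldap
"""


def parse_pdbedit(text):
    """Turn the 'Field: value' lines of pdbedit -Lv into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def nss_sources(nsswitch_text, database="passwd"):
    """Sources listed for one NSS database, e.g. ['compat', 'ldap']."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith(database + ":"):
            return line.split(":", 1)[1].split()
    return []


def diagnose(pdbedit_text, nsswitch_text, getpwnam=pwd.getpwnam):
    """Mirror smbd's precondition in make_server_info_sam(): the passdb
    user must also resolve through NSS, whichever backend supplies it."""
    user = parse_pdbedit(pdbedit_text).get("Unix username")
    if not user:
        return "not in passdb"
    try:
        getpwnam(user)          # the lookup that fails in the log above
        return "ok"
    except KeyError:
        pass
    if "ldap" not in nss_sources(nsswitch_text):
        return "in passdb, getpwnam() fails: no ldap source on passwd line"
    return "in passdb, getpwnam() fails: NSS ldap lookup returns nothing"
```

Run `diagnose()` with real `pdbedit -Lv` output and the contents of /etc/nsswitch.conf on the PDC; the default `getpwnam` is the system lookup, the same one smbd uses.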