[Samba] samba 3.0.14a works with ldapsam backend but not 3.5.10-125.el6

Qing Chang qchang at sri.utoronto.ca
Mon Aug 20 11:23:17 MDT 2012


On 20/08/2012 11:13 AM, Qing Chang wrote:
> we are migrating our standalone Samba server (3.0.14a) on a Solaris 10 box to
> an RHEL 6.3 box.
>
> Testing shows that on Solaris 3.0.14a works with both the OpenLDAP server
> we are currently using and the IPA2.2 server as LDAP backend. But 3.5.10-125.el6
> on  a RHEL 6.3 box does not work with either.
>
> I can still map a share with 3.5 as owner of the shared directory, but secondary
> group ownership does not appear to resolve properly. Below is an excerpt of
> log.smbd, removed many noisy lines:
> ===== log.smbd for samba 3.5 =====
> [2012/08/16 12:47:39.499996,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
>   init_sam_from_ldap: Entry found for user: qchang
> [2012/08/16 12:47:39.528627,  3] passdb/pdb_ldap.c:5215(ldapsam_gid_to_sid)
>   ERROR: Got 0 entries for gid 201, expected one
> [2012/08/16 12:47:39.822830,  4] auth/auth_sam.c:180(sam_account_ok)
>   sam_account_ok: Checking SMB password for user qchang
> [2012/08/16 12:47:39.822931,  5] auth/auth_sam.c:162(logon_hours_ok)
>   logon_hours_ok: user qchang allowed to logon at this time (Thu Aug 16 16:47:39 2012 )
> [2012/08/16 12:47:39.839645,  3] passdb/pdb_ldap.c:3057(ldapsam_enum_group_memberships)
>   primary group of [qchang] not found
> [2012/08/16 12:47:39.840098,  5] auth/auth_util.c:649(make_server_info_sam)
>   make_server_info_sam: made server info for user qchang -> qchang
> [2012/08/16 12:47:39.840196,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
>   pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
> [2012/08/16 12:47:39.840284,  3] auth/auth.c:265(check_ntlm_password)
>   check_ntlm_password: sam authentication for user [QChang] succeeded
> [2012/08/16 12:47:39.840916,  5] auth/auth.c:291(check_ntlm_password)
>   check_ntlm_password:  PAM Account for user [qchang] succeeded
> [2012/08/16 12:47:39.840994,  2] auth/auth.c:304(check_ntlm_password)
>   check_ntlm_password:  authentication for user [QChang] -> [QChang] -> [qchang] succeeded
> [2012/08/16 12:47:39.841072,  5] auth/auth_util.c:2119(free_user_info)
>   attempting to free (and zero) a user_info structure
> [2012/08/16 12:47:39.841148, 10] auth/auth_util.c:2123(free_user_info)
>   structure was created for QChang
> [2012/08/16 12:47:39.846308,  4] passdb/pdb_ldap.c:2562(ldapsam_getgroup)
>   ldapsam_getgroup: Did not find group, filter was 
> (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544))
> [2012/08/16 12:47:39.852131,  3] auth/token_util.c:467(create_local_nt_token)
>   Failed to fetch domain sid for RESEARCH
> [2012/08/16 12:47:39.875509, 10] auth/token_util.c:531(debug_nt_user_token)
>   NT user token of user S-1-5-21-3516781642-1962875130-3438800523-41232
>   contains 5 SIDs
>   SID[  0]: S-1-5-21-3516781642-1962875130-3438800523-41232
>   SID[  1]: S-1-1-0
>   SID[  2]: S-1-5-2
>   SID[  3]: S-1-5-11
>   SID[  4]: S-1-22-1-20117
>   SE_PRIV  0x0 0x0 0x0 0x0
> [2012/08/16 12:47:39.876009, 10] auth/token_util.c:551(debug_unix_user_token)
>   UNIX token of user 20117
>   Primary group is 201 and contains 0 supplementary groups
> [2012/08/16 12:47:39.876370,  3] smbd/password.c:282(register_existing_vuid)
>   register_existing_vuid: User name: qchang     Real name: Qing Chang
> [2012/08/16 12:47:39.876457,  3] smbd/password.c:292(register_existing_vuid)
>   register_existing_vuid: UNIX uid 20117 is UNIX user qchang, and will be vuid 100
> [2012/08/16 12:47:39.877319,  3] smbd/password.c:223(register_homes_share)
>   Adding homes service for user 'qchang' using home directory: '/home2/qchang'
> [2012/08/16 12:47:40.614903,  3] smbd/service.c:1070(make_connection_snum)
>   ws62203 connect to service IPC$ initially as user qchang (uid=20117, gid=201) (pid 6951)
> =====
>
> pdbedit -L has different output:
>
> ===== 3.0.14a =====
> Trying to load: ldapsam:ldap://ipa1.sri.utoronto.ca
> Attempting to find an passdb backend to match ldapsam:ldap://ipa1.sri.utoronto.ca (ldapsam)
> Found pdb backend ldapsam
> Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=OCTANE))]
> smbldap_open_connection: connection opened
> ldap_connect_system: succesful connection to the LDAP server
> ldap_connect_system: LDAP server does support paged results
> pdb backend ldapsam:ldap://ipa1.sri.utoronto.ca has a valid init
> Attempting to find an passdb backend to match guest (guest)
> Found pdb backend guest
> pdb backend guest has a valid init
> ldapsam_setsampwent: 1507 entries in the base dc=sri,dc=utoronto,dc=ca
> init_sam_from_ldap: Entry found for user: qchang
> =====
>
> ===== 3.5.10-125.el6 =====
> smbldap_open_connection: connection opened
> ldap_connect_system: successful connection to the LDAP server
> pdb backend ldapsam:ldap://ipa1.sri.utoronto.ca has a valid init
> smbldap_search_paged: base => [dc=sri,dc=utoronto,dc=ca], filter => 
> [(&(uid=*)(objectclass=sambaSamAccount))],scope => [2], pagesize => [1024]
> smbldap_search_paged: search was successful
> sid S-1-5-21-3516781642-1962875130-3438800523-41232 does not belong to our domain
> Skipping entry uid=qchang,cn=users,cn=accounts,dc=sri,dc=utoronto,dc=ca
> =====
>
> Here is the smb.conf related to LDAP for both 3.0.14a and 3.5.10-125.el6:
> =====
>         security = user
>         ldap admin dn = "cn=Directory Manager"
>         ldap ssl = off
>         passdb backend = ldapsam:ldap://ipa1.sri.utoronto.ca
>         ldap delete dn = no
>         ldap user suffix = cn=users,cn=accounts
>         ldap group suffix = cn=groups,cn=accounts
>         ldap suffix = dc=sri,dc=utoronto,dc=ca
>         ldap passwd sync = Yes
> =====
>
> It appears to me that 3.5 tries to be a domain controller by default? Your advice is greatly 
> appreciated.
>
> Qing Chang
>
I thought these may help clarify the situation a bit more:

===== pdbedit -L -v qchang output for samba3.0.14 =====
init_sam_from_ldap: Entry found for user: qchang
Opening cache file at /usr/local/samba3014/var/locks/login_cache.tdb
Unix username:        qchang
NT username:          qchang
Account Flags:        [U          ]
User SID:             S-1-5-21-3516781642-1962875130-3438800523-41232
Primary Group SID:    S-1-5-21-1197990898-71428884-4196996049-513
Full Name:            Qing Chang
Home Directory:       \\octane\qchang
HomeDir Drive:
Logon Script:
Profile Path:         \\octane\qchang\profile
Domain:               OCTANE
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Mon, 18 Jan 2038 22:14:07 EST
Kickoff time:         Mon, 18 Jan 2038 22:14:07 EST
Password last set:    Tue, 14 Aug 2012 11:10:08 EST
Password can change:  Thu, 03 Nov 2011 10:55:32 EST
Password must change: Mon, 18 Jan 2038 22:14:07 EST
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
=====

===== pdb -L -v qchang output for samba 3.5 =====
init_sam_from_ldap: Entry found for user: qchang
ERROR: Got 0 entries for gid 201, expected one
ERROR: Got 0 entries for gid 201, expected one
ERROR: Got 0 entries for gid 201, expected one
Opening cache file at /var/lib/samba/login_cache.tdb
Unix username:        qchang
NT username:          qchang
Account Flags:        [U          ]
User SID:             S-1-5-21-3516781642-1962875130-3438800523-41232
Primary Group SID:    S-1-5-21-2087785539-322754622-381919433-513
Full Name:            Qing Chang
Home Directory:       \\smb2\qchang
HomeDir Drive:
Logon Script:
Profile Path:         \\smb2\qchang\profile
Domain:               SMB2
Account desc:
Workstations:
Munged dial:
Logon time:           0
Logoff time:          never
Kickoff time:         never
Password last set:    Tue, 14 Aug 2012 11:10:08 EDT
Password can change:  Tue, 14 Aug 2012 11:10:08 EDT
Password must change: never
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
=====

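The "sid ... does not belong to our domain" line in the 3.5 `pdbedit -L` run is a prefix comparison between the account's SID and the server's own domain SID (the one `net getlocalsid` prints). The Python check below is an added example, not part of the original thread, that applies the same comparison to the two `pdbedit -v` outputs quoted above; taking the server's domain SID from the synthesized Primary Group SID prefix is an assumption, as is the reduced sample text.

```python
import re

# Domain- or machine-scoped SIDs look like S-1-5-21-<a>-<b>-<c>[-<rid>].
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+(?:-(\d+))?$")

# Constructed samples: the relevant lines of the two pdbedit -L -v runs quoted in the thread.
PDBEDIT_3_0 = r"""init_sam_from_ldap: Entry found for user: qchang
Unix username:        qchang
User SID:             S-1-5-21-3516781642-1962875130-3438800523-41232
Primary Group SID:    S-1-5-21-1197990898-71428884-4196996049-513
Domain:               OCTANE
"""
PDBEDIT_3_5 = r"""init_sam_from_ldap: Entry found for user: qchang
ERROR: Got 0 entries for gid 201, expected one
Unix username:        qchang
User SID:             S-1-5-21-3516781642-1962875130-3438800523-41232
Primary Group SID:    S-1-5-21-2087785539-322754622-381919433-513
Domain:               SMB2
"""

def split_sid(sid):
    """Return (domain_prefix, rid) for an S-1-5-21 SID; rid is None for a bare domain SID.
    Well-known SIDs such as S-1-5-32-544 carry no domain and raise ValueError."""
    m = DOMAIN_SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain-scoped SID: %s" % sid)
    rid = m.group(1)
    prefix = sid if rid is None else sid[:-(len(rid) + 1)]
    return prefix, (int(rid) if rid is not None else None)

def parse_pdbedit(text):
    """Turn 'pdbedit -L -v' output into a dict of its 'Key: value' lines."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # debug lines without a colon are not account fields
        key, value = line.split(":", 1)
        fields[key.strip()] = value.strip()
    return fields

def check_account(pdbedit_text, local_domain_sid):
    """Reproduce the membership test behind 'does not belong to our domain':
    the user SID prefix must equal the server's own domain SID."""
    fields = parse_pdbedit(pdbedit_text)
    user_prefix, user_rid = split_sid(fields["User SID"])
    group_prefix, group_rid = split_sid(fields["Primary Group SID"])
    local_prefix, _ = split_sid(local_domain_sid)
    return {
        "user_rid": user_rid,
        "group_rid": group_rid,
        "user_in_local_domain": user_prefix == local_prefix,
        "group_in_local_domain": group_prefix == local_prefix,
    }
```

On the real server, pass the SID printed by `net getlocalsid`; a False `user_in_local_domain` is the condition that makes the 3.5 backend skip the entry in the quoted log.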