[Samba] Problem with User and Group Ownership listing

Wes Modes wmodes at ucsc.edu
Thu Feb 14 19:27:35 MST 2013

I am installing smb 3.5 on a CentOS 6.2 host using smbldap-tools.  I've
previously installed a similar configuration on RHEL4 using smb 3.0 but
CentOS now uses nss-pam-ldapd and nslcd instead of nss_ldap, so the
configurations cannot be moved straight across.

When I do a listing of a share directory that should have user and group
ownership determined by LDAP, I get the uidNumbers and gidNumbers rather
than the UIDs and GIDs.

    [root@edgar2 openldap]# ls -l /data/home | tail
    drwx------.  2  30634 30080 4096 Mar 18  2009 userdir1
    drwx------. 33  30548 30075 4096 Jan 29 15:20 userdir2
    drwx------.  3  30554 30075 4096 Jan 26  2009 userdir3
    drwx------. 12  30467 30075 4096 Jun 21  2012 userdir4
    drwx------.  4  30543 30075 4096 Oct 21  2008 userdir5
    drwx------.  8  30555 30075 4096 Oct 31 10:36 userdir5

Other details:  centos 6.2, samba 3.5, smbldap-tools 0.9.6, openldap 2.4.23

I've fussed with /etc/nsswitch.conf, /etc/pam_ldap.conf,
/etc/nslcd.conf, /etc/pam.d/system-auth, and /etc/sysconfig/authconfig. 
And selinux is off.

I know the machine is successfully connecting to LDAP.  An ldapsearch
works from this machine, and I can even connect to a samba share with an
ldap login through smbclient.

Relevant parts of /etc/nsswitch:

    passwd:     files ldap
    shadow:     files ldap
    group:      files ldap
    #hosts:     db files nisplus nis dns
    hosts:      files dns
    bootparams: nisplus [NOTFOUND=return] files
    ethers:     files
    netmasks:   files
    networks:   files
    protocols:  files ldap
    rpc:        files
    services:   files ldap
    netgroup:   nisplus ldap
    #netgroup:   ldap
    publickey:  nisplus
    automount:  files nisplus ldap
    #automount:  files ldap
    aliases:    files nisplus

Relevant parts of /etc/pam_ldap.conf (everything else is commented out):

    host dir1.ourdomain.com
    base dc=.ourdomain,dc=com
    #uri ldaps://dir1.ourdomain.com
    uri ldap://dir1.ourdomain.com
    # basic auth config
    binddn cn=admin,dc=ourdomain,dc=com
    rootbinddn cn=admin,dc=ourdomain,dc=com
    # random stuff
    #timelimit 120
    #bind_timelimit 120
    #bind_policy hard
    # brought these times down wmodes Aug 11, 2008
    timelimit 30
    bind_timelimit 30
    bind_policy soft
    idle_timelimit 3600
    nss_initgroups_ignoreusers root,ldap
    # pam config
    #pam_password md5
    pam_password md5
    # config for nss
    nss_base_passwd ou=people,dc=ourdomain,dc=com?one
    nss_base_shadow ou=people,dc=ourdomain,dc=com?one
    nss_base_group  ou=group,dc=ourdomain,dc=com?one
    # OpenLDAP SSL mechanism
    # start_tls mechanism uses the normal LDAP port, LDAPS typically 636
    ssl no
    # OpenLDAP SSL options
    # Require and verify server certificate (yes/no)
    #tls_checkpeer yes
    # CA certificates for server certificate verification
    tls_cacertfile /etc/openldap/cacerts/cacert.pem
    tls_cacertdir /etc/openldap/cacerts
    # Client certificate and key
    tls_cert /etc/openldap/cacerts/servercert.pem
    tls_key /etc/openldap/cacerts/serverkey.pem

Relevant parts of /etc/pam.d/system-auth:

    auth        required      pam_env.so
    auth        sufficient    pam_fprintd.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_ldap.so use_first_pass
    auth        required      pam_deny.so
    account     required      pam_unix.so
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
    account     required      pam_permit.so
    password    requisite     pam_cracklib.so try_first_pass retry=3 type=
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_ldap.so use_authtok
    password    required      pam_deny.so
    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_ldap.so
    session     optional      pam_mkhomedir.so skel=/etc/skel umask=077

And the only line in /etc/sysconfig/authconfig I changed was:


Any thoughts?  For those who are experienced with nis and pam, I'm sure
this is a no brainer, but I could sure use the little bit of your brain
that knows how to fix this.


Wes Modes
Systems Designer, Developer, and Administrator
University Library ITS
University of California, Santa Cruz
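
An added example, not part of the original post: `ls -l` prints a number when the C library's passwd or group lookup for that ID returns no entry, so this Python script extracts the numeric IDs from a listing and repeats those lookups through the sources configured in nsswitch.conf. The sample listing is constructed (two rows shaped like the ones above plus one resolved row), and the function names are illustrative.

```python
import grp
import pwd

# Constructed sample: two rows shaped like the post's listing, one resolved row.
SAMPLE_LISTING = """\
total 12
drwx------.  2  30634 30080 4096 Mar 18  2009 userdir1
drwx------. 33  30548 30075 4096 Jan 29 15:20 userdir2
drwxr-xr-x.  2  root  root  4096 Feb 14  2013 lost+found
"""

def numeric_owners(listing):
    """Collect the owner/group IDs that `ls -l` printed as bare numbers."""
    uids, gids = set(), set()
    for line in listing.splitlines():
        fields = line.split()
        # Skip "total N" and anything that is not a long-format entry.
        if len(fields) < 9 or fields[0][0] not in "-dlbcps":
            continue
        if fields[2].isdigit():
            uids.add(int(fields[2]))
        if fields[3].isdigit():
            gids.add(int(fields[3]))
    return uids, gids

def resolves(lookup, ident):
    """True if the NSS-backed lookup returns an entry for this ID."""
    try:
        lookup(ident)
        return True
    except KeyError:
        return False

def diagnose(listing, getpwuid=pwd.getpwuid, getgrgid=grp.getgrgid):
    """Repeat the lookups ls makes; IDs still unresolved point at the NSS path."""
    uids, gids = numeric_owners(listing)
    return {
        "unresolved_uids": sorted(u for u in uids if not resolves(getpwuid, u)),
        "unresolved_gids": sorted(g for g in gids if not resolves(getgrgid, g)),
    }

if __name__ == "__main__":
    report = diagnose(SAMPLE_LISTING)
    for kind, ids in report.items():
        print(f"{kind}: {ids or 'none'}")
```

The default lookups go through the same libc interface as `ls`, so the result reflects the host's passwd and group sources and is independent of Samba.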
