[Samba] Local account login failed when samba join to LDAP

Rowland Penny rowlandpenny at googlemail.com
Wed Apr 2 05:45:09 MDT 2014


On 02/04/14 10:42, Johnson Cheng wrote:
> Dear Min Wai,
>
> I am sorry that I didn't describe it more clearly.
> My local passwd file means samba password(passdb.tdb & secrets.tdb), not /etc/passwd.
>
> I think I really don't understand what wrong is.
>
> AD case:
> When my samba3 joins AD, I don't need to set the "passdb backend" parameter in smb.conf (the default is tdbsam). The "getent passwd" command will list all local and AD users.
> Therefore, AD will check to see if the user exists on AD via winbind; if the user doesn't exist on AD, then it will check the local samba password.
WRONG:
If your samba3 machine is joined to the AD domain, it is a domain
member, the ONLY place that will be checked to see if a user exists is
AD. A user can only exist in AD, they cannot also be local users.

>
> LDAP case:
> When my samba3 joins LDAP, I set the "passdb backend" parameter to ldapsam. The "getent passwd" command will also list all local and AD users.
> BUT, if the user doesn't exist on LDAP, it will not check the local samba password anymore. It causes NO SUCH USER EXIST.

This is what an AD joined machine does, but with LDAP a user MUST be
also a local user.


>
> As everybody said, samba can only support one database (passdb backend).
> Is it possible to make LDAP authentication behave the same as AD (local accounts and domain accounts co-exist)?
No, because you seem to have it backwards, samba can support several
different databases, but only one at once.

Rowland
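The cross-check Rowland describes (a user must exist in the one passdb backend Samba is told to use, and for ldapsam must also be a local/NSS user) can be scripted. This is an added example, not code from the thread or from Samba: it parses constructed sample output of `getent passwd` and `pdbedit -L`, and every account name and uid in it is made up.

```python
"""Cross-check NSS (getent passwd) against the Samba passdb (pdbedit -L).

Added example. For a live check, replace the constructed samples below with
the output of `getent passwd` and `pdbedit -L` (e.g. via subprocess).
"""

# Constructed sample of `getent passwd` output: what the OS / NSS knows.
GETENT_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
"""

# Constructed sample of `pdbedit -L` output (name:uid:fullname): what the
# configured passdb backend (tdbsam, ldapsam, ...) knows.
PDBEDIT_SAMPLE = """\
alice:1001:Alice
carol:2003:Carol
dave:1004:Dave
"""


def nss_users(getent_output):
    """Return {name: uid} for non-system accounts (uid >= 1000) seen by NSS."""
    users = {}
    for line in getent_output.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and int(fields[2]) >= 1000:
            users[fields[0]] = int(fields[2])
    return users


def passdb_users(pdbedit_output):
    """Return {name: uid} for every account in the Samba passdb listing."""
    users = {}
    for line in pdbedit_output.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            users[fields[0]] = int(fields[1])
    return users


def audit(getent_output, pdbedit_output):
    """Report the three states Samba cannot work with."""
    nss, pdb = nss_users(getent_output), passdb_users(pdbedit_output)
    return {
        # unix account, no passdb entry: Samba reports NO SUCH USER
        "nss_only": sorted(set(nss) - set(pdb)),
        # passdb entry, no unix account: Samba cannot map the user to a uid
        "passdb_only": sorted(set(pdb) - set(nss)),
        # present in both but with different uids: file ownership will be wrong
        "uid_mismatch": sorted(u for u in set(nss) & set(pdb) if nss[u] != pdb[u]),
    }
```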
>
> Regards,
> Johnson
>
> -----Original Message-----
> From: samba-bounces at lists.samba.org [mailto:samba-bounces at lists.samba.org] On Behalf Of Chan Min Wai
> Sent: Tuesday, April 01, 2014 8:41 PM
> To: Rowland Penny
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] Local account login failed when samba join to LDAP
>
> Dear Jason,
>
>
> I think you have the idea wrong. 
> 1. If you remember, you need to do an smb user conversion before you can use samba. 
> So this is the catch. 
> Samba never, never supports local /etc/passwd authentication. 
>
> Then we come to samba PDC with LDAP. 
> You need to configure the password and user info in LDAP. 
> BUT, your Linux needs to know the LDAP info for its own use, like home and shell etc. 
> And you have a tool called smbldap-tools which does password sync if you change the password from samba or from local unix. 
>
> Again, samba never authenticates against local. 
>
> So I guess that's all you need to know.
>
> Regards, 
> Chan Min Wai 
>
>> Rowland Penny <rowlandpenny at googlemail.com> wrote on 01/04/2014 7:09 PTG:
>>
>> On 01/04/14 11:44, Johnson Cheng wrote:
>>> Dear Rowland,
>>>
>>> That's a point.
>>> AD will check to see if the user exists; if the user does not exist, the local passwd file is checked.
>>> I just don't understand why LDAP doesn't follow this behavior. LDAP doesn't check the local passwd file if the user does not exist on the LDAP server.
>>>
>>> Regards,
>>> Johnson
>> You seem to be missing the point here, AD doesn't check anything, just like LDAP doesn't check anything. They, along with /etc/passwd, are a form of database and THEY are checked for a user.
>>
>> If you run samba3 as a NT4 PDC, and connect to it with smbclient, then all that gets checked is whatever database you tell samba to use, be it tdbsam or ldapsam etc, it does not check local users, this is why any local users on a machine that you want to be samba users also have to exist in LDAP etc.
>>
>> Rowland