[Samba] Configuring RHEL6 Samba4 DC for local accounts

[Michael Brown]

I've configured a new RHEL DC with sernet samba 4.1.4 and a domain just 
upgraded from classic with an LDAP backend.

I need to configure the DC with user accounts and since:
* I can't use winbind on a DC
* I can't use SSSD with the sernet packages

it looks like the best thing to use is LDAP. I've configured it with:

authconfig --enableldap --enableldapauth 
--ldapserver=ldap://ad.example.com --ldapbasedn=dc=ad,dc=example,dc=com 
--enablerfc2307bis --enablekrb5 --update

(I get "error reading information on service winbind: No such file or 
directory" but I just ignore it as it looks like it configured LDAP)

and added entries to /etc/pam_ldap.conf so it ends up looking like this:

base dc=ad,dc=example,dc=com
binddn "CN=Unix LDAP,OU=Service Accounts,DC=ad,DC=example,DC=com"
bindpw "penguin5t0ry"
pam_password md5
uri ldap://ad.example.com
ssl no
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer no

Doing a search from the command line works:

$ ldapsearch -x -H ldap://ad.example.com -D 'CN=Unix LDAP,OU=Service 
Accounts,DC=ad,DC=example,DC=com' -W cn=netdirect uidNumber gidNumber cn 
unixHomeDirectory
Enter LDAP Password:
# netdirect, Staff, ad.example.com
dn: CN=netdirect,OU=Staff,DC=ad,DC=example,DC=com
cn: netdirect
uidNumber: 500
unixHomeDirectory: /net/server1/home/netdirect
gidNumber: 500

but things just aren't working - PAM isn't looking up any entries. I 
tried enabling debugging by adding 'debug' to all of the pam_ldap lines 
in /etc/pam.d and capturing *.debug in syslog, but it didn't show anything.

Help?

M.

-- 
Michael Brown               | `One of the main causes of the fall of
Systems Consultant          | the Roman Empire was that, lacking zero,
Net Direct Inc.             | they had no way to indicate successful
☎: +1 519 883 1172 x5106    | termination of their C programs.' - Firth