[Samba] Problems with Samba after upgrading to v4 and changing LDAP-backend from OpenLDAP to 389

Rowland Penny rpenny at samba.org
Fri Sep 23 10:39:21 UTC 2022



On 23/09/2022 11:31, Alexander Harm || ApfelQ via samba wrote:
> I couldn’t help myself but dig some more. I compared the ldif as suggested and they are identical. From what I gather, the results that LDAP returns are fine but the process fails at a non-LDAP stage:
> 
> The LDAP server is successfully connected
> pdb backend ldapsam:ldap://ldap1.example.com has a valid init
> smbldap_search_ext: base => [dc=example,dc=com], filter => [(&(uid=johndoe)(objectclass=sambaSamAccount))], scope => [2]
> init_sam_from_ldap: Entry found for user: johndoe
> pdb_set_username: setting username johndoe, was
> pdb_set_domain: setting domain EXAMPLE, was
> pdb_set_nt_username: setting nt username johndoe, was
> pdb_set_user_sid_from_string: setting user sid S-1-5-21-1926693724-44905045-1282156110-25724
> pdb_set_user_sid: setting user sid S-1-5-21-1926693724-44905045-1282156110-25724
> attribute sambaLogonTime does not exist
> attribute sambaLogoffTime does not exist
> attribute sambaPwdCanChange does not exist
> pdb_set_full_name: setting full name Doe, John, was
> pdb_set_dir_drive: setting dir drive E:, was NULL
> pdb_set_homedir: setting home dir \\univers\homes, was
> pdb_set_logon_script: setting logon script johndoe, was
> attribute sambaProfilePath does not exist
> pdb_set_profile_path: setting profile path , was
> attribute description does not exist
> attribute sambaUserWorkstations does not exist
> attribute sambaMungedDial does not exist
> attribute sambaLMPassword does not exist
> Opening cache file at /var/lib/samba/lock/gencache.tdb
> attribute sambaBadPasswordCount does not exist
> attribute sambaBadPasswordTime does not exist
> attribute sambaLogonHours does not exist
> Opening cache file at /var/lib/samba/login_cache.tdb
> Looking up login cache for user johndoe
> No cache entry found
> No cache entry, bad count = 0, bad time = 0
> Finding user johndoe
> Trying _Get_Pwnam(), username as lowercase is johndoe
> Trying _Get_Pwnam(), username as uppercase is JOHNDOE
> Checking combinations of 0 uppercase letters in johndoe
> Get_Pwnam_internals didn't find user [johndoe]!
> Failed to find a Unix account for johndoe
> pdb_set_username: setting username johndoe, was
> pdb_set_domain: setting domain EXAMPLE, was
> pdb_set_nt_username: setting nt username johndoe, was
> pdb_set_full_name: setting full name Doe, John, was
> pdb_set_homedir: setting home dir \\univers\homes, was
> pdb_set_dir_drive: setting dir drive E:, was NULL
> pdb_set_logon_script: setting logon script johndoe, was
> pdb_set_profile_path: setting profile path , was
> pdb_set_workstations: setting workstations , was
> pdb_set_user_sid: setting user sid S-1-5-21-1926693724-44905045-1282156110-25724
> pdb_set_user_sid_from_rid:
> setting user sid S-1-5-21-1926693724-44905045-1282156110-25724 from rid 25724
> Unix username: johndoe
> NT username: johndoe
> Account Flags: [U ]
> User SID: S-1-5-21-1926693724-44905045-1282156110-25724
> Finding user johndoe
> Trying _Get_Pwnam(), username as lowercase is johndoe
> Trying _Get_Pwnam(), username as uppercase is JOHNDOE
> Checking combinations of 0 uppercase letters in johndoe
> Get_Pwnam_internals didn't find user [johndoe]!
> Failed to find a Unix account for johndoe
> 
> So where the two differ is here:
> 
> Finding user johndoe
> Trying _Get_Pwnam(), username as lowercase is johndoe
> Trying _Get_Pwnam(), username as uppercase is JOHNDOE
> Checking combinations of 0 uppercase letters in johndoe
> Get_Pwnam_internals didn't find user [johndoe]!
> Failed to find a Unix account for johndoe
> 
> and on the old server it just returns the user straight away. Is that a problem of PAM configuration?

I take it that you are running winbind, but what is in /etc/nsswitch.conf?

Rowland
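
The two checks this exchange comes down to, as an added example that is not part of either poster's message: list the users the log shows as found in LDAP but failing the Unix account lookup, and show which sources the `passwd` line of nsswitch.conf names. The function names are hypothetical, and it assumes a glibc system with `getent` and the log wording quoted above.

```shell
#!/bin/sh
# Added example, not from the thread. Get_Pwnam() ends in getpwnam(), which on
# glibc consults the sources on the "passwd:" line of /etc/nsswitch.conf.

# nss_sources DB [FILE]: print the sources listed for DB (passwd, group, ...),
# one per line, skipping [STATUS=action] items.
nss_sources() {
    awk -v db="$1:" '
        { sub(/#.*/, "") }                      # strip comments
        $1 == db {
            skip = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^\[/) skip = 1        # start of an action item
                if (!skip) print $i
                if ($i ~ /\]$/) skip = 0        # end of an action item
            }
        }' "${2:-/etc/nsswitch.conf}"
}

# ldap_found_no_unix LOGFILE: print each user that the passdb backend found
# in LDAP but for which the Unix account lookup then failed.
ldap_found_no_unix() {
    awk '
        /init_sam_from_ldap: Entry found for user: / { found[$NF] = 1 }
        /Failed to find a Unix account for / {
            if (($NF in found) && !seen[$NF]++) print $NF
        }' "$1"
}

# diagnose LOGFILE: for every such user, ask NSS directly for the account.
diagnose() {
    echo "passwd sources: $(nss_sources passwd | tr '\n' ' ')"
    ldap_found_no_unix "$1" | while read -r user; do
        if getent passwd "$user" >/dev/null; then
            echo "$user: resolves via NSS now"
        else
            echo "$user: in LDAP, but no passwd source returns it"
        fi
    done
}
```

Source the file and run `diagnose` with the path to a debug-level smbd log; a user reported as unresolved means none of the listed `passwd` sources (files, winbind, ldap, sss, ...) returns that account.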



