You still need a "unix" account to back the samba account- this can be
done in several ways
- have a local unix acct in /etc/passwd
- have the LDAP entry for your samba user also include your "unix"
account info.
- have winbind allocate unix uid's and gid's dynamically for samba
accounts in your local domain.
I use option 2 - LDAP for both unix and samba authentication. I
initially used nis for unix and TBD for samba, then moved both to a
consolidated LDAP backend.
If you don't need LDAP auth for unix level logins , it may be sufficient
to add uid and gid to the LDAP entry and skip the unix password field.
I have not tried option 3.
On 05/23/2011 05:47 PM, Sean Boran wrote:
Hi,
I migrated a PDC to use an ldap backend and am having fun with a few last
issues..
Existing user accounts and machine accounts were migrated, and existing
users can authenticate.
Now I've added some new users and none of them can authenticate.
e.g. for the user "inktec".
The user can login via SSH, but not mount a share:
smbclient \\\\server3\\someshare -U=inktec mypassword
May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47, 0]
passdb/pdb_get_set.c:211(pdb_get_group_sid)
May 23 19:40:47 server3 smbd[7364]: pdb_get_group_sid: Failed to find Unix
account for inktec
May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47, 1]
auth/auth_util.c:577(make_server_info_sam)
May 23 19:40:47 server3 smbd[7364]: User inktec in passdb, but getpwnam()
fails!
May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47, 0]
auth/auth_sam.c:355(check_sam_security)
May 23 19:40:47 server3 smbd[7364]: check_sam_security:
make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
Sama can see the users and groups.
The following find the user just fine:
ldapsearch -x '(uid=inktec)'
pdbedit -L -v inktec
getent passwd inktec
smbldap-usershow inktec
id inktec
uid=18664(inktec) gid=513(Domain Users) groups=513(Domain Users),203(buser)
Users were added with the tool "smbldap-useradd -a", and also with
"ldapadmin"...
I also compared the ldap entries for users that work fine with the new users
in ldap admin, they are basically the same.
Perhaps related is that on a Windows XP client in the domain, if inktec is
added to a User Groups such as Remote Desktop Users, windows complains
"Information return for object picket for object inktec was incomplete".
Then by chance I added the test user (inktec) to /etc/passwd (but not to
shadow), just to see. It worked!
Its like the passwd line is nssswitch_conf is being ignored?
group: compat ldap
passwd: compat ldap
shadow: compat ldap
But then why did "getent passwd inktec" work, and why would SSH login work.
Before ldap I would add users with both "useradd" and "smbpasswd -a", but
this should not be necessary with the ldap store?
Thanks in advance,
Sean
--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
