"pdbedit -Lv username" should show you the unix user id.

IF you create a new samba user (e.g. with "smbpasswd -a username" or "pdbedit ....") AND the user does not already exist as a unix user (in ldap or /etc/passwd) THEN smbpasswd (or pdbedit) should complain UNLESS samba is automatically allocating uid/gid's.


Does smb.conf define an idmap ou in ldap?

Did you try configuring /etc/nsswitch.conf as follows?

    passwd:     files ldap
    shadow:     files ldap
    group:      files ldap

I use Apache Directory Studio for an ldap browser/editor; that (or a similar product) may help you poke around ldap and see what is being created. I don't have any of the smbldap scripts installed on my servers. What version of unix/linux are you using?
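The check behind this reply, as an added example that is not part of the thread: walk every passdb user, confirm NSS can resolve it, and compare the uid on both sides. The "username:uid:full name" input format is assumed from the pdbedit man page; the sample users and the fake_getent stand-in are constructed for an offline run.

```shell
#!/bin/sh
# Added example, not from the thread: audit every Samba passdb user for a
# backing Unix account reachable through NSS. A user that "pdbedit -L"
# lists but "getent passwd" cannot resolve is exactly the state behind
# "User inktec in passdb, but getpwnam() fails!" in the original post.
#
# Input on stdin: lines in the "pdbedit -L" form  username:uid:full name
# (format assumed from the pdbedit man page). LOOKUP defaults to the real
# NSS query and can be pointed at a stand-in function for offline runs.
LOOKUP=${LOOKUP:-getent passwd}

audit_passdb_users() {
    while IFS=: read -r user pdb_uid _rest; do
        [ -n "$user" ] || continue
        # NSS lookup failing is the smbd "getpwnam() fails" condition
        if ! pw=$($LOOKUP "$user" 2>/dev/null); then
            echo "MISSING $user"
            continue
        fi
        # A uid that differs between passdb and NSS also breaks the mapping
        nss_uid=$(printf '%s\n' "$pw" | cut -d: -f3)
        if [ "$nss_uid" != "$pdb_uid" ]; then
            echo "UIDMISMATCH $user passdb=$pdb_uid nss=$nss_uid"
        else
            echo "OK $user"
        fi
    done
}

# Constructed sample of "pdbedit -L" output (hypothetical users)
SAMPLE_PASSDB='olduser:1001:Old User
inktec:18664:Ink Tec
wronguid:1002:Wrong Uid'

# Constructed stand-in for "getent passwd": only two names resolve
fake_getent() {
    case "$1" in
        olduser)  echo 'olduser:x:1001:513:Old User:/home/olduser:/bin/sh' ;;
        wronguid) echo 'wronguid:x:2000:513:Wrong Uid:/home/wronguid:/bin/sh' ;;
        *)        return 2 ;;
    esac
}

# Live run against the real passdb and NSS:  sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    pdbedit -L | audit_passdb_users
fi
```

Offline, run it as `LOOKUP=fake_getent` and feed `$SAMPLE_PASSDB` on stdin to see one OK, one MISSING and one UIDMISMATCH line.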




On 05/25/2011 04:49 PM, Sean Boran wrote:
Hi,

@Gaiseric: Yes, I have option 2, the LDAP entries include UNIX account details such as UID. (I can for example, login via ssh with the ldap accounts: which shows that the unix account details are ok and nss works)
Samba is somehow not seeing ldap unix accounts though.
I've also now noticed that it is not seeing the group membership in ldap either, although "getent groups" and "id" show the groups.

@Takahashi: Log level 10 is interesting. But coincidentally, after enabling it and a delay of one day, the logins are working fine, even if the /etc/passwd entry is removed.

I'm going to have to do more tests, thanks for the tips though.

Sean

On 24 May 2011 18:15, Gaiseric Vandal <[email protected]> wrote:

    You still need a "unix" account to back the samba account-  this
    can be done in several ways
       -  have a local unix acct in /etc/passwd
       -  have the LDAP entry for your samba user also include your
    "unix" account info.
       -  have winbind allocate unix uid's and gid's dynamically for
    samba accounts in your local domain.


    I use option 2 -  LDAP for both unix and samba authentication.  I
    initially used nis for unix and TBD for samba, then moved both to
    a consolidated LDAP backend.

    If you don't need LDAP auth for unix level logins , it may be
    sufficient to add uid and gid to the LDAP entry and skip the unix
    password field.

    I have not tried option 3.



    On 05/23/2011 05:47 PM, Sean Boran wrote:

        Hi,

        I migrated a PDC to use an ldap backend and am having fun with
        a few last
        issues..
        Existing user accounts and machine accounts were migrated, and
        existing
        users can authenticate.

        Now I've added some new users and none of them can authenticate.
        e.g. for the user "inktec".

        The user can login via SSH, but not mount a share:
        smbclient \\\\server3\\someshare -U=inktec mypassword

        May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47,  0]
        passdb/pdb_get_set.c:211(pdb_get_group_sid)
        May 23 19:40:47 server3 smbd[7364]:   pdb_get_group_sid:
        Failed to find Unix
        account for inktec
        May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47,  1]
        auth/auth_util.c:577(make_server_info_sam)
        May 23 19:40:47 server3 smbd[7364]:   User inktec in passdb,
        but getpwnam()
        fails!
        May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47,  0]
        auth/auth_sam.c:355(check_sam_security)
        May 23 19:40:47 server3 smbd[7364]:   check_sam_security:
        make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'

        Samba can see the users and groups.
        The following find the user just fine:
        ldapsearch  -x  '(uid=inktec)'
        pdbedit -L -v inktec
        getent passwd inktec
        smbldap-usershow inktec

        id inktec
        uid=18664(inktec) gid=513(Domain Users) groups=513(Domain
        Users),203(buser)

        Users were added with the tool "smbldap-useradd -a", and also with
        "ldapadmin"...
        I also compared the ldap entries for users that work fine with
        the new users
        in ldap admin, they are basically the same.

        Perhaps related is that on a  Windows XP client in the domain,
        if inktec is
        added to a User Groups such as Remote Desktop Users, windows
        complains
        "Information return for object picket for object inktec was
        incomplete".

        Then by chance I added the test user (inktec) to /etc/passwd
        (but not to
        shadow), just to see. It worked!
        It's like the passwd line in nsswitch.conf is being ignored?
        group:  compat ldap
        passwd: compat ldap
        shadow: compat ldap
        But then why did "getent passwd inktec" work, and why would
        SSH login work?

        Before ldap I would add users with both "useradd" and
        "smbpasswd -a", but
        this should not be necessary with the ldap store?

        Thanks in advance,

        Sean


-- To unsubscribe from this list go to the following URL and read the
    instructions: https://lists.samba.org/mailman/options/samba
