I have the same experience. IMHO the problem is in the access rights to password attributes on LDAP (slapd). The recommended access to userPassword for anonymous is only auth (it's the right policy). The recommended configuration of nss_ldap is to use an anonymous bind for non-root processes (and it is also the right policy). Then when getpwnam() is called by an unprivileged process and nss_ldap tries to read the attribute userPassword among others from posixAccount, this must be an unsuccessful attempt (and it is right, but wrong to me). What to do? I think it is a mistake in nss_ldap behaviour. It must omit the userPassword attribute from the attributes read when called by a non-privileged process. My solution is simple, but wrong: weakening the access restrictions on the password attribute, or binding to LDAP as "manager" for all users.
M. Vancl
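The access policy this message describes, written out as an added configuration sketch (not part of the original post), with the two workarounds the author calls wrong shown commented out for contrast. The host name, `dc=example,dc=com` and the manager DN are placeholders, `attrs=` is the OpenLDAP 2.2+ spelling (older releases use `attr=`), and the secret file path is the usual nss_ldap default, assumed here.

```conf
# ---- slapd.conf (server side) ----------------------------------------
# Recommended policy from the message: anonymous may authenticate
# against userPassword (bind) but can never read the stored value.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Remaining posixAccount attributes (uid, uidNumber, gidNumber,
# homeDirectory, loginShell, ...) stay readable for account lookups.
access to *
    by * read

# Weakened variant the message calls wrong: exposes password hashes
# to every client, including anonymous ones. Keep it disabled.
# access to attrs=userPassword
#     by self write
#     by * read

# ---- /etc/ldap.conf (nss_ldap client side) ---------------------------
# Placeholder server and search base.
host ldap.example.com
base dc=example,dc=com

# No binddn/bindpw lines: non-root processes bind anonymously.

# Root processes bind with this DN; its password is kept in a
# root-only file (typically /etc/ldap.secret, mode 0600).
rootbinddn cn=manager,dc=example,dc=com

# Second workaround the message calls wrong: binding as "manager" for
# all users puts the manager password in a world-readable file.
# binddn cn=manager,dc=example,dc=com
# bindpw PLACEHOLDER
```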
