The smb.conf looks correct

On the BDC, does "pdbedit -L" show you all your domain users?
On the BDC, does "getent passwd" show you all your users?


I use ldap for both samba and unix backends, so "pdbedit -Lv" and "getent passwd" show me the same output for my domain users and local unix users. I don't need to use winbind/idmap to keep unix uids and gids consistent.


On the BDC, did you ever join the domain?  ("net join....")

On 06/15/2011 01:09 PM, Dermot wrote:
Hi,

I could use some confirmation on my approach to configuring my BDC. I
want the user to be able to access shares on the BDC and have their
domain credentials stamped on any files they create. I do not want to
add domain users to the /etc/passwd file. At the moment users can
authenticate onto the domain but once they try and access a share on
the BDC, these XP users get a dialogue box asking for a login. The log
for the machine reads:

[2011/06/15 17:07:11.827697,  1] auth/auth_util.c:580(make_server_info_sam)
   User djohn in passdb, but getpwnam() fails!
[2011/06/15 17:07:11.827841,  0] auth/auth_sam.c:493(check_sam_security)
   check_sam_security: make_server_info_sam() failed with
'NT_STATUS_NO_SUCH_USER'
[2011/06/15 17:07:11.834014,  1] auth/auth_util.c:580(make_server_info_sam)
   User djohn in passdb, but getpwnam() fails!
[2011/06/15 17:07:11.834088,  0] auth/auth_sam.c:493(check_sam_security)
   check_sam_security: make_server_info_sam() failed with
'NT_STATUS_NO_SUCH_USER'

At the same time on the ldap master (PDC) I see a search request
arrive for the same user and a successful response:

Jun 15 17:04:03 rigel slapd[648]: conn=2838 op=3 SEARCH RESULT tag=101
err=0 nentries=1 text=
Jun 15 17:04:03 rigel slapd[648]: conn=2838 op=4 SRCH
base="dc=example,dc=com" scope=2 deref=0
filter="(&(uid=djohn)(objectClass=sambaSamAccount))"
Jun 15 17:04:03 rigel slapd[648]: conn=2838 op=4 SRCH attr=uid
uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange
sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn
sn displayName sambaHomeDrive sambaHomePath sambaLogonScript
sambaProfilePath description sambaUserWorkstations sambaSID
sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName
objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount
sambaBadPasswordTime sambaPasswordHistory modifyTimestamp
sambaLogonHours modifyTimestamp uidNumber gidNumber homeDirectory
loginShell gecos
Jun 15 17:04:03 rigel slapd[648]: conn=2838 op=4 SEARCH RESULT tag=101
err=0 nentries=1 text=
Jun 15 17:04:03 rigel slapd[648]: conn=2838 fd=18 closed (connection lost)

The odd thing is this BDC is also in a replication system with the PDC
so it shouldn't need to forward the query.

I thought that if I had added ldap to the nsswitch.conf for the passwd
and group items, then ldap would be used when the domain users failed
to be retrieved from the passwd file.

The bigger confusion is around the configuration. Should I be able to
use an ldap backend and get the domain user's credentials when they
access a share?

I have tried to follow the instructions from
http://wiki.samba.org/index.php/Samba_%26_LDAP#Let_Samba_use_LDAP The
PAM section doesn't match my distro and I don't see any mention of
ldap in /etc/security/*

Can anyone help iron out some of the creases in my set-up?
Thanks,
Dermot.



==== BDC conf =====

[global]
    unix charset = LOCALE
    workgroup = MINE
    server string = SMB Server
    netbios name = antares
    security = user
    # tried this as domain but it still fails
#  hosts allow =

    load printers = no
;   printcap name = /etc/printcap
;   printcap name = lpstat
;   printing = cups
    cups options = raw
;  guest account = pcguest
    log file = /var/log/samba/%m.log
    log level = 1
    syslog = 0
    max log size = 50
    name resolve order = wins bcast hosts
    printcap name = CUPS
    show add printer wizard = no
    domain master = no
  #  passdb backend = ldapsam:ldap://127.0.0.1
    passdb backend = ldapsam:"ldap://127.0.0.1:389 ldap://rigel.example.com:389";
    ldap passwd sync = yes
    ldapsam:trusted = yes
    ldapsam:editposix = yes
    domain logons = yes
    os level = 63
    logon script = login.bat
    logon path =
    wins server = rigel.example.com
    ldap ssl = off
    client ldap sasl wrapping = plain
    ldap suffix = dc=example,dc=com
    ldap machine suffix = ou=Computers, ou=Users
    ldap user suffix = ou=Users
    ldap group suffix = ou=Group
    ldap idmap suffix = ou=idmap
    ldap admin dn = cn=admin,dc=example,dc=com
    utmp = Yes
    idmap backend = ldap://rigel.example.com
    idmap uid = 15000-20000
    idmap gid = 15000-20000
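
Added example, not from either poster: a POSIX shell script that runs the two checks the reply asks for (pdbedit -L versus getent passwd) and pulls the failing usernames out of log lines like the ones quoted above. pdbedit and getent are the real Samba/glibc tools; the function names and the sample data are the editor's assumptions.

```shell
#!/bin/sh
# Added example (not from either poster). Every account that Samba's
# passdb knows (pdbedit -L) must also resolve through NSS (getent passwd);
# otherwise Samba logs "User X in passdb, but getpwnam() fails!" and the
# share logon ends in NT_STATUS_NO_SUCH_USER.

# users_from_log LOGTEXT: usernames named in getpwnam() failure lines
users_from_log() {
    printf '%s\n' "$1" |
        sed -n 's/.*User \([^ ]*\) in passdb, but getpwnam() fails.*/\1/p' |
        sort -u
}

# passdb_only PASSDB_NAMES NSS_NAMES: names in passdb that NSS cannot resolve
passdb_only() {
    nss=" $(printf '%s' "$2" | tr '\n' ' ') "
    for u in $1; do
        case "$nss" in
            *" $u "*) ;;                 # resolvable via NSS: fine
            *) printf '%s\n' "$u" ;;     # getpwnam() will fail for this one
        esac
    done
}

# check_bdc: live version, run on the BDC as root.
# pdbedit -L prints "user:uid:fullname"; getent passwd prints passwd(5) lines.
check_bdc() {
    passdb_only "$(pdbedit -L 2>/dev/null | cut -d: -f1)" \
                "$(getent passwd | cut -d: -f1)"
}

# Constructed sample input, modelled on the log lines quoted in the post.
SAMPLE_LOG='[2011/06/15 17:07:11.827697,  1] auth/auth_util.c:580(make_server_info_sam)
   User djohn in passdb, but getpwnam() fails!
[2011/06/15 17:07:11.834014,  1] auth/auth_util.c:580(make_server_info_sam)
   User djohn in passdb, but getpwnam() fails!'
SAMPLE_PASSDB="djohn asmith"        # constructed: what pdbedit -L would list
SAMPLE_NSS="root asmith nobody"     # constructed: what getent passwd would list

# Offline demonstration: both report djohn, the account NSS cannot see.
users_from_log "$SAMPLE_LOG"
passdb_only "$SAMPLE_PASSDB" "$SAMPLE_NSS"
```

On a BDC with a working nsswitch.conf ldap entry check_bdc prints nothing; any name it prints is one the PDC's LDAP knows but the BDC's NSS does not.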
