Re: [Samba] [more info] getpwnam fails on ldap

2005-12-12 Thread WebMaster
On Friday, 9 December 2005 00:46, tom burkart wrote:
 On Dec 8, Craig White wrote:
  if you can 'getent passwd|grep USER_NAME' then it works, if you can't,

 I can do that, yet it doesn't work on one of the servers.

 tom.


Hi,

Are you using person or account as objectclass? Could that be the problem?

PPablo
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/listinfo/samba


Re: [Samba] [more info] getpwnam fails on ldap

2005-12-08 Thread Josh Kelley
On 12/6/05, tom burkart [EMAIL PROTECTED] wrote:
 Yet getent passwd | grep username returns the entry from the ldap
 directory.  The only problem I have found is that getent shadow | grep
 username returns a username:x:::0 entry (ie cannot access
 shadow info).  All these commands are run as root so this should not be an
 issue.  But this seems to clear samba of being at fault and seems to point
 at nss_ldap.  I am somewhat guessing so I could be wrong here.

Did you make sure to set rootbinddn in /etc/ldap.conf and the root
password in /etc/ldap.secret?  Otherwise, getent shadow runs as an
unprivileged user, even as root.  Did you check permissions on
/etc/ldap.secret (should be mode 0600)?

Josh Kelley


Re: [Samba] [more info] getpwnam fails on ldap

2005-12-08 Thread WebMaster
On Thursday, 8 December 2005 15:53, Josh Kelley wrote:
 Did you make sure to set rootbinddn in /etc/ldap.conf and the root
 password in /etc/ldap.secret?  Otherwise, getent shadow runs as an
 unprivileged user, even as root.  Did you check permissions on
 /etc/ldap.secret (should be mode 0600)?

Oops, I had 0644 for /etc/ldap.secret. Could that be the problem? I have to wait
until Monday to get access to the XP machines; right now I only have ssh access.

I cannot understand why, if I copy the user data to /etc/passwd from ldap
(not /etc/shadow), the user can log in, and when I delete the user
from /etc/passwd I get a getpwnam failure. But I can use usrmgr.exe, and
smbclient works with the user data in ldap only, with no warning.

I have kerberos running and have a DNS server (with AD zones) on the same Linux
machine.

Thank you
PPablo



Re: [Samba] [more info] getpwnam fails on ldap

2005-12-08 Thread Craig White
On Thu, 2005-12-08 at 23:42 +0100, WebMaster wrote:
 On Thursday, 8 December 2005 15:53, Josh Kelley wrote:
  Did you make sure to set rootbinddn in /etc/ldap.conf and the root
  password in /etc/ldap.secret?  Otherwise, getent shadow runs as an
  unprivileged user, even as root.  Did you check permissions on
  /etc/ldap.secret (should be mode 0600)?
 
 Oops, I had 0644 for /etc/ldap.secret. Could that be the problem?

No - as long as root can read the file, it's not a problem. 

It is, however, a REALLY BAD IDEA to have /etc/ldap.secret anything
other than 0600. It lets everyone in the world read your rootbinddn
password.

 I have to wait until Monday to get access to the XP machines; right now I only
 have ssh access.
 
 I cannot understand why, if I copy the user data to /etc/passwd from ldap
 (not /etc/shadow), the user can log in, and when I delete the user
 from /etc/passwd I get a getpwnam failure. But I can use usrmgr.exe, and
 smbclient works with the user data in ldap only, with no warning.
 
 I have kerberos running and have a DNS server (with AD zones) on the same
 Linux machine.

If you can 'getent passwd|grep USER_NAME' then it works, if you can't,
then it doesn't work. When you add USER_NAME to /etc/passwd, it
obviously works. You have to fix your nss/ldap.conf situation so it can
get posix users from LDAP.

Craig

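The checks Josh Kelley and Craig White describe above (rootbinddn set, /etc/ldap.secret readable by root only, and whether getent shadow returns a real hash), as an added example that is not part of the original thread. The function names are hypothetical, and stat with the -c option (GNU or BusyBox) is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumes GNU or BusyBox stat (the -c option).

# check_ldap_secret CONF SECRET [OWNER_UID]
# Returns 0 only if rootbinddn is set and the secret file is private.
check_ldap_secret() {
    conf=$1; secret=$2; want_uid=${3:-0}; rc=0

    # Without an active rootbinddn line, lookups made by root bind with the
    # ordinary (unprivileged) identity from ldap.conf.
    if ! grep -Eq '^[[:space:]]*rootbinddn[[:space:]]+[^[:space:]]' "$conf"; then
        echo "FAIL: no rootbinddn set in $conf"; rc=1
    fi

    if [ ! -s "$secret" ]; then
        echo "FAIL: $secret is missing or empty"; return 1
    fi

    mode=$(stat -c '%a' "$secret")
    uid=$(stat -c '%u' "$secret")
    # Any group or other permission bit exposes the rootbinddn password.
    case $mode in
        [0-7]00) ;;
        *) echo "FAIL: $secret is mode $mode, expected 600"; rc=1 ;;
    esac
    if [ "$uid" != "$want_uid" ]; then
        echo "FAIL: $secret is owned by uid $uid, expected $want_uid"; rc=1
    fi
    return "$rc"
}

# shadow_hash_visible LINE
# Returns 0 if field 2 of a 'getent shadow' line holds more than a
# placeholder, i.e. the lookup was allowed to read the password hash.
shadow_hash_visible() {
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case $field in
        ''|x|'*') return 1 ;;
        *) return 0 ;;
    esac
}
```

Run as root on the affected server, check_ldap_secret /etc/ldap.conf /etc/ldap.secret reports each failed condition, and shadow_hash_visible can be given a single line of getent shadow output.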


Re: [Samba] [more info] getpwnam fails on ldap

2005-12-08 Thread WebMaster
On Thursday, 8 December 2005 23:54, Craig White wrote:
 if you can 'getent passwd|grep USER_NAME' then it works, if you can't,
 then it doesn't work. When you add USER_NAME to /etc/passwd, it
 obviously works. You have to fix your nss/ldap.conf situation so it can
 get posix users from LDAP

 Craig

Yes, but I can log in with an ldap-only user on shell, imap, ... but not with an
XP login into the samba server.

When I do wbinfo -u from a trusting domain PDC I get the username, and I can do

su -l DOMA+user


on the other samba and

ntlm_auth --username=user --password=mipass --domain=DOMA
NT_STATUS_OK: Success (0x0)

too. This user is not in files, only in ldap.

I will go on looking for my bug. I think it must be nss_ldap
(nss_ldap-234-5), /etc/ldap.conf or glibc (glibc-2.3.5-10.3).

Thank you
Ppablo


Re: [Samba] [more info] getpwnam fails on ldap

2005-12-08 Thread tom burkart

On Dec 8, Josh Kelley wrote:
 On 12/6/05, tom burkart [EMAIL PROTECTED] wrote:
  Yet getent passwd | grep username returns the entry from the ldap
  directory.  The only problem I have found is that getent shadow | grep
  username returns a username:x:::0 entry (ie cannot access
  shadow info).  All these commands are run as root so this should not be an

 Did you make sure to set rootbinddn in /etc/ldap.conf and the root
 password in /etc/ldap.secret?  Otherwise, getent shadow runs as an
 unprivileged user, even as root.  Did you check permissions on
 /etc/ldap.secret (should be mode 0600)?

Yes, yes, correct, yes.
What is more strange is that on both servers this is what gets returned, 
yet using samba, one works, the other doesn't.



From my debugging so far:
What is more interesting is that samba actually uses the rootbinddn for 
the machine login, then retrieves the user information (correctly).  Then 
for some reason it switches to the proxyuser (as defined in ldap.conf) 
which has little privilege, and then does something else which then fails 
with the getpwnam error.


I am in the process of making sure every binary on both machines is
identical to see what happens...


tom.


Re: [Samba] [more info] getpwnam fails on ldap

2005-12-08 Thread tom burkart

On Dec 8, Craig White wrote:
 if you can 'getent passwd|grep USER_NAME' then it works, if you can't,

I can do that, yet it doesn't work on one of the servers.

tom.


Re: [Samba] [more info] getpwnam fails on ldap

2005-12-07 Thread WebMaster
On Tuesday, 6 December 2005 09:35, tom burkart wrote:
 getent shadow
Well, when I do getent shadow I get:

moran:x:12037::9:7:::0
moran:x:13122:0:9:7:::
(second from files)

My temporary solution is to modify the add user script and the add machine
script to do something like:
smbldap-useradd -m "$1"
# UID is read-only in bash, so use a different variable name
NEW_UID=$(id -u "$1")
useradd -u "$NEW_UID" -g 513 "$1"

and similar for machines.

I will go on looking for what's wrong.


Re: [Samba] [more info] getpwnam fails on ldap

2005-12-07 Thread tom burkart

On Dec 7, WebMaster wrote:
 Well, when I do getent shadow I get:
 moran:x:12037::9:7:::0
 moran:x:13122:0:9:7:::
 (second from files)

Yours has the same problem.  It does not return the encrypted password for
some reason and that is why it fails.  I guess the main search area is
glibc and nss_ldap.


tom.


Re: [Samba] [more info] getpwnam fails on ldap

2005-12-06 Thread tom burkart

Today, tom burkart wrote:

I have noticed the same issue here, that only came to light as I started 
deleting user entries from the files (passwd, shadow, group) as part of the 
migration process.  What is more frustrating is that the server that has the 
master ldap server works fine, but the slave instance is the one that has the 
problems described above, yet both run identical binaries (same RPMS 
installed).
I have patched samba-3.0.14a/source/lib/util_pw.c:getpwnam_alloc(111) to 
return the actual errno that is set by sys_getpwnam() and it is 2 (no such 
file or directory).
Yet getent passwd | grep username returns the entry from the ldap 
directory.  The only problem I have found is that getent shadow | grep 
username returns a username:x:::0 entry (ie cannot access 
shadow info).  All these commands are run as root so this should not be an 
issue.  But this seems to clear samba of being at fault and seems to point 
at nss_ldap.  I am somewhat guessing so I could be wrong here.


Anyway, it is now after hours and I can run tests as required so I am 
calling for ideas as to what to test next.


tom.