Noah Dain
2006-Sep-11 16:24 UTC
[Samba] samba ldap pdc w/unix accounts: local unix and ldap unix users can't resolve uids to names on the server
* distro: ubuntu breezy ( 6.06 )
* samba version: shipped version with updates ( 3.0.22-1ubuntu3.1 )
* no ssl
* openLDAP is running on the same machine as samba, and referenced as localhost/127.0.0.1 where applicable ( 2.2.26-5ubuntu2.1 )
* nscd is not installed, much less running

I've set up a samba pdc with ldap by following the Samba Guide very closely, adapting it to Ubuntu/Debian where it seemed applicable, and I've had mostly success.

Windows clients work fine: they can join the domain, roaming profiles work, read/write to their respective shares.

However, when logged into the samba/ldap server, local users other than root cannot resolve names in ldap. No ldap accounts show up for 'getent passwd' or 'getent group'.

I can login to the system with an ldap user account, but when I do so I get:
NOTE: 'ndain' is a local account. 'dainn' is an ldap account.

ndain@sambapdc:~$ su dainn
Password:
id: cannot find name for group ID 513
id: cannot find name for group ID 512
I have no name!@sambapdc:/home/ndain$

/var/log/syslog records:
Sep 11 11:32:49 sambapdc bash: nss_ldap: could not search LDAP server - Operations error
Sep 11 11:32:49 sambapdc id: nss_ldap: could not search LDAP server - Operations error

However, if I set /etc/libnss-ldap.conf permissions to 644, everything works. Obviously, this is less than optimal as it has the "root" ldap account password in plaintext.
### nothing below but config files ###

## file: /etc/nsswitch.conf
## edited to incorporate changes from #3:
##http://us4.samba.org/samba/docs/man/Samba-Guide/happy.html#sbehap-nss02
passwd: files ldap
group: files ldap
shadow: files ldap
#hosts: files dns
hosts: files dns wins
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
# end /etc/nsswitch.conf

## file: /etc/libnss-ldap.conf
## ripped from: http://us4.samba.org/samba/docs/man/Samba-Guide/happy.html#sbehap-nss01
host 127.0.0.1
#base dc=abmas,dc=biz
base dc=sysgenmedia,dc=com
ldap_version 3
binddn cn=manager,dc=sysgenmedia,dc=com
bindpw MyPassWord
timelimit 50
bind_timelimit 50
bind_policy hard
idle_timelimit 3600
pam_password exop
#nss_base_passwd ou=People,dc=abmas,dc=biz?one
#nss_base_shadow ou=People,dc=abmas,dc=biz?one
#nss_base_group ou=Groups,dc=abmas,dc=biz?one
nss_base_passwd ou=People,dc=sysgenmedia,dc=com?one
nss_base_shadow ou=People,dc=sysgenmedia,dc=com?one
nss_base_group ou=Groups,dc=sysgenmedia,dc=com?one
ssl off
## end file: /etc/nsswitch.conf

--
Noah Dain
"I don't want to make toys, I want to be a dentist!"
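
Added example, not part of the original thread: a small Python audit of the trade-off described in the post above, where a root-only /etc/libnss-ldap.conf breaks lookups for non-root users and a 644 one exposes bindpw. The function names, finding labels and the cn=manager prefix heuristic are assumptions made for this illustration; the sample config is constructed from the listing in the post.

```python
import os
import stat
import tempfile

def audit_nss_ldap_conf(path, privileged_dns=("cn=manager",)):
    """Return findings for an nss_ldap client config (e.g. /etc/libnss-ldap.conf)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    world_readable = bool(mode & stat.S_IROTH)
    directives = {}
    with open(path) as fh:
        for raw in fh:
            parts = raw.strip().split(None, 1)
            if not parts or parts[0].startswith("#"):
                continue  # skip blank lines and comments
            directives[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    findings = []
    if "bindpw" in directives and world_readable:
        # Any local user can read the bind password.
        findings.append("EXPOSED_BINDPW")
    if not world_readable:
        # nss_ldap is loaded into each calling process, so non-root users
        # cannot read the config and their lookups fail.
        findings.append("UNREADABLE_BY_NON_ROOT")
    binddn = directives.get("binddn", "").lower()
    if "bindpw" in directives and binddn.startswith(tuple(privileged_dns)):
        # Assumption: privileged accounts are recognised by RDN prefix.
        findings.append("PRIVILEGED_BINDDN")
    return findings

def audit_text(text, mode):
    """Write constructed config text to a temp file with `mode` and audit it."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
        return audit_nss_ldap_conf(path)
    finally:
        os.unlink(path)

# Constructed sample, abridged from the config in the post above.
SAMPLE = """host 127.0.0.1
base dc=sysgenmedia,dc=com
binddn cn=manager,dc=sysgenmedia,dc=com
bindpw MyPassWord
#nss_base_passwd ou=People,dc=abmas,dc=biz?one
nss_base_passwd ou=People,dc=sysgenmedia,dc=com?one
"""

if __name__ == "__main__":
    for mode in (0o600, 0o644):
        print(oct(mode), audit_text(SAMPLE, mode))
```

An empty result requires a world-readable file with no bindpw, i.e. an anonymous bind. nss_ldap's rootbinddn directive, which reads its password from a separate root-only secret file, covers lookups that need the privileged account.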
Noah Dain
2006-Sep-12 14:20 UTC
[Samba] samba ldap pdc w/unix accounts: local unix and ldap unix users can't resolve uids to names on the server
On 9/11/06, Cleber P. de Souza <cleberps@gmail.com> wrote:
> You'll need to set up and start the nscd service on your machine.
> This will solve your problem.

Well, winbind and nscd don't get along together, as winbind does its own caching.
reference: http://us4.samba.org/samba/docs/man/Samba-Guide/happy.html#id2544165

> --
> ***
> Cleber P. de Souza

--
Noah Dain
"I don't want to make toys, I want to be a dentist!"