samba - Feb 2005 - PDC with NSVSD/smbpasswd ok, but MySQL backend not quite

Hi Folks,

Samba-3.0.11.

. Using /etc/passwd, /etc/group, smbpasswd - everything in the PDC world 
seems fine.

. Using /etc/passwd, /etc/group, MySQL backend - I can join the domain 
but get an error about not being able to find a domain controller when I 
try to login to the domain with an mysql user. Logging in as root is ok, 
but likely that is because I use both mysql and smbpasswd backends.

. Using the new NSS http://fssos.sourceforge.net/ works ok if I use 
smbpasswd.

. Once I switch to NSVS(NSS) and MySQL, I can not log any new users in, 
but, if I log in as user who originally got in by being in smbpasswd but 
has since been deleted from smbpasswd, I can continue to login 
successfully if they exist in the MySQL.

. net rpc group info <smbpasswd user>  gives all group info from
/etc/group.
. net rpc group info <mysql only user>  shows none of the groups they 
belong to regardless of there existance in /etc/passwd

Long story short... I can only get a new user logged into a PC via the 
domain for their first time if they have an entry in smbpasswd. After 
that, being in the MySQL backend appears to be enough.

I can pass along configs if needed, but since it works accept for the 
mysql change I didn't want to confuse the problem. I don't see the 
NSS/NSVS being any influence, but wanted to show how the solution was 
meant to fit together :).

Is this a known limitation in the MySQL backend or more likely, am I 
setting something up incorrectly?

thanks,
JES

James MacLean wrote:
> Hi Folks,
>
> Samba-3.0.11.
>
> . Using /etc/passwd, /etc/group, smbpasswd - everything in the PDC 
> world seems fine.
>
> . Using /etc/passwd, /etc/group, MySQL backend - I can join the domain 
> but get an error about not being able to find a domain controller when 
> I try to login to the domain with an mysql user. Logging in as root is 
> ok, but likely that is because I use both mysql and smbpasswd backends.
>
> . Using the new NSS http://fssos.sourceforge.net/ works ok if I use 
> smbpasswd.
>
> . Once I switch to NSVS(NSS) and MySQL, I can not log any new users 
> in, but, if I log in as user who originally got in by being in 
> smbpasswd but has since been deleted from smbpasswd, I can continue to 
> login successfully if they exist in the MySQL.
>
> . net rpc group info <smbpasswd user>  gives all group info from 
> /etc/group.
> . net rpc group info <mysql only user>  shows none of the groups they
> belong to regardless of there existance in /etc/passwd
>
> Long story short... I can only get a new user logged into a PC via the 
> domain for their first time if they have an entry in smbpasswd. After 
> that, being in the MySQL backend appears to be enough.
>
> I can pass along configs if needed, but since it works accept for the 
> mysql change I didn't want to confuse the problem. I don't see the 
> NSS/NSVS being any influence, but wanted to show how the solution was 
> meant to fit together :).
>
> Is this a known limitation in the MySQL backend or more likely, am I 
> setting something up incorrectly?
>
> thanks,
> JES
I am getting there :). I now have :

. The MySQL user table from examples/pdb/mysql/mysql.dump loaded from a 
file of users/passwords.
. The new NSS (FSSOS-NSVS) uses it to get the UID.
. Samba uses it for the MySQL backend - no smbpasswd backend.
. Using "net rpc rights" I was able to have a non-root user used to
join
a computer to a domain
. Log into the domain with users from the MySQL database.

The gotcha that was occurring above was that the SIDs I had been 
importing were not constructed from this Samba's local SID :
net getlocalsid

I then in haste had the wrong domain in the domain field, so one has to 
remember that :).

To change my localsid I did some drastic things :

1. rm /etc/samba/secrets.tdb
2. rm -f /var/lock/samba
3. mkdir /var/lock/samba
4. net setlocalsid <newsid>
5. Check they are ok with "net groupmap list"

But 'twas a new install so I did not mind.

I also added the administrator account -500 as described at the bottom 
of http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/rights.html
and mapped "Domain Users/Domain Admins/Domain guests/Administrators"
to
local unix accounts, which I verified with "net rpc user info
<someone>"
in the groups.

But I now see that the NT tool usrmgr has a problem looking that user 
accounts. The users all show up, but when I try to expand any I get :

The following error occurred accessing the properties of the user <user>
The stub received bad data.
The user properties can not be viewed or edited at this time.

Any advice :)?

JES