Thomas Maschutznig
2006-May-09 15:55 UTC
[Samba] Joining Domain on Solaris, Get_Pwnam_internals didn't find user
Hi
I am running samba 3.0.22 on Solaris 10 x86, using a Sun Directory
Server as ldapsam backend. The samba schema used is the recent version
from .22, and I am using the IDEALX smbldap-tools 0.9.2.
I split users, computers and groups into 3 different OUs and configured
samba, smbldap-tools and Solaris ldapclient respectively.
smb.conf:
ldap suffix = dc=new10,dc=com
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 0 -w "%u"
(I also tried -w "%m")
smbldap.conf:
suffix="dc=new10,dc=com"
usersdn="ou=Users,${suffix}"
computersdn="ou=Computers,${suffix}"
groupsdn="ou=Groups,${suffix}"
scope="sub"
ldapclient profile:
serviceSearchDescriptor: group:ou=Groups,dc=new10,dc=com?sub
serviceSearchDescriptor:
passwd:ou=Users,dc=new10,dc=com?sub;ou=Computers,dc=new10,dc=com?sub
nsswitch points to files and ldap for group and passwd.
When I try to join a Win2k SP3 or WinXP SP2 to the Domain, it says
"The username could not be found" - in smbd.log I see
"Get_Pwnam_internals didn't find user [sambaclient$]!"
However, getent and id do find the user right after this failed join:
# getent passwd|grep -i sambaclient
sambaclient$:x:2018:515:Computer:/dev/null:/bin/false
# id -a sambaclient$
uid=2018(sambaclient$) gid=515(Domain Computers) groups=515(Domain Computers)
and there is indeed a posixAccount entry in ou=Computers, lacking
sambaSamAccount:
http://kaneda.flakcannon.org/samba3/sambaclient_first.ldif
If I try to join the same PC a second time, it succeeds and the entry in
ou=Computers gets sambaSamAccount. Domain users can login fine on the PC
then:
http://kaneda.flakcannon.org/samba3/sambaclient_second.ldif
I can add the machine by running "smbldap-useradd -t 0 -w sambaclient"
fine without any error.
I have logged at level 10, the log files can be found here:
http://kaneda.flakcannon.org/samba3/smbd.log
http://kaneda.flakcannon.org/samba3/sambaclient.log
From the sambaclient.log it looks like the search right after running
smbldap-useradd fails. I checked the LDAP server access log and I cannot
find any search after the "ADD DN", see the access log here:
http://kaneda.flakcannon.org/samba3/sun_ldap_access.log
I am a bit clueless why the first join always fails because of not
finding the computer account which seems to have just been added.
Did I miss something?
cheers,
thomas
Thomas Maschutznig
2006-May-11 11:00 UTC
[Samba] Re: Joining Domain on Solaris, Get_Pwnam_internals didn't find user
Hi,
Well, I figured it out myself. The Samba configuration was basically ok, so was the config of the smbldap-tools and nsswitch. The mistake was that on Solaris 10 nscd is running by default and performing 5 seconds "negative" caching for group, passwd, hosts etc.:
nscd.conf:
negative-time-to-live passwd 5
negative-time-to-live group 5
negative-time-to-live hosts 5
Together with my smb.conf...
add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 0 -w "%u"
...this produced the strange LDAP log without any SEARCH after ADD DN - as well as the error that samba couldn't find the user, as samba's first search correctly returned "not found" and after ADD DN, the second "not found" came directly from nscd's cache.
Any combination of a "negative-time-to-live passwd" in nscd.conf with a greater-than-that "-t" parameter in smb.conf works fine for me. I have lowered the nscd TTL to 3s and -t is set to 8s; turning negative caching off will most likely have performance implications so I decided not to, but YMMV.
Maybe this should be pointed out in the Samba HOWTO/examples and/or IDEALX installation guide as a hint for Solaris users, as 5s in nscd and "-t 0" are the default settings.
cheers,
thomas
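The timing rule from the reply above (the smbldap-useradd "-t" delay must exceed nscd's negative passwd TTL, or samba's lookup right after "add machine script" is answered from nscd's "not found" cache) can be checked mechanically. The script below is an added example, not part of the thread or of Samba/smbldap-tools; it reads constructed copies of nscd.conf and smb.conf written to a temp directory and flags the "-t 0" / 5s combination that caused the failed first join.

```shell
#!/bin/sh
# Added example: verify that the "-t N" delay in smb.conf's add machine script
# is larger than nscd's negative-time-to-live for passwd. Config files below
# are constructed samples reproducing the before/after settings from the thread.

# Extract "negative-time-to-live passwd N" from an nscd.conf; the Solaris 10
# default of 5 seconds (as stated in the thread) applies if the line is absent.
nscd_negative_ttl() {
    ttl=$(sed -n 's/^[[:space:]]*negative-time-to-live[[:space:]]*passwd[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    echo "${ttl:-5}"
}

# Extract the "-t N" delay from the add machine script line; 0 if no -t given.
smb_add_machine_delay() {
    delay=$(sed -n 's/^[[:space:]]*add machine script[[:space:]]*=.*-t[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1)
    echo "${delay:-0}"
}

# Returns 0 when -t exceeds the negative TTL, 1 when the first join would fail.
check_join_timing() {
    ttl=$(nscd_negative_ttl "$1")
    delay=$(smb_add_machine_delay "$2")
    if [ "$delay" -gt "$ttl" ]; then
        echo "ok: -t $delay > nscd negative passwd TTL $ttl"
        return 0
    fi
    echo "WARNING: -t $delay <= nscd negative passwd TTL $ttl; lookup after add will hit the negative cache"
    return 1
}

# Constructed sample configs: the failing defaults and the working combination.
tmp=${TMPDIR:-/tmp}/smb_nscd_check.$$
mkdir -p "$tmp"
printf 'negative-time-to-live passwd 5\nnegative-time-to-live group 5\n' > "$tmp/nscd.conf"
printf '[global]\n  add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 0 -w "%%u"\n' > "$tmp/smb.conf.before"
printf 'negative-time-to-live passwd 3\n' > "$tmp/nscd.conf.fixed"
printf '[global]\n  add machine script = /opt/IDEALX/sbin/smbldap-useradd -t 8 -w "%%u"\n' > "$tmp/smb.conf.after"

check_join_timing "$tmp/nscd.conf" "$tmp/smb.conf.before" || true
check_join_timing "$tmp/nscd.conf.fixed" "$tmp/smb.conf.after" || true
```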