Vincent Farget
2006-Dec-06 16:27 UTC
[Samba] Problem with OpenLDAP/Samba/NSS -> ERROR : User xxx in passdb, but getpwnam() fails!
Hi everybody,

I have one SAMBA server (with PDC configuration) which is configured to use an OpenLDAP server (on the same local server) where user and computer accounts are stored (I want to have both the Unix/Linux and Samba account attributes stored, to use Name Service Switch and Pluggable Authentication Module).

My problem is as follows:
If I don't put the following line:
-> user1:x:527:400:Utilisateur 1:/home/user1:/bin/bash
in the '/etc/passwd' file, for a user, or:
-> pc046$:x:1110:582:Compte PC:/dev/null:/bin/false
for a computer, I can't connect and I have the following error in the '/var/log/samba/log.pc046' log file:
..........
[2006/11/28 11:51:48, 1] auth/auth_util.c:make_server_info_sam(840)
  User farget in passdb, but getpwnam() fails!
[2006/11/28 11:51:48, 0] auth/auth_sam.c:check_sam_security(324)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
..........

However, on my local server, if I type 'getent passwd | grep user1', I can see the following:
-> user1:x:527:400:Utilisateur 1:/home/user1:/bin/bash
and an 'ldapsearch -x -LLL' shows me all my directory without any problems!!!!

I saw several other mails from people who have the same 'getpwnam() fails!' error, but I didn't succeed in finding the solution!!!

So I want to know several things:
--------------------------------------

1.) What does SAMBA look for precisely when it executes the 'getpwnam()' function? One or several special OpenLDAP attributes?

2.) In the file '/etc/ldap/slapd.conf', what is 'index' used for?
Actually I have the following indexes:
..........
# Indexing options for database #1
index objectClass,uidNumber,gidNumber eq
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
..........
Are these indexes OK?

I see that if I add the following line:
-> index uid eq
the 'ldapsearch -x -LLL' output is EMPTY!!!!
Here is my Debian Sarge server files configuration:
-> 'slapd' (OpenLDAP) v2.2.23-8,
-> 'samba' v3.0.14a-3sarge2,
-> 'samba-doc' v3.0.14a-3sarge2 with 'smbldap-tools' v0.8.7,
-> 'libnss-ldap' v238-1,

===== OPENLDAP CONF FILE : /etc/ldap/slapd.conf =====
allow bind_v2
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/samba.schema
include /etc/ldap/schema/MozillaOrgPerson.schema
schemacheck on
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd.args
loglevel 264
modulepath /usr/lib/ldap
moduleload back_bdb
backend bdb
checkpoint 512 30
database bdb
suffix "dc=serveur,dc=domaine,dc=fr"
rootdn "cn=chef,dc=serveur,dc=domaine,dc=fr"
rootpw {SSHA}xYauMQ5tPSq77v+pF79TJjR73NYBhQwP
directory "/var/lib/ldap"
index objectClass,uidNumber,gidNumber eq
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
lastmod on
access to attrs=userPassword
    by dn="cn=chef,dc=serveur,dc=domaine,dc=fr" write
    by anonymous auth
    by self write
    by * none
access to attrs=sambaLMPassword
    by dn="cn=chef,dc=serveur,dc=domaine,dc=fr" write
    by anonymous auth
    by self write
    by * none
access to attrs=sambaNTPassword
    by dn="cn=chef,dc=serveur,dc=domaine,dc=fr" write
    by anonymous auth
    by self write
    by * none
access to attrs=jpegPhoto,mobile,mobileTelephoneNumber,telephoneNumber,street,streetAddress,facsimileTelephoneNumber,fax,postalCode
    by dn="cn=chef,dc=serveur,dc=domaine,dc=fr" write
    by anonymous read
    by self write
    by * read
access to dn.base="" by * read
access to *
    by dn="cn=chef,dc=serveur,dc=domaine,dc=fr" write
    by * read
===== END of OPENLDAP CONF FILE : /etc/ldap/slapd.conf =====

===== SAMBA CONF FILE : /etc/samba/smb.conf =====
[global]
workgroup = DOM
netbios name = PDC
server string = Serveur Intranet (domaine Domaine)
dns proxy = No
log file = /var/log/samba/log.%m
max log size = 1000
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = user
time server = Yes
encrypt passwords = Yes
passdb backend = ldapsam:ldap://localhost/
obey pam restrictions = No
ldap passwd sync = Yes
ldap admin dn = "cn=chef,dc=serveur,dc=domaine,dc=fr"
ldap ssl = Off
ldap suffix = dc=serveur,dc=domaine,dc=fr
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap machine suffix = ou=Computers
ldap delete dn = Yes
ldapsam:trusted = Yes
add user script = /usr/local/sbin/smbldap-useradd -m "%u"
add machine script = /usr/local/sbin/smbldap-useradd -w "%u"
add group script = /usr/local/sbin/smbldap-groupadd -p "%g"
add user to group script = /usr/local/sbin/smbldap-groupmod -m "%u" "%g"
delete user from group script = /usr/local/sbin/smbldap-groupmod -x "%u" "%g"
set primary group script = /usr/local/sbin/smbldap-usermod -g "%g" "%u"
load printers = Yes
printing = cups
printcap name = cups
printer admin = root
show add printer wizard = Yes
dos charset = 850
unix charset = ISO8859-15
preserve case = Yes
short preserve case = Yes
case sensitive = No
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
domain master = Yes
local master = Yes
domain logons = Yes
logon drive = u:
logon script = %U.bat
logon path = \\%N\%U\profile
logon home = \\%N\%U
hosts allow = 192.168.0.0/255.255.255.0

[netlogon]
comment = Partage service NetLogon (batch de connexion)
path = /netlogon
available = Yes
writeable = No
browseable = No

[homes]
comment = Partage perso (disque U)
available = Yes
writeable = Yes
create mask = 0700
directory mask = 0700
browseable = Yes

[print$]
comment = Partage driver Imprimantes reseaux
path = /etc/samba/new-drivers-imp
admin users = root
valid users = @lp
available = Yes
read only = Yes
write list = root
force user = root
force group = lp
create mask = 0750
directory mask = 0750
browseable = Yes
..... etc .....
===== END of SAMBA CONF FILE : /etc/samba/smb.conf =====

===== NSS CONF FILE : /etc/libnss-ldap.conf =====
host 127.0.0.1
base dc=serveur,dc=domaine,dc=fr
ldap_version 3
port 389
scope one
pam_filter objectclass=posixAccount
pam_login_attribute uid
pam_member_attribute gid
pam_password crypt
nss_base_passwd dc=serveur,dc=domaine,dc=fr?sub
nss_base_shadow ou=Users,dc=serveur,dc=domaine,dc=fr?sub
nss_base_group ou=Groups,dc=serveur,dc=domaine,dc=fr?one
nss_base_hosts ou=Computers,dc=serveur,dc=domaine,dc=fr?one
===== END of NSS CONF FILE : /etc/libnss-ldap.conf =====

===== NSS-SWITCH CONF FILE : /etc/nsswitch.conf =====
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
===== END of NSS-SWITCH CONF FILE : /etc/nsswitch.conf =====

'PAM' CONFIGURATION :

===== /etc/pam.d/common-account =====
account required pam_unix.so
account sufficient pam_ldap.so
===== END of : /etc/pam.d/common-account =====

===== /etc/pam.d/common-auth =====
auth required pam_unix.so nullok_secure
auth sufficient pam_ldap.so use_first_pass
===== END of : /etc/pam.d/common-auth =====

===== /etc/pam.d/common-password =====
password required pam_unix.so nullok obscure min=4 max=8 md5
password sufficient pam_ldap.so use_authtok
===== END of : /etc/pam.d/common-password =====

===== /etc/pam.d/common-session =====
session required pam_unix.so
session optional pam_ldap.so
===== END of : /etc/pam.d/common-session =====

Thanks in advance for your help,
Best regards.

--
M. FARGET Vincent
IGE - Systems Administrator / Laboratory IT Specialist
UMR 5020 - Laboratoire des Neurosciences et Systemes Sensoriels
Universite Claude Bernard LYON 1 - CNRS
50, avenue Tony Garnier 69366 LYON Cedex 07

## This message is signed by a CNRS certificate ##
http://igc.services.cnrs.fr/Doc/General/trust.html
http://www.urec.cnrs.fr/igc/Certifs_CNRS.html
#####
# For the signature to be valid, you must first
# retrieve the certificate of the CNRS-Plus
# certification authority by clicking on the link below:
http://igc.services.cnrs.fr/cgi-bin/viewca?cmd=load&CA=CNRS-Plus&ca=CNRS-Plus
Nathan Vidican
2006-Dec-06 19:01 UTC
[Samba] Problem with OpenLDAP/Samba/NSS -> ERROR : User xxx in passdb, but getpwnam() fails!
Vincent Farget wrote:
> [...]
Problem appears to be in your PAM config... you have pam_unix.so required before pam_ldap; and even then, you have pam_ldap as optional.

You should have something to this effect:

auth sufficient pam_ldap.so use_first_pass
auth required pam_unix.so
account sufficient pam_ldap.so
account required pam_unix.so

What you basically need to tell the system is that IF auth succeeds from ldap - then it's sufficient, else auth must succeed from unix. What you were telling the system was that auth from unix MUST succeed, THEN auth from ldap is ok.

It's really a simple fix, but you might want to read up a bit on your particular O/S's pam configuration.

Also, not to be picky... but you did supply copies of your config files (which is good), but it's generally a good idea to have obscured your passwords and specific information.

--
Nathan Vidican
nvidican@wmptl.com
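To make the ordering argument above concrete, here is an added example (editor's code, not from the thread and not Linux-PAM's own source) that models how Linux-PAM walks a stack built from the four classic control keywords and replays both common-auth orderings against a constructed local user and a constructed LDAP-only user. The account sets and the two backend stubs standing in for pam_unix.so and pam_ldap.so are assumptions made for the demonstration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class PamEntry:
    type: str               # auth | account | password | session
    control: str            # required | requisite | sufficient | optional
    module: str             # e.g. pam_unix.so
    args: Tuple[str, ...] = ()


# Classic keyword -> (action on success, action on failure), the way
# Linux-PAM expands them: ok/done count as positive, bad records a failure
# but keeps walking the stack, die stops at once, ignore discards the result.
ACTIONS = {
    "required":   ("ok",   "bad"),
    "requisite":  ("ok",   "die"),
    "sufficient": ("done", "ignore"),
    "optional":   ("ok",   "ignore"),
}

Backend = Callable[[str], bool]   # module name -> "does this user pass?"


def parse_pam_lines(text: str) -> List[PamEntry]:
    """Parse pam.d-style lines; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3 or parts[1] not in ACTIONS:
            raise ValueError(f"unsupported pam line: {raw!r}")
        entries.append(PamEntry(parts[0], parts[1], parts[2], tuple(parts[3:])))
    return entries


def evaluate_stack(stack: List[PamEntry], backends: Dict[str, Backend],
                   user: str) -> Tuple[bool, List[str]]:
    """Return (granted, trace). A failed 'required' poisons the final result
    but later modules still run; a successful 'sufficient' ends the stack
    early only if no required module has failed before it."""
    impression, status, trace = "undef", False, []
    for e in stack:
        ok = backends[e.module](user)
        action = ACTIONS[e.control][0 if ok else 1]
        trace.append(f"{e.type} {e.control} {e.module}: "
                     f"{'success' if ok else 'failure'} -> {action}")
        if action in ("ok", "done"):
            if impression == "undef":
                impression, status = "positive", True
            if action == "done" and impression == "positive":
                trace.append("decision: sufficient module succeeded, stop")
                return True, trace
        elif action == "bad":
            if impression != "negative":
                impression, status = "negative", False
        elif action == "die":
            trace.append("decision: requisite module failed, stop")
            return False, trace
        # "ignore": nothing recorded, keep walking the stack
    return status, trace


# Constructed accounts for the demonstration (not from the thread): root is
# a local /etc/passwd account, user1 and pc046$ exist only in the directory.
LOCAL_USERS = {"root"}
LDAP_USERS = {"user1", "pc046$"}
BACKENDS: Dict[str, Backend] = {
    "pam_unix.so": lambda u: u in LOCAL_USERS,
    "pam_ldap.so": lambda u: u in LDAP_USERS,
}

# The common-auth stack posted in the question, and the ordering proposed
# in the reply above.
ORIGINAL_AUTH = parse_pam_lines("""
auth required   pam_unix.so nullok_secure
auth sufficient pam_ldap.so use_first_pass
""")
CORRECTED_AUTH = parse_pam_lines("""
auth sufficient pam_ldap.so use_first_pass
auth required   pam_unix.so
""")


def outcome(stack: List[PamEntry], user: str) -> bool:
    """Convenience wrapper: True when the stack grants access to user."""
    return evaluate_stack(stack, BACKENDS, user)[0]
```

PAM only decides whether the password is accepted; the getpwnam() lookup named in the Samba log line is answered by NSS (nsswitch.conf and libnss-ldap), so that side must resolve the account as well.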
Vincent Farget
2006-Dec-11 07:02 UTC
[Samba] Problem with OpenLDAP/Samba/NSS -> ERROR : User xxx in passdb, but getpwnam() fails!
Hi,

I have solved my problem. The last two modifications before it worked were:

1.) In the configuration file of the SAMBA server, I HAVE ADDED:
obey pam restrictions = Yes
ldapsam:trusted = Yes
with
encrypt passwords = Yes

2.) In the configuration file of the NSS, I HAVE ADDED:
rootbinddn cn=chef,dc=server,dc=domaine,dc=fr
without forgetting the '/etc/ldap.secret' file with the password of the 'rootbinddn'.

Thanks again.
Bye.

Vincent Farget wrote:
> [...]
Nathan Vidican
2006-Dec-12 16:06 UTC
[Samba] Problem with OpenLDAP/Samba/NSS -> ERROR : User xxx in passdb, but getpwnam() fails!
Vincent Farget wrote:
> [...]
Problem appears to be in your PAM config... you have pam_unix.so required before pam_ldap; and even then, you have pam_ldap as optional.

You should have something to this effect:

auth sufficient pam_ldap.so use_first_pass
auth required pam_unix.so
account sufficient pam_ldap.so
account required pam_unix.so

What you basically need to tell the system is that IF auth succeeds from ldap - then it's sufficient, else auth must succeed from unix. What you were telling the system was that auth from unix MUST succeed, THEN auth from ldap is ok.

It's really a simple fix, but you might want to read up a bit on your particular O/S's pam configuration.

Also, not to be picky... but you did supply copies of your config files (which is good), but it's generally a good idea to have obscured your passwords and specific information. You also never specified which O/S you are running from, which does matter in some cases, especially to do with PAM.

Anyhow, hope this helps out.

--
Nathan Vidican
nvidican@wmptl.com