Hi,

We have a linux/samba only domain serving files to about 16-18 Windows
clients (mostly XP, a few W2K).

PDC:
SuSE OpenXchange 4.4
samba 2.2.8a
openldap 2.1.4

Domain Member Server (DMS)
CentOS 4.4
samba 3.0.10

I set the Domain Member Server up using the default passdb backend
(/etc/samba/smbpasswd) to start with and that all worked fine.

I would like to use LDAP for centralised authentication and have
re-compiled using --with-ldapsam because the PDC uses the older (Version
2) of the Samba LDAP schema. (see smb.conf below for params).

I've joined the DOMAIN with:
# net rpc join
Join to 'DOMAIN' is OK

I've set the ldap_bind_password in secrets.tdb with:
# smbpasswd -w <secret>
Setting stored password for "uid=root,dc=somedomain,dc=com" in secrets.tdb

# smbclient -L DMS -N

gives the following error in the host log:
---8<---
auth/auth_domain.c:domain_client_validate(199)
domain_client_validate: unable to validate password for user root in
domain DOMAIN to Domain controller \\PDC. Error was
NT_STATUS_WRONG_PASSWORD.
---8<---

and when I try to connect to a share I get this:
# smbclient //DMS/share -U validuser
---8<---
auth/auth_util.c:make_server_info_info3(1177)
make_server_info_info3: pdb_init_sam failed!
---8<---

Connections directly to the PDC from the DMS work fine:
# smbclient //PDC/someshare -U validuser
Password:
Domain=[DOMAIN] OS=[Unix] Server=[Samba 2.2.8a-UL]
smb: \> quit

Can anyone please help with these errors? I can't seem to crack it open
myself

Thanks in advance,

Tom

---8<---
[global]
server string = %h :-D
netbios name = dms
workgroup = DOMAIN

security = domain
password server = PDC
encrypt passwords = Yes
null passwords = yes

guest ok = no

wins support = no
wins proxy = no
wins server = xxx.xxx.xxx.xxx

domain master = no
local master = no
preferred master = no
os level = 0

log level = 0
log file = /var/log/samba/%m.log
max log size = 0

bind interfaces only = yes
interfaces = xxx.xxx.xxx.xxx
smb ports = 139
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

passdb backend = ldapsam_compat:ldap://pdc.somedomain.com
ldap suffix = dc=somedomain,dc=com
ldap port = 389
ldap server = pdc.somedomain.com
ldap admin dn = uid=root,dc=somedomain,dc=com
ldap filter = (&(uid=%u)(objectclass=sambaAccount))
ldap ssl = no
---8<---

Tom Robinson
2007-Jan-30 12:19 UTC
[Samba] machine accounts mapped to non-unique uid (was make_server_info_info3: pdb_init_sam failed!)
Hi,

Well I partially fixed the problem myself but I'm still having trouble
connecting.

On the PDC I had to adjust the LDAP acl's to allow the DMS read access to
the ldap databases.

On the DMS I used system-config-authentication to adjust
/etc/nsswitch.conf, the pam settings and /etc/ldap.conf so that nss_ldap
is now called to retrieve remote ldap information from the PDC.

Previous to the above changes pdbedit -L showed all users having the same
uid (4294967295). After the change, users have the correct and unique
uid's but all the machine accounts still show the strange uid of
4294967295.

Is this still an LDAP acl problem or is it a samba configuration error?

client connects still fail with:

# smbclient //DMS/share -U DOMAIN/validuser
Password:
Domain=[DOMAIN] OS=[Unix] Server=[Samba 3.0.10-1.4E.9.ispl]
tree connect failed: NT_STATUS_NO_SUCH_USER

---8<---
logging with log level set at passdb:4 and auth:4 shows:

[2007/01/30 11:30:43, 4] passdb/secrets.c:secrets_fetch_trust_account_password(290)
  Using cleartext machine password
[2007/01/30 11:30:43, 3] auth/auth.c:check_ntlm_password(219)
  check_ntlm_password: Checking password for unmapped user [DOMAIN]\[validuser]@[DMS] with the new password interface
[2007/01/30 11:30:43, 3] auth/auth.c:check_ntlm_password(222)
  check_ntlm_password: mapped user is: [DOMAIN]\[validuser]@[DMS]
[2007/01/30 11:30:43, 4] passdb/secrets.c:secrets_fetch_trust_account_password(290)
  Using cleartext machine password
[2007/01/30 11:30:43, 4] passdb/secrets.c:secrets_fetch_trust_account_password(290)
  Using cleartext machine password
[2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
  ldapsam_getgroup: Did not find group
[2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
  ldapsam_getgroup: Did not find group
[2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
  ldapsam_getgroup: Did not find group
[2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
  ldapsam_getgroup: Did not find group
[2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
  ldapsam_getgroup: Did not find group
[2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
  ldapsam_getgroup: Did not find group
[2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
  ldapsam_getgroup: Did not find group
[2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
  ldapsam_getgroup: Did not find group
[2007/01/30 11:30:43, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
  ldapsam_getgroup: Did not find group
[2007/01/30 11:30:43, 3] auth/auth.c:check_ntlm_password(268)
  check_ntlm_password: winbind authentication for user [validuser] succeeded
[2007/01/30 11:30:43, 2] auth/auth.c:check_ntlm_password(305)
  check_ntlm_password: authentication for user [validuser] -> [validuser] -> [validuser] succeeded
---8<---

Also, when smbd starts up I see this in the logs:
---8<---
[2007/01/30 11:30:16, 0] smbd/server.c:main(760)
  smbd version 3.0.10-1.4E.9.ispl started.
  Copyright Andrew Tridgell and the Samba Team 1992-2004
[2007/01/30 11:30:16, 4] passdb/pdb_ldap.c:ldapsam_getsampwsid(1382)
  ldapsam_getsampwsid: Unable to locate SID [S-1-5-21-712055757-3001861959-2674381142-501] count=0
[2007/01/30 11:30:16, 4] passdb/pdb_ldap.c:ldapsam_getgroup(2117)
  ldapsam_getgroup: Did not find group
---8<---

Any help appreciated!

Thanks in advance,

Tom

DMS LDAP Changes for nss_ldap:

/etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
protocols:  files ldap
services:   files ldap
netgroup:   files ldap
automount:  files ldap

/etc/ldap.conf
host PDC
base dc=somedomain,dc=com
timelimit 120
bind_timelimit 120
idle_timelimit 3600
ssl no
pam_password md5

/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so

DMS smb.conf
[global]
server string = %h :-D
netbios name = DMS
workgroup = DOMAIN

security = domain
password server = PDC
encrypt passwords = Yes
null passwords = yes

guest ok = no

wins support = no
wins proxy = no
wins server = xxx.xxx.xxx.xxx

domain master = no
local master = no
preferred master = no
os level = 10

log level = 0 passdb:4 auth:4
log file = /var/log/samba/%m.log
max log size = 0

bind interfaces only = yes
interfaces = xxx.xxx.xxx.xxx
smb ports = 139
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

passdb backend = ldapsam_compat:ldap://pdc.somedomain.com
ldap suffix = dc=somedomain,dc=com
ldap server = pdc.somedomain.com
ldap admin dn = uid=cyrus,dc=somedomain,dc=com
ldap filter = (&(uid=%u)(objectclass=sambaAccount))
ldap ssl = off
ldap delete dn = no

Tom Robinson wrote:
> Hi,
>
> We have a linux/samba only domain serving files to about 16-18 Windows
> clients (mostly XP, a few W2K).
>
> PDC:
> SuSE OpenXchange 4.4
> samba 2.2.8a
> openldap 2.1.4
>
> Domain Member Server (DMS)
> CentOS 4.4
> samba 3.0.10
>
> I set the Domain Member Server up using the default passdb backend
> (/etc/samba/smbpasswd) to start with and that all worked fine.
>
> I would like to use LDAP for centralised authentication and have
> re-compiled using --with-ldapsam because the PDC uses the older (Version
> 2) of the Samba LDAP schema. (see smb.conf below for params).
>
> I've joined the DOMAIN with:
> # net rpc join
> Join to 'DOMAIN' is OK
>
> I've set the ldap_bind_password in secrets.tdb with:
> # smbpasswd -w <secret>
> Setting stored password for "uid=root,dc=somedomain,dc=com" in secrets.tdb
>
> # smbclient -L DMS -N
>
> gives the following error in the host log:
> ---8<---
> auth/auth_domain.c:domain_client_validate(199)
> domain_client_validate: unable to validate password for user root in
> domain DOMAIN to Domain controller \\PDC. Error was
> NT_STATUS_WRONG_PASSWORD.
> ---8<---
>
> and when I try to connect to a share I get this:
> # smbclient //DMS/share -U validuser
> ---8<---
> auth/auth_util.c:make_server_info_info3(1177)
> make_server_info_info3: pdb_init_sam failed!
> ---8<---
>
> Connections directly to the PDC from the DMS work fine:
> # smbclient //PDC/someshare -U validuser
> Password:
> Domain=[DOMAIN] OS=[Unix] Server=[Samba 2.2.8a-UL]
> smb: \> quit
>
> Can anyone please help with these errors? I can't seem to crack it open
> myself
>
> Thanks in advance,
>
> Tom
>
> ---8<---
> [global]
> server string = %h :-D
> netbios name = dms
> workgroup = DOMAIN
>
> security = domain
> password server = PDC
> encrypt passwords = Yes
> null passwords = yes
>
> guest ok = no
>
> wins support = no
> wins proxy = no
> wins server = xxx.xxx.xxx.xxx
>
> domain master = no
> local master = no
> preferred master = no
> os level = 0
>
> log level = 0
> log file = /var/log/samba/%m.log
> max log size = 0
>
> bind interfaces only = yes
> interfaces = xxx.xxx.xxx.xxx
> smb ports = 139
> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
>
> passdb backend = ldapsam_compat:ldap://pdc.somedomain.com
> ldap suffix = dc=somedomain,dc=com
> ldap port = 389
> ldap server = pdc.somedomain.com
> ldap admin dn = uid=root,dc=somedomain,dc=com
> ldap filter = (&(uid=%u)(objectclass=sambaAccount))
> ldap ssl = no
> ---8<---
>
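
Added example, not part of the original thread: 4294967295 is 2^32 - 1, which is how a uid of -1 (the conventional "no such uid" value) prints as an unsigned 32-bit number. The script filters `pdbedit -L` output for that sentinel, separates machine accounts (names ending in `$`) from users, and asks NSS about each flagged name; the sample input is constructed, and using `getent` as the NSS check is an assumption about the member server's setup.

```sh
#!/bin/sh
# Flag accounts that `pdbedit -L` lists with uid 4294967295 (2^32 - 1,
# i.e. -1 printed as an unsigned 32-bit number) and check them against NSS.

# Constructed sample in the `pdbedit -L` layout (username:uid:full name).
sample_pdbedit() {
cat <<'EOF'
validuser:1001:Valid User
otheruser:1002:Other User
root:0:root
ws01$:4294967295:
ws02$:4294967295:
EOF
}

# Read pdbedit -L output on stdin; print "<kind> <name>" for every account
# carrying the sentinel uid. Names ending in "$" are machine accounts.
# The uid is compared as a string so no awk number formatting is involved.
unmapped_accounts() {
    awk -F: '
        $2 == "4294967295" {
            kind = ($1 ~ /\$$/) ? "machine" : "user"
            print kind, $1
        }'
}

# For each flagged account, ask NSS directly. Assumption: getent is
# installed and nsswitch.conf lists ldap for passwd, as in the post.
check_nss() {
    while read -r kind name; do
        if getent passwd "$name" >/dev/null 2>&1; then
            echo "$kind $name: resolvable through NSS"
        else
            echo "$kind $name: not resolvable through NSS"
        fi
    done
}

# Live use on the member server: pdbedit -L | unmapped_accounts | check_nss
sample_pdbedit | unmapped_accounts | check_nss
```
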