Sean Boran
2011-May-23 21:47 UTC
[Samba] Cannot authenticate new ldap users (unless they are in /etc/passwd too)
Hi,

I migrated a PDC to use an ldap backend and am having fun with a few last issues..
Existing user accounts and machine accounts were migrated, and existing users can authenticate.

Now I've added some new users and none of them can authenticate, e.g. for the user "inktec".

The user can login via SSH, but not mount a share:
smbclient \\\\server3\\someshare -U=inktec mypassword

May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47, 0] passdb/pdb_get_set.c:211(pdb_get_group_sid)
May 23 19:40:47 server3 smbd[7364]:   pdb_get_group_sid: Failed to find Unix account for inktec
May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47, 1] auth/auth_util.c:577(make_server_info_sam)
May 23 19:40:47 server3 smbd[7364]:   User inktec in passdb, but getpwnam() fails!
May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47, 0] auth/auth_sam.c:355(check_sam_security)
May 23 19:40:47 server3 smbd[7364]:   check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'

Samba can see the users and groups. The following find the user just fine:
ldapsearch -x '(uid=inktec)'
pdbedit -L -v inktec
getent passwd inktec
smbldap-usershow inktec

id inktec
uid=18664(inktec) gid=513(Domain Users) groups=513(Domain Users),203(buser)

Users were added with the tool "smbldap-useradd -a", and also with "ldapadmin"...
I also compared the ldap entries for users that work fine with the new users in ldap admin; they are basically the same.

Perhaps related is that on a Windows XP client in the domain, if inktec is added to a User Group such as Remote Desktop Users, windows complains "Information return for object picket for object inktec was incomplete".

Then by chance I added the test user (inktec) to /etc/passwd (but not to shadow), just to see. It worked!
It's like the passwd line in nsswitch.conf is being ignored?
group: compat ldap
passwd: compat ldap
shadow: compat ldap
But then why did "getent passwd inktec" work, and why would SSH login work?

Before ldap I would add users with both "useradd" and "smbpasswd -a", but this should not be necessary with the ldap store?

Thanks in advance,

Sean
TAKAHASHI Motonobu
2011-May-23 23:22 UTC
[Samba] Cannot authenticate new ldap users (unless they are in /etc/passwd too)
From: Sean Boran <sean at boran.com>
Date: Mon, 23 May 2011 23:47:41 +0200

(snip)
> Now I've added some new users and none of them can authenticate.
> e.g. for the user "inktec".
>
> The user can login via SSH, but not mount a share:
> smbclient \\\\server3\\someshare -U=inktec mypassword
(snip)
> May 23 19:40:47 server3 smbd[7364]: User inktec in passdb, but getpwnam()
> fails!
> May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47, 0]
> auth/auth_sam.c:355(check_sam_security)
> May 23 19:40:47 server3 smbd[7364]: check_sam_security:
> make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'

According to these logs, you probably failed at Get_Pwnam_alloc() in lib/username.c, referenced by make_server_info_sam() in auth/auth_util.c.

Adding "-d10" to smbclient, you may see useful messages to analyze, such as:
* Get_Pwnam: empty username!
* Finding user
* Trying _Get_Pwnam(), username given as ...

---
TAKAHASHI Motonobu <monyo at samba.gr.jp>
Gaiseric Vandal
2011-May-24 16:15 UTC
[Samba] Cannot authenticate new ldap users (unless they are in /etc/passwd too)
You still need a "unix" account to back the samba account. This can be done in several ways:
- have a local unix acct in /etc/passwd
- have the LDAP entry for your samba user also include your "unix" account info.
- have winbind allocate unix uid's and gid's dynamically for samba accounts in your local domain.

I use option 2 - LDAP for both unix and samba authentication. I initially used nis for unix and TBD for samba, then moved both to a consolidated LDAP backend. If you don't need LDAP auth for unix level logins, it may be sufficient to add uid and gid to the LDAP entry and skip the unix password field.

I have not tried option 3.

On 05/23/2011 05:47 PM, Sean Boran wrote:
> Hi,
>
> I migrated a PDC to use an ldap backend and am having fun with a few last
> issues..
> Existing user accounts and machine accounts were migrated, and existing
> users can authenticate.
>
> Now I've added some new users and none of them can authenticate.
> e.g. for the user "inktec".
>
> The user can login via SSH, but not mount a share:
> smbclient \\\\server3\\someshare -U=inktec mypassword
>
> May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47, 0]
> passdb/pdb_get_set.c:211(pdb_get_group_sid)
> May 23 19:40:47 server3 smbd[7364]: pdb_get_group_sid: Failed to find Unix
> account for inktec
> May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47, 1]
> auth/auth_util.c:577(make_server_info_sam)
> May 23 19:40:47 server3 smbd[7364]: User inktec in passdb, but getpwnam()
> fails!
> May 23 19:40:47 server3 smbd[7364]: [2011/05/23 19:40:47, 0]
> auth/auth_sam.c:355(check_sam_security)
> May 23 19:40:47 server3 smbd[7364]: check_sam_security:
> make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
>
> Samba can see the users and groups.
> The following find the user just fine:
> ldapsearch -x '(uid=inktec)'
> pdbedit -L -v inktec
> getent passwd inktec
> smbldap-usershow inktec
>
> id inktec
> uid=18664(inktec) gid=513(Domain Users) groups=513(Domain Users),203(buser)
>
> Users were added with the tool "smbldap-useradd -a", and also with
> "ldapadmin"...
> I also compared the ldap entries for users that work fine with the new users
> in ldap admin, they are basically the same.
>
> Perhaps related is that on a Windows XP client in the domain, if inktec is
> added to a User Groups such as Remote Desktop Users, windows complains
> "Information return for object picket for object inktec was incomplete".
>
> Then by chance I added the test user (inktec) to /etc/passwd (but not to
> shadow), just to see. It worked!
> It's like the passwd line in nsswitch.conf is being ignored?
> group: compat ldap
> passwd: compat ldap
> shadow: compat ldap
> But then why did "getent passwd inktec" work, and why would SSH login work?
>
> Before ldap I would add users with both "useradd" and "smbpasswd -a", but
> this should not be necessary with the ldap store?
>
> Thanks in advance,
>
> Sean
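Option 2 above (the LDAP entry carries both the Samba and the Unix account data) is the one that smbd's getpwnam() path needs to succeed through nsswitch. The following script is an added example, not code from the thread or from Samba: it takes an LDIF user entry and reports which posixAccount/sambaSamAccount object classes and attributes are absent, so a Samba-only entry (visible to pdbedit, invisible to getpwnam) stands out. The two sample entries, the SIDs and uid numbers in them are constructed for illustration; the object class and attribute names are the standard schema names.

```shell
#!/bin/sh
# Added diagnostic helper (not part of the thread). Checks an LDIF user entry
# for the attributes NSS needs (posixAccount) next to the Samba ones
# (sambaSamAccount). Sample entries below are constructed.

REQUIRED_CLASSES="posixAccount sambaSamAccount"
REQUIRED_ATTRS="uid uidNumber gidNumber homeDirectory sambaSID"

# Print the object classes and attributes missing from the LDIF entry in $1,
# space separated; prints an empty line when the entry is complete.
missing_unix_attrs() {
    entry="$1"
    missing=""
    for cls in $REQUIRED_CLASSES; do
        printf '%s\n' "$entry" | grep -qi "^objectClass: *${cls}\$" \
            || missing="$missing objectClass:$cls"
    done
    for attr in $REQUIRED_ATTRS; do
        # "attr:" also matches the "attr::" base64 form LDIF uses
        printf '%s\n' "$entry" | grep -qi "^${attr}:" \
            || missing="$missing $attr"
    done
    printf '%s\n' "${missing# }"
}

# Exit status 0 when the entry can back both a Unix and a Samba account.
is_unix_backed() {
    [ -z "$(missing_unix_attrs "$1")" ]
}

# Constructed sample: complete entry, resolvable by getent and pdbedit.
GOOD_ENTRY='dn: uid=exampleuser,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: sambaSamAccount
uid: exampleuser
uidNumber: 20001
gidNumber: 513
homeDirectory: /home/exampleuser
sambaSID: S-1-5-21-0-0-0-41002'

# Constructed sample: Samba-only entry; pdbedit lists it, getpwnam() fails.
SAMBA_ONLY_ENTRY='dn: uid=sambaonly,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: sambaSamAccount
uid: sambaonly
sambaSID: S-1-5-21-0-0-0-41004'

# Human-readable one-line report for an entry.
report() {
    name="$1"
    e="$2"
    if is_unix_backed "$e"; then
        echo "$name: complete"
    else
        echo "$name: missing $(missing_unix_attrs "$e")"
    fi
}

report exampleuser "$GOOD_ENTRY"
report sambaonly "$SAMBA_ONLY_ENTRY"
```

To run it against a live directory, feed it the output of `ldapsearch -x -LLL '(uid=someuser)'`; note that ldapsearch folds long attribute values onto continuation lines starting with a space, so unfold those first or the simple `^attr:` match will miss them. An entry that passes this check but still fails in smbd points away from the LDAP data and towards nsswitch, nscd caching or the smbd process environment instead.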